syslinux: process @rescue_hash@ (forensic mode)

This value is used to authenticate rescue rootfs image by verifying the squashfs file's sha256sum before use (propagator-20140419+). Looks like this check might be useful for other stage2 images as well but let's get started with this one. Thanks Maxim Suhanov <suhanov/group-ib.ru> for both http://www.forensicswiki.org/wiki/Forensic_Live_CD_issues and propagator patches.

syslinux: process @rescue_hash@ (forensic mode)
a2fcc601 · Michael Shigorin · 635018aa · a2fcc601 · a2fcc601
Commit a2fcc601 authored Apr 18, 2014 by Michael Shigorin
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 1 deletion

83rescue_fm.cfg features.in/syslinux/cfg.in/83rescue_fm.cfg +1 -1

20-propagator-rescue-hash features.in/syslinux/scripts.d/20-propagator-rescue-hash +14 -0

No files found.
--- a/features.in/syslinux/cfg.in/83rescue_fm.cfg
+++ b/features.in/syslinux/cfg.in/83rescue_fm.cfg
 label rescue_forensic
  menu label ^Forensic mode (leave disks alone)
  kernel alt0/vmlinuz
-  append initrd=alt0/full.cz fastboot live showopts automatic=method:cdrom ramdisk_size=@rescue_size@ stagename=rescue forensic
+  append initrd=alt0/full.cz fastboot live showopts automatic=method:cdrom ramdisk_size=@rescue_size@ stagename=rescue forensic hash=@rescue_hash@

--- a/features.in/syslinux/scripts.d/20-propagator-rescue-hash
+++ b/features.in/syslinux/scripts.d/20-propagator-rescue-hash
+#!/bin/sh
+# postprocess isolinux configuration
+# to add rescue image hash, if any
+# (for propagator in forensic mode)
+
+cd "$WORKDIR"
+
+grep -qs "@rescue_hash@" syslinux/*.cfg || exit 0
+
+find -maxdepth 1 -type f -name rescue \
+| while read image; do
+	rescue_hash="$(sha256sum -b "$image" | cut -f1 -d' ')"
+	sed -i "s,@rescue_hash@,$rescue_hash," syslinux/*.cfg
+done