
  1. #!/bin/bash
  2. # _____ _ _
  3. # | __|___ ___ ___ _| |___ _____| |_ ___ ___ ___
  4. # | __| _| -_| -_| . | . | | . | . | | -_|
  5. # |__| |_| |___|___|___|___|_|_|_|___|___|_|_|___|
  6. #
  7. # Freedom in the Cloud
  8. #
  9. # Random number generation functions
  10. #
  11. # License
  12. # =======
  13. #
  14. # Copyright (C) 2014-2018 Bob Mottram <bob@freedombone.net>
  15. #
  16. # This program is free software: you can redistribute it and/or modify
  17. # it under the terms of the GNU Affero General Public License as published by
  18. # the Free Software Foundation, either version 3 of the License, or
  19. # (at your option) any later version.
  20. #
  21. # This program is distributed in the hope that it will be useful,
  22. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  23. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  24. # GNU Affero General Public License for more details.
  25. #
  26. # You should have received a copy of the GNU Affero General Public License
  27. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  28. # The type of hardware random number generator being used
  29. # This can be empty, "beaglebone" or "onerng"
  30. HWRNG_TYPE=
  31. # Download location for OneRNG driver
  32. ONERNG_PACKAGE="onerng_3.4-1_all.deb"
  33. ONERNG_PACKAGE_DOWNLOAD="https://github.com/OneRNG/onerng.github.io/blob/master/sw/$ONERNG_PACKAGE?raw=true"
  34. # Hash for OneRNG driver
  35. ONERNG_PACKAGE_HASH='78f1c2f52ae573e3b398a695ece7ab9f41868252657ea269f0d5cf0bd4f2eb59'
  36. # device name for OneRNG
  37. ONERNG_DEVICE='ttyACM0'
# Abort the install if a Beaglebone hardware RNG was requested but the
# kernel has not exposed /dev/hwrng.
#
# Globals:  HWRNG_TYPE (read)
# Outputs:  a listing of /dev/hw* plus an explanation on failure
# Exits:    75 when HWRNG_TYPE is "beaglebone" and /dev/hwrng is absent;
#           returns 0 in every other case, including HWRNG_TYPE="onerng"
#
# Only the Beaglebone case is checked here. The OneRNG firmware check
# (check_onerng_verification) is NOT invoked from this function - the call
# below is left commented out - so a caller that wants the OneRNG firmware
# signature result enforced has to call it separately.
function check_hwrng {
    if [[ $HWRNG_TYPE == "beaglebone" && ! -e /dev/hwrng ]]; then
        # Without the hardware device any subsequent key generation would run
        # on whatever little entropy the system has, which may be insecure.
        ls /dev/hw*
        echo $'The hardware random number generator is enabled but could not be detected on'
        echo $'/dev/hwrng. There may be a problem with the installation or the Beaglebone hardware.'
        exit 75
    fi
    # If a OneRNG device was installed then verify its firmware
    #check_onerng_verification
}
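# Print the most recent "OneRNG: firmware verification" line from a log file.
# Arguments: $1 - path to a syslog file
# Outputs:   the last matching line on stdout; nothing if the file is missing
#            or contains no such line
function onerng_last_verification {
    if [ ! -f "$1" ]; then
        return 0
    fi
    grep "OneRNG: firmware verification" "$1" | awk '/./{line=$0} END{print line}'
}

# Confirm, from syslog, that the OneRNG driver's firmware verification
# passed, then drop haveged in favour of the hardware device.
#
# Arguments: $1 - current syslog (default /var/log/syslog)
#            $2 - rotated syslog (default /var/log/syslog.1)
# Globals:   HWRNG_TYPE (read); does nothing unless it is "onerng"
# Calls:     is_completed / mark_completed (defined elsewhere in the project)
# Exits:     735026 (seen by callers as 50, since exit codes are 8-bit) when
#            the newest verification entry is not "passed OK" or no entry is
#            found in either log - i.e. this fails closed.
#
# The current log is consulted first and is authoritative; the rotated log is
# only used when the current one has no verification entry at all. The old
# order (rotated log first) accepted a stale "passed OK" from syslog.1 even
# when a newer entry in /var/log/syslog reported a failure.
function check_onerng_verification {
    if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
        return
    fi
    if [[ $HWRNG_TYPE != "onerng" ]]; then
        return
    fi
    local current_log=${1:-/var/log/syslog}
    local rotated_log=${2:-/var/log/syslog.1}
    local last_onerng_validation

    echo $'Checking OneRNG firmware verification'
    last_onerng_validation=$(onerng_last_verification "$current_log")
    if [[ -z "$last_onerng_validation" ]]; then
        last_onerng_validation=$(onerng_last_verification "$rotated_log")
    fi
    if [[ $last_onerng_validation != *"passed OK"* ]]; then
        echo "$last_onerng_validation"
        echo $'OneRNG firmware verification failed'
        exit 735026
    fi
    echo $'OneRNG firmware verification passed'

    # if haveged was previously installed then remove it
    apt-get -yq remove haveged
    mark_completed "${FUNCNAME[0]}"
}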
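# Print the SHA-256 digest (hex, without the filename) of a file.
# Arguments: $1 - path to the file
# Outputs:   the digest on stdout; empty if sha256sum fails
function file_sha256 {
    sha256sum "$1" | awk -F ' ' '{print $1}'
}

# Download, verify and install the OneRNG driver package, then point rngd at
# the OneRNG serial device.
#
# Globals:  INSTALL_DIR, ONERNG_PACKAGE, ONERNG_PACKAGE_DOWNLOAD,
#           ONERNG_PACKAGE_HASH, ONERNG_DEVICE (all read)
# Exits:    24762464 if INSTALL_DIR cannot be entered
#           59249    if the package could not be downloaded
#           25934    if the package digest does not match ONERNG_PACKAGE_HASH
#           42904    if dpkg failed or /etc/onerng.conf is missing afterwards
# Note: bash truncates exit codes to 8 bits, so callers see these mod 256.
function install_onerng {
    apt-get -yq install rng-tools at python-gnupg

    # Move to the installation directory
    if [ ! -d "$INSTALL_DIR" ]; then
        mkdir -p "$INSTALL_DIR"
    fi
    cd "$INSTALL_DIR" || exit 24762464

    # Download the package. Fetch into a temporary name and only rename on
    # success so an interrupted transfer never leaves a partial file that the
    # "already downloaded" check below would then treat as complete.
    if [ ! -f "$ONERNG_PACKAGE" ]; then
        if wget -O "${ONERNG_PACKAGE}.part" "$ONERNG_PACKAGE_DOWNLOAD"; then
            mv "${ONERNG_PACKAGE}.part" "$ONERNG_PACKAGE"
        else
            rm -f "${ONERNG_PACKAGE}.part"
        fi
    fi
    if [ ! -f "$ONERNG_PACKAGE" ]; then
        echo $"OneRNG package could not be downloaded"
        exit 59249
    fi

    # Check the hash. The .deb is installed with dpkg -i from a plain
    # download, not from a signed apt repository, so this pinned digest is
    # the only integrity check it gets and a mismatch is fatal. The rejected
    # file is set aside (kept for inspection) rather than left under its
    # real name, otherwise every later run would skip the download and fail
    # on the same bad copy.
    local hash
    hash=$(file_sha256 "$ONERNG_PACKAGE")
    if [[ "$hash" != "$ONERNG_PACKAGE_HASH" ]]; then
        echo $"OneRNG package: $ONERNG_PACKAGE"
        echo $"Hash does not match. This could indicate that the package has been tampered with."
        echo $"OneRNG expected package hash: $ONERNG_PACKAGE_HASH"
        echo $"OneRNG actual hash: $hash"
        mv -f "$ONERNG_PACKAGE" "${ONERNG_PACKAGE}.rejected"
        exit 25934
    fi

    # install the package; a non-zero dpkg status is reported explicitly
    # instead of being inferred only from the config file check below
    if ! dpkg -i "$ONERNG_PACKAGE"; then
        echo $'OneRNG package failed to install.'
        exit 42904
    fi
    # Check that the install worked
    if [ ! -f /etc/onerng.conf ]; then
        echo $'OneRNG configuration file not found. The package may not have installed successfully.'
        exit 42904
    fi

    dialog --title $"OneRNG Device" \
           --msgbox $"Please plug in the OneRNG device" 6 40

    # check rng-tools configuration
    if ! grep -q "/dev/$ONERNG_DEVICE" /etc/default/rng-tools; then
        echo "HRNGDEVICE=/dev/$ONERNG_DEVICE" >> /etc/default/rng-tools
    fi
    systemctl restart rng-tools
}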
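# Select and set up the entropy source for this machine.
#
# Globals:  HWRNG_TYPE (read; set to "beaglebone" when it is empty and
#           /dev/hwrng exists), INSTALLED_WITHIN_DOCKER, ARCHITECTURE (read)
# Calls:    is_completed / mark_completed, function_check, install_onerng
#           (defined elsewhere in the project)
#
# By HWRNG_TYPE:
#   beaglebone - run rngd against the on-board /dev/hwrng
#   onerng     - install_onerng (USB OneRNG)
#   otherwise  - install haveged, except under qemu
function random_number_generator {
    if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then
        return
    fi
    if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then
        # it is assumed that docker uses the random number
        # generator of the host system
        return
    fi

    # Auto-detect a board RNG only when no type was configured. The previous
    # test (HWRNG_TYPE != "beaglebone") also fired for HWRNG_TYPE="onerng",
    # silently replacing an explicitly requested OneRNG with /dev/hwrng
    # whenever the kernel happened to expose that device.
    if [[ -z "$HWRNG_TYPE" && -e /dev/hwrng ]]; then
        HWRNG_TYPE="beaglebone"
    fi

    case "$HWRNG_TYPE" in
        beaglebone)
            apt-get -yq install rng-tools
            sed -i 's|#HRNGDEVICE=/dev/hwrng|HRNGDEVICE=/dev/hwrng|g' /etc/default/rng-tools
            # restart so rngd picks up the edited HRNGDEVICE setting; the
            # OneRNG path in install_onerng does the same
            systemctl restart rng-tools
            ;;
        onerng)
            function_check install_onerng
            install_onerng
            ;;
        *)
            # With some VMs, the hardware cycles counter is emulated and deterministic,
            # and thus predictible, so havege should not be used.
            # NOTE(review): only ARCHITECTURE values starting with "qemu" are
            # excluded here; other hypervisors are not recognised - confirm
            # whether that is intended.
            if [[ "$ARCHITECTURE" != "qemu"* ]]; then
                apt-get -yq install haveged
            fi
            ;;
    esac
    mark_completed "${FUNCNAME[0]}"
}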
  150. # NOTE: deliberately no exit 0