free
/
freedombone
Bevaka 1
Stjärnmärk 0
Förgrening 0
Kod Ärenden 0 Pull-förfrågningar 0 Släpp 0 Wiki Activity
9111 Incheckningar
5 Grenar
Träd: 572076dffa
Grenar Taggar
${ item.name }
Create branch ${ searchTerm }
from '572076dffa'
${ noResults }
freedombone/src/freedombone-utils-rng

freedombone-utils-rng 5.7KB
Historik

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170 
  1. #!/bin/bash

  2. #  _____               _           _

  3. # |   __|___ ___ ___ _| |___ _____| |_ ___ ___ ___

  4. # |   __|  _| -_| -_| . | . |     | . | . |   | -_|

  5. # |__|  |_| |___|___|___|___|_|_|_|___|___|_|_|___|

  6. #

  7. #                              Freedom in the Cloud

  8. #

  9. # Random number generation functions

  10. #

  11. # License

  12. # =======

  13. #

  14. # Copyright (C) 2014-2018 Bob Mottram <bob@freedombone.net>

  15. #

  16. # This program is free software: you can redistribute it and/or modify

  17. # it under the terms of the GNU Affero General Public License as published by

  18. # the Free Software Foundation, either version 3 of the License, or

  19. # (at your option) any later version.

  20. #

  21. # This program is distributed in the hope that it will be useful,

  22. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  23. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  24. # GNU Affero General Public License for more details.

  25. #

  26. # You should have received a copy of the GNU Affero General Public License

  27. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  28. 

  29. # The type of hardware random number generator being used

  30. # This can be empty, "beaglebone" or "onerng"

  31. HWRNG_TYPE=

  32. 

  33. # Download location for OneRNG driver

  34. ONERNG_PACKAGE="onerng_3.4-1_all.deb"

  35. ONERNG_PACKAGE_DOWNLOAD="https://github.com/OneRNG/onerng.github.io/blob/master/sw/$ONERNG_PACKAGE?raw=true"

  36. # Hash for OneRNG driver

  37. ONERNG_PACKAGE_HASH='78f1c2f52ae573e3b398a695ece7ab9f41868252657ea269f0d5cf0bd4f2eb59'

  38. 

  39. # device name for OneRNG

  40. ONERNG_DEVICE='ttyACM0'

  41. 

  42. function check_hwrng {

  43.     if [[ $HWRNG_TYPE == "beaglebone" ]]; then

  44.         # If hardware random number generation was enabled then make sure that the device exists.

  45.         # if /dev/hwrng is not found then any subsequent cryptographic key generation would

  46.         # suffer from low entropy and might be insecure

  47.         if [ ! -e /dev/hwrng ]; then

  48.             ls /dev/hw*

  49.             echo $'The hardware random number generator is enabled but could not be detected on'

  50.             echo $'/dev/hwrng.  There may be a problem with the installation or the Beaglebone hardware.'

  51.             exit 75

  52.         fi

  53.     fi

  54. 

  55.     # If a OneRNG device was installed then verify its firmware

  56.     #check_onerng_verification

  57. }

  58. 

  59. function check_onerng_verification {

  60.     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then

  61.         return

  62.     fi

  63.     if [[ $HWRNG_TYPE != "onerng" ]]; then

  64.         return

  65.     fi

  66.     echo $'Checking OneRNG firmware verification'

  67.     last_onerng_validation=$(grep "OneRNG: firmware verification" /var/log/syslog.1 | awk '/./{line=$0} END{print line}')

  68.     if [[ $last_onerng_validation != *"passed OK"* ]]; then

  69.         last_onerng_validation=$(grep "OneRNG: firmware verification" /var/log/syslog | awk '/./{line=$0} END{print line}')

  70.         if [[ $last_onerng_validation != *"passed OK"* ]]; then

  71.             echo "$last_onerng_validation"

  72.             echo $'OneRNG firmware verification failed'

  73.             exit 735026

  74.         fi

  75.     fi

  76.     echo $'OneRNG firmware verification passed'

  77.     # if haveged was previously installed then remove it

  78.     apt-get -yq remove haveged

  79.     mark_completed "${FUNCNAME[0]}"

  80. }

  81. 

  82. function install_onerng {

  83.     apt-get -yq install rng-tools at python-gnupg

  84. 

  85.     # Move to the installation directory

  86.     if [ ! -d "$INSTALL_DIR" ]; then

  87.         mkdir "$INSTALL_DIR"

  88.     fi

  89.     cd "$INSTALL_DIR" || exit 24762464

  90. 

  91.     # Download the package

  92.     if [ ! -f $ONERNG_PACKAGE ]; then

  93.         wget "$ONERNG_PACKAGE_DOWNLOAD"

  94.         # shellcheck disable=SC2086

  95.         mv $ONERNG_PACKAGE?raw=true $ONERNG_PACKAGE

  96.     fi

  97.     if [ ! -f $ONERNG_PACKAGE ]; then

  98.         echo $"OneRNG package could not be downloaded"

  99.         exit 59249

  100.     fi

  101. 

  102.     # Check the hash

  103.     hash=$(sha256sum $ONERNG_PACKAGE | awk -F ' ' '{print $1}')

  104.     if [[ "$hash" != "$ONERNG_PACKAGE_HASH" ]]; then

  105.         echo $"OneRNG package: $ONERNG_PACKAGE"

  106.         echo $"Hash does not match. This could indicate that the package has been tampered with."

  107.         echo $"OneRNG expected package hash: $ONERNG_PACKAGE_HASH"

  108.         echo $"OneRNG actual hash: $hash"

  109.         exit 25934

  110.     fi

  111. 

  112.     # install the package

  113.     dpkg -i $ONERNG_PACKAGE

  114. 

  115.     # Check that the install worked

  116.     if [ ! -f /etc/onerng.conf ]; then

  117.         echo $'OneRNG configuration file not found. The package may not have installed successfully.'

  118.         exit 42904

  119.     fi

  120. 

  121.     dialog --title $"OneRNG Device" \

  122.            --msgbox $"Please plug in the OneRNG device" 6 40

  123. 

  124.     # check rng-tools configuration

  125.     if ! grep -q "/dev/$ONERNG_DEVICE" /etc/default/rng-tools; then

  126.         echo "HRNGDEVICE=/dev/$ONERNG_DEVICE" >> /etc/default/rng-tools

  127.     fi

  128. 

  129.     systemctl restart rng-tools

  130. }

  131. 

  132. function random_number_generator {

  133.     if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then

  134.         return

  135.     fi

  136.     if [[ $INSTALLED_WITHIN_DOCKER == "yes" ]]; then

  137.         # it is assumed that docker uses the random number

  138.         # generator of the host system

  139.         return

  140.     fi

  141. 

  142.     # if the hrng type has not been set but /dev/hwrng is detected

  143.     if [[ $HWRNG_TYPE != "beaglebone" ]]; then

  144.         if [ -e /dev/hwrng ]; then

  145.             HWRNG_TYPE="beaglebone"

  146.         fi

  147.     fi

  148. 

  149.     case $HWRNG_TYPE in

  150.         beaglebone)

  151.             apt-get -yq install rng-tools

  152.             sed -i 's|#HRNGDEVICE=/dev/hwrng|HRNGDEVICE=/dev/hwrng|g' /etc/default/rng-tools

  153.             ;;

  154.         onerng)

  155.             function_check install_onerng

  156.             install_onerng

  157.             ;;

  158.         *)

  159.             # With some VMs, the hardware cycles counter is emulated and deterministic,

  160.             # and thus predictible, so havege should not be used

  161.             if [[ "$ARCHITECTURE" != "qemu"* ]]; then

  162.                 apt-get -yq install haveged

  163.             fi

  164.             ;;

  165.     esac

  166. 

  167.     mark_completed "${FUNCNAME[0]}"

  168. }

  169. 

  170. # NOTE: deliberately no exit 0