mirror of
https://github.com/philmmanjaro/alma.git
synced 2025-07-27 07:29:28 +02:00
145 lines
3.3 KiB
Bash
Executable File
145 lines
3.3 KiB
Bash
Executable File
#!/bin/bash
|
|
# -*- mode: sh; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
|
|
# vim: et sts=4 sw=4
|
|
|
|
# SPDX-License-Identifier: LGPL-2.1+
|
|
#
|
|
# Copyright © 2020-2021 Collabora Ltd.
|
|
# Copyright © 2020-2021 Valve Corporation.
|
|
#
|
|
# This file is part of steamos-customizations.
|
|
#
|
|
# steamos-customizations is free software; you can redistribute it and/or
|
|
# modify it under the terms of the GNU Lesser General Public License as
|
|
# published by the Free Software Foundation; either version 2.1 of the License,
|
|
# or (at your option) any later version.
|
|
|
|
set -euo pipefail
|
|
|
|
declare -r ROOTDEV=/dev/disk/by-partsets/self/rootfs
|
|
declare -r VERITYDEV=/dev/disk/by-partsets/self/verity
|
|
declare -r HASHFILE=/efi/SteamOS/roothash
|
|
|
|
usage() {
|
|
cat <<EOF
|
|
Usage: ${0##*/} enable|disable|status|verify
|
|
|
|
Enable or disable the block level verification on the current running SteamOS.
|
|
EOF
|
|
}
|
|
|
|
mapper_root_mounted() {
|
|
grep -q '^/dev/mapper/root / ' /proc/mounts
|
|
}
|
|
|
|
read_write() {
|
|
steamos-readonly disable
|
|
|
|
if mapper_root_mounted
|
|
then
|
|
echo "Warning: The rootfs is still read-only!" >&2
|
|
echo " Reboot to complete setup." >&2
|
|
return
|
|
fi
|
|
rm -f "$HASHFILE"
|
|
sync /
|
|
}
|
|
|
|
read_only() {
|
|
if mapper_root_mounted
|
|
then
|
|
echo "Warning: The rootfs is already read-only!" >&2
|
|
echo " Nothing is performed." >&2
|
|
return
|
|
fi
|
|
|
|
local block_size=$(blkid -o value -s BLOCK_SIZE "$ROOTDEV")
|
|
|
|
steamos-readonly enable
|
|
|
|
veritysetup format --data-block-size "$block_size" --hash-block-size "$block_size" \
|
|
"$ROOTDEV" "$VERITYDEV" | \
|
|
tee /dev/stderr | \
|
|
sed -n 's,^Root hash:[[:blank:]]\+\([[:xdigit:]]\{64\}\)$,\1,p' > "$HASHFILE"
|
|
|
|
echo "Reboot to complete setup." >&2
|
|
}
|
|
|
|
status() {
|
|
local filesystem_is_readonly
|
|
local device_is_readonly
|
|
local roothash
|
|
|
|
if mapper_root_mounted
|
|
then
|
|
device_is_readonly=yes
|
|
fi
|
|
|
|
if steamos-readonly status >/dev/null
|
|
then
|
|
filesystem_is_readonly=yes
|
|
fi
|
|
|
|
if [[ -e "$HASHFILE" ]]
|
|
then
|
|
roothash="$(cat $HASHFILE)"
|
|
fi
|
|
|
|
if [[ "${roothash:-}" ]] && [[ "${device_is_readonly:-}" ]] && [[ "${filesystem_is_readonly:-}" ]]
|
|
then
|
|
echo "enabled"
|
|
return
|
|
fi
|
|
|
|
# XXX: this seems off
|
|
if [[ ! "${roothash:-}" ]] && [[ ! "${filesystem_is_readonly:-}" ]]
|
|
then
|
|
echo "disabled"
|
|
return 1
|
|
elif [[ ! "${roothash:-}" ]] && [[ ! "${filesystem_is_readonly:-}" ]]
|
|
then
|
|
echo "disabled${device_is_readonly:+ (after reboot)}"
|
|
return 1
|
|
fi
|
|
|
|
echo "unknown"
|
|
echo "- device-is-read-only: ${device_is_readonly:-no}"
|
|
echo "- filesystem-is-read-only: ${filesystem_is_readonly:-no}"
|
|
echo "- roothash: ${roothash:-none}"
|
|
return 1
|
|
}
|
|
|
|
verify() {
|
|
if [[ ! -e "$HASHFILE" ]]
|
|
then
|
|
return 1
|
|
fi
|
|
|
|
veritysetup verify "$ROOTDEV" "$VERITYDEV" "$(cat $HASHFILE)"
|
|
}
|
|
|
|
# Ideally status will be root-free, alas steamos-readonly status
|
|
# does not like that.
|
|
if [[ "$(id -u)" -ne 0 ]]; then
|
|
echo "$(basename $0) needs to be run as root"
|
|
exit 1
|
|
fi
|
|
|
|
case "${1:-}" in
|
|
disable)
|
|
read_write
|
|
;;
|
|
enable)
|
|
read_only
|
|
;;
|
|
status)
|
|
status
|
|
;;
|
|
verify)
|
|
verify
|
|
;;
|
|
*)
|
|
usage
|
|
exit 1
|
|
esac
|