From: Dubiousjim
To: alpine-devel@lists.alpinelinux.org
Subject: [alpine-devel] [PATCH 8/8] main/syslinux: hooks for bootloader password
Date: Thu, 27 Jun 2013 03:32:21 -0400
Message-Id: <8e59b6613a04739d2800a1bf8a317ff73523d096.1372318132.git.dubiousjim@gmail.com>
X-Mailer: git-send-email 1.8.3.1
X-Mailinglist: alpine-devel

We allow a password to be set in /etc/update-extlinux.conf. This can be generated using a script we install that has a runtime dependency on perl and perl-digest-sha1. These only need to be in place when the password is first generated.

If one sets a password, one will presumably want to make /etc/update-extlinux.conf world-unreadable. We don't do that for you; however, we do make sure, when a password is present, to make the /boot/extlinux.conf files we generate world-unreadable.

Of the auto-generated entries, only HDT (if this is generated) is now configured to respect the password; however, you can include "MENU PASSWD" in any entries you put in /etc/update-extlinux.d/. For example, I configure my BIOS to only boot from the internal drive, but I have an entry in /etc/update-extlinux.d that permits chain-booting from a USB key, and I have this entry configured to also require the password. (The BIOS is also passworded, so that these settings can't be changed willy-nilly.)

---
 main/syslinux/APKBUILD             |  1 +
 main/syslinux/update-extlinux      | 10 ++++++++++
 main/syslinux/update-extlinux.conf |  6 ++++++
 3 files changed, 17 insertions(+)

diff --git a/main/syslinux/APKBUILD b/main/syslinux/APKBUILD
index 79d7e6c..a6c0f54 100644
--- a/main/syslinux/APKBUILD
+++ b/main/syslinux/APKBUILD
@@ -39,6 +39,7 @@ build() { package() { cd "$_builddir" make INSTALLROOT="$pkgdir" MANDIR=/usr/share/man local-install + install -D -m755 utils/sha1pass "$pkgdir"/usr/sbin/sha1pass || return 1 mkdir -p "$pkgdir"/etc/update-extlinux.d cp "$srcdir"/update-extlinux.conf "$pkgdir"/etc/ diff --git a/main/syslinux/update-extlinux b/main/syslinux/update-extlinux index a8b0474..1bc7b3f 100755 --- a/main/syslinux/update-extlinux +++ b/main/syslinux/update-extlinux @@ -134,6 +134,13 @@ for kernel in $(find /boot -name "vmlinuz-*" -type f); do lst=$(($lst + 1)) done +if [ -n "$password" ]; then + echo "NOESCAPE 1" >> $conf.new + echo "MENU MASTER PASSWD $password" >> $conf.new + echo "" >> $conf.new + chmod o-r $conf.new +fi + everbose "$lst entries found." for entry in /etc/update-extlinux.d/*; do @@ -147,6 +154,9 @@ if [ -f "/boot/hdt.c32" ]; then everbose "Found Hardware Detection Tool: /boot/hdt.c32" echo "LABEL hdt" >> $conf.new echo " MENU LABEL Hardware info" >> $conf.new + if [ -n "$password" ]; then + echo " MENU PASSWD" >> $conf.new + fi echo " COM32 hdt.c32" >> $conf.new if [ -f "/boot/memtest" ]; then everbose "Found memtest86+: /boot/memtest" diff --git a/main/syslinux/update-extlinux.conf b/main/syslinux/update-extlinux.conf index b548d7e..6cabc61 100644 --- a/main/syslinux/update-extlinux.conf +++ b/main/syslinux/update-extlinux.conf @@ -45,3 +45,9 @@ xen_opts=dom0_mem=256M # none of /boot/memtest, /boot/hdt.c32, or /boot/reboot.c32 are installed by default # but entries for them will be auto-generated if they're present + +# optional password +# generate using /usr/sbin/sha1pass, which has a runtime dependency on perl and perl-digest-sha1 +# of the auto-generated entries, only hdt (if present) is password-protected +# but you can include "MENU PASSWD" in any entries in /etc/update-extlinux.d/ +password='' -- 1.8.3.1 --- Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org Help: alpine-devel+help@lists.alpinelinux.org ---
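Review bot: the runtime dependency of sha1pass on perl and perl-digest-sha1 that the commit message describes is not reflected anywhere in the APKBUILD hunk, which only adds the `install -D -m755 utils/sha1pass "$pkgdir"/usr/sbin/sha1pass || return 1` line; an administrator who runs /usr/sbin/sha1pass on a system without those packages gets a bare Perl module-load failure with no hint of what to install. Since pulling perl into the base image for a tool that is run once is probably unwanted, at least add a comment beside that line (or a `checkdepends`/documentation note) naming the two packages, so the next maintainer knows why the script ships without a `depends` entry.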
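Review bot: in the first update-extlinux hunk, `chmod o-r $conf.new` is applied only after `MENU MASTER PASSWD $password` has already been appended, so between the file's creation earlier in the script (under the default umask) and this chmod the hash sits in a world-readable file; move the `chmod o-r $conf.new` to the top of the `if` block, before the three `echo` lines, or create $conf.new under a restrictive umask from the start. Two smaller points: `$conf.new` is unquoted in the redirections and in the chmod (the rest of the script uses the same style, but quoting it costs nothing), and the hunk does not show the step that turns $conf.new into $conf, so please confirm it is an `mv` (which keeps the mode) and not a `cp`/`cat` into a pre-existing file, otherwise the o-r protection is lost on the final /boot/extlinux.conf.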
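Review bot: the comment block added above `password=''` in update-extlinux.conf should say explicitly that the value is the string printed by /usr/sbin/sha1pass and not the cleartext password, because the update-extlinux hunk copies it verbatim into `MENU MASTER PASSWD $password`, so whatever is typed here ends up in /boot/extlinux.conf unchanged. It would also help to repeat in the file what the commit message says and the script does not do: once a password is set, /etc/update-extlinux.conf itself should be made unreadable by others. Suggested lines: `# set this to the hash printed by sha1pass, not to the cleartext password` and `# after setting a password, chmod o-r this file (update-extlinux protects /boot/extlinux.conf, not this file)`.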