From a469c7b298569504e3a0062c69b13634f34e213c Mon Sep 17 00:00:00 2001
From: Captain ALM
Date: Wed, 12 Jun 2024 15:05:03 +0100
Subject: [PATCH] Reorganise files. Add makefile.machine for p7zip
---
bin/linux-version | 121 ++++++++++++++++++++++++++++++++++++
local-sbin/boot-verify-sign | 9 +++
local-sbin/grub-update | 6 ++
local-sbin/install-grub | 12 ++++
local-sbin/sign-boot | 41 ++++++++++++
local-sbin/update-mydebs | 3 +
local-sbin/verify-boot | 54 ++++++++++++++++
p7zip-1602/makefile.machine | 24 +++++++
8 files changed, 270 insertions(+)
create mode 100755 bin/linux-version
create mode 100755 local-sbin/boot-verify-sign
create mode 100644 local-sbin/grub-update
create mode 100644 local-sbin/install-grub
create mode 100644 local-sbin/sign-boot
create mode 100644 local-sbin/update-mydebs
create mode 100644 local-sbin/verify-boot
create mode 100644 p7zip-1602/makefile.machine
diff --git a/bin/linux-version b/bin/linux-version
new file mode 100755
index 0000000..b154f73
--- /dev/null
+++ b/bin/linux-version
@@ -0,0 +1,121 @@
+#!/usr/bin/perl
+
+# Copyright 2011 Ben Hutchings
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+
+use strict;
+use warnings;
+
+use DebianLinux qw(version_cmp image_list);
+
+sub usage {
+ my $fh = shift;
+ print $fh (<< "EOT");
+Usage: $0 compare VERSION1 OP VERSION2
+ $0 sort [--reverse] [VERSION1 VERSION2 ...]
+ $0 list [--paths]
+
+The version arguments should be kernel version strings as shown by
+'uname -r' and used in filenames.
+
+The valid comparison operators are: lt le eq ge gt
+EOT
+}
+
+sub usage_error {
+ usage(*STDERR{IO});
+ exit 2;
+}
+
+sub compare_versions {
+ my %op_map = qw(lt < le <= eq == ge >= gt >);
+
+ # Check arguments
+ if (@_ != 3) {
+ usage_error();
+ }
+ my ($left, $op, $right) = @_;
+ if (!exists($op_map{$op})) {
+ usage_error();
+ }
+
+ my $sign = version_cmp($left, $right);
+ exit !eval("$sign ${op_map{$op}} 0");
+}
+
+sub sort_versions {
+ # Check for --reverse option
+ my $sign = 1;
+ if (@_ >= 1 and $_[0] eq '--reverse') {
+ $sign = -1;
+ shift;
+ }
+
+ # Collect versions from argv or stdin (with optional suffix after a space)
+ my @versions;
+ if (@_) {
+ @versions = map({[$_, "\n"]} @_);
+ } else {
+ while () {
+ /^([^ \n]*)(.*\n?)$/ or die;
+ push @versions, [$1, $2];
+ }
+ }
+
+ for (sort({version_cmp($a->[0], $b->[0]) * $sign} @versions)) {
+ print @$_;
+ }
+ exit 0;
+}
+
+sub list_versions {
+ my $show_paths;
+
+ if (@_ == 1 and $_[0] eq '--paths') {
+ $show_paths = 1;
+ } elsif (@_ != 0) {
+ usage_error();
+ }
+ my $sig = '.sig';
+ for (image_list()) {
+ my ($version, $path) = @$_;
+ unless ($path =~ /\Q$sig\E$/) {
+ if ($show_paths) {
+ print "$version $path\n";
+ } else {
+ print "$version\n";
+ }
+ }
+ }
+ exit 0;
+}
+
+if (@ARGV == 0) {
+ usage_error();
+}
+
+my $command = shift;
+if ($command eq 'help' or grep({$_ eq '--help'} $command, @ARGV)) {
+ usage(*STDOUT{IO});
+ exit 0;
+} elsif ($command eq 'compare') {
+ compare_versions(@ARGV);
+} elsif ($command eq 'sort') {
+ sort_versions(@ARGV);
+} elsif ($command eq 'list') {
+ list_versions(@ARGV);
+}
+usage_error();
diff --git a/local-sbin/boot-verify-sign b/local-sbin/boot-verify-sign
new file mode 100755
index 0000000..466a54c
--- /dev/null
+++ b/local-sbin/boot-verify-sign
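Review bot: `compare_versions` computes its exit status with a string `eval` (`exit !eval("$sign ${op_map{$op}} 0")`), which stays safe only while `$op` is gated by the `exists` check and `version_cmp` returns a plain number; the latter cannot be confirmed here because DebianLinux is not part of this patch. A dispatch table of code references yields the same exit status without evaluating a constructed string, so a later change to either input cannot become code execution. The rewritten lines are below; the argument checks stay as they are.

```perl
sub compare_versions {
    # Each operator becomes a test on the sign returned by version_cmp.
    my %op_map = (
        lt => sub { $_[0] <  0 },
        le => sub { $_[0] <= 0 },
        eq => sub { $_[0] == 0 },
        ge => sub { $_[0] >= 0 },
        gt => sub { $_[0] >  0 },
    );
    # … unchanged: argument count and operator checks …
    my $sign = version_cmp($left, $right);
    exit !$op_map{$op}->($sign);
}
```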
@@ -0,0 +1,9 @@
+#!/bin/bash
+/bin/bash /usr/local/sbin/verify-boot;
+if [ $? -ne 0 ]; then
+ echo "Bad" > /opt/boot-verify-state;
+ /bin/bash /usr/local/sbin/sign-boot;
+ echo "Good" > /opt/boot-verify-state;
+else
+ echo "Good" > /opt/boot-verify-state;
+fi;
diff --git a/local-sbin/grub-update b/local-sbin/grub-update
new file mode 100644
index 0000000..66ce91c
--- /dev/null
+++ b/local-sbin/grub-update
@@ -0,0 +1,6 @@
+#!/bin/bash
+echo "[+] Updating Grub...";
+/usr/sbin/update-grub;
+/usr/share/ubuntu-system-adjustments/systemd/start;
+/usr/local/sbin/sign-boot;
+echo "[*] Grub Update Complete!";
diff --git a/local-sbin/install-grub b/local-sbin/install-grub
new file mode 100644
index 0000000..ef0e4b2
--- /dev/null
+++ b/local-sbin/install-grub
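Review bot: The failure branch of boot-verify-sign re-signs exactly what verify-boot just rejected: after a non-zero exit it runs sign-boot and then overwrites "Bad" with "Good" in /opt/boot-verify-state, so a modified or unsigned file under /boot ends up with a fresh valid signature and no lasting record of the failure. The exit status of sign-boot is not checked either, so "Good" is written even when signing itself failed. I would leave the state at "Bad" and stop, replacing the sign-boot call and the second echo with `exit 1;`, and make re-signing a separate operator-run step once the reported files have been inspected.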
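Review bot: grub-update checks no exit status, so sign-boot still runs and "Grub Update Complete!" is still printed when `/usr/sbin/update-grub` fails, which would put signatures on whatever configuration the failed run left behind. Stopping at the first failure is enough here, e.g. `/usr/sbin/update-grub || exit 1;` and `/usr/local/sbin/sign-boot || exit 1;`.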
@@ -0,0 +1,12 @@
+#!/bin/bash
+echo "[+] Installing Grub...";
+grub-install -v --target=x86_64-efi /dev/sda --efi-directory=/boot/efi --boot-directory=/boot --uefi-secure-boot --pubkey=/root/pubkey --sbat=/root/sbat --disable-shim-lock --modules="acpi afsplitter all_video bitmap bitmap_scale boot btrfs bufio cat chain configfile cpuid crypto cryptodisk datetime disk diskfilter echo efi_gop efinet efi_uga ext2 extcmd fat font fshelp gcry_arcfour gcry_blowfish gcry_camellia gcry_cast5 gcry_crc gcry_des gcry_dsa gcry_idea gcry_md4 gcry_md5 gcry_rfc2268 gcry_rijndael gcry_rmd160 gcry_rsa gcry_seed gcry_serpent gcry_sha1 gcry_sha256 gcry_sha512 gcry_tiger gcry_twofish gcry_whirlpool gettext gfxmenu gfxterm gfxterm_background gzio halt help hfsplus iso9660 jpeg keystatus linux linuxefi loadenv loopback ls luks lvm lzopio mdraid09 mdraid1x mmap mpi net normal ntfs password_pbkdf2 pbkdf2 pgp png probe procfs raid5rec raid6rec regexp relocator search search_fs_file search_fs_uuid search_label sleep smbios squash4 terminal trig video video_bochs video_cirrus video_colors xfs xzio zfs zfscrypt zfsinfo zstd part_gpt tpm";
+#echo "[+] Patching load.cfg";
+#echo >> /boot/grub/x86_64-efi/load.cfg;
+#echo 'trust --skip-sig (hd0,gpt6)/pubkey' >> /boot/grub/x86_64-efi/load.cfg;
+#echo 'set check_signatures=enforce' >> /boot/grub/x86_64-efi/load.cfg;
+#echo 'set superusers="root"' >> /boot/grub/x86_64-efi/load.cfg;
+#echo 'password_pbkdf2 root grub.pbkdf2.sha512.10000.87A1064D2A4493C4235F8BB04C02309873D6ECC872696400690D4C6194A9EE8A0BE005590ACAE2E3C1F416A8E9DBB665EC1F6AE35B4274CE3CD8F4694D17D0DA.18DDB69D7AB16CDC661D9F8D47CFA37A9C6A9FF8E2851C56E0E131A99BC713C348C152D338171809BE7AE2CBDA7DACE06AAD83F6B7ED118430F0C3DD9935B5AF' >> /boot/grub/x86_64-efi/load.cfg;
+#sudo cp /boot/grub/x86_64-efi/load.cfg /boot/efi/EFI/ubuntu/grub.cfg;
+grub-update;
+echo "[*] Grub Install Complete!";
diff --git a/local-sbin/sign-boot b/local-sbin/sign-boot
new file mode 100644
index 0000000..6e6f75c
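Review bot: The commented-out `password_pbkdf2 root grub.pbkdf2.sha512.10000…` line commits a GRUB superuser password hash to the repository, where anyone with read access can run offline guesses against it at the 10000-iteration cost shown in the hash. If that hash is or was in use on a machine, the password should be changed, and the line should carry a placeholder instead, e.g. `#echo 'password_pbkdf2 root <HASH_FROM_grub-mkpasswd-pbkdf2>' >> /boot/grub/x86_64-efi/load.cfg;`. Removing the line in a later commit does not remove it from history, so rotation is the part that matters.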
--- /dev/null
+++ b/local-sbin/sign-boot
@@ -0,0 +1,41 @@
+#!/bin/bash
+echo "[*] Preparing to sign!";
+#touch /dev/shm/sb-passpwd.txt;
+#chown root:root /dev/shm/sb-passpwd.txt;
+#chmod u=rw,g=,o= /dev/shm/sb-passpwd.txt;
+#echo -n "Password: ";
+#read -s pwd;
+#echo -n "$pwd" > /dev/shm/sb-passpwd.txt;
+echo "[-] BMOK Un-Signing...";
+for i in $(/usr/bin/find /boot/grub -iname "*.efi" -type f -print)
+do
+ echo $i;
+ /usr/bin/sbattach --remove $i;
+done;
+echo "[+] BMOK Signing...";
+for i in $(/usr/bin/find /boot/grub -iname "*.efi" -type f -print)
+do
+ echo $i;
+ /usr/bin/sbsign --key /cert/BMOK.priv --cert /cert/BMOK.pem $i --output $i;
+done;
+echo "[-] Un-Signing...";
+#-iname "efi" -prune -o
+for i in $(/usr/bin/find /boot -iname "*.sig" -type f -print)
+do
+ rm "$i";
+done;
+echo "[+] Signing...";
+for i in $(/usr/bin/find /boot -iname "efi" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
+do
+ echo $i;
+ /usr/bin/gpg --batch --detach-sign $i;
+ #gpg -v --batch --detach-sign --passphrase-fd 0 $i < \
+ # /dev/shm/sb-passpwd.txt;
+done;
+for i in $(/usr/bin/find /boot/efi -iname "*.cfg" -type f -o -iname "*.efi" -type f -print)
+do
+ echo $i;
+ /usr/bin/gpg --batch --detach-sign $i;
+done;
+#shred /dev/shm/sb-passpwd.txt;
+echo "[*] Signing Complete!";
diff --git a/local-sbin/update-mydebs b/local-sbin/update-mydebs
new file mode 100644
index 0000000..cc0ca12
--- /dev/null
+++ b/local-sbin/update-mydebs
@@ -0,0 +1,3 @@
+#! /bin/bash
+cd /usr/local/mydebs
+dpkg-scanpackages . /dev/null | gzip -9c > Packages.gz
diff --git a/local-sbin/verify-boot b/local-sbin/verify-boot
new file mode 100644
index 0000000..d8ce70d
--- /dev/null
+++ b/local-sbin/verify-boot
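Review bot: The last loop of sign-boot never signs the `*.cfg` files under /boot/efi: in `find /boot/efi -iname "*.cfg" -type f -o -iname "*.efi" -type f -print` the `-print` binds only to the `*.efi` branch, and because an explicit action is present find prints nothing for the `*.cfg` branch. Grouping the name tests fixes it: `find /boot/efi \( -iname "*.cfg" -o -iname "*.efi" \) -type f -print`. The same expression is used in both /boot/efi loops of local-sbin/verify-boot, so as the patch stands those configuration files are neither signed nor checked. The `for i in $(find …)` loops also split paths on whitespace and pass `$i` unquoted, which would misbehave on any file name containing a space.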
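Review bot: `cd /usr/local/mydebs` in update-mydebs is not checked, so if the directory is missing `dpkg-scanpackages` scans the caller's current directory and writes Packages.gz there. `cd /usr/local/mydebs || exit 1` avoids that.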
@@ -0,0 +1,54 @@
+#!/bin/bash
+echo "[*] Preparing to verify!";
+echo "[-] Missing Signatures:";
+ec=0;
+for i in $(find /boot -iname "efi" -prune -o -iname "*.sig" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
+do
+ if [ ! -f "$i.sig" ]; then
+ echo "Missing: $i";
+ ec=1;
+ fi
+done;
+for i in $(find /boot/efi -iname "*.cfg" -type f -o -iname "*.efi" -type f -print)
+do
+ if [ ! -f "$i.sig" ]; then
+ echo "Missing: $i";
+ ec=1;
+ fi
+done;
+bad='Good';
+echo "[*] Signed:";
+for i in $(find /boot -iname "efi" -prune -o -iname "*.sig" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
+do
+ if [ -f "$i.sig" ]; then
+ if gpg --verify-files "$i.sig" > /dev/null 2>&1
+ then
+ echo "Good: $i";
+ else
+ echo "Bad: $i";
+ bad='Bad';
+ ec=2;
+ fi
+ fi
+done;
+for i in $(find /boot/efi -iname "*.cfg" -type f -o -iname "*.efi" -type f -print)
+do
+ if [ -f "$i.sig" ]; then
+ if gpg --verify-files "$i.sig" > /dev/null 2>&1
+ then
+ echo "Good: $i";
+ else
+ echo "Bad: $i";
+ bad='Bad';
+ ec=2;
+ fi
+ fi
+done;
+echo "[-] Signature State: $bad";
+if [ $ec -ne 0 ]; then
+ touch /boot/boot-tainted;
+elif [ -f /boot/boot-tainted ]; then
+ rm -f /boot/boot-tainted;
+fi
+echo "[*] Finished Verification!";
+exit $ec;
diff --git a/p7zip-1602/makefile.machine b/p7zip-1602/makefile.machine
new file mode 100644
index 0000000..db8c8b7
--- /dev/null
+++ b/p7zip-1602/makefile.machine
@@ -0,0 +1,24 @@
+
+OPTFLAGS=-O -s
+
+# Install libwxgtk3.0-gtk3-dev (Any libwxgtk >= 2)
+# use "-m32" to have a 32bits executable
+ALLFLAGS=-m64 ${OPTFLAGS} -pipe \
+ -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE \
+ -DNDEBUG -D_REENTRANT -DENV_UNIX \
+ -D_7ZIP_LARGE_PAGES \
+ $(LOCAL_FLAGS)
+
+CXX=g++ -Wno-narrowing -std=c++11
+CC=gcc -Wno-narrowing -std=c11
+CC_SHARED=-fPIC
+LINK_SHARED=-fPIC -shared
+
+PRE_COMPILED_HEADER=StdAfx.h.gch
+
+LOCAL_LIBS=-lpthread
+LOCAL_LIBS_DLL=$(LOCAL_LIBS) -ldl
+
+OBJ_CRC32=$(OBJ_CRC32_C)
+OBJ_AES=
+
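Review bot: `gpg --verify-files "$i.sig"` in verify-boot accepts a good signature from any public key in the invoking user's keyring, so a "Good" line does not show that the file was signed by the boot-signing key. Verifying against a keyring that holds only that key pins the signer, e.g. `gpgv --keyring <BOOT_SIGNING_KEYRING> "$i.sig" "$i"` in both verification loops (the keyring path is a placeholder). A short header comment stating that exit code 1 means a missing signature and 2 a failed one would also help callers such as boot-verify-sign, which currently treats both the same.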
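Review bot: `OPTFLAGS=-O -s` in makefile.machine builds p7zip with no compiler or linker hardening, although this code parses archives that may come from untrusted sources. I would add the usual flags, e.g. `OPTFLAGS=-O2 -s -fstack-protector-strong -D_FORTIFY_SOURCE=2` and `LOCAL_LIBS=-lpthread -Wl,-z,relro,-z,now`, and confirm the tree still builds with them. Whether `LOCAL_LIBS` reaches every link line is decided by the main makefile, which is not part of this patch.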