Created
March 31, 2017 22:51
-
-
Save jpouellet/abe5cf438267afffc851a1a11d8be8f0 to your computer and use it in GitHub Desktop.
qubes-rpc service to write image to USB stick & return hash of contents actually written
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| if [ $# -eq 0 ]; then | |
| dev=/dev/sda | |
| else | |
| # Protected by arg-specific qubes-rpc policy. | |
| dev=/dev/"$1" | |
| fi | |
| if ! [ -b "$dev" ]; then | |
| echo "${0##*/}: $dev: No such block device" >&2 | |
| exit 1 | |
| fi | |
| # Keep track of exactly how much we wrote to know where to stop reading later. | |
| len=$(sudo tee -- "$dev" | wc -c) | |
| echo "${0##*/}: Done writing $len bytes to $dev. Verifying..." >&2 | |
| # Read it back from actual media, only once, passing it to all checksums. | |
| # Wait for all hashes to be done, and guarantee consistent ordering. | |
| sudo head -c "$len" -- "$dev" | ( | |
| tee >(sha1sum --tag) >(sha256sum --tag) > >(sha512sum --tag) | |
| ) | sort |
Install this either in /usr/local/etc/qubes-rpc of sys-usb or /etc/qubes-rpc of the template used by sys-usb.
The purpose of the hash is not so much for image verification (it should already be trusted before you decide to write it), but rather to detect when you have failing (or perhaps malicious?) media.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Example usage:
Using
curl -o- file:///...gives you a nice progress meter with reasonably-accurate ETA to completion.Example policy:
dom0:/etc/qubes-rpc/policy/jpo.WriteUSB
dom0:/etc/qubes-rpc/policy/jpo.WriteUSB+sda
dom0:/etc/qubes-rpc/policy/jpo.WriteUSB+sdb
Following service-oriented qrexec) model this would be
$anyvm dom0 ask,target=sys-usb.