16 changes: 0 additions & 16 deletions usr/share/rear/checkintegrity/COVE/default/001_compare_binaries.sh

This file was deleted.

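--- a/usr/share/rear/checkintegrity/COVE/default/010_verify_checksums.sh
+++ b/usr/share/rear/checkintegrity/COVE/default/010_verify_checksums.sh
@@ -0,0 +1,56 @@
+# Check md5sum files
+
+function verify_checksums() {
+local md5sum_files=()
+
+case "$COVE_CHECK_INTEGRITY" in
+all)
+md5sum_files+=(files.md5sum cove-files.md5sum)
+;;
+*binaries*)
+md5sum_files+=(cove-files.md5sum)
+;;&
+*configs*)
+md5sum_files+=(files.md5sum)
+;;
+esac
+
+if [ ${#md5sum_files[@]} -eq 0 ]; then
+LogUserOutput "Nothing to check. See COVE_CHECK_INTEGRITY in 'default.conf'."
+return 0
+fi
+
+LogUserOutput "Checking if certain restored files are consistent with the recreated system..."
+
+local all_pass=1
+for md5sum_file in "${md5sum_files[@]}" ; do
+local path="$VAR_DIR/layout/config/$md5sum_file"
+
+# Skip when there are no checksums for this file
+if ! test -s "$path"; then
+LogUserOutput "Warning: '$path' not found. Skipped."
+continue
+fi
+
+LogUserOutput "Verifying checksums from '$path'..."
+
+local md5sum_stdout
+if ! md5sum_stdout="$( md5sum -c --quiet < "$path" )" ; then
+LogUserOutput "Restored file(s) do not fully match the recreated system."
+LogUserOutput "$( sed -e 's/^/ /' <<< "$md5sum_stdout" )"
+LogUserOutput "Verification failed: checksums do not match for file(s) in '$md5sum_file'."
+all_pass=0
+else
+LogUserOutput "Verification passed: checksums match in '$md5sum_file'."
+fi
+done
+
+if [ $all_pass -eq 1 ]; then
+LogUserOutput ""
+LogUserOutput "Verification passed: all checksums match."
+else
+Error "Verification failed: checksums did NOT match."
+fi
+}
+
+verify_checksums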
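Review bot: verify_checksums ends with "Verification passed: all checksums match" even when every checksum file was skipped as missing, because `all_pass` starts at 1 and the `continue` after the `test -s "$path"` check never touches it; an integrity check whose reference data is absent should not fail open. Track whether at least one manifest was actually verified and make the final branch distinguish "nothing verified" from "all verified", as sketched below (an Error there, or at minimum a warning instead of a pass). The `;;&` in the `case` is intentional fall-through that lets `binaries` and `configs` be selected together, which deserves a one-line comment such as `# ;;& keeps matching so binaries and configs can be combined`. Note also that md5sum's own diagnostics go to stderr and are not captured in `md5sum_stdout`, so they reach the log unindented; `2>&1` inside the substitution would keep them with the per-file output.

```shell
local all_pass=1
local checked=0
for md5sum_file in "${md5sum_files[@]}" ; do
    # … unchanged: path setup and skip of a missing/empty checksum file …
    checked=1
    # … unchanged: md5sum -c run and per-file reporting …
done

if [ $checked -eq 0 ]; then
    Error "Verification failed: no checksum files found under '$VAR_DIR/layout/config'."
elif [ $all_pass -eq 1 ]; then
    LogUserOutput ""
    LogUserOutput "Verification passed: all checksums match."
else
    Error "Verification failed: checksums did NOT match."
fi
```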
6 changes: 6 additions & 0 deletions usr/share/rear/conf/default.conf
Expand Up @@ -3351,6 +3351,12 @@ COVE_VERIFY_BINARIES=0
# Locations to verify during recovery when COVE_VERIFY_BINARIES is enabled
COVE_VERIFY_PATHS=(/boot/efi /usr/bin /usr/sbin /usr/lib)

# Checks to perform after Bare-Metal Recovery
# all - do all checks
# binaries - check the hash sum of binary files
# configs - check the hash sum of configuration files specified in CHECK_CONFIG_FILES
COVE_CHECK_INTEGRITY="${COVE_CHECK_INTEGRITY:-binaries}"

##
# End of BACKUP=COVE default settings.
####
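Review bot: The new COVE_CHECK_INTEGRITY comment lists `all`, `binaries` and `configs` but does not say whether the values can be combined or how to disable the check, which a user needs in order to choose between `all` and a value such as `"binaries configs"`; the consumer lives outside this hunk, so state the accepted forms here, e.g. `# Values may be combined, e.g. "binaries configs"; set empty to skip all checks.` It is also worth saying that `binaries` only has an effect when COVE_VERIFY_BINARIES is enabled, since the hunk header shows it defaulting to 0 and the visible comment on COVE_VERIFY_PATHS ties binary verification to that switch — with the defaults shown here, the `binaries` default appears to have no manifest to check. The `${COVE_CHECK_INTEGRITY:-binaries}` form keeps a value already set in the environment, unlike the plain assignment used for COVE_VERIFY_BINARIES above; if that difference is deliberate, a short comment would stop a reader from "fixing" it.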
20 changes: 19 additions & 1 deletion usr/share/rear/layout/save/default/600_snapshot_files.sh
@@ -1,4 +1,7 @@
# Save a hash of files that would warrant a new rescue image when changed.

# shellcheck disable=SC2168,SC2207

if [ "$WORKFLOW" = "checklayout" ] ; then
return 0
fi
Expand All @@ -12,7 +15,7 @@ for obj in "${CHECK_CONFIG_FILES[@]}" ; do
config_files+=( "$obj")
fi
done
md5sum "${config_files[@]}" > $VAR_DIR/layout/config/files.md5sum
md5sum "${config_files[@]}" > "$VAR_DIR/layout/config/files.md5sum"

# For COVE backup, additionally verify binaries if enabled
local item
Expand All @@ -27,6 +30,21 @@ if [ "$WORKFLOW" = "mksystemstate" ] && is_true "$COVE_VERIFY_BINARIES" ; then
cove_files+=( "$item" )
fi
done

# See finalize/COVE/Debian/620_upgrade_bootloaders.sh to find out when
# signed binaries are copied from the Cove Rescue Media to the target fs
# on systems running Debian 10. The logic is simplified because UEFI_BOOTLOADER
# path is unknown by this time.
if [ "$OS_VENDOR_VERSION" = "Debian/10" ] && is_true "$USING_UEFI_BOOTLOADER"; then
local exclusions=(
/boot/efi/EFI/debian/grubx64.efi
/boot/efi/EFI/debian/shimx64.efi
)
local exclusion
for exclusion in "${exclusions[@]}"; do
cove_files=( $( RmInArray "$exclusion" "${cove_files[@]}" ) )
done
fi
fi

cove_md5sum_file="$VAR_DIR/layout/config/cove-files.md5sum"
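Review bot: `cove_files=( $( RmInArray "$exclusion" "${cove_files[@]}" ) )` rebuilds the array through unquoted word splitting and pathname expansion, which the new `# shellcheck disable=SC2168,SC2207` at the top of the file silences rather than fixes; any path containing whitespace or glob characters would be split or expanded before it reaches cove-files.md5sum. If RmInArray prints one element per line, `mapfile -t cove_files < <( RmInArray "$exclusion" "${cove_files[@]}" )` keeps elements intact without the disable — I cannot see RmInArray's output format from here, so confirm before switching. Since the two bootloader binaries are deliberately dropped from the integrity manifest on Debian 10 UEFI systems, record that in the log as well, e.g. `Log "Not checksumming $exclusion: replaced from rescue media by finalize/COVE/Debian/620_upgrade_bootloaders.sh"`, so a later verification report makes clear these files were never covered. The enclosing `if [ "$WORKFLOW" = "mksystemstate" ] && is_true "$COVE_VERIFY_BINARIES"` block starts outside the hunk.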