From 954fb61e917c90909d2f0a5558a7fa12427d599f Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sat, 13 Jun 2015 14:20:07 +0100
Subject: [PATCH] Verify the firmware of OneRNG devices

---
 src/freedombone | 40 +++++++++++++++++++++++++++++-----------
 1 file changed, 29 insertions(+), 11 deletions(-)

diff --git a/src/freedombone b/src/freedombone
index beec3f2e..0b8ab459 100755
--- a/src/freedombone
+++ b/src/freedombone
@@ -1497,18 +1497,20 @@ function remove_instructions_from_motd {
 }
 
 function check_hwrng {
- # If hardware random number generation was enabled then make sure that the device exists.
- # if /dev/hwrng is not found then any subsequent cryptographic key generation would
- # suffer from low entropy and might be insecure
- if [ ! -f /etc/default/rng-tools ]; then
- return
- fi
- if [ ! -e /dev/hwrng ]; then
- ls /dev/hw*
- echo 'The hardware random number generator is enabled but could not be detected on'
- echo '/dev/hwrng. There may be a problem with the installation or the Beaglebone hardware.'
- exit 75
+ if [[ $HWRNG_TYPE == "beaglebone" ]]; then
+ # If hardware random number generation was enabled then make sure that the device exists.
+ # if /dev/hwrng is not found then any subsequent cryptographic key generation would
+ # suffer from low entropy and might be insecure
+ if [ ! -e /dev/hwrng ]; then
+ ls /dev/hw*
+ echo 'The hardware random number generator is enabled but could not be detected on'
+ echo '/dev/hwrng. There may be a problem with the installation or the Beaglebone hardware.'
+ exit 75
+ fi
 fi
+
+ # If a OneRNG device was install then verify its firmware
+ check_onerng_verification
 }
 
 function get_mariadb_password {
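Review bot: The rewritten `check_hwrng` keys both the /dev/hwrng check and the OneRNG verification off `$HWRNG_TYPE`, so when that variable is unset or empty the function silently performs no check at all, whereas the removed `[ ! -f /etc/default/rng-tools ]` guard at least tied the check to rng-tools actually being configured on the host. The hunk does not show where `HWRNG_TYPE` is assigned, and if the script runs under `set -u` an unset value would abort here instead of skipping; either fail loudly, `: "${HWRNG_TYPE:?HWRNG_TYPE must be set before check_hwrng}"`, or put a comment above the first `if` stating that an empty `HWRNG_TYPE` means "no hardware RNG configured, nothing to verify". The new code also mixes `[[ … ]]` for the type comparison with `[ ! -e /dev/hwrng ]` for the device test; `[[ ! -e /dev/hwrng ]]` keeps the function consistent. `check_onerng_verification` is defined in a later hunk, so this call presumably works only because `check_hwrng` is invoked after the whole file has been read — worth confirming at the call site.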
@@ -4736,6 +4738,22 @@ function enable_zram {
 echo 'enable_zram' >> $COMPLETION_FILE
 }
 
+function check_onerng_verification {
+ if [[ $HWRNG_TYPE != "onerng" ]]; then
+ return
+ fi
+ echo 'Checking OneRNG firmware verification'
+ last_onerng_validation=$(cat /var/log/syslog.1 | grep "OneRNG: firmware verification" | awk '/./{line=$0} END{print line}')
+ if [[ $last_onerng_validation != *"passed OK"* ]]; then
+ last_onerng_validation=$(cat /var/log/syslog | grep "OneRNG: firmware verification" | awk '/./{line=$0} END{print line}')
+ if [[ $last_onerng_validation != *"passed OK"* ]]; then
+ echo $last_onerng_validation
+ echo 'OneRNG firmware verification failed'
+ exit 735026
+ fi
+ fi
+}
+
 function install_onerng {
 apt-get -y install rng-tools at python-gnupg