Audit your /boot files with md5deep audit tool

Take the media device that you wrote (with the dd command) the image file fore Raspberry Pi.   Plug that media device (into your development workstation computer)    Make some mount points with 'mkdir' command.  Your setup and O/S might automatically make the mount points and mount the device for you.

sudo mkdir /media/da1s1

sudo mkdir /media/da1s2a

mount -t msdos /dev/mmcsda1s1  /media/da1s1

mount -t ufs /dev/mmcsda1s2a  /media/da1s2a

 

Here is the manual page for md5deep

 http://md5deep.sourceforge.net/md5deep.html

http://md5deep.sourceforge.net/start-md5deep.html 

https://en.wikipedia.org/wiki/Md5deep 

https://serverfault.com/questions/390522/how-can-i-easily-confirm-in-linux-that-two-separate-directories-have-the-exact-s 

 

While you could hack together a quick script that will calculate individual MD5 hashes for individual files in a directory, the better way to do it would be to use a tool called md5deep which will recursively calculate the hashes of all files in a directory, and then output them to a file. It can then be used on another directory, taking the first hash file as an input, and providing you with a list of files that are different between the two directories.

So, taking your example, you would follow this process:

  1. Calculate hashes of the required directory on Server A:

    md5deep -r /opt/foo/ > file_hashes.txt

  2. Copy the file file_hashes.txt file onto Server B for comparison.

  3. Calculate hashes of the required directory on Server B, but taking the file hashes from Server A as an input file by using the -x flag to only show files that are different:

    md5deep -x file_hashes.txt -r /opt/foo/

The md5deep set of tools forms part of the package management system of most distros, and the great thing is that it supports a number of different hashing algorithms, not just MD5. So if you're paranoid about collisions, you have a number of alternatives available. The following tools form part of md5deep, each providing an alternative hashing algorithm:

   md5deep - Compute and compare MD5 message digests
   sha1deep - Compute and compare SHA-1 message digests
   sha256deep - Compute and compare SHA-256 message digests
   tigerdeep - Compute and compare Tiger message digests
   whirlpooldeep - Compute and compare Whirlpool message digests

 

Github location for HASHDEEP/md5deep tools.  Read for information

https://github.com/jessek/hashdeep   

from Jesse Kornblum Github

 

 

hope@localhost ~> pwd
/home/hope


hope@localhost ~> cd /media/da1s1
hope@localhost /m/da1s1> ls
EFI bootcode.bin fixup_db.dat start_cd.elf
README config.txt fixup_x.dat start_db.elf
armstub8.bin fixup.dat overlays start_x.elf
bcm2710-rpi-3-b.dtb fixup_cd.dat start.elf u-boot.bin
hope@localhost /m/da1s1> ls -l
total 25248
drwxrwxr-x 1 root wheel 4096 May 10 09:38 EFI
-rw-r--r-- 1 root wheel 124 May 10 09:38 README
-rw-r--r-- 1 root wheel 5888 May 10 09:38 armstub8.bin
-rw-r--r-- 1 root wheel 28392 May 10 09:38 bcm2710-rpi-3-b.dtb
-rw-r--r-- 1 root wheel 52456 May 10 09:38 bootcode.bin
-rw-r--r-- 1 root wheel 141 May 10 09:38 config.txt
-rw-r--r-- 1 root wheel 7314 May 10 09:38 fixup.dat
-rw-r--r-- 1 root wheel 3187 May 10 09:38 fixup_cd.dat
-rw-r--r-- 1 root wheel 10298 May 10 09:38 fixup_db.dat
-rw-r--r-- 1 root wheel 10298 May 10 09:38 fixup_x.dat
drwxrwxr-x 1 root wheel 20480 May 10 09:38 overlays
-rw-r--r-- 1 root wheel 2952960 May 10 09:38 start.elf
-rw-r--r-- 1 root wheel 793116 May 10 09:38 start_cd.elf
-rw-r--r-- 1 root wheel 4794472 May 10 09:38 start_db.elf
-rw-r--r-- 1 root wheel 3704808 May 10 09:38 start_x.elf
-rw-r--r-- 1 root wheel 513168 May 10 09:38 u-boot.bin
hope@localhost /m/da1s1>

hope@localhost /m/da1s1> pwd
/media/da1s1
hope@localhost /m/da1s1> ls
EFI bootcode.bin fixup_db.dat start_cd.elf
README config.txt fixup_x.dat start_db.elf
armstub8.bin fixup.dat overlays start_x.elf
bcm2710-rpi-3-b.dtb fixup_cd.dat start.elf u-boot.bin
hope@localhost /m/da1s1> md5deep -z -b * > ~/audit_bootfiles_raspi4b_may12.md5
/media/da1s1/EFI: Is a directory
/media/da1s1/overlays: Is a directory
hope@localhost /m/da1s1> ls ~/audit_bootfiles_raspi4b_may12.md5
/home/hope/audit_bootfiles_raspi4b_may12.md5
hope@localhost /m/da1s1> ls -l ~/audit_bootfiles_raspi4b_may12.md5
-rw-r--r-- 1 hope wheel 815 May 12 02:03 /home/hope/audit_bootfiles_raspi4b_may12.md5
hope@localhost /m/da1s1> cat ~/audit_bootfiles_raspi4b_may12.md5
5888 74647627f798ca2a3fbed3c13e342c71 armstub8.bin
141 daa84f7928905470af6969db30de4af3 config.txt
3187 3af5097c49ce34ba375452ff5e486c05 fixup_cd.dat
28392 1a08a1b0a13ae93e0106384057136be3 bcm2710-rpi-3-b.dtb
52456 bc175da040361a117dea6ca0d5459c12 bootcode.bin
124 5aeff4c2e6496760c2b754cf51fabf6e README
7314 81f4693f6e65112b4e545d3f02f018f0 fixup.dat
10298 6bebd59753c504c3b312371014d8df26 fixup_db.dat
10298 4f30700929f834278238b1b0b6327b93 fixup_x.dat
793116 75c18a9fb7a5a851f4ee87bb70673b40 start_cd.elf
513168 e42c9fa7253d4c8d30c3c3e1c88f328e u-boot.bin
2952960 1ac5026674c8b8c9acdd8e43e7bc1d81 start.elf
3704808 40810618fd52598375c18856db1f13f9 start_x.elf
4794472 cb35a8bed01f9b4bb9b80105b2a1dc8a start_db.elf
hope@localhost /m/da1s1>



md5deep -h
md5deep version 4.4 by Jesse Kornblum and Simson Garfinkel.
$ md5deep [OPTION]... [FILES]...
See the man page or README.txt file or use -hh for the full list of options
-p <size> - piecewise mode. Files are broken into blocks for hashing
-r - recursive mode. All subdirectories are traversed
-e - show estimated time remaining for each file
-s - silent mode. Suppress all error messages
-z - display file size before hash
-m <file> - enables matching mode. See README/man page
-x <file> - enables negative matching mode. See README/man page
-M and -X are the same as -m and -x but also print hashes of each file
-w - displays which known file generated a match
-n - displays known hashes that did not match any input files
-a and -A add a single hash to the positive or negative matching set
-b - prints only the bare name of files; all path information is omitted
-l - print relative paths for filenames
-t - print GMT timestamp (ctime)
-i/I <size> - only process files smaller/larger than SIZE
-v - display version number and exit
-d - output in DFXML; -u - Escape Unicode; -W FILE - write to FILE.
-j <num> - use num threads (default 4)
-Z - triage mode; -h - help; -hh - full help


md5deep -hh
md5deep version 4.4 by Jesse Kornblum and Simson Garfinkel.
$ md5deep [OPTION]... [FILES]...
See the man page or README.txt file or use -hh for the full list of options
-p <size> - piecewise mode. Files are broken into blocks for hashing
-r - recursive mode. All subdirectories are traversed
-e - show estimated time remaining for each file
-s - silent mode. Suppress all error messages
-z - display file size before hash
-m <file> - enables matching mode. See README/man page
-x <file> - enables negative matching mode. See README/man page
-M and -X are the same as -m and -x but also print hashes of each file
-w - displays which known file generated a match
-n - displays known hashes that did not match any input files
-a and -A add a single hash to the positive or negative matching set
-b - prints only the bare name of files; all path information is omitted
-l - print relative paths for filenames
-t - print GMT timestamp (ctime)
-i/I <size> - only process files smaller/larger than SIZE
-v - display version number and exit
-d - output in DFXML; -u - Escape Unicode; -W FILE - write to FILE.
-j <num> - use num threads (default 4)
-Z - triage mode; -h - help; -hh - full help
-S - Silent mode, but warn on bad hashes
-0 - use a NUL (\0) for newline.
-k - print asterisk before filename
-u - escape Unicode characters in filenames
-B - verbose mode; repeat for more verbosity
-C - OS X only --- use Common Crypto hash functions
-Fb - I/O mode buffered; -Fu unbuffered; -Fm memory-mapped
-f <file> - take list of files to hash from filename
-o[bcpflsde] - expert mode. Only process certain types of files:
b=block dev; c=character dev; p=named pipe
f=regular file; l=symlink; s=socket; d=door e=Windows PE
-D <num> - set debug level to nn
hope@localhost /m/da1s1>

 

So, now you have tools to  categorize and qualify the files in the /boot directory.  Use an image that you have tested to boot up and work on your hardware with your HDMI monitor or display.

Run  the md5deep command tool to create a file that has size and md5 sums inside for the msdos FAT32 /boot directory .  Use this hash file to compare with new versions of the raspberry pi FreeBSD boot image with the /boot directory.

Here is a initial command line to use. Modify for your needs.

md5deep -z -b * > ~/audit_bootfiles_raspi4b_may12.md5_hash

Great resource that has examples of using md5deep near the end.

https://unix.stackexchange.com/questions/22730/is-there-md5-or-similar-to-a-folder-how-to-verify-if-two-folders-are-equal

Comments

  1. Obtaining md5 checksums of the boot files normally located in the /boot/efi directory (ESP FAT32) of a USB flash drive for booting the Raspberry Pi 4B. Performed with the https://Freebsd.org/where arm64 FreeBSD-14.0-Current July 6, 2023 snap shot image.
    Index of /snapshots/arm64/aarch64/ISO-IMAGES/14.0/
    Using a Linux O/S computer ( yes can be performed with a FreeBSD O/S computer, yet this I had available)
    Download XZ compressed image file https://download.freebsd.org/snapshots/arm64/aarch64/ISO-IMAGES/14.0/FreeBSD-14.0-CURRENT-arm64-aarch64-RPI-20230706-884eaacd24bd-263985.img.xz
    curl -O https://download.freebsd.org/snapshots/arm64/aarch64/ISO-IMAGES/14.0/FreeBSD-14.0-CURRENT-arm64-aarch64-RPI-20230706-884eaacd24bd-263985.img.xz
    or
    wget -c https://download.freebsd.org/snapshots/arm64/aarch64/ISO-IMAGES/14.0/FreeBSD-14.0-CURRENT-arm64-aarch64-RPI-20230706-884eaacd24bd-263985.img.xz


    XZ -d Free*.xz
    dd if=FreeBSD-14.0-CURRENT-arm64-aarch64-RPI-20230706-884eaacd24bd-263985.img of=/dev/sdc bs=1M conv=sync status=progress
    mkdir /media/msdos
    mount /dev/sdc1 /media/msdos

    FreeBSD-14.0-CURRENT-arm64-aarch64-RPI-20230706-884eaacd24bd-263985.img.xz 645398696 2023-Jul-06 13:19
    $ FreeBSD-14.0-CURRENT-arm64-aarch64-RPI-20230706-884eaacd24bd-263985.img.xz 645398696 2023-Jul-06 13:19

    /dev/sdc1 on /media/msdos type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro)
    mxme@mx16-Klik:/media/msdos
    $

    Jul 08, 2023, 16:02:48 md5deep -z -r * > ~/audit_bootfiles_raspi4b_july8.md5_hash

    5888 3a92d74688db2222f8720662dc5902d0 /media/msdos/armstub8.bin
    5888 165ec91ff1cd734909c6c1debb78e951 /media/msdos/armstub8-gic.bin

    177 20ab45202003d40ef7b82a0d213745ca /media/msdos/config.txt
    49090 9490c333629da513b498887bdfb594bc /media/msdos/bcm2711-rpi-4-b.dtb
    52456 bc175da040361a117dea6ca0d5459c12 /media/msdos/bootcode.bin

    8454 989ee4bfa4ba88b871c5a8d68790469e /media/msdos/fixup4x.dat
    8452 fab1cba97ab08d64e9453afd6c571416 /media/msdos/fixup4db.dat
    5448 92d0a068a2ab7039d663673d03482cc4 /media/msdos/fixup4.dat

    240 ec1a61f2cf768b409ddfd0d148b926a7 /media/msdos/README
    860628 2b457f7c83e736020313fd4feaf6a456 /media/msdos/EFI/BOOT/bootaa64.efi

    2228800 6bae42b26707aa0e05f3d47bdafaab96 /media/msdos/start4.elf
    2981192 75fbf37381f28a87da110b0459fe19ff /media/msdos/start4x.elf

    602552 71287bb1f4d4ceb9dc9cbf1efb0186a8 /media/msdos/u-boot.bin


    fdisk -l on a MXME 21 Wildflower Linux
    Disk /dev/sdb: 931.51 GiB, 1000204886016 bytes, 1953525168 sectors
    Disk model: PSSD T7
    Units: sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 33553920 bytes
    Disklabel type: gpt
    Disk identifier: D4AD3C58-24B6-433F-BCED-8081A4AD18C5

    Device Start End Sectors Size Type
    /dev/sdb1 2048 6293503 6291456 3G EFI System
    /dev/sdb2 6293504 111151103 104857600 50G Microsoft basic data
    /dev/sdb3 111151104 320866303 209715200 100G Linux filesystem
    /dev/sdb4 320866304 530581503 209715200 100G Linux filesystem
    /dev/sdb5 530581504 1886416895 1355835392 646.5G FreeBSD ZFS
    /dev/sdb6 1886416896 1919971327 33554432 16G Linux filesystem
    /dev/sdb7 1919971328 1936748543 16777216 8G Linux swap
    /dev/sdb8 1936748544 1953523711 16775168 8G FreeBSD swap


    Disk /dev/sdc: 115.23 GiB, 123730388992 bytes, 241660916 sectors
    Disk model: DataTraveler 3.0
    Units: sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disklabel type: dos
    Disk identifier: 0x00000000

    Device Boot Start End Sectors Size Id Type
    /dev/sdc1 * 2048 104447 102400 50M c W95 FAT32 (LBA)
    /dev/sdc2 104448 10485759 10381312 5G a5 FreeBSD
    mxme@mx16-Klik:/media/msdos
    $

    ReplyDelete
  2. Large newer edited config.txt file in use. July 3, 2023 1746 bytes long

    root@generic:/boot/efi # uname -aK
    FreeBSD generic 14.0-CURRENT FreeBSD 14.0-CURRENT #0 main-n263748-b95d2237af40: Thu Jun 22 11:10:5
    0 UTC 2023 root@releng1.nyi.freebsd.org:/usr/obj/usr/src/arm64.aarch64/sys/GENERIC arm64 14000
    90
    root@generic:/boot/efi # pwd
    /boot/efi
    root@generic:/boot/efi # ls -l c*
    -rwxr-xr-x 1 root wheel 1746 Jul 3 12:17 config.txt
    -rwxr-xr-x 1 root wheel 177 Jul 3 11:13 config.txt.original
    -rwxr-xr-x 1 root wheel 221 Jul 3 11:28 config_june22.txt
    root@generic:/boot/efi # md5 conf*
    MD5 (config.txt) = 17f6b36fb7d03c25b18cd86ab27363c6
    MD5 (config.txt.original) = 20ab45202003d40ef7b82a0d213745ca
    MD5 (config_june22.txt) = f2155c52a835dfd7d0d498450a587e90
    root@generic:/boot/efi # cat config.txt
    # https://www.vinnie.work/blog/2020-11-06-baremetal-rpi4-setup
    # https://docs.rtems.org/branches/master/user/bsps/bsps-aarch64.html#raspberry-pi-4b
    # if user wants to enable GIC, uncomment the next line
    # enable_gic=1
    # arm_64bit=1
    # dtoverlay = disable-bt
    # enable_uart=1

    # Disable pull downs
    # gpio=14,15,22-27=np
    gpio=22-27=np
    # set up uart3, disable pull downs, alt4 function 4:txd 5:rxd pin 7,29
    gpio=4,5=np,a4

    # Enable jtag pins (i.e. GPIO22-GPIO27)
    enable_jtag_gpio=1
    enable_uart=1
    # dtoverlay=uart3
    dtoverlay=

    device_tree_address=0x4000
    kernel=u-boot.bin
    #kernel=refind_aa64.efi
    arm_64bit=1
    # dtparam=audio=on,i2c_arm=on,spi=on
    dtparam=audio=on
    dtoverlay=mmc
    dtoverlay=disable-bt
    dtoverlay=vc4-kms-v3d
    max_framebuffers=2

    [pi4]
    #hdmi_safe=1
    ##### START audio over hdmi #####
    # You need them both set because hdmi_group=1 tells the kernel we are using CEA
    # mode (for TV's, has sound) instead of DMT mode(for monitors, no sound) and
    # hdmi_drive=2 tells the kernel to use HDMI if available. (HDMI mode has sound,
    DVI does not.)
    #hdmi_group=2 # DTE monitors, no HDMI sound
    hdmi_group=1
    hdmi_drive=2
    hdmi_mode=16
    # hdmi_mode=16 1080p 60Hz 16:9
    # hdmi_mode=4 720p 60Hz 16:9
    # hdmi_mode=15 480p 60Hz 16:9 double pixels
    ##### END audio over hdmi #####
    armstub=armstub8-gic.bin
    arm_boost=1
    [all]

    # over_voltage=2
    # arm_freq=1500
    # gpu_freq=600
    #
    #
    # Local addition that avoids USB3 SSD boot failures that look like:
    # uhub_reattach_port: port ? reset failed, error=USB_ERR_TIMEOUT
    # uhub_reattach_port: device problem (USB_ERR_TIMEOUT), disabling port ?
    # WARNING, not sufficient for "boot -s": that needs the full force_turbo=1
    initial_turbo=60
    [pi4]
    over_voltage=6
    arm_freq=2000
    sdram_freq_min=3200
    force_turbo=1
    #
    hdmi_safe=0

    root@generic:/boot/efi #

    ReplyDelete

Post a Comment

Popular posts from this blog

HDMI Audio sound patches into GhostBSD source code /usr/ghost14/ghostbsd-src SOLVED Jan20 2024

How to install GhostBSD-Arm64 into a USB Flash Drive stick April 24, 2024 update edition.

January 19, 2024 Howto Download a Raspberry Pi 4B bootable image from http://ghostbsdarm64.hopto.org/packages/