msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 54s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-08-05 20:32:52 +02:00
parent c90e7f0deb
commit 053a06d7e1
29 changed files with 276 additions and 184 deletions
Download Patch File Download Diff File Expand all files Collapse all files

206
func/cdi_4200_boot/4200_generate_fstab.sh Normal file
View File

@@ -0,0 +1,206 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Wrapper to write '/etc/fstab' entries.
# Globals:
# TARGET
# Arguments:
# 1: UUID or /dev/mapper
# 2: Mount Path
# 3: Filesystem
# 4: Mount Options
# 5: Pass value, while Dump value is hardcoded always "0".
# Returns:
# 0: on success
#######################################
write_fstab() {
declare write_maps="$1" write_path="$2" write_type="$3" write_opts="$4" write_pass="$5"
if [[ "${write_maps}" =~ ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}$ ]] || [[ "${write_maps}" =~ ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ ]]; then
printf "%-43s%-28s%-18s%-100s0 %s\n" "UUID=${write_maps}" "${write_path}" "${write_type}" "${write_opts}" "${write_pass}" >> "${TARGET}/etc/fstab"
do_log "info" "file_only" "4200() fstab entry generated: [UUID=${write_maps} ${write_path} ${write_type} ${write_opts} 0 ${write_pass}]."
elif [[ "${write_maps}" == /dev/mapper/* ]]; then
printf "%-43s%-28s%-18s%-100s0 %s\n" "${write_maps}" "${write_path}" "${write_type}" "${write_opts}" "${write_pass}" >> "${TARGET}/etc/fstab"
do_log "info" "file_only" "4200() fstab entry generated: [${write_maps} ${write_path} ${write_type} ${write_opts} 0 ${write_pass}]."
fi
return 0
}
#######################################
# Generate target '/etc/fstab' entries.
# Globals:
# ARY_PATHS_SORTED
# HMP_EPHEMERAL_ENCLABEL
# HMP_FSTAB_MOUNT_FTYPE
# HMP_FSTAB_MOUNT_OPTS
# HMP_PATH_FSUUID
# TARGET
# VAR_VERSION
# Arguments:
# None
# Returns:
# 0: on success
#######################################
generate_fstab() {
### Declare Arrays, HashMaps, and Variables.
declare var_path="" var_dmapper="" var_fs_uuid="" var_fs_path="" var_fs_type="" var_fs_opts="" var_fs_pass=""
### Generate '${TARGET}/etc/fstab' header.
: >| "${TARGET}/etc/fstab"
chmod 0600 "${TARGET}/etc/fstab"
cat << EOF >> "${TARGET}/etc/fstab"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# /etc/fstab : Generated by CISS.debian.installer ${VAR_VERSION}
# Architecture : ${VAR_ARCHITECTURE}
# Distribution : ${VAR_CODENAME}
# Static file system information '/etc/fstab'.
#
# Use 'blkid' to print the universally unique identifier for a device; this may be used with [UUID=] as a more robust way to
# name devices that work even if disks are added and removed. See fstab(5).
#
# 'systemd' generates mount units based on this file. See systemd.mount(5). Please run 'systemctl daemon-reload' after making
# changes here.
#
# <file system UUID> <mount point> <type> <options> <dump> <pass>
EOF
### Generate dynamic '${TARGET}/etc/fstab' entries.
for var_path in "${ARY_PATHS_SORTED[@]}"; do
case "${var_path,,}" in
swap|SWAP) continue;;
/tmp)
var_dmapper="${HMP_EPHEMERAL_ENCLABEL["${var_path}"]}"
var_fs_uuid="/dev/mapper/${var_dmapper}"
var_fs_path="${var_path}"
var_fs_type="${HMP_FSTAB_MOUNT_FTYPE["${var_path}"]}"
var_fs_opts="${HMP_FSTAB_MOUNT_OPTS["${var_path}"]}"
var_fs_pass="0"
;;
*)
var_fs_uuid="${HMP_PATH_FSUUID["${var_path}"]}"
var_fs_path="${var_path}"
var_fs_type="${HMP_FSTAB_MOUNT_FTYPE["${var_path}"]}"
var_fs_opts="${HMP_FSTAB_MOUNT_OPTS["${var_path}"]}"
case "${var_path,,}" in
/) var_fs_pass="1" ;;
/boot/efi) var_fs_pass="0" ;;
*) var_fs_pass="2" ;;
esac
;;
esac
case "${var_fs_type,,}" in
btrfs)
write_fstab "${var_fs_uuid}" "${var_fs_path}" "${var_fs_type}" "${var_fs_opts}" "${var_fs_pass}"
if [[ -v HMP_FSTAB_MOUNT_OPTS["${var_path}/.snapshots"] ]]; then
var_fs_opts="${HMP_FSTAB_MOUNT_OPTS["${var_path}/.snapshots"]}"
if [[ "${var_fs_path}" == "/" ]]; then
write_fstab "${var_fs_uuid}" "/.snapshots" "${var_fs_type}" "${var_fs_opts}" "${var_fs_pass}"
else
write_fstab "${var_fs_uuid}" "${var_fs_path}/.snapshots" "${var_fs_type}" "${var_fs_opts}" "${var_fs_pass}"
fi
fi
continue
;;
ext4)
write_fstab "${var_fs_uuid}" "${var_fs_path}" "${var_fs_type}" "${var_fs_opts}" "${var_fs_pass}"
continue
;;
fat32)
write_fstab "${var_fs_uuid}" "${var_fs_path}" "vfat" "${var_fs_opts}" "${var_fs_pass}"
continue
;;
esac
done
### Generate separate SWAP entry.
var_dmapper="${HMP_EPHEMERAL_ENCLABEL["SWAP"]}"
var_fs_uuid="/dev/mapper/${var_dmapper}"
var_fs_path="none"
var_fs_type="swap"
var_fs_opts="defaults"
var_fs_pass="0"
write_fstab "${var_fs_uuid}" "${var_fs_path}" "${var_fs_type}" "${var_fs_opts}" "${var_fs_pass}"
cat << 'EOF' >> "${TARGET}/etc/fstab"
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
EOF
do_log "info" "file_only" "4200() fstab entry generated: '/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0'."
cat << 'EOF' >> "${TARGET}/etc/fstab"
### Secure tmpfs mounts for a hardened system
# Mount the 'proc' filesystem to provide process and kernel information.
# Mount 'sysfs' to expose kernel device information to user space.
# Mount the 'devpts' filesystem to enable pseudo-terminal support for user sessions.
# Restrict '/dev/shm' to shared memory, limit size, prevent code execution.
# System runtime directory in RAM. Do not set 'noexec' here for compatibility.
proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0
sysfs /sys sysfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
tmpfs /dev/shm tmpfs rw,nodev,noexec,nosuid,relatime,size=1G 0 0
tmpfs /run tmpfs mode=0755,nodev,nosuid 0 0
# vim: number et ts=2 sw=2 sts=2 ai tw=200 ft=sh
EOF
do_log "info" "file_only" "4200() fstab generated successfully."
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

143
func/cdi_4200_boot/4210_generate_crypttab.sh Normal file
View File

@@ -0,0 +1,143 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# '/etc/crypttab' entry writer and logger.
# Globals:
# TARGET
# Arguments:
# 1: Encryption Label
# 2: LUKS Container UUID
# 3: Keyfile or none
# 4: LUKS Options
# Returns:
# 0: on success
#######################################
write_crypttab() {
declare write_label="$1" write_dev="$2" write_key_file="$3" write_opts="$4"
printf "%-43s%-46s%-40s%s \n" "${write_label}" "${write_dev}" "${write_key_file}" "${write_opts}" >> "${TARGET}/etc/crypttab"
do_log "info" "file_only" "4210() crypttab entry generated: [${write_label} ${write_dev} ${write_key_file} ${write_opts}]."
return 0
}
#######################################
# Generate target '/etc/crypttab' entries.
# Globals:
# HMP_EPHEMERAL_ENCLABEL
# HMP_PATH_ENCLABEL
# HMP_PATH_FSUUID
# HMP_PATH_LUKSUUID
# TARGET
# VAR_NUKE
# VAR_VERSION
# dropbear_boot
# Arguments:
# None
# Returns:
# 0: on success
#######################################
generate_crypttab() {
### Declare Arrays, HashMaps, and Variables.
declare var_key="" var_encryption_label="" var_luks_uuid="" var_ephemeral_enclabel="" var_host_uuid=""
### Generate '${TARGET}/etc/crypttab' header.
: >| "${TARGET}/etc/crypttab"
chmod 0600 "${TARGET}/etc/crypttab"
cat << EOF >> "${TARGET}/etc/crypttab"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# /etc/crypttab : Generated by CISS.debian.installer ${VAR_VERSION}
# Architecture : ${VAR_ARCHITECTURE}
# Distribution : ${VAR_CODENAME}
# Static file system information: '/etc/crypttab'.
#
# Basic rule: 'discard' / 'nodiscard' are normally only set in '/etc/crypttab' when LUKS/dm-crypt is in use. Options like
# 'discard=async' or similar are typically only set in '/etc/fstab' (at the file system level). The crypttab determines whether
# the underlying encrypted device (LUKS/dm-crypt) passes TRIM commands to the physical drive or not. The '/etc/fstab' determines
# whether and how the file system itself generates the discard operations and sends them down through the LUKS layer.
#
# RECOMMENDED: 'discard' enables the TRIM commands to be forwarded by the dm-crypt layer to the SSD/physical device. If ones do
# not specify discard in the '/etc/crypttab', dm-crypt blocks TRIM by default. This would render a discard in the '/etc/fstab'
# ineffective.
#
# <name> <device> <password-file-or-none> <options>
EOF
### Generate '${TARGET}/etc/crypttab' entries.
for var_key in "${!HMP_PATH_LUKSUUID[@]}"; do
var_encryption_label="${HMP_PATH_ENCLABEL["${var_key}"]}"
var_luks_uuid="${HMP_PATH_LUKSUUID["${var_key}"]}"
if [[ "${dropbear_boot,,}" == "true" ]]; then
write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs"
else
write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard"
fi
done
### Generate '${TARGET}/etc/crypttab' ephemeral entries.
for var_key in "${!HMP_EPHEMERAL_ENCLABEL[@]}"; do
var_ephemeral_enclabel="${HMP_EPHEMERAL_ENCLABEL["${var_key}"]}"
var_host_uuid="${HMP_PATH_FSUUID["${var_key}"]}"
case "${var_key}" in
SWAP)
write_crypttab "${var_ephemeral_enclabel}" "UUID=${var_host_uuid}" "/dev/random" "swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096"
;;
/tmp)
write_crypttab "${var_ephemeral_enclabel}" "UUID=${var_host_uuid}" "/dev/random" "offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4"
;;
*)
do_log "error" "file_only" "4060() Only 'SWAP' and '/tmp' are valid Partitions for Ephemeral Encryption. Given value was: '${var_key}'."
continue
;;
esac
done
cat << 'EOF' >> "${TARGET}/etc/crypttab"
# vim: number et ts=2 sw=2 sts=2 ai tw=200 ft=sh
EOF
do_log "info" "file_only" "4210() crypttab generated successfully."
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

37
func/cdi_4200_boot/4220_installation_cryptsetup.sh Normal file
View File

@@ -0,0 +1,37 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Installation of 'cryptsetup' and 'cryptsetup-initramfs' after '/etc/crypttab' generation.
# Globals:
# TARGET
# Arguments:
# None
# Returns:
# 0: on success
#######################################
installation_cryptsetup() {
### Declare Arrays, HashMaps, and Variables.
declare -r var_logfile="/root/.ciss/cdi/log/4220_installation_cryptsetup.log"
touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}"
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-recommends --no-install-suggests cryptsetup cryptsetup-initramfs 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

273
func/cdi_4200_boot/4230_update_grub.sh Normal file
View File

@@ -0,0 +1,273 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
# --- UEFI GRUB Installation Strategy ---
#
# We explicitly install GRUB using '--no-nvram' to avoid modifying NVRAM entries inside the chroot environment, which is
# unreliable and can break host firmware boot order. Instead of relying on '--removable', we manually copy the GRUB EFI binary
# to the fallback location 'EFI/BOOT/BOOTX64.EFI'. This mirrors the behavior of '--removable', but gives us more control over
# the bootloader ID and file paths.
# Result:
# - GRUB is available under 'EFI/debian/grubx64.efi' (for manual boot entries).
# - GRUB is also available as 'EFI/BOOT/BOOTX64.EFI' (UEFI fallback path, no NVRAM needed).
# This setup ensures compatibility with systems that do not retain NVRAM entries (e.g., removable drives, VM firmware).
#######################################
# Installation and setup of the GRUB2 (backported) version.
# The backported version MUST be installed for LUKS2 '/boot' encryption.
# Globals:
# TARGET
# VAR_ARCHITECTURE
# VAR_RECIPE_FIRMWARE
# VAR_SETUP_PATH
# grub_background_enable
# grub_background_path
# grub_latest
# grub_prober
# grub_skip
# var_update_grub_required
# Arguments:
# None
# Returns:
# 0: on success
# ERR_GRUB_BACKGROUND
# ERR_GRUB_EFI_FORCE
#######################################
update_grub() {
### Declare Arrays, HashMaps, and Variables.
declare -g var_update_grub_required="false" grub_update_nvram=${grub_update_nvram:-false}
declare -r var_logfile="/root/.ciss/cdi/log/4230_update_grub.log"
declare var_background=""
touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}"
if [[ "${grub_skip,,}" != "true" ]]; then
### Install GRUB2 package
if [[ "${grub_latest,,}" == "true" ]]; then
### Install the GRUB2 backported version from the Bookworm backports repository.
if [[ "${VAR_RECIPE_FIRMWARE}" == "uefi" ]]; then
case "${VAR_ARCHITECTURE,,}" in
amd64) do_in_target "${TARGET}" apt-get install -y --no-install-recommends -t bookworm-backports grub2 grub2-common grub-efi-amd64 ;;
arm64) do_in_target "${TARGET}" apt-get install -y --no-install-recommends -t bookworm-backports grub2 grub2-common grub-efi-arm64 ;;
i386) do_in_target "${TARGET}" apt-get install -y --no-install-recommends -t bookworm-backports grub2 grub2-common grub-efi-ia32 ;;
*) do_log "emergency" "file_only" "4230() Unsupported UEFI architecture: ${VAR_ARCHITECTURE}"; return "${ERR_GRUB_ARCHITECTURE}" ;;
esac
else
do_in_target "${TARGET}" apt-get install -y --no-install-recommends -t bookworm-backports grub2 grub2-common grub-pc
fi
else
### Install the GRUB2 stable version.
if [[ "${VAR_RECIPE_FIRMWARE}" == "uefi" ]]; then
case "${VAR_ARCHITECTURE,,}" in
amd64) do_in_target "${TARGET}" apt-get install -y --no-install-recommends grub2 grub2-common grub-efi-amd64 ;;
arm64) do_in_target "${TARGET}" apt-get install -y --no-install-recommends grub2 grub2-common grub-efi-arm64 ;;
i386) do_in_target "${TARGET}" apt-get install -y --no-install-recommends grub2 grub2-common grub-efi-ia32 ;;
*) do_log "emergency" "file_only" "4230() Unsupported UEFI architecture: ${VAR_ARCHITECTURE}"; return "${ERR_GRUB_ARCHITECTURE}" ;;
esac
else
do_in_target "${TARGET}" apt-get install -y --no-install-recommends grub2 grub2-common grub-pc
fi
fi
### Install grub on the specific device.
if [[ "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then
install_grub_uefi
elif [[ "${VAR_RECIPE_FIRMWARE,,}" == "bios" ]]; then
install_grub_bios
fi
### Enable booting from LUKS encrypted devices by default.
cat << EOF >> "${TARGET}/etc/default/grub"
# Enable booting from LUKS encrypted devices by default.
GRUB_ENABLE_CRYPTODISK=y
EOF
var_update_grub_required="true"
### Install a boot menu background.
if [[ "${grub_background_enable,,}" == "true" ]]; then
var_background=$(basename "${grub_background_path}")
install -m 0640 -o root -g root "${VAR_SETUP_PATH}${grub_background_path}" "${TARGET}/etc/default/grub.d/${var_background}"
cat << EOF >> "${TARGET}/etc/default/grub"
# Enable boot menu background.
GRUB_BACKGROUND="/etc/default/grub.d/${var_background}"
# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command 'vbeinfo'
GRUB_GFXMODE=1920x1080,1280x1024,1024x768,800x600
GRUB_GFXPAYLOAD_LINUX=keep
EOF
var_update_grub_required="true"
fi
### Change the GRUB OS detection configuration accordingly.
if [[ "${grub_prober,,}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/default/grub"
# If your computer has multiple operating systems installed, then you
# probably want to run os-prober. However, if your computer is a host
# for guest OSes installed via LVM or raw disk devices, running
# os-prober can cause damage to those guest OSes as it mounts
# filesystems to look for things.
GRUB_DISABLE_OS_PROBER=false
EOF
var_update_grub_required="true"
elif [[ "${grub_prober,,}" == "false" ]]; then
cat << EOF >> "${TARGET}/etc/default/grub"
# If your computer has multiple operating systems installed, then you
# probably want to run os-prober. However, if your computer is a host
# for guest OSes installed via LVM or raw disk devices, running
# os-prober can cause damage to those guest OSes as it mounts
# filesystems to look for things.
GRUB_DISABLE_OS_PROBER=true
EOF
var_update_grub_required="true"
fi
else
do_log "info" "file_only" "4230() GRUB2 setup skipped."
fi
[[ "${var_update_grub_required}" == "true" ]] && do_in_target "${TARGET}" update-grub
### Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them.
if [[ -f "${TARGET}/boot/grub/grub.cfg" ]]; then
chown root:root "${TARGET}/boot/grub/grub.cfg"
chmod 0640 "${TARGET}/boot/grub/grub.cfg"
fi
chmod -R 0700 "${TARGET}/etc/grub.d"
return 0
}
#######################################
# Installs GRUB to BIOS in BIOS mode.
# Globals:
# TARGET
# grub_bootdev
# var_update_grub_required
# Arguments:
# None
# Returns:
# 0: on success
# ERR_GRUB_INSTALL
#######################################
install_grub_bios() {
### Declare Arrays, HashMaps, and Variables.
declare -a ary_bios_arg=()
declare var_bios_mod=""
### Cryptographic modules.
var_bios_mod+="cryptodisk gcry_rijndael gcry_sha256 gcry_sha512 gcry_whirlpool gcry_serpent gcry_twofish luks luks2"
### Filesystem modules.
var_bios_mod+="btrfs ext2"
### Partitioning / Device / GPT
var_bios_mod+="biosdisk mdraid1x part_gpt"
### Device / Terminal modules.
var_bios_mod+="boot linux efi_gop efi_uga gfxterm gfxterm_background gfxterm_menu normal search search_fs_uuid search_label"
### Debug modules.
var_bios_mod+="cat echo hexdump ls test terminfo"
ary_bios_arg+=( --target=i386-pc --boot-directory=/boot "--modules=${var_bios_mod}" )
do_in_target "${TARGET}" grub-install "${ary_bios_arg[@]}" "${grub_bootdev}" || return "${ERR_GRUB_INSTALL}"
do_log "info" "file_only" "4230() Installed: GRUB on Device: '${grub_bootdev}' [BIOS]."
var_update_grub_required="true"
return 0
}
#######################################
# Installs GRUB to ESP in UEFI mode.
# Globals:
# TARGET
# grub_bootdev
# grub_force_efi
# grub_update_nvram
# var_update_grub_required
# Arguments:
# None
# Returns:
# 0: on success
# ERR_GRUB_INSTALL
#######################################
install_grub_uefi() {
### Declare Arrays, HashMaps, and Variables.
declare -a ary_uefi_arg=()
declare var_uefi_mod=""
### Cryptographic modules.
var_uefi_mod+="cryptodisk gcry_rijndael gcry_sha256 gcry_sha512 gcry_whirlpool gcry_serpent gcry_twofish luks luks2"
### Filesystem modules.
var_uefi_mod+="btrfs ext2"
### Partitioning / Device / GPT
var_uefi_mod+="mdraid1x part_gpt"
### Device / Terminal modules.
var_uefi_mod+="boot linux efi_gop efi_uga gfxterm gfxterm_background gfxterm_menu normal search search_fs_uuid search_label"
### Debug modules.
var_uefi_mod+="cat echo hexdump ls test terminfo"
ary_uefi_arg+=( --target=x86_64-efi --boot-directory=/boot --efi-directory=/boot/efi --bootloader-id=debian "--modules=${var_uefi_mod}" )
[[ "${grub_update_nvram,,}" == "false" ]] && ary_uefi_arg+=( --no-nvram )
do_in_target "${TARGET}" grub-install "${ary_uefi_arg[@]}" "${grub_bootdev}" || return "${ERR_GRUB_INSTALL}"
do_log "info" "file_only" "4230() Installed: GRUB on Device: '${grub_bootdev}' [UEFI]."
var_update_grub_required="true"
if [[ "${grub_force_efi,,}" == "true" ]]; then
mkdir -p "${TARGET}/boot/efi/EFI/BOOT"
cp "${TARGET}/boot/efi/EFI/debian/grubx64.efi" "${TARGET}/boot/efi/EFI/BOOT/BOOTX64.EFI"
do_log "info" "file_only" "4230() Installed: GRUB on Device: '${grub_bootdev}' [UEFI] on: Default EFI Boot-Path."
fi
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

85
func/cdi_4200_boot/4240_update_grub_password.sh Normal file
View File

@@ -0,0 +1,85 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Append the GRUB superuser block to '/etc/grub.d/40_custom'.
# Globals:
# DIR_CNF
# ERR_READ_GRUB_FILE
# TARGET
# VAR_DEBUG_TRACE
# Arguments:
# None
# Returns:
# 0: on success
# ERR_READ_GRUB_FILE
#######################################
update_grub_password() {
declare var_username="superadmin" var_password="" var_password_file="${DIR_CNF}/password_grub.txt" \
var_of="${TARGET}/etc/grub.d/40_custom" var_grub_entry=""
### No tracing for security reasons
[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
if [[ ! -f "${var_password_file}" ]] || ! IFS= read -r var_password < "${var_password_file}"; then
return "${ERR_READ_GRUB_FILE}"
fi
### Turn on tracing again
[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
var_grub_entry=$(generate_grub_password_pbkdf2 "${var_username}" "${var_password}")
### Append if not already present
if ! grep -q "set superusers=" "${var_of}"; then
{
echo ""
echo "### Added by CISS.debian.installer ###"
echo "${var_grub_entry}"
echo "### End by CISS.debian.installer ###"
} >> "${var_of}"
fi
do_in_target "${TARGET}" update-grub
return 0
}
#######################################
# Generate PBKDF2 password hash for GRUB.
# Arguments:
# 1: Username (default to superadmin).
# 2: User password.
# Returns:
# 0: on success
#######################################
generate_grub_password_pbkdf2() {
declare var_user="${1:-superadmin}"
declare var_pass="${2:?error: password required}"
expect <<EOF
log_user 0
spawn grub-mkpasswd-pbkdf2 --iteration-count=131072 --salt=64 --buflen=64
expect "Enter password:"
send "${var_pass}\r"
expect "Reenter password:"
send "${var_pass}\r"
expect {
-re {PBKDF2 hash of your password is (\S+)} {
puts "set superusers=\"${var_user}\"\npassword_pbkdf2 ${var_user} \$expect_out(1,string)"
}
}
EOF
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

63
func/cdi_4200_boot/4250_update_grub_bootparameter.sh Normal file
View File

@@ -0,0 +1,63 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
### Options in "GRUB_CMDLINE_LINUX" are always effective.
### Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
guard_sourcing
#######################################
# Hardening Grub boot parameter.
# Globals:
# ARY_BOOTPARAM
# TARGET
# VAR_GRUB_CMDLINE_LINUX_DEFAULT
# Arguments:
# None
# Returns:
# 0: on success
#######################################
update_grub_bootparameter() {
declare var_nuke_string="" var_param=""
grub_extract_current_string
for var_param in "${ARY_BOOTPARAM[@]}"; do
if [[ -z "${var_param}" ]]; then
do_log "warn" "file_only" "Empty GRUB parameter detected and skipped."
continue
fi
if grep -q --word-regexp "${var_param%%=*}" <<< "${VAR_GRUB_CMDLINE_LINUX_DEFAULT}"; then
do_log "info" "file_only" "Skipping duplicate kernel parameter: '${var_param}'."
continue
fi
VAR_GRUB_CMDLINE_LINUX_DEFAULT+=" ${var_param}"
done
if [[ "${VAR_NUKE}" == "true" ]]; then
var_nuke_string="nuke=${VAR_NUKE_HASH}"
VAR_GRUB_CMDLINE_LINUX+=" ${var_nuke_string}"
fi
grub_finalize_string
do_in_target "${TARGET}" update-grub
do_log "info" "file_only" "Setting GRUB kernel parameters: ${VAR_GRUB_CMDLINE_LINUX_DEFAULT}"
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh