V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-07-23 08:50:22 +02:00
parent 328e346c95
commit 080e04efa3
52 changed files with 35 additions and 37 deletions
--- a/func/partitioning/3220_partition_encryption.sh
+++ b/func/partitioning/3220_partition_encryption.sh
@@ -0,0 +1,156 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Function to encrypt the respective partition on each device according to the chosen recipe string.
+# Globals:
+#   DIR_BAK
+#   DIR_CNF
+#   HMP_EPHEMERAL_DEV
+#   HMP_EPHEMERAL_ENCLABEL
+#   HMP_EPHEMERAL_FS_LABEL
+#   HMP_PATH_ENCLABEL
+#   HMP_PATH_LUKSUUID
+#   VAR_CRYPT_ROOT
+#   VAR_RECIPE_STRING
+#   VAR_SETUP_PART
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+partition_encryption() {
+  ### Declare Arrays and Variables.
+  declare -Agx HMP_EPHEMERAL_DEV HMP_EPHEMERAL_ENCLABEL HMP_EPHEMERAL_FS_LABEL HMP_PATH_LUKSUUID HMP_PATH_ENCLABEL
+  declare var_dev var_part \
+    var_encryption_enable var_encryption_ephemeral var_encryption_integrity var_encryption_cipher \
+    var_encryption_hash var_encryption_iter var_encryption_key var_encryption_label var_encryption_meta \
+    var_encryption_pbkdf var_encryption_rng var_filesystem_label var_mount_path var_uuid
+  declare -a ary_devs=() ary_parts=() ary_luks_opts=()
+
+  ### Iterate over all devices in the recipe.
+  readarray -t ary_devs < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}")
+  for var_dev in "${ary_devs[@]}"; do
+
+    ### Iterate over all partitions for this device.
+    readarray -t ary_parts < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}")
+    for var_part in "${ary_parts[@]}"; do
+
+      ### Extract parameters from YAML.
+      var_encryption_enable=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.enable"       "${VAR_SETUP_PART}")
+      var_encryption_ephemeral=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.ephemeral" "${VAR_SETUP_PART}")
+      var_encryption_integrity=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.integrity" "${VAR_SETUP_PART}")
+      var_encryption_cipher=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.cipher"       "${VAR_SETUP_PART}")
+      var_encryption_hash=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.hash"           "${VAR_SETUP_PART}")
+      var_encryption_iter=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.itertime"       "${VAR_SETUP_PART}")
+      var_encryption_key=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.key"             "${VAR_SETUP_PART}")
+      var_encryption_label=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.label"         "${VAR_SETUP_PART}")
+      var_encryption_meta=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.metadatasize"   "${VAR_SETUP_PART}")
+      var_encryption_pbkdf=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.pbkdf"         "${VAR_SETUP_PART}")
+      var_encryption_rng=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.rng"             "${VAR_SETUP_PART}")
+      var_filesystem_label=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.label"         "${VAR_SETUP_PART}")
+      var_mount_path=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.path"                     "${VAR_SETUP_PART}")
+
+      if [[ "${var_encryption_enable,,}" != "true" ]]; then
+        continue
+      fi
+
+      if [[ "${var_mount_path,,}" == "/boot" ]]; then
+        ary_luks_opts=( "--key-file=${DIR_CNF}/password_luks_boot.txt" )
+      else
+        ary_luks_opts=( "--key-file=${DIR_CNF}/password_luks_common.txt" )
+      fi
+
+      ary_luks_opts+=(
+        "--type luks2"
+        "--cipher ${var_encryption_cipher}"
+        "--hash ${var_encryption_hash}"
+        "--iter-time ${var_encryption_iter}"
+        "--key-size ${var_encryption_key}"
+        "--label ${var_encryption_label}"
+        "--luks2-metadata-size ${var_encryption_meta}"
+        "--pbkdf ${var_encryption_pbkdf}"
+        "--${var_encryption_rng}"
+        "--batch-mode --verbose"
+      )
+
+      [[ "${var_encryption_integrity,,}" == "true" ]] && ary_luks_opts+=( "--integrity hmac-sha512" )
+
+      if [[ "${var_encryption_ephemeral,,}" == "true" ]]; then
+
+        case "${var_mount_path}" in
+
+          SWAP|/tmp)
+
+            mkfs.ext4 -L "${var_filesystem_label}" "/dev/${var_dev}${var_part}" 1M
+            do_log "info" "true" "Ephemeral: '${var_mount_path}' prepared on: '/dev/${var_dev}${var_part}'."
+
+            HMP_EPHEMERAL_DEV["${var_mount_path}"]="/dev/${var_dev}${var_part}"
+            HMP_EPHEMERAL_ENCLABEL["${var_mount_path}"]="${var_encryption_label}"
+            HMP_EPHEMERAL_FS_LABEL["${var_mount_path}"]="${var_filesystem_label}"
+            do_log "info" "true" "Stored in HashMap [HMP_EPHEMERAL_DEV]     : '${var_mount_path}' -> '${HMP_EPHEMERAL_DEV["${var_mount_path}"]}'"
+            do_log "info" "true" "Stored in HashMap [HMP_EPHEMERAL_ENCLABEL]: '${var_mount_path}' -> '${HMP_EPHEMERAL_ENCLABEL["${var_mount_path}"]}'"
+            continue
+            ;;
+
+          *)
+            do_log "error" "true" "Invalid mount path: '${var_mount_path}' for partition: '/dev/${var_dev}${var_part}'."
+            continue
+            ;;
+
+        esac
+
+      fi
+
+      cryptsetup luksFormat "${ary_luks_opts[@]}" "/dev/${var_dev}${var_part}"
+
+      if [[ "${var_encryption_integrity,,}" == "true" ]]; then
+
+        do_log "info" "true" "Partition: '/dev/${var_dev}${var_part}' dm-integrity encrypted."
+
+      else
+
+        do_log "info" "true" "Partition: '/dev/${var_dev}${var_part}' encrypted."
+
+      fi
+
+      cryptsetup luksHeaderBackup --header-backup-file="${DIR_BAK}/luks_header_${var_dev}${var_part}.bak" "/dev/${var_dev}${var_part}"
+      do_log "info" "true" "Partition: '/dev/${var_dev}${var_part}' LUKS Header saved: '${DIR_BAK}/luks_header_${var_dev}${var_part}.bak'."
+
+      ### Opening encrypted container.
+      if [[ "${var_mount_path,,}" == "/boot" ]]; then
+        cryptsetup luksOpen "/dev/${var_dev}${var_part}" \
+          --key-file="${DIR_CNF}/password_luks_boot.txt" \
+          "${var_encryption_label}"
+      else
+        cryptsetup luksOpen "/dev/${var_dev}${var_part}" \
+          --key-file="${DIR_CNF}/password_luks_common.txt" \
+          "${var_encryption_label}"
+      fi
+      do_log "info" "true" "Partition: '/dev/${var_dev}${var_part}' opened as '/dev/mapper/${var_encryption_label}'."
+
+      ### Store UUID of the LUKS container.
+      var_uuid=$(blkid -s UUID -o value "/dev/mapper/${var_encryption_label}")
+      # shellcheck disable=SC2155
+      [[ "${var_mount_path}" == "/" ]] && declare -grx VAR_CRYPT_ROOT="${var_uuid}"
+      [[ "${var_mount_path}" == "/recovery" ]] && declare -grx VAR_CRYPT_RECOVERY="${var_uuid}"
+      HMP_PATH_LUKSUUID["UUID_${var_mount_path}"]="${var_uuid}"
+      HMP_PATH_ENCLABEL["LABEL_${var_mount_path}"]="${var_encryption_label}"
+
+    done
+
+  done
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh