V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m26s

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-09-03 13:11:24 +02:00
parent 44dcf86569
commit 16a20e38a0
2 changed files with 13 additions and 12 deletions


@@ -11,12 +11,11 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: unlock_wrapper.sh to be executed as '/etc/crypttab' keyscript and as dropbear SSH forced command. # SPDX-Comment: unlock_wrapper.sh to be executed as '/etc/crypttab' keyscript and as dropbear SSH forced command.
#set -Ceuo pipefail set -Ceuo pipefail
####################################### #######################################
# Variable declaration # Variable declaration
####################################### #######################################
#declare -r ASKPASS='/lib/cryptsetup/askpass'
# shellcheck disable=SC2016 # shellcheck disable=SC2016
declare -r REGEX='^\$6\$(rounds=([1-9][0-9]{3,8})\$)?([./A-Za-z0-9]{1,16})\$([./A-Za-z0-9]{86})$' declare -r REGEX='^\$6\$(rounds=([1-9][0-9]{3,8})\$)?([./A-Za-z0-9]{1,16})\$([./A-Za-z0-9]{86})$'
# shellcheck disable=SC2155 # shellcheck disable=SC2155
@@ -115,8 +114,8 @@ extract_nuke_hash() {
done done
### No 'nuke=HASH' entry found. color_echo "${GRE}" "✅ No Nuke Hash found. Proceeding."
return 1 return 0
} }
####################################### #######################################
@@ -168,9 +167,7 @@ nuke() {
color_echo "${RED}" "✘ Error: LUKS Device malfunction. System Power Off in 16 seconds." color_echo "${RED}" "✘ Error: LUKS Device malfunction. System Power Off in 16 seconds."
# TODO: DEBUGGER power_off 16
drop_bash
#power_off 16
} }
####################################### #######################################
@@ -263,7 +260,7 @@ fi)\
####################################### #######################################
read_passphrase() { read_passphrase() {
declare -i ROUNDS=0 declare -i ROUNDS=0
declare CAND="" SALT="" declare CAND="" SALT="" _FULL_SALT=""
### Read from SSH STDIN (or TTY fallback), never via '/lib/cryptsetup/askpass'. ### Read from SSH STDIN (or TTY fallback), never via '/lib/cryptsetup/askpass'.
ask_via_stdin "Enter passphrase: " PASSPHRASE ask_via_stdin "Enter passphrase: " PASSPHRASE
@@ -271,14 +268,18 @@ read_passphrase() {
echo "NUKE_ENABLED: ${NUKE_ENABLED}" echo "NUKE_ENABLED: ${NUKE_ENABLED}"
echo "NUKE_HASH : ${NUKE_HASH}" echo "NUKE_HASH : ${NUKE_HASH}"
# BusyBox mkpasswd invocation (no options):
CAND="$(mkpasswd "${PASSPHRASE}" "${_FULL_SALT}")" || CAND=""
### NUKE pre-check ### NUKE pre-check
if [[ "${NUKE_ENABLED,,}" == "true" ]]; then if [[ "${NUKE_ENABLED,,}" == "true" ]]; then
ROUNDS="$(cut -d'$' -f3 <<< "${NUKE_HASH}")" ROUNDS="$(cut -d'$' -f3 <<< "${NUKE_HASH}")"
ROUNDS="${ROUNDS#rounds=}" ROUNDS="${ROUNDS#rounds=}"
SALT="$(cut -d'$' -f4 <<< "${NUKE_HASH}")" SALT="$(cut -d'$' -f4 <<< "${NUKE_HASH}")"
_FULL_SALT="\$6\$rounds=${ROUNDS}\$${SALT}"
CAND=$(mkpasswd --method=sha-512 --salt="${SALT}" --rounds="${ROUNDS}" "${PASSPHRASE}") ### BusyBox mkpasswd invocation (no options):
CAND="$(mkpasswd "${PASSPHRASE}" "${_FULL_SALT}")"
# TODO: DEBUGGER # TODO: DEBUGGER
echo "ROUNDS : ${ROUNDS}" echo "ROUNDS : ${ROUNDS}"
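Review bot: In the last hunk of read_passphrase, the added `CAND="$(mkpasswd "${PASSPHRASE}" "${_FULL_SALT}")" || CAND=""` runs before the NUKE pre-check, while `_FULL_SALT` is still the empty string it was declared with, and it runs even when NUKE_ENABLED is not true. CAND is recomputed inside the `if` once the salt is built, so the early call appears to serve no purpose and puts the passphrase on a child process's argument list one extra time; I would drop those two lines. The call that remains also passes the passphrase as a positional argument, so if the mkpasswd copied into the initramfs can read the password from stdin, that form is safer (to be confirmed against that binary). Separately, REGEX accepts hashes without a `rounds=` segment, but the `cut -f3`/`-f4` parsing that feeds `_FULL_SALT` assumes the segment is present; for such a hash the salt would land in the integer ROUNDS and the nuke comparison could never match, assuming REGEX is what validates NUKE_HASH. The `# TODO: DEBUGGER` echoes still print NUKE_HASH and ROUNDS to the session, and read_passphrase continues past the end of the hunk.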


@@ -48,8 +48,8 @@ copy_exec /usr/bin/lsblk /usr/bin
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/lsblk /usr/bin] \n\e[0m" printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/lsblk /usr/bin] \n\e[0m"
### Include mkpasswd ### Include mkpasswd
copy_exec /usr/bin/mkpasswd /usr/bin copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/bin] \n\e[0m" printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd] \n\e[0m"
### Include udevadm (udev management tool) ### Include udevadm (udev management tool)
copy_exec /usr/bin/udevadm /usr/bin copy_exec /usr/bin/udevadm /usr/bin