msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 52s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-08-03 17:10:34 +02:00
parent a022769093
commit 525e7db19f
38 changed files with 288 additions and 182 deletions
Download Patch File Download Diff File Expand all files Collapse all files

204
func/cdi_4200_boot_installation/4200_generate_fstab.sh Normal file
View File

@@ -0,0 +1,204 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Wrapper to write '/etc/fstab' entries.
# Globals:
# TARGET
# Arguments:
# 1: UUID or /dev/mapper
# 2: Mount Path
# 3: Filesystem
# 4: Mount Options
# 5: Pass value, while Dump value is hardcoded always "0".
# Returns:
# 0: on success
#######################################
write_fstab() {
declare write_maps="$1" write_path="$2" write_type="$3" write_opts="$4" write_pass="$5"
if [[ "${write_maps}" =~ ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}$ ]] || [[ "${write_maps}" =~ ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ ]]; then
printf "%-43s%-28s%-18s%-100s0 %s\n" "UUID=${write_maps}" "${write_path}" "${write_type}" "${write_opts}" "${write_pass}" >> "${TARGET}/etc/fstab"
do_log "info" "file_only" "4200() fstab entry generated: [UUID=${write_maps} ${write_path} ${write_type} ${write_opts} 0 ${write_pass}]."
elif [[ "${write_maps}" == /dev/mapper/* ]]; then
printf "%-43s%-28s%-18s%-100s0 %s\n" "${write_maps}" "${write_path}" "${write_type}" "${write_opts}" "${write_pass}" >> "${TARGET}/etc/fstab"
do_log "info" "file_only" "4200() fstab entry generated: [${write_maps} ${write_path} ${write_type} ${write_opts} 0 ${write_pass}]."
fi
return 0
}
#######################################
# Generate target '/etc/fstab' entries.
# Globals:
# ARY_PATHS_SORTED
# HMP_EPHEMERAL_ENCLABEL
# HMP_FSTAB_MOUNT_FTYPE
# HMP_FSTAB_MOUNT_OPTS
# HMP_PATH_FSUUID
# TARGET
# VAR_VERSION
# Arguments:
# None
# Returns:
# 0: on success
#######################################
generate_fstab() {
### Declare Arrays, HashMaps, and Variables.
declare var_path="" var_dmapper="" var_fs_uuid="" var_fs_path="" var_fs_type="" var_fs_opts="" var_fs_pass=""
### Generate '${TARGET}/etc/fstab' header.
: >| "${TARGET}/etc/fstab"
chmod 0600 "${TARGET}/etc/fstab"
cat << EOF >> "${TARGET}/etc/fstab"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# /etc/fstab : Generated by CISS.debian.installer ${VAR_VERSION}
# Architecture : ${VAR_ARCHITECTURE}
# Distribution : ${VAR_CODENAME}
# Static file system information '/etc/fstab'.
#
# Use 'blkid' to print the universally unique identifier for a device; this may be used with [UUID=] as a more robust way to
# name devices that work even if disks are added and removed. See fstab(5).
#
# 'systemd' generates mount units based on this file. See systemd.mount(5). Please run 'systemctl daemon-reload' after making
# changes here.
#
# <file system UUID> <mount point> <type> <options> <dump> <pass>
EOF
### Generate dynamic '${TARGET}/etc/fstab' entries.
for var_path in "${ARY_PATHS_SORTED[@]}"; do
case "${var_path,,}" in
swap|SWAP) continue;;
/tmp)
var_dmapper="${HMP_EPHEMERAL_ENCLABEL["${var_path}"]}"
var_fs_uuid="/dev/mapper/${var_dmapper}"
var_fs_path="${var_path}"
var_fs_type="${HMP_FSTAB_MOUNT_FTYPE["${var_path}"]}"
var_fs_opts="${HMP_FSTAB_MOUNT_OPTS["${var_path}"]}"
var_fs_pass="0"
;;
*)
var_fs_uuid="${HMP_PATH_FSUUID["${var_path}"]}"
var_fs_path="${var_path}"
var_fs_type="${HMP_FSTAB_MOUNT_FTYPE["${var_path}"]}"
var_fs_opts="${HMP_FSTAB_MOUNT_OPTS["${var_path}"]}"
case "${var_path,,}" in
/) var_fs_pass="1" ;;
/boot/efi) var_fs_pass="0" ;;
*) var_fs_pass="2" ;;
esac
;;
esac
case "${var_fs_type,,}" in
btrfs)
write_fstab "${var_fs_uuid}" "${var_fs_path}" "${var_fs_type}" "${var_fs_opts}" "${var_fs_pass}"
if [[ -v HMP_FSTAB_MOUNT_OPTS["${var_path}/.snapshots"] ]]; then
var_fs_opts="${HMP_FSTAB_MOUNT_OPTS["${var_path}/.snapshots"]}"
if [[ "${var_fs_path}" == "/" ]]; then
write_fstab "${var_fs_uuid}" "/.snapshots" "${var_fs_type}" "${var_fs_opts}" "${var_fs_pass}"
else
write_fstab "${var_fs_uuid}" "${var_fs_path}/.snapshots" "${var_fs_type}" "${var_fs_opts}" "${var_fs_pass}"
fi
fi
continue
;;
ext4)
write_fstab "${var_fs_uuid}" "${var_fs_path}" "${var_fs_type}" "${var_fs_opts}" "${var_fs_pass}"
continue
;;
fat32)
write_fstab "${var_fs_uuid}" "${var_fs_path}" "vfat" "${var_fs_opts}" "${var_fs_pass}"
continue
;;
esac
done
### Generate separate SWAP entry.
var_dmapper="${HMP_EPHEMERAL_ENCLABEL["SWAP"]}"
var_fs_uuid="/dev/mapper/${var_dmapper}"
var_fs_path="none"
var_fs_type="swap"
var_fs_opts="defaults"
var_fs_pass="0"
write_fstab "${var_fs_uuid}" "${var_fs_path}" "${var_fs_type}" "${var_fs_opts}" "${var_fs_pass}"
cat << 'EOF' >> "${TARGET}/etc/fstab"
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
EOF
do_log "info" "file_only" "4200() fstab entry generated: '/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0'."
cat << 'EOF' >> "${TARGET}/etc/fstab"
### Secure tmpfs mounts for a hardened system
# Mount the 'proc' filesystem to provide process and kernel information.
# Mount 'sysfs' to expose kernel device information to user space.
# Mount the 'devpts' filesystem to enable pseudo-terminal support for user sessions.
# Restrict '/dev/shm' to shared memory, limit size, prevent code execution.
# System runtime directory in RAM. Do not set 'noexec' here for compatibility.
proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0
sysfs /sys sysfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
tmpfs /dev/shm tmpfs rw,nodev,noexec,nosuid,relatime,size=1G 0 0
tmpfs /run tmpfs mode=0755,nodev,nosuid 0 0
# vim: number et ts=2 sw=2 sts=2 ai tw=200 ft=sh
EOF
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

141
func/cdi_4200_boot_installation/4210_generate_crypttab.sh Normal file
View File

@@ -0,0 +1,141 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# '/etc/crypttab' entry writer and logger.
# Globals:
# TARGET
# Arguments:
# 1: Encryption Label
# 2: LUKS Container UUID
# 3: Keyfile or none
# 4: LUKS Options
# Returns:
# 0: on success
#######################################
write_crypttab() {
declare write_label="$1" write_dev="$2" write_key_file="$3" write_opts="$4"
printf "%-43s%-46s%-40s%s \n" "${write_label}" "${write_dev}" "${write_key_file}" "${write_opts}" >> "${TARGET}/etc/crypttab"
do_log "info" "file_only" "4210() crypttab entry generated: [${write_label} ${write_dev} ${write_key_file} ${write_opts}]."
return 0
}
#######################################
# Generate target '/etc/crypttab' entries.
# Globals:
# HMP_EPHEMERAL_ENCLABEL
# HMP_PATH_ENCLABEL
# HMP_PATH_FSUUID
# HMP_PATH_LUKSUUID
# TARGET
# VAR_NUKE
# VAR_VERSION
# dropbear_boot
# Arguments:
# None
# Returns:
# 0: on success
#######################################
generate_crypttab() {
### Declare Arrays, HashMaps, and Variables.
declare var_key="" var_encryption_label="" var_luks_uuid="" var_ephemeral_enclabel="" var_host_uuid=""
### Generate '${TARGET}/etc/crypttab' header.
: >| "${TARGET}/etc/crypttab"
chmod 0600 "${TARGET}/etc/crypttab"
cat << EOF >> "${TARGET}/etc/crypttab"
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# /etc/crypttab : Generated by CISS.debian.installer ${VAR_VERSION}
# Architecture : ${VAR_ARCHITECTURE}
# Distribution : ${VAR_CODENAME}
# Static file system information: '/etc/crypttab'.
#
# Basic rule: 'discard' / 'nodiscard' are normally only set in '/etc/crypttab' when LUKS/dm-crypt is in use. Options like
# 'discard=async' or similar are typically only set in '/etc/fstab' (at the file system level). The crypttab determines whether
# the underlying encrypted device (LUKS/dm-crypt) passes TRIM commands to the physical drive or not. The '/etc/fstab' determines
# whether and how the file system itself generates the discard operations and sends them down through the LUKS layer.
#
# RECOMMENDED: 'discard' enables the TRIM commands to be forwarded by the dm-crypt layer to the SSD/physical device. If ones do
# not specify discard in the '/etc/crypttab', dm-crypt blocks TRIM by default. This would render a discard in the '/etc/fstab'
# ineffective.
#
# <name> <device> <password-file-or-none> <options>
EOF
### Generate '${TARGET}/etc/crypttab' entries.
for var_key in "${!HMP_PATH_LUKSUUID[@]}"; do
var_encryption_label="${HMP_PATH_ENCLABEL["${var_key}"]}"
var_luks_uuid="${HMP_PATH_LUKSUUID["${var_key}"]}"
if [[ "${dropbear_boot,,}" == "true" ]]; then
write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs"
else
write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard"
fi
done
### Generate '${TARGET}/etc/crypttab' ephemeral entries.
for var_key in "${!HMP_EPHEMERAL_ENCLABEL[@]}"; do
var_ephemeral_enclabel="${HMP_EPHEMERAL_ENCLABEL["${var_key}"]}"
var_host_uuid="${HMP_PATH_FSUUID["${var_key}"]}"
case "${var_key}" in
SWAP)
write_crypttab "${var_ephemeral_enclabel}" "UUID=${var_host_uuid}" "/dev/random" "swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096"
;;
/tmp)
write_crypttab "${var_ephemeral_enclabel}" "UUID=${var_host_uuid}" "/dev/random" "offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4"
;;
*)
do_log "error" "file_only" "4060() Only 'SWAP' and '/tmp' are valid Partitions for Ephemeral Encryption. Given value was: '${var_key}'."
continue
;;
esac
done
cat << 'EOF' >> "${TARGET}/etc/crypttab"
# vim: number et ts=2 sw=2 sts=2 ai tw=200 ft=sh
EOF
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

30
func/cdi_4200_boot_installation/4220_update_initramfs.sh Normal file
View File

@@ -0,0 +1,30 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Calling 'update-initramfs -u -v -k all' inside Target.
# Globals:
# TARGET
# VAR_ARCHITECTURE
# Arguments:
# None
# Returns:
# 0: on success
#######################################
update_initramfs() {
do_in_target "${TARGET}" update-initramfs -u -v -k all
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

339
func/cdi_4200_boot_installation/4230_update_grub.sh Normal file
View File

@@ -0,0 +1,339 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
# --- UEFI GRUB Installation Strategy ---
#
# We explicitly install GRUB using '--no-nvram' to avoid modifying NVRAM entries inside the chroot environment, which is
# unreliable and can break host firmware boot order. Instead of relying on '--removable', we manually copy the GRUB EFI binary
# to the fallback location 'EFI/BOOT/BOOTX64.EFI'. This mirrors the behavior of '--removable', but gives us more control over
# the bootloader ID and file paths.
# Result:
# - GRUB is available under 'EFI/debian/grubx64.efi' (for manual boot entries).
# - GRUB is also available as 'EFI/BOOT/BOOTX64.EFI' (UEFI fallback path, no NVRAM needed).
# This setup ensures compatibility with systems that do not retain NVRAM entries (e.g., removable drives, VM firmware).
#######################################
# Installation and setup of the GRUB2 (backported) version.
# The backported version MUST be installed for LUKS2 '/boot' encryption.
# Globals:
# ERR_GRUB_BACKGROUND
# ERR_GRUB_EFI_FORCE
# TARGET
# VAR_RECIPE_FIRMWARE
# VAR_RECIPE_TABLE
# grub_background_enable
# grub_background_path
# grub_bootdev
# grub_force_efi
# grub_latest
# grub_prober
# grub_skip
# Arguments:
# None
# Returns:
# ERR_GRUB_BACKGROUND
# ERR_GRUB_EFI_FORCE
# 0: on success
#######################################
update_grub() {
declare -gx var_update_grub_required="false"
get_all_boot_devs
if [[ "${grub_skip,,}" != "true" ]]; then
### Install GRUB2 package
if [[ "${grub_latest,,}" == "true" ]]; then
### Install the GRUB2 backported version from the Bookworm backports repository.
if [[ "${VAR_RECIPE_FIRMWARE}" == "uefi" ]]; then
case "${VAR_ARCHITECTURE,,}" in
amd64) do_in_target "${TARGET}" apt-get install -y -t bookworm-backports grub2 grub2-common grub-efi-amd64 ;;
arm64) do_in_target "${TARGET}" apt-get install -y -t bookworm-backports grub2 grub2-common grub-efi-arm64 ;;
i386) do_in_target "${TARGET}" apt-get install -y -t bookworm-backports grub2 grub2-common grub-efi-ia32 ;;
*) do_log "emergency" "file_only" "4140() Unsupported UEFI architecture: ${VAR_ARCHITECTURE}"; return "${ERR_GRUB_ARCHITECTURE}" ;;
esac
else
do_in_target "${TARGET}" apt-get install -y -t bookworm-backports grub2 grub2-common grub-pc
fi
else
### Install the GRUB2 stable version.
if [[ "${VAR_RECIPE_FIRMWARE}" == "uefi" ]]; then
case "${VAR_ARCHITECTURE,,}" in
amd64) do_in_target "${TARGET}" apt-get install -y grub2 grub2-common grub-efi-amd64 ;;
arm64) do_in_target "${TARGET}" apt-get install -y grub2 grub2-common grub-efi-arm64 ;;
i386) do_in_target "${TARGET}" apt-get install -y grub2 grub2-common grub-efi-ia32 ;;
*) do_log "emergency" "file_only" "4140() Unsupported UEFI architecture: ${VAR_ARCHITECTURE}"; return "${ERR_GRUB_ARCHITECTURE}" ;;
esac
else
do_in_target "${TARGET}" apt-get install -y grub2 grub2-common grub-pc
fi
fi
### Install grub on the specific device.
if [[ "${grub_force_efi,,}" == "false" ]]; then
if [[ "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then
install_grub_uefi_all
elif [[ "${VAR_RECIPE_FIRMWARE,,}" == "bios" ]]; then
install_grub_bios_all
fi
elif [[ "${grub_force_efi,,}" == "true" ]]; then
if [[ "${VAR_RECIPE_TABLE,,}" == "gpt" && "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then
do_in_target "${TARGET}" grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Debian --no-nvram --modules="btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 part_gpt" --force-extra-removable
var_update_grub_required="true"
else
do_log "emergency" "file_only" "4140() Unsupported combination of partition table: '${VAR_RECIPE_TABLE,,}' and setting: grub_force_efi '${grub_force_efi,,}'."
return "${ERR_GRUB_EFI_FORCE}"
fi
fi
### Enable booting from LUKS encrypted devices by default.
cat << EOF >> "${TARGET}/etc/default/grub"
# Enable booting from LUKS encrypted devices by default.
GRUB_ENABLE_CRYPTODISK=y
EOF
var_update_grub_required="true"
### Install a boot menu background.
if [[ "${grub_background_enable,,}" == "true" ]]; then
declare var_background
var_background=$(basename "${grub_background_path}")
cp --no-preserve=ownership "${grub_background_path}" "${TARGET}/etc/default/grub.d/${var_background}" || return "${ERR_GRUB_BACKGROUND}"
chmod 0640 "${TARGET}/etc/default/grub.d/${var_background}" || return "${ERR_GRUB_BACKGROUND}"
cat << EOF >> "${TARGET}/etc/default/grub"
# Enable boot menu background.
GRUB_BACKGROUND="/etc/default/grub.d/${var_background}"
# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command 'vbeinfo'
GRUB_GFXMODE=1920x1080,1280x1024,1024x768,800x600
GRUB_GFXPAYLOAD_LINUX=keep
EOF
var_update_grub_required="true"
fi
### Change GRUB OS detection configuration accordingly.
if [[ "${grub_prober,,}" == "true" ]]; then
cat << EOF >> "${TARGET}/etc/default/grub"
# If your computer has multiple operating systems installed, then you
# probably want to run os-prober. However, if your computer is a host
# for guest OSes installed via LVM or raw disk devices, running
# os-prober can cause damage to those guest OSes as it mounts
# filesystems to look for things.
GRUB_DISABLE_OS_PROBER=false
EOF
var_update_grub_required="true"
elif [[ "${grub_prober,,}" == "false" ]]; then
cat << EOF >> "${TARGET}/etc/default/grub"
# If your computer has multiple operating systems installed, then you
# probably want to run os-prober. However, if your computer is a host
# for guest OSes installed via LVM or raw disk devices, running
# os-prober can cause damage to those guest OSes as it mounts
# filesystems to look for things.
GRUB_DISABLE_OS_PROBER=true
EOF
var_update_grub_required="true"
fi
else
do_log "info" "file_only" "414() GRUB2 setup skipped."
fi
[[ "${var_update_grub_required}" == "true" ]] && do_in_target "${TARGET}" update-grub
### Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them.
chown root:root "${TARGET}/boot/grub/grub.cfg"
chmod 0640 "${TARGET}/boot/grub/grub.cfg"
chmod -R 0700 "${TARGET}/etc/grub.d"
return 0
}
#######################################
# Detects and collects all boot devices for GRUB installation.
# Supports /dev/sdX, /dev/vdX, /dev/hdX, /dev/nvmeXn1, /dev/mmcblkX.
# Globals:
# VAR_RECIPE_HIGHEST_DEVICE
# ary_bootdev_all
# grub_bootdev
# Arguments:
# None
# Returns:
# 0: on success
#######################################
get_all_boot_devs() {
declare -ag ary_bootdev_all=()
declare dev="" dev_prefix="" dev_path="" letter=""
declare -i ascii=0 ascii_end=0 ascii_start=0
### Determine prefix from grub_bootdev (e.g., "sd", "vd", "nvme", "mmcblk")
dev_prefix=$(basename "${grub_bootdev}" | sed -E 's/^([a-z]+)[a-z0-9]*$/\1/')
case "${dev_prefix}" in
sd|vd|hd)
ascii_start=$(printf '%d' "'a")
ascii_end=$(printf '%d' "'${VAR_RECIPE_HIGHEST_DEVICE}")
for ((ascii = ascii_start; ascii <= ascii_end; ascii++)); do
letter=$(printf "%b" "\\$(printf '%03o' "${ascii}")")
dev_path="/dev/${dev_prefix}${letter}"
[[ -b "${dev_path}" ]] && ary_bootdev_all+=("${dev_path}")
done
;;
nvme)
# shellcheck disable=SC2312
while read -r dev; do
ary_bootdev_all+=("/dev/${dev}")
done < <(lsblk -dn -o NAME | grep -E '^nvme[0-9]+n1$')
;;
mmcblk)
# shellcheck disable=SC2312
while read -r dev; do
ary_bootdev_all+=("/dev/${dev}")
done < <(lsblk -dn -o NAME | grep -E '^mmcblk[0-9]+$')
;;
*)
do_log "warning" "file_only" "Unrecognized boot device prefix: ${dev_prefix}"
;;
esac
return 0
}
#######################################
# Installs GRUB in BIOS mode on all block devices.
# Globals:
# TARGET
# VAR_RECIPE_TABLE
# ary_bootdev_all
# var_update_grub_required
# Arguments:
# None
# Returns:
# 0: on success
# ERR_PARTITIONTBL on failure
#######################################
install_grub_bios_all() {
declare dev="" partmod=""
case "${VAR_RECIPE_TABLE,,}" in
gpt) partmod="part_gpt" ;;
msdos|mbr) partmod="part_msdos" ;;
*) do_log "emergency" "file_only" "4140() Unknown partition table type: '${VAR_RECIPE_TABLE}'."; return "${ERR_PARTITIONTBL}" ;;
esac
declare var_modules="biosdisk btrfs cryptodisk luks2 gcry_rijndael gcry_sha256 gcry_sha512 ${partmod}"
declare -a args=(--target=i386-pc --boot-directory=/boot "--modules=${var_modules}")
args+=(--recheck)
for dev in "${ary_bootdev_all[@]}"; do
do_in_target "${TARGET}" grub-install "${args[@]}" "${dev}"
do_log "info" "file_only" "Installed: GRUB on Device: '${dev}' (BIOS)."
var_update_grub_required="true"
done
return 0
}
#######################################
# Installs GRUB to all ESPs in UEFI mode.
# Globals:
# TARGET
# VAR_RECIPE_TABLE
# ary_bootdev_all
# var_update_grub_required
# Arguments:
# None
# Returns:
# 0: on success
# ERR_PARTITIONTBL on failure
#######################################
install_grub_uefi_all() {
### Declare Arrays, HashMaps, and Variables.
declare -a ary_uefi_arg=()
declare var_uefi_dev="" var_uefi_mod=""
### Cryptographic modules.
var_uefi_mod+="cryptodisk gcry_rijndael gcry_sha256 gcry_sha512 gcry_whirlpool gcry_serpent gcry_twofish luks luks2"
### Filesystem modules.
var_uefi_mod+="btrfs ext2"
### Partitioning / Device / GPT
var_uefi_mod+="biosdisk mdraid1x part_gpt part_msdos"
### Device / Terminal modules.
var_uefi_mod+="boot linux efi_gop efi_uga gfxterm gfxterm_background gfxterm_menu normal search search_fs_uuid search_label"
### Debug modules.
var_uefi_mod+="cat echo hexdump ls test terminfo"
[[ "${grub_force_efi,,}" == "true" ]] && ary_uefi_arg+=( --force-extra-removable )
[[ "${grub_update_nvram,,}" == "false" ]] && ary_uefi_arg+=( --no-nvram )
ary_uefi_arg+=( --target=x86_64-efi --boot-directory=/boot --efi-directory=/boot/efi --bootloader-id=Debian "--modules=${var_uefi_mod}" )
for var_uefi_dev in "${ary_bootdev_all[@]}"; do
ary_uefi_arg+=( "--recheck ${var_uefi_dev}" )
do_in_target "${TARGET}" grub-install "${ary_uefi_arg[@]}"
do_log "info" "file_only" "4140() Installed: GRUB on Device: '${var_uefi_dev}' (UEFI)."
var_update_grub_required="true"
done
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

88
func/cdi_4200_boot_installation/4240_update_grub_password.sh Normal file
View File

@@ -0,0 +1,88 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Append GRUB superuser block to '/etc/grub.d/40_custom'.
# Globals:
# DIR_CNF
# ERR_READ_GRUB_FILE
# TARGET
# VAR_DEBUG_TRACE
# Arguments:
# None
# Returns:
# 0: on success
# ERR_READ_GRUB_FILE
#######################################
update_grub_password() {
declare var_username="superadmin"
declare var_password=""
declare var_password_file="${DIR_CNF}/password_grub.txt"
declare var_of="${TARGET}/etc/grub.d/40_custom"
declare var_grub_entry
### No tracing for security reasons
[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
if [[ ! -f "${var_password_file}" ]] || ! IFS= read -r var_password < "${var_password_file}"; then
return "${ERR_READ_GRUB_FILE}"
fi
### Turn on tracing again
[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
var_grub_entry=$(generate_grub_password_pbkdf2 "${var_username}" "${var_password}")
### Append if not already present
if ! grep -q "set superusers=" "${var_of}"; then
{
echo ""
echo "### Added by CISS.debian.installer ###"
echo "${var_grub_entry}"
echo "### End by CISS.debian.installer ###"
} >> "${var_of}"
fi
do_in_target "${TARGET}" update-grub
return 0
}
#######################################
# Generate PBKDF2 password hash for GRUB.
# Arguments:
# 1: Username (default to superadmin).
# 2: User password.
# Returns:
# 0: on success
#######################################
generate_grub_password_pbkdf2() {
declare var_user="${1:-superadmin}"
declare var_pass="${2:?error: password required}"
expect <<EOF
log_user 0
spawn grub-mkpasswd-pbkdf2 --iteration-count=131072 --salt=64 --buflen=64
expect "Enter password:"
send "${var_pass}\r"
expect "Reenter password:"
send "${var_pass}\r"
expect {
-re {PBKDF2 hash of your password is (\S+)} {
puts "set superusers=\"${var_user}\"\npassword_pbkdf2 ${var_user} \$expect_out(1,string)"
}
}
EOF
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

63
func/cdi_4200_boot_installation/4250_update_grub_bootparameter.sh Normal file
View File

@@ -0,0 +1,63 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
### Options in "GRUB_CMDLINE_LINUX" are always effective.
### Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
guard_sourcing
#######################################
# Hardening Grub boot parameter.
# Globals:
# ARY_BOOTPARAM
# TARGET
# VAR_GRUB_CMDLINE_LINUX_DEFAULT
# Arguments:
# None
# Returns:
# 0: on success
#######################################
update_grub_bootparameter() {
declare var_nuke_string="" var_param=""
grub_extract_current_string
for var_param in "${ARY_BOOTPARAM[@]}"; do
if [[ -z "${var_param}" ]]; then
do_log "warn" "file_only" "Empty GRUB parameter detected and skipped."
continue
fi
if grep -q --word-regexp "${var_param%%=*}" <<< "${VAR_GRUB_CMDLINE_LINUX_DEFAULT}"; then
do_log "info" "file_only" "Skipping duplicate kernel parameter: '${var_param}'."
continue
fi
VAR_GRUB_CMDLINE_LINUX_DEFAULT+=" ${var_param}"
done
if [[ "${VAR_NUKE}" == "true" ]]; then
var_nuke_string="nuke=${VAR_NUKE_HASH}"
VAR_GRUB_CMDLINE_LINUX+=" ${var_nuke_string}"
fi
grub_finalize_string
do_in_target "${TARGET}" update-grub
do_log "info" "file_only" "Setting GRUB kernel parameters: ${VAR_GRUB_CMDLINE_LINUX_DEFAULT}"
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh