V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-07-17 13:42:37 +02:00
parent 81bcb407fd
commit 6a67646fb6
18 changed files with 239 additions and 213 deletions
--- a/func/1250_yaml_parser.sh
+++ b/func/1250_yaml_parser.sh
@@ -22,28 +22,24 @@ guard_sourcing
 #   VAR_PRESEED
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 yaml_parser() {
  cat "${DIR_CNF}/preseed.yaml" "${DIR_CNF}/partitioning.yaml" >| "${DIR_TMP}/combined.yaml"

  yq -o=shell "${DIR_TMP}/combined.yaml" >| "${VAR_PRESEED}"

+  declare -agx ARY_NTPSRVR ARY_PACKAGES
  declare var_key var_value

  while IFS='=' read -r var_key var_value; do
-    if [[ ${var_key} =~ ^ntp_server_[0-9]+$ ]]; then
-        var_value=${var_value#\'}
-        var_value=${var_value%\'}
-        declare -agx ARY_NTPSRVR+=("${var_value}")
-    fi
-  done < "${VAR_PRESEED}"
-
-  while IFS='=' read -r var_key var_value; do
-    if [[ ${var_key} =~ ^software_[0-9]+$ ]]; then
-        var_value=${var_value#\'}
-        var_value=${var_value%\'}
-        declare -agx ARY_PACKAGES+=("${var_value}")
-    fi
+    var_value=${var_value#\'}
+    var_value=${var_value%\'}
+    case "${var_key}" in
+      ntp_server_[0-9]*) ARY_NTPSRVR+=("${var_value}") ;;
+      software_[0-9]*)   ARY_PACKAGES+=("${var_value}") ;;
+    esac
  done < "${VAR_PRESEED}"

  sed -i '/^software_[0-9]\+=/d' "${VAR_PRESEED}"
@@ -53,6 +49,7 @@ yaml_parser() {
  sed -i -E 's/^(.*)=\s*$/\1=""/' "${VAR_PRESEED}"
  ### Wrap each key=value by '' e.g., key='value'
  sed -i -E "s/^(.*)=([^'\"]+)$/\1='\2'/" "${VAR_PRESEED}"
+
  return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/1251_yaml_reader.sh
+++ b/func/1251_yaml_reader.sh
@@ -24,6 +24,8 @@ guard_sourcing
 #   VAR_RECIPE_TABLE
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 yaml_reader() {
  ### Declare and substitute input files
@@ -138,5 +140,7 @@ END { print max }
    do_log "info" "false" "Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > No special firmware partition necessary."

  fi
+
+  return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/4130_setup_network.sh
+++ b/func/4130_setup_network.sh
@@ -367,13 +367,19 @@ EOF
  ### Export hostname and IPv4 and IPv6 addresses for further processing according to dynamic results and preseed.yaml settings.
  if [[ "${network_autoconfig_enable,,}" == "true" ]]; then

+    declare -grx VAR_FINAL_NIC="${var_auto_nic}"
    declare -grx VAR_FINAL_FQDN="${var_auto_fqdn}"
    declare -grx VAR_FINAL_IPV4="${var_auto_ipv4}"
+    declare -grx VAR_FINAL_IPV4_GW="${var_auto_ipv4_gw}"
+    declare -grx VAR_FINAL_IPV4_SUBNET="${var_auto_ipv4_subnet}"

-  elif [[ "${network_autoconfig_enable,,}" == "false" ]]; then
+  else

+    declare -grx VAR_FINAL_NIC="${network_choose_interface_static}"
    declare -grx VAR_FINAL_FQDN="${network_hostname}"
    declare -grx VAR_FINAL_IPV4="${network_static_ipv4address}"
+    declare -grx VAR_FINAL_IPV4_GW="${network_static_ipv4gateway}"
+    declare -grx VAR_FINAL_IPV4_SUBNET="${network_static_ipv4netmask}"

  fi

--- a/func/4180_setup_ssh.sh
+++ b/func/4180_setup_ssh.sh
@@ -32,7 +32,13 @@ guard_sourcing
 setup_ssh() {
  do_in_target "${TARGET}" apt-get install -y ssh

-  rm -rf "${TARGET}/etc/ssh/ssh_host_*key*"
+  declare -a ary_user=()
+  ary_user+=("${user_user0_name}")
+  [[ -v "${user_user1_name}" ]] && ary_user+=("${user_user1_name}")
+  [[ -v "${user_user2_name}" ]] && ary_user+=("${user_user2_name}")
+  [[ -v "${user_user3_name}" ]] && ary_user+=("${user_user3_name}")
+
+  rm -rf "${TARGET}"/etc/ssh/ssh_host_*key*

  do_in_target "${TARGET}" ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
  do_log "info" "true" "Generated ed25519 SSH Key, executed in: '${TARGET}'."
@@ -47,7 +53,7 @@ setup_ssh() {
  cp "${TARGET}/etc/ssh/ssh_config" "${DIR_BAK}/etc/ssh/ssh_config.bak"
  chmod 0644 "${DIR_BAK}/etc/ssh/ssh_config.bak"

-  rm "${TARGET}/etc/ssh/sshd_config"
+  rm -f "${TARGET}/etc/ssh/sshd_config"

  cp "${VAR_SETUP_PATH}/includes/etc/ssh/sshd_config" "${TARGET}/etc/ssh/sshd_config"
  chmod 0600 "${TARGET}/etc/ssh/sshd_config"
@@ -63,12 +69,17 @@ setup_ssh() {

  sed -i "s/Port                         MUST_BE_CHANGED/Port                         ${user_ssh_port}/" "${TARGET}/etc/ssh/sshd_config"

-  if [[ -n "${user_user0_name,,}" ]]; then
-    sed -i "s/AllowUsers                   root/AllowUsers                   root ${user_user0_name}/" "${TARGET}/etc/ssh/sshd_config"
+  if [[ -n "${user_user0_name}" ]]; then
+    sed -i "s/AllowUsers                   root/AllowUsers                   root ${ary_user[*]}/" "${TARGET}/etc/ssh/sshd_config"
  fi

-  do_in_target "${TARGET}" sshd -T >| "${DIR_LOG}/sshd_config.log"
-  do_in_target "${TARGET}" ssh-keygen -r "${VAR_FINAL_FQDN}." >| "${DIR_LOG}/ssh.log"
+  if [[ -n "${user_ssh_rootca}" ]]; then
+    install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}${user_ssh_rootca}" "${TARGET}/etc/ssh/"
+    sed -i "s/TrustedUserCAKeys            none/TrustedUserCAKeys            \/etc\/ssh\/${user_ssh_rootca}/" "${TARGET}/etc/ssh/sshd_config"
+  fi
+
+  do_in_target_script "${TARGET}" "sshd -T >| ${DIR_LOG}/sshd_config.log"
+  do_in_target_script "${TARGET}" "ssh-keygen -r ${VAR_FINAL_FQDN}. >| ${DIR_LOG}/ssh.log"

  ###########################################################################################
  # The file /etc/profile.d/idle-users.sh is created to set two read-only                   #
--- a/func/4190_build_dropbear.sh
+++ b/func/4190_build_dropbear.sh
@@ -25,22 +25,31 @@ guard_sourcing
 #   0: on success
 #######################################
 build_dropbear() {
-  declare file
-  mkdir -p "${DIR_TMP}/build"
+  declare var_dropbear_version="2025.88"
+  declare var_tar="${VAR_SETUP_PATH}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
+  declare var_build_dir="${DIR_TMP}/build/dropbear-${var_dropbear_version}"

-  cp "${VAR_SETUP_PATH}/upgrades/dropbear/dropbear-2025.88.tar.bz2" "${DIR_TMP}/build"
-  tar xjf "${DIR_TMP}/build/dropbear-2025.88.tar.bz2"
-  cp "${VAR_SETUP_PATH}/upgrades/dropbear/localoptions.h" "${DIR_TMP}/build/dropbear-2025.88"
-  cd "${DIR_TMP}/build/dropbear-2025.88" || return "${ERR_PATH_NOT_VALID}"
+  mkdir -p "${DIR_TMP}/build"
+  cp "${var_tar}" "${DIR_TMP}/build"
+  tar xjf "${DIR_TMP}/build/dropbear-${var_dropbear_version}.tar.bz2" -C "${DIR_TMP}/build" || return "${ERR_PATH_NOT_VALID}"
+  cp "${VAR_SETUP_PATH}/upgrades/dropbear/localoptions.h" "${var_build_dir}"
+  cd "${var_build_dir}" || return "${ERR_PATH_NOT_VALID}"
+
+  # Flag Purpose
+  #  -fPIE:               Generate position-independent executable code
+  #  -pie:                Link the executable as PIE (so that ASLR works)
+  #  -static:             Fully statically linked against musl
+  #  -s:                  Strip unnecessary symbols directly during linking
+  #  -Wl,-z,relro,-z,now: Enables full RELRO (symbol resolution at program startup)

  CC=musl-gcc \
-    CFLAGS="-Os -Wno-undef" \
-    LDFLAGS="-static -s -L/usr/local/lib" \
-    ./configure \
-      --enable-static \
-      --enable-openpty \
-      --disable-pam \
-      --disable-zlib
+  CFLAGS="-Os -fPIE -Wno-undef -fstack-protector-strong -D_FORTIFY_SOURCE=2" \
+  LDFLAGS="-static -pie -s -Wl,-z,relro,-z,now" \
+  ./configure \
+    --enable-static \
+    --enable-openpty \
+    --disable-pam \
+    --disable-zlib

  make -j"$(nproc)"

--- a/func/4191_install_dropbear_initramfs.sh
+++ b/func/4191_install_dropbear_initramfs.sh
@@ -12,15 +12,27 @@

 guard_sourcing

-
+#######################################
+# Install Dropbear Initramfs and replace the binaries with the previous Ultra Hardened build.
+# Globals:
+#   DIR_TMP
+#   TARGET
+# Arguments:
+#   None
+# Returns:
 #   0: on success
 #######################################
 install_dropbear_initramfs() {
  declare var_file
  do_in_target "${TARGET}" apt-get install -y dropbear-initramfs
+  do_in_target "${TARGET}" apt-mark hold -y dropbear dropbear-initramfs

-  for var_file in dbclient dropbear dropbearconvert dropbearkey; do
-    install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/${var_file}" "${TARGET}/usr/sbin/"
+  mv "${TARGET}/usr/sbin/dropbear" "${TARGET}/usr/sbin/dropbear.2022.83"
+  install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/dropbear" "${TARGET}/usr/sbin/"
+
+  for var_file in dbclient dropbearconvert dropbearkey; do
+    mv "${TARGET}/usr/bin/${var_file}" "${TARGET}/usr/bin/${var_file}.2022.83"
+    install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/${var_file}" "${TARGET}/usr/bin/"
  done

  return 0
--- a/func/4195_installation_dropbear.sh
+++ b/func/4195_installation_dropbear.sh
@@ -12,6 +12,46 @@

 guard_sourcing

+####
+setup_dropbear() {
+  rm -f "${TARGET}"/etc/dropbear/initramfs/dropbear*key
+
+  do_in_target "${TARGET}" "${TARGET}/usr/bin/dropbearkey" -t rsa -s 4096 -f "${TARGET}/etc/dropbear/initramfs/dropbear_rsa_host_key"
+  do_in_target "${TARGET}" "${TARGET}/usr/bin/dropbearkey" -t ed25519 -f "${TARGET}/etc/dropbear/initramfs/dropbear_ed25519_host_key"
+
+  chmod 0600 "${TARGET}"/etc/dropbear/initramfs/dropbear*key
+  chown root:root "${TARGET}"/etc/dropbear/initramfs/dropbear*key
+
+  declare -a ary_user=()
+  ary_user+=("${user_root_ssh_pubkeys_0}")
+  [[ -n "${user_root_ssh_pubkeys_1}" ]] && ary_user+=("${user_root_ssh_pubkeys_1}")
+  [[ -n "${user_root_ssh_pubkeys_2}" ]] && ary_user+=("${user_root_ssh_pubkeys_2}")
+  [[ -n "${user_root_ssh_pubkeys_3}" ]] && ary_user+=("${user_root_ssh_pubkeys_3}")
+
+  touch "${TARGET}/etc/dropbear/initramfs/authorized_keys" && chmod 0600 "${TARGET}/etc/dropbear/initramfs/authorized_keys"
+  printf "%s\n" "${ary_user[@]}" > "${TARGET}/etc/dropbear/initramfs/authorized_keys"
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/etc/banner" "${TARGET}/etc/dropbear/initramfs/"
+
+  if [[ "${user_dropbear_dhcp,,}" != "true" ]]; then
+    declare network_static_ipv4ntpserver_0="192.53.103.108"
+    ### "IP=<HOST IP>::<GATEWAY IP>:<SUBNET MASK>:<FQDN>:<NIC>:none:<NS 0 IP>:<NS 1 IP>:<NTP IP>"
+    printf "IP=%s::%s:%s:%s:%s:none:%s:%s:%s\n" \
+      "${VAR_FINAL_IPV4}" \
+      "${VAR_FINAL_IPV4_GW}" \
+      "${VAR_FINAL_IPV4_SUBNET}" \
+      "${VAR_FINAL_FQDN}" \
+      "${VAR_FINAL_NIC}" \
+      "${network_static_ipv4nameserver_0}" \
+      "${network_static_ipv4nameserver_1}" \
+      "${network_static_ipv4ntpserver_0}" \
+      >| "${TARGET}/etc/initramfs-tools/conf.d/ip"
+  else
+    ### "IP=:::::<NIC>:dhcp"
+    printf "IP=:::::%s:dhcp\n" "${VAR_FINAL_NIC}" >| "${TARGET}/etc/initramfs-tools/conf.d/ip"
+  fi
+
+}
+
 # TODO Important insert cryptdevice=UUID=881366ae-61ee-4ee0-893c-0def27c78c9e:cryptroot root=/dev/mapper/vg00-root
 # TODO Important insert GRUB_CMDLINE_LINUX_DEFAULT="net.ifnames=0 biosdevname=0 ip=152.53.66.126::152.53.64.1:255.255.252.0:soc:ens3:none"