msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-06-25 17:28:11 +02:00
parent 5496977d6a
commit 804788b38b
6 changed files with 312 additions and 348 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
func/3200_partitioning_new.sh → .archive/func/0000_partitioning.sh
View File

93
func/3200_partitioning.sh
View File

@@ -14,93 +14,88 @@
# Function that generates each partition on each device according to the chosen recipe string. # Function that generates each partition on each device according to the chosen recipe string.
# Globals: # Globals:
# ERR_PARTITIONTBL # ERR_PARTITIONTBL
# HMP_RECIPE_DEV_PARTITIONS # ERR_READ_PARTTBL
# HMP_UUID_PARTITION # HMP_UUID_PARTITION
# RECIPE_STRING # RECIPE_STRING
# RECIPE_TABLE
# VAR_RECIPE_TABLE # VAR_RECIPE_TABLE
# VAR_SETUP_PART
# Arguments: # Arguments:
# None # None
####################################### #######################################
partitioning() { partitioning() {
### REMINDER ### Declare Arrays and Variables.
# HashMap : "${!HMP_RECIPE_DEV_PARTITIONS[@]}" declare -Ag HMP_UUID_PARTITION
# ${DEVICE}: "${HMP_RECIPE_DEV_PARTITIONS[$DEVICE]}" declare var_dev var_part var_begin var_end var_fs var_boot var_pri var_uuid
declare var_dev var_partition var_partition_number ### Iterate over all devices in the recipe.
for var_dev in $(yq e ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}"); do
### Iterate through each device.
for var_dev in "${!HMP_RECIPE_DEV_PARTITIONS[@]}"; do
var_partition_number=${HMP_RECIPE_DEV_PARTITIONS[${var_dev}]}
### All current data for the respective device will be deleted. ### All current data for the respective device will be deleted.
blkdiscard /dev/"${var_dev}" blkdiscard "/dev/${var_dev}" \
|| { do_log "fatal" "false" "Partition table deletion '/dev/${var_dev}' failed."; exit "${ERR_READ_PARTTBL}"; }
do_log "info" "false" "Partition table of '/dev/${var_dev}' discarded." do_log "info" "false" "Partition table of '/dev/${var_dev}' discarded."
if [[ ${VAR_RECIPE_TABLE} == "gpt" ]]; then if [[ "${VAR_RECIPE_TABLE}" == "gpt" ]]; then
parted -s /dev/"${var_dev}" mklabel gpt parted -s "/dev/${var_dev}" mklabel gpt \
|| { do_log "fatal" "false" "Partition table creation '/dev/${var_dev}' failed."; exit "${ERR_READ_PARTTBL}"; }
do_log "info" "false" "Partition table '${VAR_RECIPE_TABLE}' of '/dev/${var_dev}' generated." do_log "info" "false" "Partition table '${VAR_RECIPE_TABLE}' of '/dev/${var_dev}' generated."
elif [[ ${VAR_RECIPE_TABLE} == "mbr" ]]; then elif [[ "${VAR_RECIPE_TABLE}" == "mbr" ]]; then
parted -s /dev/"${var_dev}" mklabel mbr parted -s "/dev/${var_dev}" mklabel mbr \
|| { do_log "fatal" "false" "Partition table creation '/dev/${var_dev}' failed."; exit "${ERR_READ_PARTTBL}"; }
do_log "info" "false" "Partition table '${VAR_RECIPE_TABLE}' of '/dev/${var_dev}' generated." do_log "info" "false" "Partition table '${VAR_RECIPE_TABLE}' of '/dev/${var_dev}' generated."
else else
do_log "fatal" "false" "No valid partition table chosen. String was '${VAR_RECIPE_TABLE}'. Exiting setup." do_log "fatal" "false" "No valid partition table chosen. String was '${VAR_RECIPE_TABLE}'."
exit "${ERR_PARTITIONTBL}" exit "${ERR_PARTITIONTBL}"
fi fi
### Iterate through each partition on the current device. ### Iterate over all partitions for this device.
for (( var_partition=1; var_partition<=var_partition_number; var_partition++ )); do for var_part in $(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}"); do
#for var_partition in $(seq 1 "${var_partition_number}"); do
### Generate variables for the current partition. ### Extract parameters from YAML.
declare begin_var="recipe_${RECIPE_STRING}_dev_${var_dev}_${var_partition}_begin" var_begin=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.begin" "${VAR_SETUP_PART}")
declare end_var="recipe_${RECIPE_STRING}_dev_${var_dev}_${var_partition}_end" var_end=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.end" "${VAR_SETUP_PART}")
declare bootable_var="recipe_${RECIPE_STRING}_dev_${var_dev}_${var_partition}_bootable" var_fs=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.version" "${VAR_SETUP_PART}")
declare primary_var="recipe_${RECIPE_STRING}_dev_${var_dev}_${var_partition}_primary" var_boot=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.bootable" "${VAR_SETUP_PART}")
declare filesystem_var="recipe_${RECIPE_STRING}_dev_${var_dev}_${var_partition}_filesystem_version" var_pri=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.primary" "${VAR_SETUP_PART}")
### Initialise variables.
declare BEGIN=${!begin_var}
declare END=${!end_var}
declare BOOTABLE=${!bootable_var}
declare PRIMARY=${!primary_var}
declare FILESYSTEM=${!filesystem_var}
### Generate partition. ### Generate partition.
if [[ ${END} == "-1" ]]; then if [[ "${var_end}" == "-1" ]]; then
parted -s /dev/"${var_dev}" mkpart "${PRIMARY}" "${FILESYSTEM}" "${BEGIN}" 100% parted -s /dev/"${var_dev}" mkpart "${var_pri}" "${var_fs}" "${var_begin}" "100%" \
do_log "info" "false" "Partition generated: '${var_partition}' | on device '/dev/${var_dev}' | begin: '${BEGIN}' | end: 100 % of remaining disk." || { do_log "fatal" "false" "Partition creation '/dev/${var_dev}${var_part}' failed."; exit "${ERR_READ_PARTTBL}"; }
do_log "info" "false" "Partition generated: '${var_part}' | on device '/dev/${var_dev}' | begin: '${var_begin}' | end: 100 % of remaining disk."
else else
parted -s /dev/"${var_dev}" mkpart "${PRIMARY}" "${FILESYSTEM}" "${BEGIN}" "${END}" parted -s /dev/"${var_dev}" mkpart "${var_pri}" "${var_fs}" "${var_begin}" "${var_end}" \
do_log "info" "false" "Partition generated: '${var_partition}' | on device '/dev/${var_dev}' | begin: '${BEGIN}' | end: '${END}'." || { do_log "fatal" "false" "Partition creation '/dev/${var_dev}${var_part}' failed."; exit "${ERR_READ_PARTTBL}"; }
do_log "info" "false" "Partition generated: '${var_part}' | on device '/dev/${var_dev}' | begin: '${var_begin}' | end: '${var_end}'."
fi fi
### Set the bootable flag if necessary. ### Set the bootable flag if necessary.
if [[ "${BOOTABLE,,}" == true ]]; then if [[ "${var_boot,,}" == "true" ]]; then
parted -s "/dev/${var_dev}" set "${var_partition}" boot on parted -s "/dev/${var_dev}" set "${var_part}" boot on
do_log "info" "false" "Partition: '/dev/${var_dev}${var_partition}' marked as bootable." do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' marked as bootable."
fi fi
if [[ "${PRIMARY,,}" == logical ]]; then ### Read UUID of the newly created partition
parted -s "/dev/${var_dev}" set "${var_partition}" "${FILESYSTEM}" on var_uuid=$(blkid -s UUID -o value "/dev/${var_dev}${var_part}")
if [[ -z "${var_uuid}" ]]; then
do_log "fatal" "false" "WARNING: could not read UUID for '/dev/${var_dev}${var_part}'."
exit "${ERR_READ_PARTTBL}"
else
### Store UUID in an associative array.
HMP_UUID_PARTITION["UUID_${var_dev}${var_part}"]="${var_uuid}"
do_log "info" "false" "Saved in HashMap HMP_UUID_PARTITION: 'UUID_${var_dev}${var_part}' -> '${var_uuid}'."
fi fi
### Save UUID of the generated partition
# shellcheck disable=SC2155
declare UUID=$(blkid -s UUID -o value "/dev/${var_dev}${var_partition}")
HMP_UUID_PARTITION["UUID_${var_dev}${var_partition}"]="${UUID}"
do_log "info" "false" "Saved in HashMap HMP_UUID_PARTITION: 'UUID_${var_dev}${var_partition}' -> '${HMP_UUID_PARTITION["UUID_${var_dev}${var_partition}"]}'"
done done
done done

247
func/3220_partition_encryption.sh Normal file
View File

@@ -0,0 +1,247 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# Function to encrypt the respective partition on each device according to the chosen recipe string.
partition_encryption() {
### Declare Arrays and Variables.
declare -Ag HMP_EPHEMERAL_DEV HMP_EPHEMERAL_ENCLABEL
declare -Ag HMP_ENCRYPTIONLABEL_UUID HMP_MOUNTPATH_ENCRYPTIONLABEL
declare var_dev var_part \
var_encryption_enable var_encryption_ephemeral var_encryption_integrity var_encryption_nuke var_encryption_cipher \
var_encryption_hash var_encryption_iter var_encryption_key var_encryption_label var_encryption_meta \
var_encryption_pbkdf var_encryption_rng var_filesystem_label var_mount_path
### Iterate over all devices in the recipe.
for var_dev in $(yq e ".recipe.${RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}"); do
### Iterate over all partitions for this device.
for var_part in $(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}"); do
### Extract parameters from YAML.
var_encryption_enable=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.enable" "${VAR_SETUP_PART}")
var_encryption_ephemeral=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.ephemeral" "${VAR_SETUP_PART}")
var_encryption_integrity=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.integrity" "${VAR_SETUP_PART}")
var_encryption_nuke=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.nuke" "${VAR_SETUP_PART}")
var_encryption_cipher=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.cipher" "${VAR_SETUP_PART}")
var_encryption_hash=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.hash" "${VAR_SETUP_PART}")
var_encryption_iter=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.itertime" "${VAR_SETUP_PART}")
var_encryption_key=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.key" "${VAR_SETUP_PART}")
var_encryption_label=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.label" "${VAR_SETUP_PART}")
var_encryption_meta=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.metadatasize" "${VAR_SETUP_PART}")
var_encryption_pbkdf=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.pbkdf" "${VAR_SETUP_PART}")
var_encryption_rng=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.rng" "${VAR_SETUP_PART}")
var_filesystem_label=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.label" "${VAR_SETUP_PART}")
var_mount_path=$(yq e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.path" "${VAR_SETUP_PART}")
if [[ "${var_encryption_enable,,}" == "true" ]]; then
if [[ "${var_encryption_ephemeral,,}" == "true" ]]; then
if [[ "${var_mount_path}" == "SWAP" ]]; then
mkfs.ext4 -L "${var_filesystem_label}" "/dev/${var_dev}${var_part}" 1M
do_log "info" "false" "Ephemeral 'SWAP' prepared on: '/dev/${var_dev}${var_part}'."
HMP_EPHEMERAL_DEV["${var_mount_path}"]="/dev/${var_dev}${var_part}"
HMP_EPHEMERAL_ENCLABEL["${var_mount_path}"]="${var_encryption_label}"
do_log "info" "false" "Stored in HashMap [MAP_EPHEMERAL_DEV] : '${var_mount_path}' -> '${HMP_EPHEMERAL_DEV["${var_mount_path}"]}'"
do_log "info" "false" "Stored in HashMap [MAP_EPHEMERAL_ENCLABEL]: '${var_mount_path}' -> '${HMP_EPHEMERAL_ENCLABEL["${var_mount_path}"]}'"
elif [[ "${var_mount_path}" == "/tmp" ]]; then
mkfs.ext4 -L "${var_filesystem_label}" "/dev/${var_dev}${var_part}" 1M
do_log "info" "false" "Ephemeral '/tmp' prepared on: '/dev/${var_dev}${var_part}'."
HMP_EPHEMERAL_DEV["${var_mount_path}"]="/dev/${var_dev}${var_part}"
HMP_EPHEMERAL_ENCLABEL["${var_mount_path}"]="${var_encryption_label}"
do_log "info" "false" "Stored in HashMap [MAP_EPHEMERAL_DEV] : '${var_mount_path}' -> '${HMP_EPHEMERAL_DEV["${var_mount_path}"]}'"
do_log "info" "false" "Stored in HashMap [MAP_EPHEMERAL_ENCLABEL]: '${var_mount_path}' -> '${HMP_EPHEMERAL_ENCLABEL["${var_mount_path}"]}'"
else
do_log "error" "false" "Partition: '/dev/${var_dev}${var_part}' Invalid value for 'MOUNT_PATH': '${var_mount_path}'."
fi
elif [[ "${var_encryption_ephemeral,,}" == "false" ]]; then
if [[ "${var_encryption_integrity,,}" == "true" ]]; then
if [[ "${var_encryption_nuke,,}" == "true" ]]; then
cryptsetup luksFormat "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
--type luks2 \
--cipher "${var_encryption_cipher}" \
--hash "${var_encryption_hash}" \
--iter-time "${var_encryption_iter}" \
--key-size "${var_encryption_key}" \
--label "${var_encryption_label}" \
--luks2-metadata-size "${var_encryption_meta}" \
--pbkdf "${var_encryption_pbkdf}" \
--"${var_encryption_rng}" \
--integrity hmac-sha512 \
--batch-mode --verbose
cryptsetup luksAddKey "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
--new-keyfile="${DIR_CNF}/password_nuke.txt" \
--new-key-slot 31 \
--batch-mode --verbose
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' dm-integrity encrypted and 'Nuke-Key' added."
cryptsetup luksHeaderBackup "/dev/${var_dev}${var_part}" \
--header-backup-file="${DIR_BAK}/luks_header_${var_dev}${var_part}.bak"
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' LUKS Header saved: '${DIR_BAK}/luks_header_${var_dev}${var_part}.bak'."
elif [[ "${var_encryption_nuke,,}" == "false" ]]; then
cryptsetup luksFormat "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
--type luks2 \
--cipher "${var_encryption_cipher}" \
--hash "${var_encryption_hash}" \
--iter-time "${var_encryption_iter}" \
--key-size "${var_encryption_key}" \
--label "${var_encryption_label}" \
--luks2-metadata-size "${var_encryption_meta}" \
--pbkdf "${var_encryption_pbkdf}" \
--"${var_encryption_rng}" \
--integrity hmac-sha512 \
--batch-mode --verbose
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' dm-integrity encrypted."
cryptsetup luksHeaderBackup "/dev/${var_dev}${var_part}" \
--header-backup-file="${DIR_BAK}/luks_header_${var_dev}${var_part}.bak"
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' LUKS Header saved: '${DIR_BAK}/luks_header_${var_dev}${var_part}.bak'."
else
do_log "error" "false" "Partition: '/dev/${var_dev}${var_part}' Invalid value for 'NUKE_ENABLE': '${var_encryption_nuke}'."
fi
elif [[ "${var_encryption_integrity,,}" == "false" ]]; then
if [[ "${var_encryption_nuke,,}" == "true" ]]; then
cryptsetup luksFormat "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
--type luks2 \
--cipher "${var_encryption_cipher}" \
--hash "${var_encryption_hash}" \
--iter-time "${var_encryption_iter}" \
--key-size "${var_encryption_key}" \
--label "${var_encryption_label}" \
--luks2-metadata-size "${var_encryption_meta}" \
--pbkdf "${var_encryption_pbkdf}" \
--"${var_encryption_rng}" \
--batch-mode --verbose
cryptsetup luksAddKey "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
--new-keyfile="${DIR_CNF}/password_nuke.txt" \
--new-key-slot 31 \
--batch-mode --verbose
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' encrypted and 'Nuke-Key' added."
cryptsetup luksHeaderBackup "/dev/${var_dev}${var_part}" \
--header-backup-file="${DIR_BAK}/luks_header_${var_dev}${var_part}.bak"
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' LUKS Header saved: '/${DIR_BAK}/luks_header_${var_dev}${var_part}.bak'."
elif [[ ${var_encryption_nuke,,} == "false" ]]; then
cryptsetup luksFormat "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
--type luks2 \
--cipher "${var_encryption_cipher}" \
--hash "${var_encryption_hash}" \
--iter-time "${var_encryption_iter}" \
--key-size "${var_encryption_key}" \
--label "${var_encryption_label}" \
--luks2-metadata-size "${var_encryption_meta}" \
--pbkdf "${var_encryption_pbkdf}" \
--"${var_encryption_rng}" \
--batch-mode --verbose
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' encrypted."
cryptsetup luksHeaderBackup "/dev/${var_dev}${var_part}" \
--header-backup-file="${DIR_BAK}/luks_header_${var_dev}${var_part}.bak"
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' LUKS Header saved: '/${DIR_BAK}/luks_header_${var_dev}${var_part}.bak'."
else
do_log "error" "false" "Partition: '/dev/${var_dev}${var_part}' Invalid value for 'NUKE_ENABLE': '${var_encryption_nuke}'."
fi
else
do_log "error" "false" "Partition: '/dev/${var_dev}${var_part}' Invalid value for 'INTEGRITY_ENABLE': '${var_encryption_integrity}'."
fi
else
do_log "error" "false" "Partition: '/dev/${var_dev}${var_part}' Invalid value for 'EPHEMERAL_ENABLE': '${var_encryption_ephemeral}'."
fi
else
do_log "error" "true" "Partition: '/dev/${var_dev}${var_part}' Invalid value for 'ENCRYPTION_ENABLE': '${var_encryption_enable}'."
fi
### Opening encrypted partition.
if [[ "${var_encryption_enable,,}" == "true" && ${var_encryption_ephemeral,,} == "false" ]]; then
cryptsetup luksOpen "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
"${var_encryption_label}"
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' opened as '/dev/mapper/${var_encryption_label}'."
### Store UUID of the encrypted partition
# shellcheck disable=SC2155
declare var_uuid=$(blkid -s UUID -o value "/dev/mapper/${var_encryption_label}")
if [[ "${var_mount_path}" = "/" ]]; then
# shellcheck disable=SC2155
declare -grx VAR_CRYPT_ROOT="$(blkid -s UUID -o value "/dev/mapper/${var_encryption_label}")"
fi
HMP_ENCRYPTIONLABEL_UUID["${var_encryption_label}"]="${var_uuid}"
HMP_MOUNTPATH_ENCRYPTIONLABEL["${var_mount_path}"]="${var_encryption_label}"
do_log "info" "false" "Saved in HashMap [HMP_ENCRYPTIONLABEL_UUID] : '${var_encryption_label}' -> '${HMP_ENCRYPTIONLABEL_UUID["${var_encryption_label}"]}'"
do_log "info" "false" "Saved in HashMap [HMP_MOUNTPATH_ENCRYPTIONLABEL] : '${var_mount_path}' -> '${HMP_MOUNTPATH_ENCRYPTIONLABEL["${var_mount_path}"]}'"
else
do_log "error" "false" "Partition: '/dev/${var_dev}${var_part}' Opening encrypted partition - Invalid value for 'ENCRYPTION_ENABLE': '${var_encryption_enable}' and 'EPHEMERAL_ENABLE': '${var_encryption_ephemeral}'."
fi
done
done
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:

286
source/func/3.5.1.functions_installation_partition_encryption.sh
View File

@@ -1,286 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.5.1. Functions - installation - partition encryption #
###########################################################################################
###########################################################################################
# Function to encrypt the respective partition on each device according to the recipe string chosen.
# Globals:
# DIR_BAK
# DIR_CNF
# MAP_EPHEMERAL_DEV
# MAP_EPHEMERAL_ENCLABEL
# MAP_PATH_CRYPT
# MAP_UUID_CRYPT
# MODULE_ERR
# MODULE_TXT
# RECIPE_DEV_PARTITIONS
# RECIPE_STRING
# Arguments:
# None
###########################################################################################
3_5_1_functions_installation_partition_encryption() {
declare -g -x MODULE_ERR="3_5_1_functions_installation_partition_encryption"
declare -g -x MODULE_TXT="Encrypting each partition on each device"
do_show_header "${MODULE_TXT}"
### Reminder ###
# Array: "${!RECIPE_DEV_PARTITIONS[@]}"
# ${DEVICE}: "${RECIPE_DEV_PARTITIONS[${DEVICE}]}"
# Declare local variables
declare DEV
declare NUM_PARTITIONS
declare PARTITION
# Iterate through each device
for DEV in "${!RECIPE_DEV_PARTITIONS[@]}"; do
NUM_PARTITIONS=${RECIPE_DEV_PARTITIONS[${DEV}]}
# Iterate through each partition of the current device
for PARTITION in $(seq 1 "${NUM_PARTITIONS}"); do
# Generate vars for the current partition
declare ENCRYPTION_ENABLE_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_enable"
declare ENCRYPTION_EPHEMERAL_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_ephemeral"
declare ENCRYPTION_INTEGRITY_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_integrity"
declare ENCRYPTION_NUKE_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_nuke"
declare ENCRYPTION_CIPHER_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_cipher"
declare ENCRYPTION_HASH_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_hash"
declare ENCRYPTION_ITERTIME_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_itertime"
declare ENCRYPTION_KEY_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_key"
declare ENCRYPTION_LABEL_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_label"
declare ENCRYPTION_METADATASIZE_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_metadatasize"
declare ENCRYPTION_PBKDF_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_pbkdf"
declare ENCRYPTION_RNG_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_encryption_rng"
declare FILESYSTEM_LABEL_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_filesystem_label"
declare MOUNT_PATH_VAR="recipe_${RECIPE_STRING}_dev_${DEV}_${PARTITION}_mount_path"
# Initialize variables
declare ENCRYPTION_ENABLE=${!ENCRYPTION_ENABLE_VAR}
declare EPHEMERAL_ENABLE=${!ENCRYPTION_EPHEMERAL_VAR}
declare INTEGRITY_ENABLE=${!ENCRYPTION_INTEGRITY_VAR}
declare ENCRYPTION_CIPHER=${!ENCRYPTION_CIPHER_VAR}
declare ENCRYPTION_HASH=${!ENCRYPTION_HASH_VAR}
declare ENCRYPTION_ITERTIME=${!ENCRYPTION_ITERTIME_VAR}
declare ENCRYPTION_KEY=${!ENCRYPTION_KEY_VAR}
declare ENCRYPTION_LABEL=${!ENCRYPTION_LABEL_VAR}
declare ENCRYPTION_METADATASIZE=${!ENCRYPTION_METADATASIZE_VAR}
declare ENCRYPTION_PBKDF=${!ENCRYPTION_PBKDF_VAR}
declare ENCRYPTION_RNG=${!ENCRYPTION_RNG_VAR}
declare FILESYSTEM_LABEL=${!FILESYSTEM_LABEL_VAR}
declare MOUNT_PATH=${!MOUNT_PATH_VAR}
declare NUKE_ENABLE=${!ENCRYPTION_NUKE_VAR}
# Encrypting partition
if [[ ${ENCRYPTION_ENABLE,,} == "true" ]]; then
if [[ ${EPHEMERAL_ENABLE,,} == "true" ]]; then
if [[ ${MOUNT_PATH} == "SWAP" ]]; then
mkfs.ext4 -L "${FILESYSTEM_LABEL}" /dev/"${DEV}""${PARTITION}" 1M
do_log "info" "false" "Ephemeral SWAP prepared on: '/dev/${DEV}${PARTITION}'."
MAP_EPHEMERAL_DEV["${MOUNT_PATH}"]="/dev/${DEV}${PARTITION}"
MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
do_log "info" "false" "Saved in HashMap MAP_EPHEMERAL_DEV: '${MOUNT_PATH}' -> '${MAP_EPHEMERAL_DEV["${MOUNT_PATH}"]}'"
do_log "info" "false" "Saved in HashMap MAP_EPHEMERAL_ENCLABEL: '${MOUNT_PATH}' -> '${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]}'"
elif [[ ${MOUNT_PATH} == "/tmp" ]]; then
mkfs.ext4 -L "${FILESYSTEM_LABEL}" /dev/"${DEV}""${PARTITION}" 1M
do_log "info" "false" "Ephemeral /tmp prepared on: '/dev/${DEV}${PARTITION}'."
MAP_EPHEMERAL_DEV["${MOUNT_PATH}"]="/dev/${DEV}${PARTITION}"
MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
do_log "info" "false" "Saved in HashMap MAP_EPHEMERAL_DEV: '${MOUNT_PATH}' -> '${MAP_EPHEMERAL_DEV["${MOUNT_PATH}"]}'"
do_log "info" "false" "Saved in HashMap MAP_EPHEMERAL_ENCLABEL: '${MOUNT_PATH}' -> '${MAP_EPHEMERAL_ENCLABEL["${MOUNT_PATH}"]}'"
else
do_log "error" "true" "Partition: '/dev/${DEV}${PARTITION}' Invalid value for 'MOUNT_PATH': '${MOUNT_PATH}'."
fi
elif [[ ${EPHEMERAL_ENABLE,,} == "false" ]]; then
if [[ ${INTEGRITY_ENABLE,,} == "true" ]]; then
if [[ ${NUKE_ENABLE,,} == "true" ]]; then
cryptsetup luksFormat /dev/"${DEV}""${PARTITION}" \
--key-file="${DIR_CNF}"password.txt \
--type luks2 \
--cipher "${ENCRYPTION_CIPHER}" \
--hash "${ENCRYPTION_HASH}" \
--iter-time "${ENCRYPTION_ITERTIME}" \
--key-size "${ENCRYPTION_KEY}" \
--label "${ENCRYPTION_LABEL}" \
--luks2-metadata-size "${ENCRYPTION_METADATASIZE}" \
--pbkdf "${ENCRYPTION_PBKDF}" \
--"${ENCRYPTION_RNG}" \
--integrity hmac-sha512 \
--batch-mode --verbose
cryptsetup luksAddKey /dev/"${DEV}""${PARTITION}" \
--key-file="${DIR_CNF}"password.txt \
--new-keyfile="${DIR_CNF}"password_nuke.txt \
--new-key-slot 31 \
--batch-mode --verbose
do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' dm-integrity encrypted and 'Nuke-Key' added."
cryptsetup luksHeaderBackup /dev/"${DEV}""${PARTITION}" \
--header-backup-file=/"${DIR_BAK}"/luks_header_"${DEV}""${PARTITION}".bak
do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' LUKS Header saved: '/${DIR_BAK}/luks_header_${DEV}${PARTITION}.bak'."
elif [[ ${NUKE_ENABLE,,} == "false" ]]; then
cryptsetup luksFormat /dev/"${DEV}""${PARTITION}" \
--key-file="${DIR_CNF}"password.txt \
--type luks2 \
--cipher "${ENCRYPTION_CIPHER}" \
--hash "${ENCRYPTION_HASH}" \
--iter-time "${ENCRYPTION_ITERTIME}" \
--key-size "${ENCRYPTION_KEY}" \
--label "${ENCRYPTION_LABEL}" \
--luks2-metadata-size "${ENCRYPTION_METADATASIZE}" \
--pbkdf "${ENCRYPTION_PBKDF}" \
--"${ENCRYPTION_RNG}" \
--integrity hmac-sha512 \
--batch-mode --verbose
do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' dm-integrity encrypted."
cryptsetup luksHeaderBackup /dev/"${DEV}""${PARTITION}" \
--header-backup-file=/"${DIR_BAK}"/luks_header_"${DEV}""${PARTITION}".bak
do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' LUKS Header saved: '/${DIR_BAK}/luks_header_${DEV}${PARTITION}.bak'."
else
do_log "error" "true" "Partition: '/dev/${DEV}${PARTITION}' Invalid value for 'NUKE_ENABLE': '${NUKE_ENABLE}'."
fi
elif [[ ${INTEGRITY_ENABLE,,} == "false" ]]; then
if [[ ${NUKE_ENABLE,,} == "true" ]]; then
cryptsetup luksFormat /dev/"${DEV}""${PARTITION}" \
--key-file="${DIR_CNF}"password.txt \
--type luks2 \
--cipher "${ENCRYPTION_CIPHER}" \
--hash "${ENCRYPTION_HASH}" \
--iter-time "${ENCRYPTION_ITERTIME}" \
--key-size "${ENCRYPTION_KEY}" \
--label "${ENCRYPTION_LABEL}" \
--luks2-metadata-size "${ENCRYPTION_METADATASIZE}" \
--pbkdf "${ENCRYPTION_PBKDF}" \
--"${ENCRYPTION_RNG}" \
--batch-mode --verbose
cryptsetup luksAddKey /dev/"${DEV}""${PARTITION}" \
--key-file="${DIR_CNF}"password.txt \
--new-keyfile="${DIR_CNF}"password_nuke.txt \
--new-key-slot 31 \
--batch-mode --verbose
do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' encrypted and 'Nuke-Key' added."
cryptsetup luksHeaderBackup /dev/"${DEV}""${PARTITION}" \
--header-backup-file=/"${DIR_BAK}"/luks_header_"${DEV}""${PARTITION}".bak
do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' LUKS Header saved: '/${DIR_BAK}/luks_header_${DEV}${PARTITION}.bak'."
elif [[ ${NUKE_ENABLE,,} == "false" ]]; then
cryptsetup luksFormat /dev/"${DEV}""${PARTITION}" \
--key-file="${DIR_CNF}"password.txt \
--type luks2 \
--cipher "${ENCRYPTION_CIPHER}" \
--hash "${ENCRYPTION_HASH}" \
--iter-time "${ENCRYPTION_ITERTIME}" \
--key-size "${ENCRYPTION_KEY}" \
--label "${ENCRYPTION_LABEL}" \
--luks2-metadata-size "${ENCRYPTION_METADATASIZE}" \
--pbkdf "${ENCRYPTION_PBKDF}" \
--"${ENCRYPTION_RNG}" \
--batch-mode --verbose
do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' encrypted."
cryptsetup luksHeaderBackup /dev/"${DEV}""${PARTITION}" \
--header-backup-file=/"${DIR_BAK}"/luks_header_"${DEV}""${PARTITION}".bak
do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' LUKS Header saved: '/${DIR_BAK}/luks_header_${DEV}${PARTITION}.bak'."
else
do_log "error" "true" "Partition: '/dev/${DEV}${PARTITION}' Invalid value for 'NUKE_ENABLE': '${NUKE_ENABLE}'."
fi
else
do_log "error" "true" "Partition: '/dev/${DEV}${PARTITION}' Invalid value for 'INTEGRITY_ENABLE': '${INTEGRITY_ENABLE}'."
fi
else
do_log "error" "true" "Partition: '/dev/${DEV}${PARTITION}' Invalid value for 'EPHEMERAL_ENABLE': '${EPHEMERAL_ENABLE}'."
fi
else
do_log "error" "true" "Partition: '/dev/${DEV}${PARTITION}' Invalid value for 'ENCRYPTION_ENABLE': '${ENCRYPTION_ENABLE}'."
fi
# Opening encrypted partition
if [[ ${ENCRYPTION_ENABLE,,} == "true" && ${EPHEMERAL_ENABLE,,} == "false" ]]; then
cryptsetup luksOpen /dev/"${DEV}""${PARTITION}" \
--key-file="${DIR_CNF}"password.txt \
"${ENCRYPTION_LABEL}"
do_log "info" "false" "Partition: '/dev/${DEV}${PARTITION}' opened as '/dev/mapper/${ENCRYPTION_LABEL}'."
# Save UUID of the encrypted partition
declare UUID
UUID=$(blkid -s UUID -o value /dev/mapper/"${ENCRYPTION_LABEL}")
if [[ "${MOUNT_PATH}" = "/" ]]; then
CRYPT_ROOT="$(blkid -s UUID -o value "/dev/mapper/${ENCRYPTION_LABEL}")"
declare -g -r CRYPT_ROOT
fi
MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]="${UUID}"
MAP_PATH_CRYPT["${MOUNT_PATH}"]="${ENCRYPTION_LABEL}"
do_log "info" "false" "Saved in HashMap MAP_UUID_CRYPT: '${ENCRYPTION_LABEL}' -> '${MAP_UUID_CRYPT["${ENCRYPTION_LABEL}"]}'"
do_log "info" "false" "Saved in HashMap MAP_PATH_CRYPT: '${MOUNT_PATH}' -> '${MAP_PATH_CRYPT["${MOUNT_PATH}"]}'"
else
do_log "error" "true" "Partition: '/dev/${DEV}${PARTITION}' Opening encrypted partition - Invalid value for 'ENCRYPTION_ENABLE': '${ENCRYPTION_ENABLE}' and 'EPHEMERAL_ENABLE': '${EPHEMERAL_ENABLE}'."
fi
done
done
do_show_footer
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:

19
var/errors.var.sh
View File

@@ -11,21 +11,22 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
### Definition of error codes ### Definition of error codes
declare -girx ERR_UNSUPPORTED_BASH=255 # Unsupported Bash. declare -girx ERR_UNSUPPORTED_BASH=255 # The Bash is not supported.
declare -girx ERR_USER_IS_NOT_ROOT=254 # Not running as root. declare -girx ERR_USER_IS_NOT_ROOT=254 # Not running as root.
declare -girx ERR_UNSAFE_CHARACTER=253 # Invalid Character used. declare -girx ERR_UNSAFE_CHARACTER=253 # An invalid character has been used.
declare -girx ERR_UNBOUND_VARIABLE=252 # Unbound Variable declare -girx ERR_UNBOUND_VARIABLE=252 # Unbound variable.
declare -girx ERR_TRAPPED_SIG_INT=251 # Installer caught an INT and confirmed by User. declare -girx ERR_TRAPPED_SIG_INT=251 # The installer detected an INT, which was then confirmed by the user.
declare -girx ERR_FLOCK_PROTECTED=250 # Cannot open lockfile for writing. declare -girx ERR_FLOCK_PROTECTED=250 # The lock file cannot be opened for writing.
declare -girx ERR_FLOCK_COLLISION=249 # The Script is already running. declare -girx ERR_FLOCK_COLLISION=249 # The script is already running.
declare -girx ERR_NO_DOWNLOAD_ARG=248 # 'scurl()' or 'swget()': No arguments specified. declare -girx ERR_NO_DOWNLOAD_ARG=248 # 'scurl()' or 'swget()': No arguments specified.
declare -girx ERR_DOWNLOAD_FAILED=247 # 'scurl()' or 'swget()': Download failed. declare -girx ERR_DOWNLOAD_FAILED=247 # 'scurl()' or 'swget()': Download failed.
declare -girx ERR_NO_VALID_RECIPE=246 # No valid RECIPE string found in partitioning.yaml declare -girx ERR_NO_VALID_RECIPE=246 # No valid 'recipe' string was found in the partitioning.yaml file.
declare -girx ERR_INVALID_IPV4=245 # IPv4 validation failure. declare -girx ERR_INVALID_IPV4=245 # IPv4 validation failure.
declare -girx ERR_INVALID_IPV6=244 # IPv6 validation failure. declare -girx ERR_INVALID_IPV6=244 # IPv6 validation failure.
declare -girx ERR_INVALID_PORT=243 # Port validation failure. declare -girx ERR_INVALID_PORT=243 # Port validation failure.
declare -girx ERR_ARG_MISMATCH=242 # Wrong Number of optional Arguments provided. declare -girx ERR_ARG_MISMATCH=242 # The wrong number of optional arguments has been provided.
declare -girx ERR_PARTITIONTBL=241 # Not allowed Partition-table provided. declare -girx ERR_PARTITIONTBL=241 # The partition table is not allowed.
declare -girx ERR_READ_PARTTBL=240 # The partition could not be deleted, created, or the UUID of the partition could not be read.

15
var/global.var.sh
View File

@@ -65,13 +65,20 @@ declare -gx VAR_RECIPE_STRING=""
### Variable partition table ("gpt" || "mbr") ### Variable partition table ("gpt" || "mbr")
declare -gx VAR_RECIPE_TABLE="" declare -gx VAR_RECIPE_TABLE=""
### Assoziative Array (HashMap) for devices and accompanying partitions ### Assoziative Array (HashMap) for devices and accompanying partitions
declare -Agx HMP_RECIPE_DEV_PARTITIONS=() declare -Ag HMP_RECIPE_DEV_PARTITIONS
### 3200_partitioning.sh: ### 3200_partitioning.sh
### Assoziative Array (HashMap) to store UUIDs for each partition ### Assoziative Array (HashMap) to store UUIDs for each partition
### HMP_UUID_PARTITION["UUID_${DEV}${PARTITION}"]="${UUID}" ### HMP_UUID_PARTITION["UUID_${var_dev}${var_part}"]="${var_uuid}"
declare -Ag HMP_UUID_PARTITION=() declare -Ag HMP_UUID_PARTITION
### 3220_partition_encryption.sh
### Assoziative Array (HashMap) to store UUIDs for each partition
declare -Ag HMP_EPHEMERAL_DEV HMP_EPHEMERAL_ENCLABEL
declare -Ag HMP_ENCRYPTIONLABEL_UUID HMP_MOUNTPATH_ENCRYPTIONLABEL
### TODO ### TODO