V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.preseed/preseed.yaml

@@ -114,11 +114,13 @@ dropbear:
   firewall: false              # Yet not implemented. MUST be "false".
                                # Additional ultra hardening of the dropbear initramfs environment via firewall.
                                # The "bastion_ipv4" MUST be provided.
-  pgp_key: "/.pubkey/marc_s_weidner_msw@coresecret.dev_0xE62E84F8_public.asc"
-                               # './path/to/pgp_public_key.asc' to check the signature of: 'unlock-wrapper.sh'
   port: 42137                  # SSH Port dropbear initramfs should listen.
-  sig_file: "/.preseed/unlock-wrapper.sh.sha512.sig"
-                               # './path/to/unlock-wrapper.sh.sha512.sig' to verify the integrity of: 'unlock-wrapper.sh'
+  pub_key: "/.preseed/unlock_wrapper_pubring.gpg"
+                               # './path/to/unlock_wrapper_pubring.pgp' to check the signature of: 'unlock-wrapper.sh.sha512.sig'
+  sha_file: "/.preseed/unlock_wrapper.sh.sha512"
+                               # './path/to/unlock_wrapper.sh.sha512' to verify the integrity of: 'unlock-wrapper.sh'
+  sig_file: "/.preseed/unlock_wrapper.sh.sha512.sig"
+                               # './path/to/unlock_wrapper.sh.sha512.sig' to verify the authenticity of: 'unlock-wrapper.sh.sha512'
 
 ################################################################################################################################
 # Grub Bootparameter
@@ -423,7 +425,7 @@ grub_parameter:
 grub:
   background:                  # RECOMMENDED settings: JPG 1280 x 1024 px or JPG 1920 x 1080 px
     enable: true               # If you want to add a GRUB background.
-    path: "/includes/target/etc/default/grub.d/hexagon_800_600.png"
+    path: "/includes/target/etc/default/grub.d/hexagon_1280_720.png"
   bootdev: "/dev/sda"          # Due notably to potential USB sticks, the location of the primary drive cannot be determined
                                # safely in general, so this needs to be specified.
   force_efi: true              # Force GRUB installation to the EFI removable media path?
@@ -441,6 +443,8 @@ grub:
                                # record if no other operating system is detected on the machine.
   other-os: true               # This one makes grub-installer install to the UEFI partition '/boot' record if it also finds
                                # some other OS, which is less safe as it might not be able to boot that other OS.
+  password: true               # If you want to set a password for GRUB. The password MUST be set at:
+                               # '/.preseed/password_grub.txt'.
   prober: false                # OS-prober did not detect any other operating systems on your computer at this time, but you
                                # may still wish to enable it in case you install more in the future.
   skip: false                  # Skip installing grub.

.preseed/unlock_wrapper.sh.sha512

@@ -0,0 +1 @@
+be5dfdaf07abdea07b6e683951fac60047ace3a01070918bf5d73f72ded156e17898b18ef28391752d4985338af7e2bb566fd9fa842bfe5fdce2defa11ce632e

ciss_debian_installer.sh

@@ -19,7 +19,7 @@
 # TODO: Implement this function 4470_hardening_openssl.sh
 # TODO: Update .dot files.
 # TODO: Update README.md for each lib and func dir.
-# TODO: Update MANPAGES.md for each func.
+# TODO: Update MANPAGE.md for each func.
 # TODO: Update preseed.yaml for pgp signing key AND / OR implementation of presigned unlock_wrapper.sh
 # TODO: Implement Clang Build Chain and Secure Boot PK CISS.ROOT.CA Signing Workflow
 # TODO: Check Packages for installation. Refactor preseed.yaml, 4130_installation_toolset.sh, 4700_setup_packages.sh
@@ -291,8 +291,11 @@ info_echo "4220_installation_cryptsetup.sh"
 installation_cryptsetup
 info_echo "4230_installation_grub.sh"
 installation_grub
-info_echo "4240_update_grub_password.sh"
-update_grub_password
+
+if [[ "${VAR_GRUB_PASSWORD}" == "true" ]]; then
+  info_echo "4240_update_grub_password.sh"
+  update_grub_password
+fi
 info_echo "4250_update_grub_bootparameter.sh"
 update_grub_bootparameter
 

func/cdi_1250_yaml/1251_yaml_reader.sh

@@ -147,6 +147,9 @@ END { print max }
   # shellcheck disable=SC2034
   VAR_DROPBEAR="${dropbear_boot,,}"
 
+  # shellcheck disable=SC2034
+  VAR_GRUB_PASSWORD="${grub_password,,}"
+
   ### Extract chroot secure '/run' mounting strategy.
   # shellcheck disable=SC2034
   VAR_NEED_RUN_IN_TARGET="${needrun,,}"

func/cdi_4000_debootstrap/4000_debootstrap.sh

@@ -49,8 +49,9 @@ func_debootstrap() {
 
     do_log "info" "file_only" "4000() [${ary_cmd[*]}] successful."
     install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/backup"
-    install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/log"
     install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/hooks"
+    install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/keys"
+    install -d -m 0700 -o root -g root "${var_target}/root/.ciss/cdi/log"
     guard_dir && return 0
 
   else

func/cdi_4200_boot/4230_installation_grub.sh

@@ -128,8 +128,8 @@ GRUB_BACKGROUND="/boot/grub/${var_background}"
 # The resolution used on graphical terminal
 # note that you can use only modes which your graphic card supports via VBE
 # you can see them in real GRUB with the command 'vbeinfo'
-# GRUB_GFXMODE=1920x1080,1280x1024,1024x768,800x600
-GRUB_GFXMODE=800x600
+# GRUB_GFXMODE=1920x1080,1280x1024,1280x720,1024x768,800x600,640x480
+GRUB_GFXMODE=1280x720
 GRUB_GFXPAYLOAD_LINUX=keep
 
 EOF

func/cdi_4200_boot/4240_update_grub_password.sh

@@ -28,17 +28,15 @@ update_grub_password() {
   declare var_username="superadmin" var_password="" var_password_file="${DIR_CNF}/password_grub.txt" \
           var_of="${TARGET}/etc/grub.d/40_custom" var_grub_entry=""
 
-  ### TODO: PASSWORD REMINDER START
   guard_trace on
 
   var_password=$(<"${var_password_file}") || return "${ERR_READ_GRUB_FILE}"
 
   var_grub_entry=$(generate_grub_password_pbkdf2 "${var_username}" "${var_password}")
 
-  #### TODO: PASSWORD REMINDER STOP
   guard_trace off
 
-  ### Append if not already present
+  ### Append if not already present.
   if ! grep -q "set superusers=" "${var_of}"; then
     {
       echo ""

func/cdi_4300_network/4312_dropbear_setup.sh

@@ -79,8 +79,8 @@ dropbear_setup() {
   write_dropbear_conf
 
   ### Install the script to be called by 'update-initramfs' for updating 'PATH'-variable inside initramfs.
-  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/scripts/init-bottom/9999-fixpath.sh" \
-    "${TARGET}/etc/initramfs-tools/scripts/init-bottom/9999-fixpath"
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/scripts/init-premount/1000-fixpath.sh" \
+    "${TARGET}/etc/initramfs-tools/scripts/init-premount/1000-fixpath"
   install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/scripts/init-top/0000-fixpath.sh" \
     "${TARGET}/etc/initramfs-tools/scripts/init-top/0000-fixpath"
 
@@ -95,6 +95,12 @@ dropbear_setup() {
   ### Install the script to be called inside initramfs environment for unlocking LUKS and NUKE Devices.
   install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/files/unlock_wrapper.sh" \
     "${TARGET}/etc/initramfs-tools/files/"
+  install -D -m 0640 -o root -g root "${VAR_SETUP_PATH}${dropbear_sha_file}" \
+    "${TARGET}/etc/initramfs-tools/files/"
+  install -D -m 0640 -o root -g root "${VAR_SETUP_PATH}${dropbear_sig_file}" \
+    "${TARGET}/etc/initramfs-tools/files/"
+  install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}${dropbear_pub_key}" \
+    "${TARGET}/root/.ciss/keys/"
 
   ### Install the script to be called inside the Host environment for signing 'unlock_wrapper.sh'-script.
   install -D -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/files/unlock_wrapper_signer.sh" \

includes/target/etc/initramfs-tools/files/unlock_wrapper.sh

@@ -345,7 +345,7 @@ trap_on_exit() {
 trap_on_term() {
   trap - ERR INT TERM
   stty echo
-  printf "%s" "${NL}"
+  printf "%b" "${NL}"
   color_echo "${RED}" "✘ Received termination signal. System Power Off in 3 seconds." >&2
   # TODO: REMOVE DEBUGGER FOR PRODUCTION
   drop_bash
@@ -362,7 +362,6 @@ trap_on_term() {
 #   0: Script Name
 #######################################
 verify_script() {
-  # TODO: TEST THIS FUNC()
   declare     dir
   # shellcheck disable=SC2312
   dir="$(dirname "$(readlink -f "${0}")")"
@@ -378,10 +377,11 @@ verify_script() {
 
     color_echo "${MAG}" "🔏 Verifying signature of: [${hashfile}]"
 
-    if ! gpgv --keyring /etc/keys/pubring.gpg "${sigfile}" "${hashfile}"; then
+    if ! gpgv --keyring /etc/keys/unlock_wrapper_pubring.gpg "${sigfile}" "${hashfile}"; then
       color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]"
       color_echo "${RED}" "✘ System Power Off in 3 seconds ...."
-      power_off 3
+      drop_bash
+      #power_off 3
     else
       color_echo "${GRE}" "🔏 Verifying signature of: [${hashfile}] successful."
     fi
@@ -395,7 +395,8 @@ verify_script() {
     if [[ "${computed}" != "${expected}" ]]; then
       color_echo "${RED}" "✘ Recomputed hash mismatch for     : [${item}]" >&2
       color_echo "${RED}" "✘ System Power Off in 3 seconds ...." >&2
-      power_off 3
+      drop_bash
+      #power_off 3
     fi
     color_echo "${GRE}" "🔢 Recomputing Hash: [${item}] successful."
 
@@ -422,13 +423,20 @@ main() {
   trap 'trap_on_exit' EXIT
   trap 'trap_on_term' INT TERM
 
+  if [[ -r /etc/dropbear/banner ]]; then
+    cat /etc/dropbear/banner >&2
+  elif [[ -r /etc/dropbear/initramfs/banner ]]; then
+    cat /etc/dropbear/initramfs/banner >&2
+  fi
+  uname -a
+
   printf "%b" "${NL}"
   color_echo "${RED}" "Coresecret Connection established."
   color_echo "${RED}" "Starting Time: ${CURRENTDATE}"
 
   printf "%b" "${NL}"
   color_echo "${MAG}" "Integrity self-check ..."
-  #verify_script
+  verify_script
 
   ### Read newline-separated output into an array.
   printf "%b" "${NL}"

includes/target/etc/initramfs-tools/hooks/9999-custom-initramfs.sh

@@ -31,7 +31,6 @@ fi
 
 ### Ensure directory structure in initramfs
 mkdir -p "${DESTDIR}/usr/bin"
-mkdir -p "${DESTDIR}/etc/dropbear/initramfs"
 mkdir -p "${DESTDIR}/etc/keys"
 mkdir -p "${DESTDIR}/usr/local/bin"
 mkdir -p "${DESTDIR}/etc/initramfs-tools/conf.d"
@@ -98,21 +97,22 @@ printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files
 install -m 0444 /etc/dropbear/initramfs/dropbear.conf "${DESTDIR}/etc/dropbear/dropbear.conf"
 printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/dropbear.conf %s/etc/dropbear/dropbear.conf] \n\e[0m" "${DESTDIR}"
 
-### Install Dropbear Cryptroot Unlock Wrapper
+### Install Dropbear 'cryptroot-unlock'-Wrapper
 install -m 0555 /etc/initramfs-tools/files/unlock_wrapper.sh "${DESTDIR}/usr/local/bin/unlock_wrapper.sh"
 printf "\e[92mSuccessfully executed: [install -m 0555 /etc/initramfs-tools/files/unlock_wrapper.sh %s/usr/local/bin/unlock_wrapper.sh] \n\e[0m" "${DESTDIR}"
-# TODO: Update preseed.yaml for pgp signing key AND / OR implementation of presigned unlock_wrapper.sh
-#install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512 "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha512"
-#install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha512.sig"
+
+install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512 "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha512"
+printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512 %s/usr/local/bin/unlock_wrapper.sh.sha512] \n\e[0m" "${DESTDIR}"
+
+install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha512.sig"
+printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig %s/usr/local/bin/unlock_wrapper.sh.sha512.sig] \n\e[0m" "${DESTDIR}"
 
 ### Install PGP Signing Keys
-#install -m 0444 /root/.ciss/keys/pubring.gpg "${DESTDIR}/etc/keys/pubring.gpg"
+install -m 0444 /root/.ciss/keys/unlock_wrapper_pubring.pgp "${DESTDIR}/etc/keys/unlock_wrapper_pubring.gpg"
 
 ### Install Dropbear Banner
 install -m 0444 /etc/dropbear/initramfs/banner "${DESTDIR}/etc/dropbear/banner"
 printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/banner %s/etc/dropbear/banner] \n\e[0m" "${DESTDIR}"
-install -m 0444 /etc/dropbear/initramfs/banner "${DESTDIR}/etc/dropbear/initramfs/banner"
-printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/banner %s/etc/dropbear/initramfs/banner] \n\e[0m" "${DESTDIR}"
 
 printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999-custom-initramfs.sh] \n\e[0m"
 

includes/target/etc/initramfs-tools/scripts/init-premount/1000-fixpath.sh

@@ -19,11 +19,11 @@ case "${1}" in
 esac
 
 mkdir -p /run/ciss
-printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_bottom_early.log
+printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_premount_early.log
 
 ### Make sure /usr/local/bin is in front of 'PATH'.
 export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"
 
-printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_bottom_late.log
+printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_premount_late.log
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

var/global.var.sh

@@ -67,4 +67,7 @@ declare -gx VAR_CHROOT_ACTIVATED="false"
 ### 4120_installation_kernel.sh
 declare -gx VAR_KERNEL=""
 
+### 4240_update_grub_password.sh
+declare -gx VAR_GRUB_PASSWORD="false"
+
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh