msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m52s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-07-17 17:58:02 +02:00
parent 2f456451d5
commit 8542205aeb
6 changed files with 94 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
func/4195_setup_dropbear.sh
View File

@@ -89,6 +89,9 @@ setup_dropbear() {
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/hooks/dropbear.sh" \ install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/hooks/dropbear.sh" \
"${TARGET}/includes/initramfs-tools/hooks/" "${TARGET}/includes/initramfs-tools/hooks/"
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock-wrapper.sh" \
"${TARGET}/includes/initramfs-tools/files/"
return 0 return 0
} }
@@ -119,7 +122,7 @@ write_dropbear_conf() {
# -K: Keepalive interval in seconds # -K: Keepalive interval in seconds
# -p: Specify port (and optionally address) # -p: Specify port (and optionally address)
# -w: Disable root login (SHOULD NOT be implemented for initramfs) # -w: Disable root login (SHOULD NOT be implemented for initramfs)
DROPBEAR_OPTIONS="-b /etc/dropbear/initramfs/banner -E -I 300 -K 60 -p ${user_ssh_port:-2222}" DROPBEAR_OPTIONS="-b /etc/dropbear/initramfs/banner -c /usr/local/bin/unlock_wrapper.sh -E -I 300 -K 60 -p ${user_ssh_port:-2222}"
# #
# On local (non-NFS) mounts, interfaces matching this pattern are # On local (non-NFS) mounts, interfaces matching this pattern are

4
func/9999_coresecret.sh → includes/initramfs-tools/files/unlock_wrapper.sh
View File

@@ -9,7 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
# SPDX-PackageName: CISS.debian.installer # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: coresecret.sh to be executed after dropbear SSH login # SPDX-Comment: unlock_wrapper.sh to be executed after dropbear SSH login as forced command
set -C -e -u -o pipefail set -C -e -u -o pipefail
IFS=$(printf ' \n\t') IFS=$(printf ' \n\t')
@@ -373,4 +373,4 @@ elif [[ -n ${DEVICES_LUKS[*]} ]] && [[ -n ${DEVICES_NUKE[*]} ]]; then
fi fi
fi fi
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh: # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

78
includes/initramfs-tools/files/unlock_wrapper_signer.sh Normal file
View File

@@ -0,0 +1,78 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: unlock_wrapper_signer.sh for signing unlock_wrapper.sh
set -Ceuo pipefail
### Paths
declare -r SCRIPT="/etc/initramfs-tools/files/unlock_wrapper.sh"
declare -r KEYFILE="/root/.ciss/keys/dummy_0x12345678_SECRET.asc"
declare -r GNUPGHOME="/root/.ciss/gnupg"
### Output Files
declare -r HASH384="${SCRIPT}.sha384"
declare -r HASH512="${SCRIPT}.sha512"
declare -r SIG384="${HASH384}.sig"
declare -r SIG512="${HASH512}.sig"
### Ensure GNUPGHOME exists with secure permissions
mkdir -p "${GNUPGHOME}"
chmod 0700 "${GNUPGHOME}"
### Import private key only if not already present
if ! gpg --homedir "${GNUPGHOME}" --list-secret-keys | grep -q "sec"; then
printf "\e[0;92m✅ Importing private key ... \e[0m\n"
gpg --homedir "${GNUPGHOME}" --import "${KEYFILE}"
else
printf "\e[0;92m✅ Private key already present in keyring. \e[0m\n"
fi
### Extract fingerprint of the first secret key
# shellcheck disable=SC2155
declare -r FPR=$(gpg --homedir "$GNUPGHOME" --list-secret-keys --with-colons | awk -F: '/^fpr:/ { print $10; exit }')
if [[ -z "${FPR}" ]]; then
printf "\e[0;91m✘ Error: Could not extract fingerprint from keyring. \e[0m\n" >&2
exit 1
fi
printf "\e[0;92m✅ Using GPG key fingerprint: [%s] \e[0m\n" "${FPR}"
### Hashing (only the hash value, no filename)
printf "\e[0;95m🔢 Generating Hashes ... \e[0m\n"
if sha384sum "${SCRIPT}" | awk '{print $1}' >| "${HASH384}"; then
printf "\e[0;92m✅ Hash: [%s] of Script: [%s] created. \e[0m\n" "${HASH384}" "${SCRIPT}"
fi
if sha512sum "${SCRIPT}" | awk '{print $1}' >| "${HASH512}"; then
printf "\e[0;92m✅ Hash: [%s] of Script: [%s] created. \e[0m\n" "${HASH512}" "${SCRIPT}"
fi
printf "\e[0;92m🔢 Generating Hashes done. \e[0m\n"
### Signing Hashes
printf "\e[0;95m✍ Signing hashes ... \e[0m\n"
if gpg --homedir "${GNUPGHOME}" --batch --yes --local-user "${FPR}" --output "${SIG384}" --detach-sign "${HASH384}"; then
printf "\e[0;92m✅ Hash: [%s] signed: [%s]. \e[0m\n" "${HASH384}" "${SIG384}"
fi
if gpg --homedir "${GNUPGHOME}" --batch --yes --local-user "${FPR}" --output "${SIG512}" --detach-sign "${HASH512}"; then
printf "\e[0;92m✅ Hash: [%s] signed: [%s]. \e[0m\n" "${HASH512}" "${SIG512}"
fi
printf "\e[0;92m✍ Signing hashes done. \e[0m\n"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
includes/initramfs-tools/hooks/custom-prompt.sh
View File

@@ -30,3 +30,5 @@ export PS1='$( STATUS=$?; \
printf "\001\e[0;31m\002\u@\H\001\e[0m\002:\001\e[0;95m\002\w\001\e[0m\002>>\001\e[0;91m\002%d\001\e[0m\002|~#> " "${STATUS}"; \ printf "\001\e[0;31m\002\u@\H\001\e[0m\002:\001\e[0;95m\002\w\001\e[0m\002>>\001\e[0;91m\002%d\001\e[0m\002|~#> " "${STATUS}"; \
fi; ) ' fi; ) '
EOF EOF
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

12
includes/initramfs-tools/hooks/dropbear.sh
View File

@@ -47,13 +47,15 @@ for dir in bin usr/bin; do
ln -sf busybox "${DESTDIR}/${dir}/sleep" ln -sf busybox "${DESTDIR}/${dir}/sleep"
done done
install -m 0555 /etc/initramfs-tools/files/coresecret.sh "${DESTDIR}/usr/local/bin/coresecret.sh" install -m 0555 /etc/initramfs-tools/files/unlock-wrapper.sh "${DESTDIR}/usr/local/bin/unlock-wrapper.sh"
install -m 0444 /etc/initramfs-tools/files/coresecret.sh.sha384 "${DESTDIR}/usr/local/bin/coresecret.sh.sha384" install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha384 "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha384"
install -m 0444 /etc/initramfs-tools/files/coresecret.sh.sha512 "${DESTDIR}/usr/local/bin/coresecret.sh.sha512" install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha512 "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha512"
install -m 0444 /etc/initramfs-tools/files/coresecret.sh.sha384.sig "${DESTDIR}/usr/local/bin/coresecret.sh.sha384.sig" install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha384.sig "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha384.sig"
install -m 0444 /etc/initramfs-tools/files/coresecret.sh.sha512.sig "${DESTDIR}/usr/local/bin/coresecret.sh.sha512.sig" install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha512.sig "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha512.sig"
cp -a /root/.ciss/keys/pubring.gpg "${DESTDIR}/etc/keys/" cp -a /root/.ciss/keys/pubring.gpg "${DESTDIR}/etc/keys/"
chmod 0444 "${DESTDIR}/etc/keys/pubring.gpg" chmod 0444 "${DESTDIR}/etc/keys/pubring.gpg"
cp -a /etc/dropbear/initramfs/banner "${DESTDIR}/etc/dropbear/initramfs/banner" cp -a /etc/dropbear/initramfs/banner "${DESTDIR}/etc/dropbear/initramfs/banner"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
includes/initramfs-tools/scripts/init-top/fixpath.sh
View File

@@ -10,6 +10,6 @@
# SPDX-PackageName: CISS.debian.installer # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
export PATH=/usr/bin:/bin:/sbin:/usr/sbin:$PATH export PATH="/usr/local/bin:/usr/bin:/bin:/sbin:/usr/sbin:$PATH"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh