V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-07 00:27:27 +01:00
parent ac32202060
commit 89e5a0b72a
5 changed files with 29 additions and 17 deletions
--- a/func/cdi_3200_partitioning/3220_partition_encryption.sh
+++ b/func/cdi_3200_partitioning/3220_partition_encryption.sh
@@ -141,14 +141,14 @@ partition_encryption() {

          var_filesystem_label=$(get_label "${var_encryption_path}" "${var_fs}" "file")

-          mkfs.ext4 -L "${var_filesystem_label}" "/dev/${var_dev}" 1M
-          do_log "info" "file_only" "3220() Ephemeral: '${var_encryption_path}' prepared on: '/dev/${var_dev}'."
+          #mkfs.ext4 -L "${var_filesystem_label}" "/dev/${var_dev}" 1M
+          #do_log "info" "file_only" "3220() Ephemeral: '${var_encryption_path}' prepared on: '/dev/${var_dev}'."

-          var_fs_uuid=$(blkid -s UUID -o value "/dev/${var_dev}")
+          #var_fs_uuid=$(blkid -s UUID -o value "/dev/${var_dev}")
          ### Gathering information for '/etc/fstab'-generation in 4040() and '/etc/crypttab'-generation in 4060().
          # shellcheck disable=SC2034
-          HMP_PATH_FSUUID["${var_encryption_path}"]="${var_fs_uuid}"
-          do_log "debug" "file_only" "3220() [HMP_PATH_FSUUID]       : '${var_encryption_path}' -> '${HMP_PATH_FSUUID["${var_encryption_path}"]}'"
+          #HMP_PATH_FSUUID["${var_encryption_path}"]="${var_fs_uuid}"
+          #do_log "debug" "file_only" "3220() [HMP_PATH_FSUUID]       : '${var_encryption_path}' -> '${HMP_PATH_FSUUID["${var_encryption_path}"]}'"

          HMP_EPHEMERAL_ENCLABEL["${var_encryption_path}"]="${var_encryption_label}"
          HMP_EPHEMERAL_FS_LABEL["${var_encryption_path}"]="${var_filesystem_label}"
--- a/func/cdi_3200_partitioning/3240_partition_formatting.sh
+++ b/func/cdi_3200_partitioning/3240_partition_formatting.sh
@@ -59,7 +59,7 @@ partition_formatting() {

    case "${var_format_path,,}" in
      swap|/tmp)
-        do_log "info" "file_only" "3240() Partition: '/dev/${var_dev}' ephemeral encryption already prepared in 3220(): '${var_format_path}'."
+        do_log "info" "file_only" "3240() Partition: '/dev/${var_dev}' ephemeral encryption devices do not need formatting: '${var_format_path}'."
        ### Nothing more to do here.
        continue
        ;;
--- a/func/cdi_3200_partitioning/3280_mount_partition.sh
+++ b/func/cdi_3200_partitioning/3280_mount_partition.sh
@@ -187,7 +187,7 @@ mount_partition() {
  declare     var_mount_path="" var_dev_part="" var_dev="" var_btrfs_options="" \
              var_encryption_label="" var_fs_btrfs_compress="" var_fs_btrfs_level="" var_fs_btrfs_snapshot="" \
              var_fs_btrfs_subvolume="" var_fs_version="" var_mount_options="" var_mount_optsnap="" var_mount_path="" \
-              var_snapshot="" var_fs_uuid=""
+              var_snapshot="" var_fs_uuid="" var_partuuid=""

  declare -a  ary_cmd=() ary_cmd_mount=()

@@ -213,6 +213,7 @@ mount_partition() {
    fi

    var_fs_uuid="${HMP_PATH_FSUUID["${var_mount_path}"]}"
+    var_partuuid="${HMP_PATH_PARTUUID["${var_mount_path}"]}"

    if [[ -z "${var_fs_uuid}" ]]; then
      do_log "error" "file_only" "3280() FS-UUID for mount path: '${var_mount_path}' not found in: 'HMP_PATH_FSUUID'."
@@ -222,9 +223,14 @@ mount_partition() {
    ### Mounting of Ephemeral 'SWAP' and '/tmp' as per https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption#UUID_and_LABEL
    if [[ "${var_mount_path,,}" == "swap" ]]; then

-      cryptsetup open --type plain --key-file /dev/random \
-        --offset 2048 --cipher aes-xts-plain64 --key-size 512 \
-        --sector-size 4096 "/dev/disk/by-uuid/${var_fs_uuid}" "${var_encryption_label}"
+      #cryptsetup open --type plain --key-file /dev/random \
+      #  --offset 2048 --cipher aes-xts-plain64 --key-size 512 \
+      #  --sector-size 4096 "/dev/disk/by-uuid/${var_fs_uuid}" "${var_encryption_label}"
+
+      cryptsetup open --type plain --hash=plain \
+        --key-file /dev/random --keyfile-size 256 \
+        --cipher aes-xts-plain64 --key-size 512 \
+        "/dev/disk/by-partuuid/${var_partuuid}" "${var_encryption_label}"

      mkswap "/dev/mapper/${var_encryption_label}"
      do_log "debug" "file_only" "3280() [mkswap /dev/mapper/${var_encryption_label}]."
@@ -239,9 +245,14 @@ mount_partition() {

    elif [[ "${var_mount_path,,}" == "/tmp" ]]; then

-      cryptsetup open --type plain --key-file /dev/random \
-        --offset 2048 --cipher aes-xts-plain64 --key-size 512 \
-        --sector-size 4096 "/dev/disk/by-uuid/${var_fs_uuid}" "${var_encryption_label}"
+      #cryptsetup open --type plain --key-file /dev/random \
+      #  --offset 2048 --cipher aes-xts-plain64 --key-size 512 \
+      #  --sector-size 4096 "/dev/disk/by-uuid/${var_fs_uuid}" "${var_encryption_label}"
+
+      cryptsetup open --type plain --hash=plain \
+        --key-file /dev/random --keyfile-size 256 \
+        --cipher aes-xts-plain64 --key-size 512 \
+        "/dev/disk/by-partuuid/${var_partuuid}" "${var_encryption_label}"

      mkdir -p "${TARGET}/tmp"

--- a/func/cdi_4200_boot/4200_generate_fstab.sh
+++ b/func/cdi_4200_boot/4200_generate_fstab.sh
@@ -155,7 +155,7 @@ EOF
  var_fs_uuid="/dev/mapper/${var_dmapper}"
  var_fs_path="none"
  var_fs_type="swap"
-  var_fs_opts="defaults,discard,nofail,x-systemd.device-timeout=2s"
+  var_fs_opts="defaults,discard,nofail,x-systemd.device-timeout=10s"
  var_fs_pass="0"
  write_fstab "${var_fs_uuid}" "${var_fs_path}" "${var_fs_type}" "${var_fs_opts}" "${var_fs_pass}"

--- a/func/cdi_4200_boot/4210_generate_crypttab.sh
+++ b/func/cdi_4200_boot/4210_generate_crypttab.sh
@@ -52,7 +52,8 @@ readonly -f write_crypttab
 #######################################
 generate_crypttab() {
  ### Declare Arrays, HashMaps, and Variables.
-  declare     var_key="" var_encryption_label="" var_luks_uuid="" var_ephemeral_enclabel="" var_host_fs_label=""
+  declare     var_key="" var_encryption_label="" var_luks_uuid="" var_ephemeral_enclabel="" var_host_fs_label="" \
+              var_host_partuuid=""

  ensure_lowercase "VAR_DROPBEAR"

@@ -125,12 +126,12 @@ EOF

      swap)
        #write_crypttab "${var_ephemeral_enclabel}" "LABEL=${var_host_fs_label}" "/dev/random" "swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,discard"
-        write_crypttab "${var_ephemeral_enclabel}" "PARTUUID=${var_host_partuuid}" "/dev/urandom" "swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,discard"
+        write_crypttab "${var_ephemeral_enclabel}" "PARTUUID=${var_host_partuuid}" "/dev/random" "cipher=aes-xts-plain64,size=512,discard,swap"
        ;;

      /tmp)
        #write_crypttab "${var_ephemeral_enclabel}" "LABEL=${var_host_fs_label}" "/dev/random" "offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,discard,tmp=ext4"
-        write_crypttab "${var_ephemeral_enclabel}" "PARTUUID=${var_host_partuuid}" "/dev/urandom" "offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,discard"
+        write_crypttab "${var_ephemeral_enclabel}" "PARTUUID=${var_host_partuuid}" "/dev/random" "cipher=aes-xts-plain64,size=512,discard"
        chroot_script "${TARGET}" "systemctl disable tmp.mount"
        do_log "info" "file_only" "4210() Masked: [tmp.mount]"
        ;;