V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 55s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 55s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
396
includes/etc/initramfs-tools/files/unlock_wrapper.sh
Normal file
396
includes/etc/initramfs-tools/files/unlock_wrapper.sh
Normal file
@@ -0,0 +1,396 @@
|
||||
#!/bin/bash
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-FileType: SOURCE
|
||||
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||||
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||||
# SPDX-PackageName: CISS.debian.installer
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
# SPDX-Comment: unlock_wrapper.sh to be executed as '/etc/crypttab' keyscript and as dropbear SSH forced command.
|
||||
|
||||
set -Ceuo pipefail
|
||||
|
||||
#######################################
|
||||
# Variable declaration
|
||||
#######################################
|
||||
declare -r ASKPASS='/lib/cryptsetup/askpass'
|
||||
declare -r REGEX='^\$[a-z0-9]+\$[./A-Za-z0-9]+\$[./A-Za-z0-9]+$'
|
||||
# shellcheck disable=SC2155
|
||||
declare -r CURRENTDATE=$(date +"%F %T")
|
||||
declare -r GRE='\e[0;92m'
|
||||
declare -r MAG='\e[0;95m'
|
||||
declare -r RED='\e[0;91m'
|
||||
declare -r RES='\e[0m'
|
||||
declare -r NL='\n'
|
||||
declare -g NUKE_ENABLED='false'
|
||||
declare -g NUKE_HASH=''
|
||||
declare -g PASSPHRASE=''
|
||||
|
||||
#######################################
|
||||
# Print-colored text.
|
||||
# Arguments:
|
||||
# 1: Color code.
|
||||
# *: Text to print.
|
||||
#######################################
|
||||
color_echo() { declare c="$1"; shift; declare msg="${*}"; printf "%s%s %s%s" "${c}" "${msg}" "${RES}" "${NL}"; }
|
||||
|
||||
#######################################
|
||||
# Die helper: print and exit hard.
|
||||
# Globals:
|
||||
# NC
|
||||
# RED
|
||||
# Arguments:
|
||||
# 1: Message string to print.
|
||||
#######################################
|
||||
die() { printf "%s✘ %s %s%s" "${RED}" "$1" "${RES}" "${NL}" >&2; power_off 3; }
|
||||
|
||||
#######################################
|
||||
# Drop to bash environment.
|
||||
# Arguments:
|
||||
# None
|
||||
#######################################
|
||||
drop_bash() { stty echo; prompt_string; exec /bin/bash -i; }
|
||||
|
||||
#######################################
|
||||
# Extract the 'nuke='-parameter from '/proc/cmdline'.
|
||||
# Globals:
|
||||
# NUKE_ENABLED
|
||||
# NUKE_HASH
|
||||
# RED
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
# 0: if 'nuke=' was found and extracted.
|
||||
# 1: if not found.
|
||||
#######################################
|
||||
extract_nuke_hash() {
|
||||
declare ARG="" CMDLINE=""
|
||||
|
||||
### Read '/proc/cmdline' into a single line safely.
|
||||
read -r CMDLINE < /proc/cmdline
|
||||
for ARG in ${CMDLINE}; do
|
||||
case "${ARG}" in
|
||||
nuke=*)
|
||||
NUKE_HASH="${ARG#nuke=}"
|
||||
if [[ "${NUKE_HASH}" =~ ${REGEX} ]]; then
|
||||
NUKE_ENABLED="true"
|
||||
return 0
|
||||
else
|
||||
### If there is a malformed Grub Bootparameter 'nuke=HASH', drop to bash.
|
||||
color_echo "${RED}" "✘ Nuke Hash Malformat : [${REGEX}] [${NUKE_HASH}]." >&2
|
||||
color_echo "${RED}" "✘ Dropping to bash ...:" >&2
|
||||
drop_bash
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
done
|
||||
### No 'nuke=HASH' entry found.
|
||||
return 1
|
||||
}
|
||||
|
||||
#######################################
|
||||
# Gather information of all LUKS Devices available on the system.
|
||||
# Arguments:
|
||||
# None
|
||||
#######################################
|
||||
gather_luks_devices() {
|
||||
declare prev=() curr=()
|
||||
declare -i tries=0
|
||||
|
||||
while ((tries < 10)); do
|
||||
# shellcheck disable=SC2312
|
||||
mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | sort)
|
||||
|
||||
if cmp <(printf '%s\n' "${curr[@]}") <(printf '%s\n' "${prev[@]}") >/dev/null; then
|
||||
break
|
||||
fi
|
||||
|
||||
prev=("${curr[@]}")
|
||||
tries=$((tries + 1))
|
||||
sleep 1
|
||||
|
||||
done
|
||||
|
||||
printf '%s\n' "${curr[@]}"
|
||||
}
|
||||
|
||||
#######################################
|
||||
# Erase LUKS headers on all LUKS devices and shutdown system.
|
||||
# Globals:
|
||||
# DEVICES_LUKS
|
||||
# RED
|
||||
# Arguments:
|
||||
# None
|
||||
#######################################
|
||||
nuke() {
|
||||
declare dev=""
|
||||
for dev in "${DEVICES_LUKS[@]}"; do
|
||||
cryptsetup erase --batch-mode "${dev}" || true
|
||||
color_echo "${RED}" "✘ Error: LUKS Device Header malfunction: [${dev}]."
|
||||
done
|
||||
secure_unset_pass
|
||||
color_echo "${RED}" "✘ Error: LUKS Device malfunction. System Power Off in 16 seconds."
|
||||
power_off 16
|
||||
}
|
||||
|
||||
#######################################
|
||||
# Unified power-off routine.
|
||||
# Arguments:
|
||||
# 1: Sleep time before power-off in seconds (Default to 0 seconds).
|
||||
#######################################
|
||||
power_off() {
|
||||
declare -r wait="${1:-0}"
|
||||
sleep "${wait}"
|
||||
sync
|
||||
echo 1 >| /proc/sys/kernel/sysrq
|
||||
echo o >| /proc/sysrq-trigger
|
||||
### The System powers off immediately; no further code is executed.
|
||||
}
|
||||
|
||||
#######################################
|
||||
# Print Error Message for Trap on 'ERR' on Terminal.
|
||||
# Globals:
|
||||
# NL
|
||||
# RED
|
||||
# Arguments:
|
||||
# 1: ${?}
|
||||
# 2: ${BASH_SOURCE[0]}
|
||||
# 3: ${LINENO}
|
||||
# 4: ${FUNCNAME[0]:-main}
|
||||
# 5: ${BASH_COMMAND}
|
||||
#######################################
|
||||
print_scr_err() {
|
||||
declare -r scr_err_errcode="$1"
|
||||
declare -r scr_err_errscrt="$2"
|
||||
declare -r scr_err_errline="$3"
|
||||
declare -r scr_err_errfunc="$4"
|
||||
declare -r scr_err_errcmmd="$5"
|
||||
printf "%s" "${NL}"
|
||||
color_echo "${RED}" "✘ System caught an 'ERROR'. System Power Off in 16 seconds." >&2
|
||||
printf "%s" "${NL}"
|
||||
color_echo "${RED}" "✘ Error : [${scr_err_errcode}]" >&2
|
||||
color_echo "${RED}" "✘ Line : [${scr_err_errline}]" >&2
|
||||
color_echo "${RED}" "✘ Script : [${scr_err_errscrt}]" >&2
|
||||
color_echo "${RED}" "✘ Function : [${scr_err_errfunc}]" >&2
|
||||
color_echo "${RED}" "✘ Command : [${scr_err_errcmmd}]" >&2
|
||||
printf "%s" "${NL}"
|
||||
}
|
||||
|
||||
#######################################
|
||||
# Print Error Message for '0'-Exit-Code on Terminal.
|
||||
# Globals:
|
||||
# GRE
|
||||
# Arguments:
|
||||
# None
|
||||
#######################################
|
||||
print_scr_scc() { color_echo "${GRE}" "✅ Script exited successfully. Proceeding with booting."; }
|
||||
|
||||
#######################################
|
||||
# Generates informative shell prompt.
|
||||
# Globals:
|
||||
# PS1
|
||||
# Arguments:
|
||||
# None
|
||||
#######################################
|
||||
prompt_string() {
|
||||
declare -gx PS1="\
|
||||
\[\033[1;91m\]\d\[\033[0m\]|\[\033[1;91m\]\u\[\033[0m\]@\
|
||||
\[\033[1;95m\]\h\[\033[0m\]:\
|
||||
\[\033[1;96m\]\w\[\033[0m\]/>>\
|
||||
\$(if [[ \$? -eq 0 ]]; then \
|
||||
# Show exit status in green if zero
|
||||
echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
|
||||
else \
|
||||
# Show exit status in red otherwise
|
||||
echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
|
||||
fi)\
|
||||
|~\$ "
|
||||
}
|
||||
|
||||
#######################################
|
||||
# Read Passphrase interactively.
|
||||
# Globals:
|
||||
# ASKPASS
|
||||
# NUKE_ENABLED
|
||||
# NUKE_HASH
|
||||
# PASSPHRASE
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
# 0: on success
|
||||
#######################################
|
||||
read_passphrase() {
|
||||
declare -a METHODS=("sha512crypt" "yescrypt" "scrypt" "bcrypt")
|
||||
declare METHOD="" SALT=""
|
||||
|
||||
PASSPHRASE="$(${ASKPASS} "Enter passphrase: ")"
|
||||
|
||||
if [[ "${NUKE_ENABLED,,}" == 'true' ]]; then
|
||||
### Validate NUKE_HASH format (e.g., $id$salt$hash)
|
||||
if [[ "${NUKE_HASH}" =~ ${REGEX} ]]; then
|
||||
SALT="$(cut -d'$' -f3 <<< "${NUKE_HASH}")"
|
||||
for METHOD in "${METHODS[@]}"; do
|
||||
if mkpasswd -m "${METHOD}" -S "${SALT}" "${PASSPHRASE}" 2>/dev/null | grep -qF -- "${NUKE_HASH}"; then
|
||||
nuke
|
||||
fi
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
#######################################
|
||||
# Securely unset the passphrase variable.
|
||||
# Globals:
|
||||
# PASSPHRASE
|
||||
# Arguments:
|
||||
# None
|
||||
#######################################
|
||||
secure_unset_pass() { unset PASSPHRASE; PASSPHRASE=""; }
|
||||
|
||||
#######################################
|
||||
# Trap function to be called on 'ERR'.
|
||||
# Arguments:
|
||||
# 1: ${?}
|
||||
# 2: ${BASH_SOURCE[0]}
|
||||
# 3: ${LINENO}
|
||||
# 4: ${FUNCNAME[0]:-main}
|
||||
# 5: ${BASH_COMMAND}
|
||||
#######################################
|
||||
trap_on_err() {
|
||||
declare -r errcode="$1"
|
||||
declare -r errscrt="$2"
|
||||
declare -r errline="$3"
|
||||
declare -r errfunc="$4"
|
||||
declare -r errcmmd="$5"
|
||||
trap - ERR INT TERM
|
||||
stty echo
|
||||
print_scr_err "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}"
|
||||
power_off 16
|
||||
}
|
||||
|
||||
#######################################
|
||||
# Security Trap on 'INT' and 'TERM' to provide a deterministic way to not circumvent the nuke routine.
|
||||
# Globals:
|
||||
# NL
|
||||
# RED
|
||||
# Arguments:
|
||||
# None
|
||||
#######################################
|
||||
trap_on_term() {
|
||||
trap - ERR INT TERM
|
||||
stty echo
|
||||
printf "%s" "${NL}"
|
||||
color_echo "${RED}" "✘ Received termination signal. System Power Off in 3 seconds." >&2
|
||||
power_off 3
|
||||
}
|
||||
|
||||
#######################################
|
||||
# Check the integrity and authenticity of this script itself.
|
||||
# Globals:
|
||||
# GRE
|
||||
# MAG
|
||||
# RED
|
||||
# Arguments:
|
||||
# 0: Script Name
|
||||
#######################################
|
||||
verify_script() {
|
||||
declare dir
|
||||
# shellcheck disable=SC2312
|
||||
dir="$(dirname "$(readlink -f "${0}")")"
|
||||
declare script; script="$(basename "${0}")"
|
||||
declare -a algo=("sha512" "sha384")
|
||||
declare cmd="" computed="" expected="" hashfile="" item="" sigfile=""
|
||||
|
||||
for item in "${algo[@]}"; do
|
||||
hashfile="${dir}/${script}.${item}"
|
||||
sigfile="${hashfile}.sig"
|
||||
cmd="${item}sum"
|
||||
|
||||
color_echo "${MAG}" "🔏 Verifying signature of: [${hashfile}]"
|
||||
gpgv --keyring /etc/keys/pubring.gpg "${sigfile}" "${hashfile}" || {
|
||||
color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]"
|
||||
color_echo "${RED}" "✘ System Power Off in 3 seconds ...."
|
||||
power_off 3
|
||||
}
|
||||
color_echo "${GRE}" "🔏 Verifying signature of: [${hashfile}] successful."
|
||||
|
||||
color_echo "${MAG}" "🔢 Recomputing Hash: [${item}]"
|
||||
computed=$(${cmd} "${dir}/${script}" | awk '{print $1}')
|
||||
expected=$(cat "${hashfile}")
|
||||
|
||||
if [[ "${computed}" != "${expected}" ]]; then
|
||||
color_echo "${RED}" "✘ Recomputed hash mismatch for : [${item}]" >&2
|
||||
color_echo "${RED}" "✘ System Power Off in 3 seconds ...." >&2
|
||||
power_off 3
|
||||
fi
|
||||
color_echo "${GRE}" "🔢 Recomputing Hash: [${item}] successful."
|
||||
done
|
||||
|
||||
color_echo "${GRE}" "🔏 All signatures and hashes verified successfully. Proceeding."
|
||||
}
|
||||
|
||||
#######################################
|
||||
# Main Program Sequence
|
||||
# Globals:
|
||||
# CURRENTDATE
|
||||
# DEVICES_LUKS
|
||||
# GRE
|
||||
# MAG
|
||||
# NL
|
||||
# PASSPHRASE
|
||||
# RED
|
||||
# Arguments:
|
||||
# None
|
||||
#######################################
|
||||
main() {
|
||||
trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
|
||||
trap 'trap_on_term' INT TERM
|
||||
|
||||
color_echo "${RED}" "Coresecret Connection established."
|
||||
color_echo "${RED}" "Starting Time: ${CURRENTDATE}"
|
||||
color_echo "${MAG}" "Integrity self-check ..."
|
||||
printf "%s" "${NL}"
|
||||
|
||||
verify_script
|
||||
|
||||
### Read newline-separated output into an array.
|
||||
color_echo "${MAG}" "Scanning for LUKS devices ..."
|
||||
printf "%s" "${NL}"
|
||||
# shellcheck disable=SC2312
|
||||
mapfile -t DEVICES_LUKS < <(gather_luks_devices)
|
||||
|
||||
### If there are no LUKS devices at all, drop to bash.
|
||||
if (( ${#DEVICES_LUKS[@]} == 0 )); then
|
||||
color_echo "${RED}" "✘ No LUKS Devices found. Dropping to bash ..."
|
||||
drop_bash
|
||||
fi
|
||||
|
||||
### Extract the 'nuke='-parameter from '/proc/cmdline'.
|
||||
extract_nuke_hash
|
||||
|
||||
### Read passphrase interactively.
|
||||
read_passphrase
|
||||
|
||||
if printf "%s" "${PASSPHRASE}" | cryptroot-unlock; then
|
||||
|
||||
secure_unset_pass
|
||||
exit 0
|
||||
|
||||
else
|
||||
|
||||
printf "%s" "${NL}"
|
||||
color_echo "${RED}" "✘ Unsuccessful command 'cryptroot-unlock'."
|
||||
color_echo "${GRE}" "✘ No LUKS operations performed. Dropping to bash ..."
|
||||
color_echo "${GRE}" "✘ To unlock 'root' partition, and maybe others like 'swap', run 'cryptroot-unlock'."
|
||||
drop_bash
|
||||
|
||||
fi
|
||||
}
|
||||
|
||||
main "${@}"
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
||||
Reference in New Issue
Block a user