V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/4195_setup_dropbear.sh

@@ -15,12 +15,15 @@ guard_sourcing
 #######################################
 # Setup Dropbear Initramfs Environment.
 # Globals:
+#   HMP_PATH_ENCLABEL
 #   TARGET
+#   VAR_CRYPT_ROOT
 #   VAR_FINAL_FQDN
 #   VAR_FINAL_IPV4
 #   VAR_FINAL_IPV4_GW
 #   VAR_FINAL_IPV4_SUBNET
 #   VAR_FINAL_NIC
+#   VAR_GRUB_CMDLINE_LINUX
 #   VAR_SETUP_PATH
 #   network_static_ipv4nameserver_0
 #   network_static_ipv4nameserver_1
@@ -35,6 +38,7 @@ guard_sourcing
 #   0: on success
 #######################################
 setup_dropbear() {
+  ### Prepare strong dropbear host keys
   rm -f "${TARGET}"/etc/dropbear/initramfs/dropbear*key
 
   do_in_target "${TARGET}" /usr/bin/dropbearkey -t rsa -s 4096 -f /etc/dropbear/initramfs/dropbear_rsa_host_key
@@ -43,6 +47,7 @@ setup_dropbear() {
   chmod 0600 "${TARGET}"/etc/dropbear/initramfs/dropbear*key
   chown root:root "${TARGET}"/etc/dropbear/initramfs/dropbear*key
 
+  ### Prepare dropbear authorized_keys
   declare -a ary_user=()
   ary_user+=("${user_root_ssh_pubkeys_0}")
   [[ -n "${user_root_ssh_pubkeys_1}" ]] && ary_user+=("${user_root_ssh_pubkeys_1}")
@@ -53,6 +58,7 @@ setup_dropbear() {
   printf "%s\n" "${ary_user[@]}" > "${TARGET}/etc/dropbear/initramfs/authorized_keys"
   install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/etc/banner" "${TARGET}/etc/dropbear/initramfs/"
 
+  ### Check for initramfs "IP"-variable: static or dynamic configuration vai dhcp.
   if [[ "${user_dropbear_dhcp,,}" != "true" ]]; then
     declare network_static_ipv4ntpserver_0="192.53.103.108"
     ### "IP=<HOST IP>::<GATEWAY IP>:<SUBNET MASK>:<FQDN>:<NIC>:none:<DNS 0 IP>:<DNS 1 IP>:<NTP IP>"
@@ -71,27 +77,83 @@ setup_dropbear() {
     printf "IP=:::::%s:dhcp\n" "${VAR_FINAL_NIC}" >| "${TARGET}/etc/initramfs-tools/conf.d/ip"
   fi
 
+  ### Generate dropbear configuration file
   write_dropbear_conf
 
-  ### Options in "GRUB_CMDLINE_LINUX" are always effective.
-  ### Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
+  ### Prepare Grub Bootparameter for LUKS decryption of '/root' and '/recovery'.
+  # Options in "GRUB_CMDLINE_LINUX" are always effective.
+  # Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
   grub_extract_current_string
   declare var_label="${HMP_PATH_ENCLABEL["LABEL_/"]}"
   VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} cryptdevice=${VAR_CRYPT_ROOT}:cryptroot root=/dev/mapper/${var_label}"
   grub_finalize_string
 
+  ### Install the script to be called by 'update-initramfs' for updating 'PATH'-variable inside initramfs.
   install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/scripts/init-top/fixpath.sh" \
     "${TARGET}/includes/initramfs-tools/scripts/init-top/"
 
+  ### Install the script to be called by 'update-initramfs' for customizing dropbear inside initramfs.
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/hooks/custom-initramfs.sh" \
+    "${TARGET}/includes/initramfs-tools/hooks/"
+
+  ### Install the script to be called by 'update-initramfs' for customizing prompt inside initramfs environment.
   install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/hooks/custom-prompt.sh" \
     "${TARGET}/includes/initramfs-tools/hooks/"
 
-  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/hooks/dropbear.sh" \
-    "${TARGET}/includes/initramfs-tools/hooks/"
-
-  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock-wrapper.sh" \
+  ### Install the script to be called inside initramfs environment for unlocking LUKS and NUKE Devices.
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock_wrapper.sh" \
     "${TARGET}/includes/initramfs-tools/files/"
 
+  ### Install the script to be called inside Host environment for signing 'unlock_wrapper.sh'-script.
+  install -D -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock_wrapper_signer.sh" \
+    "${TARGET}/includes/initramfs-tools/files/"
+
+  ### Install the script to be called by 'update-initramfs' for installing the necessary modules to load into initramfs environment.
+  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/modules" \
+    "${TARGET}/includes/initramfs-tools/"
+
+  declare var_modules; var_modules=$(grep_nic_driver_modules)
+
+  cat << EOF >> "${TARGET}/includes/initramfs-tools/modules"
+### Custom NIC driver
+${var_modules}
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+  ### Install the script to be called inside initramfs environment for preparing dropbear execution.
+  do_in_target "${TARGET}" mv /usr/share/initramfs-tools/scripts/init-premount/dropbear /usr/share/initramfs-tools/scripts/init-premount/dropbear.2022.83
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/usr/share/initramfs-tools/scripts/init-premount/dropbear" \
+    "${TARGET}/includes/usr/share/initramfs-tools/scripts/init-premount/"
+
+  ### Install the variable file to be called inside initramfs environment for setting up dropbear firewall.
+  install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/dropbear_fw.cnf" \
+    "${TARGET}/includes/initramfs-tools/files/"
+
+  ### Install the firewall script to be called inside initramfs environment for setting up dropbear firewall.
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/dropbear_fw.sh" \
+    "${TARGET}/includes/initramfs-tools/files/"
+
+  if [[ "${user_dropbear_fw,,}" == "true" && -n "${user_bastion_ipv4_0}" ]]; then
+
+    sed -i 's/^DROPBEAR_FIREWALL_ENABLED=0$/DROPBEAR_FIREWALL_ENABLED=1/' "${TARGET}/includes/initramfs-tools/files/dropbear_fw.cnf"
+    sed -i '/^# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh$/d' "${TARGET}/includes/initramfs-tools/files/dropbear_fw.cnf"
+
+    cat << EOF >> "${TARGET}/includes/initramfs-tools/files/dropbear_fw.cnf"
+DROPBEAR_PORT=${user_ssh_port}
+DROPBEAR_JUMP_SERVER_IP=${user_bastion_ipv4_0}
+DROPBEAR_BASTION_ENABLE=${user_bastion_enable}
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+  fi
+
+
+  ### Finally, deploy all changes done via 'update-grub' and 'update-initramfs'.
+  do_in_target "${TARGET}" update-grub
+  do_in_target "${TARGET}" update-initramfs -u -v -k all
+
   return 0
 }
 
@@ -151,4 +213,39 @@ EOF
   do_log "info" "true" "Written: '${TARGET}/etc/dropbear/initramfs/dropbear.conf'."
   return 0
 }
+
+#######################################
+# Collect NIC driver modules for initramfs installation.
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+grep_nic_driver_modules() {
+  ### Collect all ethernet driver names and sort them uniquely.
+  declare -a _mods
+  declare var_nic_module var_nic_modules
+  readarray -t _mods < <(
+    lspci -k \
+      | grep -A2 -i ethernet \
+      | grep 'Kernel driver in use' \
+      | awk '{print $5}' \
+      | sort -u
+  )
+
+  ### If only one entry remains, save it in 'var_nic_module', otherwise save all modules in 'var_nic_modules'.
+  if [[ "${#_mods[@]}" -eq 1 ]]; then
+    var_nic_module="${_mods[0]}"
+  else
+    var_nic_modules="${_mods[*]}"
+  fi
+
+  if [[ -n "$var_nic_module" ]]; then
+    echo "${var_nic_module}"
+  else
+    echo "${var_nic_modules}"
+  fi
+
+  return 0
+}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh