V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

includes/initramfs-tools/files/dropbear_fw.cnf

@@ -0,0 +1,14 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; ZIMNOL, Andre H.; <git.cs@physnet.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+DROPBEAR_FIREWALL_ENABLED=0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/initramfs-tools/files/dropbear_fw.sh

@@ -0,0 +1,81 @@
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; ZIMNOL, Andre H.; <git.cs@physnet.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Firewall script for Dropbear SSH inside initramfs.
+# This script runs at the "init-bottom" stage of the early boot process.
+#
+# It configures basic iptables rules to restrict SSH access to Dropbear
+# while the system is in the pre-boot phase (before root is decrypted).
+#
+# IPv6 is not supported in initramfs at this stage due to complexity.
+# Only trusted IPv4 addresses are allowed.
+#
+# ┌─────────────────────────────────────────────────────────────┐
+# │ ACCESS LOGIC:                                               │
+# │                                                             │
+# │ - If is_jump_host = true:                                   │
+# │     then allow all IPv4 connections to the Dropbear port    │
+# │                                                             │
+# │ - If is_jump_host = false:                                  │
+# │     then allow only the bastion/jump-server IPv4 address    │
+# └─────────────────────────────────────────────────────────────┘
+
+PREREQ="dropbear"
+
+prereqs() { echo "$PREREQ"; }
+
+case "$1" in
+  prereqs) prereqs; exit 0 ;;
+esac
+
+### Check if the firewall is enabled via the config file.
+DROPBEAR_FW_CONF="/etc/initramfs-tools/conf.d/dropbear_fw.cnf"
+if [ -f "${DROPBEAR_FW_CONF}" ]; then
+  # shellcheck disable=SC1090
+  . "${DROPBEAR_FW_CONF}"
+fi
+
+### Abort if the firewall flag is not set or disabled.
+if [ "${DROPBEAR_FIREWALL_ENABLED}" != "1" ]; then
+  echo "Dropbear firewall disabled by 'dropbear_fw.cnf'."
+  exit 0
+fi
+
+### Ensure iptables is available.
+if command -v iptables >/dev/null 2>&1; then
+
+  ### Reset any existing rules.
+  iptables -F
+  iptables -X
+
+  ### Default policy: block everything unless explicitly allowed.
+  iptables -P INPUT DROP
+  iptables -P FORWARD DROP
+  iptables -P OUTPUT ACCEPT
+
+  ### Allow local loopback.
+  iptables -A INPUT -i lo -j ACCEPT
+
+  ### Access control based on the host role.
+  if [ "${DROPBEAR_BASTION_ENABLE}" = true ]; then
+
+    ### SSH Bastion Host: allow any source IP on the dropbear SSH port.
+    iptables -A INPUT -p tcp --dport "${DROPBEAR_PORT}" -j ACCEPT
+
+  else
+
+    ### Infrastructure host / Jump-Server / VPN-Exit-Node: only allow SSH from the specified IPv4.
+    iptables -A INPUT -p tcp --dport "${DROPBEAR_PORT}" -s "${DROPBEAR_JUMP_SERVER_IP}" -j ACCEPT
+  fi
+
+fi
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/initramfs-tools/files/unlock_wrapper.sh

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 # SPDX-Comment: unlock_wrapper.sh to be executed after dropbear SSH login as forced command
 
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 IFS=$(printf ' \n\t')
 
 # shellcheck disable=SC2155

includes/initramfs-tools/hooks/custom-initramfs.sh

@@ -20,15 +20,19 @@ esac
 
 . /usr/share/initramfs-tools/hook-functions
 
-mkdir -p "${DESTDIR}/bin" "${DESTDIR}/usr/bin" "${DESTDIR}/usr/local/bin" "${DESTDIR}/etc/dropbear/initramfs" "${DESTDIR}/etc/keys"
+# Ensure directory structure in initramfs
+mkdir -p "${DESTDIR}/etc/dropbear/initramfs"
+mkdir -p "${DESTDIR}/usr/local/bin" "${DESTDIR}/etc/keys"
+mkdir -p "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
+mkdir -p "${DESTDIR}/etc/initramfs-tools/conf.d"
+
+### Include Bash
+copy_exec /usr/bin/bash /usr/bin
 
 ### Include Busybox
 copy_exec /usr/bin/busybox /usr/bin
 copy_exec /usr/bin/busybox /bin
 
-### Include Bash
-copy_exec /usr/bin/bash /usr/bin
-
 ### Include lsblk (block device info tool)
 copy_exec /usr/bin/lsblk /usr/bin
 
@@ -42,11 +46,18 @@ copy_exec /usr/bin/sha384sum /usr/bin
 ### Include Signature-Verifier
 copy_exec /usr/bin/gpgv /usr/bin
 
+### Link busybox applets for compatibility
 for dir in bin usr/bin; do
   ln -sf busybox "${DESTDIR}/${dir}/cat"
   ln -sf busybox "${DESTDIR}/${dir}/sleep"
 done
 
+### Install Dropbear firewall configuration
+install -m 0444 /etc/initramfs-tools/files/dropbear_fw.cnf "${DESTDIR}/etc/initramfs-tools/conf.d/dropbear_fw.cnf"
+
+### Install Dropbear configuration
+install -m 0444 /etc/initramfs-tools/files/dropbear.conf "${DESTDIR}/etc/dropbear/dropbear.conf"
+
 install -m 0555 /etc/initramfs-tools/files/unlock-wrapper.sh "${DESTDIR}/usr/local/bin/unlock-wrapper.sh"
 install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha384 "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha384"
 install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha512 "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha512"

includes/initramfs-tools/modules

@@ -0,0 +1,64 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# List of modules that you want to include in your initramfs.
+# They will be loaded at boot time in the order below.
+#
+# Syntax:  module_name [args ...]
+#
+# You must run update-initramfs(8) to effect this change.
+#
+# Examples:
+#
+# raid1
+# sd_mod
+
+### QEMU Bochs-compatible virtual machine support
+bochs
+
+### Device-mapper core module (required for all dm_* features)
+dm_mod
+
+### Device-mapper integrity target (provides integrity checking)
+dm-integrity
+
+### Device-mapper crypt target (provides disk encryption)
+dm-crypt
+
+### Generic AES block cipher implementation (used by dm-crypt)
+aes_generic
+
+### Generic SHA-256 hashing algorithm (used by various crypto and integrity targets)
+sha256_generic
+
+### Generic SHA-384 hashing algorithm (used by various crypto and integrity targets)
+sha384_generic
+
+### Generic SHA-512 hashing algorithm (used by various crypto and integrity targets)
+sha512_generic
+
+### Generic CRC32C checksum implementation (used by btrfs and other filesystems)
+crc32c_generic
+
+### Main btrfs filesystem module
+btrfs
+
+### Zstandard compression support for btrfs
+zstd_compress
+
+### XOR parity implementation for RAID functionality
+xor
+
+### RAID6 parity generation module
+raid6_pq
+
+### Combined RAID4/5/6 support module
+raid456

includes/initramfs-tools/scripts/init-top/fixpath.sh

@@ -10,6 +10,9 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-export PATH="/usr/local/bin:/usr/bin:/bin:/sbin:/usr/sbin:$PATH"
+set -e
+
+### Make sure /usr/local/bin is in front of 'PATH'.
+export PATH="/usr/local/bin:${PATH:-/sbin:/usr/sbin:/bin:/usr/bin}"
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/usr/share/initramfs-tools/scripts/init-premount/dropbear

@@ -0,0 +1,50 @@
+#!/bin/sh
+
+PREREQ="udev"
+
+prereqs() {
+    echo "$PREREQ"
+}
+
+case "$1" in
+    prereqs)
+        prereqs
+        exit 0
+    ;;
+esac
+
+[ -x /sbin/dropbear ] || exit 0
+
+
+run_dropbear() {
+    # Remove old flags for dropbear version 2022.83
+    # only accepts flags from /etc/dropbear/dropbear.conf
+    #local flags="Fs"
+    #[ "$debug" != y ] || flags="E$flags" # log to standard error
+
+    # always run configure_networking() before dropbear(8); on NFS
+    # mounts this has been done already
+    [ "$BOOT" = nfs ] || configure_networking
+
+    log_begin_msg "Starting dropbear"
+    # using exec and keeping dropbear in the foreground enables the
+    # init-bottom script to kill the remaining ipconfig processes if
+    # someone unlocks the rootfs from the console while the network is
+    # being configured
+    exec /sbin/dropbear ${DROPBEAR_OPTIONS-}
+}
+
+if [ -e /etc/dropbear/dropbear.conf ]; then
+    . /etc/dropbear/dropbear.conf
+fi
+. /scripts/functions
+
+# On NFS mounts, wait until the network is configured.  On local mounts,
+# configure the network in the background (in run_dropbear()) so someone
+# with console access can enter the passphrase immediately.  (With the
+# default ip=dhcp, configure_networking hangs for 5mins or so when the
+# network is unavailable, for instance.)
+[ "$BOOT" != nfs ] || configure_networking
+
+run_dropbear &
+echo $! >/run/dropbear.pid