V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-07-17 22:05:53 +02:00
parent 4ac221fddc
commit ad083796f1
10 changed files with 364 additions and 279 deletions


@@ -10,270 +10,28 @@
# SPDX-PackageName: CISS.debian.installer # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
lsinitramfs /boot/initrd.img-"$(uname -r)" | grep -E 'bin/(bash|sha|reboot|sync|sleep|sh)' ### Remarks
# lsinitramfs /boot/initrd.img-"$(uname -r)" | grep -E 'bin/(bash|sha|reboot|sync|sleep|sh)'
# readelf -h /bin/busybox | grep Type
# command="/usr/local/bin/unlock_wrapper.sh",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-ed25519 ...
# /usr/share/initramfs-tools/scripts/init-premount
# /dev/sdaN: UUID="468ad656-0e2f-4fff-9501-c691bab9f553" TYPE="crypto_LUKS" PARTLABEL="crypt_system" PARTUUID="78c0f711-f84f-425e-9455-a46430f40794"
# GRUB_CMDLINE_LINUX="cryptdevice=UUID=468ad656-0e2f-4fff-9501-c691bab9f553:cryptroot root=/dev/mapper/vg_system-root"
# declare var_nic_module; var_nic_module=$(lspci -k | grep -A2 -i ethernet | grep 'Kernel driver in use' | awk '{print $5}')
# echo "${var_nic_module}"
### Nuke Hints
# /usr/share/cryptsetup/initramfs/bin/cryptroot-unlock
# Before (Default)
# ASKPASS=/lib/cryptsetup/askpass
# After
# ASKPASS=/lib/cryptsetup/askpass.cryptsetup
# TODO Important insert cryptdevice=UUID=881366ae-61ee-4ee0-893c-0def27c78c9e:cryptroot root=/dev/mapper/vg00-root # apt-get cryptsetup-nuke-password
# TODO Important insert GRUB_CMDLINE_LINUX_DEFAULT="net.ifnames=0 biosdevname=0 ip=152.53.66.126::152.53.64.1:255.255.252.0:soc:ens3:none" # dpkg-reconfigure cryptsetup-nuke-password
#debconf-set-selections << END
#cryptsetup-nuke-password cryptsetup-nuke-password/password string Th3Pa$$w0rd
#cryptsetup-nuke-password cryptsetup-nuke-password/password-again string Th3Pa$$w0rd
command="/usr/local/bin/coresecret.sh",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICp+6S+qM87lLWUtvTGBV/GFNvYyvZ992X4/AcuraKwm 2025_run.coresecret.dev_root #END
#sudo dpkg-reconfigure -f noninteractive cryptsetup-nuke-password
/usr/share/initramfs-tools/scripts/init-premount
***
run.coresecret.dev
/dev/sda5: UUID="468ad656-0e2f-4fff-9501-c691bab9f553" TYPE="crypto_LUKS" PARTLABEL="crypt_system" PARTUUID="78c0f711-f84f-425e-9455-a46430f40794"
echo "IP=65.21.249.232::172.31.1.1:255.255.255.255:run.coresecret.dev:enp1s0:none:135.181.207.105:89.58.62.53:192.53.103.108" >| /etc/initramfs-tools/conf.d/ip
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=468ad656-0e2f-4fff-9501-c691bab9f553:cryptroot root=/dev/mapper/vg_system-root"
***
/usr/share/cryptsetup/initramfs/bin/cryptroot-unlock
# Vorher (Standard)
ASKPASS=/lib/cryptsetup/askpass
# Danach
ASKPASS=/lib/cryptsetup/askpass.cryptsetup
apt-get cryptsetup-nuke-password
dpkg-reconfigure cryptsetup-nuke-password
debconf-set-selections << END
cryptsetup-nuke-password cryptsetup-nuke-password/password string Th3Pa$$w0rd
cryptsetup-nuke-password cryptsetup-nuke-password/password-again string Th3Pa$$w0rd
END
sudo dpkg-reconfigure -f noninteractive cryptsetup-nuke-password
apt-get install -y busybox cryptsetup-initramfs dropbear-initramfs initramfs-tools
rm -f /etc/dropbear/initramfs/dropbear*key
dropbearkey -t rsa -s 4096 -f /etc/dropbear/initramfs/dropbear_rsa_host_key
dropbearkey -t ed25519 -f /etc/dropbear/initramfs/dropbear_ed25519_host_key
chmod 600 /etc/dropbear/initramfs/dropbear*key
chown root:root /etc/dropbear/initramfs/dropbear*key
cp -af ~/.ssh/authorized_keys /etc/dropbear/initramfs
echo "IP=152.53.110.40::152.53.108.1:255.255.252.0:git.coresecret.dev:ens3:none:135.181.207.105:89.58.62.53:192.53.103.108" >| /etc/initramfs-tools/conf.d/ip
sed -i 's|#DROPBEAR_OPTIONS=""|DROPBEAR_OPTIONS="-p 37768 -s -j -k -I 300 -c coresecret.sh"|g' /etc/dropbear/initramfs/dropbear.conf
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=881366ae-61ee-4ee0-893c-0def27c78c9e:cryptroot root=/dev/mapper/vg00-root"
update-initramfs -u -v -k all
NIC_MODULE=$(lspci -k | grep -A2 -i ethernet | grep 'Kernel driver in use' | awk '{print $5}')
echo "$NIC_MODULE"
grep_nic_driver_modules() {
# Alle Treibernamen sammeln und unique sortieren
readarray -t _mods < <(
lspci -k \
| grep -A2 -i ethernet \
| grep 'Kernel driver in use' \
| awk '{print $5}' \
| sort -u
)
# Wenn nur ein Eintrag übrig bleibt, in NIC_MODULE speichern,
# sonst alternativ alle Module in NIC_MODULES
if [ "${#_mods[@]}" -eq 1 ]; then
NIC_MODULE="${_mods[0]}"
else
NIC_MODULES="${_mods[*]}"
fi
# Ausgabe zur Kontrolle
if [ -n "$NIC_MODULE" ]; then
echo "Einzelnes Modul: $NIC_MODULE"
else
echo "Mehrere Module: $NIC_MODULES"
fi
}
###########################################################################################
# Installation of the specified kernel incl. dropbear SSH, LUKS Nuke.
# Globals:
# MODULE_ERR
# MODULE_TXT
# TARGET
# kernel
# Arguments:
# None
###########################################################################################
3_7_7_functions_installation_kernel() {
declare -g -x MODULE_ERR="3_7_7_functions_installation_kernel"
declare -g -x MODULE_TXT="Install kernel: '${kernel}'"
do_show_header "${MODULE_TXT}"
# Installing the chosen Kernel Image according to preseed.yaml
do_in_target "${TARGET}" apt-get install -y "${kernel}"
if [[ ${accounts_dropbear_ssh,,} == "true" ]]; then
do_in_target "${TARGET}" apt-get install -y busybox cryptsetup-initramfs dropbear-initramfs initramfs-tools
echo "DROPBEAR_OPTIONS=\"-p ${accounts_ssh_port} -s -j -k -I 300\"" > "${TARGET}/etc/dropbear/initramfs/dropbear.conf"
cat > "${TARGET}/etc/dropbear/initramfs/authorized_keys" << EOF
command="/bin/security-rescue-shell",no-port-forwarding,no-pty,no-X11-forwarding ${accounts_dropbear_pubkey}
EOF
chmod 0644 "${TARGET}/etc/dropbear/initramfs/dropbear.conf"
chown root:root "${TARGET}/etc/dropbear/initramfs/dropbear.conf"
chmod 0600 "${TARGET}/etc/dropbear/initramfs/authorized_keys"
chown root:root "${TARGET}/etc/dropbear/initramfs/authorized_keys"
do_log "info" "true" "Command: 'echo \"DROPBEAR_OPTIONS=\"-p ${accounts_ssh_port} -s -j -k -I 300 -K curve25519-sha256 -c aes256-gcm@openssh.com -m hmac-sha2-256,hmac-sha2-512\" > ${TARGET}/etc/dropbear/initramfs/dropbear.conf' executed in: '${TARGET}'."
do_log "info" "true" "Command: 'echo ${accounts_dropbear_pubkey} > ${TARGET}/etc/dropbear/initramfs/authorized_keys' executed in: '${TARGET}'."
# Network-Pre-Script for initramfs DHCP
cat > "${TARGET}/etc/initramfs-tools/scripts/init-premount/dhcp-network" << 'EOF'
#!/bin/sh
# ^^ no bash in initramfs environment, only BusyBox
PREREQ=""
prereqs() { echo "${PREREQ}"; }
case $1 in
prereqs) prereqs; exit 0 ;;
esac
# NIC without ":" and VLAN-Suffix
iface=$(grep -E '^(eth|en)[^:.]*$' /sys/class/net | head -n1)
[ -n "${iface}" ] || exit 0
# Setup Link and dhclient or udhcpc
ip link set "${iface}" up
if command -v dhclient >/dev/null 2>&1; then
dhclient "${iface}"
else
udhcpc -i "${iface}"
fi
exit 0
EOF
chmod +x "${TARGET}/etc/initramfs-tools/scripts/init-premount/dhcp-network"
do_log "info" "true" "Generated: '${TARGET}/etc/initramfs-tools/scripts/init-premount/dhcp-network: '${TARGET}'."
cat > "${TARGET}/etc/initramfs-tools/scripts/init-bottom/dropbear_fw" << EOF
#!/bin/sh
# ^^ no bash in initramfs environment, only BusyBox
if command -v iptables >/dev/null 2>&1; then
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -p tcp --dport "${accounts_ssh_port}" -s "${accounts_bastion_vpn_ipv4}" -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
fi
if command -v ip6tables >/dev/null 2>&1; then
ip6tables -F
ip6tables -P INPUT DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD DROP
ip6tables -A INPUT -p tcp --dport "${accounts_ssh_port}" -s "${accounts_bastion_vpn_ipv6}" -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
fi
EOF
chmod +x "${TARGET}/etc/initramfs-tools/scripts/init-bottom/dropbear_fw"
cat > "${TARGET}/bin/remote-nuke.sh" << EOF
#!/bin/sh
# ^^ no bash in initramfs environment, only BusyBox
# remote-nuke.sh to be executed at the end of Initramfs
PREREQ="local-bottom"
prereqs() { echo "${PREREQ}"; }
case $1 in
prereqs) prereqs; exit 0 ;;
esac
message() {
if [ ${#*} -lt 76 ]; then
echo "$*" 1>&2
else
# use busybox's fold(1) and sed(1) at initramfs stage
echo "$*" | fold -s | sed '1! s/^/ /' 1>&2
fi
return 0
}
. /scripts/functions # delivers log_* und ASKPASS
# Brief break, to ensure all devices are mapped
sleep 1
readonly MAX_RETRIES=5
for DEV in /dev/sd*[0-9]; do
[ -b "${DEV}" ] || continue
DEV_NAME=$(basename "${DEV}" | tr -cs 'a-zA-Z0-9' '_')
NUKE_MAP="nuke_${DEV_NAME}"
TRY_MAP="try_${DEV_NAME}"
ASKPASS=/usr/bin/ssh-askpass
password="$(${ASKPASS} "Enter LUKS passphrase: ")"
message "Checking ${DEV} ..."
if ! cryptsetup isLuks "${DEV}" 2>/dev/null; then
message "${DEV} is not a LUKS-Container skipped."
continue
fi
# Verify, if LUKS Key Slot #31 exists
if cryptsetup luksDump "${DEV}" 2>/dev/null | grep -q '^Key Slot 31: *ENABLED'; then
has_slot31="yes"
else
has_slot31="no"
fi
attempt=1
while [ ${attempt} -le ${MAX_RETRIES} ]; do
message "Attempt '${attempt}/${MAX_RETRIES}' for opening ${DEV} ..."
if [ "${has_slot31}" = yes ]; then
if echo "${password}" | cryptsetup open --test-passphrase --key-slot 31 "${DEV}" "${NUKE_MAP}" 2>/dev/null; then
echo YES | cryptsetup erase "${DEV}"
message "Slot 31 of ${DEV} exists. Cleaning OK successful."
break
fi
fi
if echo "$((password))" | cryptsetup open "${DEV}" "crypt_${NAME}" 2>/dev/null; then
decrypted_any=yes
break
fi
# 2) Normales Entschlüsseln (jeder Slot)
echo "$password" | cryptsetup open \
--test-passphrase \
"$DEV" nuke_tmp 2>/dev/null
if [ $? -eq 0 ]; then
log_success_msg "Normales Test-Passphrase erfolgreich"
cryptsetup erase "$DEV" && \
log_success_msg "LUKS-Header von $DEV gelöscht"
break
else
log_warning_msg "Normales Test-Passphrase fehlgeschlagen"
fi
attempt=$((attempt + 1))
if [ $attempt -le $MAX_RETRIES ]; then
log_begin_msg "Warte 1s vor erneutem Versuch für $DEV…"
sleep 1
else
log_error_msg "Maximale Versuche für $DEV erreicht überspringe"
fi
done
# Aufräumen: falls ein Mapper existiert, schließen
if [ -e /dev/mapper/nuke_tmp ]; then
cryptsetup close nuke_tmp
fi
done
log_end_msg 0
exit 0
EOF
chmod +x "${TARGET}/bin/security-rescue-shell"
# Regenerate Initramfs incl. Dropbear SSH, Scripts and Keys
do_in_target "${TARGET}" update-initramfs -u
fi
do_log "info" "true" "Dropbear SSH in initramfs des Targets installiert und konfiguriert (Port: ${accounts_ssh_port}, CA aktiviert, RateLimit & Nuke-Key)."
do_show_footer "${MODULE_TXT}"
}
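Review bot: The `#`-prefixed "Nuke Hints" block carries a literal debconf passphrase (`Th3Pa$$w0rd`) for `cryptsetup-nuke-password`, and the two `TODO Important insert ...` lines carry a concrete public IP, gateway and LUKS UUIDs; the rendered view lost the +/- markers, but these read as the new side of this mostly-deleted hunk. Even commented out, a passphrase and per-host identifiers in a tracked file are a secrets-hygiene problem and tend to get copied verbatim into the next host's config; replace them with placeholders, e.g. `#cryptsetup-nuke-password cryptsetup-nuke-password/password string <NUKE_PASSPHRASE>` and `cryptdevice=UUID=<LUKS_UUID>:cryptroot`. If the snippet is meant as operator documentation, say so in the `### Nuke Hints` heading and keep it free of real-looking values.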


@@ -372,13 +372,20 @@ ntp:
################################################################################################################################ ################################################################################################################################
user: user:
allow_policies: true # For additional hardening of SSH connections '/etc/hosts.allow'. allow_policies: true # For additional hardening of SSH connections '/etc/hosts.allow'.
# If "allow_policies" = "true", at least one IP MUST be provided: # If "allow_policies" = "true", at least one 'bastion_ipv4' MUST be provided.
allow_ipv4: # One or multiple Domains could be provided as well 'allow_domain'.
bastion_enable: false # In case 'bastion_ipv4' and 'bastion_ipv6' are SSH Bastion IPs set this to "true".
# If these are Jump Server and / or static VPN-Exit-Nodes, set this to "false".
bastion_ipv4: # Provide Bastion / Jump-Server / static VPN-Exit-Nodes IPv4.
- 202.61.246.50 - 202.61.246.50
allow_ipv6: bastion_ipv6: # Provide Bastion / Jump-Server / static VPN-Exit-Nodes IPv6.
- 2a03:4000:53:f:abcd:9494:0:2 - 2a03:4000:53:f:abcd:9494:0:2
allow_domain: # Provide Bastion / Jump-Server / static VPN-Exit-Nodes Domains.
- vpn00.x448.eu
dropbear_boot: true # Dropbear initramfs integration. dropbear_boot: true # Dropbear initramfs integration.
dropbear_dhcp: true # Whether the '/etc/initramfs-tools/conf.d/ip' file should be configured statically or via DHCP. dropbear_dhcp: true # Whether the '/etc/initramfs-tools/conf.d/ip' file should be configured statically or via DHCP.
dropbear_fw: true # Additional ultra hardening of the dropbear initramfs environment via firewall.
# The "bastion_ipv4" MUST be provided.
ssh_port: 42137 # SSH Port. In case "dropbear_boot" = "true" the same SSH Port will be used. ssh_port: 42137 # SSH Port. In case "dropbear_boot" = "true" the same SSH Port will be used.
ssh_rootca: "/.preseed/ssh_root_ca.pub" ssh_rootca: "/.preseed/ssh_root_ca.pub"
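Review bot: The comment on `bastion_enable` does not state what the flag does downstream: in the new `dropbear_fw.sh`, `DROPBEAR_BASTION_ENABLE=true` makes the initramfs firewall accept the Dropbear port from any IPv4 source, while `false` restricts it to the first `bastion_ipv4` entry. As worded ("In case 'bastion_ipv4' ... are SSH Bastion IPs set this to true") a reader may set `true` for a host that merely sits behind a bastion and silently expose the pre-boot SSH port to the internet. Suggested wording: `bastion_enable: false # "true" = THIS host is the SSH bastion: the initramfs firewall then accepts 'ssh_port' from ANY IPv4 source. "false" = only the first 'bastion_ipv4' entry may reach it.` The `dropbear_fw` comment should also say that the firewall is left disabled when `bastion_ipv4` is empty, which is what `setup_dropbear` does.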


@@ -15,12 +15,15 @@ guard_sourcing
####################################### #######################################
# Setup Dropbear Initramfs Environment. # Setup Dropbear Initramfs Environment.
# Globals: # Globals:
# HMP_PATH_ENCLABEL
# TARGET # TARGET
# VAR_CRYPT_ROOT
# VAR_FINAL_FQDN # VAR_FINAL_FQDN
# VAR_FINAL_IPV4 # VAR_FINAL_IPV4
# VAR_FINAL_IPV4_GW # VAR_FINAL_IPV4_GW
# VAR_FINAL_IPV4_SUBNET # VAR_FINAL_IPV4_SUBNET
# VAR_FINAL_NIC # VAR_FINAL_NIC
# VAR_GRUB_CMDLINE_LINUX
# VAR_SETUP_PATH # VAR_SETUP_PATH
# network_static_ipv4nameserver_0 # network_static_ipv4nameserver_0
# network_static_ipv4nameserver_1 # network_static_ipv4nameserver_1
@@ -35,6 +38,7 @@ guard_sourcing
# 0: on success # 0: on success
####################################### #######################################
setup_dropbear() { setup_dropbear() {
### Prepare strong dropbear host keys
rm -f "${TARGET}"/etc/dropbear/initramfs/dropbear*key rm -f "${TARGET}"/etc/dropbear/initramfs/dropbear*key
do_in_target "${TARGET}" /usr/bin/dropbearkey -t rsa -s 4096 -f /etc/dropbear/initramfs/dropbear_rsa_host_key do_in_target "${TARGET}" /usr/bin/dropbearkey -t rsa -s 4096 -f /etc/dropbear/initramfs/dropbear_rsa_host_key
@@ -43,6 +47,7 @@ setup_dropbear() {
chmod 0600 "${TARGET}"/etc/dropbear/initramfs/dropbear*key chmod 0600 "${TARGET}"/etc/dropbear/initramfs/dropbear*key
chown root:root "${TARGET}"/etc/dropbear/initramfs/dropbear*key chown root:root "${TARGET}"/etc/dropbear/initramfs/dropbear*key
### Prepare dropbear authorized_keys
declare -a ary_user=() declare -a ary_user=()
ary_user+=("${user_root_ssh_pubkeys_0}") ary_user+=("${user_root_ssh_pubkeys_0}")
[[ -n "${user_root_ssh_pubkeys_1}" ]] && ary_user+=("${user_root_ssh_pubkeys_1}") [[ -n "${user_root_ssh_pubkeys_1}" ]] && ary_user+=("${user_root_ssh_pubkeys_1}")
@@ -53,6 +58,7 @@ setup_dropbear() {
printf "%s\n" "${ary_user[@]}" > "${TARGET}/etc/dropbear/initramfs/authorized_keys" printf "%s\n" "${ary_user[@]}" > "${TARGET}/etc/dropbear/initramfs/authorized_keys"
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/etc/banner" "${TARGET}/etc/dropbear/initramfs/" install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/etc/banner" "${TARGET}/etc/dropbear/initramfs/"
### Check for initramfs "IP"-variable: static or dynamic configuration vai dhcp.
if [[ "${user_dropbear_dhcp,,}" != "true" ]]; then if [[ "${user_dropbear_dhcp,,}" != "true" ]]; then
declare network_static_ipv4ntpserver_0="192.53.103.108" declare network_static_ipv4ntpserver_0="192.53.103.108"
### "IP=<HOST IP>::<GATEWAY IP>:<SUBNET MASK>:<FQDN>:<NIC>:none:<DNS 0 IP>:<DNS 1 IP>:<NTP IP>" ### "IP=<HOST IP>::<GATEWAY IP>:<SUBNET MASK>:<FQDN>:<NIC>:none:<DNS 0 IP>:<DNS 1 IP>:<NTP IP>"
@@ -71,27 +77,83 @@ setup_dropbear() {
printf "IP=:::::%s:dhcp\n" "${VAR_FINAL_NIC}" >| "${TARGET}/etc/initramfs-tools/conf.d/ip" printf "IP=:::::%s:dhcp\n" "${VAR_FINAL_NIC}" >| "${TARGET}/etc/initramfs-tools/conf.d/ip"
fi fi
### Generate dropbear configuration file
write_dropbear_conf write_dropbear_conf
### Options in "GRUB_CMDLINE_LINUX" are always effective. ### Prepare Grub Bootparameter for LUKS decryption of '/root' and '/recovery'.
### Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode). # Options in "GRUB_CMDLINE_LINUX" are always effective.
# Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
grub_extract_current_string grub_extract_current_string
declare var_label="${HMP_PATH_ENCLABEL["LABEL_/"]}" declare var_label="${HMP_PATH_ENCLABEL["LABEL_/"]}"
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} cryptdevice=${VAR_CRYPT_ROOT}:cryptroot root=/dev/mapper/${var_label}" VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} cryptdevice=${VAR_CRYPT_ROOT}:cryptroot root=/dev/mapper/${var_label}"
grub_finalize_string grub_finalize_string
### Install the script to be called by 'update-initramfs' for updating 'PATH'-variable inside initramfs.
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/scripts/init-top/fixpath.sh" \ install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/scripts/init-top/fixpath.sh" \
"${TARGET}/includes/initramfs-tools/scripts/init-top/" "${TARGET}/includes/initramfs-tools/scripts/init-top/"
### Install the script to be called by 'update-initramfs' for customizing dropbear inside initramfs.
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/hooks/custom-initramfs.sh" \
"${TARGET}/includes/initramfs-tools/hooks/"
### Install the script to be called by 'update-initramfs' for customizing prompt inside initramfs environment.
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/hooks/custom-prompt.sh" \ install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/hooks/custom-prompt.sh" \
"${TARGET}/includes/initramfs-tools/hooks/" "${TARGET}/includes/initramfs-tools/hooks/"
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/hooks/dropbear.sh" \ ### Install the script to be called inside initramfs environment for unlocking LUKS and NUKE Devices.
"${TARGET}/includes/initramfs-tools/hooks/" install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock_wrapper.sh" \
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock-wrapper.sh" \
"${TARGET}/includes/initramfs-tools/files/" "${TARGET}/includes/initramfs-tools/files/"
### Install the script to be called inside Host environment for signing 'unlock_wrapper.sh'-script.
install -D -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock_wrapper_signer.sh" \
"${TARGET}/includes/initramfs-tools/files/"
### Install the script to be called by 'update-initramfs' for installing the necessary modules to load into initramfs environment.
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/modules" \
"${TARGET}/includes/initramfs-tools/"
declare var_modules; var_modules=$(grep_nic_driver_modules)
cat << EOF >> "${TARGET}/includes/initramfs-tools/modules"
### Custom NIC driver
${var_modules}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
### Install the script to be called inside initramfs environment for preparing dropbear execution.
do_in_target "${TARGET}" mv /usr/share/initramfs-tools/scripts/init-premount/dropbear /usr/share/initramfs-tools/scripts/init-premount/dropbear.2022.83
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/usr/share/initramfs-tools/scripts/init-premount/dropbear" \
"${TARGET}/includes/usr/share/initramfs-tools/scripts/init-premount/"
### Install the variable file to be called inside initramfs environment for setting up dropbear firewall.
install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/dropbear_fw.cnf" \
"${TARGET}/includes/initramfs-tools/files/"
### Install the firewall script to be called inside initramfs environment for setting up dropbear firewall.
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/dropbear_fw.sh" \
"${TARGET}/includes/initramfs-tools/files/"
if [[ "${user_dropbear_fw,,}" == "true" && -n "${user_bastion_ipv4_0}" ]]; then
sed -i 's/^DROPBEAR_FIREWALL_ENABLED=0$/DROPBEAR_FIREWALL_ENABLED=1/' "${TARGET}/includes/initramfs-tools/files/dropbear_fw.cnf"
sed -i '/^# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh$/d' "${TARGET}/includes/initramfs-tools/files/dropbear_fw.cnf"
cat << EOF >> "${TARGET}/includes/initramfs-tools/files/dropbear_fw.cnf"
DROPBEAR_PORT=${user_ssh_port}
DROPBEAR_JUMP_SERVER_IP=${user_bastion_ipv4_0}
DROPBEAR_BASTION_ENABLE=${user_bastion_enable}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
fi
### Finally, deploy all changes done via 'update-grub' and 'update-initramfs'.
do_in_target "${TARGET}" update-grub
do_in_target "${TARGET}" update-initramfs -u -v -k all
return 0 return 0
} }
@@ -151,4 +213,39 @@ EOF
do_log "info" "true" "Written: '${TARGET}/etc/dropbear/initramfs/dropbear.conf'." do_log "info" "true" "Written: '${TARGET}/etc/dropbear/initramfs/dropbear.conf'."
return 0 return 0
} }
#######################################
# Collect NIC driver modules for initramfs installation.
# Arguments:
# None
# Returns:
# 0: on success
#######################################
grep_nic_driver_modules() {
### Collect all ethernet driver names and sort them uniquely.
declare -a _mods
declare var_nic_module var_nic_modules
readarray -t _mods < <(
lspci -k \
| grep -A2 -i ethernet \
| grep 'Kernel driver in use' \
| awk '{print $5}' \
| sort -u
)
### If only one entry remains, save it in 'var_nic_module', otherwise save all modules in 'var_nic_modules'.
if [[ "${#_mods[@]}" -eq 1 ]]; then
var_nic_module="${_mods[0]}"
else
var_nic_modules="${_mods[*]}"
fi
if [[ -n "$var_nic_module" ]]; then
echo "${var_nic_module}"
else
echo "${var_nic_modules}"
fi
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
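Review bot: `grep_nic_driver_modules` joins several drivers into one space-separated line (`"${_mods[*]}"`), and `setup_dropbear` appends that line to the initramfs `modules` file whose syntax is `module_name [args ...]`, one module per line, so on a host with two NICs only the first driver is loaded and the second is passed to it as a module argument. Replace the single/multiple branching with `printf '%s\n' "${_mods[@]}"` and feed that output into the here-doc; the `var_nic_module`/`var_nic_modules` variables then disappear. Separately, the `dropbear_fw` block only sets `DROPBEAR_FIREWALL_ENABLED=1` when `user_bastion_ipv4_0` is non-empty, so an operator who enables the firewall but forgets the address gets Dropbear with no rules and no message — log that combination via `do_log` and fail the step instead of falling open. The `mv` of the stock `init-premount/dropbear` to `dropbear.2022.83` leaves a second executable in the scripts directory; unless `mkinitramfs` filters that suffix it may be copied and run too — worth verifying. Note that `setup_dropbear`'s body begins outside the hunk that adds these lines.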


@@ -0,0 +1,14 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; ZIMNOL, Andre H.; <git.cs@physnet.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
DROPBEAR_FIREWALL_ENABLED=0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -0,0 +1,81 @@
#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; ZIMNOL, Andre H.; <git.cs@physnet.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# Firewall script for Dropbear SSH inside initramfs.
# This script runs at the "init-bottom" stage of the early boot process.
#
# It configures basic iptables rules to restrict SSH access to Dropbear
# while the system is in the pre-boot phase (before root is decrypted).
#
# IPv6 is not supported in initramfs at this stage due to complexity.
# Only trusted IPv4 addresses are allowed.
#
# ┌─────────────────────────────────────────────────────────────┐
# │ ACCESS LOGIC: │
# │ │
# │ - If is_jump_host = true: │
# │ then allow all IPv4 connections to the Dropbear port │
# │ │
# │ - If is_jump_host = false: │
# │ then allow only the bastion/jump-server IPv4 address │
# └─────────────────────────────────────────────────────────────┘
PREREQ="dropbear"
prereqs() { echo "$PREREQ"; }
case "$1" in
prereqs) prereqs; exit 0 ;;
esac
### Check if the firewall is enabled via the config file.
DROPBEAR_FW_CONF="/etc/initramfs-tools/conf.d/dropbear_fw.cnf"
if [ -f "${DROPBEAR_FW_CONF}" ]; then
# shellcheck disable=SC1090
. "${DROPBEAR_FW_CONF}"
fi
### Abort if the firewall flag is not set or disabled.
if [ "${DROPBEAR_FIREWALL_ENABLED}" != "1" ]; then
echo "Dropbear firewall disabled by 'dropbear_fw.cnf'."
exit 0
fi
### Ensure iptables is available.
if command -v iptables >/dev/null 2>&1; then
### Reset any existing rules.
iptables -F
iptables -X
### Default policy: block everything unless explicitly allowed.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
### Allow local loopback.
iptables -A INPUT -i lo -j ACCEPT
### Access control based on the host role.
if [ "${DROPBEAR_BASTION_ENABLE}" = true ]; then
### SSH Bastion Host: allow any source IP on the dropbear SSH port.
iptables -A INPUT -p tcp --dport "${DROPBEAR_PORT}" -j ACCEPT
else
### Infrastructure host / Jump-Server / VPN-Exit-Node: only allow SSH from the specified IPv4.
iptables -A INPUT -p tcp --dport "${DROPBEAR_PORT}" -s "${DROPBEAR_JUMP_SERVER_IP}" -j ACCEPT
fi
fi
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
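Review bot: With `PREREQ="dropbear"` this script is ordered after the Dropbear start script, and the header says it runs at `init-bottom`, i.e. after the root device is unlocked; either way the rules land after `dropbear` is already listening, so there is a window in which the pre-boot SSH port is reachable from any source. The firewall should run first: give it a prerequisite that precedes networking (e.g. `PREREQ="udev"`) and make the custom `init-premount/dropbear` list `dropbear_fw` in its `PREREQ`, and fix the header to name the stage it actually runs in. Also worth checking with `dropbear_dhcp: true`: an `INPUT DROP` policy with no UDP 67/68 or `ESTABLISHED,RELATED` rule can starve a DHCP client that receives through the IP stack (klibc `ipconfig` uses packet sockets and may be unaffected) — test the DHCP path with the firewall enabled. The header's `is_jump_host` does not match the variable the code tests (`DROPBEAR_BASTION_ENABLE`); rename it in the comment and say explicitly that `true` accepts the port from any IPv4 address.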


@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: unlock_wrapper.sh to be executed after dropbear SSH login as forced command # SPDX-Comment: unlock_wrapper.sh to be executed after dropbear SSH login as forced command
set -C -e -u -o pipefail set -Ceuo pipefail
IFS=$(printf ' \n\t') IFS=$(printf ' \n\t')
# shellcheck disable=SC2155 # shellcheck disable=SC2155


@@ -20,15 +20,19 @@ esac
. /usr/share/initramfs-tools/hook-functions . /usr/share/initramfs-tools/hook-functions
mkdir -p "${DESTDIR}/bin" "${DESTDIR}/usr/bin" "${DESTDIR}/usr/local/bin" "${DESTDIR}/etc/dropbear/initramfs" "${DESTDIR}/etc/keys" # Ensure directory structure in initramfs
mkdir -p "${DESTDIR}/etc/dropbear/initramfs"
mkdir -p "${DESTDIR}/usr/local/bin" "${DESTDIR}/etc/keys"
mkdir -p "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
mkdir -p "${DESTDIR}/etc/initramfs-tools/conf.d"
### Include Bash
copy_exec /usr/bin/bash /usr/bin
### Include Busybox ### Include Busybox
copy_exec /usr/bin/busybox /usr/bin copy_exec /usr/bin/busybox /usr/bin
copy_exec /usr/bin/busybox /bin copy_exec /usr/bin/busybox /bin
### Include Bash
copy_exec /usr/bin/bash /usr/bin
### Include lsblk (block device info tool) ### Include lsblk (block device info tool)
copy_exec /usr/bin/lsblk /usr/bin copy_exec /usr/bin/lsblk /usr/bin
@@ -42,11 +46,18 @@ copy_exec /usr/bin/sha384sum /usr/bin
### Include Signature-Verifier ### Include Signature-Verifier
copy_exec /usr/bin/gpgv /usr/bin copy_exec /usr/bin/gpgv /usr/bin
### Link busybox applets for compatibility
for dir in bin usr/bin; do for dir in bin usr/bin; do
ln -sf busybox "${DESTDIR}/${dir}/cat" ln -sf busybox "${DESTDIR}/${dir}/cat"
ln -sf busybox "${DESTDIR}/${dir}/sleep" ln -sf busybox "${DESTDIR}/${dir}/sleep"
done done
### Install Dropbear firewall configuration
install -m 0444 /etc/initramfs-tools/files/dropbear_fw.cnf "${DESTDIR}/etc/initramfs-tools/conf.d/dropbear_fw.cnf"
### Install Dropbear configuration
install -m 0444 /etc/initramfs-tools/files/dropbear.conf "${DESTDIR}/etc/dropbear/dropbear.conf"
install -m 0555 /etc/initramfs-tools/files/unlock-wrapper.sh "${DESTDIR}/usr/local/bin/unlock-wrapper.sh" install -m 0555 /etc/initramfs-tools/files/unlock-wrapper.sh "${DESTDIR}/usr/local/bin/unlock-wrapper.sh"
install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha384 "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha384" install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha384 "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha384"
install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha512 "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha512" install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha512 "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha512"
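Review bot: Nothing in this hunk copies `dropbear_fw.sh` into the image, while the new `conf.d/dropbear_fw.cnf` is installed and `${DESTDIR}/etc/initramfs-tools/scripts/init-premount` is created but left empty; if the copy happens further down (the file continues past this hunk) this is fine, otherwise `DROPBEAR_FIREWALL_ENABLED=1` has no effect and the pre-boot SSH port stays unfiltered without any error. initramfs-tools runs boot scripts from `/scripts/<stage>` inside the image, not from `/etc/initramfs-tools/scripts`, so a copied script belongs under `${DESTDIR}/scripts/init-premount/` (or the script can live in the host's `/etc/initramfs-tools/scripts/init-premount` and `mkinitramfs` picks it up itself). `dropbear.conf` and `dropbear_fw.cnf` are sourced as shell code by the start and firewall scripts, so a comment here such as `# both files are executed as shell by init-premount scripts; keep them root-owned, non-writable` would document the trust assumption.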


@@ -0,0 +1,64 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# List of modules that you want to include in your initramfs.
# They will be loaded at boot time in the order below.
#
# Syntax: module_name [args ...]
#
# You must run update-initramfs(8) to effect this change.
#
# Examples:
#
# raid1
# sd_mod
### QEMU Bochs-compatible virtual machine support
bochs
### Device-mapper core module (required for all dm_* features)
dm_mod
### Device-mapper integrity target (provides integrity checking)
dm-integrity
### Device-mapper crypt target (provides disk encryption)
dm-crypt
### Generic AES block cipher implementation (used by dm-crypt)
aes_generic
### Generic SHA-256 hashing algorithm (used by various crypto and integrity targets)
sha256_generic
### Generic SHA-384 hashing algorithm (used by various crypto and integrity targets)
sha384_generic
### Generic SHA-512 hashing algorithm (used by various crypto and integrity targets)
sha512_generic
### Generic CRC32C checksum implementation (used by btrfs and other filesystems)
crc32c_generic
### Main btrfs filesystem module
btrfs
### Zstandard compression support for btrfs
zstd_compress
### XOR parity implementation for RAID functionality
xor
### RAID6 parity generation module
raid6_pq
### Combined RAID4/5/6 support module
raid456
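Review bot: `sha384_generic` does not correspond to a kernel module as far as I know — SHA-384 is registered by `sha512_generic`, which provides both algorithms — so `update-initramfs` will most likely warn about a missing module for that line; drop it or confirm the name with `modinfo`. `dm-integrity` and `dm-crypt` use hyphens while `dm_mod` uses an underscore; modprobe accepts both, but one spelling (`dm_integrity`, `dm_crypt`) is easier to grep. Since `setup_dropbear` appends the detected NIC driver to this file at install time, the header could mention that the file is a template extended by the installer.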


@@ -10,6 +10,9 @@
# SPDX-PackageName: CISS.debian.installer # SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
export PATH="/usr/local/bin:/usr/bin:/bin:/sbin:/usr/sbin:$PATH" set -e
### Make sure /usr/local/bin is in front of 'PATH'.
export PATH="/usr/local/bin:${PATH:-/sbin:/usr/sbin:/bin:/usr/bin}"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
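Review bot: An `export PATH=...` in an init-top script only affects that script's own process if `run-scripts` executes the stage scripts as children rather than sourcing them, which is how initramfs-tools' `call_scripts` behaves as far as I know; in that case later init-premount scripts never see `/usr/local/bin` in front and the intent stated in `setup_dropbear` ("updating 'PATH'-variable inside initramfs") is not met — verify with an `echo "$PATH"` from the dropbear script on a test boot. If the limitation is real, a comment `# NOTE: PATH set here does not propagate to other stage scripts; they must set it themselves` is more honest than the current one, and `set -e` adds nothing to a script whose only statement is an `export`.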


@@ -0,0 +1,50 @@
#!/bin/sh
PREREQ="udev"
prereqs() {
echo "$PREREQ"
}
case "$1" in
prereqs)
prereqs
exit 0
;;
esac
[ -x /sbin/dropbear ] || exit 0
run_dropbear() {
# Remove old flags for dropbear version 2022.83
# only accepts flags from /etc/dropbear/dropbear.conf
#local flags="Fs"
#[ "$debug" != y ] || flags="E$flags" # log to standard error
# always run configure_networking() before dropbear(8); on NFS
# mounts this has been done already
[ "$BOOT" = nfs ] || configure_networking
log_begin_msg "Starting dropbear"
# using exec and keeping dropbear in the foreground enables the
# init-bottom script to kill the remaining ipconfig processes if
# someone unlocks the rootfs from the console while the network is
# being configured
exec /sbin/dropbear ${DROPBEAR_OPTIONS-}
}
if [ -e /etc/dropbear/dropbear.conf ]; then
. /etc/dropbear/dropbear.conf
fi
. /scripts/functions
# On NFS mounts, wait until the network is configured. On local mounts,
# configure the network in the background (in run_dropbear()) so someone
# with console access can enter the passphrase immediately. (With the
# default ip=dhcp, configure_networking hangs for 5mins or so when the
# network is unavailable, for instance.)
[ "$BOOT" != nfs ] || configure_networking
run_dropbear &
echo $! >/run/dropbear.pid
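Review bot: `exec /sbin/dropbear ${DROPBEAR_OPTIONS-}` drops the `-F` (foreground) flag the stock script passes; unless `DROPBEAR_OPTIONS` in `/etc/dropbear/dropbear.conf` contains `-F`, dropbear daemonises, the exec'd process exits, and `/run/dropbear.pid` records a dead PID, so the comment about keeping dropbear in the foreground and any init-bottom cleanup keyed on that pid no longer hold. Pass it explicitly, `exec /sbin/dropbear -F ${DROPBEAR_OPTIONS-}`, with `# shellcheck disable=SC2086 -- intentional word splitting of DROPBEAR_OPTIONS` above it. The commented-out `flags` lines can go; the comment "Remove old flags for dropbear version 2022.83" should instead say which options the installer-generated `dropbear.conf` is expected to provide. `/etc/dropbear/dropbear.conf` is sourced as shell, so a one-line comment that the file is installer-generated and must stay root-owned documents that assumption.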