msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m24s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-06-29 19:27:00 +02:00
parent ea2454dd66
commit b1be218ea0
5 changed files with 76 additions and 183 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
func/2010_validation_ip.sh
View File

@@ -47,7 +47,7 @@ validation_ipv6() {
declare var_addr="${var_ip%%\%*}" declare var_addr="${var_ip%%\%*}"
declare var_has_double_colon=0 declare var_has_double_colon=0
### Step 1 IPv4-mapped / -embedded addresses (::ffff:192.0.2.1) ### Step 1 - IPv4-mapped / -embedded addresses (::ffff:192.0.2.1)
if [[ "${var_addr}" == *.* ]]; then if [[ "${var_addr}" == *.* ]]; then
declare var_ipv4_part="${var_addr##*:}" declare var_ipv4_part="${var_addr##*:}"
validation_ipv4 "${var_ipv4_part}" || exit "${ERR_INVALID_IPV6}" validation_ipv4 "${var_ipv4_part}" || exit "${ERR_INVALID_IPV6}"
@@ -55,26 +55,26 @@ validation_ipv6() {
var_addr="${var_addr%:*}:0:0" var_addr="${var_addr%:*}:0:0"
fi fi
### Step 2 Detect forbidden multiple '::' ### Step 2 - Detect forbidden multiple '::'
if [[ "${var_addr}" == *::* ]]; then if [[ "${var_addr}" == *::* ]]; then
var_has_double_colon=1 var_has_double_colon=1
### Remove first '::' and check there is no second one. ### Remove first '::' and check there is no second one.
[[ ${var_addr#*::*} == *::* ]] && exit "${ERR_INVALID_IPV6}" [[ ${var_addr#*::*} == *::* ]] && exit "${ERR_INVALID_IPV6}"
fi fi
### Step 3 Split into hextets and validate format. ### Step 3 - Split into hextets and validate format.
declare var_hextet declare var_hextet
declare -a var_segments declare -a var_segments
IFS=':' read -ra var_segments <<< "${var_addr}" IFS=':' read -ra var_segments <<< "${var_addr}"
declare seg_count=${#var_segments[@]} declare seg_count=${#var_segments[@]}
for var_hextet in "${var_segments[@]}"; do for var_hextet in "${var_segments[@]}"; do
### Empty part of '::' compression ### Empty part of '::' compression
[[ -z "${var_hextet}" ]] && continue [[ -z "${var_hextet}" ]] && continue
[[ "${var_hextet}" =~ ^[0-9a-fA-F]{1,4}$ ]] || exit "${ERR_INVALID_IPV6}" [[ "${var_hextet}" =~ ^[0-9a-fA-F]{1,4}$ ]] || exit "${ERR_INVALID_IPV6}"
done done
### Step 4 Check total hextet count. ### Step 4 - Check total hextet count.
if (( var_has_double_colon )); then if (( var_has_double_colon )); then
(( seg_count <= 8 )) || exit "${ERR_INVALID_IPV6}" (( seg_count <= 8 )) || exit "${ERR_INVALID_IPV6}"
else else

2
func/2019_helper_yaml.sh
View File

@@ -13,7 +13,7 @@
guard_sourcing guard_sourcing
####################################### #######################################
# yq_val <YQ expression> <file> Returns value, converts null to "" # yq_val <YQ expression> <file> - Returns value, converts null to ""
# Arguments: # Arguments:
# $1: Key String to evaluate # $1: Key String to evaluate
# $2: YAML File # $2: YAML File

241
func/3220_partition_encryption.sh
View File

@@ -21,7 +21,6 @@ guard_sourcing
# HMP_EPHEMERAL_DEV # HMP_EPHEMERAL_DEV
# HMP_EPHEMERAL_ENCLABEL # HMP_EPHEMERAL_ENCLABEL
# HMP_MOUNTPATH_ENCRYPTIONLABEL # HMP_MOUNTPATH_ENCRYPTIONLABEL
# RECIPE_STRING
# VAR_CRYPT_ROOT # VAR_CRYPT_ROOT
# VAR_RECIPE_STRING # VAR_RECIPE_STRING
# VAR_SETUP_PART # VAR_SETUP_PART
@@ -62,201 +61,95 @@ partition_encryption() {
var_filesystem_label=$(yq_val e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.label" "${VAR_SETUP_PART}") var_filesystem_label=$(yq_val e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.label" "${VAR_SETUP_PART}")
var_mount_path=$(yq_val e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.path" "${VAR_SETUP_PART}") var_mount_path=$(yq_val e ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.path" "${VAR_SETUP_PART}")
if [[ "${var_encryption_enable,,}" == "true" ]]; then if [[ "${var_encryption_enable,,}" != "true" ]]; then
continue
fi
if [[ "${var_encryption_ephemeral,,}" == "true" ]]; then declare -a ary_luks_opts=(
--key-file="${DIR_CNF}/password.txt"
--type luks2
--cipher "${var_encryption_cipher}"
--hash "${var_encryption_hash}"
--iter-time "${var_encryption_iter}"
--key-size "${var_encryption_key}"
--label "${var_encryption_label}"
--luks2-metadata-size "${var_encryption_meta}"
--pbkdf "${var_encryption_pbkdf}"
--"${var_encryption_rng}"
--batch-mode --verbose
)
if [[ "${var_mount_path}" == "SWAP" ]]; then [[ "${var_encryption_integrity,,}" == "true" ]] && ary_luks_opts+=(--integrity hmac-sha512)
if [[ "${var_encryption_ephemeral,,}" == "true" ]]; then
case "${var_mount_path}" in
SWAP|/tmp)
mkfs.ext4 -L "${var_filesystem_label}" "/dev/${var_dev}${var_part}" 1M mkfs.ext4 -L "${var_filesystem_label}" "/dev/${var_dev}${var_part}" 1M
do_log "info" "false" "Ephemeral 'SWAP' prepared on: '/dev/${var_dev}${var_part}'." do_log "info" "false" "Ephemeral: '${var_mount_path}' prepared on: '/dev/${var_dev}${var_part}'."
HMP_EPHEMERAL_DEV["${var_mount_path}"]="/dev/${var_dev}${var_part}" HMP_EPHEMERAL_DEV["${var_mount_path}"]="/dev/${var_dev}${var_part}"
HMP_EPHEMERAL_ENCLABEL["${var_mount_path}"]="${var_encryption_label}" HMP_EPHEMERAL_ENCLABEL["${var_mount_path}"]="${var_encryption_label}"
do_log "info" "false" "Stored in HashMap [MAP_EPHEMERAL_DEV] : '${var_mount_path}' -> '${HMP_EPHEMERAL_DEV["${var_mount_path}"]}'" do_log "info" "false" "Stored in HashMap [HMP_EPHEMERAL_DEV] : '${var_mount_path}' -> '${HMP_EPHEMERAL_DEV["${var_mount_path}"]}'"
do_log "info" "false" "Stored in HashMap [MAP_EPHEMERAL_ENCLABEL]: '${var_mount_path}' -> '${HMP_EPHEMERAL_ENCLABEL["${var_mount_path}"]}'" do_log "info" "false" "Stored in HashMap [HMP_EPHEMERAL_ENCLABEL]: '${var_mount_path}' -> '${HMP_EPHEMERAL_ENCLABEL["${var_mount_path}"]}'"
continue
;;
elif [[ "${var_mount_path}" == "/tmp" ]]; then *)
do_log "error" "false" "Invalid mount path: '${var_mount_path}' for partition: '/dev/${var_dev}${var_part}'."
continue
;;
mkfs.ext4 -L "${var_filesystem_label}" "/dev/${var_dev}${var_part}" 1M esac
do_log "info" "false" "Ephemeral '/tmp' prepared on: '/dev/${var_dev}${var_part}'."
HMP_EPHEMERAL_DEV["${var_mount_path}"]="/dev/${var_dev}${var_part}" fi
HMP_EPHEMERAL_ENCLABEL["${var_mount_path}"]="${var_encryption_label}"
do_log "info" "false" "Stored in HashMap [MAP_EPHEMERAL_DEV] : '${var_mount_path}' -> '${HMP_EPHEMERAL_DEV["${var_mount_path}"]}'"
do_log "info" "false" "Stored in HashMap [MAP_EPHEMERAL_ENCLABEL]: '${var_mount_path}' -> '${HMP_EPHEMERAL_ENCLABEL["${var_mount_path}"]}'"
else cryptsetup luksFormat "${ary_luks_opts[@]}" "/dev/${var_dev}${var_part}"
do_log "error" "false" "Partition: '/dev/${var_dev}${var_part}' Invalid value for 'MOUNT_PATH': '${var_mount_path}'." if [[ "${var_encryption_integrity,,}" == "true" ]]; then
fi do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' dm-integrity encrypted."
elif [[ "${var_encryption_ephemeral,,}" == "false" ]]; then
if [[ "${var_encryption_integrity,,}" == "true" ]]; then
if [[ "${var_encryption_nuke,,}" == "true" ]]; then
cryptsetup luksFormat "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
--type luks2 \
--cipher "${var_encryption_cipher}" \
--hash "${var_encryption_hash}" \
--iter-time "${var_encryption_iter}" \
--key-size "${var_encryption_key}" \
--label "${var_encryption_label}" \
--luks2-metadata-size "${var_encryption_meta}" \
--pbkdf "${var_encryption_pbkdf}" \
--"${var_encryption_rng}" \
--integrity hmac-sha512 \
--batch-mode --verbose
cryptsetup luksAddKey "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
--new-keyfile="${DIR_CNF}/password_nuke.txt" \
--new-key-slot 31 \
--batch-mode --verbose
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' dm-integrity encrypted and 'Nuke-Key' added."
cryptsetup luksHeaderBackup "/dev/${var_dev}${var_part}" \
--header-backup-file="${DIR_BAK}/luks_header_${var_dev}${var_part}.bak"
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' LUKS Header saved: '${DIR_BAK}/luks_header_${var_dev}${var_part}.bak'."
elif [[ "${var_encryption_nuke,,}" == "false" ]]; then
cryptsetup luksFormat "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
--type luks2 \
--cipher "${var_encryption_cipher}" \
--hash "${var_encryption_hash}" \
--iter-time "${var_encryption_iter}" \
--key-size "${var_encryption_key}" \
--label "${var_encryption_label}" \
--luks2-metadata-size "${var_encryption_meta}" \
--pbkdf "${var_encryption_pbkdf}" \
--"${var_encryption_rng}" \
--integrity hmac-sha512 \
--batch-mode --verbose
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' dm-integrity encrypted."
cryptsetup luksHeaderBackup "/dev/${var_dev}${var_part}" \
--header-backup-file="${DIR_BAK}/luks_header_${var_dev}${var_part}.bak"
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' LUKS Header saved: '${DIR_BAK}/luks_header_${var_dev}${var_part}.bak'."
else
do_log "error" "false" "Partition: '/dev/${var_dev}${var_part}' Invalid value for 'NUKE_ENABLE': '${var_encryption_nuke}'."
fi
elif [[ "${var_encryption_integrity,,}" == "false" ]]; then
if [[ "${var_encryption_nuke,,}" == "true" ]]; then
cryptsetup luksFormat "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
--type luks2 \
--cipher "${var_encryption_cipher}" \
--hash "${var_encryption_hash}" \
--iter-time "${var_encryption_iter}" \
--key-size "${var_encryption_key}" \
--label "${var_encryption_label}" \
--luks2-metadata-size "${var_encryption_meta}" \
--pbkdf "${var_encryption_pbkdf}" \
--"${var_encryption_rng}" \
--batch-mode --verbose
cryptsetup luksAddKey "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
--new-keyfile="${DIR_CNF}/password_nuke.txt" \
--new-key-slot 31 \
--batch-mode --verbose
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' encrypted and 'Nuke-Key' added."
cryptsetup luksHeaderBackup "/dev/${var_dev}${var_part}" \
--header-backup-file="${DIR_BAK}/luks_header_${var_dev}${var_part}.bak"
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' LUKS Header saved: '/${DIR_BAK}/luks_header_${var_dev}${var_part}.bak'."
elif [[ ${var_encryption_nuke,,} == "false" ]]; then
cryptsetup luksFormat "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
--type luks2 \
--cipher "${var_encryption_cipher}" \
--hash "${var_encryption_hash}" \
--iter-time "${var_encryption_iter}" \
--key-size "${var_encryption_key}" \
--label "${var_encryption_label}" \
--luks2-metadata-size "${var_encryption_meta}" \
--pbkdf "${var_encryption_pbkdf}" \
--"${var_encryption_rng}" \
--batch-mode --verbose
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' encrypted."
cryptsetup luksHeaderBackup "/dev/${var_dev}${var_part}" \
--header-backup-file="${DIR_BAK}/luks_header_${var_dev}${var_part}.bak"
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' LUKS Header saved: '/${DIR_BAK}/luks_header_${var_dev}${var_part}.bak'."
else
do_log "error" "false" "Partition: '/dev/${var_dev}${var_part}' Invalid value for 'NUKE_ENABLE': '${var_encryption_nuke}'."
fi
else
do_log "error" "false" "Partition: '/dev/${var_dev}${var_part}' Invalid value for 'INTEGRITY_ENABLE': '${var_encryption_integrity}'."
fi
else
do_log "error" "false" "Partition: '/dev/${var_dev}${var_part}' Invalid value for 'EPHEMERAL_ENABLE': '${var_encryption_ephemeral}'."
fi
else else
do_log "error" "true" "Partition: '/dev/${var_dev}${var_part}' Invalid value for 'ENCRYPTION_ENABLE': '${var_encryption_enable}'." do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' encrypted."
fi fi
if [[ "${var_encryption_nuke,,}" == "true" ]]; then
cryptsetup luksAddKey \
--key-file="${DIR_CNF}/password.txt" \
--new-keyfile="${DIR_CNF}/password_nuke.txt" \
--new-key-slot 31 \
--batch-mode --verbose \
"/dev/${var_dev}${var_part}"
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' 'Nuke-Key' added."
fi
cryptsetup luksHeaderBackup --header-backup-file="${DIR_BAK}/luks_header_${var_dev}${var_part}.bak" "/dev/${var_dev}${var_part}"
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' LUKS Header saved: '${DIR_BAK}/luks_header_${var_dev}${var_part}.bak'."
### Opening encrypted partition. ### Opening encrypted partition.
if [[ "${var_encryption_enable,,}" == "true" && ${var_encryption_ephemeral,,} == "false" ]]; then cryptsetup luksOpen "/dev/${var_dev}${var_part}" \
--key-file="${DIR_CNF}/password.txt" \
"${var_encryption_label}"
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' opened as '/dev/mapper/${var_encryption_label}'."
cryptsetup luksOpen "/dev/${var_dev}${var_part}" \ ### Store UUID of the encrypted partition
--key-file="${DIR_CNF}/password.txt" \ # shellcheck disable=SC2155
"${var_encryption_label}" declare var_uuid=$(blkid -s UUID -o value "/dev/mapper/${var_encryption_label}")
do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' opened as '/dev/mapper/${var_encryption_label}'." # shellcheck disable=SC2155
[[ "${var_mount_path}" == "/" ]] && declare -grx VAR_CRYPT_ROOT="${var_uuid}"
### Store UUID of the encrypted partition HMP_ENCRYPTIONLABEL_UUID["${var_encryption_label}"]="${var_uuid}"
# shellcheck disable=SC2155 HMP_MOUNTPATH_ENCRYPTIONLABEL["${var_mount_path}"]="${var_encryption_label}"
declare var_uuid=$(blkid -s UUID -o value "/dev/mapper/${var_encryption_label}") do_log "info" "false" "Saved in HashMap [HMP_ENCRYPTIONLABEL_UUID] : '${var_encryption_label}' -> '${HMP_ENCRYPTIONLABEL_UUID["${var_encryption_label}"]}'"
if [[ "${var_mount_path}" = "/" ]]; then do_log "info" "false" "Saved in HashMap [HMP_MOUNTPATH_ENCRYPTIONLABEL] : '${var_mount_path}' -> '${HMP_MOUNTPATH_ENCRYPTIONLABEL["${var_mount_path}"]}'"
# shellcheck disable=SC2155
declare -grx VAR_CRYPT_ROOT="$(blkid -s UUID -o value "/dev/mapper/${var_encryption_label}")"
fi
HMP_ENCRYPTIONLABEL_UUID["${var_encryption_label}"]="${var_uuid}"
HMP_MOUNTPATH_ENCRYPTIONLABEL["${var_mount_path}"]="${var_encryption_label}"
do_log "info" "false" "Saved in HashMap [HMP_ENCRYPTIONLABEL_UUID] : '${var_encryption_label}' -> '${HMP_ENCRYPTIONLABEL_UUID["${var_encryption_label}"]}'"
do_log "info" "false" "Saved in HashMap [HMP_MOUNTPATH_ENCRYPTIONLABEL] : '${var_mount_path}' -> '${HMP_MOUNTPATH_ENCRYPTIONLABEL["${var_mount_path}"]}'"
else
do_log "error" "false" "Partition: '/dev/${var_dev}${var_part}' Opening encrypted partition - Invalid value for 'ENCRYPTION_ENABLE': '${var_encryption_enable}' and 'EPHEMERAL_ENABLE': '${var_encryption_ephemeral}'."
fi
done done

2
func/9999_coresecret.sh
View File

@@ -3,7 +3,7 @@
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 20242025; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE # SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework. # SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.

4
lib/1000_usage.sh
View File

@@ -39,8 +39,8 @@ $(echo -e "\e[93m ⚡ All data on the disks specified in './.preseed/partitio
--debug, -d <MODE> --debug, -d <MODE>
Whereas <MODE> can be one or both of the following: 'TRAP' or 'XTRACE'. Whereas <MODE> can be one or both of the following: 'TRAP' or 'XTRACE'.
XTRACE uses the 'set -x' capability to trace every command executed. - XTRACE uses the 'set -x' capability to trace every command executed.
TRAP uses the bash 'trap DEBUG' capability. - TRAP uses the bash 'trap DEBUG' capability.
$(echo -e "\e[93m Detailed debugging information is written to:\e[0m") $(echo -e "\e[93m Detailed debugging information is written to:\e[0m")
- /tmp/ciss_debian_installer_$$_debug.log - /tmp/ciss_debian_installer_$$_debug.log
- /tmp/ciss_debian_installer_$$_trace.log - /tmp/ciss_debian_installer_$$_trace.log