V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 46s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 46s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -11,7 +11,7 @@
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
# SPDX-Comment: unlock_wrapper.sh to be executed as '/etc/crypttab' keyscript and as dropbear SSH forced command.
|
||||
|
||||
#set -Ceuo pipefail
|
||||
set -Ceuo pipefail
|
||||
|
||||
#######################################
|
||||
# Variable declaration
|
||||
@@ -46,7 +46,7 @@ ask_via_stdin() {
|
||||
}
|
||||
|
||||
#######################################
|
||||
# Print-colored text.
|
||||
# Printed text in color.
|
||||
# Arguments:
|
||||
# 1: Color code.
|
||||
# *: Text to print.
|
||||
@@ -54,7 +54,7 @@ ask_via_stdin() {
|
||||
color_echo() { declare c="${1}"; shift; declare msg="${*}"; printf "%b%s %b%b" "${c}" "${msg}" "${RES}" "${NL}"; }
|
||||
|
||||
#######################################
|
||||
# Die helper: print and exit hard.
|
||||
# Die Helper: print and then exit hard.
|
||||
# Globals:
|
||||
# NC
|
||||
# RED
|
||||
@@ -64,23 +64,24 @@ color_echo() { declare c="${1}"; shift; declare msg="${*}"; printf "%b%s %b%b" "
|
||||
die() { printf "%b✘ %s %b%b" "${RED}" "$1" "${RES}" "${NL}" >&2; power_off 3; }
|
||||
|
||||
#######################################
|
||||
# Drop to bash environment.
|
||||
# Drop into the bash environment.
|
||||
# Arguments:
|
||||
# None
|
||||
#######################################
|
||||
drop_bash() { stty echo; prompt_string; exec /bin/bash -i; }
|
||||
|
||||
#######################################
|
||||
# Extract the 'nuke='-parameter from '/proc/cmdline'.
|
||||
# Extract the 'nuke=' parameter from '/proc/cmdline'.
|
||||
# Globals:
|
||||
# GRE
|
||||
# NUKE_ENABLED
|
||||
# NUKE_HASH
|
||||
# RED
|
||||
# REGEX
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
# 0: if 'nuke=' was found and extracted.
|
||||
# 1: if not found.
|
||||
# 0: on success
|
||||
#######################################
|
||||
extract_nuke_hash() {
|
||||
declare ARG="" CMDLINE=""
|
||||
@@ -97,7 +98,7 @@ extract_nuke_hash() {
|
||||
if [[ "${NUKE_HASH}" =~ ${REGEX} ]]; then
|
||||
|
||||
declare -g NUKE_ENABLED="true"
|
||||
color_echo "${GRE}" "✅ Nuke Hash valid: [${REGEX}] [${NUKE_HASH}]."
|
||||
color_echo "${GRE}" "✅ System self check: [ok]"
|
||||
return 0
|
||||
|
||||
else
|
||||
@@ -130,7 +131,7 @@ gather_luks_devices() {
|
||||
while ((tries < 10)); do
|
||||
|
||||
# shellcheck disable=SC2312
|
||||
mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | sort)
|
||||
mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | /usr/bin/sort -V)
|
||||
|
||||
if cmp <(printf '%s\n' "${curr[@]}") <(printf '%s\n' "${prev[@]}") >/dev/null; then
|
||||
break
|
||||
@@ -146,7 +147,7 @@ gather_luks_devices() {
|
||||
}
|
||||
|
||||
#######################################
|
||||
# Erase LUKS headers on all LUKS devices and shutdown system.
|
||||
# Erase the LUKS headers on all LUKS devices, then shut down the system.
|
||||
# Globals:
|
||||
# DEVICES_LUKS
|
||||
# RED
|
||||
@@ -225,7 +226,7 @@ print_scr_err() {
|
||||
print_scr_scc() { color_echo "${GRE}" "✅ Script exited successfully. Proceeding with booting."; }
|
||||
|
||||
#######################################
|
||||
# Generates informative shell prompt.
|
||||
# Generates an informative shell prompt.
|
||||
# Globals:
|
||||
# PS1
|
||||
# Arguments:
|
||||
@@ -247,9 +248,8 @@ fi)\
|
||||
}
|
||||
|
||||
#######################################
|
||||
# Read Passphrase interactively.
|
||||
# Read the passphrase interactively.
|
||||
# Globals:
|
||||
# ASKPASS
|
||||
# NUKE_ENABLED
|
||||
# NUKE_HASH
|
||||
# PASSPHRASE
|
||||
@@ -264,9 +264,6 @@ read_passphrase() {
|
||||
|
||||
### Read from SSH STDIN (or TTY fallback), never via '/lib/cryptsetup/askpass'.
|
||||
ask_via_stdin "Enter passphrase: " PASSPHRASE
|
||||
echo "Password : ${PASSPHRASE}"
|
||||
echo "NUKE_ENABLED: ${NUKE_ENABLED}"
|
||||
echo "NUKE_HASH : ${NUKE_HASH}"
|
||||
|
||||
### NUKE pre-check
|
||||
if [[ "${NUKE_ENABLED,,}" == "true" ]]; then
|
||||
@@ -276,12 +273,6 @@ read_passphrase() {
|
||||
SALT="$(cut -d'$' -f4 <<< "${NUKE_HASH}")"
|
||||
CAND=$(/usr/mkpasswd --method=sha-512 --salt="${SALT}" --rounds="${ROUNDS}" "${PASSPHRASE}")
|
||||
|
||||
# TODO: DEBUGGER
|
||||
echo "ROUNDS : ${ROUNDS}"
|
||||
echo "SALT : ${SALT}"
|
||||
echo "CAND : ${CAND}"
|
||||
echo "NUKE_HASH : ${NUKE_HASH}"
|
||||
|
||||
if [[ "${CAND}" == "${NUKE_HASH}" ]]; then
|
||||
|
||||
echo "${CAND}" "==" "${NUKE_HASH}"
|
||||
@@ -296,7 +287,7 @@ read_passphrase() {
|
||||
}
|
||||
|
||||
#######################################
|
||||
# Securely unset the passphrase variable.
|
||||
# Securely unset the 'PASSPHRASE'-variable.
|
||||
# Globals:
|
||||
# PASSPHRASE
|
||||
# Arguments:
|
||||
@@ -323,8 +314,7 @@ trap_on_err() {
|
||||
trap - ERR INT TERM
|
||||
stty echo
|
||||
print_scr_err "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}"
|
||||
drop_bash
|
||||
#power_off 16
|
||||
power_off 16
|
||||
}
|
||||
|
||||
#######################################
|
||||
@@ -358,7 +348,7 @@ verify_script() {
|
||||
# shellcheck disable=SC2312
|
||||
dir="$(dirname "$(readlink -f "${0}")")"
|
||||
declare script; script="$(basename "${0}")"
|
||||
declare -a algo=( "sha512" "sha384" )
|
||||
declare -a algo=( "sha512" )
|
||||
declare cmd="" computed="" expected="" hashfile="" item="" sigfile=""
|
||||
|
||||
for item in "${algo[@]}"; do
|
||||
@@ -372,8 +362,7 @@ verify_script() {
|
||||
if ! gpgv --keyring /etc/keys/pubring.gpg "${sigfile}" "${hashfile}"; then
|
||||
color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]"
|
||||
color_echo "${RED}" "✘ System Power Off in 3 seconds ...."
|
||||
# TODO: DEBUGGER
|
||||
#power_off 3
|
||||
power_off 3
|
||||
else
|
||||
color_echo "${GRE}" "🔏 Verifying signature of: [${hashfile}] successful."
|
||||
fi
|
||||
@@ -387,8 +376,7 @@ verify_script() {
|
||||
if [[ "${computed}" != "${expected}" ]]; then
|
||||
color_echo "${RED}" "✘ Recomputed hash mismatch for : [${item}]" >&2
|
||||
color_echo "${RED}" "✘ System Power Off in 3 seconds ...." >&2
|
||||
# TODO: DEBUGGER
|
||||
#power_off 3
|
||||
power_off 3
|
||||
fi
|
||||
color_echo "${GRE}" "🔢 Recomputing Hash: [${item}] successful."
|
||||
|
||||
@@ -398,7 +386,7 @@ verify_script() {
|
||||
}
|
||||
|
||||
#######################################
|
||||
# Main Program Sequence
|
||||
# Main Program Sequence.
|
||||
# Globals:
|
||||
# CURRENTDATE
|
||||
# DEVICES_LUKS
|
||||
@@ -442,15 +430,14 @@ main() {
|
||||
if printf "%s" "${PASSPHRASE}" | cryptroot-unlock; then
|
||||
|
||||
secure_unset_pass
|
||||
drop_bash
|
||||
#exit 0
|
||||
exit 0
|
||||
|
||||
else
|
||||
|
||||
printf "%b" "${NL}"
|
||||
color_echo "${RED}" "✘ Unsuccessful command 'cryptroot-unlock'."
|
||||
color_echo "${GRE}" "✘ No LUKS operations performed. Dropping to bash ..."
|
||||
color_echo "${GRE}" "✘ To unlock 'root' partition, and maybe others like 'swap', run 'cryptroot-unlock'."
|
||||
color_echo "${GRE}" "✘ To unlock 'root' partition, and maybe others like '/home', run 'cryptroot-unlock'."
|
||||
drop_bash
|
||||
|
||||
fi
|
||||
|
||||
@@ -13,6 +13,8 @@
|
||||
|
||||
set -e
|
||||
|
||||
printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999-custom-initramfs.sh] \n\e[0m"
|
||||
|
||||
PREREQ=""
|
||||
prereqs() { echo "${PREREQ}"; }
|
||||
case "${1}" in
|
||||
@@ -48,6 +50,10 @@ printf "\e[92mSuccessfully executed: [copy_exec /usr/sbin/blkid /usr/sbin/blkid]
|
||||
copy_exec /usr/bin/busybox /usr/busybox
|
||||
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/busybox /usr/busybox] \n\e[0m"
|
||||
|
||||
### Include GNU coreutils 'sort' (has -V)
|
||||
copy_exec /usr/bin/sort /usr/bin/sort
|
||||
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sort /usr/bin/sort] \n\e[0m"
|
||||
|
||||
### Include gpgv
|
||||
copy_exec /usr/bin/gpgv /usr/bin/gpgv
|
||||
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/gpgv /usr/bin/gpgv] \n\e[0m"
|
||||
|
||||
@@ -13,6 +13,8 @@
|
||||
|
||||
set -e
|
||||
|
||||
printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999-custom-prompt.sh] \n\e[0m"
|
||||
|
||||
PREREQ=""
|
||||
prereqs() { echo "${PREREQ}"; }
|
||||
case "${1}" in
|
||||
|
||||
@@ -0,0 +1,26 @@
|
||||
#!/bin/sh
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-FileType: SOURCE
|
||||
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||||
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||||
# SPDX-PackageName: CISS.debian.installer
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
|
||||
set -e
|
||||
|
||||
PREREQ=""
|
||||
prereqs() { echo "${PREREQ}"; }
|
||||
case "${1}" in
|
||||
prereqs) prereqs; exit 0 ;;
|
||||
esac
|
||||
|
||||
### Make sure /usr/local/bin is in front of 'PATH'.
|
||||
export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"
|
||||
|
||||
printf '%s\n' "${PATH}" >| /run/ciss/fixpath.final
|
||||
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
||||
@@ -18,8 +18,10 @@ case "${1}" in
|
||||
prereqs) prereqs; exit 0 ;;
|
||||
esac
|
||||
|
||||
mkdir -p /run/ciss
|
||||
printf '%s\n' "${PATH}" >| /run/ciss/fixpath.initial
|
||||
|
||||
### Make sure /usr/local/bin is in front of 'PATH'.
|
||||
#export PATH="/usr/local/bin:${PATH:-/sbin:/usr/sbin:/bin:/usr/bin}"
|
||||
export PATH="/usr/local/bin:/usr:/sbin:/usr/sbin:/bin:/usr/bin"
|
||||
export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"
|
||||
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
||||
|
||||
Reference in New Issue
Block a user