msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 46s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-09-03 18:27:28 +02:00
parent f1bff90643
commit be05b5a127
6 changed files with 61 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
func/cdi_4300_network/4312_dropbear_setup.sh
View File

@@ -79,6 +79,8 @@ dropbear_setup() {
write_dropbear_conf write_dropbear_conf
### Install the script to be called by 'update-initramfs' for updating 'PATH'-variable inside initramfs. ### Install the script to be called by 'update-initramfs' for updating 'PATH'-variable inside initramfs.
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/scripts/init-bottom/9999-fixpath.sh" \
"${TARGET}/etc/initramfs-tools/scripts/init-bottom/9999-fixpath"
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/scripts/init-top/0000-fixpath.sh" \ install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/scripts/init-top/0000-fixpath.sh" \
"${TARGET}/etc/initramfs-tools/scripts/init-top/0000-fixpath" "${TARGET}/etc/initramfs-tools/scripts/init-top/0000-fixpath"

55
includes/target/etc/initramfs-tools/files/unlock_wrapper.sh
View File

@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: unlock_wrapper.sh to be executed as '/etc/crypttab' keyscript and as dropbear SSH forced command. # SPDX-Comment: unlock_wrapper.sh to be executed as '/etc/crypttab' keyscript and as dropbear SSH forced command.
#set -Ceuo pipefail set -Ceuo pipefail
####################################### #######################################
# Variable declaration # Variable declaration
@@ -46,7 +46,7 @@ ask_via_stdin() {
} }
####################################### #######################################
# Print-colored text. # Printed text in color.
# Arguments: # Arguments:
# 1: Color code. # 1: Color code.
# *: Text to print. # *: Text to print.
@@ -54,7 +54,7 @@ ask_via_stdin() {
color_echo() { declare c="${1}"; shift; declare msg="${*}"; printf "%b%s %b%b" "${c}" "${msg}" "${RES}" "${NL}"; } color_echo() { declare c="${1}"; shift; declare msg="${*}"; printf "%b%s %b%b" "${c}" "${msg}" "${RES}" "${NL}"; }
####################################### #######################################
# Die helper: print and exit hard. # Die Helper: print and then exit hard.
# Globals: # Globals:
# NC # NC
# RED # RED
@@ -64,23 +64,24 @@ color_echo() { declare c="${1}"; shift; declare msg="${*}"; printf "%b%s %b%b" "
die() { printf "%b✘ %s %b%b" "${RED}" "$1" "${RES}" "${NL}" >&2; power_off 3; } die() { printf "%b✘ %s %b%b" "${RED}" "$1" "${RES}" "${NL}" >&2; power_off 3; }
####################################### #######################################
# Drop to bash environment. # Drop into the bash environment.
# Arguments: # Arguments:
# None # None
####################################### #######################################
drop_bash() { stty echo; prompt_string; exec /bin/bash -i; } drop_bash() { stty echo; prompt_string; exec /bin/bash -i; }
####################################### #######################################
# Extract the 'nuke='-parameter from '/proc/cmdline'. # Extract the 'nuke=' parameter from '/proc/cmdline'.
# Globals: # Globals:
# GRE
# NUKE_ENABLED # NUKE_ENABLED
# NUKE_HASH # NUKE_HASH
# RED # RED
# REGEX
# Arguments: # Arguments:
# None # None
# Returns: # Returns:
# 0: if 'nuke=' was found and extracted. # 0: on success
# 1: if not found.
####################################### #######################################
extract_nuke_hash() { extract_nuke_hash() {
declare ARG="" CMDLINE="" declare ARG="" CMDLINE=""
@@ -97,7 +98,7 @@ extract_nuke_hash() {
if [[ "${NUKE_HASH}" =~ ${REGEX} ]]; then if [[ "${NUKE_HASH}" =~ ${REGEX} ]]; then
declare -g NUKE_ENABLED="true" declare -g NUKE_ENABLED="true"
color_echo "${GRE}" "✅ Nuke Hash valid: [${REGEX}] [${NUKE_HASH}]." color_echo "${GRE}" "✅ System self check: [ok]"
return 0 return 0
else else
@@ -130,7 +131,7 @@ gather_luks_devices() {
while ((tries < 10)); do while ((tries < 10)); do
# shellcheck disable=SC2312 # shellcheck disable=SC2312
mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | sort) mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | /usr/bin/sort -V)
if cmp <(printf '%s\n' "${curr[@]}") <(printf '%s\n' "${prev[@]}") >/dev/null; then if cmp <(printf '%s\n' "${curr[@]}") <(printf '%s\n' "${prev[@]}") >/dev/null; then
break break
@@ -146,7 +147,7 @@ gather_luks_devices() {
} }
####################################### #######################################
# Erase LUKS headers on all LUKS devices and shutdown system. # Erase the LUKS headers on all LUKS devices, then shut down the system.
# Globals: # Globals:
# DEVICES_LUKS # DEVICES_LUKS
# RED # RED
@@ -225,7 +226,7 @@ print_scr_err() {
print_scr_scc() { color_echo "${GRE}" "✅ Script exited successfully. Proceeding with booting."; } print_scr_scc() { color_echo "${GRE}" "✅ Script exited successfully. Proceeding with booting."; }
####################################### #######################################
# Generates informative shell prompt. # Generates an informative shell prompt.
# Globals: # Globals:
# PS1 # PS1
# Arguments: # Arguments:
@@ -247,9 +248,8 @@ fi)\
} }
####################################### #######################################
# Read Passphrase interactively. # Read the passphrase interactively.
# Globals: # Globals:
# ASKPASS
# NUKE_ENABLED # NUKE_ENABLED
# NUKE_HASH # NUKE_HASH
# PASSPHRASE # PASSPHRASE
@@ -264,9 +264,6 @@ read_passphrase() {
### Read from SSH STDIN (or TTY fallback), never via '/lib/cryptsetup/askpass'. ### Read from SSH STDIN (or TTY fallback), never via '/lib/cryptsetup/askpass'.
ask_via_stdin "Enter passphrase: " PASSPHRASE ask_via_stdin "Enter passphrase: " PASSPHRASE
echo "Password : ${PASSPHRASE}"
echo "NUKE_ENABLED: ${NUKE_ENABLED}"
echo "NUKE_HASH : ${NUKE_HASH}"
### NUKE pre-check ### NUKE pre-check
if [[ "${NUKE_ENABLED,,}" == "true" ]]; then if [[ "${NUKE_ENABLED,,}" == "true" ]]; then
@@ -276,12 +273,6 @@ read_passphrase() {
SALT="$(cut -d'$' -f4 <<< "${NUKE_HASH}")" SALT="$(cut -d'$' -f4 <<< "${NUKE_HASH}")"
CAND=$(/usr/mkpasswd --method=sha-512 --salt="${SALT}" --rounds="${ROUNDS}" "${PASSPHRASE}") CAND=$(/usr/mkpasswd --method=sha-512 --salt="${SALT}" --rounds="${ROUNDS}" "${PASSPHRASE}")
# TODO: DEBUGGER
echo "ROUNDS : ${ROUNDS}"
echo "SALT : ${SALT}"
echo "CAND : ${CAND}"
echo "NUKE_HASH : ${NUKE_HASH}"
if [[ "${CAND}" == "${NUKE_HASH}" ]]; then if [[ "${CAND}" == "${NUKE_HASH}" ]]; then
echo "${CAND}" "==" "${NUKE_HASH}" echo "${CAND}" "==" "${NUKE_HASH}"
@@ -296,7 +287,7 @@ read_passphrase() {
} }
####################################### #######################################
# Securely unset the passphrase variable. # Securely unset the 'PASSPHRASE'-variable.
# Globals: # Globals:
# PASSPHRASE # PASSPHRASE
# Arguments: # Arguments:
@@ -323,8 +314,7 @@ trap_on_err() {
trap - ERR INT TERM trap - ERR INT TERM
stty echo stty echo
print_scr_err "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}" print_scr_err "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}"
drop_bash power_off 16
#power_off 16
} }
####################################### #######################################
@@ -358,7 +348,7 @@ verify_script() {
# shellcheck disable=SC2312 # shellcheck disable=SC2312
dir="$(dirname "$(readlink -f "${0}")")" dir="$(dirname "$(readlink -f "${0}")")"
declare script; script="$(basename "${0}")" declare script; script="$(basename "${0}")"
declare -a algo=( "sha512" "sha384" ) declare -a algo=( "sha512" )
declare cmd="" computed="" expected="" hashfile="" item="" sigfile="" declare cmd="" computed="" expected="" hashfile="" item="" sigfile=""
for item in "${algo[@]}"; do for item in "${algo[@]}"; do
@@ -372,8 +362,7 @@ verify_script() {
if ! gpgv --keyring /etc/keys/pubring.gpg "${sigfile}" "${hashfile}"; then if ! gpgv --keyring /etc/keys/pubring.gpg "${sigfile}" "${hashfile}"; then
color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]" color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]"
color_echo "${RED}" "✘ System Power Off in 3 seconds ...." color_echo "${RED}" "✘ System Power Off in 3 seconds ...."
# TODO: DEBUGGER power_off 3
#power_off 3
else else
color_echo "${GRE}" "🔏 Verifying signature of: [${hashfile}] successful." color_echo "${GRE}" "🔏 Verifying signature of: [${hashfile}] successful."
fi fi
@@ -387,8 +376,7 @@ verify_script() {
if [[ "${computed}" != "${expected}" ]]; then if [[ "${computed}" != "${expected}" ]]; then
color_echo "${RED}" "✘ Recomputed hash mismatch for : [${item}]" >&2 color_echo "${RED}" "✘ Recomputed hash mismatch for : [${item}]" >&2
color_echo "${RED}" "✘ System Power Off in 3 seconds ...." >&2 color_echo "${RED}" "✘ System Power Off in 3 seconds ...." >&2
# TODO: DEBUGGER power_off 3
#power_off 3
fi fi
color_echo "${GRE}" "🔢 Recomputing Hash: [${item}] successful." color_echo "${GRE}" "🔢 Recomputing Hash: [${item}] successful."
@@ -398,7 +386,7 @@ verify_script() {
} }
####################################### #######################################
# Main Program Sequence # Main Program Sequence.
# Globals: # Globals:
# CURRENTDATE # CURRENTDATE
# DEVICES_LUKS # DEVICES_LUKS
@@ -442,15 +430,14 @@ main() {
if printf "%s" "${PASSPHRASE}" | cryptroot-unlock; then if printf "%s" "${PASSPHRASE}" | cryptroot-unlock; then
secure_unset_pass secure_unset_pass
drop_bash exit 0
#exit 0
else else
printf "%b" "${NL}" printf "%b" "${NL}"
color_echo "${RED}" "✘ Unsuccessful command 'cryptroot-unlock'." color_echo "${RED}" "✘ Unsuccessful command 'cryptroot-unlock'."
color_echo "${GRE}" "✘ No LUKS operations performed. Dropping to bash ..." color_echo "${GRE}" "✘ No LUKS operations performed. Dropping to bash ..."
color_echo "${GRE}" "✘ To unlock 'root' partition, and maybe others like 'swap', run 'cryptroot-unlock'." color_echo "${GRE}" "✘ To unlock 'root' partition, and maybe others like '/home', run 'cryptroot-unlock'."
drop_bash drop_bash
fi fi

6
includes/target/etc/initramfs-tools/hooks/9999-custom-initramfs.sh
View File

@@ -13,6 +13,8 @@
set -e set -e
printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999-custom-initramfs.sh] \n\e[0m"
PREREQ="" PREREQ=""
prereqs() { echo "${PREREQ}"; } prereqs() { echo "${PREREQ}"; }
case "${1}" in case "${1}" in
@@ -48,6 +50,10 @@ printf "\e[92mSuccessfully executed: [copy_exec /usr/sbin/blkid /usr/sbin/blkid]
copy_exec /usr/bin/busybox /usr/busybox copy_exec /usr/bin/busybox /usr/busybox
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/busybox /usr/busybox] \n\e[0m" printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/busybox /usr/busybox] \n\e[0m"
### Include GNU coreutils 'sort' (has -V)
copy_exec /usr/bin/sort /usr/bin/sort
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sort /usr/bin/sort] \n\e[0m"
### Include gpgv ### Include gpgv
copy_exec /usr/bin/gpgv /usr/bin/gpgv copy_exec /usr/bin/gpgv /usr/bin/gpgv
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/gpgv /usr/bin/gpgv] \n\e[0m" printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/gpgv /usr/bin/gpgv] \n\e[0m"

2
includes/target/etc/initramfs-tools/hooks/9999-custom-prompt.sh
View File

@@ -13,6 +13,8 @@
set -e set -e
printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999-custom-prompt.sh] \n\e[0m"
PREREQ="" PREREQ=""
prereqs() { echo "${PREREQ}"; } prereqs() { echo "${PREREQ}"; }
case "${1}" in case "${1}" in

26
includes/target/etc/initramfs-tools/scripts/init-bottom/9999-fixpath.sh Normal file
View File

@@ -0,0 +1,26 @@
#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
set -e
PREREQ=""
prereqs() { echo "${PREREQ}"; }
case "${1}" in
prereqs) prereqs; exit 0 ;;
esac
### Make sure /usr/local/bin is in front of 'PATH'.
export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"
printf '%s\n' "${PATH}" >| /run/ciss/fixpath.final
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

6
includes/target/etc/initramfs-tools/scripts/init-top/0000-fixpath.sh
View File

@@ -18,8 +18,10 @@ case "${1}" in
prereqs) prereqs; exit 0 ;; prereqs) prereqs; exit 0 ;;
esac esac
mkdir -p /run/ciss
printf '%s\n' "${PATH}" >| /run/ciss/fixpath.initial
### Make sure /usr/local/bin is in front of 'PATH'. ### Make sure /usr/local/bin is in front of 'PATH'.
#export PATH="/usr/local/bin:${PATH:-/sbin:/usr/sbin:/bin:/usr/bin}" export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"
export PATH="/usr/local/bin:/usr:/sbin:/usr/sbin:/bin:/usr/bin"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh