V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4300_network/4312_dropbear_setup.sh

@@ -79,6 +79,8 @@ dropbear_setup() {
   write_dropbear_conf
 
   ### Install the script to be called by 'update-initramfs' for updating 'PATH'-variable inside initramfs.
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/scripts/init-bottom/9999-fixpath.sh" \
+    "${TARGET}/etc/initramfs-tools/scripts/init-bottom/9999-fixpath"
   install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/scripts/init-top/0000-fixpath.sh" \
     "${TARGET}/etc/initramfs-tools/scripts/init-top/0000-fixpath"
 

includes/target/etc/initramfs-tools/files/unlock_wrapper.sh

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 # SPDX-Comment: unlock_wrapper.sh to be executed as '/etc/crypttab' keyscript and as dropbear SSH forced command.
 
-#set -Ceuo pipefail
+set -Ceuo pipefail
 
 #######################################
 # Variable declaration
@@ -46,7 +46,7 @@ ask_via_stdin() {
 }
 
 #######################################
-# Print-colored text.
+# Printed text in color.
 # Arguments:
 #   1: Color code.
 #   *: Text to print.
@@ -54,7 +54,7 @@ ask_via_stdin() {
 color_echo() { declare c="${1}"; shift; declare msg="${*}"; printf "%b%s %b%b" "${c}" "${msg}" "${RES}" "${NL}"; }
 
 #######################################
-# Die helper: print and exit hard.
+# Die Helper: print and then exit hard.
 # Globals:
 #   NC
 #   RED
@@ -64,23 +64,24 @@ color_echo() { declare c="${1}"; shift; declare msg="${*}"; printf "%b%s %b%b" "
 die() { printf "%b✘ %s %b%b" "${RED}" "$1" "${RES}" "${NL}" >&2; power_off 3; }
 
 #######################################
-# Drop to bash environment.
+# Drop into the bash environment.
 # Arguments:
 #   None
 #######################################
 drop_bash() { stty echo; prompt_string; exec /bin/bash -i; }
 
 #######################################
-# Extract the 'nuke='-parameter from '/proc/cmdline'.
+# Extract the 'nuke=' parameter from '/proc/cmdline'.
 # Globals:
+#   GRE
 #   NUKE_ENABLED
 #   NUKE_HASH
 #   RED
+#   REGEX
 # Arguments:
 #   None
 # Returns:
-#   0: if 'nuke=' was found and extracted.
-#   1: if not found.
+#   0: on success
 #######################################
 extract_nuke_hash() {
   declare     ARG="" CMDLINE=""
@@ -97,7 +98,7 @@ extract_nuke_hash() {
         if [[ "${NUKE_HASH}" =~ ${REGEX} ]]; then
 
           declare -g NUKE_ENABLED="true"
-          color_echo "${GRE}" "✅ Nuke Hash valid: [${REGEX}] [${NUKE_HASH}]."
+          color_echo "${GRE}" "✅ System self check: [ok]"
           return 0
 
         else
@@ -130,7 +131,7 @@ gather_luks_devices() {
   while ((tries < 10)); do
 
     # shellcheck disable=SC2312
-    mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | sort)
+    mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | /usr/bin/sort -V)
 
     if cmp <(printf '%s\n' "${curr[@]}") <(printf '%s\n' "${prev[@]}") >/dev/null; then
       break
@@ -146,7 +147,7 @@ gather_luks_devices() {
 }
 
 #######################################
-# Erase LUKS headers on all LUKS devices and shutdown system.
+# Erase the LUKS headers on all LUKS devices, then shut down the system.
 # Globals:
 #   DEVICES_LUKS
 #   RED
@@ -225,7 +226,7 @@ print_scr_err() {
 print_scr_scc() { color_echo "${GRE}" "✅ Script exited successfully. Proceeding with booting."; }
 
 #######################################
-# Generates informative shell prompt.
+# Generates an informative shell prompt.
 # Globals:
 #   PS1
 # Arguments:
@@ -247,9 +248,8 @@ fi)\
 }
 
 #######################################
-# Read Passphrase interactively.
+# Read the passphrase interactively.
 # Globals:
-#   ASKPASS
 #   NUKE_ENABLED
 #   NUKE_HASH
 #   PASSPHRASE
@@ -264,9 +264,6 @@ read_passphrase() {
 
   ### Read from SSH STDIN (or TTY fallback), never via '/lib/cryptsetup/askpass'.
   ask_via_stdin "Enter passphrase: " PASSPHRASE
-  echo "Password    : ${PASSPHRASE}"
-  echo "NUKE_ENABLED: ${NUKE_ENABLED}"
-  echo "NUKE_HASH   : ${NUKE_HASH}"
 
   ### NUKE pre-check
   if [[ "${NUKE_ENABLED,,}" == "true" ]]; then
@@ -276,12 +273,6 @@ read_passphrase() {
     SALT="$(cut -d'$' -f4 <<< "${NUKE_HASH}")"
     CAND=$(/usr/mkpasswd --method=sha-512 --salt="${SALT}" --rounds="${ROUNDS}" "${PASSPHRASE}")
 
-    # TODO: DEBUGGER
-    echo "ROUNDS    : ${ROUNDS}"
-    echo "SALT      : ${SALT}"
-    echo "CAND      : ${CAND}"
-    echo "NUKE_HASH : ${NUKE_HASH}"
-
     if [[ "${CAND}" == "${NUKE_HASH}" ]]; then
 
       echo "${CAND}" "==" "${NUKE_HASH}"
@@ -296,7 +287,7 @@ read_passphrase() {
 }
 
 #######################################
-# Securely unset the passphrase variable.
+# Securely unset the 'PASSPHRASE'-variable.
 # Globals:
 #   PASSPHRASE
 # Arguments:
@@ -323,8 +314,7 @@ trap_on_err() {
   trap - ERR INT TERM
   stty echo
   print_scr_err "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}"
-  drop_bash
-  #power_off 16
+  power_off 16
 }
 
 #######################################
@@ -358,7 +348,7 @@ verify_script() {
   # shellcheck disable=SC2312
   dir="$(dirname "$(readlink -f "${0}")")"
   declare     script; script="$(basename "${0}")"
-  declare -a  algo=( "sha512" "sha384" )
+  declare -a  algo=( "sha512" )
   declare     cmd="" computed="" expected="" hashfile="" item="" sigfile=""
 
   for item in "${algo[@]}"; do
@@ -372,8 +362,7 @@ verify_script() {
     if ! gpgv --keyring /etc/keys/pubring.gpg "${sigfile}" "${hashfile}"; then
       color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]"
       color_echo "${RED}" "✘ System Power Off in 3 seconds ...."
-      # TODO: DEBUGGER
-      #power_off 3
+      power_off 3
     else
       color_echo "${GRE}" "🔏 Verifying signature of: [${hashfile}] successful."
     fi
@@ -387,8 +376,7 @@ verify_script() {
     if [[ "${computed}" != "${expected}" ]]; then
       color_echo "${RED}" "✘ Recomputed hash mismatch for     : [${item}]" >&2
       color_echo "${RED}" "✘ System Power Off in 3 seconds ...." >&2
-      # TODO: DEBUGGER
-      #power_off 3
+      power_off 3
     fi
     color_echo "${GRE}" "🔢 Recomputing Hash: [${item}] successful."
 
@@ -398,7 +386,7 @@ verify_script() {
 }
 
 #######################################
-# Main Program Sequence
+# Main Program Sequence.
 # Globals:
 #   CURRENTDATE
 #   DEVICES_LUKS
@@ -442,15 +430,14 @@ main() {
   if printf "%s" "${PASSPHRASE}" | cryptroot-unlock; then
 
     secure_unset_pass
-    drop_bash
-    #exit 0
+    exit 0
 
   else
 
     printf "%b" "${NL}"
     color_echo "${RED}" "✘ Unsuccessful command 'cryptroot-unlock'."
     color_echo "${GRE}" "✘ No LUKS operations performed. Dropping to bash ..."
-    color_echo "${GRE}" "✘ To unlock 'root' partition, and maybe others like 'swap', run 'cryptroot-unlock'."
+    color_echo "${GRE}" "✘ To unlock 'root' partition, and maybe others like '/home', run 'cryptroot-unlock'."
     drop_bash
 
   fi

includes/target/etc/initramfs-tools/hooks/9999-custom-initramfs.sh

@@ -13,6 +13,8 @@
 
 set -e
 
+printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999-custom-initramfs.sh] \n\e[0m"
+
 PREREQ=""
 prereqs() { echo "${PREREQ}"; }
 case "${1}" in
@@ -48,6 +50,10 @@ printf "\e[92mSuccessfully executed: [copy_exec /usr/sbin/blkid /usr/sbin/blkid]
 copy_exec /usr/bin/busybox /usr/busybox
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/busybox /usr/busybox] \n\e[0m"
 
+### Include GNU coreutils 'sort' (has -V)
+copy_exec /usr/bin/sort /usr/bin/sort
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sort /usr/bin/sort] \n\e[0m"
+
 ### Include gpgv
 copy_exec /usr/bin/gpgv /usr/bin/gpgv
 printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/gpgv /usr/bin/gpgv] \n\e[0m"

includes/target/etc/initramfs-tools/hooks/9999-custom-prompt.sh

@@ -13,6 +13,8 @@
 
 set -e
 
+printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999-custom-prompt.sh] \n\e[0m"
+
 PREREQ=""
 prereqs() { echo "${PREREQ}"; }
 case "${1}" in

includes/target/etc/initramfs-tools/scripts/init-bottom/9999-fixpath.sh

@@ -0,0 +1,26 @@
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+set -e
+
+PREREQ=""
+prereqs() { echo "${PREREQ}"; }
+case "${1}" in
+  prereqs) prereqs; exit 0 ;;
+esac
+
+### Make sure /usr/local/bin is in front of 'PATH'.
+export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"
+
+printf '%s\n' "${PATH}" >| /run/ciss/fixpath.final
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/etc/initramfs-tools/scripts/init-top/0000-fixpath.sh

@@ -18,8 +18,10 @@ case "${1}" in
   prereqs) prereqs; exit 0 ;;
 esac
 
+mkdir -p /run/ciss
+printf '%s\n' "${PATH}" >| /run/ciss/fixpath.initial
+
 ### Make sure /usr/local/bin is in front of 'PATH'.
-#export PATH="/usr/local/bin:${PATH:-/sbin:/usr/sbin:/bin:/usr/bin}"
-export PATH="/usr/local/bin:/usr:/sbin:/usr/sbin:/bin:/usr/bin"
+export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh