V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m40s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m40s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -9,7 +9,7 @@
|
||||
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||||
# SPDX-PackageName: CISS.debian.installer
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
# SPDX-Comment: unlock_wrapper.sh to be executed as '/etc/crypttab' keyscript and as dropbear SSH forced command.
|
||||
# SPDX-Comment: unlock_wrapper.sh to be executed as 'dropbear-initramfs' SSH forced command.
|
||||
|
||||
set -Ceu -o pipefail -o ignoreeof
|
||||
shopt -s failglob
|
||||
@@ -49,6 +49,7 @@ ask_via_stdin() {
|
||||
### Silent, canonical read from FD 0 (SSH channel when forced-command).
|
||||
IFS= read -r -s "${varname?}" <&0
|
||||
printf "\n" >&2
|
||||
return 0
|
||||
}
|
||||
|
||||
#######################################
|
||||
@@ -57,7 +58,7 @@ ask_via_stdin() {
|
||||
# 1: Color code.
|
||||
# *: Text to print.
|
||||
#######################################
|
||||
color_echo() { declare c="${1}"; shift; declare msg="${*}"; printf "%b%s %b%b" "${c}" "${msg}" "${RES}" "${NL}"; }
|
||||
color_echo() { declare c="${1}"; shift; declare msg="${*}"; printf "%b%s %b%b" "${c}" "${msg}" "${RES}" "${NL}"; return 0; }
|
||||
|
||||
#######################################
|
||||
# Die Helper: print and then exit hard.
|
||||
@@ -74,7 +75,7 @@ die() { printf "%b✘ %s %b%b" "${RED}" "$1" "${RES}" "${NL}" >&2; power_off 3;
|
||||
# Arguments:
|
||||
# None
|
||||
#######################################
|
||||
drop_bash() { stty echo; prompt_string; exec /bin/bash -i; }
|
||||
drop_bash() { stty echo 2>/dev/null || true; prompt_string; exec /bin/bash -i; }
|
||||
|
||||
#######################################
|
||||
# Extract the 'nuke=' parameter from '/proc/cmdline'.
|
||||
@@ -122,6 +123,7 @@ extract_nuke_hash() {
|
||||
done
|
||||
|
||||
color_echo "${GRE}" "✅ No Nuke Hash found. Proceeding."
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
@@ -139,7 +141,8 @@ gather_luks_devices() {
|
||||
# shellcheck disable=SC2312
|
||||
mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | /usr/bin/sort -V)
|
||||
|
||||
if cmp <(printf '%s\n' "${curr[@]}") <(printf '%s\n' "${prev[@]}") >/dev/null; then
|
||||
if [[ "${curr[*]}" == "${prev[*]}" ]]; then
|
||||
#if cmp <(printf '%s\n' "${curr[@]}") <(printf '%s\n' "${prev[@]}") >/dev/null; then
|
||||
break
|
||||
fi
|
||||
|
||||
@@ -150,6 +153,8 @@ gather_luks_devices() {
|
||||
done
|
||||
|
||||
printf '%s\n' "${curr[@]}"
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
#######################################
|
||||
@@ -220,6 +225,8 @@ print_scr_err() {
|
||||
color_echo "${RED}" "✘ Function : [${scr_err_errfunc}]" >&2
|
||||
color_echo "${RED}" "✘ Command : [${scr_err_errcmmd}]" >&2
|
||||
printf "%b" "${NL}"
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
#######################################
|
||||
@@ -277,8 +284,9 @@ read_passphrase() {
|
||||
ROUNDS="$(cut -d'$' -f3 <<< "${NUKE_HASH}")"
|
||||
ROUNDS="${ROUNDS#rounds=}"
|
||||
SALT="$(cut -d'$' -f4 <<< "${NUKE_HASH}")"
|
||||
CAND=$(/usr/mkpasswd --method=sha-512 --salt="${SALT}" --rounds="${ROUNDS}" "${PASSPHRASE}")
|
||||
CAND=$(/usr/bin/mkpasswd --method=sha-512 --salt="${SALT}" --rounds="${ROUNDS}" "${PASSPHRASE}")
|
||||
|
||||
### NUKE final check.
|
||||
if [[ "${CAND}" == "${NUKE_HASH}" ]]; then
|
||||
|
||||
nuke
|
||||
@@ -297,7 +305,7 @@ read_passphrase() {
|
||||
# Arguments:
|
||||
# None
|
||||
#######################################
|
||||
secure_unset_pass() { unset PASSPHRASE; PASSPHRASE=""; }
|
||||
secure_unset_pass() { unset PASSPHRASE; PASSPHRASE=""; return 0; }
|
||||
|
||||
#######################################
|
||||
# Trap function to be called on 'ERR'.
|
||||
@@ -317,7 +325,7 @@ trap_on_err() {
|
||||
declare -g ERRTRAP='true'
|
||||
|
||||
trap - ERR INT TERM
|
||||
stty echo
|
||||
stty echo 2>/dev/null || true
|
||||
print_scr_err "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}"
|
||||
power_off 16
|
||||
}
|
||||
@@ -344,7 +352,7 @@ trap_on_exit() {
|
||||
#######################################
|
||||
trap_on_term() {
|
||||
trap - ERR INT TERM
|
||||
stty echo
|
||||
stty echo 2>/dev/null || true
|
||||
printf "%b" "${NL}"
|
||||
color_echo "${RED}" "✘ Received termination signal. System Power Off in 3 seconds." >&2
|
||||
power_off 3
|
||||
@@ -383,22 +391,32 @@ verify_script() {
|
||||
color_echo "${GRE}" "🔏 Verifying signature of: [${hashfile}] successful."
|
||||
fi
|
||||
|
||||
|
||||
color_echo "${MAG}" "🔢 Recomputing Hash: [${item}]"
|
||||
|
||||
# shellcheck disable=SC2312
|
||||
computed=$(${cmd} "${dir}/${script}" | awk '{print $1}')
|
||||
expected=$(cat "${hashfile}")
|
||||
|
||||
read -r computed _ < <("${cmd}" "${dir}/${script}")
|
||||
read -r expected < "${hashfile}"
|
||||
if [[ "${computed}" != "${expected}" ]]; then
|
||||
color_echo "${RED}" "✘ Recomputed hash mismatch for : [${item}]" >&2
|
||||
color_echo "${RED}" "✘ System Power Off in 3 seconds." >&2
|
||||
power_off 3
|
||||
fi
|
||||
|
||||
#color_echo "${MAG}" "🔢 Recomputing Hash: [${item}]"
|
||||
#computed=$(${cmd} "${dir}/${script}" | awk '{print $1}')
|
||||
#expected=$(cat "${hashfile}")
|
||||
#if [[ "${computed}" != "${expected}" ]]; then
|
||||
# color_echo "${RED}" "✘ Recomputed hash mismatch for : [${item}]" >&2
|
||||
# color_echo "${RED}" "✘ System Power Off in 3 seconds." >&2
|
||||
# power_off 3
|
||||
#fi
|
||||
|
||||
color_echo "${GRE}" "🔢 Recomputing Hash: [${item}] successful."
|
||||
|
||||
done
|
||||
|
||||
color_echo "${GRE}" "🔏 All signatures and hashes verified successfully. Proceeding."
|
||||
return 0
|
||||
}
|
||||
|
||||
#######################################
|
||||
@@ -415,6 +433,8 @@ verify_script() {
|
||||
# None
|
||||
#######################################
|
||||
main() {
|
||||
exec 1>&2
|
||||
|
||||
trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
|
||||
trap 'trap_on_exit' EXIT
|
||||
trap 'trap_on_term' INT TERM
|
||||
@@ -424,7 +444,7 @@ main() {
|
||||
elif [[ -r /etc/dropbear/initramfs/banner ]]; then
|
||||
cat /etc/dropbear/initramfs/banner >&2
|
||||
fi
|
||||
uname -a
|
||||
uname -a >&2
|
||||
|
||||
printf "%b" "${NL}"
|
||||
color_echo "${RED}" "Coresecret Connection established."
|
||||
@@ -461,10 +481,13 @@ main() {
|
||||
|
||||
else
|
||||
|
||||
secure_unset_pass
|
||||
|
||||
printf "%b" "${NL}"
|
||||
color_echo "${RED}" "✘ Unsuccessful command 'cryptroot-unlock'."
|
||||
color_echo "${GRE}" "✘ No LUKS operations performed. Dropping to bash ..."
|
||||
color_echo "${GRE}" "✘ To unlock 'root' partition, and maybe others like '/home', run 'cryptroot-unlock'."
|
||||
color_echo "${GRE}" " No LUKS operations performed. Dropping to bash ..."
|
||||
color_echo "${GRE}" " To unlock 'root' partition, and maybe others like '/home', run 'cryptroot-unlock'."
|
||||
|
||||
drop_bash
|
||||
|
||||
fi
|
||||
|
||||
@@ -72,6 +72,8 @@ printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/lsblk /usr/bin/lsblk] \
|
||||
### Include mkpasswd
|
||||
copy_exec /usr/bin/mkpasswd /usr/mkpasswd
|
||||
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/mkpasswd] \n\e[0m"
|
||||
copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd
|
||||
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd] \n\e[0m"
|
||||
|
||||
|
||||
### Include udevadm (udev management tool)
|
||||
|
||||
Reference in New Issue
Block a user