msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🔁 Render Graphviz Diagrams. / 🔁 Render Graphviz Diagrams. (push) Successful in 39s
Details
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m45s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-07-20 19:43:09 +02:00
parent 55a0cb6884
commit e1f09ca170
27 changed files with 1100 additions and 909 deletions
Download Patch File Download Diff File Expand all files Collapse all files

589
includes/initramfs-tools/files/unlock_wrapper.sh
View File

@@ -9,14 +9,184 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: unlock_wrapper.sh to be executed after dropbear SSH login as forced command
# SPDX-Comment: unlock_wrapper.sh to be executed as '/etc/crypttab' keyscript and as dropbear SSH forced command.
set -Ceuo pipefail
IFS=$(printf ' \n\t')
#######################################
# Variable declaration
#######################################
declare -r ASKPASS='/lib/cryptsetup/askpass'
declare -r REGEX='^\$[a-z0-9]+\$[./A-Za-z0-9]+\$[./A-Za-z0-9]+$'
# shellcheck disable=SC2155
declare -gr CURRENTDATE=$(date +"%F %T")
declare -gir MAX_RETRIES=2
declare -r CURRENTDATE=$(date +"%F %T")
declare -r GRE='\e[0;92m'
declare -r MAG='\e[0;95m'
declare -r RED='\e[0;91m'
declare -r RES='\e[0m'
declare -r NL='\n'
declare -g NUKE_ENABLED='false'
declare -g NUKE_HASH=''
declare -g PASSPHRASE=''
#######################################
# Print-colored text.
# Arguments:
# 1: Color code.
# *: Text to print.
#######################################
color_echo() { declare c="$1"; shift; declare msg="${*}"; printf "%s%s %s%s" "${c}" "${msg}" "${RES}" "${NL}"; }
#######################################
# Die helper: print and exit hard.
# Globals:
# NC
# RED
# Arguments:
# 1: Message string to print.
#######################################
die() { printf "%s✘ %s%s\n" "${RED}" "$1" "${RES}" >&2; power_off 3; }
#######################################
# Drop to bash environment.
# Arguments:
# None
#######################################
drop_bash() { stty echo; prompt_string; exec /bin/bash -i; }
#######################################
# Extract the 'nuke='-parameter from '/proc/cmdline'.
# Globals:
# NUKE_ENABLED
# NUKE_HASH
# RED
# Arguments:
# None
# Returns:
# 0: if 'nuke=' was found and extracted.
# 1: if not found.
#######################################
extract_nuke_hash() {
declare ARG="" CMDLINE=""
### Read '/proc/cmdline' into a single line safely.
read -r CMDLINE < /proc/cmdline
for ARG in ${CMDLINE}; do
case "${ARG}" in
nuke=*)
NUKE_HASH="${ARG#nuke=}"
if [[ "${NUKE_HASH}" =~ ${REGEX} ]]; then
NUKE_ENABLED="true"
return 0
else
### If there is a malformed Grub Bootparameter 'nuke=HASH', drop to bash.
color_echo "${RED}" "✘ Nuke Hash Malformat : [${REGEX}] [${NUKE_HASH}]." >&2
color_echo "${RED}" "✘ Dropping to bash ...:" >&2
drop_bash
fi
;;
esac
done
### No 'nuke=HASH' entry found.
return 1
}
#######################################
# Gather information of all LUKS Devices available on the system.
# Arguments:
# None
#######################################
gather_luks_devices() {
declare prev=() curr=()
declare -i tries=0
while ((tries < 10)); do
mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | sort)
if cmp <(printf '%s\n' "${curr[@]}") <(printf '%s\n' "${prev[@]}") >/dev/null; then
break
fi
prev=("${curr[@]}")
tries=$((tries + 1))
sleep 1
done
printf '%s\n' "${curr[@]}"
}
#######################################
# Erase LUKS headers on all LUKS devices and shutdown system.
# Globals:
# DEVICES_LUKS
# RED
# Arguments:
# None
#######################################
nuke() {
declare dev=""
for dev in "${DEVICES_LUKS[@]}"; do
cryptsetup erase --batch-mode "${dev}" || true
color_echo "${RED}" "✘ Error: LUKS Device Header malfunction: [${dev}]."
done
secure_unset_pass
color_echo "${RED}" "✘ Error: LUKS Device malfunction. System Power Off in 16 seconds."
power_off 16
}
#######################################
# Unified power-off routine.
# Arguments:
# 1: Sleep time before power-off in seconds (Default to 0 seconds).
#######################################
power_off() {
declare -r wait="${1:-0}"
sleep "${wait}"
sync
echo 1 >| /proc/sys/kernel/sysrq
echo o >| /proc/sysrq-trigger
### The System powers off immediately; no further code is executed.
}
#######################################
# Print Error Message for Trap on 'ERR' on Terminal.
# Globals:
# NL
# RED
# Arguments:
# 1: ${?}
# 2: ${BASH_SOURCE[0]}
# 3: ${LINENO}
# 4: ${FUNCNAME[0]:-main}
# 5: ${BASH_COMMAND}
#######################################
print_scr_err() {
declare -r scr_err_errcode="$1"
declare -r scr_err_errscrt="$2"
declare -r scr_err_errline="$3"
declare -r scr_err_errfunc="$4"
declare -r scr_err_errcmmd="$5"
printf "%s" "${NL}"
color_echo "${RED}" "✘ System caught an 'ERROR'. System Power Off in 16 seconds." >&2
printf "%s" "${NL}"
color_echo "${RED}" "✘ Error : [${scr_err_errcode}]" >&2
color_echo "${RED}" "✘ Line : [${scr_err_errline}]" >&2
color_echo "${RED}" "✘ Script : [${scr_err_errscrt}]" >&2
color_echo "${RED}" "✘ Function : [${scr_err_errfunc}]" >&2
color_echo "${RED}" "✘ Command : [${scr_err_errcmmd}]" >&2
printf "%s" "${NL}"
}
#######################################
# Print Error Message for '0'-Exit-Code on Terminal.
# Globals:
# GRE
# Arguments:
# None
#######################################
print_scr_scc() { color_echo "${GRE}" "✅ Script exited successfully. Proceeding with booting."; }
#######################################
# Generates informative shell prompt.
@@ -40,14 +210,56 @@ fi)\
|~\$ "
}
#######################################
# Read Passphrase interactively.
# Globals:
# ASKPASS
# NUKE_ENABLED
# NUKE_HASH
# PASSPHRASE
# Arguments:
# None
# Returns:
# 0: on success
#######################################
read_passphrase() {
declare -a METHODS=("sha512crypt" "yescrypt" "scrypt" "bcrypt")
declare METHOD="" SALT=""
PASSPHRASE="$(${ASKPASS} "Enter passphrase: ")"
if [[ "${NUKE_ENABLED,,}" == 'true' ]]; then
### Validate NUKE_HASH format (e.g., $id$salt$hash)
if [[ "${NUKE_HASH}" =~ ${REGEX} ]]; then
SALT="$(cut -d'$' -f3 <<< "${NUKE_HASH}")"
for METHOD in "${METHODS[@]}"; do
if mkpasswd -m "${METHOD}" -S "${SALT}" "${PASSPHRASE}" 2>/dev/null | grep -qF -- "${NUKE_HASH}"; then
nuke
fi
done
fi
fi
return 0
}
#######################################
# Securely unset the passphrase variable.
# Globals:
# PASSPHRASE
# Arguments:
# None
#######################################
secure_unset_pass() { unset PASSPHRASE; PASSPHRASE=""; }
#######################################
# Trap function to be called on 'ERR'.
# Arguments:
# $1: ${?}
# $2: ${BASH_SOURCE[0]}
# $3: ${LINENO}
# $4: ${FUNCNAME[0]:-main}
# $5: ${BASH_COMMAND}
# 1: ${?}
# 2: ${BASH_SOURCE[0]}
# 3: ${LINENO}
# 4: ${FUNCNAME[0]:-main}
# 5: ${BASH_COMMAND}
#######################################
trap_on_err() {
declare -r errcode="$1"
@@ -55,322 +267,127 @@ trap_on_err() {
declare -r errline="$3"
declare -r errfunc="$4"
declare -r errcmmd="$5"
trap - ERR
trap - ERR INT TERM
stty echo
if [[ ${errcode} -eq 0 ]]; then
print_scr_scc
prompt_string
exit 0
else
print_scr_err "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}"
sleep 15
sync
set +C
echo 1 > /proc/sys/kernel/sysrq
echo o > /proc/sysrq-trigger
fi
print_scr_err "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}"
power_off 16
}
#######################################
# Security Trap on 'INT' and 'TERM' to provide a deterministic way to not circumvent the Nuke Routine
# Security Trap on 'INT' and 'TERM' to provide a deterministic way to not circumvent the nuke routine.
# Globals:
# DEVICES_LUKS
# DEVICES_NUKE
# NL
# RED
# Arguments:
# None
# None
#######################################
trap_on_term() {
trap - INT
trap - ERR INT TERM
stty echo
printf "\n"
printf "\e[0;91m✘ System caught a 'SIGINT'. System Power Off in 3 seconds. \e[0m\n" >&2
sync
sleep 3
set +C
echo 1 > /proc/sys/kernel/sysrq
echo o > /proc/sysrq-trigger
}
#######################################
# Print Error Message for 'non-0' Trap on 'EXIT' on Terminal.
# Arguments:
# $1: ${?}
# $2: ${BASH_SOURCE[0]}
# $3: ${LINENO}
# $4: ${FUNCNAME[0]:-main}
# $5: ${BASH_COMMAND}
#######################################
print_scr_err() {
declare -r scr_err_errcode="$1"
declare -r scr_err_errscrt="$2"
declare -r scr_err_errline="$3"
declare -r scr_err_errfunc="$4"
declare -r scr_err_errcmmd="$5"
printf "\n"
printf "\e[0;91m✘ System caught an 'ERROR'. System Power Off in 15 seconds. \e[0m\n" >&2
printf "\n"
printf "\e[0;91m✘ Error : %s \e[0m\n" "${scr_err_errcode}" >&2
printf "\e[0;91m✘ Line : %s \e[0m\n" "${scr_err_errline}" >&2
printf "\e[0;91m✘ Script : %s \e[0m\n" "${scr_err_errscrt}" >&2
printf "\e[0;91m✘ Function : %s \e[0m\n" "${scr_err_errfunc}" >&2
printf "\e[0;91m✘ Command : %s \e[0m\n" "${scr_err_errcmmd}" >&2
printf "\n"
}
#######################################
# Print Error Message for '0' Trap on 'ERR' on Terminal.
# Arguments:
# none
#######################################
print_scr_scc() {
printf "\e[0;92m✅ Script exited successfully. Proceeding with booting. \e[0m\n"
printf "\n"
}
#######################################
# Gather information of all LUKS Devices available on the system
# Arguments:
# None
#######################################
gather_luks_devices() {
declare prev=() curr=() dev="" tries=0
while ((tries < 10)); do
mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device)
if [[ ${curr[*]} == "${prev[*]}" ]]; then
break
fi
prev=("${curr[@]}")
tries=$((tries + 1))
sleep 1
done
### Print one device per line for mapfile compatibility
for dev in "${curr[@]}"; do
printf '%s\n' "${dev}"
done
}
#######################################
# Gather information of all NUKE Devices available on the system
# Globals:
# DEVICES_LUKS
# Arguments:
# None
#######################################
gather_nuke_devices() {
### 'DEVICES_LUKS' must already be a bash array of device paths
declare dev=""
declare result=()
for dev in "${DEVICES_LUKS[@]}"; do
### Check slot 31 for 'luks2'
if cryptsetup luksDump "${dev}" 2> /dev/null | grep -qE '^[[:space:]]*31: luks2'; then
result+=("${dev}")
fi
done
### Print one device per line for mapfile compatibility
for dev in "${result[@]}"; do
printf '%s\n' "${dev}"
done
}
#######################################
# Read passphrase interactively.
# Arguments:
# None
#######################################
passphrase_ask() {
declare -g PASSPHRASE=""
printf "\n"
stty -echo
printf "\e[0;95m🔐 Enter passphrase for decryption: \e[0m\n"
read -r PASSPHRASE
stty echo
printf "\n"
}
#######################################
# Test the entered passphrase against the dedicated Nuke Keyslot #31.
# Arguments:
# $1: DEVICE
# $2: PASSWD
#######################################
passphrase_test() {
declare -r DEVICE="$1"
declare -r PASPHR="$2"
printf '%s' "${PASPHR}" | cryptsetup open --batch-mode --test-passphrase --key-slot 31 "${DEVICE}" > /dev/null 2>&1
printf "%s" "${NL}"
color_echo "${RED}" "✘ Received termination signal. System Power Off in 3 seconds." >&2
power_off 3
}
#######################################
# Check the integrity and authenticity of this script itself.
# Globals:
# GRE
# MAG
# RED
# Arguments:
# $0: Script Name
# 0: Script Name
#######################################
verify_coresecret() {
### Directory of this script
# shellcheck disable=SC2155
declare dir="$(dirname "$(readlink -f "${0}")")"
# shellcheck disable=SC2155
declare script="$(basename "${0}")"
declare algo
verify_script() {
declare dir; dir="$(dirname "$(readlink -f "${0}")")"
declare script; script="$(basename "${0}")"
declare -a algo=("sha512" "sha384")
declare cmd="" computed="" expected="" hashfile="" item="" sigfile=""
for algo in sha512 sha384; do
# shellcheck disable=SC2155
declare hashfile="${dir}/${script}.${algo}"
# shellcheck disable=SC2155
declare sigfile="${hashfile}.sig"
# shellcheck disable=SC2155
declare cmd="${algo}sum"
for item in "${algo[@]}"; do
hashfile="${dir}/${script}.${item}"
sigfile="${hashfile}.sig"
cmd="${item}sum"
printf "\e[0;95m🔏 Verifying signature of: [%s] \e[0m\n" "${hashfile}"
color_echo "${MAG}" "🔏 Verifying signature of: [${hashfile}]"
gpgv --keyring /etc/keys/pubring.gpg "${sigfile}" "${hashfile}" || {
printf "\e[0;91m✘ Signature verification failed for: [%s] \e[0m\n" "${hashfile}" >&2
printf "\e[0;91m✘ System Power Off in 3 seconds. \e[0m\n" >&2
sync
sleep 3
set +C
echo 1 > /proc/sys/kernel/sysrq
echo o > /proc/sysrq-trigger
color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]"
color_echo "${RED}" "✘ System Power Off in 3 seconds ...."
power_off 3
}
printf "\e[0;92m🔏 Verifying signature of: [%s] successful. \e[0m\n" "${hashfile}"
color_echo "${GRE}" "🔏 Verifying signature of: [${hashfile}] successful."
printf "\e[0;95m🔢 Recomputing Hash: [%s] \e[0m\n" "${algo}"
# shellcheck disable=SC2155
declare computed=$($cmd "${dir}/${script}" | awk '{print $1}')
# shellcheck disable=SC2155
declare expected=$(cat "${hashfile}")
color_echo "${MAG}" "🔢 Recomputing Hash: [${item}]"
computed=$(${cmd} "${dir}/${script}" | awk '{print $1}')
expected=$(cat "${hashfile}")
if [[ ${computed} != "${expected}" ]]; then
printf "\e[0;91m✘ Hash mismatch for: [%s] \e[0m\n" "${algo}" >&2
printf "\e[0;91m✘ System Power Off in 3 seconds. \e[0m\n" >&2
sync
sleep 3
set +C
echo 1 > /proc/sys/kernel/sysrq
echo o > /proc/sysrq-trigger
if [[ "${computed}" != "${expected}" ]]; then
color_echo "${RED}" "✘ Recomputed hash mismatch for : [${item}]" >&2
color_echo "${RED}" "✘ System Power Off in 3 seconds ...." >&2
power_off 3
fi
printf "\e[0;92m🔢 Recomputing Hash: [%s] successful. \e[0m\n" "${algo}"
color_echo "${GRE}" "🔢 Recomputing Hash: [${item}] successful."
done
printf "\e[0;92m🔏 All signatures and hashes verified successfully. Proceeding. \e[0m\n"
color_echo "${GRE}" "🔏 All signatures and hashes verified successfully. Proceeding."
}
### Main Programm
trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
trap 'trap_on_term' INT TERM
#######################################
# Main Programm Sequence
# Globals:
# CURRENTDATE
# DEVICES_LUKS
# GRE
# MAG
# NL
# PASSPHRASE
# RED
# Arguments:
# None
#######################################
main() {
trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
trap 'trap_on_term' INT TERM
printf "\e[0;91mCoresecret Connection established.\e[0m\n"
printf "\e[0;91mStarting Time: %s\e[0m\n" "${CURRENTDATE}"
printf "\n"
color_echo "${RED}" "Coresecret Connection established."
color_echo "${RED}" "Starting Time: ${CURRENTDATE}"
color_echo "${MAG}" "Integrity self-check ..."
printf "%s" "${NL}"
verify_coresecret
verify_script
### Read newline-separated output into an array
mapfile -t DEVICES_LUKS < <(gather_luks_devices)
mapfile -t DEVICES_NUKE < <(gather_nuke_devices)
### Read newline-separated output into an array.
color_echo "${MAG}" "Scanning for LUKS devices ..."
printf "%s" "${NL}"
mapfile -t DEVICES_LUKS < <(gather_luks_devices)
### Debug output: list each element with its index
#for idx in "${!DEVICES_LUKS[@]}"; do
# printf 'Luks[%d]: %s\n' "${idx}" "${DEVICES_LUKS[${idx}]}"
#done
### If there are no LUKS devices at all, drop to bash.
if (( ${#DEVICES_LUKS[@]} == 0 )); then
color_echo "${RED}" "✘ No LUKS Devices found. Dropping to bash ..."
drop_bash
fi
### Debug output: list each element with its index
#for idx in "${!DEVICES_NUKE[@]}"; do
# printf 'Nuke[%d]: %s\n' "${idx}" "${DEVICES_NUKE[${idx}]}"
#done
### Extract the 'nuke='-parameter from '/proc/cmdline'.
extract_nuke_hash
### # If there are no LUKS devices at all, drop to bash
[[ -n ${DEVICES_LUKS[*]} ]] || {
printf "\e[0;92m✘ No LUKS Devices found. Dropping to bash ... \e[0m\n"
prompt_string
exec /bin/bash -i
}
### Read passphrase interactively.
read_passphrase
### If there are LUKS devices but no Nuke devices, try unlocking flow
if [[ -n ${DEVICES_LUKS[*]} ]] && [[ -z ${DEVICES_NUKE[*]} ]]; then
### Attempt interactive unlock with cryptroot-unlock
if cryptroot-unlock; then
if printf "%s" "${PASSPHRASE}" | cryptroot-unlock; then
secure_unset_pass
exit 0
else
printf "\n"
printf "\e[0;91m✘ Unsuccessful command 'cryptroot-unlock'. \e[0m\n"
printf "\e[0;92m✘ No LUKS operations performed. Dropping to bash ... \e[0m\n"
printf "\e[0;92m✘ To unlock 'root' partition, and maybe others like 'swap', run 'cryptroot-unlock'. \e[0m\n"
prompt_string
exec /bin/bash -i
printf "%s" "${NL}"
color_echo "${RED}" "✘ Unsuccessful command 'cryptroot-unlock'."
color_echo "${GRE}" "✘ No LUKS operations performed. Dropping to bash ..."
color_echo "${GRE}" "✘ To unlock 'root' partition, and maybe others like 'swap', run 'cryptroot-unlock'."
drop_bash
fi
}
elif [[ -n ${DEVICES_LUKS[*]} ]] && [[ -n ${DEVICES_NUKE[*]} ]]; then
declare -i attempt=1
declare NUKED=false
declare TEST_DEV="${DEVICES_NUKE[0]}"
while ((attempt <= MAX_RETRIES)); do
printf "\e[0;95m🔐Attempt %s/%s: \e[0m\n" "${attempt}" "${MAX_RETRIES}"
passphrase_ask
declare -g PASSWD="${PASSPHRASE}"
if passphrase_test "${TEST_DEV}" "${PASSWD}"; then
for dev in "${DEVICES_NUKE[@]}"; do
cryptsetup erase --batch-mode "${dev}" > /dev/null 2>&1
printf "%s:\e[0;95m✘ LUKS Device Header malfunction. \e[0m\n" "${dev}"
done
declare -r NUKED=true
unset PASSWD
break
else
declare code="$?"
case "${code}" in
1) printf "\e[0;91m✘ No usable key slot is available. \e[0m\n" ;;
2) printf "\e[0;91m✘ No key available with this passphrase. \e[0m\n" ;;
3) printf "\e[0;93m✘ Out of memory. \e[0m\n" ;;
*) printf "\e[0;91m✘ Unexpected Return Code. \e[0m\n" ;;
esac
fi
attempt=$((attempt + 1))
done
if [[ ${NUKED} == true ]]; then
stty echo
sleep 3
sync
set +C
echo 1 > /proc/sys/kernel/sysrq
echo o > /proc/sysrq-trigger
fi
if cryptroot-unlock; then
exit 0
else
printf "\e[0;91m✘ Unsuccessful command 'cryptroot-unlock'. \e[0m\n"
printf "\e[0;92m✘ No LUKS operations performed. Dropping to bash ... \e[0m\n"
printf "\e[0;92m✘ To unlock 'root' partition, and maybe others like 'swap', run 'cryptroot-unlock'. \e[0m\n"
prompt_string
exec /bin/bash -i
fi
fi
main "${@}"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

447
includes/initramfs-tools/files/unlock_wrapper_advanced.sh
View File

@@ -1,447 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: unlock_wrapper_advanced.sh to be executed as '/etc/crypttab' keyscript and as dropbear SSH forced command.
set -Ceuo pipefail
#######################################
# Variable declaration
#######################################
declare -ir MAX_RETRIES=2
declare -r ASKPASS='/lib/cryptsetup/askpass'
# shellcheck disable=SC2155
declare -r CURRENTDATE=$(date +"%F %T")
# shellcheck disable=SC2155
declare -r IFS=$(printf ' \n\t')
declare -r GRE='\e[0;92m'
declare -r MAG='\e[0;95m'
declare -r RED='\e[0;91m'
declare -r RES='\e[0m'
declare -r NL='\n'
declare -g NUKE_ENABLED='false'
declare -g NUKE_HASH=''
declare -g PASSPHRASE=''
#######################################
# Print-colored text.
# Arguments:
# $1 - color code
# $@ - text to print
#######################################
color_echo() { declare c="$1"; shift; printf "%s%s %s%s" "${c}" "${*}" "${RES}" "${NL}"; }
#######################################
# Die helper: print and exit hard.
# Globals:
# NC
# RED
# Arguments:
# 1: Message string to print.
#######################################
die() { printf "%s✘ %s%s\n" "${RED}" "$1" "${RES}" >&2; power_off 3; }
#######################################
# Drop to bash environment.
# Arguments:
# None
#######################################
drop_bash() { prompt_string; exec /bin/bash -i; }
#######################################
# Extract the 'nuke='-parameter from '/proc/cmdline'.
# Globals:
# NL
# NUKE_ENABLED
# NUKE_HASH
# RED
# RES
# Arguments:
# None
# Returns:
# 0: if 'nuke=' was found and extracted.
# 1: if not found.
#######################################
extract_nuke_hash() {
declare ARG="" CMDLINE="" REGEX='(\$[^$]+){3,}'
### Read '/proc/cmdline' into a single line safely.
read -r CMDLINE < /proc/cmdline
for ARG in ${CMDLINE}; do
case "${ARG}" in
nuke=*)
NUKE_HASH="${ARG#nuke=}"
if echo "${NUKE_HASH}" | grep -qE "${REGEX}"; then
NUKE_ENABLED="true"
return 0
else
### If there is a malformed Grub Bootparameter 'nuke=HASH', drop to bash.
color_echo "${RED}" "✘ Nuke Hash Malformat : [${REGEX}] [${NUKE_HASH}]." >&2
color_echo "${RED}" "✘ Dropping to bash ...:" >&2
drop_bash
fi
;;
esac
done
### No 'nuke=HASH' entry found.
return 1
}
#######################################
# Gather information of all LUKS Devices available on the system.
# Arguments:
# None
#######################################
gather_luks_devices() {
declare prev=() curr=()
declare -i tries=0
while ((tries < 10)); do
mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | sort)
if cmp <(printf '%s\n' "${curr[@]}") <(printf '%s\n' "${prev[@]}") >/dev/null; then
break
fi
prev=("${curr[@]}")
tries=$((tries + 1))
sleep 1
done
printf '%s\n' "${curr[@]}"
}
#######################################
# Erase LUKS headers on all LUKS devices and shutdown system.
# Globals:
# NUKE_DEVICES
#######################################
nuke() {
declare dev=""
for dev in "${DEVICES_LUKS[@]}"; do
cryptsetup erase --batch-mode "${dev}" || true
color_echo "${RED}" "✘ Error: LUKS Device Header malfunction: [${dev}]."
done
secure_unset_pass
color_echo "${RED}" "✘ Error: LUKS Device malfunction. System Power Off in 16 seconds."
power_off 16
}
#######################################
# Unified power-off routine.
# Arguments:
# 1: Sleep time before power-off in seconds (Default to 0 seconds).
#######################################
power_off() {
declare -r wait="${1:-0}"
sleep "${wait}"
sync
echo 1 >| /proc/sys/kernel/sysrq
echo o >| /proc/sysrq-trigger
# The System powers off immediately; no further code is executed.
}
#######################################
# Generates informative shell prompt.
# Globals:
# PS1
# Arguments:
# None
#######################################
prompt_string() {
declare -gx PS1="\
\[\033[1;91m\]\d\[\033[0m\]|\[\033[1;91m\]\u\[\033[0m\]@\
\[\033[1;95m\]\h\[\033[0m\]:\
\[\033[1;96m\]\w\[\033[0m\]/>>\
\$(if [[ \$? -eq 0 ]]; then \
# Show exit status in green if zero
echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
else \
# Show exit status in red otherwise
echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
fi)\
|~\$ "
}
#######################################
# Trap function to be called on 'ERR'.
# Arguments:
# 1: ${?}
# 2: ${BASH_SOURCE[0]}
# 3: ${LINENO}
# 4: ${FUNCNAME[0]:-main}
# 5: ${BASH_COMMAND}
#######################################
trap_on_err() {
declare -r errcode="$1"
declare -r errscrt="$2"
declare -r errline="$3"
declare -r errfunc="$4"
declare -r errcmmd="$5"
trap - ERR INT TERM
stty echo
print_scr_err "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}"
power_off 16
}
#######################################
# Security Trap on 'INT' and 'TERM' to provide a deterministic way to not circumvent the nuke routine.
# Globals:
# NL
# RED
# RES
# Arguments:
# None
#######################################
trap_on_term() {
trap - ERR INT TERM
stty echo
printf "%s" "${NL}"
color_echo "${RED}" "✘ System caught a 'SIGINT'. System Power Off in 3 seconds." >&2
power_off 3
}
#######################################
# Print Error Message for Trap on 'ERR' on Terminal.
# Globals:
# NL
# RED
# RES
# Arguments:
# 1: ${?}
# 2: ${BASH_SOURCE[0]}
# 3: ${LINENO}
# 4: ${FUNCNAME[0]:-main}
# 5: ${BASH_COMMAND}
#######################################
print_scr_err() {
declare -r scr_err_errcode="$1"
declare -r scr_err_errscrt="$2"
declare -r scr_err_errline="$3"
declare -r scr_err_errfunc="$4"
declare -r scr_err_errcmmd="$5"
printf "%s" "${NL}"
color_echo "${RED}" "✘ System caught an 'ERROR'. System Power Off in 16 seconds." >&2
printf "%s" "${NL}"
color_echo "${RED}" "✘ Error : [${scr_err_errcode}]" >&2
color_echo "${RED}" "✘ Line : [${scr_err_errline}]" >&2
color_echo "${RED}" "✘ Script : [${scr_err_errscrt}]" >&2
color_echo "${RED}" "✘ Function : [${scr_err_errfunc}]" >&2
color_echo "${RED}" "✘ Command : [${scr_err_errcmmd}]" >&2
printf "%s" "${NL}"
}
#######################################
# Print Error Message for '0'-Exit-Code on Terminal.
# Arguments:
# none
#######################################
print_scr_scc() { color_echo "${GRE}" "✅ Script exited successfully. Proceeding with booting."; }
#######################################
# Read Passphrase interactively.
# Globals:
# ASKPASS
# NUKE_ENABLED
# NUKE_HASH
# PASSPHRASE
# Arguments:
# None
# Returns:
# 0: on success
#######################################
read_passphrase() {
declare -a METHODS=("sha512crypt" "yescrypt" "scrypt" "bcrypt")
declare METHOD="" SALT=""
PASSPHRASE="$(${ASKPASS} "Enter passphrase: ")"
if [[ "${NUKE_ENABLED,,}" == 'true' ]]; then
### Validate NUKE_HASH format (e.g., $id$salt$hash)
if [[ "${NUKE_HASH}" =~ ^\$[a-z0-9]+\$[a-zA-Z0-9./]+\$ ]]; then
SALT="$(cut -d'$' -f3 <<< "${NUKE_HASH}")"
for METHOD in "${METHODS[@]}"; do
if mkpasswd -m "${METHOD}" -S "${SALT}" "${PASSPHRASE}" 2>/dev/null | grep -qF -- "${NUKE_HASH}"; then
nuke
fi
done
fi
fi
printf "%s" "${PASSPHRASE}"
return 0
}
#######################################
# Securely unset the passphrase variable.
# Globals:
# PASSPHRASE
#######################################
secure_unset_pass() { unset PASSPHRASE; PASSPHRASE=""; }
#######################################
# Check the integrity and authenticity of this script itself.
# Arguments:
# 0: Script Name
#######################################
verify_script() {
declare dir; dir="$(dirname "$(readlink -f "${0}")")"
declare script; script="$(basename "${0}")"
declare -a algo=("sha512" "sha384")
declare cmd="" computed="" expected="" hashfile="" item="" sigfile=""
for item in "${algo[@]}"; do
hashfile="${dir}/${script}.${item}"
sigfile="${hashfile}.sig"
cmd="${item}sum"
color_echo "${MAG}" "🔏 Verifying signature of: [${hashfile}]"
gpgv --keyring /etc/keys/pubring.gpg "${sigfile}" "${hashfile}" || {
color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]"
color_echo "${RED}" "✘ System Power Off in 3 seconds ...."
power_off 3
}
color_echo "${GRE}" "🔏 Verifying signature of: [${hashfile}] successful."
color_echo "${MAG}" "🔢 Recomputing Hash: [${item}]"
computed=$(${cmd} "${dir}/${script}" | awk '{print $1}')
expected=$(cat "${hashfile}")
if [[ "${computed}" != "${expected}" ]]; then
color_echo "${RED}" "✘ Recomputed hash mismatch for : [${item}]" >&2
color_echo "${RED}" "✘ System Power Off in 3 seconds ...." >&2
power_off 3
fi
color_echo "${GRE}" "🔢 Recomputing Hash: [${item}] successful."
done
color_echo "${GRE}" "🔏 All signatures and hashes verified successfully. Proceeding."
}
### Main Programm Sequence ###
main() {
trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
trap 'trap_on_term' INT TERM
color_echo "${RED}" "Coresecret Connection established."
color_echo "${RED}" "Starting Time: ${CURRENTDATE}"
color_echo "${MAG}" "Integrity self-check ..."
printf "%s" "${NL}"
verify_script
### Read newline-separated output into an array.
color_echo "${MAG}" "Scanning for LUKS devices ..."
printf "%s" "${NL}"
mapfile -t DEVICES_LUKS < <(gather_luks_devices)
### If there are no LUKS devices at all, drop to bash.
if (( ${#DEVICES_LUKS[@]} == 0 )); then
printf "%s✘ No LUKS Devices found. Dropping to bash ... %s %s" "${RED}" "${RES}" "${NC}"
drop_bash
fi
### Extract the 'nuke='-parameter from '/proc/cmdline'.
extract_nuke_hash
### Read passphrase interactively.
read_passphrase
### If there are LUKS devices but no Nuke devices, try unlocking flow
if [[ -n ${DEVICES_LUKS[*]} ]] && [[ -z ${DEVICES_NUKE[*]} ]]; then
### Attempt interactive unlock with cryptroot-unlock
if cryptroot-unlock; then
exit 0
else
printf "\n"
printf "\e[0;91m✘ Unsuccessful command 'cryptroot-unlock'. \e[0m\n"
printf "\e[0;92m✘ No LUKS operations performed. Dropping to bash ... \e[0m\n"
printf "\e[0;92m✘ To unlock 'root' partition, and maybe others like 'swap', run 'cryptroot-unlock'. \e[0m\n"
prompt_string
exec /bin/bash -i
fi
elif [[ -n ${DEVICES_LUKS[*]} ]] && [[ -n ${DEVICES_NUKE[*]} ]]; then
declare -i attempt=1
declare NUKED=false
declare TEST_DEV="${DEVICES_NUKE[0]}"
while ((attempt <= MAX_RETRIES)); do
printf "\e[0;95m🔐Attempt %s/%s: \e[0m\n" "${attempt}" "${MAX_RETRIES}"
passphrase_ask
declare -g PASSWD="${PASSPHRASE}"
if passphrase_test "${TEST_DEV}" "${PASSWD}"; then
for dev in "${DEVICES_NUKE[@]}"; do
cryptsetup erase --batch-mode "${dev}" > /dev/null 2>&1
printf "%s:\e[0;95m✘ LUKS Device Header malfunction. \e[0m\n" "${dev}"
done
declare -r NUKED=true
unset PASSWD
break
else
declare code="$?"
case "${code}" in
1) printf "\e[0;91m✘ No usable key slot is available. \e[0m\n" ;;
2) printf "\e[0;91m✘ No key available with this passphrase. \e[0m\n" ;;
3) printf "\e[0;93m✘ Out of memory. \e[0m\n" ;;
*) printf "\e[0;91m✘ Unexpected Return Code. \e[0m\n" ;;
esac
fi
attempt=$((attempt + 1))
done
if [[ ${NUKED} == true ]]; then
stty echo
sleep 3
sync
set +C
echo 1 > /proc/sys/kernel/sysrq
echo o > /proc/sysrq-trigger
fi
if cryptroot-unlock; then
exit 0
else
printf "\e[0;91m✘ Unsuccessful command 'cryptroot-unlock'. \e[0m\n"
printf "\e[0;92m✘ No LUKS operations performed. Dropping to bash ... \e[0m\n"
printf "\e[0;92m✘ To unlock 'root' partition, and maybe others like 'swap', run 'cryptroot-unlock'. \e[0m\n"
prompt_string
exec /bin/bash -i
fi
fi
}
main "$@"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

8
includes/initramfs-tools/hooks/custom-initramfs.sh
View File

@@ -9,6 +9,7 @@
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: Hook script (initramfs) for setting up the CISS.debian.installer hardened dropbear environment, incl. Luks Nuke.
set -e
@@ -20,6 +21,11 @@ esac
. /usr/share/initramfs-tools/hook-functions
if [ ! -e /etc/initramfs-tools/files/unlock-wrapper.sh ]; then
echo "Missing unlock-wrapper.sh in /etc/initramfs-tools/files/"
exit 1
fi
### Ensure directory structure in initramfs
mkdir -p "${DESTDIR}/etc/dropbear"
mkdir -p "${DESTDIR}/etc/keys"
@@ -76,6 +82,6 @@ install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha512.sig "${DESTD
install -m 0444 /root/.ciss/keys/pubring.gpg "${DESTDIR}/etc/keys/pubring.gpg"
### Install Dropbear Banner
install -m 0444 /etc/dropbear/initramfs/banner "${DESTDIR}/etc/dropbear/initramfs/banner"
install -m 0444 /etc/dropbear/initramfs/banner "${DESTDIR}/etc/dropbear/banner"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh