V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-09-03 11:53:29 +02:00
parent 5b978207a1
commit e74d6a5b69
5 changed files with 46 additions and 32 deletions
--- a/func/cdi_4200_boot/4200_generate_fstab.sh
+++ b/func/cdi_4200_boot/4200_generate_fstab.sh
@@ -44,7 +44,7 @@ write_fstab() {
 }

 #######################################
-# Generate target '/etc/fstab' entries.
+# Generate the '/etc/fstab' target entries.
 # Globals:
 #   ARY_PATHS_SORTED
 #   HMP_EPHEMERAL_ENCLABEL
@@ -52,7 +52,6 @@ write_fstab() {
 #   HMP_FSTAB_MOUNT_OPTS
 #   HMP_PATH_FSUUID
 #   TARGET
-#   VAR_VERSION
 # Arguments:
 #   None
 # Returns:
--- a/func/cdi_4200_boot/4210_generate_crypttab.sh
+++ b/func/cdi_4200_boot/4210_generate_crypttab.sh
@@ -34,7 +34,7 @@ write_crypttab() {
 }

 #######################################
-# Generate target '/etc/crypttab' entries.
+# Generate the '/etc/crypttab' target entries.
 # Globals:
 #   HMP_EPHEMERAL_ENCLABEL
 #   HMP_PATH_ENCLABEL
@@ -42,8 +42,6 @@ write_crypttab() {
 #   HMP_PATH_LUKSUUID
 #   TARGET
 #   VAR_DROPBEAR
-#   VAR_NUKE
-#   VAR_VERSION
 # Arguments:
 #  None
 # Returns:
@@ -88,16 +86,6 @@ EOF
      case  "${var_key,,}" in

        "/")
-          mkdir -p "${TARGET}/etc/initramfs-tools/files"
-          mkdir -p "${TARGET}/usr/lib/cryptsetup/scripts"
-
-          ### Install the script to be called inside initramfs environment for unlocking LUKS and NUKE Devices.
-          #install -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/files/unlock_wrapper.sh" \
-          #  "${TARGET}/etc/initramfs-tools/files/"
-          #install -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/files/unlock_wrapper.sh" \
-          #  "${TARGET}/lib/cryptsetup/scripts/"
-
-          #write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs,keyscript=/lib/cryptsetup/scripts/unlock_wrapper.sh"
          write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs,keyscript=decrypt_keyctl,tries=1"
          ;;

--- a/func/cdi_4200_boot/4250_update_grub_bootparameter.sh
+++ b/func/cdi_4200_boot/4250_update_grub_bootparameter.sh
@@ -16,14 +16,17 @@
 guard_sourcing

 #######################################
-# Hardening Grub boot parameter.
+# Hardening: update the Grub boot parameter and the Dropbear and Nuke parameters if opted in.
 # Globals:
 #   ARY_BOOTPARAM
+#   HMP_PATH_ENCLABEL
 #   TARGET
-#   VAR_GRUB_CMDLINE_LINUX
-#   VAR_GRUB_CMDLINE_LINUX_DEFAULT
+#   VAR_CRYPT_ROOT
+#   VAR_DROPBEAR
 #   VAR_NUKE
 #   VAR_NUKE_HASH
+#   VV_GRUB_CMDLINE_LINUX
+#   VV_GRUB_CMDLINE_LINUX_DEFAULT
 # Arguments:
 #   None
 # Returns:
--- a/func/cdi_4300_network/4320_update_initramfs.sh
+++ b/func/cdi_4300_network/4320_update_initramfs.sh
@@ -13,7 +13,7 @@
 guard_sourcing

 #######################################
-# Finally, deploy all changes done via 'update-grub' and 'update-initramfs'.
+# Deploy all changes made using the 'update-grub' and 'update-initramfs' commands.
 # Globals:
 #   TARGET
 # Arguments:
--- a/includes/target/etc/initramfs-tools/files/unlock_wrapper.sh
+++ b/includes/target/etc/initramfs-tools/files/unlock_wrapper.sh
@@ -16,7 +16,7 @@
 #######################################
 # Variable declaration
 #######################################
-declare -r ASKPASS='/lib/cryptsetup/askpass'
+#declare -r ASKPASS='/lib/cryptsetup/askpass'
 # shellcheck disable=SC2016
 declare -r REGEX='^\$6\$(rounds=([1-9][0-9]{3,8})\$)?([./A-Za-z0-9]{1,16})\$([./A-Za-z0-9]{86})$'
 # shellcheck disable=SC2155
@@ -30,6 +30,22 @@ declare -g NUKE_ENABLED='false'
 declare -g NUKE_HASH=''
 declare -g PASSPHRASE=''

+#######################################
+# Read passphrase strictly from STDIN (SSH channel), not '/dev/console'.
+# Arguments:
+#   1: Prompt to print on terminal
+#   2: Variable name to capture passphrase
+#######################################
+ask_via_stdin() {
+  declare -r  prompt="$1"
+  declare -r  varname="$2"
+  ### Prompt to STDERR so pipes don't capture it.
+  printf "%s" "${prompt}" >&2
+  ### Silent, canonical read from FD 0 (SSH channel when forced-command).
+  IFS= read -r -s "${varname?}" <&0
+  printf "\n" >&2
+}
+
 #######################################
 # Print-colored text.
 # Arguments:
@@ -78,7 +94,7 @@ extract_nuke_hash() {
    case "${ARG,,}" in

      nuke=*)
-        NUKE_HASH="${ARG#nuke=}"
+        NUKE_HASH="${ARG#*=}"
        if [[ "${NUKE_HASH}" =~ ${REGEX} ]]; then

          NUKE_ENABLED="true"
@@ -246,25 +262,33 @@ fi)\
 #   0: on success
 #######################################
 read_passphrase() {
-  declare -a  METHODS=( "sha512crypt" )
-  declare     METHOD="" SALT=""
+  declare -i  ROUNDS=0
+  declare     CAND="" SALT=""

-  PASSPHRASE="$(${ASKPASS} "Enter passphrase: ")"
+  ### Read from SSH STDIN (or TTY fallback), never via '/lib/cryptsetup/askpass'.
+  ask_via_stdin "Enter passphrase: " PASSPHRASE

-  if [[ "${NUKE_ENABLED,,}" == 'true' ]]; then
+  ### NUKE pre-check
+  if [[ "${NUKE_ENABLED,,}" == "true" ]]; then

-    SALT="$(cut -d'$' -f3 <<< "${NUKE_HASH}")"
+    ROUNDS="$(cut -d'$' -f3 <<< "${NUKE_HASH}")"
+    ROUNDS="${ROUNDS#rounds=}"
+    SALT="$(cut -d'$' -f4 <<< "${NUKE_HASH}")"

-    for METHOD in "${METHODS[@]}"; do
+    CAND="$(mkpasswd --method=sha-512 --salt="${SALT}" --rounds="${ROUNDS}" "${PASSPHRASE}" 2>/dev/null)"

-      # shellcheck disable=SC2312
-      if mkpasswd -m "${METHOD}" -S "${SALT}" "${PASSPHRASE}" 2>/dev/null | grep -qF -- "${NUKE_HASH}"; then
+    # TODO: DEBUGGER
+    echo "${ROUNDS}"
+    echo "${SALT}"
+    echo "${CAND}"

-        nuke
+    if [[ "${CAND}" == "${NUKE_HASH}" ]]; then

-      fi
+      echo "${CAND}" "==" "${NUKE_HASH}"

-    done
+      nuke
+
+    fi

  fi