#!/bin/bash # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.installer # SPDX-Security-Contact: security@coresecret.eu guard_sourcing || return "${ERR_GUARD_SOURCE}" ####################################### # Generates 'nuke=HASH' Bootparameter. # Globals: # DIR_CNF # VAR_NUKE_HASH # Arguments: # None # Returns: # 0: on success # ERR_GENERATE_SALT # ERR_READ_NUKE_FILE ####################################### nuke_passphrase() { declare -r var_nuke_pwd_file="${DIR_CNF}/password_luks_nuke.txt" declare var_temp_nuke_hash="" var_temp_plain_nuke_pwd="" var_salt="" var_nuke_rounds="" # shellcheck disable=SC2312 var_nuke_rounds="$( yq -r ' .recipe | to_entries[] # iterate recipe items | .value # the map under each item | select(has("control") and (.control | has("nuke_rounds"))) | .control.nuke_rounds | tostring ' "${DIR_CNF}/partitioning.yaml" | head -n1 )" [[ ! -f "${var_nuke_pwd_file}" ]] && return 0 guard_trace on if ! read_password_file "${var_nuke_pwd_file}" var_temp_plain_nuke_pwd; then return "${ERR_READ_NUKE_FILE}" fi guard_trace off if ! var_salt="$(generate_salt)"; then return "${ERR_GENERATE_SALT}" fi guard_trace on var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds="${var_nuke_rounds:-8388608}" "${var_temp_plain_nuke_pwd}") guard_trace off declare -grx VAR_NUKE_HASH="${var_temp_nuke_hash}" unset var_temp_nuke_hash var_temp_plain_nuke_pwd do_log "debug" "file_only" "0105() NUKE hash starts with: [${VAR_NUKE_HASH:0:32}...]" guard_dir; return 0 } # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh