#!/bin/bash # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.installer # SPDX-Security-Contact: security@coresecret.eu # SPDX-Comment: unlock_wrapper_advanced.sh to be executed as '/etc/crypttab' keyscript and as dropbear SSH forced command. set -Ceuo pipefail ####################################### # Variable declaration ####################################### declare -ir MAX_RETRIES=2 declare -r ASKPASS='/lib/cryptsetup/askpass' # shellcheck disable=SC2155 declare -r CURRENTDATE=$(date +"%F %T") # shellcheck disable=SC2155 declare -r IFS=$(printf ' \n\t') declare -r GRE='\e[0;92m' declare -r MAG='\e[0;95m' declare -r RED='\e[0;91m' declare -r RES='\e[0m' declare -r NL='\n' declare -g NUKE_ENABLED='false' declare -g NUKE_HASH='' declare -g PASSPHRASE='' ####################################### # Print-colored text. # Arguments: # $1 - color code # $@ - text to print ####################################### color_echo() { declare c="$1"; shift; printf "%s%s %s%s" "${c}" "${*}" "${RES}" "${NL}"; } ####################################### # Die helper: print and exit hard. # Globals: # NC # RED # Arguments: # 1: Message string to print. ####################################### die() { printf "%s✘ %s%s\n" "${RED}" "$1" "${RES}" >&2; power_off 3; } ####################################### # Drop to bash environment. # Arguments: # None ####################################### drop_bash() { prompt_string; exec /bin/bash -i; } ####################################### # Extract the 'nuke='-parameter from '/proc/cmdline'. # Globals: # NL # NUKE_ENABLED # NUKE_HASH # RED # RES # Arguments: # None # Returns: # 0: if 'nuke=' was found and extracted. # 1: if not found. ####################################### extract_nuke_hash() { declare ARG="" CMDLINE="" REGEX='(\$[^$]+){3,}' ### Read '/proc/cmdline' into a single line safely. read -r CMDLINE < /proc/cmdline for ARG in ${CMDLINE}; do case "${ARG}" in nuke=*) NUKE_HASH="${ARG#nuke=}" if echo "${NUKE_HASH}" | grep -qE "${REGEX}"; then NUKE_ENABLED="true" return 0 else ### If there is a malformed Grub Bootparameter 'nuke=HASH', drop to bash. color_echo "${RED}" "✘ Nuke Hash Malformat : [${REGEX}] [${NUKE_HASH}]." >&2 color_echo "${RED}" "✘ Dropping to bash ...:" >&2 drop_bash fi ;; esac done ### No 'nuke=HASH' entry found. return 1 } ####################################### # Gather information of all LUKS Devices available on the system. # Arguments: # None ####################################### gather_luks_devices() { declare prev=() curr=() declare -i tries=0 while ((tries < 10)); do mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | sort) if cmp <(printf '%s\n' "${curr[@]}") <(printf '%s\n' "${prev[@]}") >/dev/null; then break fi prev=("${curr[@]}") tries=$((tries + 1)) sleep 1 done printf '%s\n' "${curr[@]}" } ####################################### # Erase LUKS headers on all LUKS devices and shutdown system. # Globals: # NUKE_DEVICES ####################################### nuke() { declare dev="" for dev in "${DEVICES_LUKS[@]}"; do cryptsetup erase --batch-mode "${dev}" || true color_echo "${RED}" "✘ Error: LUKS Device Header malfunction: [${dev}]." done secure_unset_pass color_echo "${RED}" "✘ Error: LUKS Device malfunction. System Power Off in 16 seconds." power_off 16 } ####################################### # Unified power-off routine. # Arguments: # 1: Sleep time before power-off in seconds (Default to 0 seconds). ####################################### power_off() { declare -r wait="${1:-0}" sleep "${wait}" sync echo 1 >| /proc/sys/kernel/sysrq echo o >| /proc/sysrq-trigger # The System powers off immediately; no further code is executed. } ####################################### # Generates informative shell prompt. # Globals: # PS1 # Arguments: # None ####################################### prompt_string() { declare -gx PS1="\ \[\033[1;91m\]\d\[\033[0m\]|\[\033[1;91m\]\u\[\033[0m\]@\ \[\033[1;95m\]\h\[\033[0m\]:\ \[\033[1;96m\]\w\[\033[0m\]/>>\ \$(if [[ \$? -eq 0 ]]; then \ # Show exit status in green if zero echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \ else \ # Show exit status in red otherwise echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \ fi)\ |~\$ " } ####################################### # Trap function to be called on 'ERR'. # Arguments: # 1: ${?} # 2: ${BASH_SOURCE[0]} # 3: ${LINENO} # 4: ${FUNCNAME[0]:-main} # 5: ${BASH_COMMAND} ####################################### trap_on_err() { declare -r errcode="$1" declare -r errscrt="$2" declare -r errline="$3" declare -r errfunc="$4" declare -r errcmmd="$5" trap - ERR INT TERM stty echo print_scr_err "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}" power_off 16 } ####################################### # Security Trap on 'INT' and 'TERM' to provide a deterministic way to not circumvent the nuke routine. # Globals: # NL # RED # RES # Arguments: # None ####################################### trap_on_term() { trap - ERR INT TERM stty echo printf "%s" "${NL}" color_echo "${RED}" "✘ System caught a 'SIGINT'. System Power Off in 3 seconds." >&2 power_off 3 } ####################################### # Print Error Message for Trap on 'ERR' on Terminal. # Globals: # NL # RED # RES # Arguments: # 1: ${?} # 2: ${BASH_SOURCE[0]} # 3: ${LINENO} # 4: ${FUNCNAME[0]:-main} # 5: ${BASH_COMMAND} ####################################### print_scr_err() { declare -r scr_err_errcode="$1" declare -r scr_err_errscrt="$2" declare -r scr_err_errline="$3" declare -r scr_err_errfunc="$4" declare -r scr_err_errcmmd="$5" printf "%s" "${NL}" color_echo "${RED}" "✘ System caught an 'ERROR'. System Power Off in 16 seconds." >&2 printf "%s" "${NL}" color_echo "${RED}" "✘ Error : [${scr_err_errcode}]" >&2 color_echo "${RED}" "✘ Line : [${scr_err_errline}]" >&2 color_echo "${RED}" "✘ Script : [${scr_err_errscrt}]" >&2 color_echo "${RED}" "✘ Function : [${scr_err_errfunc}]" >&2 color_echo "${RED}" "✘ Command : [${scr_err_errcmmd}]" >&2 printf "%s" "${NL}" } ####################################### # Print Error Message for '0'-Exit-Code on Terminal. # Arguments: # none ####################################### print_scr_scc() { color_echo "${GRE}" "✅ Script exited successfully. Proceeding with booting."; } ####################################### # Read Passphrase interactively. # Globals: # ASKPASS # NUKE_ENABLED # NUKE_HASH # PASSPHRASE # Arguments: # None # Returns: # 0: on success ####################################### read_passphrase() { declare -a METHODS=("sha512crypt" "yescrypt" "scrypt" "bcrypt") declare METHOD="" SALT="" PASSPHRASE="$(${ASKPASS} "Enter passphrase: ")" if [[ "${NUKE_ENABLED,,}" == 'true' ]]; then ### Validate NUKE_HASH format (e.g., $id$salt$hash) if [[ "${NUKE_HASH}" =~ ^\$[a-z0-9]+\$[a-zA-Z0-9./]+\$ ]]; then SALT="$(cut -d'$' -f3 <<< "${NUKE_HASH}")" for METHOD in "${METHODS[@]}"; do if mkpasswd -m "${METHOD}" -S "${SALT}" "${PASSPHRASE}" 2>/dev/null | grep -qF -- "${NUKE_HASH}"; then nuke fi done fi fi printf "%s" "${PASSPHRASE}" return 0 } ####################################### # Securely unset the passphrase variable. # Globals: # PASSPHRASE ####################################### secure_unset_pass() { unset PASSPHRASE; PASSPHRASE=""; } ####################################### # Check the integrity and authenticity of this script itself. # Arguments: # 0: Script Name ####################################### verify_script() { declare dir; dir="$(dirname "$(readlink -f "${0}")")" declare script; script="$(basename "${0}")" declare -a algo=("sha512" "sha384") declare cmd="" computed="" expected="" hashfile="" item="" sigfile="" for item in "${algo[@]}"; do hashfile="${dir}/${script}.${item}" sigfile="${hashfile}.sig" cmd="${item}sum" color_echo "${MAG}" "🔏 Verifying signature of: [${hashfile}]" gpgv --keyring /etc/keys/pubring.gpg "${sigfile}" "${hashfile}" || { color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]" color_echo "${RED}" "✘ System Power Off in 3 seconds ...." power_off 3 } color_echo "${GRE}" "🔏 Verifying signature of: [${hashfile}] successful." color_echo "${MAG}" "🔢 Recomputing Hash: [${item}]" computed=$(${cmd} "${dir}/${script}" | awk '{print $1}') expected=$(cat "${hashfile}") if [[ "${computed}" != "${expected}" ]]; then color_echo "${RED}" "✘ Recomputed hash mismatch for : [${item}]" >&2 color_echo "${RED}" "✘ System Power Off in 3 seconds ...." >&2 power_off 3 fi color_echo "${GRE}" "🔢 Recomputing Hash: [${item}] successful." done color_echo "${GRE}" "🔏 All signatures and hashes verified successfully. Proceeding." } ### Main Programm Sequence ### main() { trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR trap 'trap_on_term' INT TERM color_echo "${RED}" "Coresecret Connection established." color_echo "${RED}" "Starting Time: ${CURRENTDATE}" color_echo "${MAG}" "Integrity self-check ..." printf "%s" "${NL}" verify_script ### Read newline-separated output into an array. color_echo "${MAG}" "Scanning for LUKS devices ..." printf "%s" "${NL}" mapfile -t DEVICES_LUKS < <(gather_luks_devices) ### If there are no LUKS devices at all, drop to bash. if (( ${#DEVICES_LUKS[@]} == 0 )); then printf "%s✘ No LUKS Devices found. Dropping to bash ... %s %s" "${RED}" "${RES}" "${NC}" drop_bash fi ### Extract the 'nuke='-parameter from '/proc/cmdline'. extract_nuke_hash ### Read passphrase interactively. read_passphrase ### If there are LUKS devices but no Nuke devices, try unlocking flow if [[ -n ${DEVICES_LUKS[*]} ]] && [[ -z ${DEVICES_NUKE[*]} ]]; then ### Attempt interactive unlock with cryptroot-unlock if cryptroot-unlock; then exit 0 else printf "\n" printf "\e[0;91m✘ Unsuccessful command 'cryptroot-unlock'. \e[0m\n" printf "\e[0;92m✘ No LUKS operations performed. Dropping to bash ... \e[0m\n" printf "\e[0;92m✘ To unlock 'root' partition, and maybe others like 'swap', run 'cryptroot-unlock'. \e[0m\n" prompt_string exec /bin/bash -i fi elif [[ -n ${DEVICES_LUKS[*]} ]] && [[ -n ${DEVICES_NUKE[*]} ]]; then declare -i attempt=1 declare NUKED=false declare TEST_DEV="${DEVICES_NUKE[0]}" while ((attempt <= MAX_RETRIES)); do printf "\e[0;95m🔐Attempt %s/%s: \e[0m\n" "${attempt}" "${MAX_RETRIES}" passphrase_ask declare -g PASSWD="${PASSPHRASE}" if passphrase_test "${TEST_DEV}" "${PASSWD}"; then for dev in "${DEVICES_NUKE[@]}"; do cryptsetup erase --batch-mode "${dev}" > /dev/null 2>&1 printf "%s:\e[0;95m✘ LUKS Device Header malfunction. \e[0m\n" "${dev}" done declare -r NUKED=true unset PASSWD break else declare code="$?" case "${code}" in 1) printf "\e[0;91m✘ No usable key slot is available. \e[0m\n" ;; 2) printf "\e[0;91m✘ No key available with this passphrase. \e[0m\n" ;; 3) printf "\e[0;93m✘ Out of memory. \e[0m\n" ;; *) printf "\e[0;91m✘ Unexpected Return Code. \e[0m\n" ;; esac fi attempt=$((attempt + 1)) done if [[ ${NUKED} == true ]]; then stty echo sleep 3 sync set +C echo 1 > /proc/sys/kernel/sysrq echo o > /proc/sysrq-trigger fi if cryptroot-unlock; then exit 0 else printf "\e[0;91m✘ Unsuccessful command 'cryptroot-unlock'. \e[0m\n" printf "\e[0;92m✘ No LUKS operations performed. Dropping to bash ... \e[0m\n" printf "\e[0;92m✘ To unlock 'root' partition, and maybe others like 'swap', run 'cryptroot-unlock'. \e[0m\n" prompt_string exec /bin/bash -i fi fi } main "$@" # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh