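#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu

guard_sourcing

#######################################
# '/etc/crypttab' entry writer and logger.
# Appends one "<label> <device> <keyfile> <options>" line to the target's
# crypttab and logs the entry. TARGET must be set and non-empty: with an
# empty TARGET the path would resolve to the host's own '/etc/crypttab'.
# Globals:
#   TARGET (read; the shell aborts when it is unset or empty)
# Arguments:
#   1: Encryption Label
#   2: LUKS Container UUID (any crypttab device spec, e.g. 'UUID=...' or 'LABEL=...')
#   3: Keyfile or none
#   4: LUKS Options
# Returns:
#   0: Successfully executed commands.
#######################################
write_crypttab() {
  local _label="$1" _device="$2" _key_file="$3" _opts="$4"
  # Fail closed instead of touching the running system's crypttab.
  local _crypttab="${TARGET:?TARGET must be set before writing crypttab}/etc/crypttab"

  printf "%s %s %s %s\n" "${_label}" "${_device}" "${_key_file}" "${_opts}" >> "${_crypttab}"
  do_log "info" "true" "crypttab entry generated: '${_label} ${_device} ${_key_file} ${_opts}'."
  return 0
}

#######################################
# Generate target '/etc/crypttab' entries.
# Truncates the target crypttab, writes the explanatory header, then one
# entry per LUKS container (keyed by HMP_PATH_LUKSUUID) and one per
# ephemeral volume (keyed by HMP_EPHEMERAL_ENCLABEL, 'SWAP' or '/tmp').
# Ephemeral volumes use '/dev/random' as the key source, i.e. they get a
# fresh key on every activation and their contents are not meant to
# survive a reboot. Unknown ephemeral keys are logged and skipped; the
# function still returns 0 in that case.
# Globals:
#   HMP_EPHEMERAL_ENCLABEL (read; associative array)
#   HMP_EPHEMERAL_FS_LABEL (read; associative array)
#   HMP_PATH_ENCLABEL (read; associative array)
#   HMP_PATH_LUKSUUID (read; associative array)
#   TARGET (read; the shell aborts when it is unset or empty)
#   user_dropbear_boot (read; case-insensitive "true" adds 'initramfs')
# Arguments:
#   None
# Returns:
#   0: Successfully executed commands.
#######################################
generate_crypttab() {
  local var_key var_encryption_label var_luks_uuid
  local var_ephemeral_enclabel var_ephemeral_fs_label
  # Fail closed: with TARGET unset or empty the truncation below would hit
  # the host's own '/etc/crypttab' instead of the installation target's.
  local var_crypttab="${TARGET:?TARGET must be set before generating crypttab}/etc/crypttab"

  ### Generate '${TARGET}/etc/crypttab' header.
  # '>|' truncates even when 'noclobber' is in effect; crypttab holds no
  # secrets (keyfiles are referenced, not embedded), so 0644 is intended.
  : >| "${var_crypttab}"
  chmod 0644 "${var_crypttab}"
  cat << 'EOF' >> "${var_crypttab}"
# /etc/crypttab: static file system information.
#
# Basic rule: 'discard' / 'nodiscard' are normally only set in '/etc/crypttab' when LUKS/dm-crypt is in use.
# Options like 'discard=async' or similar are typically only set in '/etc/fstab' (at the file system level).
# The crypttab determines whether the underlying encrypted device (LUKS/dm-crypt) passes TRIM commands to the
# physical drive or not. The fstab determines whether and how the file system itself generates the discard
# operations and sends them down through the LUKS layer.
#
# RECOMMENDED: 'discard' enables the TRIM commands to be forwarded by the dm-crypt layer to the SSD/physical
# device. If you do not specify discard in the crypttab, dm-crypt blocks TRIM by default. This would render a
# discard in the fstab ineffective.
#
#
EOF

  ### Generate '${TARGET}/etc/crypttab' entries.
  for var_key in "${!HMP_PATH_LUKSUUID[@]}"; do
    var_encryption_label="${HMP_PATH_ENCLABEL["${var_key}"]}"
    var_luks_uuid="${HMP_PATH_LUKSUUID["${var_key}"]}"
    # Remote unlocking needs the mapping to be set up from the initramfs.
    if [[ "${user_dropbear_boot,,}" == "true" ]]; then
      write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs"
    else
      write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard"
    fi
  done

  ### Generate '${TARGET}/etc/crypttab' ephemeral entries.
  for var_key in "${!HMP_EPHEMERAL_ENCLABEL[@]}"; do
    var_ephemeral_enclabel="${HMP_EPHEMERAL_ENCLABEL["${var_key}"]}"
    var_ephemeral_fs_label="${HMP_EPHEMERAL_FS_LABEL["${var_key}"]}"
    case "${var_key}" in
      SWAP)
        write_crypttab "${var_ephemeral_enclabel}" "LABEL=${var_ephemeral_fs_label}" "/dev/random" \
          "swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096"
        ;;
      /tmp)
        # 'tmp=ext4' lets the activation create a fresh file system on the mapped device.
        write_crypttab "${var_ephemeral_enclabel}" "LABEL=${var_ephemeral_fs_label}" "/dev/random" \
          "offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,tmp=ext4"
        ;;
      *)
        do_log "error" "false" "Only 'SWAP' and '/tmp' are valid Partitions for Ephemeral Encryption. Given value was: '${var_key}'."
        ;;
    esac
  done
  return 0
}

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh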