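#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu

guard_sourcing

#######################################
# '/etc/crypttab' entry writer and logger.
# Appends one whitespace-delimited crypttab(5) line to '${TARGET}/etc/crypttab'
# and records the entry in the log.
# Globals:
#   TARGET   Root of the installation target. Must be non-empty: with an empty
#            TARGET the entry would be appended to the *host's* /etc/crypttab.
# Arguments:
#   1: Encryption Label  (mapped device name, first crypttab column)
#   2: LUKS Container UUID (source device, e.g. 'UUID=...' or 'PARTUUID=...')
#   3: Keyfile or none   (third column; also the decrypt_keyctl cache id)
#   4: LUKS Options      (comma separated crypttab options, may be empty)
# Returns:
#   0: on success
#   1: if TARGET is empty, if label/device/keyfile is empty, or if any field
#      contains whitespace. crypttab columns are whitespace separated, so such
#      a field would be split into extra columns (or a second entry) and the
#      resulting entry would be silently mis-parsed at boot.
#######################################
write_crypttab() {
  declare write_label="$1" write_dev="$2" write_key_file="$3" write_opts="$4" write_field=""

  ### Never fall through to the host's own '/etc/crypttab'.
  if [[ -z "${TARGET:-}" ]]; then
    do_log "error" "file_only" "4210() crypttab entry rejected: TARGET is not set."
    return 1
  fi

  ### Label, device and keyfile are mandatory columns; an empty keyfile would shift
  ### the options into the keyfile column.
  if [[ -z "${write_label}" || -z "${write_dev}" || -z "${write_key_file}" ]]; then
    do_log "error" "file_only" "4210() crypttab entry rejected: empty mandatory field [${write_label} ${write_dev} ${write_key_file}]."
    return 1
  fi

  ### Reject blanks, tabs and newlines in any column (crypttab(5) is whitespace separated).
  for write_field in "${write_label}" "${write_dev}" "${write_key_file}" "${write_opts}"; do
    if [[ "${write_field}" == *[[:space:]]* ]]; then
      do_log "error" "file_only" "4210() crypttab entry rejected: field contains whitespace [${write_field}]."
      return 1
    fi
  done

  printf "%-43s%-46s%-40s%s \n" "${write_label}" "${write_dev}" "${write_key_file}" "${write_opts}" >> "${TARGET}/etc/crypttab"
  do_log "info" "file_only" "4210() crypttab entry generated: [${write_label} ${write_dev} ${write_key_file} ${write_opts}]."
  return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f write_crypttab

#######################################
# Generate the '/etc/crypttab' target entries.
# Writes the commented file header, one entry per LUKS container (the
# '/recovery' container is deliberately left out), one randomly keyed plain
# dm-crypt entry per ephemeral device ('swap', '/tmp'), and a tmpfiles.d rule
# that keeps the '/tmp' mount point world-writable with the sticky bit.
# Globals:
#   HMP_EPHEMERAL_ENCLABEL  ephemeral key ('swap' | '/tmp') -> mapped device name
#   HMP_PATH_ENCLABEL       mount path -> mapped device name
#   HMP_PATH_LUKSUUID       mount path -> LUKS container UUID
#   HMP_PATH_PARTUUID       ephemeral key -> PARTUUID of the host dummy partition
#   TARGET                  root of the installation target
#   VAR_DROPBEAR            'true' when volumes are unlocked from the initramfs
# Arguments:
#   None
# Returns:
#   0: on success
#   otherwise the status of guard_dir
#######################################
generate_crypttab() {
  ### Declare Arrays, HashMaps, and Variables.
  declare var_key="" var_encryption_label="" var_luks_uuid="" var_key_id="" var_ephemeral_enclabel="" \
    var_host_partuuid=""

  ensure_lowercase "VAR_DROPBEAR"

  ### Generate '${TARGET}/etc/crypttab' header.
  ### NOTE(review): forwarding TRIM through dm-crypt ('discard') discloses which
  ### blocks of the ciphertext device are unused, which leaks free-space layout and
  ### can hint at the filesystem type to anyone holding the raw disk. That is the
  ### documented cryptsetup trade-off accepted here in exchange for SSD longevity.
  insert_header "${TARGET}/etc/crypttab"
  insert_comments "${TARGET}/etc/crypttab"
  # Quoted delimiter: the text is pure commentary and must never be expanded.
  cat << 'EOF' >> "${TARGET}/etc/crypttab"
# Basic rule: 'discard' / 'nodiscard' are normally only set in '/etc/crypttab' when LUKS/dm-crypt is in use. Options like
# 'discard=async' or similar are typically only set in '/etc/fstab' (at the file system level). The crypttab determines whether
# the underlying encrypted device (LUKS/dm-crypt) passes TRIM commands to the physical drive or not. The '/etc/fstab' determines
# whether and how the file system itself generates the discard operations and sends them down through the LUKS layer.
#
# For non-ephemeral devices the respective UUID of the LUKS-device is used.
# For the ephemeral devices the respective PART UUID of the host dummy partition is used.
#
# RECOMMENDED: 'discard' enables the TRIM commands to be forwarded by the dm-crypt layer to the SSD/physical device. If ones do
# not specify discard in the '/etc/crypttab', dm-crypt blocks TRIM by default. This would render a discard in the '/etc/fstab'
# ineffective.
#
#
EOF

  ### Generate '${TARGET}/etc/crypttab' entries.
  for var_key in "${!HMP_PATH_LUKSUUID[@]}"; do
    [[ "${var_key}" == "/recovery" ]] && continue
    var_encryption_label="${HMP_PATH_ENCLABEL["${var_key}"]}"
    var_luks_uuid="${HMP_PATH_LUKSUUID["${var_key}"]}"

    if [[ "${VAR_DROPBEAR}" == "true" ]]; then
      ### Initramfs unlock: every volume is unlocked via decrypt_keyctl, which caches the
      ### entered passphrase under the key id given in the third column, so all volumes
      ### sharing 'pw_main' are opened with one prompt. '/boot' is keyed separately as
      ### 'pw_boot'.
      case "${var_key,,}" in
        "/boot") var_key_id="pw_boot" ;;
        *)       var_key_id="pw_main" ;;
      esac
      write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "${var_key_id}" \
        "check,discard,initramfs,keyscript=decrypt_keyctl,luks,same-cpu-crypt,tries=1"
    else
      ### No remote unlock: interactive passphrase prompt, no keyscript.
      write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "check,discard,luks,same-cpu-crypt"
    fi
  done

  ### Generate '${TARGET}/etc/crypttab' ephemeral entries.
  ### These are plain dm-crypt mappings keyed from '/dev/random' on every boot; the
  ### host partition is addressed by PARTUUID because the mapped content (and any
  ### filesystem on it) is recreated at each boot.
  for var_key in "${!HMP_EPHEMERAL_ENCLABEL[@]}"; do
    var_ephemeral_enclabel="${HMP_EPHEMERAL_ENCLABEL["${var_key}"]}"
    var_host_partuuid="${HMP_PATH_PARTUUID["${var_key}"]}"

    case "${var_key,,}" in
      swap)
        write_crypttab "${var_ephemeral_enclabel}" "PARTUUID=${var_host_partuuid}" "/dev/random" \
          "cipher=aes-xts-plain64,size=512,discard,loud,swap"
        ;;
      /tmp)
        write_crypttab "${var_ephemeral_enclabel}" "PARTUUID=${var_host_partuuid}" "/dev/random" \
          "cipher=aes-xts-plain64,size=512,discard,loud,tmp=ext4"
        ### The freshly created filesystem is mounted on '/tmp' every boot; this rule
        ### restores the 1777 (sticky, world-writable) mode on the mount point.
        mkdir -p "${TARGET}/etc/tmpfiles.d"
        insert_header "${TARGET}/etc/tmpfiles.d/10-tmp.conf"
        insert_comments "${TARGET}/etc/tmpfiles.d/10-tmp.conf"
        cat << 'EOF' >> "${TARGET}/etc/tmpfiles.d/10-tmp.conf"
d /tmp 1777 root root -
EOF
        ;;
      *)
        do_log "error" "file_only" "4060() Only 'SWAP' and '/tmp' are valid Partitions for Ephemeral Encryption. Given value was: '${var_key}'."
        continue
        ;;
    esac
  done

  cat << 'EOF' >> "${TARGET}/etc/crypttab"

# vim: number et ts=2 sw=2 sts=2 ai tw=200 ft=sh
EOF

  guard_dir && return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f generate_crypttab

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh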