#!/bin/bash # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.installer # SPDX-Security-Contact: security@coresecret.eu guard_sourcing ####################################### # Install the 'dropbear-initramfs' and replace the binaries with those from the previous Ultra Hardened build. # Globals: # DIR_TMP # TARGET # Arguments: # None # Returns: # 0: on success ####################################### dropbear_initramfs() { ### Declare Arrays, HashMaps, and Variables. declare var_file="" declare -r var_logfile="/root/.ciss/cdi/log/4311_dropbear_initramfs.log" chroot_logger "${TARGET}${var_logfile}" chroot_script "${TARGET}" ' export INITRD=No apt-get install -y --no-install-recommends --no-install-suggests dropbear-initramfs dropbear-bin 2>&1 | tee -a '"${var_logfile}"' echo ExitCode: $? >> '"${var_logfile}"' ' chroot_script "${TARGET}" ' export INITRD=No apt-get purge -y dropbear dropbear-run || true echo ExitCode: $? >> '"${var_logfile}"' ' chroot_script "${TARGET}" ' export INITRD=No apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a '"${var_logfile}"' echo ExitCode: $? >> '"${var_logfile}"' ' chroot_script "${TARGET}" ' export INITRD=No apt-mark hold dropbear dropbear-initramfs 2>&1 | tee -a '"${var_logfile}"' echo ExitCode: $? >> '"${var_logfile}"' ' mv "${TARGET}/usr/sbin/dropbear" "${TARGET}/usr/sbin/dropbear.trixie" install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/dropbear" "${TARGET}/usr/sbin/" do_log "debug" "file_only" "4311() Installation [dropbear] successful." for var_file in dbclient dropbearconvert dropbearkey; do mv "${TARGET}/usr/bin/${var_file}" "${TARGET}/usr/bin/${var_file}.trixie" install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/${var_file}" "${TARGET}/usr/bin/" do_log "debug" "file_only" "4311() Installation [${var_file}] successful." done insert_header "${TARGET}/etc/apt/preferences.d/99-mask-dropbear" insert_comments "${TARGET}/etc/apt/preferences.d/99-mask-dropbear" cat << 'EOF' >> "${TARGET}/etc/apt/preferences.d/99-mask-dropbear" # Never install the dropbear daemon package at all. Package: dropbear Pin: release * Pin-Priority: -1 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf EOF insert_header "${TARGET}/etc/apt/preferences.d/99-mask-dropbear-initramfs" insert_comments "${TARGET}/etc/apt/preferences.d/99-mask-dropbear-initramfs" cat << 'EOF' >> "${TARGET}/etc/apt/preferences.d/99-mask-dropbear-initramfs" # Keep the currently installed initramfs integration; never upgrade it. Package: dropbear-initramfs Pin: release * Pin-Priority: -1 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf EOF chroot_script "${TARGET}" "systemctl mask dropbear.service dropbear.socket" do_log "info" "file_only" "4311() Masked: [dropbear.service dropbear.socket]" guard_dir && return 0 } ### Prevents accidental 'unset -f'. # shellcheck disable=SC2034 readonly -f dropbear_initramfs # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh