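#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: Hook script (initramfs) for setting up the CISS.debian.installer hardened dropbear environment, incl. Luks Nuke.
#
# Purpose:   initramfs-tools hook that stages the hardened dropbear environment
#            (bash, busybox, helper binaries, dropbear + firewall configuration and
#            the cryptroot unlock wrapper) into the initramfs image under ${DESTDIR}.
# Usage:     run by mkinitramfs with no arguments; the only recognised argument is
#            "prereqs", which prints ${PREREQ} and exits so hooks can be ordered.
# Env:       DESTDIR (staging root) and copy_exec come from the mkinitramfs
#            environment / /usr/share/initramfs-tools/hook-functions.
# Exit:      0 on success; 1 when a required source file is missing; any other
#            failing command aborts via `set -e`.

set -e

PREREQ=""

# Print this hook's prerequisites (none); dispatched by the "prereqs" argument.
prereqs() { echo "${PREREQ}"; }

# ${1:-} keeps the case word well-formed when the hook is run without arguments.
case "${1:-}" in
  prereqs) prereqs; exit 0 ;;
esac

. /usr/share/initramfs-tools/hook-functions

# Every path below is rooted at ${DESTDIR}; with it empty or unset the mkdir/install
# calls would write into the live /etc and /usr of the build host. Fail early instead.
: "${DESTDIR:?DESTDIR must be set by mkinitramfs}"

# Required source files. Diagnostics go to stderr so mkinitramfs stdout stays clean.
# shellcheck disable=2292
if [ ! -e /etc/initramfs-tools/files/unlock_wrapper.sh ]; then
  printf '%s\n' "Missing unlock_wrapper.sh in /etc/initramfs-tools/files/" >&2
  exit 1
fi
if [ ! -e /etc/initramfs-tools/files/dropbear_fw.conf ]; then
  printf '%s\n' "Missing dropbear_fw.conf in /etc/initramfs-tools/files/" >&2
  exit 1
fi
if [ ! -e /etc/dropbear/initramfs/dropbear.conf ]; then
  printf '%s\n' "Missing dropbear.conf in /etc/dropbear/initramfs/" >&2
  exit 1
fi

### Ensure directory structure in initramfs
mkdir -p \
  "${DESTDIR}/etc/dropbear" \
  "${DESTDIR}/etc/keys" \
  "${DESTDIR}/usr/local/bin" \
  "${DESTDIR}/etc/initramfs-tools/conf.d" \
  "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"

### Include Bash
copy_exec /usr/bin/bash /usr/bin

### Include Busybox
copy_exec /usr/bin/busybox /usr/bin
copy_exec /usr/bin/busybox /bin

### Include lsblk (block device info tool)
copy_exec /usr/bin/lsblk /usr/bin

### Include mkpasswd
copy_exec /usr/bin/mkpasswd /usr/bin

### Include udevadm (udev management tool)
copy_exec /usr/bin/udevadm /usr/bin

### Include sha512sum / sha384sum (checksum tools)
copy_exec /usr/bin/sha512sum /usr/bin
copy_exec /usr/bin/sha384sum /usr/bin

### Include Signature-Verifier
copy_exec /usr/bin/gpgv /usr/bin

### Include Whois
copy_exec /usr/bin/whois /usr/bin

### Link busybox applets for compatibility
# Relative link target: the symlink resolves to the busybox copy in the same directory.
for dir in bin usr/bin; do
  ln -sf busybox "${DESTDIR}/${dir}/cat"
  ln -sf busybox "${DESTDIR}/${dir}/sleep"
done

### Install Dropbear firewall configuration
install -m 0444 /etc/initramfs-tools/files/dropbear_fw.conf \
  "${DESTDIR}/etc/initramfs-tools/conf.d/dropbear_fw.conf"

### Install Dropbear configuration
install -m 0444 /etc/dropbear/initramfs/dropbear.conf \
  "${DESTDIR}/etc/dropbear/dropbear.conf"

### Install Dropbear Cryptroot Unlock Wrapper
# NOTE(review): the wrapper is staged without its checksum/signature companions
# (the install lines below are still commented out), so the initramfs cannot verify
# it at boot; its integrity currently rests on the host copy at build time.
install -m 0555 /etc/initramfs-tools/files/unlock_wrapper.sh \
  "${DESTDIR}/usr/local/bin/unlock_wrapper.sh"
# TODO: Update preseed.yaml for pgp signing key AND / OR implementation of presigned unlock_wrapper.sh
#install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha384 "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha384"
#install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512 "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha512"
#install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha384.sig "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha384.sig"
#install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha512.sig"

### Install PGP Signing Keys
#install -m 0444 /root/.ciss/keys/pubring.gpg "${DESTDIR}/etc/keys/pubring.gpg"

### Install Dropbear Banner
#install -m 0444 /etc/dropbear/initramfs/banner "${DESTDIR}/etc/dropbear/banner"

echo "Successfully executed: [/etc/initramfs-tools/hooks/custom-initramfs.sh]."

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh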