
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
### Options in "GRUB_CMDLINE_LINUX" are always effective (incl. recovery mode).
### Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
### Project helper defined elsewhere in the framework; presumably aborts when this
### file is executed directly instead of being sourced — TODO confirm against its definition.
guard_sourcing
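#######################################
# Hardening: extend the GRUB kernel command line of the target system.
# Appends the opt-in ARY_BOOTPARAM entries to GRUB_CMDLINE_LINUX_DEFAULT
# (normal boot only), and the security-framework, Dropbear and Nuke
# parameters to GRUB_CMDLINE_LINUX (always effective, incl. recovery),
# then regenerates the GRUB configuration inside the target chroot.
# Globals:
#   ARY_BOOTPARAM                  (read)  extra parameters for normal boot
#   HMP_PATH_ENCLABEL              (read)  "/" -> dm-crypt mapping label
#   TARGET                         (read)  chroot path of the target system
#   VAR_CRYPT_ROOT                 (read)  backing device of the encrypted root
#   VAR_DROPBEAR                   (read)  "true" adds the remote-unlock root parameters
#   VAR_NUKE                       (read)  "true" adds the nuke= parameter
#   VAR_NUKE_HASH                  (read)  hash written into the nuke= parameter
#   VAR_SEC_FW                     (read)  "apparmor" | "selinux" | anything else
#   VV_GRUB_CMDLINE_LINUX          (read/written)
#   VV_GRUB_CMDLINE_LINUX_DEFAULT  (read/written)
# Arguments:
#   None
# Outputs:
#   Log lines via do_log(); output of update-grub from the chroot.
# Returns:
#   0 on success, otherwise the exit status of guard_dir().
#######################################
update_grub_bootparameter() {
  ### Declare Variables.
  local var_param="" var_label="" var_nuke_esc=""
  ### Load the current GRUB_CMDLINE_LINUX* values into the VV_* globals.
  grub_extract_current_string
  for var_param in "${ARY_BOOTPARAM[@]}"; do
    if [[ -z "${var_param}" ]]; then
      do_log "warn" "file_only" "4250() Empty GRUB parameter detected and skipped."
      continue
    fi
    ### Whole-word comparison: a plain substring match would treat e.g. 'ro' as a
    ### duplicate of 'root=...' and silently drop the parameter.
    if [[ " ${VV_GRUB_CMDLINE_LINUX_DEFAULT} " == *" ${var_param} "* ]]; then
      do_log "info" "file_only" "4250() Skipping duplicate kernel parameter: '${var_param}'."
      continue
    fi
    VV_GRUB_CMDLINE_LINUX_DEFAULT="${VV_GRUB_CMDLINE_LINUX_DEFAULT:+${VV_GRUB_CMDLINE_LINUX_DEFAULT} }${var_param}"
  done
  case "${VAR_SEC_FW}" in
    apparmor)
      VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX:+${VV_GRUB_CMDLINE_LINUX} }apparmor=1 security=apparmor lsm=lockdown,yama,integrity,apparmor,bpf"
      ;;
    selinux)
      ### We start in permissive mode first, so 'enforcing=1' is deliberately NOT passed on the command line.
      VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX:+${VV_GRUB_CMDLINE_LINUX} }selinux=1 security=selinux"
      ;;
  esac
  if [[ "${VAR_DROPBEAR}" == "true" ]]; then
    var_label="${HMP_PATH_ENCLABEL["/"]}"
    ### An empty label yields 'root=/dev/mapper/' and an unbootable entry; say so in the log.
    [[ -n "${var_label}" ]] || do_log "warn" "file_only" "4250() No encryption label for '/' found; root= parameter will be incomplete."
    # NOTE(review): 'cryptdevice=' is the mkinitcpio 'encrypt' hook syntax; Debian's
    # initramfs-tools cryptroot hook parses 'cryptopts=' — confirm against the
    # initramfs generator actually used on the target.
    VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX:+${VV_GRUB_CMDLINE_LINUX} }cryptdevice=${VAR_CRYPT_ROOT}:cryptroot root=/dev/mapper/${var_label}"
  fi
  if [[ "${VAR_NUKE}" == "true" ]]; then
    ### Escape every '$' so the hash survives being written into, and later sourced
    ### from, the double-quoted value in the GRUB defaults file (presumably done by
    ### grub_finalize_string() — confirm).
    var_nuke_esc="${VAR_NUKE_HASH//$/\\$}"
    # NOTE(review): the kernel command line is world-readable on the running system
    # (/proc/cmdline, dmesg), so this hash is exposed to every local user — confirm
    # that is acceptable for the chosen hash type.
    VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX:+${VV_GRUB_CMDLINE_LINUX} }nuke=${var_nuke_esc}"
  fi
  ### Write the VV_* values back and regenerate grub.cfg inside the target.
  grub_finalize_string
  chroot_exec "${TARGET}" update-grub
  guard_dir && return 0
}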
### Mark the function read-only so it can be neither redefined nor removed with
### 'unset -f' once this file has been sourced.
# shellcheck disable=SC2034
readonly -f update_grub_bootparameter
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh