#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# Framework helper defined elsewhere; presumably refuses to continue unless this
# file is being sourced by the installer rather than executed directly — confirm
# against its definition.
guard_sourcing
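#######################################
# '/etc/crypttab' entry writer and logger.
# Appends one whitespace-separated line
#   <name> <device> <password-file-or-none> <options>
# to "${TARGET}/etc/crypttab". Columns are padded for readability, but one
# literal space is always emitted between fields, so an over-long value (a
# name of 43+ characters, a long device spec, ...) can no longer fuse with the
# following column and produce an entry cryptsetup cannot parse.
# Globals:
#   TARGET (read) - must be set; the function aborts otherwise instead of
#                   appending to the running host's own /etc/crypttab.
# Arguments:
#   1: Encryption Label (dm-crypt <name>)
#   2: LUKS Container UUID, or any <device> spec such as "UUID=..."
#   3: Keyfile or none
#   4: LUKS Options
# Outputs:
#   One line appended to "${TARGET}/etc/crypttab"; an info line via do_log.
# Returns:
#   0: on success
#######################################
write_crypttab() {
  local write_label="$1" write_dev="$2" write_key_file="$3" write_opts="$4"
  # ':?' aborts the (non-interactive) shell when TARGET is unset/empty: an
  # empty prefix would silently turn the path into the host's /etc/crypttab.
  local -r crypttab="${TARGET:?TARGET must be set before writing crypttab}/etc/crypttab"
  printf '%-43s %-46s %-40s %s\n' "${write_label}" "${write_dev}" "${write_key_file}" "${write_opts}" >> "${crypttab}"
  do_log "info" "file_only" "4210() crypttab entry generated: [${write_label} ${write_dev} ${write_key_file} ${write_opts}]."
  return 0
}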
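#######################################
# Stage the initramfs unlock wrapper into the target.
# Helper for generate_crypttab(): used for the '/' entry when Dropbear remote
# unlocking is enabled.
# Globals:
#   TARGET (read)
#   VAR_SETUP_PATH (read) - must be set; aborts otherwise
# Arguments:
#   None
# Returns:
#   0 on success, the status of the failing install(1) otherwise
#######################################
_install_unlock_wrapper() {
  local -r wrapper="${VAR_SETUP_PATH:?VAR_SETUP_PATH must be set}/includes/target/etc/initramfs-tools/files/unlock_wrapper.sh"
  mkdir -p "${TARGET}/etc/initramfs-tools/files"
  mkdir -p "${TARGET}/usr/lib/cryptsetup/scripts"
  # The copy below goes to "${TARGET}/lib/...": on a merged-/usr target that is
  # the directory just created (lib -> usr/lib); on a split-/usr target it would
  # otherwise not exist and install(1) would fail.
  mkdir -p "${TARGET}/lib/cryptsetup/scripts"
  # NOTE(review): the crypttab entry that referenced this keyscript is disabled
  # in generate_crypttab() (decrypt_keyctl is used instead); the wrapper is still
  # staged in case another step of the framework relies on it — confirm.
  install -m 0755 -o root -g root "${wrapper}" "${TARGET}/etc/initramfs-tools/files/"
  install -m 0755 -o root -g root "${wrapper}" "${TARGET}/lib/cryptsetup/scripts/"
}
#######################################
# Generate target '/etc/crypttab' entries.
# Writes the file header, one LUKS entry per mount point known to
# HMP_PATH_LUKSUUID (except '/recovery'), one plain dm-crypt entry per
# ephemeral device (random key on every boot), and a trailing modeline.
# Globals:
#   HMP_EPHEMERAL_ENCLABEL (read) - ephemeral key ('swap', '/tmp') -> dm-crypt name
#   HMP_PATH_ENCLABEL (read)      - mount point -> dm-crypt name
#   HMP_PATH_LUKSUUID (read)      - mount point -> LUKS container UUID
#   HMP_PATH_PARTUUID (read)      - ephemeral key -> host dummy partition UUID
#   TARGET (read)                 - must be set; aborts otherwise
#   VAR_DROPBEAR (read)           - normalised to lowercase via ensure_lowercase
#   VAR_SETUP_PATH (read)         - via _install_unlock_wrapper
# Arguments:
#   None
# Returns:
#   0: on success
#######################################
generate_crypttab() {
  ### Declare Arrays, HashMaps, and Variables.
  local var_key="" var_encryption_label="" var_luks_uuid="" var_ephemeral_enclabel="" var_host_partuuid=""
  # ':?' aborts when TARGET is unset/empty: an empty prefix would make every
  # write below land in the running host's own /etc/crypttab.
  local -r crypttab="${TARGET:?TARGET must be set before generating crypttab}/etc/crypttab"
  ensure_lowercase "VAR_DROPBEAR"
  ### Generate '${TARGET}/etc/crypttab' header.
  insert_header "${crypttab}"
  insert_comments "${crypttab}"
  # Quoted delimiter: the text is literal, nothing in it is meant to expand.
  cat << 'EOF' >> "${crypttab}"
# Basic rule: 'discard' / 'nodiscard' are normally only set in '/etc/crypttab' when LUKS/dm-crypt is in use. Options like
# 'discard=async' or similar are typically only set in '/etc/fstab' (at the file system level). The crypttab determines whether
# the underlying encrypted device (LUKS/dm-crypt) passes TRIM commands to the physical drive or not. The '/etc/fstab' determines
# whether and how the file system itself generates the discard operations and sends them down through the LUKS layer.
#
# For non-ephemeral devices the respective UUID of the LUKS-device is used.
# For the ephemeral devices the respective PART UUID of the host dummy partition is used.
#
# RECOMMENDED: 'discard' enables the TRIM commands to be forwarded by the dm-crypt layer to the SSD/physical device. If ones do
# not specify discard in the '/etc/crypttab', dm-crypt blocks TRIM by default. This would render a discard in the '/etc/fstab'
# ineffective.
#
# <name> <device> <password-file-or-none> <options>
EOF
  ### Generate '${TARGET}/etc/crypttab' entries.
  for var_key in "${!HMP_PATH_LUKSUUID[@]}"; do
    # The recovery container is deliberately never listed in the target's crypttab.
    [[ "${var_key}" == "/recovery" ]] && continue
    var_encryption_label="${HMP_PATH_ENCLABEL["${var_key}"]}"
    var_luks_uuid="${HMP_PATH_LUKSUUID["${var_key}"]}"
    # Without Dropbear every container gets a plain interactive entry.
    if [[ "${VAR_DROPBEAR}" != "true" ]]; then
      write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard"
      continue
    fi
    case "${var_key,,}" in
      "/" | "/usr")
        # '/' and '/usr' share one early (initramfs) unlock: decrypt_keyctl
        # caches the first passphrase so both are opened with a single prompt.
        if [[ "${var_key,,}" == "/" ]]; then
          _install_unlock_wrapper
        fi
        printf '%s\n' '### Early-unlocked (initramfs) - single passphrase via decrypt_keyctl' >> "${crypttab}"
        write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs,keyscript=decrypt_keyctl,tries=1"
        ;;
      "/boot")
        printf '%s\n' "### LUKS encrypted '/boot' different passphrase, not in initramfs" >> "${crypttab}"
        write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard"
        ;;
      *)
        printf '%s\n' '### Late-unlocked (userspace) no initramfs, independent prompts / tokens' >> "${crypttab}"
        write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard"
        ;;
    esac
  done
  ### Generate '${TARGET}/etc/crypttab' ephemeral entries.
  for var_key in "${!HMP_EPHEMERAL_ENCLABEL[@]}"; do
    var_ephemeral_enclabel="${HMP_EPHEMERAL_ENCLABEL["${var_key}"]}"
    var_host_partuuid="${HMP_PATH_PARTUUID["${var_key}"]}"
    case "${var_key,,}" in
      swap)
        # Fresh random key from /dev/urandom on every boot; 'swap' has
        # cryptsetup run mkswap on the new mapping. (An earlier revision keyed
        # the entry by the host filesystem LABEL and /dev/random; see history.)
        write_crypttab "${var_ephemeral_enclabel}" "UUID=${var_host_partuuid}" "/dev/urandom" "swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,discard,plain"
        ;;
      /tmp)
        # NOTE(review): unlike the swap entry no 'tmp=<fstype>' option is given,
        # so cryptsetup itself will not put a filesystem on the random-keyed
        # mapping at boot; whatever mounts it must handle that — confirm this is
        # intended (an earlier revision used 'tmp=ext4').
        write_crypttab "${var_ephemeral_enclabel}" "UUID=${var_host_partuuid}" "/dev/urandom" "offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,discard,plain"
        # systemd's own tmpfs on /tmp must not race the encrypted mapping.
        chroot_script "${TARGET}" "systemctl mask tmp.mount"
        do_log "info" "file_only" "4210() Masked: [tmp.mount]"
        ;;
      *)
        # Log tag corrected to this step (4210); it previously read '4060()'.
        do_log "error" "file_only" "4210() Only 'SWAP' and '/tmp' are valid Partitions for Ephemeral Encryption. Given value was: '${var_key}'."
        ;;
    esac
  done
  cat << 'EOF' >> "${crypttab}"
# vim: number et ts=2 sw=2 sts=2 ai tw=200 ft=sh
EOF
  guard_dir && return 0
}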
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh