diff --git a/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash b/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash
index ea276b2..6e44065 100644
--- a/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash
+++ b/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash
@@ -42,7 +42,7 @@ export CDLB_ISO_LABEL="CISS.debian.live"
 export CDLB_LUKS_FS="/live/ciss_rootfs.crypt"
 export CDLB_MAPPER_NAME="crypt_liveiso"
 export CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
-CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-10}"
+CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}"
 CDLB_MAX_TRIES="${CDLB_MAX_TRIES:-3}"
 MNT_MEDIUM="/run/live/medium"
 MNT_ROOTFS="/run/live/rootfs"
@@ -117,7 +117,7 @@ printf "\e[92m[INFO] MNT_MEDIUM : [%s] \n\e[0m" "${MNT_MEDIUM}"
 ### Locate the encrypted root container on the medium. -------------------------------------------------------------------------
 if [ ! -f "${MNT_MEDIUM}${CDLB_LUKS_FS}" ]; then
- log "Encrypted root not found at: [${MNT_MEDIUM}/${CDLB_LUKS_FS}]"
+ log "Encrypted root not found at: [${MNT_MEDIUM}${CDLB_LUKS_FS}]"
 printf "\e[91m[FATAL] Encrypted root not found at: [%s%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LUKS_FS}"
 exit 0
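Review bot: Raising the default wait to 3600 seconds means a boot with neither a console reader nor a remote unlocker stalls for an hour before the timeout path in the -127 hunk exits, so the new value deserves a comment stating that intent, e.g. `# Long default: the remote (dropbear) unlock may take a while; the loop below polls once per second.`. If CDLB_REMOTE_WAIT_SECS can arrive from outside the script (environment or an earlier boot hook), a non-numeric value makes the later `[ "${REMAINING}" -gt 0 ]` test fail with an error instead of waiting; `case "${CDLB_REMOTE_WAIT_SECS}" in ''|*[!0-9]*) CDLB_REMOTE_WAIT_SECS=3600 ;; esac` after the assignment keeps the loop well-formed. CDLB_MAX_TRIES on the next line keeps its default but, as far as this diff shows, its only consumer is the console retry loop removed in the -127 hunk.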
@@ -127,59 +127,121 @@ printf "\e[92m[INFO] CISS LUKS FS : [%s%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LU
 ### Attach a loop device read-only to the encrypted file. ----------------------------------------------------------------------
 LOOP="$(losetup -f --show -r "${MNT_MEDIUM}${CDLB_LUKS_FS}")" || { log "losetup failed"; exit 42; }
+printf "\e[92m[INFO] Loop device : [%s] \n\e[0m" "${LOOP}"
 ### Expose the loop device for unlock-wrapper.sh, dropbear forced-command. -----------------------------------------------------
 mkdir -p /run 2>/dev/null || true
-echo "${LOOP}" >| /run/ciss-loopdev 2>/dev/null || true
+echo "${LOOP}" > /run/ciss-loopdev 2>/dev/null || true
 chmod 0600 /run/ciss-loopdev 2>/dev/null || true
+printf "\e[92m[INFO] Exposed LOOP : [/run/ciss-loopdev] -> [%s]\n\e[0m" "${LOOP}"
-### Wait briefly for the LUKS container to open via dropbear. ------------------------------------------------------------------
-if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
+### Prepare fifo for passphrase. -----------------------------------------------------------------------------------------------
+mkdir -p /lib/cryptsetup 2>/dev/null || true
- REMAINING="${CDLB_REMOTE_WAIT_SECS}"
+if [ -p /lib/cryptsetup/passfifo ]; then
- while [ "${REMAINING}" -gt 0 ]; do
+ rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
+
+fi
+
+if ! mkfifo /lib/cryptsetup/passfifo 2>/dev/null; then
+
+ printf "\e[92m[WARN] Failed to create /lib/cryptsetup/passfifo \n\e[0m"
+ exit 42
+
+fi
+
+chmod 0600 /lib/cryptsetup/passfifo 2>/dev/null || true
+
+### Background cryptsetup-process, reading from fifo. --------------------------------------------------------------------------
+(
+ set +e
+ cryptsetup open \
+ --type luks \
+ --readonly \
+ "${LOOP}" "${CDLB_MAPPER_NAME}" \
+ --key-file - < /lib/cryptsetup/passfifo 2>/dev/console
+) &
+PID_CRYPT="$!"
+
+### Background console-prompt for passphrase reading into fifo. 
----------------------------------------------------------------
+(
+ set +e
+ while :; do
 if [ -b "${CDLB_MAPPER_DEV}" ]; then
- log "LUKS mapping [${CDLB_MAPPER_DEV}] opened remotely by dropbear unlock_wrapper.sh."
- printf "\e[92m[INFO] LUKS mapping : [%s] opened remotely by dropbear unlock_wrapper.sh. \n\e[0m" "${CDLB_MAPPER_DEV}"
 break
 fi
- sleep 1
- REMAINING=$((REMAINING - 1))
+ printf "\e[93m[INFO] Enter LUKS passphrase on: \n\e[0m" >/dev/console 2>/dev/null || break
+
+ if IFS= read -r PASS /dev/null; then
+
+ [ -n "${PASS}" ] || continue
+
+ printf '%s\n' "${PASS}" > /lib/cryptsetup/passfifo 2>/dev/null || :
+
+ else
+
+ ### No readable '/dev/console': break immediately
+ break
+
+ fi
 done
+) &
+PID_PROMPT="$!"
-fi
+### Main process: waiting for mapping to appear. -------------------------------------------------------------------------------
+REMAINING="${CDLB_REMOTE_WAIT_SECS}"
-### Fallback: interactive password entry on the console. -----------------------------------------------------------------------
 if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
- attempts=0
-
- while [ "${attempts}" -lt "${CDLB_MAX_TRIES}" ] && [ ! -b "${LUKS_MAPPER_DEV}" ]; do
-
- attempts=$((attempts + 1))
-
- printf "\e[93m[INFO] Unlock : [%s] Attempts: [%s/%s] Enter Passphrase on console: \n\e[0m" \
- "${CDLB_LUKS_FS}" "${attempts}" "${CDLB_MAX_TRIES}" >/dev/console 2>/dev/null || true
-
- ### Let cryptsetup handle the prompt on /dev/console; no keyfile, no FIFO.
- if cryptsetup open --type luks --readonly "${LOOP}" "${LUKS_MAPPER_NAME}"; then
-
- log "LUKS mapping [${CDLB_MAPPER_DEV}] opened via local console."
- printf "\e[92m[INFO] LUKS mapping : [%s] Opened via local console. 
\n\e[0m" "${CDLB_MAPPER_DEV}"
- break
-
- fi
-
- done
+ printf "\e[93m[INFO] Waiting up to %s seconds for [%s] to be unlocked ...\n\e[0m" "${REMAINING}" "${CDLB_MAPPER_DEV}"
 fi
+while [ "${REMAINING}" -gt 0 ]; do
+
+ if [ -b "${CDLB_MAPPER_DEV}" ]; then
+
+ break
+
+ fi
+
+ sleep 1
+
+ REMAINING=$((REMAINING - 1))
+
+done
+
+if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
+
+ printf "\e[91m[WARN] Timeout: mapper [%s] not present after %s seconds. \n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_REMOTE_WAIT_SECS}"
+ kill "${PID_PROMPT}" 2>/dev/null || true
+ kill "${PID_CRYPT}" 2>/dev/null || true
+ rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
+ exit 42
+
+fi
+
+kill "${PID_PROMPT}" 2>/dev/null || true
+wait "${PID_CRYPT}" 2>/dev/null || true
+rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
+
+printf "\e[92m[INFO] LUKS mapper : [%s] is now present.\n\e[0m" "${CDLB_MAPPER_DEV}"
+
+### Expose the decrypted root device for live-boot overlay. The live-boot components will pick this up in '9990-overlay.sh'. ---
+echo "${CDLB_MAPPER_DEV}" >| /run/ciss-rootdev
+chmod 0644 /run/ciss-rootdev 2>/dev/null || true
+export CISS_ROOT_DEV="${CDLB_MAPPER_DEV}"
+export CISS_ROOT_DIR=""
+
+log "Decrypted root device exposed at [/run/ciss-rootdev] -> [${CDLB_MAPPER_DEV}]"
+printf "\e[92m[INFO] Decrypted root device exposed at: [/run/ciss-rootdev] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}"
+
 ### Final sanity check. --------------------------------------------------------------------------------------------------------
 if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
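Review bot: The console prompt loop writes `printf '%s\n' "${PASS}"` into the fifo that the background `cryptsetup open ... --key-file -` reads, and per the cryptsetup manual a key read through --key-file (stdin included) does not stop at newline, so the trailing newline becomes part of the key and a passphrase enrolled at a normal prompt will not unlock; on top of that `IFS= read -r PASS` runs with terminal echo left on, so the typed passphrase is displayed on /dev/console (and captured by any serial-console log), which the previous interactive cryptsetup prompt avoided. Because that single cryptsetup exits after one failed key, the loop's next `printf ... > /lib/cryptsetup/passfifo` blocks with no reader, and if unlock-wrapper.sh opens the mapping itself instead of feeding the fifo (it is not in this diff), the later `wait "${PID_CRYPT}"` blocks on a cryptsetup still waiting for the fifo; both cases end only at the CDLB_REMOTE_WAIT_SECS timeout. CDLB_MAX_TRIES keeps its assignment in the -42 hunk but its only visible consumer is the retry loop this hunk removes. The `read -r PASS /dev/null` line appears to have lost its redirections in this rendering, so its exact form is not reviewed here, and the final sanity-check `if` at the end of the hunk continues outside it. Running cryptsetup once per attempt with echo disabled around the read, as below, drops the fifo and with it the newline and the stuck-writer problems.
```shell
### … unchanged: losetup and /run/ciss-loopdev export …
### Console prompt: one cryptsetup run per attempt, echo disabled while the passphrase is read. -------------------------------
(
  set +e
  attempts=0
  while [ "${attempts}" -lt "${CDLB_MAX_TRIES}" ] && [ ! -b "${CDLB_MAPPER_DEV}" ]; do
    attempts=$((attempts + 1))
    printf "\e[93m[INFO] Enter LUKS passphrase [%s/%s]: \n\e[0m" "${attempts}" "${CDLB_MAX_TRIES}" >/dev/console 2>/dev/null || break
    stty -echo </dev/console 2>/dev/null || true
    IFS= read -r PASS </dev/console 2>/dev/null
    rc=$?
    stty echo </dev/console 2>/dev/null || true
    [ "${rc}" -eq 0 ] || break
    [ -n "${PASS}" ] || continue
    ### printf is a shell builtin, so the passphrase never appears in a process argv; no newline is appended.
    printf '%s' "${PASS}" | cryptsetup open --type luks --readonly "${LOOP}" "${CDLB_MAPPER_NAME}" --key-file - 2>/dev/console
    PASS=""
  done
) &
PID_PROMPT="$!"
### … unchanged: main wait loop on CDLB_REMOTE_WAIT_SECS, root-device export …
### … dropped: fifo creation, the background cryptsetup block, PID_CRYPT and its kill/wait …
```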
@@ -189,18 +251,6 @@ if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
 fi
-### Expose the decrypted root device for live-boot overlay. The live-boot components will pick this up in '9990-overlay.sh'. ---
-echo "${CDLB_MAPPER_DEV}" >| /run/ciss-rootdev
-
-chmod 0644 /run/ciss-rootdev 2>/dev/null || true
-
-export CISS_ROOT_DEV="${CDLB_MAPPER_DEV}"
-export CISS_ROOT_DIR=""
-
-log "Decrypted root device exposed at [/run/ciss-rootdev] -> [${CDLB_MAPPER_DEV}]"
-
-printf "\e[92m[INFO] Decrypted root device exposed at: [/run/ciss-rootdev] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}"
-
 printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0024-ciss-crypt-squash] \n\e[0m"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh