msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.440.2025.11.19
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m28s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-11-21 12:16:57 +00:00
parent a8b4f1982c
commit 18aca3e498
1 changed files with 94 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

138
config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash
View File

@@ -42,7 +42,7 @@ export CDLB_ISO_LABEL="CISS.debian.live"
export CDLB_LUKS_FS="/live/ciss_rootfs.crypt" export CDLB_LUKS_FS="/live/ciss_rootfs.crypt"
export CDLB_MAPPER_NAME="crypt_liveiso" export CDLB_MAPPER_NAME="crypt_liveiso"
export CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}" export CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-10}" CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}"
CDLB_MAX_TRIES="${CDLB_MAX_TRIES:-3}" CDLB_MAX_TRIES="${CDLB_MAX_TRIES:-3}"
MNT_MEDIUM="/run/live/medium" MNT_MEDIUM="/run/live/medium"
MNT_ROOTFS="/run/live/rootfs" MNT_ROOTFS="/run/live/rootfs"
@@ -117,7 +117,7 @@ printf "\e[92m[INFO] MNT_MEDIUM : [%s] \n\e[0m" "${MNT_MEDIUM}"
### Locate the encrypted root container on the medium. ------------------------------------------------------------------------- ### Locate the encrypted root container on the medium. -------------------------------------------------------------------------
if [ ! -f "${MNT_MEDIUM}${CDLB_LUKS_FS}" ]; then if [ ! -f "${MNT_MEDIUM}${CDLB_LUKS_FS}" ]; then
log "Encrypted root not found at: [${MNT_MEDIUM}/${CDLB_LUKS_FS}]" log "Encrypted root not found at: [${MNT_MEDIUM}${CDLB_LUKS_FS}]"
printf "\e[91m[FATAL] Encrypted root not found at: [%s%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LUKS_FS}" printf "\e[91m[FATAL] Encrypted root not found at: [%s%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LUKS_FS}"
exit 0 exit 0
@@ -127,59 +127,121 @@ printf "\e[92m[INFO] CISS LUKS FS : [%s%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LU
### Attach a loop device read-only to the encrypted file. ---------------------------------------------------------------------- ### Attach a loop device read-only to the encrypted file. ----------------------------------------------------------------------
LOOP="$(losetup -f --show -r "${MNT_MEDIUM}${CDLB_LUKS_FS}")" || { log "losetup failed"; exit 42; } LOOP="$(losetup -f --show -r "${MNT_MEDIUM}${CDLB_LUKS_FS}")" || { log "losetup failed"; exit 42; }
printf "\e[92m[INFO] Loop device : [%s] \n\e[0m" "${LOOP}"
### Expose the loop device for unlock-wrapper.sh, dropbear forced-command. ----------------------------------------------------- ### Expose the loop device for unlock-wrapper.sh, dropbear forced-command. -----------------------------------------------------
mkdir -p /run 2>/dev/null || true mkdir -p /run 2>/dev/null || true
echo "${LOOP}" >| /run/ciss-loopdev 2>/dev/null || true echo "${LOOP}" > /run/ciss-loopdev 2>/dev/null || true
chmod 0600 /run/ciss-loopdev 2>/dev/null || true chmod 0600 /run/ciss-loopdev 2>/dev/null || true
printf "\e[92m[INFO] Exposed LOOP : [/run/ciss-loopdev] -> [%s]\n\e[0m" "${LOOP}"
### Wait briefly for the LUKS container to open via dropbear. ------------------------------------------------------------------ ### Prepare fifo for passphrase. -----------------------------------------------------------------------------------------------
if [ ! -b "${CDLB_MAPPER_DEV}" ]; then mkdir -p /lib/cryptsetup 2>/dev/null || true
REMAINING="${CDLB_REMOTE_WAIT_SECS}" if [ -p /lib/cryptsetup/passfifo ]; then
while [ "${REMAINING}" -gt 0 ]; do rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
fi
if ! mkfifo /lib/cryptsetup/passfifo 2>/dev/null; then
printf "\e[92m[WARN] Failed to create /lib/cryptsetup/passfifo \n\e[0m"
exit 42
fi
chmod 0600 /lib/cryptsetup/passfifo 2>/dev/null || true
### Background cryptsetup-process, reading from fifo. --------------------------------------------------------------------------
(
set +e
cryptsetup open \
--type luks \
--readonly \
"${LOOP}" "${CDLB_MAPPER_NAME}" \
--key-file - < /lib/cryptsetup/passfifo 2>/dev/console
) &
PID_CRYPT="$!"
### Background console-prompt for passphrase reading into fifo. ----------------------------------------------------------------
(
set +e
while :; do
if [ -b "${CDLB_MAPPER_DEV}" ]; then
break
fi
printf "\e[93m[INFO] Enter LUKS passphrase on: \n\e[0m" >/dev/console 2>/dev/null || break
if IFS= read -r PASS </dev/console 2>/dev/null; then
[ -n "${PASS}" ] || continue
printf '%s\n' "${PASS}" > /lib/cryptsetup/passfifo 2>/dev/null || :
else
### No readable '/dev/console': break immediately
break
fi
done
) &
PID_PROMPT="$!"
### Main process: waiting for mapping to appear. -------------------------------------------------------------------------------
REMAINING="${CDLB_REMOTE_WAIT_SECS}"
if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
printf "\e[93m[INFO] Waiting up to %s seconds for [%s] to be unlocked ...\n\e[0m" "${REMAINING}" "${CDLB_MAPPER_DEV}"
fi
while [ "${REMAINING}" -gt 0 ]; do
if [ -b "${CDLB_MAPPER_DEV}" ]; then if [ -b "${CDLB_MAPPER_DEV}" ]; then
log "LUKS mapping [${CDLB_MAPPER_DEV}] opened remotely by dropbear unlock_wrapper.sh."
printf "\e[92m[INFO] LUKS mapping : [%s] opened remotely by dropbear unlock_wrapper.sh. \n\e[0m" "${CDLB_MAPPER_DEV}"
break break
fi fi
sleep 1 sleep 1
REMAINING=$((REMAINING - 1)) REMAINING=$((REMAINING - 1))
done done
fi
### Fallback: interactive password entry on the console. -----------------------------------------------------------------------
if [ ! -b "${CDLB_MAPPER_DEV}" ]; then if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
attempts=0 printf "\e[91m[WARN] Timeout: mapper [%s] not present after %s seconds. \n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_REMOTE_WAIT_SECS}"
kill "${PID_PROMPT}" 2>/dev/null || true
while [ "${attempts}" -lt "${CDLB_MAX_TRIES}" ] && [ ! -b "${LUKS_MAPPER_DEV}" ]; do kill "${PID_CRYPT}" 2>/dev/null || true
rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
attempts=$((attempts + 1)) exit 42
printf "\e[93m[INFO] Unlock : [%s] Attempts: [%s/%s] Enter Passphrase on console: \n\e[0m" \
"${CDLB_LUKS_FS}" "${attempts}" "${CDLB_MAX_TRIES}" >/dev/console 2>/dev/null || true
### Let cryptsetup handle the prompt on /dev/console; no keyfile, no FIFO.
if cryptsetup open --type luks --readonly "${LOOP}" "${LUKS_MAPPER_NAME}"; then
log "LUKS mapping [${CDLB_MAPPER_DEV}] opened via local console."
printf "\e[92m[INFO] LUKS mapping : [%s] Opened via local console. \n\e[0m" "${CDLB_MAPPER_DEV}"
break
fi
done
fi fi
kill "${PID_PROMPT}" 2>/dev/null || true
wait "${PID_CRYPT}" 2>/dev/null || true
rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
printf "\e[92m[INFO] LUKS mapper : [%s] is now present.\n\e[0m" "${CDLB_MAPPER_DEV}"
### Expose the decrypted root device for live-boot overlay. The live-boot components will pick this up in '9990-overlay.sh'. ---
echo "${CDLB_MAPPER_DEV}" >| /run/ciss-rootdev
chmod 0644 /run/ciss-rootdev 2>/dev/null || true
export CISS_ROOT_DEV="${CDLB_MAPPER_DEV}"
export CISS_ROOT_DIR=""
log "Decrypted root device exposed at [/run/ciss-rootdev] -> [${CDLB_MAPPER_DEV}]"
printf "\e[92m[INFO] Decrypted root device exposed at: [/run/ciss-rootdev] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}"
### Final sanity check. -------------------------------------------------------------------------------------------------------- ### Final sanity check. --------------------------------------------------------------------------------------------------------
if [ ! -b "${CDLB_MAPPER_DEV}" ]; then if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
@@ -189,18 +251,6 @@ if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
fi fi
### Expose the decrypted root device for live-boot overlay. The live-boot components will pick this up in '9990-overlay.sh'. ---
echo "${CDLB_MAPPER_DEV}" >| /run/ciss-rootdev
chmod 0644 /run/ciss-rootdev 2>/dev/null || true
export CISS_ROOT_DEV="${CDLB_MAPPER_DEV}"
export CISS_ROOT_DIR=""
log "Decrypted root device exposed at [/run/ciss-rootdev] -> [${CDLB_MAPPER_DEV}]"
printf "\e[92m[INFO] Decrypted root device exposed at: [/run/ciss-rootdev] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}"
printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0024-ciss-crypt-squash] \n\e[0m" printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0024-ciss-crypt-squash] \n\e[0m"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh