V9.14.026.2026.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-17 17:14:45 +01:00
parent 7fb6ca2cd2
commit 1d130a7027
2 changed files with 130 additions and 7 deletions
@@ -23,7 +23,7 @@
 #   SHA-512 digest and the exact byte length; allocation slack after that SquashFS payload is intentionally out of scope.
 # - Panics on missing, malformed, unauthentic, or mismatched evidence.

-# set -eu
+set -eu

 printf "\e[95m[INFO] Starting             : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] \n\e[0m"

@@ -39,7 +39,8 @@ export CDLB_MAPPER_DEV="${CDLB_MAPPER_DEV:-/dev/mapper/${CDLB_MAPPER_NAME}}"
 export CDLB_MNT_MEDIUM="${CDLB_MNT_MEDIUM:-/run/live/medium}"

 ### Locations of the attestation file of filesystem.squashfs on the verified live medium. --------------------------------------
-CDLB_ROOTFS_ATTEST_MANIFEST="${CDLB_ROOTFS_ATTEST_MANIFEST:-${CDLB_MNT_MEDIUM}/live/filesystem.squashfs.sha512sum.txt}"
+CDLB_ROOTFS_ATTEST_NAME="${CDLB_ROOTFS_ATTEST_NAME:-filesystem.squashfs.sha512sum.txt}"
+CDLB_ROOTFS_ATTEST_MANIFEST="${CDLB_ROOTFS_ATTEST_MANIFEST:-${CDLB_MNT_MEDIUM}/live/${CDLB_ROOTFS_ATTEST_NAME}}"
 CDLB_ROOTFS_ATTEST_SIGNATURE="${CDLB_ROOTFS_ATTEST_SIGNATURE:-${CDLB_ROOTFS_ATTEST_MANIFEST}.sig}"
 CDLB_ROOTFS_ATTEST_CHECK="${CDLB_ROOTFS_ATTEST_CHECK:-/run/ciss-rootfs-attestation.sha512sum}"
 CDLB_KEY_DIR="${CDLB_KEY_DIR:-/etc/ciss/keys}"
@@ -73,6 +74,16 @@ log_ok() { printf '\e[92m[INFO] %s \n\e[0m' "$*"; }
 #######################################
 log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }

+### Provide a local fail-closed fallback when this file is executed as a subprocess outside the live-boot shell context. --------
+if ! command -v panic >/dev/null 2>&1; then
+
+  panic() {
+    log_er "${*}"
+    exit 1
+  }
+
+fi
+
 #######################################
 # Validate a boot-time attestation input file.
 # Globals:
@@ -125,6 +136,52 @@ require_attestation_file() {
  return 0
 }

+#######################################
+# Resolve rootfs attestation paths on known live medium mountpoints.
+# Globals:
+#   CDLB_MNT_MEDIUM
+#   CDLB_ROOTFS_ATTEST_MANIFEST
+#   CDLB_ROOTFS_ATTEST_NAME
+#   CDLB_ROOTFS_ATTEST_SIGNATURE
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+resolve_rootfs_attestation_artifacts() {
+  medium_path=""
+  manifest_path=""
+  signature_path=""
+
+  if [ -f "${CDLB_ROOTFS_ATTEST_MANIFEST}" ] && [ -f "${CDLB_ROOTFS_ATTEST_SIGNATURE}" ]; then
+
+    return 0
+
+  fi
+
+  for medium_path in "${CDLB_MNT_MEDIUM}" /run/live/medium /lib/live/mount/medium /cdrom; do
+
+    [ -n "${medium_path}" ] || continue
+
+    manifest_path="${medium_path}/live/${CDLB_ROOTFS_ATTEST_NAME}"
+    signature_path="${manifest_path}.sig"
+
+    if [ -f "${manifest_path}" ] && [ -f "${signature_path}" ]; then
+
+      CDLB_ROOTFS_ATTEST_MANIFEST="${manifest_path}"
+      CDLB_ROOTFS_ATTEST_SIGNATURE="${signature_path}"
+      return 0
+
+    fi
+
+  done
+
+  log_er "0042()              : Rootfs attestation artifacts not found. Expected manifest/signature: [${CDLB_ROOTFS_ATTEST_MANIFEST}] [${CDLB_ROOTFS_ATTEST_SIGNATURE}]"
+  panic  "0042()              : Rootfs attestation artifacts not found. Expected manifest/signature: [${CDLB_ROOTFS_ATTEST_MANIFEST}] [${CDLB_ROOTFS_ATTEST_SIGNATURE}]"
+
+  return 1
+}
+
 #######################################
 # Validate the decrypted rootfs payload device.
 # Globals:
@@ -144,7 +201,11 @@ require_rootfs_payload_device() {

  fi

-  if [ -L "${artifact_path}" ] || { [ ! -b "${artifact_path}" ] && [ ! -f "${artifact_path}" ]; }; then
+  if [ -b "${artifact_path}" ]; then
+
+    :
+
+  elif [ -L "${artifact_path}" ] || [ ! -f "${artifact_path}" ]; then

    log_er "0042()              : Rootfs payload must be a block device or regular test fixture: [${artifact_path}]"
    panic  "0042()              : Rootfs payload must be a block device or regular test fixture: [${artifact_path}]"
@@ -270,6 +331,8 @@ verify_rootfs_payload() {
  return 0
 }

+resolve_rootfs_attestation_artifacts
+
 HASH_FILE="${CDLB_ROOTFS_ATTEST_MANIFEST}"
 SIGN_FILE="${CDLB_ROOTFS_ATTEST_SIGNATURE}"
 KEYFILE="${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg"