msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V9.14.026.2026.06.17
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2026-06-17 17:14:45 +01:00
parent 7fb6ca2cd2
commit 1d130a7027
2 changed files with 130 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
config/hooks/live/zzzz_ciss_crypt_squash.hook.binary
+64 -4
View File
@@ -65,6 +65,59 @@ preallocate() {
# shellcheck disable=SC2034 # shellcheck disable=SC2034
readonly -f preallocate readonly -f preallocate
#######################################
# Validate that the rootfs attestation artifacts exist in the final ISO payload tree.
# Globals:
# None
# Arguments:
# 1: Rootfs attestation manifest path
# Returns:
# 0: on success
# 42: on failure
#######################################
require_rootfs_attestation_artifacts() {
declare manifest="${1}"
declare signature="${manifest}.sig"
declare artifact=""
for artifact in "${manifest}" "${signature}"; do
if [[ ! -e "${artifact}" ]]; then
printf "\e[91m❌ Required rootfs attestation artifact missing: [%s]. \e[0m\n" "${artifact}" >&2
return 42
fi
if [[ -L "${artifact}" || ! -f "${artifact}" ]]; then
printf "\e[91m❌ Required rootfs attestation artifact is not a regular file: [%s]. \e[0m\n" "${artifact}" >&2
return 42
fi
if [[ ! -s "${artifact}" ]]; then
printf "\e[91m❌ Required rootfs attestation artifact is empty: [%s]. \e[0m\n" "${artifact}" >&2
return 42
fi
if [[ ! -r "${artifact}" ]]; then
printf "\e[91m❌ Required rootfs attestation artifact is not readable: [%s]. \e[0m\n" "${artifact}" >&2
return 42
fi
done
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f require_rootfs_attestation_artifacts
####################################### #######################################
# Create and sign the rootfs attestation manifest for the exact SquashFS payload copied into the LUKS mapper. # Create and sign the rootfs attestation manifest for the exact SquashFS payload copied into the LUKS mapper.
# Globals: # Globals:
@@ -142,9 +195,12 @@ EOF
# shellcheck disable=SC2034 # shellcheck disable=SC2034
readonly -f create_attestation readonly -f create_attestation
declare LUKSFS="${VAR_HANDLER_BUILD_DIR}/binary/live/ciss_rootfs.crypt" declare LIVE_PAYLOAD_DIR="${VAR_HANDLER_BUILD_DIR}/binary/live"
declare ROOTFS="${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs" declare ROOTFS_ATTESTATION_NAME="filesystem.squashfs.sha512sum.txt"
declare ROOTFS_ATTESTATION="${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs.sha512sum.txt" declare ROOTFS_ATTESTATION_REL="live/${ROOTFS_ATTESTATION_NAME}"
declare LUKSFS="${LIVE_PAYLOAD_DIR}/ciss_rootfs.crypt"
declare ROOTFS="${LIVE_PAYLOAD_DIR}/filesystem.squashfs"
declare ROOTFS_ATTESTATION="${VAR_HANDLER_BUILD_DIR}/binary/${ROOTFS_ATTESTATION_REL}"
declare DM_LAB="crypt_liveiso" declare DM_LAB="crypt_liveiso"
declare DEVMAP="/dev/mapper/${DM_LAB}" declare DEVMAP="/dev/mapper/${DM_LAB}"
declare LUKS_KEY_FILE="${VAR_TMP_SECRET}/${VAR_LUKS_KEY:-luks.txt}" declare LUKS_KEY_FILE="${VAR_TMP_SECRET}/${VAR_LUKS_KEY:-luks.txt}"
@@ -162,8 +218,10 @@ declare -i VAR_ROOTFS_SIZE="$(stat -c%s -- "${ROOTFS}")"
printf "\e[95m🧪 Attestation of filesystem.squashfs ... \e[0m\n" printf "\e[95m🧪 Attestation of filesystem.squashfs ... \e[0m\n"
create_attestation "${ROOTFS}" "${ROOTFS_ATTESTATION}" create_attestation "${ROOTFS}" "${ROOTFS_ATTESTATION}"
require_rootfs_attestation_artifacts "${ROOTFS_ATTESTATION}"
printf "\e[92m✅ Attestation of filesystem.squashfs successful. \e[0m\n" printf "\e[92m✅ Attestation of filesystem.squashfs successful: ISO paths [/%s] and [/%s.sig]. \e[0m\n" \
"${ROOTFS_ATTESTATION_REL}" "${ROOTFS_ATTESTATION_REL}"
### Safety margin: ### Safety margin:
# - LUKS2-Header and Metadata # - LUKS2-Header and Metadata
@@ -250,6 +308,8 @@ shred -fzu -n 5 -- "${LUKS_KEY_FILE}"
rm -f -- "${ROOTFS}" rm -f -- "${ROOTFS}"
require_rootfs_attestation_artifacts "${ROOTFS_ATTESTATION}"
umask "${__umask}" umask "${__umask}"
__umask="" __umask=""
config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest
+66 -3
View File
@@ -23,7 +23,7 @@
# SHA-512 digest and the exact byte length; allocation slack after that SquashFS payload is intentionally out of scope. # SHA-512 digest and the exact byte length; allocation slack after that SquashFS payload is intentionally out of scope.
# - Panics on missing, malformed, unauthentic, or mismatched evidence. # - Panics on missing, malformed, unauthentic, or mismatched evidence.
# set -eu set -eu
printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] \n\e[0m" printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] \n\e[0m"
@@ -39,7 +39,8 @@ export CDLB_MAPPER_DEV="${CDLB_MAPPER_DEV:-/dev/mapper/${CDLB_MAPPER_NAME}}"
export CDLB_MNT_MEDIUM="${CDLB_MNT_MEDIUM:-/run/live/medium}" export CDLB_MNT_MEDIUM="${CDLB_MNT_MEDIUM:-/run/live/medium}"
### Locations of the attestation file of filesystem.squashfs on the verified live medium. -------------------------------------- ### Locations of the attestation file of filesystem.squashfs on the verified live medium. --------------------------------------
CDLB_ROOTFS_ATTEST_MANIFEST="${CDLB_ROOTFS_ATTEST_MANIFEST:-${CDLB_MNT_MEDIUM}/live/filesystem.squashfs.sha512sum.txt}" CDLB_ROOTFS_ATTEST_NAME="${CDLB_ROOTFS_ATTEST_NAME:-filesystem.squashfs.sha512sum.txt}"
CDLB_ROOTFS_ATTEST_MANIFEST="${CDLB_ROOTFS_ATTEST_MANIFEST:-${CDLB_MNT_MEDIUM}/live/${CDLB_ROOTFS_ATTEST_NAME}}"
CDLB_ROOTFS_ATTEST_SIGNATURE="${CDLB_ROOTFS_ATTEST_SIGNATURE:-${CDLB_ROOTFS_ATTEST_MANIFEST}.sig}" CDLB_ROOTFS_ATTEST_SIGNATURE="${CDLB_ROOTFS_ATTEST_SIGNATURE:-${CDLB_ROOTFS_ATTEST_MANIFEST}.sig}"
CDLB_ROOTFS_ATTEST_CHECK="${CDLB_ROOTFS_ATTEST_CHECK:-/run/ciss-rootfs-attestation.sha512sum}" CDLB_ROOTFS_ATTEST_CHECK="${CDLB_ROOTFS_ATTEST_CHECK:-/run/ciss-rootfs-attestation.sha512sum}"
CDLB_KEY_DIR="${CDLB_KEY_DIR:-/etc/ciss/keys}" CDLB_KEY_DIR="${CDLB_KEY_DIR:-/etc/ciss/keys}"
@@ -73,6 +74,16 @@ log_ok() { printf '\e[92m[INFO] %s \n\e[0m' "$*"; }
####################################### #######################################
log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; } log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }
### Provide a local fail-closed fallback when this file is executed as a subprocess outside the live-boot shell context. --------
if ! command -v panic >/dev/null 2>&1; then
panic() {
log_er "${*}"
exit 1
}
fi
####################################### #######################################
# Validate a boot-time attestation input file. # Validate a boot-time attestation input file.
# Globals: # Globals:
@@ -125,6 +136,52 @@ require_attestation_file() {
return 0 return 0
} }
#######################################
# Resolve rootfs attestation paths on known live medium mountpoints.
# Globals:
# CDLB_MNT_MEDIUM
# CDLB_ROOTFS_ATTEST_MANIFEST
# CDLB_ROOTFS_ATTEST_NAME
# CDLB_ROOTFS_ATTEST_SIGNATURE
# Arguments:
# None
# Returns:
# 0: on success
#######################################
resolve_rootfs_attestation_artifacts() {
medium_path=""
manifest_path=""
signature_path=""
if [ -f "${CDLB_ROOTFS_ATTEST_MANIFEST}" ] && [ -f "${CDLB_ROOTFS_ATTEST_SIGNATURE}" ]; then
return 0
fi
for medium_path in "${CDLB_MNT_MEDIUM}" /run/live/medium /lib/live/mount/medium /cdrom; do
[ -n "${medium_path}" ] || continue
manifest_path="${medium_path}/live/${CDLB_ROOTFS_ATTEST_NAME}"
signature_path="${manifest_path}.sig"
if [ -f "${manifest_path}" ] && [ -f "${signature_path}" ]; then
CDLB_ROOTFS_ATTEST_MANIFEST="${manifest_path}"
CDLB_ROOTFS_ATTEST_SIGNATURE="${signature_path}"
return 0
fi
done
log_er "0042() : Rootfs attestation artifacts not found. Expected manifest/signature: [${CDLB_ROOTFS_ATTEST_MANIFEST}] [${CDLB_ROOTFS_ATTEST_SIGNATURE}]"
panic "0042() : Rootfs attestation artifacts not found. Expected manifest/signature: [${CDLB_ROOTFS_ATTEST_MANIFEST}] [${CDLB_ROOTFS_ATTEST_SIGNATURE}]"
return 1
}
####################################### #######################################
# Validate the decrypted rootfs payload device. # Validate the decrypted rootfs payload device.
# Globals: # Globals:
@@ -144,7 +201,11 @@ require_rootfs_payload_device() {
fi fi
if [ -L "${artifact_path}" ] || { [ ! -b "${artifact_path}" ] && [ ! -f "${artifact_path}" ]; }; then if [ -b "${artifact_path}" ]; then
:
elif [ -L "${artifact_path}" ] || [ ! -f "${artifact_path}" ]; then
log_er "0042() : Rootfs payload must be a block device or regular test fixture: [${artifact_path}]" log_er "0042() : Rootfs payload must be a block device or regular test fixture: [${artifact_path}]"
panic "0042() : Rootfs payload must be a block device or regular test fixture: [${artifact_path}]" panic "0042() : Rootfs payload must be a block device or regular test fixture: [${artifact_path}]"
@@ -270,6 +331,8 @@ verify_rootfs_payload() {
return 0 return 0
} }
resolve_rootfs_attestation_artifacts
HASH_FILE="${CDLB_ROOTFS_ATTEST_MANIFEST}" HASH_FILE="${CDLB_ROOTFS_ATTEST_MANIFEST}"
SIGN_FILE="${CDLB_ROOTFS_ATTEST_SIGNATURE}" SIGN_FILE="${CDLB_ROOTFS_ATTEST_SIGNATURE}"
KEYFILE="${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg" KEYFILE="${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg"