V8.13.528.2025.12.03
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
@@ -299,16 +299,14 @@ Verify_checksums() {
|
||||
case "${_RETURN_PGP},${_RETURN_SHA}" in
|
||||
|
||||
"0,0")
|
||||
log_ok "Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds."
|
||||
log_success_msg "Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds."
|
||||
sleep 8
|
||||
log_ok "Verification of [GPG signature] and [sha checksum] file successful; continuing booting."
|
||||
log_success_msg "Verification of [GPG signature] and [sha checksum] file successful; continuing booting."
|
||||
return 0
|
||||
;;
|
||||
|
||||
"na,0")
|
||||
log_ok "Verification of [sha checksum] file successful; continuing booting in 8 seconds."
|
||||
log_success_msg "Verification of [sha checksum] file successful; continuing booting in 8 seconds."
|
||||
sleep 8
|
||||
log_ok "Verification of [sha checksum] file successful; continuing booting."
|
||||
log_success_msg "Verification of [sha checksum] file successful; continuing booting."
|
||||
return 0
|
||||
;;
|
||||
|
||||
|
||||
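Review bot: The `"na,0"` arm returns 0 and lets boot continue on a checksum match alone, so whatever condition sets `_RETURN_PGP` to `na` (presumably a missing or skipped signature check) silently degrades authenticity verification to an unsigned digest; if unsigned boot is not an intended policy this arm should fail like the other non-`0,0` cases, or at minimum announce the downgrade, e.g. `"na,0") log_warning_msg "GPG signature not checked; continuing on [sha checksum] only."; return 0 ;;`. Separately, the new side keeps a message promising "continuing booting in 8 seconds" immediately before "continuing booting." while the hunk's line counts suggest the `sleep 8` between them is the removed line, so the first message looks stale and one of the two should go. Verify_checksums starts before this hunk and its remaining arms follow it.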
@@ -17,8 +17,6 @@
|
||||
# Purpose: Late rootfs attestation and dmsetup health checking.
|
||||
# Phase : executed by live-boot inside the 9990-main.sh.
|
||||
|
||||
# TODO: Remove Debug Mode
|
||||
|
||||
_SAVED_SET_OPTS="$(set +o)"
|
||||
|
||||
set -eu
|
||||
@@ -72,10 +70,26 @@ HASH_FILE="${CDLB_ATTEST_FPR_SHA}"
|
||||
SIGN_FILE="${CDLB_ATTEST_FPR_SIG}"
|
||||
KEYFILE="${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg"
|
||||
|
||||
[ -s "${KEYFILE}" ] || { log_er "0042() : No public key found under: [${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"; exit 42; }
|
||||
[ -s "${HASH_FILE}" ] || { log_er "0042() : Attestation data missing: [${HASH_FILE}]"; exit 42; }
|
||||
[ -s "${SIGN_FILE}" ] || { log_er "0042() : Attestation signature missing: [${SIGN_FILE}]"; exit 42; }
|
||||
if [ -s "${KEYFILE}" ]; then
|
||||
|
||||
log_er "0042() : No public key found under: [${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"
|
||||
panic "0042() : No public key found under: [${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"
|
||||
|
||||
fi
|
||||
|
||||
if [ -s "${HASH_FILE}" ]; then
|
||||
|
||||
log_er "0042() : Attestation data missing: [${HASH_FILE}]"
|
||||
panic "0042() : Attestation data missing: [${HASH_FILE}]"
|
||||
|
||||
fi
|
||||
|
||||
if [ -s "${SIGN_FILE}" ]; then
|
||||
|
||||
log_er "0042() : Attestation signature missing: [${SIGN_FILE}]"
|
||||
panic "0042() : Attestation signature missing: [${SIGN_FILE}]"
|
||||
|
||||
fi
|
||||
|
||||
log_in "0042() : Verifying rootfs attestation with 'gpgv' and inside LUKS encrypted rootfs pinned GPG FPR."
|
||||
_STATUS="$(/usr/bin/gpgv --keyring "${KEYFILE}" --status-fd 1 "${SIGN_FILE}" "${HASH_FILE}")"
|
||||
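Review bot: The three new guards are inverted: `[ -s "${KEYFILE}" ]` succeeds when the file exists and is non-empty, so the script now panics on the good path and, when the key, hash or signature file is missing, falls through to the `gpgv` call with no precondition check at all; the removed one-liners had the `||` sense. Each `if` needs a negation, `if [ ! -s "${KEYFILE}" ]; then`, and likewise `if [ ! -s "${HASH_FILE}" ]; then` and `if [ ! -s "${SIGN_FILE}" ]; then`. The switch from `exit 42` to `panic` also assumes `panic` is defined in the context this script runs in; that is not visible here and is worth confirming, since an undefined function under `set -eu` would itself abort with a far less useful message.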
@@ -89,71 +103,8 @@ if [ "${_CDLB_SIG_FILE_FPR}" = "${CDLB_EXP_FPR}" ]; then
|
||||
else
|
||||
|
||||
log_er "0042() : Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
|
||||
#sleep 8
|
||||
#panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
|
||||
|
||||
fi
|
||||
|
||||
### 'dmsetup' health check -----------------------------------------------------------------------------------------------------
|
||||
MAP_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
|
||||
if [ -b "${MAP_DEV}" ]; then
|
||||
|
||||
log_in "0042() : Checking dmsetup table for ${MAP_DEV}"
|
||||
|
||||
TOP_LINE="$(/usr/sbin/dmsetup table --showkeys "${MAP_DEV}" 2>/dev/null | awk 'NR==1{print; exit}')"
|
||||
if printf '%s\n' "${TOP_LINE}" | grep -q ' crypt '; then
|
||||
|
||||
log_ok "0042() : Top layer is 'crypt'."
|
||||
|
||||
else
|
||||
|
||||
log_er "0042() : Top layer is NOT 'crypt'."
|
||||
#sleep 8
|
||||
#panic "[FATAL] Top layer is NOT 'crypt'."
|
||||
|
||||
fi
|
||||
|
||||
if printf '%s\n' "${TOP_LINE}" | grep -Eq ' xts|aes-xts'; then
|
||||
|
||||
log_ok "0042() : Cipher looks like AES-XTS."
|
||||
|
||||
else
|
||||
|
||||
log_er "0042() : Cipher does not look like AES-XTS."
|
||||
#sleep 8
|
||||
#panic "[FATAL] Cipher does not look like AES-XTS."
|
||||
|
||||
fi
|
||||
|
||||
### Extract child device token (the second last field is 'device', the last is 'offset.') --------------------------------------
|
||||
CHILD_TOK="$(printf '%s\n' "${TOP_LINE}" | awk '{print $(NF-1)}')"
|
||||
CHILD_NAME="${CHILD_TOK}"
|
||||
|
||||
case "${CHILD_TOK}" in
|
||||
|
||||
*:* )
|
||||
if [ -e "/sys/dev/block/${CHILD_TOK}/dm/name" ]; then
|
||||
CHILD_NAME="$(cat "/sys/dev/block/${CHILD_TOK}/dm/name" 2>/dev/null || true)"
|
||||
[ -n "${CHILD_NAME}" ] || CHILD_NAME="${CHILD_TOK}"
|
||||
fi
|
||||
;;
|
||||
|
||||
/dev/* )
|
||||
CHILD_NAME="$(basename -- "${CHILD_TOK}")"
|
||||
;;
|
||||
|
||||
esac
|
||||
|
||||
#### Child layer must be 'integrity' with hmac and sha512 and 4096-byte sectors (best-effort greps). ---------------------------
|
||||
log_in "Checking underlying integrity target: ${CHILD_NAME}"
|
||||
|
||||
CHILD_TAB="$(/usr/sbin/dmsetup table --showkeys "${CHILD_NAME}" 2>/dev/null || true)"
|
||||
printf '%s\n' "${CHILD_TAB}" | grep -q ' integrity ' || { log_er "0042() : Underlying layer is not 'integrity'"; }
|
||||
printf '%s\n' "${CHILD_TAB}" | grep -qi 'hmac' || { log_er "0042() : Integrity target not using keyed MAC (hmac)"; }
|
||||
printf '%s\n' "${CHILD_TAB}" | grep -qi 'sha512' || { log_er "0042() : Integrity algo not sha512"; }
|
||||
printf '%s\n' "${CHILD_TAB}" | grep -Eq '\b4096\b' || { log_er "0042() : Expected 4096-byte sector size not found"; }
|
||||
|
||||
log_ok "0042() : dm-crypt and dm-integrity(HMAC-SHA512, 4096B) chain looks healthy."
|
||||
sleep 8
|
||||
panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
|
||||
|
||||
fi
|
||||
|
||||
|
||||
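Review bot: The entire dm-crypt/dm-integrity chain check (top layer `crypt`, AES-XTS cipher, child `integrity` target with hmac, sha512 and 4096-byte sectors) is removed from this script, leaving only the fingerprint comparison, while the file header two hunks up still states the purpose as "Late rootfs attestation and dmsetup health checking"; unless the check was relocated, either restore it or update the header comment so the remaining coverage is not overstated. If it is restored, note that the old version only logged failures (`panic` was commented out), so it never actually enforced anything. Promoting the commented-out `sleep 8`/`panic` into live code on the mismatch branch is the right direction; for consistency with every other message in this file the text could carry the same prefix, e.g. `panic "0042() : Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"`. The enclosing `if` begins before this hunk.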
@@ -488,13 +488,10 @@ setup_unionfs ()
|
||||
done
|
||||
fi
|
||||
|
||||
# TODO: Remove Debug
|
||||
### CISS override for /usr/lib/live/boot/0042_ciss_post_decrypt_attest -------------------------------------------------------
|
||||
printf "\e[92m[INFO] Calling : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] ... \n\e[0m"
|
||||
printf "\e[95m[INFO] Calling : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] ... \n\e[0m"
|
||||
[ -x /usr/lib/live/boot/0042_ciss_post_decrypt_attest ] && /usr/lib/live/boot/0042_ciss_post_decrypt_attest
|
||||
printf "\e[92m[INFO] Calling : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] done. \n\e[0m"
|
||||
|
||||
sleep 16
|
||||
### CISS override for /usr/lib/live/boot/0042_ciss_post_decrypt_attest -------------------------------------------------------
|
||||
|
||||
printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/9990-overlay.sh] \n\e[0m"
|
||||
|
||||
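Review bot: The call site `[ -x /usr/lib/live/boot/0042_ciss_post_decrypt_attest ] && /usr/lib/live/boot/0042_ciss_post_decrypt_attest` is fail-open: a hook that is absent, not executable, or that exits non-zero is silently skipped and boot continues, so the attestation only holds if the hook can always stop the boot from inside itself. If the hook is mandatory on this image, the caller should require its presence and check its exit status, as sketched below. Whether `panic` is in scope at this point of 9990-overlay.sh is not visible in this hunk and should be confirmed; `setup_unionfs` begins before the hunk.
```shell
printf "\e[95m[INFO] Calling : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] ... \n\e[0m"
if [ -x /usr/lib/live/boot/0042_ciss_post_decrypt_attest ]; then
    /usr/lib/live/boot/0042_ciss_post_decrypt_attest \
        || panic "[FATAL] 0042_ciss_post_decrypt_attest failed (exit status $?)."
else
    panic "[FATAL] Attestation hook missing or not executable: [/usr/lib/live/boot/0042_ciss_post_decrypt_attest]."
fi
# … unchanged: "Successfully applied" message …
```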