V8.13.512.2025.11.27

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-27 23:44:42 +00:00
parent 7fc9692ce2
commit 26e22f47a5
21 changed files with 501 additions and 332 deletions
--- a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
+++ b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
@@ -22,6 +22,8 @@ declare -g PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"
 ### Will be replaced at build time:
 declare -gr CDLB_DB_EXP_FPR="@EXP_FPR@"
 declare -gr CDLB_DB_EXP_CA_FPR="@EXP_CA_FPR@"
+declare -gr CDLB_MAPPER_NAME="crypt_liveiso"
+declare -gr CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"

 #######################################
 # Variable declaration
@@ -36,8 +38,6 @@ declare -r MAG='\e[0;95m'
 declare -r RED='\e[0;91m'
 declare -r RES='\e[0m'
 declare -r NL='\n'
-declare -g NUKE_ENABLED='false'
-declare -g NUKE_HASH=''
 declare -g PASSPHRASE=''

 #######################################
@@ -56,6 +56,9 @@ ask_via_stdin() {
  printf "\n" >&2
  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f ask_via_stdin

 #######################################
 # Printed text in color.
@@ -64,6 +67,9 @@ ask_via_stdin() {
 #   *: Text to print.
 #######################################
 color_echo() { declare c="${1}"; shift; declare msg="${*}"; printf "%b%s %b%b" "${c}" "${msg}" "${RES}" "${NL}"; return 0; }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f color_echo

 #######################################
 # Die Helper: print and then exit hard.
@@ -74,6 +80,9 @@ color_echo() { declare c="${1}"; shift; declare msg="${*}"; printf "%b%s %b%b" "
 #   1: Message string to print.
 #######################################
 die() { printf "%b✘ %s %b%b" "${RED}" "$1" "${RES}" "${NL}" >&2; power_off 3; }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f die

 #######################################
 # Drop into the bash environment.
@@ -81,111 +90,9 @@ die() { printf "%b✘ %s %b%b" "${RED}" "$1" "${RES}" "${NL}" >&2; power_off 3;
 #   None
 #######################################
 drop_bash() { stty echo 2>/dev/null || true; prompt_string; exec /bin/bash -i; }
-
-#######################################
-# Extract the 'nuke=' parameter from '/proc/cmdline'.
-# Globals:
-#   GRE
-#   NUKE_ENABLED
-#   NUKE_HASH
-#   RED
-#   REGEX
-# Arguments:
-#   None
-# Returns:
-#   0: on success
-#######################################
-extract_nuke_hash() {
-  declare     ARG="" CMDLINE=""
-
-  ### Read '/proc/cmdline' into a single line safely.
-  read -r CMDLINE < /proc/cmdline
-
-  for ARG in ${CMDLINE}; do
-
-    # shellcheck disable=SC2249
-    case "${ARG,,}" in
-
-      nuke=*)
-        NUKE_HASH="${ARG#*=}"
-        if [[ "${NUKE_HASH}" =~ ${REGEX} ]]; then
-
-          declare -g NUKE_ENABLED="true"
-          color_echo "${GRE}" "✅ System self check: [ok]"
-          return 0
-
-        else
-
-          ### If there is a malformed Grub Bootparameter 'nuke=HASH', drop to bash.
-          color_echo "${RED}" "✘ Nuke Hash Malformat : [${REGEX}] [${NUKE_HASH}]."
-          color_echo "${RED}" "✘ Dropping to bash ...:"
-          drop_bash
-
-        fi
-      ;;
-
-    esac
-
-  done
-
-  color_echo "${GRE}" "✅ No Nuke Hash found."
-
-  return 0
-}
-
-#######################################
-# Gather information of all LUKS Devices available on the system.
-# Arguments:
-#   None
-#######################################
-gather_luks_devices() {
-  declare     prev=() curr=()
-  declare -i  tries=0
-
-  while ((tries < 10)); do
-
-    # shellcheck disable=SC2312
-    mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | /usr/bin/sort -V)
-
-    if [[ "${curr[*]}" == "${prev[*]}" ]]; then
-      break
-    fi
-
-    prev=("${curr[@]}")
-    tries=$((tries + 1))
-    sleep 1
-
-  done
-
-  printf '%s\n' "${curr[@]}"
-
-  return 0
-}
-
-#######################################
-# Erase the LUKS headers on all LUKS devices, then shut down the system.
-# Globals:
-#   DEVICES_LUKS
-#   RED
-# Arguments:
-#   None
-#######################################
-nuke() {
-  declare     dev=""
-
-  for dev in "${DEVICES_LUKS[@]}"; do
-
-    cryptsetup erase --batch-mode "${dev}" || true
-    color_echo "${RED}" "✘ Error: LUKS Device Header malfunction: [${dev}]."
-
-  done
-
-  secure_unset_pass
-
-  color_echo "${RED}" "✘ Error: LUKS Device malfunction. System Power Off in 16 seconds."
-
-  power_off 16
-}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f drop_bash

 #######################################
 # Unified power-off routine.
@@ -200,6 +107,9 @@ power_off() {
  echo o >| /proc/sysrq-trigger
  ### The System powers off immediately; no further code is executed.
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f power_off

 #######################################
 # Print Error Message for Trap on 'ERR' on Terminal.
@@ -233,6 +143,9 @@ print_scr_err() {

  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f print_scr_err

 #######################################
 # Print Error Message for '0'-Exit-Code on Terminal.
@@ -242,6 +155,9 @@ print_scr_err() {
 #   None
 #######################################
 print_scr_scc() { color_echo "${GRE}" "✅ Script exited successfully. Proceeding with booting."; sleep 3; }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f print_scr_scc

 #######################################
 # Generates an informative shell prompt.
@@ -264,12 +180,13 @@ else \
 fi)\
 |~\$ "
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f prompt_string

 #######################################
 # Read the passphrase interactively.
 # Globals:
-#   NUKE_ENABLED
-#   NUKE_HASH
 #   PASSPHRASE
 # Arguments:
 #   None
@@ -277,31 +194,13 @@ fi)\
 #   0: on success
 #######################################
 read_passphrase() {
-  declare -i  ROUNDS=0
-  declare     CAND="" SALT=""
-
  ### Read from SSH STDIN (or TTY fallback), never via '/lib/cryptsetup/askpass'.
  ask_via_stdin "Enter passphrase: " PASSPHRASE
-
-  ### NUKE pre-check.
-  if [[ "${NUKE_ENABLED,,}" == "true" ]]; then
-
-    ROUNDS="$(cut -d'$' -f3 <<< "${NUKE_HASH}")"
-    ROUNDS="${ROUNDS#rounds=}"
-    SALT="$(cut -d'$' -f4 <<< "${NUKE_HASH}")"
-    CAND=$(/usr/mkpasswd --method=sha-512 --salt="${SALT}" --rounds="${ROUNDS}" "${PASSPHRASE}")
-
-    ### NUKE final check.
-    if [[ "${CAND}" == "${NUKE_HASH}" ]]; then
-
-      nuke
-
-    fi
-
-  fi
-
  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f read_passphrase

 #######################################
 # Securely unset the 'PASSPHRASE'-variable.
@@ -311,6 +210,9 @@ read_passphrase() {
 #   None
 #######################################
 secure_unset_pass() { unset PASSPHRASE; PASSPHRASE=""; return 0; }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f secure_unset_pass

 #######################################
 # Trap function to be called on 'ERR'.
@@ -334,6 +236,9 @@ trap_on_err() {
  print_scr_err "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}"
  power_off 16
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f trap_on_err

 #######################################
 # Security Trap on 'EXIT'.
@@ -346,6 +251,9 @@ trap_on_exit() {
  trap - ERR EXIT INT TERM
  [[ "${ERRTRAP,,}" == "false" ]] && print_scr_scc
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f trap_on_exit

 #######################################
 # Security Trap on 'INT' and 'TERM' to provide a deterministic way to not circumvent the nuke routine.
@@ -362,6 +270,9 @@ trap_on_term() {
  color_echo "${RED}" "✘ Received termination signal. System Power Off in 3 seconds."
  power_off 3
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f trap_on_term

 #######################################
 # Check the integrity and authenticity of this script itself.
@@ -382,13 +293,13 @@ verify_script() {

  for item in "${algo[@]}"; do

-    hashfile="${dir}/${script}.${item}sum.txt"
+    hashfile="${dir}/${script}.sha${item}sum.txt"
    sigfile="${hashfile}.sig"
    cmd="${item}sum"

    color_echo "${MAG}" "🔏 Verifying signature of: [${hashfile}]"

-    if ! gpgv --keyring /etc/ciss/keys/"${sigfile}".gpg "${sigfile}" "${hashfile}"; then
+    if ! gpgv --keyring "/etc/ciss/keys/${CDLB_DB_EXP_FPR}.gpg" "${sigfile}" "${hashfile}"; then

      color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]"
      color_echo "${RED}" "✘ System Power Off in 3 seconds."
@@ -423,6 +334,9 @@ verify_script() {
  color_echo "${GRE}" "🔏 All signatures and hashes verified successfully. Proceeding."
  return 0
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f verify_script

 #######################################
 # Main Program Sequence.
@@ -438,6 +352,8 @@ verify_script() {
 #   None
 #######################################
 main() {
+  declare PASS="" COUNTER=0 PASS_SENT=0 WAIT_LOOP=0
+
  exec 1>&2

  trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
@@ -454,44 +370,62 @@ main() {
  color_echo "${MAG}" "Integrity self-check ..."
  verify_script

-  ### Read newline-separated output into an array.
+  while :; do
+
+    if [[ -b "${CDLB_MAPPER_DEV}" ]]; then
+
+      secure_unset_pass
+      printf "%b" "${NL}"
+      color_echo "${GRE}" "CISS LUKS Container successfully opened. Closing dropbear connection in 3 seconds."
+      sleep 3
+      exit 0
+
+    fi
+
+    if [[ "${COUNTER}" -eq 3 ]]; then
+
+      secure_unset_pass
+      break
+
+    fi
+
+    if [[ "${PASS_SENT}" -eq 0 ]]; then
+
+      # shellcheck disable=SC2310
+      read_passphrase || continue
+
+      printf '%s\n' "${PASSPHRASE}" >| /lib/cryptsetup/passfifo 2>/dev/null || :
+
+      PASS_SENT=1
+      WAIT_LOOP=0
+
+    else
+
+      WAIT_LOOP=$((WAIT_LOOP + 1))
+      COUNTER=$((COUNTER + 1))
+
+      if [[ "${WAIT_LOOP}" -ge 160 ]]; then
+
+        color_echo "${GRE}" "Please try again"
+
+        PASS_SENT=0
+        WAIT_LOOP=0
+
+      fi
+
+    fi
+
+    sleep 0.1
+
+  done
+
  printf "%b" "${NL}"
-  color_echo "${MAG}" "Scanning for LUKS devices ..."
-  # shellcheck disable=SC2312
-  mapfile -t DEVICES_LUKS < <(gather_luks_devices)
-
-  ### If there are no LUKS devices at all, drop to bash.
-  if (( ${#DEVICES_LUKS[@]} == 0 )); then
-    printf "%b" "${NL}"
-    color_echo "${RED}" "✘ No LUKS Devices found. Dropping to bash ..."
-    drop_bash
-  fi
-
-  ### Extract the 'nuke='-parameter from '/proc/cmdline'.
-  printf "%b" "${NL}"
-  extract_nuke_hash
-
-  ### Read passphrase interactively.
-  read_passphrase
-
-  if printf "%s" "${PASSPHRASE}" | cryptroot-unlock; then
-
-    secure_unset_pass
-    exit 0
-
-  else
-
-    secure_unset_pass
-
-    printf "%b" "${NL}"
-    color_echo "${RED}" "✘ Unsuccessful command 'cryptroot-unlock'."
-    color_echo "${GRE}" "  No LUKS operations performed. Dropping to bash ..."
-    color_echo "${GRE}" "  To unlock 'root' partition, and maybe others like '/home', run 'cryptroot-unlock'."
-
-    drop_bash
-
-  fi
+  color_echo "${GRE}" "No LUKS operations successful. Dropping to bash ..."
+  drop_bash
 }
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f main

 main "${@}"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/config/includes.chroot/etc/modprobe.d/30-cendev-hardening.conf
+++ b/config/includes.chroot/etc/modprobe.d/30-cendev-hardening.conf
@@ -1,3 +1,5 @@
+# bashsupport disable=BP5007
+
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
--- a/config/includes.chroot/etc/resolv.conf
+++ b/config/includes.chroot/etc/resolv.conf
@@ -0,0 +1,16 @@
+# bashsupport disable=BP5007
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-26; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+ln -s /run/systemd/resolve/stub-resolv.conf /run/systemd/resolve/stub-resolv.conf
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/config/includes.chroot/etc/systemd/network/90-ciss-ethernet.network
+++ b/config/includes.chroot/etc/systemd/network/90-ciss-ethernet.network
@@ -9,9 +9,28 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+[Match]
+Type=ether
+
 [Network]
 DHCP=yes
+DNSOverTLS=opportunistic
+DNSSEC=yes
+IPv6AcceptRA=yes
 LinkLocalAddressing=ipv6

+[DHCPv4]
+RoutesToDNS=no
+UseDNS=yes
+UseDomains=no
+UseHostname=no
+UseNTP=no
+
+[DHCPv6]
+RoutesToDNS=no
+UseDNS=yes
+UseDomains=no
+UseHostname=no
+UseNTP=no

 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf