|
|
|
@@ -22,6 +22,8 @@ declare -g PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"
|
|
|
|
|
### Will be replaced at build time:
|
|
|
|
|
declare -gr CDLB_DB_EXP_FPR="@EXP_FPR@"
|
|
|
|
|
declare -gr CDLB_DB_EXP_CA_FPR="@EXP_CA_FPR@"
|
|
|
|
|
declare -gr CDLB_MAPPER_NAME="crypt_liveiso"
|
|
|
|
|
declare -gr CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
|
|
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
|
# Variable declaration
|
|
|
|
@@ -36,8 +38,6 @@ declare -r MAG='\e[0;95m'
|
|
|
|
|
declare -r RED='\e[0;91m'
|
|
|
|
|
declare -r RES='\e[0m'
|
|
|
|
|
declare -r NL='\n'
|
|
|
|
|
declare -g NUKE_ENABLED='false'
|
|
|
|
|
declare -g NUKE_HASH=''
|
|
|
|
|
declare -g PASSPHRASE=''
|
|
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
@@ -56,6 +56,9 @@ ask_via_stdin() {
|
|
|
|
|
printf "\n" >&2
|
|
|
|
|
return 0
|
|
|
|
|
}
|
|
|
|
|
### Prevents accidental 'unset -f'.
|
|
|
|
|
# shellcheck disable=SC2034
|
|
|
|
|
readonly -f ask_via_stdin
|
|
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
|
# Printed text in color.
|
|
|
|
@@ -64,6 +67,9 @@ ask_via_stdin() {
|
|
|
|
|
# *: Text to print.
|
|
|
|
|
#######################################
|
|
|
|
|
color_echo() { declare c="${1}"; shift; declare msg="${*}"; printf "%b%s %b%b" "${c}" "${msg}" "${RES}" "${NL}"; return 0; }
|
|
|
|
|
### Prevents accidental 'unset -f'.
|
|
|
|
|
# shellcheck disable=SC2034
|
|
|
|
|
readonly -f color_echo
|
|
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
|
# Die Helper: print and then exit hard.
|
|
|
|
@@ -74,6 +80,9 @@ color_echo() { declare c="${1}"; shift; declare msg="${*}"; printf "%b%s %b%b" "
|
|
|
|
|
# 1: Message string to print.
|
|
|
|
|
#######################################
|
|
|
|
|
die() { printf "%b✘ %s %b%b" "${RED}" "$1" "${RES}" "${NL}" >&2; power_off 3; }
|
|
|
|
|
### Prevents accidental 'unset -f'.
|
|
|
|
|
# shellcheck disable=SC2034
|
|
|
|
|
readonly -f die
|
|
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
|
# Drop into the bash environment.
|
|
|
|
@@ -81,111 +90,9 @@ die() { printf "%b✘ %s %b%b" "${RED}" "$1" "${RES}" "${NL}" >&2; power_off 3;
|
|
|
|
|
# None
|
|
|
|
|
#######################################
|
|
|
|
|
drop_bash() { stty echo 2>/dev/null || true; prompt_string; exec /bin/bash -i; }
|
|
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
|
# Extract the 'nuke=' parameter from '/proc/cmdline'.
|
|
|
|
|
# Globals:
|
|
|
|
|
# GRE
|
|
|
|
|
# NUKE_ENABLED
|
|
|
|
|
# NUKE_HASH
|
|
|
|
|
# RED
|
|
|
|
|
# REGEX
|
|
|
|
|
# Arguments:
|
|
|
|
|
# None
|
|
|
|
|
# Returns:
|
|
|
|
|
# 0: on success
|
|
|
|
|
#######################################
|
|
|
|
|
extract_nuke_hash() {
|
|
|
|
|
declare ARG="" CMDLINE=""
|
|
|
|
|
|
|
|
|
|
### Read '/proc/cmdline' into a single line safely.
|
|
|
|
|
read -r CMDLINE < /proc/cmdline
|
|
|
|
|
|
|
|
|
|
for ARG in ${CMDLINE}; do
|
|
|
|
|
|
|
|
|
|
# shellcheck disable=SC2249
|
|
|
|
|
case "${ARG,,}" in
|
|
|
|
|
|
|
|
|
|
nuke=*)
|
|
|
|
|
NUKE_HASH="${ARG#*=}"
|
|
|
|
|
if [[ "${NUKE_HASH}" =~ ${REGEX} ]]; then
|
|
|
|
|
|
|
|
|
|
declare -g NUKE_ENABLED="true"
|
|
|
|
|
color_echo "${GRE}" "✅ System self check: [ok]"
|
|
|
|
|
return 0
|
|
|
|
|
|
|
|
|
|
else
|
|
|
|
|
|
|
|
|
|
### If there is a malformed Grub Bootparameter 'nuke=HASH', drop to bash.
|
|
|
|
|
color_echo "${RED}" "✘ Nuke Hash Malformat : [${REGEX}] [${NUKE_HASH}]."
|
|
|
|
|
color_echo "${RED}" "✘ Dropping to bash ...:"
|
|
|
|
|
drop_bash
|
|
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
;;
|
|
|
|
|
|
|
|
|
|
esac
|
|
|
|
|
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
color_echo "${GRE}" "✅ No Nuke Hash found."
|
|
|
|
|
|
|
|
|
|
return 0
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
|
# Gather information of all LUKS Devices available on the system.
|
|
|
|
|
# Arguments:
|
|
|
|
|
# None
|
|
|
|
|
#######################################
|
|
|
|
|
gather_luks_devices() {
|
|
|
|
|
declare prev=() curr=()
|
|
|
|
|
declare -i tries=0
|
|
|
|
|
|
|
|
|
|
while ((tries < 10)); do
|
|
|
|
|
|
|
|
|
|
# shellcheck disable=SC2312
|
|
|
|
|
mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | /usr/bin/sort -V)
|
|
|
|
|
|
|
|
|
|
if [[ "${curr[*]}" == "${prev[*]}" ]]; then
|
|
|
|
|
break
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
prev=("${curr[@]}")
|
|
|
|
|
tries=$((tries + 1))
|
|
|
|
|
sleep 1
|
|
|
|
|
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
printf '%s\n' "${curr[@]}"
|
|
|
|
|
|
|
|
|
|
return 0
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
|
# Erase the LUKS headers on all LUKS devices, then shut down the system.
|
|
|
|
|
# Globals:
|
|
|
|
|
# DEVICES_LUKS
|
|
|
|
|
# RED
|
|
|
|
|
# Arguments:
|
|
|
|
|
# None
|
|
|
|
|
#######################################
|
|
|
|
|
nuke() {
|
|
|
|
|
declare dev=""
|
|
|
|
|
|
|
|
|
|
for dev in "${DEVICES_LUKS[@]}"; do
|
|
|
|
|
|
|
|
|
|
cryptsetup erase --batch-mode "${dev}" || true
|
|
|
|
|
color_echo "${RED}" "✘ Error: LUKS Device Header malfunction: [${dev}]."
|
|
|
|
|
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
secure_unset_pass
|
|
|
|
|
|
|
|
|
|
color_echo "${RED}" "✘ Error: LUKS Device malfunction. System Power Off in 16 seconds."
|
|
|
|
|
|
|
|
|
|
power_off 16
|
|
|
|
|
}
|
|
|
|
|
### Prevents accidental 'unset -f'.
|
|
|
|
|
# shellcheck disable=SC2034
|
|
|
|
|
readonly -f drop_bash
|
|
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
|
# Unified power-off routine.
|
|
|
|
@@ -200,6 +107,9 @@ power_off() {
|
|
|
|
|
echo o >| /proc/sysrq-trigger
|
|
|
|
|
### The System powers off immediately; no further code is executed.
|
|
|
|
|
}
|
|
|
|
|
### Prevents accidental 'unset -f'.
|
|
|
|
|
# shellcheck disable=SC2034
|
|
|
|
|
readonly -f power_off
|
|
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
|
# Print Error Message for Trap on 'ERR' on Terminal.
|
|
|
|
@@ -233,6 +143,9 @@ print_scr_err() {
|
|
|
|
|
|
|
|
|
|
return 0
|
|
|
|
|
}
|
|
|
|
|
### Prevents accidental 'unset -f'.
|
|
|
|
|
# shellcheck disable=SC2034
|
|
|
|
|
readonly -f print_scr_err
|
|
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
|
# Print Error Message for '0'-Exit-Code on Terminal.
|
|
|
|
@@ -242,6 +155,9 @@ print_scr_err() {
|
|
|
|
|
# None
|
|
|
|
|
#######################################
|
|
|
|
|
print_scr_scc() { color_echo "${GRE}" "✅ Script exited successfully. Proceeding with booting."; sleep 3; }
|
|
|
|
|
### Prevents accidental 'unset -f'.
|
|
|
|
|
# shellcheck disable=SC2034
|
|
|
|
|
readonly -f print_scr_scc
|
|
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
|
# Generates an informative shell prompt.
|
|
|
|
@@ -264,12 +180,13 @@ else \
|
|
|
|
|
fi)\
|
|
|
|
|
|~\$ "
|
|
|
|
|
}
|
|
|
|
|
### Prevents accidental 'unset -f'.
|
|
|
|
|
# shellcheck disable=SC2034
|
|
|
|
|
readonly -f prompt_string
|
|
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
|
# Read the passphrase interactively.
|
|
|
|
|
# Globals:
|
|
|
|
|
# NUKE_ENABLED
|
|
|
|
|
# NUKE_HASH
|
|
|
|
|
# PASSPHRASE
|
|
|
|
|
# Arguments:
|
|
|
|
|
# None
|
|
|
|
@@ -277,31 +194,13 @@ fi)\
|
|
|
|
|
# 0: on success
|
|
|
|
|
#######################################
|
|
|
|
|
read_passphrase() {
|
|
|
|
|
declare -i ROUNDS=0
|
|
|
|
|
declare CAND="" SALT=""
|
|
|
|
|
|
|
|
|
|
### Read from SSH STDIN (or TTY fallback), never via '/lib/cryptsetup/askpass'.
|
|
|
|
|
ask_via_stdin "Enter passphrase: " PASSPHRASE
|
|
|
|
|
|
|
|
|
|
### NUKE pre-check.
|
|
|
|
|
if [[ "${NUKE_ENABLED,,}" == "true" ]]; then
|
|
|
|
|
|
|
|
|
|
ROUNDS="$(cut -d'$' -f3 <<< "${NUKE_HASH}")"
|
|
|
|
|
ROUNDS="${ROUNDS#rounds=}"
|
|
|
|
|
SALT="$(cut -d'$' -f4 <<< "${NUKE_HASH}")"
|
|
|
|
|
CAND=$(/usr/mkpasswd --method=sha-512 --salt="${SALT}" --rounds="${ROUNDS}" "${PASSPHRASE}")
|
|
|
|
|
|
|
|
|
|
### NUKE final check.
|
|
|
|
|
if [[ "${CAND}" == "${NUKE_HASH}" ]]; then
|
|
|
|
|
|
|
|
|
|
nuke
|
|
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
return 0
|
|
|
|
|
}
|
|
|
|
|
### Prevents accidental 'unset -f'.
|
|
|
|
|
# shellcheck disable=SC2034
|
|
|
|
|
readonly -f read_passphrase
|
|
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
|
# Securely unset the 'PASSPHRASE'-variable.
|
|
|
|
@@ -311,6 +210,9 @@ read_passphrase() {
|
|
|
|
|
# None
|
|
|
|
|
#######################################
|
|
|
|
|
secure_unset_pass() { unset PASSPHRASE; PASSPHRASE=""; return 0; }
|
|
|
|
|
### Prevents accidental 'unset -f'.
|
|
|
|
|
# shellcheck disable=SC2034
|
|
|
|
|
readonly -f secure_unset_pass
|
|
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
|
# Trap function to be called on 'ERR'.
|
|
|
|
@@ -334,6 +236,9 @@ trap_on_err() {
|
|
|
|
|
print_scr_err "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}"
|
|
|
|
|
power_off 16
|
|
|
|
|
}
|
|
|
|
|
### Prevents accidental 'unset -f'.
|
|
|
|
|
# shellcheck disable=SC2034
|
|
|
|
|
readonly -f trap_on_err
|
|
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
|
# Security Trap on 'EXIT'.
|
|
|
|
@@ -346,6 +251,9 @@ trap_on_exit() {
|
|
|
|
|
trap - ERR EXIT INT TERM
|
|
|
|
|
[[ "${ERRTRAP,,}" == "false" ]] && print_scr_scc
|
|
|
|
|
}
|
|
|
|
|
### Prevents accidental 'unset -f'.
|
|
|
|
|
# shellcheck disable=SC2034
|
|
|
|
|
readonly -f trap_on_exit
|
|
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
|
# Security Trap on 'INT' and 'TERM' to provide a deterministic way to not circumvent the nuke routine.
|
|
|
|
@@ -362,6 +270,9 @@ trap_on_term() {
|
|
|
|
|
color_echo "${RED}" "✘ Received termination signal. System Power Off in 3 seconds."
|
|
|
|
|
power_off 3
|
|
|
|
|
}
|
|
|
|
|
### Prevents accidental 'unset -f'.
|
|
|
|
|
# shellcheck disable=SC2034
|
|
|
|
|
readonly -f trap_on_term
|
|
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
|
# Check the integrity and authenticity of this script itself.
|
|
|
|
@@ -382,13 +293,13 @@ verify_script() {
|
|
|
|
|
|
|
|
|
|
for item in "${algo[@]}"; do
|
|
|
|
|
|
|
|
|
|
hashfile="${dir}/${script}.${item}sum.txt"
|
|
|
|
|
hashfile="${dir}/${script}.sha${item}sum.txt"
|
|
|
|
|
sigfile="${hashfile}.sig"
|
|
|
|
|
cmd="${item}sum"
|
|
|
|
|
|
|
|
|
|
color_echo "${MAG}" "🔏 Verifying signature of: [${hashfile}]"
|
|
|
|
|
|
|
|
|
|
if ! gpgv --keyring /etc/ciss/keys/"${sigfile}".gpg "${sigfile}" "${hashfile}"; then
|
|
|
|
|
if ! gpgv --keyring "/etc/ciss/keys/${CDLB_DB_EXP_FPR}.gpg" "${sigfile}" "${hashfile}"; then
|
|
|
|
|
|
|
|
|
|
color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]"
|
|
|
|
|
color_echo "${RED}" "✘ System Power Off in 3 seconds."
|
|
|
|
@@ -423,6 +334,9 @@ verify_script() {
|
|
|
|
|
color_echo "${GRE}" "🔏 All signatures and hashes verified successfully. Proceeding."
|
|
|
|
|
return 0
|
|
|
|
|
}
|
|
|
|
|
### Prevents accidental 'unset -f'.
|
|
|
|
|
# shellcheck disable=SC2034
|
|
|
|
|
readonly -f verify_script
|
|
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
|
# Main Program Sequence.
|
|
|
|
@@ -438,6 +352,8 @@ verify_script() {
|
|
|
|
|
# None
|
|
|
|
|
#######################################
|
|
|
|
|
main() {
|
|
|
|
|
declare PASS="" COUNTER=0 PASS_SENT=0 WAIT_LOOP=0
|
|
|
|
|
|
|
|
|
|
exec 1>&2
|
|
|
|
|
|
|
|
|
|
trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
|
|
|
|
@@ -454,44 +370,62 @@ main() {
|
|
|
|
|
color_echo "${MAG}" "Integrity self-check ..."
|
|
|
|
|
verify_script
|
|
|
|
|
|
|
|
|
|
### Read newline-separated output into an array.
|
|
|
|
|
while :; do
|
|
|
|
|
|
|
|
|
|
if [[ -b "${CDLB_MAPPER_DEV}" ]]; then
|
|
|
|
|
|
|
|
|
|
secure_unset_pass
|
|
|
|
|
printf "%b" "${NL}"
|
|
|
|
|
color_echo "${GRE}" "CISS LUKS Container successfully opened. Closing dropbear connection in 3 seconds."
|
|
|
|
|
sleep 3
|
|
|
|
|
exit 0
|
|
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if [[ "${COUNTER}" -eq 3 ]]; then
|
|
|
|
|
|
|
|
|
|
secure_unset_pass
|
|
|
|
|
break
|
|
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if [[ "${PASS_SENT}" -eq 0 ]]; then
|
|
|
|
|
|
|
|
|
|
# shellcheck disable=SC2310
|
|
|
|
|
read_passphrase || continue
|
|
|
|
|
|
|
|
|
|
printf '%s\n' "${PASSPHRASE}" >| /lib/cryptsetup/passfifo 2>/dev/null || :
|
|
|
|
|
|
|
|
|
|
PASS_SENT=1
|
|
|
|
|
WAIT_LOOP=0
|
|
|
|
|
|
|
|
|
|
else
|
|
|
|
|
|
|
|
|
|
WAIT_LOOP=$((WAIT_LOOP + 1))
|
|
|
|
|
COUNTER=$((COUNTER + 1))
|
|
|
|
|
|
|
|
|
|
if [[ "${WAIT_LOOP}" -ge 160 ]]; then
|
|
|
|
|
|
|
|
|
|
color_echo "${GRE}" "Please try again"
|
|
|
|
|
|
|
|
|
|
PASS_SENT=0
|
|
|
|
|
WAIT_LOOP=0
|
|
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
sleep 0.1
|
|
|
|
|
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
printf "%b" "${NL}"
|
|
|
|
|
color_echo "${MAG}" "Scanning for LUKS devices ..."
|
|
|
|
|
# shellcheck disable=SC2312
|
|
|
|
|
mapfile -t DEVICES_LUKS < <(gather_luks_devices)
|
|
|
|
|
|
|
|
|
|
### If there are no LUKS devices at all, drop to bash.
|
|
|
|
|
if (( ${#DEVICES_LUKS[@]} == 0 )); then
|
|
|
|
|
printf "%b" "${NL}"
|
|
|
|
|
color_echo "${RED}" "✘ No LUKS Devices found. Dropping to bash ..."
|
|
|
|
|
drop_bash
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
### Extract the 'nuke='-parameter from '/proc/cmdline'.
|
|
|
|
|
printf "%b" "${NL}"
|
|
|
|
|
extract_nuke_hash
|
|
|
|
|
|
|
|
|
|
### Read passphrase interactively.
|
|
|
|
|
read_passphrase
|
|
|
|
|
|
|
|
|
|
if printf "%s" "${PASSPHRASE}" | cryptroot-unlock; then
|
|
|
|
|
|
|
|
|
|
secure_unset_pass
|
|
|
|
|
exit 0
|
|
|
|
|
|
|
|
|
|
else
|
|
|
|
|
|
|
|
|
|
secure_unset_pass
|
|
|
|
|
|
|
|
|
|
printf "%b" "${NL}"
|
|
|
|
|
color_echo "${RED}" "✘ Unsuccessful command 'cryptroot-unlock'."
|
|
|
|
|
color_echo "${GRE}" " No LUKS operations performed. Dropping to bash ..."
|
|
|
|
|
color_echo "${GRE}" " To unlock 'root' partition, and maybe others like '/home', run 'cryptroot-unlock'."
|
|
|
|
|
|
|
|
|
|
drop_bash
|
|
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
color_echo "${GRE}" "No LUKS operations successful. Dropping to bash ..."
|
|
|
|
|
drop_bash
|
|
|
|
|
}
|
|
|
|
|
### Prevents accidental 'unset -f'.
|
|
|
|
|
# shellcheck disable=SC2034
|
|
|
|
|
readonly -f main
|
|
|
|
|
|
|
|
|
|
main "${@}"
|
|
|
|
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
|
|
|
|
