msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V9.14.018.2026.06.07
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2026-06-07 09:11:26 +01:00
parent 9cdcc0a9ec
commit 3fc5003676
3 changed files with 212 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files
config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash
+171 -44
View File
@@ -25,6 +25,98 @@ _SAVED_SET_OPTS="$(set +o)"
set -eu
#######################################
# Ensure the minimal device nodes required by this early boot script exist.
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: always, device-node setup is best-effort only
#######################################
ensure_minimal_dev_nodes() {
mknod_cmd=""
busybox_cmd=""
[ -d /dev ] || mkdir -p /dev || return 0
if [ -c /dev/null ] && [ -c /dev/console ]; then
return 0
fi
mknod_cmd="$(command -v mknod 2>&- || printf '')"
if [ -z "${mknod_cmd}" ]; then
busybox_cmd="$(command -v busybox 2>&- || printf '')"
fi
if [ ! -c /dev/null ]; then
rm -f /dev/null || true
if [ -n "${mknod_cmd}" ]; then
"${mknod_cmd}" -m 666 /dev/null c 1 3 || true
elif [ -n "${busybox_cmd}" ]; then
"${busybox_cmd}" mknod -m 666 /dev/null c 1 3 || true
fi
fi
if [ ! -c /dev/console ]; then
rm -f /dev/console || true
if [ -n "${mknod_cmd}" ]; then
"${mknod_cmd}" -m 600 /dev/console c 5 1 || true
elif [ -n "${busybox_cmd}" ]; then
"${busybox_cmd}" mknod -m 600 /dev/console c 5 1 || true
fi
fi
return 0
}
#######################################
# Console logging helper that does not assume /dev/console is always present.
# Globals:
# None
# Arguments:
# 1: printf format
# *: printf arguments
# Returns:
# 0: always, logging failure is not fatal
#######################################
console_printf() {
console_format="$1"
shift
if [ -c /dev/console ]; then
# shellcheck disable=SC2059
printf "${console_format}" "$@" > /dev/console || :
elif [ -e /proc/1/fd/1 ]; then
# shellcheck disable=SC2059
printf "${console_format}" "$@" > /proc/1/fd/1 || :
fi
return 0
}
ensure_minimal_dev_nodes
printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0024-ciss-crypt-squash] \n\e[0m"
#######################################
@@ -41,11 +133,21 @@ ask_pass_console() {
PASSPHRASE=""
SAVED_STTY=""
ensure_minimal_dev_nodes
[ -c /dev/console ] || return 1
exec 8<>/dev/console || return 1
### Save current console settings.
SAVED_STTY=$(stty -g </dev/console 2>/dev/null || printf '')
SAVED_STTY=$(stty -g <&8 2>&- || printf '')
### Non-canonical mode, no echo, 1 byte at a time.
stty -echo -icanon time 0 min 1 </dev/console 2>/dev/null || return 1
if ! stty -echo -icanon time 0 min 1 <&8 2>&-; then
exec 8>&-
return 1
fi
cr=$(printf '\r')
bs=$(printf '\b')
@@ -54,11 +156,11 @@ ask_pass_console() {
while :; do
### Read exactly one byte from the console.
c=$(dd bs=1 count=1 2>/dev/null </dev/console)
c=$(dd bs=1 count=1 2>&- <&8)
if [ -z "${c}" ]; then
printf '\n' > /dev/console
printf '\n' >&8
break
fi
@@ -70,7 +172,7 @@ ask_pass_console() {
"${cr}")
### Enter: finish input.
printf '\n' > /dev/console
printf '\n' >&8
break
;;
@@ -79,7 +181,7 @@ ask_pass_console() {
if [ -n "${PASSPHRASE}" ]; then
PASSPHRASE=${PASSPHRASE%?}
printf '\b \b' > /dev/console
printf '\b \b' >&8
fi
;;
@@ -87,14 +189,20 @@ ask_pass_console() {
*)
### Normal character: append and mask output.
PASSPHRASE="${PASSPHRASE}${c}"
printf '*' > /dev/console
printf '*' >&8
;;
esac
done
[ -n "${SAVED_STTY}" ] && stty "${SAVED_STTY}" </dev/console 2>/dev/null || :
if [ -n "${SAVED_STTY}" ]; then
stty "${SAVED_STTY}" <&8 2>&- || :
fi
exec 8>&-
printf '%s' "${PASSPHRASE}"
@@ -130,7 +238,7 @@ _PARAMETER=""
_dev=""
### Read the kernel cmdline once. ----------------------------------------------------------------------------------------------
CMDLINE="$(cat /proc/cmdline 2>/dev/null || printf '')"
CMDLINE="$(cat /proc/cmdline 2>&- || printf '')"
for _PARAMETER in ${CMDLINE}; do
@@ -153,8 +261,8 @@ if ! mountpoint -q "${CDLB_MNT_MEDIUM}"; then
if [ -n "${CDLB_ISO_LABEL}" ] && [ -e "/dev/disk/by-label/${CDLB_ISO_LABEL}" ]; then
mount -r -t iso9660 "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>/dev/null \
|| mount -r -t udf "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>/dev/null \
mount -r -t iso9660 "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>&- \
|| mount -r -t udf "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>&- \
|| log "could not mount label=${CDLB_ISO_LABEL} (iso9660/udf)"
fi
@@ -170,13 +278,13 @@ if ! mountpoint -q "${CDLB_MNT_MEDIUM}"; then
[ -b "${_dev}" ] || continue
### Try ISO9660 first, then UDF; only unmount on failure.
if mount -r -t iso9660 "${_dev}" "${CDLB_MNT_MEDIUM}" 2>/dev/null || mount -r -t udf "${_dev}" "${CDLB_MNT_MEDIUM}" 2>/dev/null; then
if mount -r -t iso9660 "${_dev}" "${CDLB_MNT_MEDIUM}" 2>&- || mount -r -t udf "${_dev}" "${CDLB_MNT_MEDIUM}" 2>&-; then
mountpoint -q "${CDLB_MNT_MEDIUM}" 2>/dev/null && break
mountpoint -q "${CDLB_MNT_MEDIUM}" 2>&- && break
else
umount "${CDLB_MNT_MEDIUM}" 2>/dev/null || true
umount "${CDLB_MNT_MEDIUM}" 2>&- || true
fi
@@ -220,24 +328,24 @@ fi
printf "\e[92m[INFO] Loop device : [%s] \n\e[0m" "${LOOP}"
### Expose the loop device for unlock-wrapper.sh, dropbear forced-command. -----------------------------------------------------
mkdir -p /run 2>/dev/null || true
mkdir -p /run 2>&- || true
echo "${LOOP}" > /run/ciss-loopdev 2>/dev/null || true
echo "${LOOP}" > /run/ciss-loopdev 2>&- || true
chmod 0600 /run/ciss-loopdev 2>/dev/null || true
chmod 0600 /run/ciss-loopdev 2>&- || true
printf "\e[92m[INFO] Exposed LOOP : [/run/ciss-loopdev] -> [%s]\n\e[0m" "${LOOP}"
### Prepare fifo for passphrase. -----------------------------------------------------------------------------------------------
mkdir -p /lib/cryptsetup 2>/dev/null || true
mkdir -p /lib/cryptsetup 2>&- || true
if [ -p /lib/cryptsetup/passfifo ]; then
rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
rm -f /lib/cryptsetup/passfifo 2>&- || true
fi
if ! mkfifo /lib/cryptsetup/passfifo 2>/dev/null; then
if ! mkfifo /lib/cryptsetup/passfifo 2>&-; then
printf "\e[92m[WARN] Boot failure : Failed to create [/lib/cryptsetup/passfifo] \n\e[0m"
sleep 60
@@ -246,7 +354,7 @@ if ! mkfifo /lib/cryptsetup/passfifo 2>/dev/null; then
fi
chmod 0600 /lib/cryptsetup/passfifo 2>/dev/null || true
chmod 0600 /lib/cryptsetup/passfifo 2>&- || true
### Background broker: read FIFO, try cryptsetup per line. ---------------------------------------------------------------------
(
@@ -271,18 +379,29 @@ chmod 0600 /lib/cryptsetup/passfifo 2>/dev/null || true
[ -n "${PASS}" ] || continue
printf "\e[93m[INFO] CISS LUKS decryption : LUKS mapper [%s] trying to unlock via cryptsetup ... \n\e[0m" "${CDLB_MAPPER_DEV}" >/dev/console 2>/dev/null || true
console_printf "\e[93m[INFO] CISS LUKS decryption : LUKS mapper [%s] trying to unlock via cryptsetup ... \n\e[0m" "${CDLB_MAPPER_DEV}"
KEYLEN=${#PASS}
printf '%s' "${PASS}" | cryptsetup open --tries 1 \
--type luks \
--keyfile-size="${KEYLEN}" \
--readonly "${LOOP}" "${CDLB_MAPPER_NAME}" --key-file - 2>/dev/console
if [ -c /dev/console ]; then
printf '%s' "${PASS}" | cryptsetup open --tries 1 \
--type luks \
--keyfile-size="${KEYLEN}" \
--readonly "${LOOP}" "${CDLB_MAPPER_NAME}" --key-file - 2>/dev/console
else
printf '%s' "${PASS}" | cryptsetup open --tries 1 \
--type luks \
--keyfile-size="${KEYLEN}" \
--readonly "${LOOP}" "${CDLB_MAPPER_NAME}" --key-file - 2>&-
fi
if [ -b "${CDLB_MAPPER_DEV}" ]; then
printf "\e[92m[INFO] CISS LUKS decryption : LUKS mapper [%s] successfully opened. \n\e[0m" "${CDLB_MAPPER_DEV}" >/dev/console 2>/dev/null || true
console_printf "\e[92m[INFO] CISS LUKS decryption : LUKS mapper [%s] successfully opened. \n\e[0m" "${CDLB_MAPPER_DEV}"
break
fi
@@ -309,12 +428,12 @@ PID_BROKER="$!"
if [ "${PASS_SENT}" -eq 0 ]; then
printf '\e[93m[INFO] Enter LUKS passphrase: \n\e[0m' > /dev/console
console_printf '\e[93m[INFO] Enter LUKS passphrase: \n\e[0m'
# shellcheck disable=SC2310
PASS="$(ask_pass_console)" || continue
printf '%s\n' "${PASS}" >| /lib/cryptsetup/passfifo 2>/dev/null || :
printf '%s\n' "${PASS}" >| /lib/cryptsetup/passfifo 2>&- || :
PASS_SENT=1
WAIT_LOOP=0
@@ -325,7 +444,7 @@ PID_BROKER="$!"
if [ "${WAIT_LOOP}" -ge 160 ]; then
printf '\e[91m[WARN] Please try again : \n\e[0m' > /dev/console
console_printf '\e[91m[WARN] Please try again : \n\e[0m'
PASS_SENT=0
WAIT_LOOP=0
@@ -369,12 +488,12 @@ if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
printf "\e[91m[WARN] CISS LUKS decryption : Timeout LUKS mapper [%s] not present after %s seconds. \n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_REMOTE_WAIT_SECS}"
kill "${PID_PROMPT}" 2>/dev/null || true
kill "${PID_BROKER}" 2>/dev/null || true
wait "${PID_PROMPT}" 2>/dev/null || true
wait "${PID_BROKER}" 2>/dev/null || true
kill "${PID_PROMPT}" 2>&- || true
kill "${PID_BROKER}" 2>&- || true
wait "${PID_PROMPT}" 2>&- || true
wait "${PID_BROKER}" 2>&- || true
rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
rm -f /lib/cryptsetup/passfifo 2>&- || true
sleep 60
@@ -383,12 +502,12 @@ if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
fi
kill "${PID_PROMPT}" 2>/dev/null || true
kill "${PID_BROKER}" 2>/dev/null || true
wait "${PID_PROMPT}" 2>/dev/null || true
wait "${PID_BROKER}" 2>/dev/null || true
kill "${PID_PROMPT}" 2>&- || true
kill "${PID_BROKER}" 2>&- || true
wait "${PID_PROMPT}" 2>&- || true
wait "${PID_BROKER}" 2>&- || true
rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
rm -f /lib/cryptsetup/passfifo 2>&- || true
printf "\e[92m[INFO] CISS LUKS decryption : [%s] is now present.\n\e[0m" "${CDLB_MAPPER_DEV}"
@@ -403,7 +522,7 @@ export CDLB_MNT_MEDIUM=${CDLB_MNT_MEDIUM}
export CDLB_MNT_ROOTFS=${CDLB_MNT_ROOTFS}
export CDLB_REMOTE_WAIT_SECS=${CDLB_REMOTE_WAIT_SECS}
EOF
chmod 0444 /run/ciss-rootdev 2>/dev/null || true
chmod 0444 /run/ciss-rootdev 2>&- || true
### Override '9990-main.sh' behavior to ensure 'Verify_checksums()' functions properly. ----------------------------------------
if [ ! -e /conf/param.conf ]; then
@@ -413,20 +532,28 @@ if [ ! -e /conf/param.conf ]; then
fi
if ! grep -q '^PLAIN_ROOT=' /conf/param.conf 2>/dev/null; then
if ! grep -q '^PLAIN_ROOT=' /conf/param.conf 2>&-; then
printf 'PLAIN_ROOT=1\n' >> /conf/param.conf
fi
if ! grep -q '^livefs_root=' /conf/param.conf 2>/dev/null; then
if ! grep -q '^livefs_root=' /conf/param.conf 2>&-; then
printf 'livefs_root=%s\n' "/run/live/medium" >> /conf/param.conf
fi
printf "\e[92m[INFO] CISS LUKS decryption : Final state [/conf/param.conf] \n\e[0m"
cat /conf/param.conf >/dev/console 2>&1 || :
if [ -c /dev/console ]; then
cat /conf/param.conf >/dev/console 2>&1 || :
elif [ -e /proc/1/fd/1 ]; then
cat /conf/param.conf >/proc/1/fd/1 2>&1 || :
fi
log "Decrypted root device exposed at [/run/ciss-rootdev] -> [${CDLB_MAPPER_DEV}]"
printf "\e[92m[INFO] CISS LUKS decryption : Decrypted root device exposed at: [/run/ciss-rootdev] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}"