From 42ff42b9328b836b626eb8b82bf2fb15eeb161a6709f48ec9d4fce9c2567cc69 Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Fri, 21 Nov 2025 13:55:39 +0000 Subject: [PATCH] V8.13.440.2025.11.19 Signed-off-by: Marc S. Weidner --- .../hooks/9999_ciss_debian_live_builder.sh | 2 +- .../usr/lib/live/boot/0024-ciss-crypt-squash | 72 +++++++++++++------ 2 files changed, 52 insertions(+), 22 deletions(-) diff --git a/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh b/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh index 13630d6..f795b91 100644 --- a/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh +++ b/config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh @@ -37,7 +37,7 @@ install -d -m 0755 "${DESTDIR}/usr/sbin" ### Include binaries ----------------------------------------------------------------------------------------------------------- -for bin in bash blkid busybox dmsetup gpgv losetup lsblk mkpasswd mountpoint sha384sum sha512sum sort timeout tree udevadm whois; do +for bin in bash blkid busybox dd dmsetup gpgv losetup lsblk mkpasswd mountpoint sha384sum sha512sum sort stty timeout tr tree udevadm whois; do path="$(command -v "${bin}" 2>/dev/null || true)" diff --git a/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash b/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash index 6e44065..4035c53 100644 --- a/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash +++ b/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash @@ -43,7 +43,6 @@ export CDLB_LUKS_FS="/live/ciss_rootfs.crypt" export CDLB_MAPPER_NAME="crypt_liveiso" export CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}" CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}" -CDLB_MAX_TRIES="${CDLB_MAX_TRIES:-3}" MNT_MEDIUM="/run/live/medium" MNT_ROOTFS="/run/live/rootfs" _PARAMETER="" 
@@ -127,12 +126,16 @@ printf "\e[92m[INFO] CISS LUKS FS : [%s%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LU ### Attach a loop device read-only to the encrypted file. ---------------------------------------------------------------------- LOOP="$(losetup -f --show -r "${MNT_MEDIUM}${CDLB_LUKS_FS}")" || { log "losetup failed"; exit 42; } + printf "\e[92m[INFO] Loop device : [%s] \n\e[0m" "${LOOP}" ### Expose the loop device for unlock-wrapper.sh, dropbear forced-command. ----------------------------------------------------- mkdir -p /run 2>/dev/null || true + echo "${LOOP}" > /run/ciss-loopdev 2>/dev/null || true + chmod 0600 /run/ciss-loopdev 2>/dev/null || true + printf "\e[92m[INFO] Exposed LOOP : [/run/ciss-loopdev] -> [%s]\n\e[0m" "${LOOP}" ### Prepare fifo for passphrase. ----------------------------------------------------------------------------------------------- @@ -153,20 +156,12 @@ fi chmod 0600 /lib/cryptsetup/passfifo 2>/dev/null || true -### Background cryptsetup-process, reading from fifo. -------------------------------------------------------------------------- +### Background broker: read FIFO, try cryptsetup per line. --------------------------------------------------------------------- ( set +e - cryptsetup open \ - --type luks \ - --readonly \ - "${LOOP}" "${CDLB_MAPPER_NAME}" \ - --key-file - < /lib/cryptsetup/passfifo 2>/dev/console -) & -PID_CRYPT="$!" -### Background console-prompt for passphrase reading into fifo. ---------------------------------------------------------------- -( - set +e + PASS="" + while :; do if [ -b "${CDLB_MAPPER_DEV}" ]; then 
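Review bot: The new `echo "${LOOP}" > /run/ciss-loopdev 2>/dev/null || true` silently swallows a failed write, yet the comment right above says the dropbear forced command relies on this file to find the loop device, so a failure here surfaces later as an unexplained remote-unlock failure; keep it non-fatal (console unlock still works without it) but log it, e.g. `printf '%s\n' "${LOOP}" > /run/ciss-loopdev 2>/dev/null || log "cannot expose loop device in /run/ciss-loopdev"`, using the `log` helper this hunk already calls for the losetup failure. The file is also created under the default umask and only tightened afterwards by `chmod 0600`; inside the initramfs everything runs as root so this is mostly hygiene, but `( umask 077; printf '%s\n' "${LOOP}" > /run/ciss-loopdev )` creates it with the intended mode in one step. The value written is only a device path, not a secret, so the 0600 is defensible but not essential.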
@@ -175,26 +170,61 @@ PID_CRYPT="$!" fi - printf "\e[93m[INFO] Enter LUKS passphrase on: \n\e[0m" >/dev/console 2>/dev/null || break + if ! IFS= read -r PASS < /lib/cryptsetup/passfifo; then - if IFS= read -r PASS /dev/null; then + sleep 1 + continue - [ -n "${PASS}" ] || continue + fi - printf '%s\n' "${PASS}" > /lib/cryptsetup/passfifo 2>/dev/null || : + [ -n "${PASS}" ] || continue - else + printf "\e[93m[INFO] Trying to unlock via cryptsetup ...\n\e[0m" >/dev/console 2>/dev/null || true - ### No readable '/dev/console': break immediately + printf '%s\n' "${PASS}" | cryptsetup open --type luks--readonly "${LOOP}" "${CDLB_MAPPER_NAME}" --key-file - 2>/dev/console + + if [ -b "${CDLB_MAPPER_DEV}" ]; then + + printf "\e[92m[INFO] LUKS mapper [%s] successfully opened.\n\e[0m" "${CDLB_MAPPER_DEV}" >/dev/console 2>/dev/null || true break fi done ) & +PID_BROKER="$!" + +### Background process console-prompt feed passphrases into FIFO. -------------------------------------------------------------- +( + set +e + + PASS="" + + while :; do + + if [ -b "${CDLB_MAPPER_DEV}" ]; then + + break + + fi + + printf "\e[93m[INFO] Enter LUKS passphrase on console: \n\e[0m" >/dev/console 2>/dev/null || break + + if ! IFS= read -r PASS /dev/null; then + + break + + fi + + [ -n "${PASS}" ] || continue + + printf '%s\n' "${PASS}" >| /lib/cryptsetup/passfifo 2>/dev/null || : + + done +) & PID_PROMPT="$!" -### Main process: waiting for mapping to appear. ------------------------------------------------------------------------------- +### Main process: wait bounded time for mapper to appear. ---------------------------------------------------------------------- REMAINING="${CDLB_REMOTE_WAIT_SECS}" if [ ! -b "${CDLB_MAPPER_DEV}" ]; then 
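Review bot: The broker's `cryptsetup open --type luks--readonly "${LOOP}" ...` lacks the space before `--readonly`; unless that is an artifact of how the patch is rendered here, cryptsetup is handed the type `luks--readonly`, rejects it, and no passphrase can ever open the mapper, so the line should read `printf '%s\n' "${PASS}" | cryptsetup open --type luks --readonly "${LOOP}" "${CDLB_MAPPER_NAME}" --key-file - 2>/dev/console`. The new console-prompt process takes the passphrase with a plain `IFS= read -r PASS` from the console (the redirection is partly lost in this rendering), so the passphrase is echoed in cleartext on the console and into anything capturing a serial console; since this commit adds `stty` to the initramfs binary list, suppress echo around the read, `stty -echo </dev/console 2>/dev/null; IFS= read -r PASS </dev/console 2>/dev/null || { stty echo </dev/console 2>/dev/null; break; }; stty echo </dev/console 2>/dev/null; printf '\n' >/dev/console`, and add `trap 'stty echo </dev/console 2>/dev/null' EXIT TERM` at the top of that subshell so the `kill "${PID_PROMPT}"` on timeout in the later hunk does not leave the console with echo off. Note also that `CDLB_MAX_TRIES` was removed earlier in this patch and neither loop counts attempts, so wrong passphrases are retried without limit for the whole `CDLB_REMOTE_WAIT_SECS` window; if that is intended, a comment such as `### Retries are unbounded; only CDLB_REMOTE_WAIT_SECS bounds the unlock window.` would save the next reader from looking for the cap. The broker subshell whose loop this hunk edits begins in the preceding hunk.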
@@ -221,14 +251,14 @@ if [ ! -b "${CDLB_MAPPER_DEV}" ]; then printf "\e[91m[WARN] Timeout: mapper [%s] not present after %s seconds. \n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_REMOTE_WAIT_SECS}" kill "${PID_PROMPT}" 2>/dev/null || true - kill "${PID_CRYPT}" 2>/dev/null || true + kill "${PID_BROKER}" 2>/dev/null || true rm -f /lib/cryptsetup/passfifo 2>/dev/null || true exit 42 fi kill "${PID_PROMPT}" 2>/dev/null || true -wait "${PID_CRYPT}" 2>/dev/null || true +wait "${PID_BROKER}" 2>/dev/null || true rm -f /lib/cryptsetup/passfifo 2>/dev/null || true printf "\e[92m[INFO] LUKS mapper : [%s] is now present.\n\e[0m" "${CDLB_MAPPER_DEV}"