V8.13.440.2025.11.19

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-21 13:55:39 +00:00
parent 920e6b0b28
commit 42ff42b932
2 changed files with 52 additions and 22 deletions


@@ -37,7 +37,7 @@ install -d -m 0755 "${DESTDIR}/usr/sbin"
### Include binaries ----------------------------------------------------------------------------------------------------------- ### Include binaries -----------------------------------------------------------------------------------------------------------
for bin in bash blkid busybox dmsetup gpgv losetup lsblk mkpasswd mountpoint sha384sum sha512sum sort timeout tree udevadm whois; do for bin in bash blkid busybox dd dmsetup gpgv losetup lsblk mkpasswd mountpoint sha384sum sha512sum sort stty timeout tr tree udevadm whois; do
path="$(command -v "${bin}" 2>/dev/null || true)" path="$(command -v "${bin}" 2>/dev/null || true)"
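Review bot: `stty` is added to the bundled binaries here, presumably so the console passphrase prompt can switch echo off, but the new prompt loop in this commit's unlock script still reads the passphrase with a bare `IFS= read -r PASS </dev/console` and no `stty -echo` appears anywhere in the visible hunks, so the passphrase is echoed on the console as it is typed. If that is why `stty` was added, the read should be wrapped, e.g. `stty -echo </dev/console 2>/dev/null || :; IFS= read -r PASS </dev/console; stty echo </dev/console 2>/dev/null || :`, with a `trap` in the prompt subshell that restores echo when the main process kills it after the mapper appears. The body of the `for bin in …` loop continues outside the hunk, so I cannot see whether a missing binary is fatal or silently skipped.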


@@ -43,7 +43,6 @@ export CDLB_LUKS_FS="/live/ciss_rootfs.crypt"
export CDLB_MAPPER_NAME="crypt_liveiso" export CDLB_MAPPER_NAME="crypt_liveiso"
export CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}" export CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}" CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}"
CDLB_MAX_TRIES="${CDLB_MAX_TRIES:-3}"
MNT_MEDIUM="/run/live/medium" MNT_MEDIUM="/run/live/medium"
MNT_ROOTFS="/run/live/rootfs" MNT_ROOTFS="/run/live/rootfs"
_PARAMETER="" _PARAMETER=""
@@ -127,12 +126,16 @@ printf "\e[92m[INFO] CISS LUKS FS : [%s%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LU
### Attach a loop device read-only to the encrypted file. ---------------------------------------------------------------------- ### Attach a loop device read-only to the encrypted file. ----------------------------------------------------------------------
LOOP="$(losetup -f --show -r "${MNT_MEDIUM}${CDLB_LUKS_FS}")" || { log "losetup failed"; exit 42; } LOOP="$(losetup -f --show -r "${MNT_MEDIUM}${CDLB_LUKS_FS}")" || { log "losetup failed"; exit 42; }
printf "\e[92m[INFO] Loop device : [%s] \n\e[0m" "${LOOP}" printf "\e[92m[INFO] Loop device : [%s] \n\e[0m" "${LOOP}"
### Expose the loop device for unlock-wrapper.sh, dropbear forced-command. ----------------------------------------------------- ### Expose the loop device for unlock-wrapper.sh, dropbear forced-command. -----------------------------------------------------
mkdir -p /run 2>/dev/null || true mkdir -p /run 2>/dev/null || true
echo "${LOOP}" > /run/ciss-loopdev 2>/dev/null || true echo "${LOOP}" > /run/ciss-loopdev 2>/dev/null || true
chmod 0600 /run/ciss-loopdev 2>/dev/null || true chmod 0600 /run/ciss-loopdev 2>/dev/null || true
printf "\e[92m[INFO] Exposed LOOP : [/run/ciss-loopdev] -> [%s]\n\e[0m" "${LOOP}" printf "\e[92m[INFO] Exposed LOOP : [/run/ciss-loopdev] -> [%s]\n\e[0m" "${LOOP}"
### Prepare fifo for passphrase. ----------------------------------------------------------------------------------------------- ### Prepare fifo for passphrase. -----------------------------------------------------------------------------------------------
@@ -153,20 +156,12 @@ fi
chmod 0600 /lib/cryptsetup/passfifo 2>/dev/null || true chmod 0600 /lib/cryptsetup/passfifo 2>/dev/null || true
### Background cryptsetup-process, reading from fifo. -------------------------------------------------------------------------- ### Background broker: read FIFO, try cryptsetup per line. ---------------------------------------------------------------------
( (
set +e set +e
cryptsetup open \
--type luks \
--readonly \
"${LOOP}" "${CDLB_MAPPER_NAME}" \
--key-file - < /lib/cryptsetup/passfifo 2>/dev/console
) &
PID_CRYPT="$!"
### Background console-prompt for passphrase reading into fifo. ---------------------------------------------------------------- PASS=""
(
set +e
while :; do while :; do
if [ -b "${CDLB_MAPPER_DEV}" ]; then if [ -b "${CDLB_MAPPER_DEV}" ]; then
@@ -175,26 +170,61 @@ PID_CRYPT="$!"
fi fi
printf "\e[93m[INFO] Enter LUKS passphrase on: \n\e[0m" >/dev/console 2>/dev/null || break if ! IFS= read -r PASS < /lib/cryptsetup/passfifo; then
if IFS= read -r PASS </dev/console 2>/dev/null; then sleep 1
continue
fi
[ -n "${PASS}" ] || continue [ -n "${PASS}" ] || continue
printf '%s\n' "${PASS}" > /lib/cryptsetup/passfifo 2>/dev/null || : printf "\e[93m[INFO] Trying to unlock via cryptsetup ...\n\e[0m" >/dev/console 2>/dev/null || true
else printf '%s\n' "${PASS}" | cryptsetup open --type luks--readonly "${LOOP}" "${CDLB_MAPPER_NAME}" --key-file - 2>/dev/console
### No readable '/dev/console': break immediately if [ -b "${CDLB_MAPPER_DEV}" ]; then
printf "\e[92m[INFO] LUKS mapper [%s] successfully opened.\n\e[0m" "${CDLB_MAPPER_DEV}" >/dev/console 2>/dev/null || true
break break
fi fi
done done
) & ) &
PID_BROKER="$!"
### Background process console-prompt feed passphrases into FIFO. --------------------------------------------------------------
(
set +e
PASS=""
while :; do
if [ -b "${CDLB_MAPPER_DEV}" ]; then
break
fi
printf "\e[93m[INFO] Enter LUKS passphrase on console: \n\e[0m" >/dev/console 2>/dev/null || break
if ! IFS= read -r PASS </dev/console 2>/dev/null; then
break
fi
[ -n "${PASS}" ] || continue
printf '%s\n' "${PASS}" >| /lib/cryptsetup/passfifo 2>/dev/null || :
done
) &
PID_PROMPT="$!" PID_PROMPT="$!"
### Main process: waiting for mapping to appear. ------------------------------------------------------------------------------- ### Main process: wait bounded time for mapper to appear. ----------------------------------------------------------------------
REMAINING="${CDLB_REMOTE_WAIT_SECS}" REMAINING="${CDLB_REMOTE_WAIT_SECS}"
if [ ! -b "${CDLB_MAPPER_DEV}" ]; then if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
@@ -221,14 +251,14 @@ if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
printf "\e[91m[WARN] Timeout: mapper [%s] not present after %s seconds. \n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_REMOTE_WAIT_SECS}" printf "\e[91m[WARN] Timeout: mapper [%s] not present after %s seconds. \n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_REMOTE_WAIT_SECS}"
kill "${PID_PROMPT}" 2>/dev/null || true kill "${PID_PROMPT}" 2>/dev/null || true
kill "${PID_CRYPT}" 2>/dev/null || true kill "${PID_BROKER}" 2>/dev/null || true
rm -f /lib/cryptsetup/passfifo 2>/dev/null || true rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
exit 42 exit 42
fi fi
kill "${PID_PROMPT}" 2>/dev/null || true kill "${PID_PROMPT}" 2>/dev/null || true
wait "${PID_CRYPT}" 2>/dev/null || true wait "${PID_BROKER}" 2>/dev/null || true
rm -f /lib/cryptsetup/passfifo 2>/dev/null || true rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
printf "\e[92m[INFO] LUKS mapper : [%s] is now present.\n\e[0m" "${CDLB_MAPPER_DEV}" printf "\e[92m[INFO] LUKS mapper : [%s] is now present.\n\e[0m" "${CDLB_MAPPER_DEV}"
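Review bot: The cryptsetup invocation in the new broker loop reads `--type luks--readonly` with no space between the type and the `--readonly` flag, at least as rendered here; if that is what is in the file, cryptsetup rejects the device type on every attempt, the mapper never appears, and the main loop simply runs out `CDLB_REMOTE_WAIT_SECS` — the line should be `printf '%s\n' "${PASS}" | cryptsetup open --type luks --readonly "${LOOP}" "${CDLB_MAPPER_NAME}" --key-file - 2>/dev/console`. Worth confirming on the same line: with `--key-file -` cryptsetup, as I recall its documented passphrase handling, reads stdin to EOF without stopping at newlines, so the `\n` that `printf '%s\n'` appends becomes part of the key and a passphrase enrolled interactively would not match (the old code fed the FIFO the same way, so this only matters if the key slot was not enrolled through this pipeline). Also, since `CDLB_MAX_TRIES` is dropped in this commit, a wrong passphrase now loops back to the FIFO with no attempt counter and retries are bounded only by the wall-clock timeout, which is fine if intended but deserves a comment such as `# retries are unbounded; only CDLB_REMOTE_WAIT_SECS limits them`. The script continues outside these hunks, so the remainder of the broker and main-wait logic is not visible here.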