V8.13.440.2025.11.19

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
2025-11-23 10:40:07 +00:00
parent 8852295c83
commit 4c3a242069
11 changed files with 99 additions and 22 deletions


@@ -0,0 +1,10 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-23; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu


@@ -0,0 +1,10 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-23; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu


@@ -28,7 +28,9 @@ esac
### Ensure directory structure in initramfs ------------------------------------------------------------------------------------ ### Ensure directory structure in initramfs ------------------------------------------------------------------------------------
install -d -m 0755 "${DESTDIR}/etc/ciss/hashes"
install -d -m 0755 "${DESTDIR}/etc/ciss/keys" install -d -m 0755 "${DESTDIR}/etc/ciss/keys"
install -d -m 0755 "${DESTDIR}/etc/ciss/signatures"
install -d -m 0755 "${DESTDIR}/etc/initramfs-tools/conf.d" install -d -m 0755 "${DESTDIR}/etc/initramfs-tools/conf.d"
install -d -m 0755 "${DESTDIR}/etc/initramfs-tools/scripts/init-premount" install -d -m 0755 "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
install -d -m 0755 "${DESTDIR}/usr/bin" install -d -m 0755 "${DESTDIR}/usr/bin"
@@ -56,7 +58,7 @@ for dir in bin usr/bin; do
done done
### Install GPG signing keys --------------------------------------------------------------------------------------------------- ### Install GPG keys -----------------------------------------------------------------------------------------------------------
src_dir="/etc/ciss/keys" src_dir="/etc/ciss/keys"
dst_dir="${DESTDIR}/etc/ciss/keys" dst_dir="${DESTDIR}/etc/ciss/keys"
key="" key=""
@@ -77,6 +79,51 @@ if [ -d "${src_dir}" ]; then
fi fi
### Install GPG signatures -----------------------------------------------------------------------------------------------------
src_dir="/etc/ciss/signatures"
dst_dir="${DESTDIR}/etc/ciss/signatures"
sig=""
if [ -d "${src_dir}" ]; then
install -d -m 0755 "${dst_dir}"
for sig in "${src_dir}"/*.sig; do
[ -e "${sig}" ] || continue
install -m 0444 "${sig}" "${dst_dir}/"
printf '\e[92mSuccessfully executed: [install -m 0444 %s %s]\n\e[0m' "${sig}" "${dst_dir}"
done
fi
### Install SHA hashes ---------------------------------------------------------------------------------------------------------
src_dir="/etc/ciss/hashes"
dst_dir="${DESTDIR}/etc/ciss/hashes"
hash=""
if [ -d "${src_dir}" ]; then
install -d -m 0755 "${dst_dir}"
for hash in "${src_dir}"/*sha*sum.txt; do
[ -e "${hash}" ] || continue
install -m 0444 "${hash}" "${dst_dir}/"
printf '\e[92mSuccessfully executed: [install -m 0444 %s %s]\n\e[0m' "${hash}" "${dst_dir}"
done
fi
### Install Dropbear configuration --------------------------------------------------------------------------------------------- ### Install Dropbear configuration ---------------------------------------------------------------------------------------------
install -m 0444 /etc/dropbear/initramfs/dropbear.conf "${DESTDIR}/etc/dropbear/dropbear.conf" install -m 0444 /etc/dropbear/initramfs/dropbear.conf "${DESTDIR}/etc/dropbear/dropbear.conf"
printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/dropbear.conf %s/etc/dropbear/dropbear.conf] \n\e[0m" "${DESTDIR}" printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/dropbear.conf %s/etc/dropbear/dropbear.conf] \n\e[0m" "${DESTDIR}"
@@ -95,6 +142,10 @@ printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files
install -m 0444 /etc/banner "${DESTDIR}/etc/dropbear/banner" install -m 0444 /etc/banner "${DESTDIR}/etc/dropbear/banner"
printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/banner %s/etc/dropbear/banner] \n\e[0m" "${DESTDIR}" printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/banner %s/etc/dropbear/banner] \n\e[0m" "${DESTDIR}"
### Install Dropbear Banner ----------------------------------------------------------------------------------------------------
install -m 0444 /etc/banner "${DESTDIR}/etc/dropbear/banner"
printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/banner %s/etc/dropbear/banner] \n\e[0m" "${DESTDIR}"
### EOS ### EOS
printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh] \n\e[0m" printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh] \n\e[0m"
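Review bot: The Dropbear banner is installed twice in the last hunk: the context lines just before the new `### Install Dropbear Banner` heading already run `install -m 0444 /etc/banner "${DESTDIR}/etc/dropbear/banner"`, and the added block repeats the identical install and success message. Unless the rendered hunk dropped lines between them, either the added block or the earlier pair should go so the heading sits over a single install. The added log line also names the source as `/etc/dropbear/initramfs/banner` while the command copies `/etc/banner`; `printf "\e[92mSuccessfully executed: [install -m 0444 /etc/banner %s/etc/dropbear/banner] \n\e[0m" "${DESTDIR}"` keeps the record truthful for anyone auditing what was placed in the initramfs. The hook's earlier sections start before this hunk.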


@@ -23,7 +23,7 @@ set -eu
sleep 3 sleep 3
printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh] ... \n\e[0m" printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh] \n\e[0m"
### Declare variables ---------------------------------------------------------------------------------------------------------- ### Declare variables ----------------------------------------------------------------------------------------------------------
OVERLAY_BASE="/run/live/overlay" OVERLAY_BASE="/run/live/overlay"


@@ -21,7 +21,7 @@ _SAVED_SET_OPTS="$(set +o)"
set -eu set -eu
printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0024-ciss-crypt-squash] ... \n\e[0m" printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0024-ciss-crypt-squash] \n\e[0m"
####################################### #######################################
# Ask for a passphrase on /dev/console, mask input with '*'. # Ask for a passphrase on /dev/console, mask input with '*'.


@@ -21,7 +21,7 @@ _SAVED_SET_OPTS="$(set +o)"
set -eu set -eu
printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] ... \n\e[0m" printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] \n\e[0m"
echo 2 > /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true echo 2 > /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true
echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || true echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || true


@@ -29,7 +29,7 @@
# 0 : Successful verification # 0 : Successful verification
####################################### #######################################
Verify_checksums() { Verify_checksums() {
printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0030-ciss-verify-checksums] ... \n\e[0m" printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0030-ciss-verify-checksums] \n\e[0m"
### Declare variables -------------------------------------------------------------------------------------------------------- ### Declare variables --------------------------------------------------------------------------------------------------------
@@ -48,6 +48,7 @@ Verify_checksums() {
####################################### #######################################
log_in() { printf '\e[95m[INFO] %s \n\e[0m' "$*"; } log_in() { printf '\e[95m[INFO] %s \n\e[0m' "$*"; }
####################################### #######################################
# Helper for colored text output on stdout. # Helper for colored text output on stdout.
# Globals: # Globals:
@@ -162,7 +163,7 @@ Verify_checksums() {
CDLB_SCRIPT_FILE="${CDLB_SCRIPT_SELF##*/}" CDLB_SCRIPT_FILE="${CDLB_SCRIPT_SELF##*/}"
CDLB_SCRIPT_PATH="${CDLB_SCRIPT_SELF%/*}" CDLB_SCRIPT_PATH="${CDLB_SCRIPT_SELF%/*}"
CDLB_SCRIPT_FULL="${CDLB_SCRIPT_PATH%/}/${CDLB_SCRIPT_FILE}" CDLB_SCRIPT_FULL="${CDLB_SCRIPT_PATH%/}/${CDLB_SCRIPT_FILE}"
CDLB_HASHFILE="${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt" CDLB_HASHFILE="/etc/ciss/hashes/${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt"
CDLB_SIG_FILE="${CDLB_HASHFILE}.sig" CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
_STATUS="$(/usr/bin/gpgv --no-default-keyring --keyring "${_KEYFILE}" --status-fd 1 --verify "${CDLB_SIG_FILE}" "${CDLB_SCRIPT_FULL}" 2>/dev/null)" _STATUS="$(/usr/bin/gpgv --no-default-keyring --keyring "${_KEYFILE}" --status-fd 1 --verify "${CDLB_SIG_FILE}" "${CDLB_SCRIPT_FULL}" 2>/dev/null)"
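Review bot: The derived signature path no longer matches where this commit installs the signature: with the new `CDLB_HASHFILE`, `CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"` resolves under `/etc/ciss/hashes/`, but the initramfs hook in this same commit copies `*.sig` files into `/etc/ciss/signatures/`, and the build-handler hunk moves the `.sig` into `etc/ciss/signatures/` as well. Unless the signatures directory is also mirrored into `/etc/ciss/hashes` somewhere not visible here, the gpgv call on this line is handed a missing file and verification cannot succeed; `CDLB_SIG_FILE="/etc/ciss/signatures/${CDLB_HASHFILE##*/}.sig"` would follow the installed layout. Separately, the `.sig` is named after the hash file yet gpgv is asked to verify it against `${CDLB_SCRIPT_FULL}`; confirm which artefact the detached signature actually covers, since a mismatch here fails closed only if the status handling after this hunk treats a missing or non-matching signature as fatal. Verify_checksums starts before this hunk and continues past it.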


@@ -21,7 +21,7 @@ _SAVED_SET_OPTS="$(set +o)"
set -eu set -eu
printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0042-ciss-post-decrypt-attest] ... \n\e[0m" printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0042-ciss-post-decrypt-attest] \n\e[0m"
### Declare variables ---------------------------------------------------------------------------------------------------------- ### Declare variables ----------------------------------------------------------------------------------------------------------


@@ -20,11 +20,11 @@
# set -e # set -e
printf "\e[95m[INFO] Sourcing: [/usr/lib/live/boot/9990-main.sh] ... \n\e[0m" printf "\e[95m[INFO] Sourcing : [/usr/lib/live/boot/9990-main.sh] \n\e[0m"
Live () Live ()
{ {
printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/9990-main.sh] ... \n\e[0m" printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/9990-main.sh] \n\e[0m"
if [ -x /scripts/local-top/cryptroot ] if [ -x /scripts/local-top/cryptroot ]
then then
@@ -56,12 +56,12 @@ Live ()
# Needed here too because some things (*cough* udev *cough*) # Needed here too because some things (*cough* udev *cough*)
# change the timeout # change the timeout
printf "\e[93m[DEBUG] live(): Before do_netmount() pp. \e[0m\n" >&2 printf "\e[93m[DEBUG] live(): Before do_netmount() pp. \e[0m\n"
if [ -n "${NETBOOT}" ] || [ -n "${FETCH}" ] || [ -n "${HTTPFS}" ] || [ -n "${FTPFS}" ] if [ -n "${NETBOOT}" ] || [ -n "${FETCH}" ] || [ -n "${HTTPFS}" ] || [ -n "${FTPFS}" ]
then then
if do_netmount if do_netmount
then then
printf "\e[93m[DEBUG] live(): [livefs_root=%s] \e[0m\n" "${mountpoint?}" >&2 printf "\e[93m[DEBUG] live(): [livefs_root=%s] \e[0m\n" "${mountpoint?}"
livefs_root="${mountpoint?}" livefs_root="${mountpoint?}"
else else
panic "Unable to find a live file system on the network" panic "Unable to find a live file system on the network"
@@ -69,15 +69,15 @@ Live ()
else else
if [ -n "${ISCSI_PORTAL}" ] if [ -n "${ISCSI_PORTAL}" ]
then then
printf "\e[93m[DEBUG] live(): [do_iscsi && livefs_root=%s] \e[0m\n" "${mountpoint?}" >&2 printf "\e[93m[DEBUG] live(): [do_iscsi && livefs_root=%s] \e[0m\n" "${mountpoint?}"
do_iscsi && livefs_root="${mountpoint}" do_iscsi && livefs_root="${mountpoint}"
elif [ -n "${PLAIN_ROOT}" ] && [ -n "${ROOT}" ] elif [ -n "${PLAIN_ROOT}" ] && [ -n "${ROOT}" ]
then then
# Do a local boot from hd # Do a local boot from hd
printf "\e[93m[DEBUG] live(): Do a local boot from hd [livefs_root=%s] \e[0m\n" "${ROOT?}" >&2 printf "\e[93m[DEBUG] live(): Do a local boot from hd [livefs_root=%s] \e[0m\n" "${ROOT?}"
livefs_root=${ROOT} livefs_root=${ROOT}
else else
printf "\e[93m[DEBUG] live(): [Setup_Memdisk] \e[0m\n" >&2 printf "\e[93m[DEBUG] live(): [Setup_Memdisk] \e[0m\n"
Setup_Memdisk Setup_Memdisk
# If the live media location is given via command line and access to it # If the live media location is given via command line and access to it
@@ -130,7 +130,7 @@ Live ()
panic "Unable to find a medium containing a live file system" panic "Unable to find a medium containing a live file system"
fi fi
printf "\e[93m[DEBUG] live(): Before [Verify_checksums %s] \e[0m\n" "${livefs_root}" >&2 printf "\e[93m[DEBUG] live(): Before [Verify_checksums %s] \e[0m\n" "${livefs_root}"
Verify_checksums "${livefs_root}" Verify_checksums "${livefs_root}"
# shellcheck disable=SC2244 # shellcheck disable=SC2244
@@ -166,16 +166,16 @@ Live ()
fi fi
fi fi
printf "\e[93m[DBG] Live(): before overlay, live_dest=%s \e[0m\n" "${live_dest:-<none>}" >&2 printf "\e[93m[DBG] Live(): before overlay, live_dest=%s \e[0m\n" "${live_dest:-<none>}"
printf "\e[93m[DBG] Live(): MODULETORAMFILE=%s PLAIN_ROOT=%s \e[0m\n" "${MODULETORAMFILE}" "${PLAIN_ROOT}" >&2 printf "\e[93m[DBG] Live(): MODULETORAMFILE=%s PLAIN_ROOT=%s \e[0m\n" "${MODULETORAMFILE}" "${PLAIN_ROOT}"
if [ -n "${MODULETORAMFILE}" ] || [ -n "${PLAIN_ROOT}" ] if [ -n "${MODULETORAMFILE}" ] || [ -n "${PLAIN_ROOT}" ]
then then
printf "\e[93m[DBG] Live(): setup_unionfs livefs_root=%s rootmnt=%s \e[0m\n" "${livefs_root}" "${rootmnt?}" >&2 printf "\e[93m[DBG] Live(): setup_unionfs livefs_root=%s rootmnt=%s \e[0m\n" "${livefs_root}" "${rootmnt?}"
setup_unionfs "${livefs_root}" "${rootmnt?}" setup_unionfs "${livefs_root}" "${rootmnt?}"
else else
mac="$(get_mac)" mac="$(get_mac)"
mac="$(echo "${mac}" | sed 's/-//g')" mac="$(echo "${mac}" | sed 's/-//g')"
printf "\e[93m[DBG] Live(): mount_images_in_directory livefs_root=%s rootmnt=%s mac=%s \e[0m\n" "${livefs_root}" "${rootmnt}" "${mac}" >&2 printf "\e[93m[DBG] Live(): mount_images_in_directory livefs_root=%s rootmnt=%s mac=%s \e[0m\n" "${livefs_root}" "${rootmnt}" "${mac}"
mount_images_in_directory "${livefs_root}" "${rootmnt}" "${mac}" mount_images_in_directory "${livefs_root}" "${rootmnt}" "${mac}"
fi fi
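Review bot: Dropping `>&2` moves every `[DEBUG]`/`[DBG]` line in this and the three earlier hunks of Live() onto stdout, where it mixes with whatever the live-boot init writes on stdout and would corrupt the result should any caller ever capture this function's output with `$(…)`; diagnostics conventionally stay on stderr. If the motive is that stderr is not visible on the console at this point in boot, an explicit `>/dev/console` on these lines, or a single logging helper that chooses the stream once, keeps them visible without changing the stream contract. The Live function starts before the first hunk and ends after the last one.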


@@ -20,11 +20,11 @@
#set -e #set -e
printf "\e[95m[INFO] Sourcing: [/usr/lib/live/boot/9990-overlay.sh] ... \n\e[0m" printf "\e[95m[INFO] Sourcing : [/usr/lib/live/boot/9990-overlay.sh] \n\e[0m"
setup_unionfs () setup_unionfs ()
{ {
printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/9990-overlay.sh] ... \n\e[0m" printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/9990-overlay.sh] \n\e[0m"
image_directory="${1}" image_directory="${1}"
rootmnt="${2}" rootmnt="${2}"


@@ -58,6 +58,11 @@ ciss_upgrades_boot() {
done done
mv "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums.sha512sum.txt" \
"${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/hashes/0030-ciss-verify-checksums.sha512sum.txt"
mv "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums.sha512sum.txt.sig" \
"${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/signatures/0030-ciss-verify-checksums.sha512sum.txt.sig"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0 return 0
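Review bot: The two added `mv` calls assume `etc/ciss/hashes/` and `etc/ciss/signatures/` already exist under `config/includes.chroot`, and neither call is error-checked; if a target directory is missing the move fails and, unless `set -e` is in effect outside the hunk, the function still prints the success banner and returns 0, leaving the verification script without its hash or signature at boot. Creating the targets first with `install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/hashes" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/signatures"` and appending `|| return 1` to each `mv` turns a missing artefact into a build failure instead of a silent gap. ciss_upgrades_boot starts before this hunk.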