V8.13.512.2025.11.26

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
2025-11-26 10:05:56 +00:00
parent afe0dd7038
commit 52c3298db9
10 changed files with 18 additions and 1630 deletions


@@ -1,52 +0,0 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck disable=SC2249
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Purpose: Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
# Phase : premount (executed by live-boot inside the initramfs).
_SAVED_SET_OPTS="$(set +o)"
set -eu
sleep 3
printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh] \n\e[0m"
### Declare variables ----------------------------------------------------------------------------------------------------------
OVERLAY_BASE="/run/live/overlay"
UPPER="${OVERLAY_BASE}/upper"
WORK="${OVERLAY_BASE}/work"
### Size policy: hard ceiling to mitigate RAM-filling DoS; tune to your ISO profile. -------------------------------------------
: "${CDLB_OVERLAY_TMPFS_SIZE:=70%}"
### Create a base dir with restrictive perms. ----------------------------------------------------------------------------------
# shellcheck disable=SC2174
mkdir -p -m 0700 "${OVERLAY_BASE}"
### Mount dedicated tmpfs with strict flags; 'noexec' here blocks accidental execs from the raw tmpfs path. --------------------
mount -t tmpfs -o "size=${CDLB_OVERLAY_TMPFS_SIZE},mode=0700,nosuid,nodev,noexec" tmpfs "${OVERLAY_BASE}"
printf "\e[92m[INFO] Command : [mount -t tmpfs -o \"size=%s,mode=0700,nosuid,nodev,noexec\" tmpfs %s] \n\e[0m" "${CDLB_OVERLAY_TMPFS_SIZE}" "${OVERLAY_BASE}"
### Prepare upper /work with tight perms. -------------------------------------------------------------------------------------
# shellcheck disable=SC2174
mkdir -p -m 0700 "${UPPER}" "${WORK}"
eval "${_SAVED_SET_OPTS}"
printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh] \n\e[0m"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -1,434 +0,0 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck disable=SC2249
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Purpose: Open /live/ciss_rootfs.crypt (LUKS) for final processing in '9990-overlay.sh'
# Phase : premount (executed by live-boot inside the initramfs)
_SAVED_SET_OPTS="$(set +o)"
set -eu
printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0024-ciss-crypt-squash] \n\e[0m"
#######################################
# Ask for a passphrase on /dev/console, mask input with '*'.
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: on success
# 1: on failure / empty
#######################################
ask_pass_console() {
PASSPHRASE=""
SAVED_STTY=""
### Save current console settings.
SAVED_STTY=$(stty -g </dev/console 2>/dev/null || printf '')
### Non-canonical mode, no echo, 1 byte at a time.
stty -echo -icanon time 0 min 1 </dev/console 2>/dev/null || return 1
cr=$(printf '\r')
bs=$(printf '\b')
del=$(printf '\177')
while :; do
### Read exactly one byte from the console.
c=$(dd bs=1 count=1 2>/dev/null </dev/console)
if [ -z "${c}" ]; then
printf '\n' > /dev/console
break
fi
### If nothing read (race), loop again.
[ -z "${c}" ] && continue
case "${c}" in
"${cr}")
### Enter: finish input.
printf '\n' > /dev/console
break
;;
"${bs}"|"${del}")
### Backspace, delete: delete one character, if available.
if [ -n "${PASSPHRASE}" ]; then
PASSPHRASE=${PASSPHRASE%?}
printf '\b \b' > /dev/console
fi
;;
*)
### Normal character: append and mask output.
PASSPHRASE="${PASSPHRASE}${c}"
printf '*' > /dev/console
;;
esac
done
[ -n "${SAVED_STTY}" ] && stty "${SAVED_STTY}" </dev/console 2>/dev/null || :
printf '%s' "${PASSPHRASE}"
return 0
}
#######################################
# Premount logging helper.
# Globals:
# None
# Arguments:
# *: String to log.
#######################################
log() {
msg="$*"
if [ -w /dev/kmsg ]; then
printf '<6>%s: %s\n' '0024-ciss-crypt-squash' "${msg}" > /dev/kmsg
else
printf '%s: %s\n' '0024-ciss-crypt-squash' "${msg}"
fi
}
### Declare variables. ---------------------------------------------------------------------------------------------------------
export CDLB_ISO_LABEL="CISS.debian.live"
export CDLB_LUKS_FS="/live/ciss_rootfs.crypt"
export CDLB_MAPPER_NAME="crypt_liveiso"
export CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
export CDLB_LUKS_ROOTFS_MNT="/run/live/ciss-rootfs"
CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}"
MNT_MEDIUM="/run/live/medium"
MNT_ROOTFS="/run/live/rootfs"
_PARAMETER=""
_dev=""
### Read the kernel cmdline once. ----------------------------------------------------------------------------------------------
CMDLINE="$(cat /proc/cmdline 2>/dev/null || printf '')"
for _PARAMETER in ${CMDLINE}; do
case "${_PARAMETER}" in
ciss_crypt_path=*) export CDLB_LUKS_FS="${_PARAMETER#ciss_crypt_path=}";;
ciss_iso_label=* ) export CDLB_ISO_LABEL="${_PARAMETER#ciss_iso_label=}";;
esac
done
printf "\e[92m[INFO] CDLB_LUKS_FS : [%s] \n\e[0m" "${CDLB_LUKS_FS}"
printf "\e[92m[INFO] CDLB_ISO_LABEL : [%s] \n\e[0m" "${CDLB_ISO_LABEL}"
mkdir -p "${MNT_MEDIUM}" "${MNT_ROOTFS}"
### Mount the live medium (ISO) read-only, unless already mounted. -------------------------------------------------------------
if ! mountpoint -q "${MNT_MEDIUM}"; then
if [ -n "${CDLB_ISO_LABEL}" ] && [ -e "/dev/disk/by-label/${CDLB_ISO_LABEL}" ]; then
mount -r -t iso9660 "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${MNT_MEDIUM}" 2>/dev/null \
|| mount -r -t udf "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${MNT_MEDIUM}" 2>/dev/null \
|| log "could not mount label=${CDLB_ISO_LABEL} (iso9660/udf)"
fi
fi
if ! mountpoint -q "${MNT_MEDIUM}"; then
### Fallback scan (covers SR drives and loop-mounted ISOs that udev exposed).
for _dev in /dev/sr* /dev/cdrom /dev/disk/by-label/*; do
### Skip non-block entries early.
[ -b "${_dev}" ] || continue
### Try ISO9660 first, then UDF; only unmount on failure.
if mount -r -t iso9660 "${_dev}" "${MNT_MEDIUM}" 2>/dev/null || mount -r -t udf "${_dev}" "${MNT_MEDIUM}" 2>/dev/null; then
mountpoint -q "${MNT_MEDIUM}" 2>/dev/null && break
else
umount "${MNT_MEDIUM}" 2>/dev/null || true
fi
done
fi
if ! mountpoint -q "${MNT_MEDIUM}"; then
log "No live medium mounted, defer to default live-boot path."
printf "\e[91m[FATAL] Boot failure : No live medium mounted, defer to default live-boot path. \n\e[0m"
exit 42
fi
printf "\e[92m[INFO] MNT_MEDIUM : [%s] \n\e[0m" "${MNT_MEDIUM}"
### Locate the encrypted root container on the medium. -------------------------------------------------------------------------
if [ ! -f "${MNT_MEDIUM}${CDLB_LUKS_FS}" ]; then
log "Encrypted root not found at: [${MNT_MEDIUM}${CDLB_LUKS_FS}]"
printf "\e[91m[FATAL] Boot failure : Encrypted root not found at: [%s%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LUKS_FS}"
exit 42
fi
printf "\e[92m[INFO] CISS LUKS FS : [%s%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LUKS_FS}"
### Attach a loop device read-only to the encrypted file. ----------------------------------------------------------------------
LOOP="$(losetup -f --show -r "${MNT_MEDIUM}${CDLB_LUKS_FS}")" || { log "losetup failed"; exit 42; }
printf "\e[92m[INFO] Loop device : [%s] \n\e[0m" "${LOOP}"
### Expose the loop device for unlock-wrapper.sh, dropbear forced-command. -----------------------------------------------------
mkdir -p /run 2>/dev/null || true
echo "${LOOP}" > /run/ciss-loopdev 2>/dev/null || true
chmod 0600 /run/ciss-loopdev 2>/dev/null || true
printf "\e[92m[INFO] Exposed LOOP : [/run/ciss-loopdev] -> [%s]\n\e[0m" "${LOOP}"
### Prepare fifo for passphrase. -----------------------------------------------------------------------------------------------
mkdir -p /lib/cryptsetup 2>/dev/null || true
if [ -p /lib/cryptsetup/passfifo ]; then
rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
fi
if ! mkfifo /lib/cryptsetup/passfifo 2>/dev/null; then
printf "\e[92m[WARN] Boot failure : Failed to create /lib/cryptsetup/passfifo \n\e[0m"
exit 42
fi
chmod 0600 /lib/cryptsetup/passfifo 2>/dev/null || true
### Background broker: read FIFO, try cryptsetup per line. ---------------------------------------------------------------------
(
set +e
PASS=""
while :; do
if [ -b "${CDLB_MAPPER_DEV}" ]; then
break
fi
if ! IFS= read -r PASS < /lib/cryptsetup/passfifo; then
sleep 1
continue
fi
[ -n "${PASS}" ] || continue
printf "\e[93m[INFO] CISS LUKS decryption : LUKS mapper [%s] trying to unlock via cryptsetup ... \n\e[0m" "${CDLB_MAPPER_DEV}" >/dev/console 2>/dev/null || true
KEYLEN=${#PASS}
printf '%s' "${PASS}" | cryptsetup open --tries 1 \
--type luks \
--keyfile-size="${KEYLEN}" \
--readonly "${LOOP}" "${CDLB_MAPPER_NAME}" --key-file - 2>/dev/console
if [ -b "${CDLB_MAPPER_DEV}" ]; then
printf "\e[92m[INFO] CISS LUKS decryption : LUKS mapper [%s] successfully opened. \n\e[0m" "${CDLB_MAPPER_DEV}" >/dev/console 2>/dev/null || true
break
fi
done
) &
PID_BROKER="$!"
### Background process console-prompt feed passphrases into FIFO. --------------------------------------------------------------
(
set +e
PASS=""
PASS_SENT=0
WAIT_LOOP=0
while :; do
if [ -b "${CDLB_MAPPER_DEV}" ]; then
break
fi
if [ "${PASS_SENT}" -eq 0 ]; then
printf '\e[93m[INFO] Enter LUKS passphrase: \n\e[0m' > /dev/console
# shellcheck disable=SC2310
PASS="$(ask_pass_console)" || continue
printf '%s\n' "${PASS}" >| /lib/cryptsetup/passfifo 2>/dev/null || :
PASS_SENT=1
WAIT_LOOP=0
else
WAIT_LOOP=$((WAIT_LOOP + 1))
if [ "${WAIT_LOOP}" -ge 160 ]; then
printf '\e[91m[WARN] Please try again : \n\e[0m' > /dev/console
PASS_SENT=0
WAIT_LOOP=0
fi
fi
sleep 0.1
done
return 0
) &
PID_PROMPT="$!"
### Main process: wait bounded time for the mapper to appear. ------------------------------------------------------------------
REMAINING="${CDLB_REMOTE_WAIT_SECS}"
if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
printf "\e[93m[INFO] CISS LUKS decryption : Waiting up to %s seconds for [%s] to be unlocked ... \n\e[0m" "${REMAINING}" "${CDLB_MAPPER_DEV}"
fi
while [ "${REMAINING}" -gt 0 ]; do
if [ -b "${CDLB_MAPPER_DEV}" ]; then
break
fi
sleep 1
REMAINING=$((REMAINING - 1))
done
if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
printf "\e[91m[WARN] CISS LUKS decryption : Timeout LUKS mapper [%s] not present after %s seconds. \n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_REMOTE_WAIT_SECS}"
kill "${PID_PROMPT}" 2>/dev/null || true
kill "${PID_BROKER}" 2>/dev/null || true
rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
exit 42
fi
kill "${PID_PROMPT}" 2>/dev/null || true
wait "${PID_BROKER}" 2>/dev/null || true
rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
printf "\e[92m[INFO] CISS LUKS decryption : [%s] is now present.\n\e[0m" "${CDLB_MAPPER_DEV}"
### Mount the decrypted root device to use as the PLAIN_ROOT artifact in '9990-main.sh'. ---------------------------------------
if ! mount -t squashfs -o ro "${CDLB_MAPPER_DEV}" "${CDLB_LUKS_ROOTFS_MNT}"; then
log "Failed to mount SquashFS from [${CDLB_MAPPER_DEV}] on [${CDLB_LUKS_ROOTFS_MNT}]"
printf "\e[91m[WARN] CISS LUKS decryption : SquashFS mount failed: [%s] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_LUKS_ROOTFS_MNT}"
exit 42
else
printf "\e[92m[INFO] CISS LUKS decryption : Mounted SquashFS: [%s] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_LUKS_ROOTFS_MNT}"
fi
### Expose the decrypted root device for live-boot overlay. The live-boot components will pick this up in '9990-overlay.sh'. ---
cat << EOF >| /run/ciss-rootdev
export CDLB_ISO_LABEL=${CDLB_ISO_LABEL}
export CDLB_LUKS_FS=${CDLB_LUKS_FS}
export CDLB_MAPPER_NAME=${CDLB_MAPPER_NAME}
export CDLB_MAPPER_DEV=${CDLB_MAPPER_DEV}
export CDLB_LUKS_ROOTFS_MNT=${CDLB_LUKS_ROOTFS_MNT}
MNT_MEDIUM="/run/live/medium"
MNT_ROOTFS="/run/live/rootfs"
EOF
chmod 0644 /run/ciss-rootdev 2>/dev/null || true
export CISS_ROOT_DEV="${CDLB_MAPPER_DEV}"
export CISS_ROOT_DIR=""
# TODO: Remove Debug
if [ -e /conf/param.conf ]; then
printf "\e[92m[INFO] CISS LUKS decryption : Printing existing [/conf/param.conf] \n\e[0m"
cat /conf/param.conf >/dev/console 2>&1 || :
{
printf '\n'
printf 'PLAIN_ROOT=1\n'
printf 'ROOT=%s\n' "${MNT_ROOTFS}"
} >> /conf/param.conf 2>/dev/null || true
else
printf "\e[92m[INFO] CISS LUKS decryption : Not existing [/conf/param.conf] \n\e[0m"
{
printf '\n'
printf 'PLAIN_ROOT=1\n'
printf 'ROOT=%s\n' "${MNT_ROOTFS}"
} >| /conf/param.conf 2>/dev/null || true
fi
printf "\e[92m[INFO] CISS LUKS decryption : Final state [/conf/param.conf] \n\e[0m"
cat /conf/param.conf >/dev/console 2>&1 || :
log "Decrypted root device exposed at [/run/ciss-rootdev] -> [${CDLB_MAPPER_DEV}]"
printf "\e[92m[INFO] CISS LUKS decryption : Decrypted root device exposed at: [/run/ciss-rootdev] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}"
### Final sanity check. --------------------------------------------------------------------------------------------------------
if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
log "Failed to unlock encrypted root [${CDLB_LUKS_FS}] via dropbear and console."
printf "\e[91m[WARN] Failed unlock : [%s] via dropbear and console. \n\e[0m" "${CDLB_LUKS_FS}"
exit 42
fi
eval "${_SAVED_SET_OPTS}"
printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/0024-ciss-crypt-squash] \n\e[0m"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -1,39 +0,0 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck disable=SC2249
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Purpose: Enforce early sysctls before services start.
# Phase : premount (executed by live-boot inside the initramfs).
_SAVED_SET_OPTS="$(set +o)"
set -eu
printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] \n\e[0m"
echo 2 > /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true
echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || true
echo 0 > /proc/sys/fs/suid_dumpable 2>/dev/null || true
echo 1 > /proc/sys/kernel/kexec_load_disabled 2>/dev/null || true
echo 1 > /proc/sys/fs/protected_symlinks 2>/dev/null || true
echo 1 > /proc/sys/fs/protected_hardlinks 2>/dev/null || true
echo 2 > /proc/sys/fs/protected_regular 2>/dev/null || true
echo 2 > /proc/sys/kernel/kptr_restrict 2>/dev/null || true
eval "${_SAVED_SET_OPTS}"
printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] \n\e[0m"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -1,335 +0,0 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck disable=SC2249
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: GPL-3.0-or-later
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Modified Version of the original file:
### https://salsa.debian.org/live-team/live-boot 'components/0030-ciss-verify-checksums'
### In case of successful verification of the offered checksum, proceed with booting; otherwise panic.
#######################################
# Modified checksum-integrity and authenticity-verification-script depending on pinned GPG FPR for boot process verification.
# Globals:
# LIVE_BOOT_CMDLINE
# _TTY
# Arguments:
# 1: _MOUNTPOINT
# Returns:
# 0 : Successful verification
#######################################
Verify_checksums() {
printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0030-ciss-verify-checksums] \n\e[0m"
### Declare variables --------------------------------------------------------------------------------------------------------
### Will be replaced at build time:
export CDLB_EXP_FPR="@EXP_FPR@"
export CDLB_EXP_CA_FPR="@EXP_CA_FPR@"
### Declare functions --------------------------------------------------------------------------------------------------------
#######################################
# Helper for colored text output on stdout.
# Globals:
# None
# Arguments:
# *: String to print
#######################################
log_in() { printf '\e[95m[INFO] %s \n\e[0m' "$*"; }
#######################################
# Helper for colored text output on stdout.
# Globals:
# None
# Arguments:
# *: String to print
#######################################
log_ok() { printf '\e[92m[INFO] %s \n\e[0m' "$*"; }
#######################################
# Helper for colored text output on stdout.
# Globals:
# None
# Arguments:
# *: String to print
#######################################
log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }
_MOUNTPOINT="${1}"
_PARAMETER=""
_TTY="/dev/tty8"
LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
LIVE_VERIFY_CHECKSUMS_SIGNATURES="false"
_KEYFILE=""
_MP=""
### Parse commandline arguments ----------------------------------------------------------------------------------------------
for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
case "${_PARAMETER}" in
live-boot.verify-checksums=* | verify-checksums=*)
LIVE_VERIFY_CHECKSUMS="true"
LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
;;
live-boot.verify-checksums | verify-checksums)
LIVE_VERIFY_CHECKSUMS="true"
;;
live-boot.verify-checksums-signatures | verify-checksums-signatures)
LIVE_VERIFY_CHECKSUMS_SIGNATURES="true"
;;
esac
done
### Check if the function should be skipped ----------------------------------------------------------------------------------
case "${LIVE_VERIFY_CHECKSUMS}" in
true)
:
;;
*)
return 0
;;
esac
### Check GPG pubkey file correct path ---------------------------------------------------------------------------------------
for _MP in /lib/live/mount/medium /run/live/medium /cdrom /; do
if [ -e "${_MP}/${CDLB_EXP_FPR}.gpg" ]; then
_KEYFILE="${_MP}/${CDLB_EXP_FPR}.gpg"
if [ -e "${_MP}/${CDLB_EXP_CA_FPR}.gpg" ]; then
_CA_KEYFILE="${_MP}/${CDLB_EXP_CA_FPR}.gpg"
fi
break
fi
done
# shellcheck disable=SC2164
cd "${_MOUNTPOINT}"
### CDLB verification of script integrity itself -----------------------------------------------------------------------------
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
log_begin_msg "Verifying integrity of: [0030-ciss-verify-checksums]"
printf "\n"
_CAND=""
CDLB_SCRIPT_SELF="" CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_SIG_FILE=""
CDLB_CMD="/usr/bin/sha512sum"
CDLB_SHA="sha512"
for _CAND in /scripts/live-bottom/0030-ciss-verify-checksums /usr/lib/live/boot/0030-ciss-verify-checksums ; do
[ -e "${_CAND}" ] && { CDLB_SCRIPT_SELF="${_CAND}"; break; }
done
CDLB_SCRIPT_FILE="${CDLB_SCRIPT_SELF##*/}"
CDLB_SCRIPT_PATH="${CDLB_SCRIPT_SELF%/*}"
CDLB_SCRIPT_FULL="${CDLB_SCRIPT_PATH%/}/${CDLB_SCRIPT_FILE}"
CDLB_HASHFILE="/etc/ciss/hashes/${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt"
CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
_STATUS="$(/usr/bin/gpgv --no-default-keyring --keyring "${_KEYFILE}" --status-fd 1 --verify "${CDLB_SIG_FILE}" "${CDLB_SCRIPT_FULL}" 2>/dev/null)"
_CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"
### Compare against pinned and expected fingerprint.
if [ "${_CDLB_SIG_FILE_FPR}" = "${CDLB_EXP_FPR}" ]; then
log_ok "Signature FPR valid: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
else
log_er "Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
sleep 8
panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
fi
### Script self-integrity and authenticity checks --------------------------------------------------------------------------
### Assumption: initramfs itself is not altered.
log_in "Verifying signature of: [${CDLB_SIG_FILE}] ..."
if ! /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
log_er "Verifying signature of: [${CDLB_SIG_FILE}] failed."
sleep 8
panic "[FATAL] Verifying signature of: [${CDLB_SIG_FILE}] failed."
else
log_ok "Verifying signature of: [${CDLB_SIG_FILE}] successful."
fi
log_in "Recomputing hash for: [${CDLB_SHA}] ..."
CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT_FULL}" | { read -r first _ || exit 1; printf '%s\n' "${first}"; })
IFS=' ' read -r CDLB_EXPECTED _ < "${CDLB_HASHFILE}"
if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then
log_er "Recomputing hash for: [${CDLB_SHA}] failed."
sleep 8
panic "[FATAL] Recomputing hash for: [${CDLB_SHA}] failed."
fi
log_ok "Recomputing hash for: [${CDLB_SHA}] successful."
log_ok "Verification of authenticity and integrity of [${CDLB_SCRIPT_FULL}] successfully completed."
log_end_msg
printf "\n"
fi
### Checksum and checksum signature verification -----------------------------------------------------------------------------
log_begin_msg "Verifying checksums"
printf "\n"
log_in "Verifying checksums ..."
# shellcheck disable=SC2001
for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
# shellcheck disable=SC2060
_CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
for _CHECKSUM in ${_CHECKSUMS}; do
if [ -e "${_CHECKSUM}" ]; then
log_in "Found: [${_CHECKSUM}] ..."
if [ -e "/usr/bin/${_DIGEST}sum" ]; then
log_in "Found: [/usr/bin/${_DIGEST}sum] ..."
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
log_in "Checking signature of: [${_CHECKSUM}] ..."
_CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"
if /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"; then
_RETURN_PGP="${?}"
log_in "Checking signature of: [${_CHECKSUM}] successful."
else
_RETURN_PGP="${?}"
log_er "Checking signature of: [${_CHECKSUM}] failed."
fi
else
_RETURN_PGP="na"
fi
# shellcheck disable=SC2312
if grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_TTY}"; then
_RETURN_SHA="${?}"
log_ok "Found: [/usr/bin/${_DIGEST}sum] successful verified: [${_CHECKSUM}]"
else
_RETURN_SHA="${?}"
log_er "Found: [/usr/bin/${_DIGEST}sum] unsuccessful verified: [${_CHECKSUM}]"
fi
# Stop after the first verification.
break 2
else
_RETURN_SHA="255"
log_er "NOT Found [/usr/bin/${_DIGEST}sum]."
fi
fi
done
done
log_end_msg
printf "\n"
case "${_RETURN_PGP},${_RETURN_SHA}" in
"0,0")
log_ok "Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds."
log_success_msg "Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds."
sleep 8
return 0
;;
"na,0")
log_ok "Verification of [sha checksum] file successful; continuing booting in 8 seconds."
log_success_msg "Verification of [sha checksum] file successful; continuing booting in 8 seconds."
sleep 8
return 0
;;
"0,"*)
log_er "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed."
sleep 8
panic "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed."
;;
*",0")
log_er "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful."
sleep 8
panic "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful."
;;
"na,"*)
log_er "Verification of [sha checksum] file failed."
sleep 8
panic "Verification of [sha checksum] file failed."
;;
esac
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -1,259 +0,0 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck disable=SC2249
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: GPL-3.0-or-later
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Modified Version of the original file:
### https://salsa.debian.org/live-team/live-boot 'components/9990-main.shh'
### Change behavior to mount already opened ciss_rootfs.crypt (0024-ciss-crypt-squash).
# set -e
printf "\e[95m[INFO] Sourcing : [/usr/lib/live/boot/9990-main.sh] \n\e[0m"
Live ()
{
printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/9990-main.sh] \n\e[0m"
if [ -x /scripts/local-top/cryptroot ]
then
/scripts/local-top/cryptroot
fi
exec 6>&1
exec 7>&2
exec > boot.log
exec 2>&1
tail -f boot.log >&7 &
tailpid="${!}"
# shellcheck disable=SC2034
LIVE_BOOT_CMDLINE="${LIVE_BOOT_CMDLINE:-$(cat /proc/cmdline)}"
Cmdline_old
Debug
Read_only
Select_eth_device
if [ -e /conf/param.conf ]
then
. /conf/param.conf
fi
# Needed here too because some things (*cough* udev *cough*)
# change the timeout
printf "\e[93m[DEBUG] live(): Before do_netmount() pp. \e[0m\n"
if [ -n "${NETBOOT}" ] || [ -n "${FETCH}" ] || [ -n "${HTTPFS}" ] || [ -n "${FTPFS}" ]
then
if do_netmount
then
printf "\e[93m[DEBUG] live(): [livefs_root=%s] \e[0m\n" "${mountpoint?}"
livefs_root="${mountpoint?}"
else
panic "Unable to find a live file system on the network"
fi
else
if [ -n "${ISCSI_PORTAL}" ]
then
printf "\e[93m[DEBUG] live(): [do_iscsi && livefs_root=%s] \e[0m\n" "${mountpoint?}"
do_iscsi && livefs_root="${mountpoint}"
elif [ -n "${PLAIN_ROOT}" ] && [ -n "${ROOT}" ]
then
# Do a local boot from hd
printf "\e[93m[DEBUG] live(): Do a local boot from hd [livefs_root=%s] \e[0m\n" "${ROOT?}"
livefs_root=${ROOT}
else
printf "\e[93m[DEBUG] live(): [Setup_Memdisk] starting ... \e[0m\n"
Setup_Memdisk
printf "\e[93m[DEBUG] live(): [Setup_Memdisk] finished. \e[0m\n"
# If the live media location is given via command line and access to it
# involves LVM volumes, the corresponding volumes need to be activated.
IFS=','
# shellcheck disable=SC2116
for dev in $(echo "${LIVE_MEDIA}")
do
printf "\e[93m[DEBUG] live(): [%s] -> dev \e[0m\n" "${dev}"
case "${dev}" in
/dev/mapper/*)
# shellcheck disable=SC2046,SC2312
eval $(dmsetup splitname --nameprefixes --noheadings --rows "${dev#/dev/mapper/}")
# shellcheck disable=SC2244
if [ "${DM_VG_NAME}" ] && [ "${DM_LV_NAME}" ]
then
lvm lvchange -aay -y --sysinit --ignoreskippedcluster "${DM_VG_NAME}/${DM_LV_NAME}"
fi
;;
/dev/*/*)
# Could be /dev/VG/LV; use lvs to check
if lvm lvs -- "${dev}" >/dev/null 2>&1
then
lvm lvchange -aay -y --sysinit --ignoreskippedcluster "${dev}"
fi
;;
esac
done
unset IFS
# Scan local devices for the image
i=0
while [ "${i}" -lt 60 ]
do
# shellcheck disable=SC2086
livefs_root=$(find_livefs ${i})
if [ -n "${livefs_root}" ]
then
break
fi
sleep 1
i=$((i + 1))
done
fi
fi
printf "\e[93m[DEBUG] live(): [%s] -> livefs_root. \e[0m\n" "${livefs_root}"
if [ -z "${livefs_root}" ]
then
panic "Unable to find a medium containing a live file system"
fi
printf "\e[93m[DEBUG] live(): Before [Verify_checksums %s] \e[0m\n" "${livefs_root}"
Verify_checksums "${livefs_root}"
# shellcheck disable=SC2244
if [ "${TORAM}" ]
then
live_dest="ram"
elif [ "${TODISK}" ]
then
live_dest="${TODISK}"
fi
# shellcheck disable=SC2244
if [ "${live_dest}" ]
then
log_begin_msg "Copying live media to ${live_dest}"
copy_live_to "${livefs_root}" "${live_dest}"
log_end_msg
fi
# if we do not unmount the ISO, we can't run "fsck /dev/ice" later on
# because the mountpoint is left behind in /proc/mounts, so let's get
# rid of it when running from RAM
# shellcheck disable=SC2244
if [ -n "${FROMISO}" ] && [ "${TORAM}" ]
then
losetup -d /dev/loop0
if is_mountpoint /run/live/fromiso
then
umount /run/live/fromiso
rmdir --ignore-fail-on-non-empty /run/live/fromiso \
>/dev/null 2>&1 || true
fi
fi
printf "\e[93m[DBG] Live(): before overlay, live_dest=%s \e[0m\n" "${live_dest:-<none>}"
printf "\e[93m[DBG] Live(): MODULETORAMFILE=%s PLAIN_ROOT=%s \e[0m\n" "${MODULETORAMFILE}" "${PLAIN_ROOT}"
if [ -n "${MODULETORAMFILE}" ] || [ -n "${PLAIN_ROOT}" ]
then
printf "\e[93m[DBG] Live(): setup_unionfs livefs_root=%s rootmnt=%s \e[0m\n" "${livefs_root}" "${rootmnt?}"
setup_unionfs "${livefs_root}" "${rootmnt?}"
else
mac="$(get_mac)"
mac="$(echo "${mac}" | sed 's/-//g')"
printf "\e[93m[DBG] Live(): mount_images_in_directory livefs_root=%s rootmnt=%s mac=%s \e[0m\n" "${livefs_root}" "${rootmnt}" "${mac}"
mount_images_in_directory "${livefs_root}" "${rootmnt}" "${mac}"
fi
if [ -n "${ROOT_PID}" ]
then
echo "${ROOT_PID}" > "${rootmnt}"/lib/live/root.pid
fi
log_end_msg
# aufs2 in kernel versions around 2.6.33 has a regression:
# directories can't be accessed when read for the first time,
# causing a failure, for example, when accessing /var/lib/fai
# when booting FAI, this simple workaround solves it
ls /root/* >/dev/null 2>&1
# if we do not unmount the ISO, we can't run "fsck /dev/ice" later on
# because the mountpoint is left behind in /proc/mounts, so let's get
# rid of it when running from RAM
# shellcheck disable=SC2244
if [ -n "${FINDISO}" ] && [ "${TORAM}" ]
then
losetup -d /dev/loop0
if is_mountpoint /run/live/findiso
then
umount /run/live/findiso
rmdir --ignore-fail-on-non-empty /run/live/findiso \
>/dev/null 2>&1 || true
fi
fi
if [ -f /etc/hostname ] && ! grep -E -q -v '^[[:space:]]*(#|$)' "${rootmnt}/etc/hostname"
then
log_begin_msg "Copying /etc/hostname to ${rootmnt}/etc/hostname"
cp -v /etc/hostname "${rootmnt}/etc/hostname"
log_end_msg
fi
if [ -f /etc/hosts ] && ! grep -E -q -v '^[[:space:]]*(#|$|(127.0.0.1|::1|ff02::[12])[[:space:]])' "${rootmnt}/etc/hosts"
then
log_begin_msg "Copying /etc/hosts to ${rootmnt}/etc/hosts"
cp -v /etc/hosts "${rootmnt}/etc/hosts"
log_end_msg
fi
if [ -L /root/etc/resolv.conf ] ; then
# assume we have resolvconf
DNSFILE="${rootmnt}/etc/resolvconf/resolv.conf.d/base"
else
DNSFILE="${rootmnt}/etc/resolv.conf"
fi
if [ -f /etc/resolv.conf ] && ! grep -E -q -v '^[[:space:]]*(#|$)' "${DNSFILE}"
then
log_begin_msg "Copying /etc/resolv.conf to ${DNSFILE}"
cp -v /etc/resolv.conf "${DNSFILE}"
log_end_msg
fi
if ! [ -d "/lib/live/boot" ]
then
panic "A wrong rootfs was mounted."
fi
Fstab
Netbase
Swap
exec 1>&6 6>&-
exec 2>&7 7>&-
kill "${tailpid}"
[ -w "${rootmnt}/var/log/" ] && mkdir -p "${rootmnt}/var/log/live" && ( \
cp boot.log "${rootmnt}/var/log/live" 2>/dev/null; \
cp fsck.log "${rootmnt}/var/log/live" 2>/dev/null )
printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/9990-main.sh] ... \n\e[0m"
}


@@ -1,499 +0,0 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck disable=SC2249
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: GPL-3.0-or-later
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Modified Version of the original file:
### https://salsa.debian.org/live-team/live-boot 'components/9990-overlay.sh'
### Change behavior to mount already opened ciss_rootfs.crypt (0024-ciss-crypt-squash).
#set -e
printf "\e[95m[INFO] Sourcing : [/usr/lib/live/boot/9990-overlay.sh] \n\e[0m"
setup_unionfs ()
{
printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/9990-overlay.sh] \n\e[0m"
image_directory="${1}"
rootmnt="${2}"
addimage_directory="${3}"
### CISS hook: allow explicit root override ----------------------------------------------------------------------------------
if [ -z "${CISS_ROOT_DEV:-}" ] && [ -r /run/ciss-rootdev ]; then
CISS_ROOT_DEV=$(cat /run/ciss-rootdev 2>/dev/null || printf '')
fi
if [ -n "${CISS_ROOT_DEV:-}" ]; then
### Treat the decrypted block device as plain root (e.g., squashfs on LUKS).
PLAIN_ROOT=1
image_directory="${CISS_ROOT_DEV}"
elif [ -n "${CISS_ROOT_DIR:-}" ]; then
### Alternative: explicitly provided root directory.
PLAIN_ROOT=1
image_directory="${CISS_ROOT_DIR}"
fi
### --------------------------------------------------------------------------------------------------------------------------
# shellcheck disable=SC2086
modprobe -q -b ${UNIONTYPE}
if ! cut -f2 /proc/filesystems | grep -q "^${UNIONTYPE}\$"
then
panic "${UNIONTYPE} not available."
fi
croot="/run/live/rootfs"
# Let's just mount the read-only file systems first
rootfslist=""
if [ -z "${PLAIN_ROOT}" ]
then
# Read image names from ${MODULE}.module if it exists
# shellcheck disable=SC2153
if [ -e "${image_directory}/filesystem.${MODULE}.module" ]
then
# shellcheck disable=SC2013,SC2086
for IMAGE in $(cat ${image_directory}/filesystem.${MODULE}.module)
do
image_string="${image_string} ${image_directory}/${IMAGE}"
done
elif [ -e "${image_directory}/${MODULE}.module" ]
then
# shellcheck disable=SC2013,SC2086
for IMAGE in $(cat ${image_directory}/${MODULE}.module)
do
image_string="${image_string} ${image_directory}/${IMAGE}"
done
else
# ${MODULE}.module does not exist, create a list of images
for FILESYSTEM in squashfs ext2 ext3 ext4 xfs jffs2 dir
do
for IMAGE in "${image_directory}"/*."${FILESYSTEM}"
do
if [ -e "${IMAGE}" ]
then
image_string="${image_string} ${IMAGE}"
fi
done
done
if [ -n "${addimage_directory}" ] && [ -d "${addimage_directory}" ]
then
for FILESYSTEM in squashfs ext2 ext3 ext4 xfs jffs2 dir
do
for IMAGE in "${addimage_directory}"/*."${FILESYSTEM}"
do
if [ -e "${IMAGE}" ]
then
image_string="${image_string} ${IMAGE}"
fi
done
done
fi
# Now sort the list
# shellcheck disable=SC2086
image_string="$(echo ${image_string} | sed -e 's/ /\n/g' | sort )"
fi
# shellcheck disable=SC2086
[ -n "${MODULETORAMFILE}" ] && image_string="${image_directory}/$(basename ${MODULETORAMFILE})"
mkdir -p "${croot}"
for image in ${image_string}
do
imagename=$(basename "${image}")
export image devname
maybe_break live-realpremount
log_begin_msg "Running /scripts/live-realpremount"
run_scripts /scripts/live-realpremount
log_end_msg
if [ -d "${image}" ]
then
# It is a plain directory: do nothing
rootfslist="${image} ${rootfslist}"
elif [ -f "${image}" ]
then
if losetup --help 2>&1 | grep -q -- "-r\b"
then
backdev=$(get_backing_device "${image}" "-r")
else
backdev=$(get_backing_device "${image}")
fi
fstype=$(get_fstype "${backdev}")
case "${fstype}" in
unknown)
panic "Unknown file system type on ${backdev} (${image})"
;;
"")
fstype="${imagename##*.}"
log_warning_msg "Unknown file system type on ${backdev} (${image}), assuming ${fstype}."
;;
esac
mpoint=$(trim_path "${croot}/${imagename}")
rootfslist="${mpoint} ${rootfslist}"
mount_options=""
# Setup dm-verity support if a device has it supported
hash_device="${image}.verity"
# shellcheck disable=SC2086
if [ -f ${hash_device} ]
then
log_begin_msg "Start parsing dm-verity options for ${image}"
backdev_roothash=$(get_backing_device ${hash_device})
verity_mount_options="-o verity.hashdevice=${backdev_roothash}"
root_hash=$(get_dm_verity_hash ${imagename} ${DM_VERITY_ROOT_HASH})
valid_config="true"
case $(mount --version) in
*verity*)
;;
*)
valid_config="false"
log_warning_msg "mount does not have support for dm-verity. Ignoring mount options"
;;
esac
if [ -n "${root_hash}" ]
then
verity_mount_options="${verity_mount_options} -o verity.roothash=${root_hash}"
# Check if the root hash is saved on disk
elif [ -f "${image}.roothash" ]
then
verity_mount_options="${verity_mount_options} -o verity.roothashfile=${image}.roothash"
else
valid_config="false"
log_warning_msg "'${image}' has a dm-verity hash table, but no root hash was specified ignoring"
fi
fec="${image}.fec"
fec_roots="${image}.fec.roots"
if [ -f ${fec} ] && [ -f ${fec_roots} ]
then
backdev_fec=$(get_backing_device ${fec})
roots=$(cat ${fec_roots})
verity_mount_options="${verity_mount_options} -o verity.fecdevice=${backdev_fec} -o verity.fecroots=${roots}"
fi
signature="${image}.roothash.p7s"
if [ -f "${signature}" ]
then
verity_mount_options="${verity_mount_options} -o verity.roothashsig=${signature}"
elif [ "${DM_VERITY_ENFORCE_ROOT_HASH_SIG}" = "true" ]
then
panic "dm-verity signature checking was enforced but no signature could be found for ${image}!"
fi
if [ -n "${DM_VERITY_ONCORRUPTION}" ]
then
if is_in_space_sep_list "${DM_VERITY_ONCORRUPTION}" "ignore panic restart"
then
verity_mount_options="${verity_mount_options} -o verity.oncorruption=${DM_VERITY_ONCORRUPTION}"
else
log_warning_msg "For dm-verity on corruption '${DM_VERITY_ONCORRUPTION}' was specified, but only ignore, panic or restart are supported!"
log_warning_msg "Ignoring setting"
fi
fi
if [ "${valid_config}" = "true" ]
then
mount_options="${mount_options} ${verity_mount_options}"
fi
log_end_msg "Finished parsing dm-verity options for ${image}"
fi
mkdir -p "${mpoint}"
log_begin_msg "Mounting \"${image}\" on \"${mpoint}\" via \"${backdev}\""
# shellcheck disable=SC2086
mount -t "${fstype}" -o ro,noatime ${mount_options} "${backdev}" "${mpoint}" || panic "Can not mount ${backdev} (${image}) on ${mpoint}"
log_end_msg
else
log_warning_msg "Could not find image '${image}'. Most likely it is listed in a .module file, perhaps by mistake."
fi
done
else
# We have a plain root system
mkdir -p "${croot}/filesystem"
log_begin_msg "Mounting \"${image_directory}\" on \"${croot}/filesystem\""
# shellcheck disable=SC2046,SC2312
mount -t $(get_fstype "${image_directory}") -o ro,noatime "${image_directory}" "${croot}/filesystem" || \
panic "Can not mount ${image_directory} on ${croot}/filesystem" && \
rootfslist="${croot}/filesystem ${rootfslist}"
# Probably broken:
# shellcheck disable=SC2086,SC2250
mount -o bind ${croot}/filesystem $mountpoint
log_end_msg
fi
# tmpfs file systems
touch /etc/fstab
mkdir -p /run/live/overlay
# Looking for persistence devices or files
if [ -n "${PERSISTENCE}" ] && [ -z "${NOPERSISTENCE}" ]
then
if [ -z "${QUICKUSBMODULES}" ]
then
# Load USB modules
# shellcheck disable=SC2012
num_block=$(ls -l /sys/block | wc -l)
for module in sd_mod uhci-hcd ehci-hcd ohci-hcd usb-storage
do
# shellcheck disable=SC2086
modprobe -q -b ${module}
done
udevadm trigger
udevadm settle
# For some reason, udevsettle does not block in this scenario,
# so we sleep for a little while.
#
# See https://bugs.launchpad.net/ubuntu/+source/casper/+bug/84591
# shellcheck disable=SC2034
for timeout in 5 4 3 2 1
do
sleep 1
# shellcheck disable=SC2012,SC2046,SC2086,SC2312
if [ $(ls -l /sys/block | wc -l) -gt ${num_block} ]
then
break
fi
done
fi
# shellcheck disable=SC3043
local whitelistdev
whitelistdev=""
if [ -n "${PERSISTENCE_MEDIA}" ]
then
case "${PERSISTENCE_MEDIA}" in
removable)
whitelistdev="$(removable_dev)"
;;
removable-usb)
whitelistdev="$(removable_usb_dev)"
;;
esac
if [ -z "${whitelistdev}" ]
then
whitelistdev="ignore_all_devices"
fi
fi
# shellcheck disable=SC2086
if is_in_comma_sep_list overlay ${PERSISTENCE_METHOD}
then
overlays="${custom_overlay_label}"
fi
# shellcheck disable=SC3043
local overlay_devices
overlay_devices=""
if [ "${whitelistdev}" != "ignore_all_devices" ]
then
for media in $(find_persistence_media "${overlays}" "${whitelistdev}")
do
# shellcheck disable=SC2086
media="$(echo ${media} | tr ":" " ")"
for overlay_label in ${custom_overlay_label}
do
case ${media} in
${overlay_label}=*)
device="${media#*=}"
overlay_devices="${overlay_devices} ${device}"
;;
esac
done
done
fi
elif [ -n "${NFS_COW}" ] && [ -z "${NOPERSISTENCE}" ]
then
# Check if there are any nfs options
# shellcheck disable=SC2086
if echo ${NFS_COW} | grep -q ','
then
# shellcheck disable=SC2086
nfs_cow_opts="-o nolock,$(echo ${NFS_COW}|cut -d, -f2-)"
nfs_cow=$(echo ${NFS_COW}|cut -d, -f1)
else
nfs_cow_opts="-o nolock"
nfs_cow=${NFS_COW}
fi
if [ -n "${PERSISTENCE_READONLY}" ]
then
nfs_cow_opts="${nfs_cow_opts},nocto,ro"
fi
mac="$(get_mac)"
if [ -n "${mac}" ]
then
# shellcheck disable=SC2086
cowdevice=$(echo ${nfs_cow} | sed "s/client_mac_address/${mac}/")
cow_fstype="nfs"
else
panic "unable to determine mac address"
fi
fi
if [ -z "${cowdevice}" ]
then
cowdevice="tmpfs"
cow_fstype="tmpfs"
cow_mountopt="rw,noatime,mode=755,size=${OVERLAY_SIZE:-50%}"
fi
if [ -n "${PERSISTENCE_READONLY}" ] && [ "${cowdevice}" != "tmpfs" ]
then
# shellcheck disable=SC2086
mount -t tmpfs -o rw,noatime,mode=755,size=${OVERLAY_SIZE:-50%} tmpfs "/run/live/overlay"
# shellcheck disable=SC2086
root_backing="/run/live/persistence/$(basename ${cowdevice})-root"
# shellcheck disable=SC2086
mkdir -p ${root_backing}
else
root_backing="/run/live/overlay"
fi
if [ "${cow_fstype}" = "nfs" ]
then
log_begin_msg \
"Trying nfsmount ${nfs_cow_opts} ${cowdevice} ${root_backing}"
# shellcheck disable=SC2086
nfsmount ${nfs_cow_opts} ${cowdevice} ${root_backing} || \
panic "Can not mount ${cowdevice} (n: ${cow_fstype}) on ${root_backing}"
else
# shellcheck disable=SC2086
mount -t ${cow_fstype} -o ${cow_mountopt} ${cowdevice} ${root_backing} || \
panic "Can not mount ${cowdevice} (o: ${cow_fstype}) on ${root_backing}"
fi
# shellcheck disable=SC2086
rootfscount=$(echo ${rootfslist} |wc -w)
rootfs=${rootfslist%% }
if [ -n "${EXPOSED_ROOT}" ]
then
# shellcheck disable=SC2086
if [ ${rootfscount} -ne 1 ]
then
panic "only one RO file system supported with exposedroot: ${rootfslist}"
fi
# shellcheck disable=SC2086
mount -o bind ${rootfs} ${rootmnt} || \
panic "bind mount of ${rootfs} failed"
if [ -z "${SKIP_UNION_MOUNTS}" ]
then
cow_dirs='/var/tmp /var/lock /var/run /var/log /var/spool /home /var/lib/live'
else
cow_dirs=''
fi
else
cow_dirs="/"
fi
for dir in ${cow_dirs}; do
unionmountpoint=$(trim_path "${rootmnt}${dir}")
# shellcheck disable=SC2086
mkdir -p ${unionmountpoint}
cow_dir=$(trim_path "/run/live/overlay${dir}")
rootfs_dir="${rootfs}${dir}"
# shellcheck disable=SC2086
mkdir -p ${cow_dir}
if [ -n "${PERSISTENCE_READONLY}" ] && [ "${cowdevice}" != "tmpfs" ]
then
# shellcheck disable=SC2086
do_union ${unionmountpoint} ${cow_dir} ${root_backing} ${rootfs_dir}
else
# shellcheck disable=SC2086
do_union ${unionmountpoint} ${cow_dir} ${rootfs_dir}
fi || panic "mount ${UNIONTYPE} on ${unionmountpoint} failed with option ${unionmountopts}"
done
# Remove persistence depending on boot parameter
Remove_persistence
# Correct the permissions of /:
chmod 0755 "${rootmnt}"
# Correct the permission of /tmp:
if [ -d "${rootmnt}/tmp" ]
then
chmod 1777 "${rootmnt}"/tmp
fi
# Correct the permission of /var/tmp:
if [ -d "${rootmnt}/var/tmp" ]
then
chmod 1777 "${rootmnt}"/var/tmp
fi
# Adding custom persistence
if [ -n "${PERSISTENCE}" ] && [ -z "${NOPERSISTENCE}" ]
then
# shellcheck disable=SC3043
local custom_mounts
custom_mounts="/tmp/custom_mounts.list"
# shellcheck disable=SC2086
rm -f ${custom_mounts}
# Gather information about custom mounts from devices detected as overlays
# shellcheck disable=SC2086
get_custom_mounts ${custom_mounts} ${overlay_devices}
# shellcheck disable=SC2086
[ -n "${LIVE_BOOT_DEBUG}" ] && cp ${custom_mounts} "/run/live/persistence"
# Now we do the actual mounting (and symlinking)
# shellcheck disable=SC3043
local used_overlays
used_overlays=""
# shellcheck disable=SC2086
used_overlays=$(activate_custom_mounts ${custom_mounts})
# shellcheck disable=SC2086
rm -f ${custom_mounts}
# Close unused overlays (e.g., due to missing $persistence_list)
for overlay in ${overlay_devices}
do
# shellcheck disable=SC2086
if echo ${used_overlays} | grep -qve "^\(.* \)\?${overlay}\( .*\)\?$"
then
close_persistence_media ${overlay}
fi
done
fi
printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/9990-overlay.sh] ... \n\e[0m"
}


@@ -232,9 +232,17 @@ ln -sf /dev/null /etc/systemd/system/apt-show-versions.timer
ln -sf /dev/null /etc/systemd/system/apt-show-versions.service
rm -f /etc/cron.daily/apt-show-versions || true
### Remove original '/usr/lib/live/boot/0030-verify-checksums' -----------------------------------------------------------------
### Remove the original '/usr/lib/live/boot/0030-verify-checksums' -------------------------------------------------------------
[[ -e /usr/lib/live/boot/0030-verify-checksums ]] && rm -f /usr/lib/live/boot/0030-verify-checksums
### Ensure proper 0755 rights for CISS initramfs scripts ----------------------------------------------------------------------
[[ -x /etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh ]] \
&& chmod 0755 /etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh
[[ -x /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh ]] \
&& chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
[[ -x /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh ]] \
&& chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
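Review bot: The three new `[[ -x … ]] && chmod 0755 …` pairs under the "Ensure proper 0755 rights" comment test for the execute bit before setting it, so a script that was installed without that bit — the case the comment says the block exists for — is skipped, while one that is already executable is chmod'ed needlessly. Testing for the file instead, `[[ -f /etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh ]] \` (and the same `-f` for the two fixpath scripts), makes the block actually enforce the mode. With that change the three repeated pairs could also collapse into a single `for` loop over the three paths, which keeps the list in one place when further initramfs scripts are added. The hook's body is complete in this hunk, ending at `exit 0`.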


@@ -77,10 +77,11 @@ for _mp in /run/live/rootfs /run/live/rootfs.squashfs /run/live/overlay /root ;
done
if [ -z "${ROOTMP}" ]; then
log_er "No decrypted rootfs mount found."
sleep 8
# TODO: Remove debug mode
# panic "[FATAL] No decrypted rootfs mount found."
panic "[FATAL] No decrypted rootfs mount found."
fi
log_ok "Decrypted rootfs at: [${ROOTMP}]"
@@ -106,8 +107,7 @@ else
log_er "Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
sleep 8
# TODO: Remove debug mode
# panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
fi
@@ -126,8 +126,7 @@ if [ -e "${MAP_DEV}" ]; then
log_er "Top layer is NOT 'crypt'."
sleep 8
# TODO: Remove debug mode
# panic "[FATAL] Top layer is NOT 'crypt'."
panic "[FATAL] Top layer is NOT 'crypt'."
fi
@@ -139,8 +138,7 @@ if [ -e "${MAP_DEV}" ]; then
log_er "Cipher does not look like AES-XTS."
sleep 8
# TODO: Remove debug mode
# panic "[FATAL] Cipher does not look like AES-XTS."
panic "[FATAL] Cipher does not look like AES-XTS."
fi
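Review bot: The `sleep 8` before each `panic` appears to remain on the new side in all four hunks (the rendering drops the +/- column, so this is inferred from the hunk line counts); now that the panics are live, the fixed delay no longer serves the debug purpose the removed TODO comments described and only keeps the decrypted-but-unattested rootfs mounted for eight more seconds on each failure path. Either drop the `sleep 8` lines or gate them on an explicit debug switch, e.g. `[ -n "${<DEBUG_VAR>:-}" ] && sleep 8` with `<DEBUG_VAR>` being whatever variable the script already uses for debug output. Each failure path also writes the same text twice, once to `log_er` and once to `panic "[FATAL] …"`; a one-line helper such as `fail_attest() { log_er "$1"; panic "[FATAL] $1"; }` would remove the duplication and keep the two messages in step. The `if`/`else` blocks in the last three hunks start outside the visible lines.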


@@ -21,7 +21,7 @@ include_toc: true
* **Bugfixes**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash)
* **Bugfixes**: [0026-ciss-early-sysctl](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl)
* **Bugfixes**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums)
* **Bugfixes**: [0042-ciss-post-decrypt-attest](../config/includes.chroot/etc/initramfs-tools/scripts/live-bottom/0042-ciss-post-decrypt-attest)
* **Bugfixes**: [0042-ciss-post-decrypt-attest](../config/includes.chroot/etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh)
## V8.13.432.2025.11.18
* **Bugfixes**: [0003_cdi_autostart.chroot](../config/hooks/live/0003_cdi_autostart.chroot)
@@ -37,7 +37,7 @@ include_toc: true
* **Added**: [0022-ciss-overlay-tmpfs.sh](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs) + Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
* **Added**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash) + Open ``/live/ciss_rootfs.crypt`` (LUKS) and present its SquashFS as ``/run/live/rootfs``.
* **Added**: [0026-ciss-early-sysctl.sh](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl) + Enforce early sysctls before services start.
* **Added**: [0042-ciss-post-decrypt-attest](../config/includes.chroot/etc/initramfs-tools/scripts/live-bottom/0042-ciss-post-decrypt-attest) + Late rootfs attestation and dmsetup health checking.
* **Added**: [0042-ciss-post-decrypt-attest](../config/includes.chroot/etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh) + Late rootfs attestation and dmsetup health checking.
* **Added**: [MAN_CISS_ISO_BOOT_CHAIN.md](MAN_CISS_ISO_BOOT_CHAIN.md)
* **Added**: [lib_ciss_signatures.sh](../lib/lib_ciss_signatures.sh) + integrated dynamic GPG FPR injection.
* **Bugfixes**: [0021_dropbear_initramfs.chroot](../config/hooks/live/0021_dropbear_initramfs.chroot) + mv original files to a safe backup location.


@@ -17,7 +17,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# Module to export GPG FPRs into scripts:
# - /etc/initramfs-tools/files/unlock_wrapper.sh
# - /usr/lib/live/boot/0030-ciss-verify-checksums
# - /usr/lib/live/boot/0042-ciss-post-decrypt-attest
# - /usr/lib/live/boot/0042_ciss_post_decrypt_attest.sh
# Globals:
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR