diff --git a/.archive/0022-ciss-overlay-tmpfs b/.archive/0022-ciss-overlay-tmpfs
deleted file mode 100644
index 0a60320..0000000
--- a/.archive/0022-ciss-overlay-tmpfs
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/bin/sh
-# bashsupport disable=BP5007
-# shellcheck disable=SC2249
-# shellcheck shell=sh
-
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.;
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-# Purpose: Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
-# Phase : premount (executed by live-boot inside the initramfs).
-
-_SAVED_SET_OPTS="$(set +o)"
-
-set -eu
-
-sleep 3
-
-printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh] \n\e[0m"
-
-### Declare variables ----------------------------------------------------------------------------------------------------------
-OVERLAY_BASE="/run/live/overlay"
-UPPER="${OVERLAY_BASE}/upper"
-WORK="${OVERLAY_BASE}/work"
-
-### Size policy: hard ceiling to mitigate RAM-filling DoS; tune to your ISO profile. -------------------------------------------
-: "${CDLB_OVERLAY_TMPFS_SIZE:=70%}"
-
-### Create a base dir with restrictive perms. ----------------------------------------------------------------------------------
-# shellcheck disable=SC2174
-mkdir -p -m 0700 "${OVERLAY_BASE}"
-
-### Mount dedicated tmpfs with strict flags; 'noexec' here blocks accidental execs from the raw tmpfs path. 
--------------------
-mount -t tmpfs -o "size=${CDLB_OVERLAY_TMPFS_SIZE},mode=0700,nosuid,nodev,noexec" tmpfs "${OVERLAY_BASE}"
-printf "\e[92m[INFO] Command : [mount -t tmpfs -o \"size=%s,mode=0700,nosuid,nodev,noexec\" tmpfs %s] \n\e[0m" "${CDLB_OVERLAY_TMPFS_SIZE}" "${OVERLAY_BASE}"
-
-### Prepare upper /work with tight perms. --------------------------------------------------------------------------------------
-# shellcheck disable=SC2174
-mkdir -p -m 0700 "${UPPER}" "${WORK}"
-
-eval "${_SAVED_SET_OPTS}"
-
-printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh] \n\e[0m"
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/.archive/0024-ciss-crypt-squash b/.archive/0024-ciss-crypt-squash
deleted file mode 100644
index 8e16139..0000000
--- a/.archive/0024-ciss-crypt-squash
+++ /dev/null
@@ -1,434 +0,0 @@ -#!/bin/sh -# bashsupport disable=BP5007 -# shellcheck disable=SC2249 -# shellcheck shell=sh - -# SPDX-Version: 3.0 -# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; -# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git -# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency -# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; -# SPDX-FileType: SOURCE -# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 -# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. -# SPDX-PackageName: CISS.debian.live.builder -# SPDX-Security-Contact: security@coresecret.eu - -# Purpose: Open /live/ciss_rootfs.crypt (LUKS) for final processing in '9990-overlay.sh' -# Phase : premount (executed by live-boot inside the initramfs) - -_SAVED_SET_OPTS="$(set +o)" - -set -eu - -printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0024-ciss-crypt-squash] \n\e[0m" - -####################################### -# Ask for a passphrase on /dev/console, mask input with '*'. -# Globals: -# None -# Arguments: -# None -# Returns: -# 0: on success -# 1: on failure / empty -####################################### -ask_pass_console() { - PASSPHRASE="" - SAVED_STTY="" - - ### Save current console settings. - SAVED_STTY=$(stty -g /dev/null || printf '') - - ### Non-canonical mode, no echo, 1 byte at a time. - stty -echo -icanon time 0 min 1 /dev/null || return 1 - - cr=$(printf '\r') - bs=$(printf '\b') - del=$(printf '\177') - - while :; do - - ### Read exactly one byte from the console. - c=$(dd bs=1 count=1 2>/dev/null /dev/console - break - - fi - - ### If nothing read (race), loop again. - [ -z "${c}" ] && continue - - case "${c}" in - - "${cr}") - ### Enter: finish input. - printf '\n' > /dev/console - break - ;; - - "${bs}"|"${del}") - ### Backspace, delete: delete one character, if available. 
- if [ -n "${PASSPHRASE}" ]; then - - PASSPHRASE=${PASSPHRASE%?} - printf '\b \b' > /dev/console - - fi - ;; - - *) - ### Normal character: append and mask output. - PASSPHRASE="${PASSPHRASE}${c}" - printf '*' > /dev/console - ;; - - esac - - done - - [ -n "${SAVED_STTY}" ] && stty "${SAVED_STTY}" /dev/null || : - - printf '%s' "${PASSPHRASE}" - - return 0 -} - -####################################### -# Premount logging helper. -# Globals: -# None -# Arguments: -# *: String to log. -####################################### -log() { - msg="$*" - if [ -w /dev/kmsg ]; then - printf '<6>%s: %s\n' '0024-ciss-crypt-squash' "${msg}" > /dev/kmsg - else - printf '%s: %s\n' '0024-ciss-crypt-squash' "${msg}" - fi -} - -### Declare variables. --------------------------------------------------------------------------------------------------------- -export CDLB_ISO_LABEL="CISS.debian.live" -export CDLB_LUKS_FS="/live/ciss_rootfs.crypt" -export CDLB_MAPPER_NAME="crypt_liveiso" -export CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}" -export CDLB_LUKS_ROOTFS_MNT="/run/live/ciss-rootfs" -CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}" -MNT_MEDIUM="/run/live/medium" -MNT_ROOTFS="/run/live/rootfs" -_PARAMETER="" -_dev="" - -### Read the kernel cmdline once. ---------------------------------------------------------------------------------------------- -CMDLINE="$(cat /proc/cmdline 2>/dev/null || printf '')" - -for _PARAMETER in ${CMDLINE}; do - - case "${_PARAMETER}" in - - ciss_crypt_path=*) export CDLB_LUKS_FS="${_PARAMETER#ciss_crypt_path=}";; - ciss_iso_label=* ) export CDLB_ISO_LABEL="${_PARAMETER#ciss_iso_label=}";; - - esac - -done - -printf "\e[92m[INFO] CDLB_LUKS_FS : [%s] \n\e[0m" "${CDLB_LUKS_FS}" -printf "\e[92m[INFO] CDLB_ISO_LABEL : [%s] \n\e[0m" "${CDLB_ISO_LABEL}" - -mkdir -p "${MNT_MEDIUM}" "${MNT_ROOTFS}" - -### Mount the live medium (ISO) read-only, unless already mounted. ------------------------------------------------------------- -if ! 
mountpoint -q "${MNT_MEDIUM}"; then - - if [ -n "${CDLB_ISO_LABEL}" ] && [ -e "/dev/disk/by-label/${CDLB_ISO_LABEL}" ]; then - - mount -r -t iso9660 "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${MNT_MEDIUM}" 2>/dev/null \ - || mount -r -t udf "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${MNT_MEDIUM}" 2>/dev/null \ - || log "could not mount label=${CDLB_ISO_LABEL} (iso9660/udf)" - - fi - -fi - -if ! mountpoint -q "${MNT_MEDIUM}"; then - - ### Fallback scan (covers SR drives and loop-mounted ISOs that udev exposed). - for _dev in /dev/sr* /dev/cdrom /dev/disk/by-label/*; do - - ### Skip non-block entries early. - [ -b "${_dev}" ] || continue - - ### Try ISO9660 first, then UDF; only unmount on failure. - if mount -r -t iso9660 "${_dev}" "${MNT_MEDIUM}" 2>/dev/null || mount -r -t udf "${_dev}" "${MNT_MEDIUM}" 2>/dev/null; then - - mountpoint -q "${MNT_MEDIUM}" 2>/dev/null && break - - else - - umount "${MNT_MEDIUM}" 2>/dev/null || true - - fi - - done - -fi - -if ! mountpoint -q "${MNT_MEDIUM}"; then - - log "No live medium mounted, defer to default live-boot path." - printf "\e[91m[FATAL] Boot failure : No live medium mounted, defer to default live-boot path. \n\e[0m" - exit 42 - -fi - -printf "\e[92m[INFO] MNT_MEDIUM : [%s] \n\e[0m" "${MNT_MEDIUM}" - -### Locate the encrypted root container on the medium. ------------------------------------------------------------------------- -if [ ! -f "${MNT_MEDIUM}${CDLB_LUKS_FS}" ]; then - - log "Encrypted root not found at: [${MNT_MEDIUM}${CDLB_LUKS_FS}]" - printf "\e[91m[FATAL] Boot failure : Encrypted root not found at: [%s%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LUKS_FS}" - exit 42 - -fi - -printf "\e[92m[INFO] CISS LUKS FS : [%s%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LUKS_FS}" - -### Attach a loop device read-only to the encrypted file. 
---------------------------------------------------------------------- -LOOP="$(losetup -f --show -r "${MNT_MEDIUM}${CDLB_LUKS_FS}")" || { log "losetup failed"; exit 42; } - -printf "\e[92m[INFO] Loop device : [%s] \n\e[0m" "${LOOP}" - -### Expose the loop device for unlock-wrapper.sh, dropbear forced-command. ----------------------------------------------------- -mkdir -p /run 2>/dev/null || true - -echo "${LOOP}" > /run/ciss-loopdev 2>/dev/null || true - -chmod 0600 /run/ciss-loopdev 2>/dev/null || true - -printf "\e[92m[INFO] Exposed LOOP : [/run/ciss-loopdev] -> [%s]\n\e[0m" "${LOOP}" - -### Prepare fifo for passphrase. ----------------------------------------------------------------------------------------------- -mkdir -p /lib/cryptsetup 2>/dev/null || true - -if [ -p /lib/cryptsetup/passfifo ]; then - - rm -f /lib/cryptsetup/passfifo 2>/dev/null || true - -fi - -if ! mkfifo /lib/cryptsetup/passfifo 2>/dev/null; then - - printf "\e[92m[WARN] Boot failure : Failed to create /lib/cryptsetup/passfifo \n\e[0m" - exit 42 - -fi - -chmod 0600 /lib/cryptsetup/passfifo 2>/dev/null || true - -### Background broker: read FIFO, try cryptsetup per line. --------------------------------------------------------------------- -( - set +e - - PASS="" - - while :; do - - if [ -b "${CDLB_MAPPER_DEV}" ]; then - - break - - fi - - if ! IFS= read -r PASS < /lib/cryptsetup/passfifo; then - - sleep 1 - continue - - fi - - [ -n "${PASS}" ] || continue - - printf "\e[93m[INFO] CISS LUKS decryption : LUKS mapper [%s] trying to unlock via cryptsetup ... \n\e[0m" "${CDLB_MAPPER_DEV}" >/dev/console 2>/dev/null || true - - KEYLEN=${#PASS} - - printf '%s' "${PASS}" | cryptsetup open --tries 1 \ - --type luks \ - --keyfile-size="${KEYLEN}" \ - --readonly "${LOOP}" "${CDLB_MAPPER_NAME}" --key-file - 2>/dev/console - - if [ -b "${CDLB_MAPPER_DEV}" ]; then - - printf "\e[92m[INFO] CISS LUKS decryption : LUKS mapper [%s] successfully opened. 
\n\e[0m" "${CDLB_MAPPER_DEV}" >/dev/console 2>/dev/null || true - break - - fi - - done -) & -PID_BROKER="$!" - -### Background process console-prompt feed passphrases into FIFO. -------------------------------------------------------------- -( - set +e - - PASS="" - PASS_SENT=0 - WAIT_LOOP=0 - - while :; do - - if [ -b "${CDLB_MAPPER_DEV}" ]; then - - break - - fi - - if [ "${PASS_SENT}" -eq 0 ]; then - - printf '\e[93m[INFO] Enter LUKS passphrase: \n\e[0m' > /dev/console - - # shellcheck disable=SC2310 - PASS="$(ask_pass_console)" || continue - - printf '%s\n' "${PASS}" >| /lib/cryptsetup/passfifo 2>/dev/null || : - - PASS_SENT=1 - WAIT_LOOP=0 - - else - - WAIT_LOOP=$((WAIT_LOOP + 1)) - - if [ "${WAIT_LOOP}" -ge 160 ]; then - - printf '\e[91m[WARN] Please try again : \n\e[0m' > /dev/console - - PASS_SENT=0 - WAIT_LOOP=0 - - fi - - fi - - sleep 0.1 - - done - - return 0 -) & -PID_PROMPT="$!" - -### Main process: wait bounded time for the mapper to appear. ------------------------------------------------------------------ -REMAINING="${CDLB_REMOTE_WAIT_SECS}" - -if [ ! -b "${CDLB_MAPPER_DEV}" ]; then - - printf "\e[93m[INFO] CISS LUKS decryption : Waiting up to %s seconds for [%s] to be unlocked ... \n\e[0m" "${REMAINING}" "${CDLB_MAPPER_DEV}" - -fi - -while [ "${REMAINING}" -gt 0 ]; do - - if [ -b "${CDLB_MAPPER_DEV}" ]; then - - break - - fi - - sleep 1 - - REMAINING=$((REMAINING - 1)) - -done - -if [ ! -b "${CDLB_MAPPER_DEV}" ]; then - - printf "\e[91m[WARN] CISS LUKS decryption : Timeout LUKS mapper [%s] not present after %s seconds. 
\n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_REMOTE_WAIT_SECS}" - kill "${PID_PROMPT}" 2>/dev/null || true - kill "${PID_BROKER}" 2>/dev/null || true - rm -f /lib/cryptsetup/passfifo 2>/dev/null || true - exit 42 - -fi - -kill "${PID_PROMPT}" 2>/dev/null || true -wait "${PID_BROKER}" 2>/dev/null || true -rm -f /lib/cryptsetup/passfifo 2>/dev/null || true - -printf "\e[92m[INFO] CISS LUKS decryption : [%s] is now present.\n\e[0m" "${CDLB_MAPPER_DEV}" - -### Mount the decrypted root device to use as the PLAIN_ROOT artifact in '9990-main.sh'. --------------------------------------- -if ! mount -t squashfs -o ro "${CDLB_MAPPER_DEV}" "${CDLB_LUKS_ROOTFS_MNT}"; then - - log "Failed to mount SquashFS from [${CDLB_MAPPER_DEV}] on [${CDLB_LUKS_ROOTFS_MNT}]" - printf "\e[91m[WARN] CISS LUKS decryption : SquashFS mount failed: [%s] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_LUKS_ROOTFS_MNT}" - exit 42 - -else - - printf "\e[92m[INFO] CISS LUKS decryption : Mounted SquashFS: [%s] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_LUKS_ROOTFS_MNT}" - -fi - -### Expose the decrypted root device for live-boot overlay. The live-boot components will pick this up in '9990-overlay.sh'. 
--- -cat << EOF >| /run/ciss-rootdev -export CDLB_ISO_LABEL=${CDLB_ISO_LABEL} -export CDLB_LUKS_FS=${CDLB_LUKS_FS} -export CDLB_MAPPER_NAME=${CDLB_MAPPER_NAME} -export CDLB_MAPPER_DEV=${CDLB_MAPPER_DEV} -export CDLB_LUKS_ROOTFS_MNT=${CDLB_LUKS_ROOTFS_MNT} -MNT_MEDIUM="/run/live/medium" -MNT_ROOTFS="/run/live/rootfs" -EOF - -chmod 0644 /run/ciss-rootdev 2>/dev/null || true -export CISS_ROOT_DEV="${CDLB_MAPPER_DEV}" -export CISS_ROOT_DIR="" - -# TODO: Remove Debug -if [ -e /conf/param.conf ]; then - printf "\e[92m[INFO] CISS LUKS decryption : Printing existing [/conf/param.conf] \n\e[0m" - cat /conf/param.conf >/dev/console 2>&1 || : - { - printf '\n' - printf 'PLAIN_ROOT=1\n' - printf 'ROOT=%s\n' "${MNT_ROOTFS}" - } >> /conf/param.conf 2>/dev/null || true -else - printf "\e[92m[INFO] CISS LUKS decryption : Not existing [/conf/param.conf] \n\e[0m" - { - printf '\n' - printf 'PLAIN_ROOT=1\n' - printf 'ROOT=%s\n' "${MNT_ROOTFS}" - } >| /conf/param.conf 2>/dev/null || true -fi - -printf "\e[92m[INFO] CISS LUKS decryption : Final state [/conf/param.conf] \n\e[0m" -cat /conf/param.conf >/dev/console 2>&1 || : - -log "Decrypted root device exposed at [/run/ciss-rootdev] -> [${CDLB_MAPPER_DEV}]" -printf "\e[92m[INFO] CISS LUKS decryption : Decrypted root device exposed at: [/run/ciss-rootdev] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}" - -### Final sanity check. -------------------------------------------------------------------------------------------------------- -if [ ! -b "${CDLB_MAPPER_DEV}" ]; then - - log "Failed to unlock encrypted root [${CDLB_LUKS_FS}] via dropbear and console." - printf "\e[91m[WARN] Failed unlock : [%s] via dropbear and console. \n\e[0m" "${CDLB_LUKS_FS}" - exit 42 - -fi - -eval "${_SAVED_SET_OPTS}" - -printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/0024-ciss-crypt-squash] \n\e[0m" - -# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh 
diff --git a/.archive/0026-ciss-early-sysctl b/.archive/0026-ciss-early-sysctl
deleted file mode 100644
index cfaf2f6..0000000
--- a/.archive/0026-ciss-early-sysctl
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/bin/sh
-# bashsupport disable=BP5007
-# shellcheck disable=SC2249
-# shellcheck shell=sh
-
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.;
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-# Purpose: Enforce early sysctls before services start.
-# Phase : premount (executed by live-boot inside the initramfs).
-
-_SAVED_SET_OPTS="$(set +o)"
-
-set -eu
-
-printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] \n\e[0m"
-
-echo 2 > /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true
-echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || true
-echo 0 > /proc/sys/fs/suid_dumpable 2>/dev/null || true
-echo 1 > /proc/sys/kernel/kexec_load_disabled 2>/dev/null || true
-echo 1 > /proc/sys/fs/protected_symlinks 2>/dev/null || true
-echo 1 > /proc/sys/fs/protected_hardlinks 2>/dev/null || true
-echo 2 > /proc/sys/fs/protected_regular 2>/dev/null || true
-echo 2 > /proc/sys/kernel/kptr_restrict 2>/dev/null || true
-
-eval "${_SAVED_SET_OPTS}"
-
-printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] \n\e[0m"
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/.archive/0030-ciss-verify-checksums b/.archive/0030-ciss-verify-checksums
deleted file mode 100644
index 32b9f03..0000000
--- a/.archive/0030-ciss-verify-checksums
+++ /dev/null
@@ -1,335 +0,0 @@ -#!/bin/sh -# bashsupport disable=BP5007 -# shellcheck disable=SC2249 -# shellcheck shell=sh - -# SPDX-Version: 3.0 -# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; -# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git -# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency -# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; -# SPDX-FileType: SOURCE -# SPDX-License-Identifier: GPL-3.0-or-later -# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. -# SPDX-PackageName: CISS.debian.live.builder -# SPDX-Security-Contact: security@coresecret.eu - -### Modified Version of the original file: -### https://salsa.debian.org/live-team/live-boot 'components/0030-ciss-verify-checksums' -### In case of successful verification of the offered checksum, proceed with booting; otherwise panic. - -####################################### -# Modified checksum-integrity and authenticity-verification-script depending on pinned GPG FPR for boot process verification. -# Globals: -# LIVE_BOOT_CMDLINE -# _TTY -# Arguments: -# 1: _MOUNTPOINT -# Returns: -# 0 : Successful verification -####################################### -Verify_checksums() { - printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0030-ciss-verify-checksums] \n\e[0m" - - ### Declare variables -------------------------------------------------------------------------------------------------------- - - ### Will be replaced at build time: - export CDLB_EXP_FPR="@EXP_FPR@" - export CDLB_EXP_CA_FPR="@EXP_CA_FPR@" - - ### Declare functions -------------------------------------------------------------------------------------------------------- - - ####################################### - # Helper for colored text output on stdout. 
- # Globals: - # None - # Arguments: - # *: String to print - ####################################### - log_in() { printf '\e[95m[INFO] %s \n\e[0m' "$*"; } - - - ####################################### - # Helper for colored text output on stdout. - # Globals: - # None - # Arguments: - # *: String to print - ####################################### - log_ok() { printf '\e[92m[INFO] %s \n\e[0m' "$*"; } - - ####################################### - # Helper for colored text output on stdout. - # Globals: - # None - # Arguments: - # *: String to print - ####################################### - log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; } - - _MOUNTPOINT="${1}" - - _PARAMETER="" - - _TTY="/dev/tty8" - - LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}" - - LIVE_VERIFY_CHECKSUMS_SIGNATURES="false" - - _KEYFILE="" - - _MP="" - - ### Parse commandline arguments ---------------------------------------------------------------------------------------------- - for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do - - case "${_PARAMETER}" in - - live-boot.verify-checksums=* | verify-checksums=*) - - LIVE_VERIFY_CHECKSUMS="true" - LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}" - ;; - - live-boot.verify-checksums | verify-checksums) - - LIVE_VERIFY_CHECKSUMS="true" - ;; - - live-boot.verify-checksums-signatures | verify-checksums-signatures) - - LIVE_VERIFY_CHECKSUMS_SIGNATURES="true" - ;; - - esac - - done - - ### Check if the function should be skipped ---------------------------------------------------------------------------------- - case "${LIVE_VERIFY_CHECKSUMS}" in - - true) - : - ;; - - *) - return 0 - ;; - - esac - - ### Check GPG pubkey file correct path --------------------------------------------------------------------------------------- - for _MP in /lib/live/mount/medium /run/live/medium /cdrom /; do - - if [ -e "${_MP}/${CDLB_EXP_FPR}.gpg" ]; then - - _KEYFILE="${_MP}/${CDLB_EXP_FPR}.gpg" - - if [ -e 
"${_MP}/${CDLB_EXP_CA_FPR}.gpg" ]; then - - _CA_KEYFILE="${_MP}/${CDLB_EXP_CA_FPR}.gpg" - - fi - - break - - fi - - done - - # shellcheck disable=SC2164 - cd "${_MOUNTPOINT}" - - - ### CDLB verification of script integrity itself ----------------------------------------------------------------------------- - if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then - - log_begin_msg "Verifying integrity of: [0030-ciss-verify-checksums]" - printf "\n" - - _CAND="" - CDLB_SCRIPT_SELF="" CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_SIG_FILE="" - - CDLB_CMD="/usr/bin/sha512sum" - CDLB_SHA="sha512" - - for _CAND in /scripts/live-bottom/0030-ciss-verify-checksums /usr/lib/live/boot/0030-ciss-verify-checksums ; do - - [ -e "${_CAND}" ] && { CDLB_SCRIPT_SELF="${_CAND}"; break; } - - done - - CDLB_SCRIPT_FILE="${CDLB_SCRIPT_SELF##*/}" - CDLB_SCRIPT_PATH="${CDLB_SCRIPT_SELF%/*}" - CDLB_SCRIPT_FULL="${CDLB_SCRIPT_PATH%/}/${CDLB_SCRIPT_FILE}" - CDLB_HASHFILE="/etc/ciss/hashes/${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt" - CDLB_SIG_FILE="${CDLB_HASHFILE}.sig" - - _STATUS="$(/usr/bin/gpgv --no-default-keyring --keyring "${_KEYFILE}" --status-fd 1 --verify "${CDLB_SIG_FILE}" "${CDLB_SCRIPT_FULL}" 2>/dev/null)" - - _CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')" - - ### Compare against pinned and expected fingerprint. - if [ "${_CDLB_SIG_FILE_FPR}" = "${CDLB_EXP_FPR}" ]; then - - log_ok "Signature FPR valid: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]" - - else - - log_er "Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]" - sleep 8 - panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]." - - fi - - ### Script self-integrity and authenticity checks -------------------------------------------------------------------------- - ### Assumption: initramfs itself is not altered. 
- log_in "Verifying signature of: [${CDLB_SIG_FILE}] ..." - - if ! /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then - - log_er "Verifying signature of: [${CDLB_SIG_FILE}] failed." - sleep 8 - panic "[FATAL] Verifying signature of: [${CDLB_SIG_FILE}] failed." - - else - - log_ok "Verifying signature of: [${CDLB_SIG_FILE}] successful." - - fi - - log_in "Recomputing hash for: [${CDLB_SHA}] ..." - - CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT_FULL}" | { read -r first _ || exit 1; printf '%s\n' "${first}"; }) - IFS=' ' read -r CDLB_EXPECTED _ < "${CDLB_HASHFILE}" - - if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then - - log_er "Recomputing hash for: [${CDLB_SHA}] failed." - sleep 8 - panic "[FATAL] Recomputing hash for: [${CDLB_SHA}] failed." - - fi - - log_ok "Recomputing hash for: [${CDLB_SHA}] successful." - log_ok "Verification of authenticity and integrity of [${CDLB_SCRIPT_FULL}] successfully completed." - log_end_msg - printf "\n" - - fi - - ### Checksum and checksum signature verification ----------------------------------------------------------------------------- - log_begin_msg "Verifying checksums" - printf "\n" - log_in "Verifying checksums ..." - - # shellcheck disable=SC2001 - for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do - - # shellcheck disable=SC2060 - _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt" - - for _CHECKSUM in ${_CHECKSUMS}; do - - if [ -e "${_CHECKSUM}" ]; then - - log_in "Found: [${_CHECKSUM}] ..." - - if [ -e "/usr/bin/${_DIGEST}sum" ]; then - - log_in "Found: [/usr/bin/${_DIGEST}sum] ..." - - if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then - - log_in "Checking signature of: [${_CHECKSUM}] ..." 
- - _CHECKSUM_SIGNATURE="${_CHECKSUM}.sig" - - if /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"; then - - _RETURN_PGP="${?}" - log_in "Checking signature of: [${_CHECKSUM}] successful." - - else - - _RETURN_PGP="${?}" - log_er "Checking signature of: [${_CHECKSUM}] failed." - - fi - - else - - _RETURN_PGP="na" - - fi - - # shellcheck disable=SC2312 - if grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_TTY}"; then - - _RETURN_SHA="${?}" - log_ok "Found: [/usr/bin/${_DIGEST}sum] successful verified: [${_CHECKSUM}]" - - else - - _RETURN_SHA="${?}" - log_er "Found: [/usr/bin/${_DIGEST}sum] unsuccessful verified: [${_CHECKSUM}]" - - fi - - # Stop after the first verification. - break 2 - - else - - _RETURN_SHA="255" - log_er "NOT Found [/usr/bin/${_DIGEST}sum]." - - fi - - fi - - done - - done - - log_end_msg - printf "\n" - - case "${_RETURN_PGP},${_RETURN_SHA}" in - - "0,0") - log_ok "Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds." - log_success_msg "Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds." - sleep 8 - return 0 - ;; - - "na,0") - log_ok "Verification of [sha checksum] file successful; continuing booting in 8 seconds." - log_success_msg "Verification of [sha checksum] file successful; continuing booting in 8 seconds." - sleep 8 - return 0 - ;; - - "0,"*) - log_er "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed." - sleep 8 - panic "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed." - ;; - - *",0") - log_er "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful." - sleep 8 - panic "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful." - ;; - - "na,"*) - log_er "Verification of [sha checksum] file failed." 
- sleep 8 - panic "Verification of [sha checksum] file failed." - ;; - - esac -} -# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/.archive/9990-main.sh b/.archive/9990-main.sh deleted file mode 100644 index 5cf59b1..0000000 --- a/.archive/9990-main.sh +++ /dev/null 
@@ -1,259 +0,0 @@ -#!/bin/sh -# bashsupport disable=BP5007 -# shellcheck disable=SC2249 -# shellcheck shell=sh - -# SPDX-Version: 3.0 -# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; -# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git -# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency -# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; -# SPDX-FileType: SOURCE -# SPDX-License-Identifier: GPL-3.0-or-later -# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. -# SPDX-PackageName: CISS.debian.live.builder -# SPDX-Security-Contact: security@coresecret.eu - -### Modified Version of the original file: -### https://salsa.debian.org/live-team/live-boot 'components/9990-main.shh' -### Change behavior to mount already opened ciss_rootfs.crypt (0024-ciss-crypt-squash). - -# set -e - -printf "\e[95m[INFO] Sourcing : [/usr/lib/live/boot/9990-main.sh] \n\e[0m" - -Live () -{ - printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/9990-main.sh] \n\e[0m" - - if [ -x /scripts/local-top/cryptroot ] - then - /scripts/local-top/cryptroot - fi - - exec 6>&1 - exec 7>&2 - exec > boot.log - exec 2>&1 - tail -f boot.log >&7 & - tailpid="${!}" - - # shellcheck disable=SC2034 - LIVE_BOOT_CMDLINE="${LIVE_BOOT_CMDLINE:-$(cat /proc/cmdline)}" - Cmdline_old - - Debug - - Read_only - - Select_eth_device - - if [ -e /conf/param.conf ] - then - . /conf/param.conf - fi - - # Needed here too because some things (*cough* udev *cough*) - # change the timeout - - printf "\e[93m[DEBUG] live(): Before do_netmount() pp. 
\e[0m\n" - if [ -n "${NETBOOT}" ] || [ -n "${FETCH}" ] || [ -n "${HTTPFS}" ] || [ -n "${FTPFS}" ] - then - if do_netmount - then - printf "\e[93m[DEBUG] live(): [livefs_root=%s] \e[0m\n" "${mountpoint?}" - livefs_root="${mountpoint?}" - else - panic "Unable to find a live file system on the network" - fi - else - if [ -n "${ISCSI_PORTAL}" ] - then - printf "\e[93m[DEBUG] live(): [do_iscsi && livefs_root=%s] \e[0m\n" "${mountpoint?}" - do_iscsi && livefs_root="${mountpoint}" - elif [ -n "${PLAIN_ROOT}" ] && [ -n "${ROOT}" ] - then - # Do a local boot from hd - printf "\e[93m[DEBUG] live(): Do a local boot from hd [livefs_root=%s] \e[0m\n" "${ROOT?}" - livefs_root=${ROOT} - else - printf "\e[93m[DEBUG] live(): [Setup_Memdisk] starting ... \e[0m\n" - Setup_Memdisk - printf "\e[93m[DEBUG] live(): [Setup_Memdisk] finished. \e[0m\n" - - # If the live media location is given via command line and access to it - # involves LVM volumes, the corresponding volumes need to be activated. - IFS=',' - # shellcheck disable=SC2116 - for dev in $(echo "${LIVE_MEDIA}") - do - printf "\e[93m[DEBUG] live(): [%s] -> dev \e[0m\n" "${dev}" - case "${dev}" in - /dev/mapper/*) - # shellcheck disable=SC2046,SC2312 - eval $(dmsetup splitname --nameprefixes --noheadings --rows "${dev#/dev/mapper/}") - # shellcheck disable=SC2244 - if [ "${DM_VG_NAME}" ] && [ "${DM_LV_NAME}" ] - then - lvm lvchange -aay -y --sysinit --ignoreskippedcluster "${DM_VG_NAME}/${DM_LV_NAME}" - fi - ;; - /dev/*/*) - # Could be /dev/VG/LV; use lvs to check - if lvm lvs -- "${dev}" >/dev/null 2>&1 - then - lvm lvchange -aay -y --sysinit --ignoreskippedcluster "${dev}" - fi - ;; - esac - done - unset IFS - - # Scan local devices for the image - i=0 - while [ "${i}" -lt 60 ] - do - # shellcheck disable=SC2086 - livefs_root=$(find_livefs ${i}) - - if [ -n "${livefs_root}" ] - then - break - fi - - sleep 1 - i=$((i + 1)) - done - fi - fi - - printf "\e[93m[DEBUG] live(): [%s] -> livefs_root. 
\e[0m\n" "${livefs_root}" - if [ -z "${livefs_root}" ] - then - panic "Unable to find a medium containing a live file system" - fi - - printf "\e[93m[DEBUG] live(): Before [Verify_checksums %s] \e[0m\n" "${livefs_root}" - Verify_checksums "${livefs_root}" - - # shellcheck disable=SC2244 - if [ "${TORAM}" ] - then - live_dest="ram" - elif [ "${TODISK}" ] - then - live_dest="${TODISK}" - fi - - # shellcheck disable=SC2244 - if [ "${live_dest}" ] - then - log_begin_msg "Copying live media to ${live_dest}" - copy_live_to "${livefs_root}" "${live_dest}" - log_end_msg - fi - - # if we do not unmount the ISO, we can't run "fsck /dev/ice" later on - # because the mountpoint is left behind in /proc/mounts, so let's get - # rid of it when running from RAM - # shellcheck disable=SC2244 - if [ -n "${FROMISO}" ] && [ "${TORAM}" ] - then - losetup -d /dev/loop0 - - if is_mountpoint /run/live/fromiso - then - umount /run/live/fromiso - rmdir --ignore-fail-on-non-empty /run/live/fromiso \ - >/dev/null 2>&1 || true - fi - fi - - printf "\e[93m[DBG] Live(): before overlay, live_dest=%s \e[0m\n" "${live_dest:-}" - printf "\e[93m[DBG] Live(): MODULETORAMFILE=%s PLAIN_ROOT=%s \e[0m\n" "${MODULETORAMFILE}" "${PLAIN_ROOT}" - if [ -n "${MODULETORAMFILE}" ] || [ -n "${PLAIN_ROOT}" ] - then - printf "\e[93m[DBG] Live(): setup_unionfs livefs_root=%s rootmnt=%s \e[0m\n" "${livefs_root}" "${rootmnt?}" - setup_unionfs "${livefs_root}" "${rootmnt?}" - else - mac="$(get_mac)" - mac="$(echo "${mac}" | sed 's/-//g')" - printf "\e[93m[DBG] Live(): mount_images_in_directory livefs_root=%s rootmnt=%s mac=%s \e[0m\n" "${livefs_root}" "${rootmnt}" "${mac}" - mount_images_in_directory "${livefs_root}" "${rootmnt}" "${mac}" - fi - - if [ -n "${ROOT_PID}" ] - then - echo "${ROOT_PID}" > "${rootmnt}"/lib/live/root.pid - fi - - log_end_msg - - # aufs2 in kernel versions around 2.6.33 has a regression: - # directories can't be accessed when read for the first time, - # causing a failure, for example, when 
accessing /var/lib/fai - # when booting FAI, this simple workaround solves it - ls /root/* >/dev/null 2>&1 - - # if we do not unmount the ISO, we can't run "fsck /dev/ice" later on - # because the mountpoint is left behind in /proc/mounts, so let's get - # rid of it when running from RAM - # shellcheck disable=SC2244 - if [ -n "${FINDISO}" ] && [ "${TORAM}" ] - then - losetup -d /dev/loop0 - - if is_mountpoint /run/live/findiso - then - umount /run/live/findiso - rmdir --ignore-fail-on-non-empty /run/live/findiso \ - >/dev/null 2>&1 || true - fi - fi - - if [ -f /etc/hostname ] && ! grep -E -q -v '^[[:space:]]*(#|$)' "${rootmnt}/etc/hostname" - then - log_begin_msg "Copying /etc/hostname to ${rootmnt}/etc/hostname" - cp -v /etc/hostname "${rootmnt}/etc/hostname" - log_end_msg - fi - - if [ -f /etc/hosts ] && ! grep -E -q -v '^[[:space:]]*(#|$|(127.0.0.1|::1|ff02::[12])[[:space:]])' "${rootmnt}/etc/hosts" - then - log_begin_msg "Copying /etc/hosts to ${rootmnt}/etc/hosts" - cp -v /etc/hosts "${rootmnt}/etc/hosts" - log_end_msg - fi - - if [ -L /root/etc/resolv.conf ] ; then - # assume we have resolvconf - DNSFILE="${rootmnt}/etc/resolvconf/resolv.conf.d/base" - else - DNSFILE="${rootmnt}/etc/resolv.conf" - fi - if [ -f /etc/resolv.conf ] && ! grep -E -q -v '^[[:space:]]*(#|$)' "${DNSFILE}" - then - log_begin_msg "Copying /etc/resolv.conf to ${DNSFILE}" - cp -v /etc/resolv.conf "${DNSFILE}" - log_end_msg - fi - - if ! [ -d "/lib/live/boot" ] - then - panic "A wrong rootfs was mounted." - fi - - Fstab - Netbase - - Swap - - exec 1>&6 6>&- - exec 2>&7 7>&- - kill "${tailpid}" - [ -w "${rootmnt}/var/log/" ] && mkdir -p "${rootmnt}/var/log/live" && ( \ - cp boot.log "${rootmnt}/var/log/live" 2>/dev/null; \ - cp fsck.log "${rootmnt}/var/log/live" 2>/dev/null ) - - printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/9990-main.sh] ... \n\e[0m" -} diff --git a/.archive/9990-overlay.sh b/.archive/9990-overlay.sh deleted file mode 100644 index f336d4b..0000000 
--- a/.archive/9990-overlay.sh
+++ /dev/null
@@ -1,499 +0,0 @@ -#!/bin/sh -# bashsupport disable=BP5007 -# shellcheck disable=SC2249 -# shellcheck shell=sh - -# SPDX-Version: 3.0 -# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; -# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git -# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency -# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; -# SPDX-FileType: SOURCE -# SPDX-License-Identifier: GPL-3.0-or-later -# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. -# SPDX-PackageName: CISS.debian.live.builder -# SPDX-Security-Contact: security@coresecret.eu - -### Modified Version of the original file: -### https://salsa.debian.org/live-team/live-boot 'components/9990-overlay.sh' -### Change behavior to mount already opened ciss_rootfs.crypt (0024-ciss-crypt-squash). - -#set -e - -printf "\e[95m[INFO] Sourcing : [/usr/lib/live/boot/9990-overlay.sh] \n\e[0m" - -setup_unionfs () -{ - printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/9990-overlay.sh] \n\e[0m" - - image_directory="${1}" - rootmnt="${2}" - addimage_directory="${3}" - - ### CISS hook: allow explicit root override ---------------------------------------------------------------------------------- - if [ -z "${CISS_ROOT_DEV:-}" ] && [ -r /run/ciss-rootdev ]; then - - CISS_ROOT_DEV=$(cat /run/ciss-rootdev 2>/dev/null || printf '') - - fi - - if [ -n "${CISS_ROOT_DEV:-}" ]; then - - ### Treat the decrypted block device as plain root (e.g., squashfs on LUKS). - PLAIN_ROOT=1 - image_directory="${CISS_ROOT_DEV}" - - elif [ -n "${CISS_ROOT_DIR:-}" ]; then - - ### Alternative: explicitly provided root directory. - PLAIN_ROOT=1 - image_directory="${CISS_ROOT_DIR}" - - fi - ### -------------------------------------------------------------------------------------------------------------------------- - - # shellcheck disable=SC2086 - modprobe -q -b ${UNIONTYPE} - - if ! 
cut -f2 /proc/filesystems | grep -q "^${UNIONTYPE}\$" - then - panic "${UNIONTYPE} not available." - fi - - croot="/run/live/rootfs" - - # Let's just mount the read-only file systems first - rootfslist="" - - if [ -z "${PLAIN_ROOT}" ] - then - # Read image names from ${MODULE}.module if it exists - # shellcheck disable=SC2153 - if [ -e "${image_directory}/filesystem.${MODULE}.module" ] - then - # shellcheck disable=SC2013,SC2086 - for IMAGE in $(cat ${image_directory}/filesystem.${MODULE}.module) - do - image_string="${image_string} ${image_directory}/${IMAGE}" - done - elif [ -e "${image_directory}/${MODULE}.module" ] - then - # shellcheck disable=SC2013,SC2086 - for IMAGE in $(cat ${image_directory}/${MODULE}.module) - do - image_string="${image_string} ${image_directory}/${IMAGE}" - done - else - # ${MODULE}.module does not exist, create a list of images - for FILESYSTEM in squashfs ext2 ext3 ext4 xfs jffs2 dir - do - for IMAGE in "${image_directory}"/*."${FILESYSTEM}" - do - if [ -e "${IMAGE}" ] - then - image_string="${image_string} ${IMAGE}" - fi - done - done - - if [ -n "${addimage_directory}" ] && [ -d "${addimage_directory}" ] - then - for FILESYSTEM in squashfs ext2 ext3 ext4 xfs jffs2 dir - do - for IMAGE in "${addimage_directory}"/*."${FILESYSTEM}" - do - if [ -e "${IMAGE}" ] - then - image_string="${image_string} ${IMAGE}" - fi - done - done - fi - - # Now sort the list - # shellcheck disable=SC2086 - image_string="$(echo ${image_string} | sed -e 's/ /\n/g' | sort )" - fi - - # shellcheck disable=SC2086 - [ -n "${MODULETORAMFILE}" ] && image_string="${image_directory}/$(basename ${MODULETORAMFILE})" - - mkdir -p "${croot}" - - for image in ${image_string} - do - imagename=$(basename "${image}") - - export image devname - maybe_break live-realpremount - log_begin_msg "Running /scripts/live-realpremount" - run_scripts /scripts/live-realpremount - log_end_msg - - if [ -d "${image}" ] - then - # It is a plain directory: do nothing - rootfslist="${image} 
${rootfslist}" - elif [ -f "${image}" ] - then - if losetup --help 2>&1 | grep -q -- "-r\b" - then - backdev=$(get_backing_device "${image}" "-r") - else - backdev=$(get_backing_device "${image}") - fi - fstype=$(get_fstype "${backdev}") - - case "${fstype}" in - unknown) - panic "Unknown file system type on ${backdev} (${image})" - ;; - - "") - fstype="${imagename##*.}" - log_warning_msg "Unknown file system type on ${backdev} (${image}), assuming ${fstype}." - ;; - esac - - mpoint=$(trim_path "${croot}/${imagename}") - rootfslist="${mpoint} ${rootfslist}" - mount_options="" - - # Setup dm-verity support if a device has it supported - hash_device="${image}.verity" - # shellcheck disable=SC2086 - if [ -f ${hash_device} ] - then - log_begin_msg "Start parsing dm-verity options for ${image}" - backdev_roothash=$(get_backing_device ${hash_device}) - verity_mount_options="-o verity.hashdevice=${backdev_roothash}" - root_hash=$(get_dm_verity_hash ${imagename} ${DM_VERITY_ROOT_HASH}) - valid_config="true" - case $(mount --version) in - *verity*) - ;; - *) - valid_config="false" - log_warning_msg "mount does not have support for dm-verity. 
Ignoring mount options" - ;; - esac - if [ -n "${root_hash}" ] - then - verity_mount_options="${verity_mount_options} -o verity.roothash=${root_hash}" - # Check if the root hash is saved on disk - elif [ -f "${image}.roothash" ] - then - verity_mount_options="${verity_mount_options} -o verity.roothashfile=${image}.roothash" - else - valid_config="false" - log_warning_msg "'${image}' has a dm-verity hash table, but no root hash was specified ignoring" - fi - - fec="${image}.fec" - fec_roots="${image}.fec.roots" - if [ -f ${fec} ] && [ -f ${fec_roots} ] - then - backdev_fec=$(get_backing_device ${fec}) - roots=$(cat ${fec_roots}) - verity_mount_options="${verity_mount_options} -o verity.fecdevice=${backdev_fec} -o verity.fecroots=${roots}" - fi - - signature="${image}.roothash.p7s" - if [ -f "${signature}" ] - then - verity_mount_options="${verity_mount_options} -o verity.roothashsig=${signature}" - elif [ "${DM_VERITY_ENFORCE_ROOT_HASH_SIG}" = "true" ] - then - panic "dm-verity signature checking was enforced but no signature could be found for ${image}!" - fi - - - if [ -n "${DM_VERITY_ONCORRUPTION}" ] - then - if is_in_space_sep_list "${DM_VERITY_ONCORRUPTION}" "ignore panic restart" - then - verity_mount_options="${verity_mount_options} -o verity.oncorruption=${DM_VERITY_ONCORRUPTION}" - else - log_warning_msg "For dm-verity on corruption '${DM_VERITY_ONCORRUPTION}' was specified, but only ignore, panic or restart are supported!" 
- log_warning_msg "Ignoring setting" - fi - fi - if [ "${valid_config}" = "true" ] - then - mount_options="${mount_options} ${verity_mount_options}" - fi - log_end_msg "Finished parsing dm-verity options for ${image}" - fi - - mkdir -p "${mpoint}" - log_begin_msg "Mounting \"${image}\" on \"${mpoint}\" via \"${backdev}\"" - # shellcheck disable=SC2086 - mount -t "${fstype}" -o ro,noatime ${mount_options} "${backdev}" "${mpoint}" || panic "Can not mount ${backdev} (${image}) on ${mpoint}" - log_end_msg - else - log_warning_msg "Could not find image '${image}'. Most likely it is listed in a .module file, perhaps by mistake." - fi - done - else - # We have a plain root system - mkdir -p "${croot}/filesystem" - log_begin_msg "Mounting \"${image_directory}\" on \"${croot}/filesystem\"" - # shellcheck disable=SC2046,SC2312 - mount -t $(get_fstype "${image_directory}") -o ro,noatime "${image_directory}" "${croot}/filesystem" || \ - panic "Can not mount ${image_directory} on ${croot}/filesystem" && \ - rootfslist="${croot}/filesystem ${rootfslist}" - # Probably broken: - # shellcheck disable=SC2086,SC2250 - mount -o bind ${croot}/filesystem $mountpoint - log_end_msg - fi - - # tmpfs file systems - touch /etc/fstab - mkdir -p /run/live/overlay - - # Looking for persistence devices or files - if [ -n "${PERSISTENCE}" ] && [ -z "${NOPERSISTENCE}" ] - then - - if [ -z "${QUICKUSBMODULES}" ] - then - # Load USB modules - # shellcheck disable=SC2012 - num_block=$(ls -l /sys/block | wc -l) - for module in sd_mod uhci-hcd ehci-hcd ohci-hcd usb-storage - do - # shellcheck disable=SC2086 - modprobe -q -b ${module} - done - - udevadm trigger - udevadm settle - - # For some reason, udevsettle does not block in this scenario, - # so we sleep for a little while. 
- # - # See https://bugs.launchpad.net/ubuntu/+source/casper/+bug/84591 - # shellcheck disable=SC2034 - for timeout in 5 4 3 2 1 - do - sleep 1 - - # shellcheck disable=SC2012,SC2046,SC2086,SC2312 - if [ $(ls -l /sys/block | wc -l) -gt ${num_block} ] - then - break - fi - done - fi - - # shellcheck disable=SC3043 - local whitelistdev - whitelistdev="" - if [ -n "${PERSISTENCE_MEDIA}" ] - then - case "${PERSISTENCE_MEDIA}" in - removable) - whitelistdev="$(removable_dev)" - ;; - - removable-usb) - whitelistdev="$(removable_usb_dev)" - ;; - esac - if [ -z "${whitelistdev}" ] - then - whitelistdev="ignore_all_devices" - fi - fi - - # shellcheck disable=SC2086 - if is_in_comma_sep_list overlay ${PERSISTENCE_METHOD} - then - overlays="${custom_overlay_label}" - fi - - # shellcheck disable=SC3043 - local overlay_devices - overlay_devices="" - if [ "${whitelistdev}" != "ignore_all_devices" ] - then - for media in $(find_persistence_media "${overlays}" "${whitelistdev}") - do - # shellcheck disable=SC2086 - media="$(echo ${media} | tr ":" " ")" - - for overlay_label in ${custom_overlay_label} - do - case ${media} in - ${overlay_label}=*) - device="${media#*=}" - overlay_devices="${overlay_devices} ${device}" - ;; - esac - done - done - fi - elif [ -n "${NFS_COW}" ] && [ -z "${NOPERSISTENCE}" ] - then - # Check if there are any nfs options - # shellcheck disable=SC2086 - if echo ${NFS_COW} | grep -q ',' - then - # shellcheck disable=SC2086 - nfs_cow_opts="-o nolock,$(echo ${NFS_COW}|cut -d, -f2-)" - nfs_cow=$(echo ${NFS_COW}|cut -d, -f1) - else - nfs_cow_opts="-o nolock" - nfs_cow=${NFS_COW} - fi - - if [ -n "${PERSISTENCE_READONLY}" ] - then - nfs_cow_opts="${nfs_cow_opts},nocto,ro" - fi - - mac="$(get_mac)" - if [ -n "${mac}" ] - then - # shellcheck disable=SC2086 - cowdevice=$(echo ${nfs_cow} | sed "s/client_mac_address/${mac}/") - cow_fstype="nfs" - else - panic "unable to determine mac address" - fi - fi - - if [ -z "${cowdevice}" ] - then - cowdevice="tmpfs" - 
cow_fstype="tmpfs" - cow_mountopt="rw,noatime,mode=755,size=${OVERLAY_SIZE:-50%}" - fi - - if [ -n "${PERSISTENCE_READONLY}" ] && [ "${cowdevice}" != "tmpfs" ] - then - # shellcheck disable=SC2086 - mount -t tmpfs -o rw,noatime,mode=755,size=${OVERLAY_SIZE:-50%} tmpfs "/run/live/overlay" - # shellcheck disable=SC2086 - root_backing="/run/live/persistence/$(basename ${cowdevice})-root" - # shellcheck disable=SC2086 - mkdir -p ${root_backing} - else - root_backing="/run/live/overlay" - fi - - if [ "${cow_fstype}" = "nfs" ] - then - log_begin_msg \ - "Trying nfsmount ${nfs_cow_opts} ${cowdevice} ${root_backing}" - # shellcheck disable=SC2086 - nfsmount ${nfs_cow_opts} ${cowdevice} ${root_backing} || \ - panic "Can not mount ${cowdevice} (n: ${cow_fstype}) on ${root_backing}" - else - # shellcheck disable=SC2086 - mount -t ${cow_fstype} -o ${cow_mountopt} ${cowdevice} ${root_backing} || \ - panic "Can not mount ${cowdevice} (o: ${cow_fstype}) on ${root_backing}" - fi - - # shellcheck disable=SC2086 - rootfscount=$(echo ${rootfslist} |wc -w) - - rootfs=${rootfslist%% } - - if [ -n "${EXPOSED_ROOT}" ] - then - # shellcheck disable=SC2086 - if [ ${rootfscount} -ne 1 ] - then - panic "only one RO file system supported with exposedroot: ${rootfslist}" - fi - - # shellcheck disable=SC2086 - mount -o bind ${rootfs} ${rootmnt} || \ - panic "bind mount of ${rootfs} failed" - - if [ -z "${SKIP_UNION_MOUNTS}" ] - then - cow_dirs='/var/tmp /var/lock /var/run /var/log /var/spool /home /var/lib/live' - else - cow_dirs='' - fi - else - cow_dirs="/" - fi - - for dir in ${cow_dirs}; do - unionmountpoint=$(trim_path "${rootmnt}${dir}") - # shellcheck disable=SC2086 - mkdir -p ${unionmountpoint} - cow_dir=$(trim_path "/run/live/overlay${dir}") - rootfs_dir="${rootfs}${dir}" - # shellcheck disable=SC2086 - mkdir -p ${cow_dir} - if [ -n "${PERSISTENCE_READONLY}" ] && [ "${cowdevice}" != "tmpfs" ] - then - # shellcheck disable=SC2086 - do_union ${unionmountpoint} ${cow_dir} ${root_backing} 
${rootfs_dir} - else - # shellcheck disable=SC2086 - do_union ${unionmountpoint} ${cow_dir} ${rootfs_dir} - fi || panic "mount ${UNIONTYPE} on ${unionmountpoint} failed with option ${unionmountopts}" - done - - # Remove persistence depending on boot parameter - Remove_persistence - - # Correct the permissions of /: - chmod 0755 "${rootmnt}" - - # Correct the permission of /tmp: - if [ -d "${rootmnt}/tmp" ] - then - chmod 1777 "${rootmnt}"/tmp - fi - - # Correct the permission of /var/tmp: - if [ -d "${rootmnt}/var/tmp" ] - then - chmod 1777 "${rootmnt}"/var/tmp - fi - - # Adding custom persistence - if [ -n "${PERSISTENCE}" ] && [ -z "${NOPERSISTENCE}" ] - then - # shellcheck disable=SC3043 - local custom_mounts - custom_mounts="/tmp/custom_mounts.list" - # shellcheck disable=SC2086 - rm -f ${custom_mounts} - - # Gather information about custom mounts from devices detected as overlays - # shellcheck disable=SC2086 - get_custom_mounts ${custom_mounts} ${overlay_devices} - - # shellcheck disable=SC2086 - [ -n "${LIVE_BOOT_DEBUG}" ] && cp ${custom_mounts} "/run/live/persistence" - - # Now we do the actual mounting (and symlinking) - # shellcheck disable=SC3043 - local used_overlays - used_overlays="" - # shellcheck disable=SC2086 - used_overlays=$(activate_custom_mounts ${custom_mounts}) - # shellcheck disable=SC2086 - rm -f ${custom_mounts} - - # Close unused overlays (e.g., due to missing $persistence_list) - for overlay in ${overlay_devices} - do - # shellcheck disable=SC2086 - if echo ${used_overlays} | grep -qve "^\(.* \)\?${overlay}\( .*\)\?$" - then - close_persistence_media ${overlay} - fi - done - fi - - printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/9990-overlay.sh] ... \n\e[0m" -} diff --git a/config/hooks/live/0000_basic_chroot_setup.chroot b/config/hooks/live/0000_basic_chroot_setup.chroot index 0534bbe..70f1750 100644 --- a/config/hooks/live/0000_basic_chroot_setup.chroot +++ b/config/hooks/live/0000_basic_chroot_setup.chroot 
@@ -232,9 +232,17 @@ ln -sf /dev/null /etc/systemd/system/apt-show-versions.timer ln -sf /dev/null /etc/systemd/system/apt-show-versions.service rm -f /etc/cron.daily/apt-show-versions || true -### Remove original '/usr/lib/live/boot/0030-verify-checksums' ----------------------------------------------------------------- +### Remove the original '/usr/lib/live/boot/0030-verify-checksums' ------------------------------------------------------------- [[ -e /usr/lib/live/boot/0030-verify-checksums ]] && rm -f /usr/lib/live/boot/0030-verify-checksums +### Ensure proper 0755 rights for CISS initramfs scripts ---------------------------------------------------------------------- +[[ -x /etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh ]] \ + && chmod 0755 /etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh +[[ -x /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh ]] \ + && chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh +[[ -x /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh ]] \ + && chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 diff --git a/config/includes.chroot/etc/initramfs-tools/scripts/live-bottom/0042-ciss-post-decrypt-attest b/config/includes.chroot/etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh similarity index 94% rename from config/includes.chroot/etc/initramfs-tools/scripts/live-bottom/0042-ciss-post-decrypt-attest rename to config/includes.chroot/etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh index 2149fdd..cd59a8a 100644 --- a/config/includes.chroot/etc/initramfs-tools/scripts/live-bottom/0042-ciss-post-decrypt-attest +++ b/config/includes.chroot/etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh 
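Review bot: The new `[[ -x … ]] && chmod 0755 …` guards skip exactly the files the section is meant to repair, because a script that is not already executable fails the `-x` test and is never chmod'ed; only already-executable files get their mode rewritten. Testing for existence instead makes the "ensure 0755" comment true, e.g. `[[ -f /etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh ]] \`, and likewise for the two `*_ciss_fixpath.sh` lines (the existing `0030-verify-checksums` line in the same hunk already uses `-e` for its guard, so `-e` or `-f` keeps the style consistent). The hook script's header and any `set` options are outside the hunk, so whether a failing guard on the last such line trips `set -e` cannot be checked from here.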
@@ -77,10 +77,11 @@ for _mp in /run/live/rootfs /run/live/rootfs.squashfs /run/live/overlay /root ; done if [ -z "${ROOTMP}" ]; then + log_er "No decrypted rootfs mount found." sleep 8 - # TODO: Remove debug mode - # panic "[FATAL] No decrypted rootfs mount found." + panic "[FATAL] No decrypted rootfs mount found." + fi log_ok "Decrypted rootfs at: [${ROOTMP}]" @@ -106,8 +107,7 @@ else log_er "Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]" sleep 8 - # TODO: Remove debug mode - # panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]." + panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]." fi @@ -126,8 +126,7 @@ if [ -e "${MAP_DEV}" ]; then log_er "Top layer is NOT 'crypt'." sleep 8 - # TODO: Remove debug mode - # panic "[FATAL] Top layer is NOT 'crypt'." + panic "[FATAL] Top layer is NOT 'crypt'." fi @@ -139,8 +138,7 @@ if [ -e "${MAP_DEV}" ]; then log_er "Cipher does not look like AES-XTS." sleep 8 - # TODO: Remove debug mode - # panic "[FATAL] Cipher does not look like AES-XTS." + panic "[FATAL] Cipher does not look like AES-XTS." fi diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 732cda4..e919475 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md 
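Review bot: Each of the four failure branches now reaches `panic`, but the `sleep 8` immediately before it is kept in every branch (hunks -77, -106, -126, -139); that delay looks like part of the debug mode the removed `# TODO: Remove debug mode` comments refer to, and with `panic` active it only postpones the failure by eight seconds per check, so it should probably go unless the pause is deliberate (in which case a one-line comment stating why would help, e.g. `# keep log_er output visible before panic`). If `panic` here is the initramfs-tools helper, note that it drops to a rescue shell unless the kernel command line sets `panic=`, so for an attestation failure (missing decrypted rootfs, FPR mismatch, non-crypt top layer, unexpected cipher) the effective failure mode is decided by the ISO's boot parameters rather than by this script; worth stating in the script header. The added blank line before `fi` in the first hunk is a minor style nit. The enclosing checks start and end outside the hunks.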
@@ -21,7 +21,7 @@ include_toc: true * **Bugfixes**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash) * **Bugfixes**: [0026-ciss-early-sysctl](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl) * **Bugfixes**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) -* **Bugfixes**: [0042-ciss-post-decrypt-attest](../config/includes.chroot/etc/initramfs-tools/scripts/live-bottom/0042-ciss-post-decrypt-attest) +* **Bugfixes**: [0042-ciss-post-decrypt-attest](../config/includes.chroot/etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh) ## V8.13.432.2025.11.18 * **Bugfixes**: [0003_cdi_autostart.chroot](../config/hooks/live/0003_cdi_autostart.chroot) 
@@ -37,7 +37,7 @@ include_toc: true * **Added**: [0022-ciss-overlay-tmpfs.sh](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs) + Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay. * **Added**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash) + Open ``/live/ciss_rootfs.crypt`` (LUKS) and present its SquashFS as ``/run/live/rootfs``. * **Added**: [0026-ciss-early-sysctl.sh](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl) + Enforce early sysctls before services start. -* **Added**: [0042-ciss-post-decrypt-attest](../config/includes.chroot/etc/initramfs-tools/scripts/live-bottom/0042-ciss-post-decrypt-attest) + Late rootfs attestation and dmsetup health checking. +* **Added**: [0042-ciss-post-decrypt-attest](../config/includes.chroot/etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh) + Late rootfs attestation and dmsetup health checking. * **Added**: [MAN_CISS_ISO_BOOT_CHAIN.md](MAN_CISS_ISO_BOOT_CHAIN.md) * **Added**: [lib_ciss_signatures.sh](../lib/lib_ciss_signatures.sh) + integrated dynamic GPG FPR injection. * **Bugfixes**: [0021_dropbear_initramfs.chroot](../config/hooks/live/0021_dropbear_initramfs.chroot) + mv original files to a safe backup location. diff --git a/lib/lib_ciss_signatures.sh b/lib/lib_ciss_signatures.sh index d214fc3..ac2e9bd 100644 --- a/lib/lib_ciss_signatures.sh +++ b/lib/lib_ciss_signatures.sh @@ -17,7 +17,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}" # Module to export GPG FPRs into scripts: # - /etc/initramfs-tools/files/unlock_wrapper.sh # - /usr/lib/live/boot/0030-ciss-verify-checksums -# - /usr/lib/live/boot/0042-ciss-post-decrypt-attest +# - /usr/lib/live/boot/0042_ciss_post_decrypt_attest.sh # Globals: # BASH_SOURCE # VAR_HANDLER_BUILD_DIR
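Review bot: The updated comment line `# - /usr/lib/live/boot/0042_ciss_post_decrypt_attest.sh` in lib_ciss_signatures.sh does not match the path this same commit renames the script to, `config/includes.chroot/etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh`, which installs under `/etc/initramfs-tools/scripts/init-bottom/`; the previous comment already pointed at `/usr/lib/live/boot/` while the file lived under `/etc/initramfs-tools/scripts/live-bottom/`. Since this list documents which files receive injected GPG fingerprints, the wrong path makes the audit trail misleading; change it to `# - /etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh`. The module's remaining header and the injection code are outside the hunk.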