From 5db405a67720f01c1f5916480875b00c4169672257ec72416c838506ce61c89c Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner"
Date: Wed, 3 Dec 2025 12:58:22 +0100
Subject: [PATCH] V8.13.528.2025.12.03
Signed-off-by: Marc S. Weidner
---
 .../hooks/live/0000_basic_chroot_setup.chroot | 2 +
 .../systemd/network/90-ciss-ethernet.network | 2 +
 .../live/boot/0042_ciss_post_decrypt_attest | 83 ++++++++++---------
 config/package-lists/live.list.common.chroot | 1 +
 lib/lib_provider_netcup.sh | 2 +
 5 files changed, 50 insertions(+), 40 deletions(-)
diff --git a/config/hooks/live/0000_basic_chroot_setup.chroot b/config/hooks/live/0000_basic_chroot_setup.chroot
index cd5e6e4..7236b72 100644
--- a/config/hooks/live/0000_basic_chroot_setup.chroot
+++ b/config/hooks/live/0000_basic_chroot_setup.chroot
@@ -250,6 +250,8 @@ mkdir -p /etc/systemd/system/sockets.target.wants
 mkdir -p /etc/systemd/system
 ### Enable clean systemd-networkd stack ----------------------------------------------------------------------------------------
+apt-get -y purge ifupdown || true
+
 ln -sf /lib/systemd/system/systemd-networkd.service /etc/systemd/system/multi-user.target.wants/systemd-networkd.service
 ln -sf /lib/systemd/system/systemd-resolved.service /etc/systemd/system/multi-user.target.wants/systemd-resolved.service
diff --git a/config/includes.chroot/etc/systemd/network/90-ciss-ethernet.network b/config/includes.chroot/etc/systemd/network/90-ciss-ethernet.network
index 297bab4..74d1d94 100644
--- a/config/includes.chroot/etc/systemd/network/90-ciss-ethernet.network
+++ b/config/includes.chroot/etc/systemd/network/90-ciss-ethernet.network
@@ -18,6 +18,8 @@ DNSOverTLS=opportunistic
 DNSSEC=yes
 IPv6AcceptRA=yes
 LinkLocalAddressing=ipv6
+LLMNR=no
+MulticastDNS=no
 [DHCPv4]
 RoutesToDNS=no
diff --git a/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest b/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest
index 5d79f92..969f636 100644
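Review bot: `apt-get -y purge ifupdown || true` hides a failed purge, and a leftover ifupdown would keep its `networking.service` competing with the systemd-networkd unit this hook enables two lines below for the same links. apt-get already exits 0 when the package is not installed, so the `|| true` only suppresses real errors (dpkg lock, broken state); drop it, or verify afterwards with `dpkg-query -W -f='${Status}\n' ifupdown 2>/dev/null | grep -q 'ok installed' && { echo "ifupdown still installed" >&2; exit 1; }`. If the `-ifupdown` entry added to live.list.common.chroot is meant to keep the package out at install time, confirm live-build accepts the leading-hyphen form — apt-get's own removal syntax is a trailing hyphen (`ifupdown-`) — otherwise this purge is the only thing removing it. The hook's error-handling settings are outside this hunk.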
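Review bot: `LLMNR=no` and `MulticastDNS=no` here are per-link settings and only affect interfaces matched by this `.network` file; systemd-resolved's global defaults from `resolved.conf` still govern every other link, so if the intent is to stop answering LLMNR/mDNS altogether, set the same two keys under `[Resolve]` in `/etc/systemd/resolved.conf` as well. The identical per-link lines added to the netcup template in lib_provider_netcup.sh would be covered by that one global setting. Visible in this hunk's header, `DNSOverTLS=opportunistic` falls back to plaintext when TLS fails, so it gives no protection against an active on-path attacker; `strict` is the enforcing mode if the configured resolvers support it.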
--- a/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest
+++ b/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest
@@ -17,6 +17,8 @@
 # Purpose: Late rootfs attestation and dmsetup health checking.
 # Phase : executed by live-boot inside the 9990-main.sh.
+# TODO: Remove Debug Mode
+
 _SAVED_SET_OPTS="$(set +o)"
 set -eu
@@ -33,8 +35,8 @@ export CDLB_EXP_CA_FPR="@EXP_CA_FPR@"
 CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-crypt_liveiso}"
 ### Attestation file locations inside decrypted rootfs. ------------------------------------------------------------------------
-CDLB_ATTEST_FPR_SHA="${CDLB_ATTEST_FPR_SHA:-/root/.ciss/attest/${CDLB_EXP_FPR}.sha512sum.txt}"
-CDLB_ATTEST_FPR_SIG="${CDLB_ATTEST_FPR_SIG:-/root/.ciss/attest/${CDLB_EXP_FPR}.sha512sum.txt.sig}"
+CDLB_ATTEST_FPR_SHA="${CDLB_ATTEST_FPR_SHA:-/root/.ciss/attestation/${CDLB_EXP_FPR}.gpg.sha512sum.txt}"
+CDLB_ATTEST_FPR_SIG="${CDLB_ATTEST_FPR_SIG:-/root/.ciss/attestation/${CDLB_EXP_FPR}.gpg.sha512sum.txt.sig}"
 CDLB_KEY_DIR="${CDLB_KEY_DIR:-/etc/ciss/keys}"
 ### Declare functions ----------------------------------------------------------------------------------------------------------
@@ -46,7 +48,7 @@ CDLB_KEY_DIR="${CDLB_KEY_DIR:-/etc/ciss/keys}"
 # Arguments:
 # *: String to print
 #######################################
-log_in() { printf '\e[95m[INFO] %s \n\e[0m' "$*"; }
+log_in() { printf '\e[95m[INFO] %s \n\e[0m' "$*"; }
 #######################################
 # Helper for colored text output on stdout.
@@ -55,7 +57,7 @@ log_in() { printf '\e[95m[INFO] %s \n\e[0m' "$*"; }
 # Arguments:
 # *: String to print
 #######################################
-log_ok() { printf '\e[92m[INFO] %s \n\e[0m' "$*"; }
+log_ok() { printf '\e[92m[INFO] %s \n\e[0m' "$*"; }
 #######################################
 # Helper for colored text output on stdout.
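Review bot: The added `# TODO: Remove Debug Mode` does not say what the debug mode is, and the later hunks of this commit show it is the `panic` calls of the attestation and dm-table checks being commented out, so a reader of this header cannot tell that the script is currently non-enforcing. Make the marker explicit and attributable, e.g. `# TODO(msw): DEBUG MODE - panic() on attestation / dm-table failures is commented out below, boot proceeds on failure. Re-enable before release.` Gating the bypass on a variable such as `CDLB_DEBUG` instead of commented-out code would keep the enforcing path present and testable. The new default paths in the -33 hunk (`/root/.ciss/attestation/${CDLB_EXP_FPR}.gpg.sha512sum.txt` and its `.sig`) have to match what the build side writes; that cannot be confirmed from this diff.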
@@ -67,47 +69,48 @@ log_ok() { printf '\e[92m[INFO] %s \n\e[0m' "$*"; }
 log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }
 ### Locate decrypted rootfs mount ----------------------------------------------------------------------------------------------
-_mp=""
-ROOTMP=""
+#_mp=""
+#ROOTMP=""
-for _mp in /run/live/rootfs /run/live/rootfs.squashfs /run/live/overlay /root ; do
+#for _mp in /run/live/rootfs /run/live/rootfs.squashfs /run/live/overlay /root ; do
- if [ -d "${_mp}" ] && [ -e "${_mp}/etc" ]; then ROOTMP="${_mp}"; break; fi
+# if [ -d "${_mp}" ] && [ -e "${_mp}/etc" ]; then ROOTMP="${_mp}"; break; fi
-done
+#done
-if [ -z "${ROOTMP}" ]; then
+#if [ -z "${ROOTMP}" ]; then
- log_er "No decrypted rootfs mount found."
- sleep 8
- panic "[FATAL] No decrypted rootfs mount found."
+# log_er "0042() : No decrypted rootfs mount found."
+# sleep 8
+# panic "[FATAL] No decrypted rootfs mount found."
-fi
+#fi
-log_ok "Decrypted rootfs at: [${ROOTMP}]"
+#log_ok "0042() : Decrypted rootfs at: [${ROOTMP}]"
-HASH_FILE="${ROOTMP}${CDLB_ATTEST_FPR_SHA}"
-SIGN_FILE="${ROOTMP}${CDLB_ATTEST_FPR_SIG}"
-KEYFILE="${ROOTMP}${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg"
+HASH_FILE="${CDLB_ATTEST_FPR_SHA}"
+SIGN_FILE="${CDLB_ATTEST_FPR_SIG}"
+KEYFILE="${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg"
-[ -s "${KEYFILE}" ] || { log_er "No public key found under: [${ROOTMP}${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"; exit 42; }
-[ -s "${HASH_FILE}" ] || { log_er "Attestation data missing: [${HASH_FILE}]"; exit 42; }
-[ -s "${SIGN_FILE}" ] || { log_er "Attestation signature missing: [${SIGN_FILE}]"; exit 42; }
+[ -s "${KEYFILE}" ] || { log_er "0042() : No public key found under: [${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"; exit 42; }
+[ -s "${HASH_FILE}" ] || { log_er "0042() : Attestation data missing: [${HASH_FILE}]"; exit 42; }
+[ -s "${SIGN_FILE}" ] || { log_er "0042() : Attestation signature missing: [${SIGN_FILE}]"; exit 42; }
-log_in "Verifying rootfs attestation with 'gpgv' and inside LUKS encrypted rootfs 
pinned GPG FPR."
+
+log_in "0042() : Verifying rootfs attestation with 'gpgv' and inside LUKS encrypted rootfs pinned GPG FPR."
 _STATUS="$(gpgv --no-default-keyring --keyring "${KEYFILE}" --status-fd 1 --verify "${SIGN_FILE}" "${HASH_FILE}" 2>/dev/null)"
 _CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"
 ### Compare against pinned and expected fingerprint. ---------------------------------------------------------------------------
 if [ "${_CDLB_SIG_FILE_FPR}" = "${CDLB_EXP_FPR}" ]; then
- log_ok "Signature FPR valid: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
+ log_ok "0042() : Signature FPR valid: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
 else
- log_er "Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
- sleep 8
- panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
+ log_er "0042() : Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
+ #sleep 8
+ #panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
 fi
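Review bot: Commenting out `panic` in the else branch turns the fingerprint check into a log line — a signature by a different key in the keyring, or no VALIDSIG at all (which leaves `_CDLB_SIG_FILE_FPR` empty), now prints `[FATAL]` and boot carries on, so the pinned-FPR attestation enforces nothing; restore `panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."` or gate the bypass on an explicit debug variable rather than commented code. With the ROOTMP search commented out, `HASH_FILE`/`SIGN_FILE`/`KEYFILE` are now the bare defaults `/root/.ciss/attestation/…` and `/etc/ciss/keys/…`, resolved in whatever namespace live-boot has at this phase; whether those land inside the decrypted rootfs depends on where 9990-main.sh has it mounted, and if the keyring is actually read from the initramfs the trust anchor is no longer "inside LUKS encrypted rootfs" as the new log_in message states — please verify before relying on the message. Note also that under the `set -eu` in force, a gpgv failure (BADSIG, NO_PUBKEY, unreadable file) makes the `_STATUS="$(gpgv …)"` assignment abort the script before the comparison is reached, so the else branch only ever sees the valid-signature-wrong-key case; `_STATUS="$(gpgv … 2>/dev/null)" || _STATUS=""` would route every failure through the same mismatch path.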
@@ -115,30 +118,30 @@ fi
 MAP_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
 if [ -e "${MAP_DEV}" ]; then
- log_in "Checking dmsetup table for ${MAP_DEV}"
+ log_in "0042() : Checking dmsetup table for ${MAP_DEV}"
 TOP_LINE="$(/usr/sbin/dmsetup table --showkeys "${MAP_DEV}" 2>/dev/null | awk 'NR==1{print; exit}')"
 if printf '%s\n' "${TOP_LINE}" | grep -q ' crypt '; then
- log_ok "Top layer is 'crypt'."
+ log_ok "0042() : Top layer is 'crypt'."
 else
- log_er "Top layer is NOT 'crypt'."
- sleep 8
- panic "[FATAL] Top layer is NOT 'crypt'."
+ log_er "0042() : Top layer is NOT 'crypt'."
+ #sleep 8
+ #panic "[FATAL] Top layer is NOT 'crypt'."
 fi
 if printf '%s\n' "${TOP_LINE}" | grep -Eq ' xts|aes-xts'; then
- log_ok "Cipher looks like AES-XTS."
+ log_ok "0042() : Cipher looks like AES-XTS."
 else
- log_er "Cipher does not look like AES-XTS."
- sleep 8
- panic "[FATAL] Cipher does not look like AES-XTS."
+ log_er "0042() : Cipher does not look like AES-XTS."
+ #sleep 8
+ #panic "[FATAL] Cipher does not look like AES-XTS."
 fi
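Review bot: Both `#panic` lines in this hunk leave the crypt-layer and cipher checks log-only, so a mapping whose top layer is not dm-crypt or whose cipher is not AES-XTS now boots with a red message instead of halting; if this is temporary debug behaviour, gate it on a variable instead of commenting out the enforcing path, otherwise restore the two `panic` calls. Separately, `dmsetup table --showkeys` on the `TOP_LINE` context line pulls the volume key in hex into a shell variable although the two greps only need the target type and cipher name, which plain `dmsetup table` prints with the key field zeroed; `TOP_LINE="$(/usr/sbin/dmsetup table "${MAP_DEV}" 2>/dev/null | awk 'NR==1{print; exit}')"` keeps the key out of a variable that a later `set -x` or log line could expose. The `if [ -e "${MAP_DEV}" ]` block closes in a later hunk.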
@@ -165,12 +168,12 @@ esac
 log_in "Checking underlying integrity target: ${CHILD_NAME}"
 CHILD_TAB="$(/usr/sbin/dmsetup table --showkeys "${CHILD_NAME}" 2>/dev/null || true)"
-printf '%s\n' "${CHILD_TAB}" | grep -q ' integrity ' || { log_er "Underlying layer is not 'integrity'"; }
-printf '%s\n' "${CHILD_TAB}" | grep -qi 'hmac' || { log_er "Integrity target not using keyed MAC (hmac)"; }
-printf '%s\n' "${CHILD_TAB}" | grep -qi 'sha512' || { log_er "Integrity algo not sha512"; }
-printf '%s\n' "${CHILD_TAB}" | grep -Eq '\b4096\b' || { log_er "Expected 4096-byte sector size not found"; }
+printf '%s\n' "${CHILD_TAB}" | grep -q ' integrity ' || { log_er "0042() : Underlying layer is not 'integrity'"; }
+printf '%s\n' "${CHILD_TAB}" | grep -qi 'hmac' || { log_er "0042() : Integrity target not using keyed MAC (hmac)"; }
+printf '%s\n' "${CHILD_TAB}" | grep -qi 'sha512' || { log_er "0042() : Integrity algo not sha512"; }
+printf '%s\n' "${CHILD_TAB}" | grep -Eq '\b4096\b' || { log_er "0042() : Expected 4096-byte sector size not found"; }
-log_ok "dm-crypt and dm-integrity(HMAC-SHA512, 4096B) chain looks healthy."
+log_ok "0042() : dm-crypt and dm-integrity(HMAC-SHA512, 4096B) chain looks healthy."
 fi
diff --git a/config/package-lists/live.list.common.chroot b/config/package-lists/live.list.common.chroot
index 9901b73..20ab991 100644
--- a/config/package-lists/live.list.common.chroot
+++ b/config/package-lists/live.list.common.chroot
@@ -9,6 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
+-ifupdown
 adjtimex
 age
 apparmor
diff --git a/lib/lib_provider_netcup.sh b/lib/lib_provider_netcup.sh
index 73ffc97..ed1ffcb 100644
--- a/lib/lib_provider_netcup.sh
+++ b/lib/lib_provider_netcup.sh
@@ -61,6 +61,8 @@ DNSOverTLS=opportunistic
 DNSSEC=yes
 IPv6AcceptRA=no
 LinkLocalAddressing=ipv6
+LLMNR=no
+MulticastDNS=no
 [Address]
 Address=${handler_netcup_ipv6_string}/128
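Review bot: The new `log_ok "0042() : dm-crypt and dm-integrity(HMAC-SHA512, 4096B) chain looks healthy."` is printed unconditionally, so it follows the four `log_er` lines even when every one of them fired; track the outcome and only report health when all checks passed, as sketched below (the final `log_er` is where `panic` belongs once debug mode is removed). The `CHILD_TAB` context line uses `dmsetup table --showkeys`, which copies the dm-integrity HMAC key into a shell variable although none of the greps need it; plain `dmsetup table` suffices. The context line `log_in "Checking underlying integrity target: …"` also still lacks the `0042() : ` prefix the commit adds to every other message. The enclosing `if [ -e "${MAP_DEV}" ]` block and the `case … esac` that sets `CHILD_NAME` start in earlier hunks.
```shell
# … unchanged: CHILD_TAB capture …
_integ_ok=1
printf '%s\n' "${CHILD_TAB}" | grep -q ' integrity ' || { log_er "0042() : Underlying layer is not 'integrity'"; _integ_ok=0; }
printf '%s\n' "${CHILD_TAB}" | grep -qi 'hmac' || { log_er "0042() : Integrity target not using keyed MAC (hmac)"; _integ_ok=0; }
printf '%s\n' "${CHILD_TAB}" | grep -qi 'sha512' || { log_er "0042() : Integrity algo not sha512"; _integ_ok=0; }
printf '%s\n' "${CHILD_TAB}" | grep -Eq '\b4096\b' || { log_er "0042() : Expected 4096-byte sector size not found"; _integ_ok=0; }
if [ "${_integ_ok}" = 1 ]; then
  log_ok "0042() : dm-crypt and dm-integrity(HMAC-SHA512, 4096B) chain looks healthy."
else
  log_er "0042() : dm-integrity chain check FAILED (see messages above)."
fi
```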