V8.13.528.2025.12.03
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m5s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m5s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -250,6 +250,8 @@ mkdir -p /etc/systemd/system/sockets.target.wants
|
|||||||
mkdir -p /etc/systemd/system
|
mkdir -p /etc/systemd/system
|
||||||
|
|
||||||
### Enable clean systemd-networkd stack ----------------------------------------------------------------------------------------
|
### Enable clean systemd-networkd stack ----------------------------------------------------------------------------------------
|
||||||
|
apt-get -y purge ifupdown || true
|
||||||
|
|
||||||
ln -sf /lib/systemd/system/systemd-networkd.service /etc/systemd/system/multi-user.target.wants/systemd-networkd.service
|
ln -sf /lib/systemd/system/systemd-networkd.service /etc/systemd/system/multi-user.target.wants/systemd-networkd.service
|
||||||
|
|
||||||
ln -sf /lib/systemd/system/systemd-resolved.service /etc/systemd/system/multi-user.target.wants/systemd-resolved.service
|
ln -sf /lib/systemd/system/systemd-resolved.service /etc/systemd/system/multi-user.target.wants/systemd-resolved.service
|
||||||
|
|||||||
@@ -18,6 +18,8 @@ DNSOverTLS=opportunistic
|
|||||||
DNSSEC=yes
|
DNSSEC=yes
|
||||||
IPv6AcceptRA=yes
|
IPv6AcceptRA=yes
|
||||||
LinkLocalAddressing=ipv6
|
LinkLocalAddressing=ipv6
|
||||||
|
LLMNR=no
|
||||||
|
MulticastDNS=no
|
||||||
|
|
||||||
[DHCPv4]
|
[DHCPv4]
|
||||||
RoutesToDNS=no
|
RoutesToDNS=no
|
||||||
|
|||||||
@@ -17,6 +17,8 @@
|
|||||||
# Purpose: Late rootfs attestation and dmsetup health checking.
|
# Purpose: Late rootfs attestation and dmsetup health checking.
|
||||||
# Phase : executed by live-boot inside the 9990-main.sh.
|
# Phase : executed by live-boot inside the 9990-main.sh.
|
||||||
|
|
||||||
|
# TODO: Remove Debug Mode
|
||||||
|
|
||||||
_SAVED_SET_OPTS="$(set +o)"
|
_SAVED_SET_OPTS="$(set +o)"
|
||||||
|
|
||||||
set -eu
|
set -eu
|
||||||
@@ -33,8 +35,8 @@ export CDLB_EXP_CA_FPR="@EXP_CA_FPR@"
|
|||||||
CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-crypt_liveiso}"
|
CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-crypt_liveiso}"
|
||||||
|
|
||||||
### Attestation file locations inside decrypted rootfs. ------------------------------------------------------------------------
|
### Attestation file locations inside decrypted rootfs. ------------------------------------------------------------------------
|
||||||
CDLB_ATTEST_FPR_SHA="${CDLB_ATTEST_FPR_SHA:-/root/.ciss/attest/${CDLB_EXP_FPR}.sha512sum.txt}"
|
CDLB_ATTEST_FPR_SHA="${CDLB_ATTEST_FPR_SHA:-/root/.ciss/attestation/${CDLB_EXP_FPR}.gpg.sha512sum.txt}"
|
||||||
CDLB_ATTEST_FPR_SIG="${CDLB_ATTEST_FPR_SIG:-/root/.ciss/attest/${CDLB_EXP_FPR}.sha512sum.txt.sig}"
|
CDLB_ATTEST_FPR_SIG="${CDLB_ATTEST_FPR_SIG:-/root/.ciss/attestation/${CDLB_EXP_FPR}.gpg.sha512sum.txt.sig}"
|
||||||
CDLB_KEY_DIR="${CDLB_KEY_DIR:-/etc/ciss/keys}"
|
CDLB_KEY_DIR="${CDLB_KEY_DIR:-/etc/ciss/keys}"
|
||||||
|
|
||||||
### Declare functions ----------------------------------------------------------------------------------------------------------
|
### Declare functions ----------------------------------------------------------------------------------------------------------
|
||||||
@@ -67,47 +69,48 @@ log_ok() { printf '\e[92m[INFO] %s \n\e[0m' "$*"; }
|
|||||||
log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }
|
log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }
|
||||||
|
|
||||||
### Locate decrypted rootfs mount ----------------------------------------------------------------------------------------------
|
### Locate decrypted rootfs mount ----------------------------------------------------------------------------------------------
|
||||||
_mp=""
|
#_mp=""
|
||||||
ROOTMP=""
|
#ROOTMP=""
|
||||||
|
|
||||||
for _mp in /run/live/rootfs /run/live/rootfs.squashfs /run/live/overlay /root ; do
|
#for _mp in /run/live/rootfs /run/live/rootfs.squashfs /run/live/overlay /root ; do
|
||||||
|
|
||||||
if [ -d "${_mp}" ] && [ -e "${_mp}/etc" ]; then ROOTMP="${_mp}"; break; fi
|
# if [ -d "${_mp}" ] && [ -e "${_mp}/etc" ]; then ROOTMP="${_mp}"; break; fi
|
||||||
|
|
||||||
done
|
#done
|
||||||
|
|
||||||
if [ -z "${ROOTMP}" ]; then
|
#if [ -z "${ROOTMP}" ]; then
|
||||||
|
|
||||||
log_er "No decrypted rootfs mount found."
|
# log_er "0042() : No decrypted rootfs mount found."
|
||||||
sleep 8
|
# sleep 8
|
||||||
panic "[FATAL] No decrypted rootfs mount found."
|
# panic "[FATAL] No decrypted rootfs mount found."
|
||||||
|
|
||||||
fi
|
#fi
|
||||||
|
|
||||||
log_ok "Decrypted rootfs at: [${ROOTMP}]"
|
#log_ok "0042() : Decrypted rootfs at: [${ROOTMP}]"
|
||||||
|
|
||||||
HASH_FILE="${ROOTMP}${CDLB_ATTEST_FPR_SHA}"
|
HASH_FILE="${CDLB_ATTEST_FPR_SHA}"
|
||||||
SIGN_FILE="${ROOTMP}${CDLB_ATTEST_FPR_SIG}"
|
SIGN_FILE="${CDLB_ATTEST_FPR_SIG}"
|
||||||
KEYFILE="${ROOTMP}${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg"
|
KEYFILE="${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg"
|
||||||
|
|
||||||
[ -s "${KEYFILE}" ] || { log_er "No public key found under: [${ROOTMP}${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"; exit 42; }
|
[ -s "${KEYFILE}" ] || { log_er "0042() : No public key found under: [${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"; exit 42; }
|
||||||
[ -s "${HASH_FILE}" ] || { log_er "Attestation data missing: [${HASH_FILE}]"; exit 42; }
|
[ -s "${HASH_FILE}" ] || { log_er "0042() : Attestation data missing: [${HASH_FILE}]"; exit 42; }
|
||||||
[ -s "${SIGN_FILE}" ] || { log_er "Attestation signature missing: [${SIGN_FILE}]"; exit 42; }
|
[ -s "${SIGN_FILE}" ] || { log_er "0042() : Attestation signature missing: [${SIGN_FILE}]"; exit 42; }
|
||||||
|
|
||||||
log_in "Verifying rootfs attestation with 'gpgv' and inside LUKS encrypted rootfs pinned GPG FPR."
|
|
||||||
|
log_in "0042() : Verifying rootfs attestation with 'gpgv' and inside LUKS encrypted rootfs pinned GPG FPR."
|
||||||
_STATUS="$(gpgv --no-default-keyring --keyring "${KEYFILE}" --status-fd 1 --verify "${SIGN_FILE}" "${HASH_FILE}" 2>/dev/null)"
|
_STATUS="$(gpgv --no-default-keyring --keyring "${KEYFILE}" --status-fd 1 --verify "${SIGN_FILE}" "${HASH_FILE}" 2>/dev/null)"
|
||||||
_CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"
|
_CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"
|
||||||
|
|
||||||
### Compare against pinned and expected fingerprint. ---------------------------------------------------------------------------
|
### Compare against pinned and expected fingerprint. ---------------------------------------------------------------------------
|
||||||
if [ "${_CDLB_SIG_FILE_FPR}" = "${CDLB_EXP_FPR}" ]; then
|
if [ "${_CDLB_SIG_FILE_FPR}" = "${CDLB_EXP_FPR}" ]; then
|
||||||
|
|
||||||
log_ok "Signature FPR valid: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
|
log_ok "0042() : Signature FPR valid: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
|
||||||
|
|
||||||
else
|
else
|
||||||
|
|
||||||
log_er "Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
|
log_er "0042() : Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
|
||||||
sleep 8
|
#sleep 8
|
||||||
panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
|
#panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@@ -115,30 +118,30 @@ fi
|
|||||||
MAP_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
|
MAP_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
|
||||||
if [ -e "${MAP_DEV}" ]; then
|
if [ -e "${MAP_DEV}" ]; then
|
||||||
|
|
||||||
log_in "Checking dmsetup table for ${MAP_DEV}"
|
log_in "0042() : Checking dmsetup table for ${MAP_DEV}"
|
||||||
|
|
||||||
TOP_LINE="$(/usr/sbin/dmsetup table --showkeys "${MAP_DEV}" 2>/dev/null | awk 'NR==1{print; exit}')"
|
TOP_LINE="$(/usr/sbin/dmsetup table --showkeys "${MAP_DEV}" 2>/dev/null | awk 'NR==1{print; exit}')"
|
||||||
if printf '%s\n' "${TOP_LINE}" | grep -q ' crypt '; then
|
if printf '%s\n' "${TOP_LINE}" | grep -q ' crypt '; then
|
||||||
|
|
||||||
log_ok "Top layer is 'crypt'."
|
log_ok "0042() : Top layer is 'crypt'."
|
||||||
|
|
||||||
else
|
else
|
||||||
|
|
||||||
log_er "Top layer is NOT 'crypt'."
|
log_er "0042() : Top layer is NOT 'crypt'."
|
||||||
sleep 8
|
#sleep 8
|
||||||
panic "[FATAL] Top layer is NOT 'crypt'."
|
#panic "[FATAL] Top layer is NOT 'crypt'."
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if printf '%s\n' "${TOP_LINE}" | grep -Eq ' xts|aes-xts'; then
|
if printf '%s\n' "${TOP_LINE}" | grep -Eq ' xts|aes-xts'; then
|
||||||
|
|
||||||
log_ok "Cipher looks like AES-XTS."
|
log_ok "0042() : Cipher looks like AES-XTS."
|
||||||
|
|
||||||
else
|
else
|
||||||
|
|
||||||
log_er "Cipher does not look like AES-XTS."
|
log_er "0042() : Cipher does not look like AES-XTS."
|
||||||
sleep 8
|
#sleep 8
|
||||||
panic "[FATAL] Cipher does not look like AES-XTS."
|
#panic "[FATAL] Cipher does not look like AES-XTS."
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@@ -165,12 +168,12 @@ esac
|
|||||||
log_in "Checking underlying integrity target: ${CHILD_NAME}"
|
log_in "Checking underlying integrity target: ${CHILD_NAME}"
|
||||||
|
|
||||||
CHILD_TAB="$(/usr/sbin/dmsetup table --showkeys "${CHILD_NAME}" 2>/dev/null || true)"
|
CHILD_TAB="$(/usr/sbin/dmsetup table --showkeys "${CHILD_NAME}" 2>/dev/null || true)"
|
||||||
printf '%s\n' "${CHILD_TAB}" | grep -q ' integrity ' || { log_er "Underlying layer is not 'integrity'"; }
|
printf '%s\n' "${CHILD_TAB}" | grep -q ' integrity ' || { log_er "0042() : Underlying layer is not 'integrity'"; }
|
||||||
printf '%s\n' "${CHILD_TAB}" | grep -qi 'hmac' || { log_er "Integrity target not using keyed MAC (hmac)"; }
|
printf '%s\n' "${CHILD_TAB}" | grep -qi 'hmac' || { log_er "0042() : Integrity target not using keyed MAC (hmac)"; }
|
||||||
printf '%s\n' "${CHILD_TAB}" | grep -qi 'sha512' || { log_er "Integrity algo not sha512"; }
|
printf '%s\n' "${CHILD_TAB}" | grep -qi 'sha512' || { log_er "0042() : Integrity algo not sha512"; }
|
||||||
printf '%s\n' "${CHILD_TAB}" | grep -Eq '\b4096\b' || { log_er "Expected 4096-byte sector size not found"; }
|
printf '%s\n' "${CHILD_TAB}" | grep -Eq '\b4096\b' || { log_er "0042() : Expected 4096-byte sector size not found"; }
|
||||||
|
|
||||||
log_ok "dm-crypt and dm-integrity(HMAC-SHA512, 4096B) chain looks healthy."
|
log_ok "0042() : dm-crypt and dm-integrity(HMAC-SHA512, 4096B) chain looks healthy."
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|||||||
@@ -9,6 +9,7 @@
|
|||||||
# SPDX-PackageName: CISS.debian.live.builder
|
# SPDX-PackageName: CISS.debian.live.builder
|
||||||
# SPDX-Security-Contact: security@coresecret.eu
|
# SPDX-Security-Contact: security@coresecret.eu
|
||||||
|
|
||||||
|
-ifupdown
|
||||||
adjtimex
|
adjtimex
|
||||||
age
|
age
|
||||||
apparmor
|
apparmor
|
||||||
|
|||||||
@@ -61,6 +61,8 @@ DNSOverTLS=opportunistic
|
|||||||
DNSSEC=yes
|
DNSSEC=yes
|
||||||
IPv6AcceptRA=no
|
IPv6AcceptRA=no
|
||||||
LinkLocalAddressing=ipv6
|
LinkLocalAddressing=ipv6
|
||||||
|
LLMNR=no
|
||||||
|
MulticastDNS=no
|
||||||
|
|
||||||
[Address]
|
[Address]
|
||||||
Address=${handler_netcup_ipv6_string}/128
|
Address=${handler_netcup_ipv6_string}/128
|
||||||
|
|||||||
Reference in New Issue
Block a user