msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.528.2025.12.03
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m5s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-12-03 12:58:22 +01:00
parent 5e85191009
commit 5db405a677
5 changed files with 50 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
config/hooks/live/0000_basic_chroot_setup.chroot
View File

@@ -250,6 +250,8 @@ mkdir -p /etc/systemd/system/sockets.target.wants
mkdir -p /etc/systemd/system
### Enable clean systemd-networkd stack ----------------------------------------------------------------------------------------
apt-get -y purge ifupdown || true
ln -sf /lib/systemd/system/systemd-networkd.service /etc/systemd/system/multi-user.target.wants/systemd-networkd.service
ln -sf /lib/systemd/system/systemd-resolved.service /etc/systemd/system/multi-user.target.wants/systemd-resolved.service

2
config/includes.chroot/etc/systemd/network/90-ciss-ethernet.network
View File

@@ -18,6 +18,8 @@ DNSOverTLS=opportunistic
DNSSEC=yes
IPv6AcceptRA=yes
LinkLocalAddressing=ipv6
LLMNR=no
MulticastDNS=no
[DHCPv4]
RoutesToDNS=no

79
config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest
View File

@@ -17,6 +17,8 @@
# Purpose: Late rootfs attestation and dmsetup health checking.
# Phase : executed by live-boot inside the 9990-main.sh.
# TODO: Remove Debug Mode
_SAVED_SET_OPTS="$(set +o)"
set -eu
@@ -33,8 +35,8 @@ export CDLB_EXP_CA_FPR="@EXP_CA_FPR@"
CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-crypt_liveiso}"
### Attestation file locations inside decrypted rootfs. ------------------------------------------------------------------------
CDLB_ATTEST_FPR_SHA="${CDLB_ATTEST_FPR_SHA:-/root/.ciss/attest/${CDLB_EXP_FPR}.sha512sum.txt}"
CDLB_ATTEST_FPR_SIG="${CDLB_ATTEST_FPR_SIG:-/root/.ciss/attest/${CDLB_EXP_FPR}.sha512sum.txt.sig}"
CDLB_ATTEST_FPR_SHA="${CDLB_ATTEST_FPR_SHA:-/root/.ciss/attestation/${CDLB_EXP_FPR}.gpg.sha512sum.txt}"
CDLB_ATTEST_FPR_SIG="${CDLB_ATTEST_FPR_SIG:-/root/.ciss/attestation/${CDLB_EXP_FPR}.gpg.sha512sum.txt.sig}"
CDLB_KEY_DIR="${CDLB_KEY_DIR:-/etc/ciss/keys}"
### Declare functions ----------------------------------------------------------------------------------------------------------
@@ -67,47 +69,48 @@ log_ok() { printf '\e[92m[INFO] %s \n\e[0m' "$*"; }
log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }
### Locate decrypted rootfs mount ----------------------------------------------------------------------------------------------
_mp=""
ROOTMP=""
#_mp=""
#ROOTMP=""
for _mp in /run/live/rootfs /run/live/rootfs.squashfs /run/live/overlay /root ; do
#for _mp in /run/live/rootfs /run/live/rootfs.squashfs /run/live/overlay /root ; do
if [ -d "${_mp}" ] && [ -e "${_mp}/etc" ]; then ROOTMP="${_mp}"; break; fi
# if [ -d "${_mp}" ] && [ -e "${_mp}/etc" ]; then ROOTMP="${_mp}"; break; fi
done
#done
if [ -z "${ROOTMP}" ]; then
#if [ -z "${ROOTMP}" ]; then
log_er "No decrypted rootfs mount found."
sleep 8
panic "[FATAL] No decrypted rootfs mount found."
# log_er "0042() : No decrypted rootfs mount found."
# sleep 8
# panic "[FATAL] No decrypted rootfs mount found."
fi
#fi
log_ok "Decrypted rootfs at: [${ROOTMP}]"
#log_ok "0042() : Decrypted rootfs at: [${ROOTMP}]"
HASH_FILE="${ROOTMP}${CDLB_ATTEST_FPR_SHA}"
SIGN_FILE="${ROOTMP}${CDLB_ATTEST_FPR_SIG}"
KEYFILE="${ROOTMP}${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg"
HASH_FILE="${CDLB_ATTEST_FPR_SHA}"
SIGN_FILE="${CDLB_ATTEST_FPR_SIG}"
KEYFILE="${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg"
[ -s "${KEYFILE}" ] || { log_er "No public key found under: [${ROOTMP}${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"; exit 42; }
[ -s "${HASH_FILE}" ] || { log_er "Attestation data missing: [${HASH_FILE}]"; exit 42; }
[ -s "${SIGN_FILE}" ] || { log_er "Attestation signature missing: [${SIGN_FILE}]"; exit 42; }
[ -s "${KEYFILE}" ] || { log_er "0042() : No public key found under: [${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"; exit 42; }
[ -s "${HASH_FILE}" ] || { log_er "0042() : Attestation data missing: [${HASH_FILE}]"; exit 42; }
[ -s "${SIGN_FILE}" ] || { log_er "0042() : Attestation signature missing: [${SIGN_FILE}]"; exit 42; }
log_in "Verifying rootfs attestation with 'gpgv' and inside LUKS encrypted rootfs pinned GPG FPR."
log_in "0042() : Verifying rootfs attestation with 'gpgv' and inside LUKS encrypted rootfs pinned GPG FPR."
_STATUS="$(gpgv --no-default-keyring --keyring "${KEYFILE}" --status-fd 1 --verify "${SIGN_FILE}" "${HASH_FILE}" 2>/dev/null)"
_CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"
### Compare against pinned and expected fingerprint. ---------------------------------------------------------------------------
if [ "${_CDLB_SIG_FILE_FPR}" = "${CDLB_EXP_FPR}" ]; then
log_ok "Signature FPR valid: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
log_ok "0042() : Signature FPR valid: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
else
log_er "Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
sleep 8
panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
log_er "0042() : Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
#sleep 8
#panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
fi
@@ -115,30 +118,30 @@ fi
MAP_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
if [ -e "${MAP_DEV}" ]; then
log_in "Checking dmsetup table for ${MAP_DEV}"
log_in "0042() : Checking dmsetup table for ${MAP_DEV}"
TOP_LINE="$(/usr/sbin/dmsetup table --showkeys "${MAP_DEV}" 2>/dev/null | awk 'NR==1{print; exit}')"
if printf '%s\n' "${TOP_LINE}" | grep -q ' crypt '; then
log_ok "Top layer is 'crypt'."
log_ok "0042() : Top layer is 'crypt'."
else
log_er "Top layer is NOT 'crypt'."
sleep 8
panic "[FATAL] Top layer is NOT 'crypt'."
log_er "0042() : Top layer is NOT 'crypt'."
#sleep 8
#panic "[FATAL] Top layer is NOT 'crypt'."
fi
if printf '%s\n' "${TOP_LINE}" | grep -Eq ' xts|aes-xts'; then
log_ok "Cipher looks like AES-XTS."
log_ok "0042() : Cipher looks like AES-XTS."
else
log_er "Cipher does not look like AES-XTS."
sleep 8
panic "[FATAL] Cipher does not look like AES-XTS."
log_er "0042() : Cipher does not look like AES-XTS."
#sleep 8
#panic "[FATAL] Cipher does not look like AES-XTS."
fi
@@ -165,12 +168,12 @@ esac
log_in "Checking underlying integrity target: ${CHILD_NAME}"
CHILD_TAB="$(/usr/sbin/dmsetup table --showkeys "${CHILD_NAME}" 2>/dev/null || true)"
printf '%s\n' "${CHILD_TAB}" | grep -q ' integrity ' || { log_er "Underlying layer is not 'integrity'"; }
printf '%s\n' "${CHILD_TAB}" | grep -qi 'hmac' || { log_er "Integrity target not using keyed MAC (hmac)"; }
printf '%s\n' "${CHILD_TAB}" | grep -qi 'sha512' || { log_er "Integrity algo not sha512"; }
printf '%s\n' "${CHILD_TAB}" | grep -Eq '\b4096\b' || { log_er "Expected 4096-byte sector size not found"; }
printf '%s\n' "${CHILD_TAB}" | grep -q ' integrity ' || { log_er "0042() : Underlying layer is not 'integrity'"; }
printf '%s\n' "${CHILD_TAB}" | grep -qi 'hmac' || { log_er "0042() : Integrity target not using keyed MAC (hmac)"; }
printf '%s\n' "${CHILD_TAB}" | grep -qi 'sha512' || { log_er "0042() : Integrity algo not sha512"; }
printf '%s\n' "${CHILD_TAB}" | grep -Eq '\b4096\b' || { log_er "0042() : Expected 4096-byte sector size not found"; }
log_ok "dm-crypt and dm-integrity(HMAC-SHA512, 4096B) chain looks healthy."
log_ok "0042() : dm-crypt and dm-integrity(HMAC-SHA512, 4096B) chain looks healthy."
fi

1
config/package-lists/live.list.common.chroot
View File

@@ -9,6 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
-ifupdown
adjtimex
age
apparmor

2
lib/lib_provider_netcup.sh
View File

@@ -61,6 +61,8 @@ DNSOverTLS=opportunistic
DNSSEC=yes
IPv6AcceptRA=no
LinkLocalAddressing=ipv6
LLMNR=no
MulticastDNS=no
[Address]
Address=${handler_netcup_ipv6_string}/128