msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.408.2025.11.13
All checks were successful
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m8s
Details
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m31s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-11-13 06:26:44 +01:00
parent a362db3d78
commit 5f370c2cdb
83 changed files with 1422 additions and 877 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
config/hooks/live/0001_initramfs_modules.chroot
View File

@@ -58,6 +58,7 @@ readonly -f grep_nic_driver_modules
# shellcheck disable=SC2155
declare nic_driver="$(grep_nic_driver_modules)" VAR_DATE="$(date +%F)"
cat << EOF >| /etc/initramfs-tools/modules
# SPDX-Version: 3.0
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>

63
config/hooks/live/0002_hardening_overlay_tmpfs.chroot Normal file
View File

@@ -0,0 +1,63 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
VAR_DATE="$(date +%F)"
cat << EOF >| /etc/systemd/system/ciss-remount-root.service
# SPDX-Version: 3.0
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
[Unit]
Description=Remount overlay root with nosuid,nodev
DefaultDependencies=no
After=local-fs.target
Before=basic.target
[Service]
Type=oneshot
ExecStart=/bin/mount -o remount,nosuid,nodev /
[Install]
WantedBy=sysinit.target
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
mkdir -p /etc/systemd/system/tmp.mount.d
cat << EOF >| /etc/systemd/system/tmp.mount.d/override.conf
[Mount]
Options=mode=1777,strictatime,nosuid,nodev,noexec,size=1%
EOF
mkdir -p /etc/systemd/system/dev-shm.mount.d
cat << EOF >| /etc/systemd/system/dev-shm.mount.d/override.conf
[Mount]
Options=mode=1777,nosuid,nodev,noexec,size=25%
EOF
systemctl enable ciss-remount-root.service
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

9
config/hooks/live/0021_dropbear_initramfs.chroot
View File

@@ -19,21 +19,22 @@ declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
apt-get install -y --no-install-recommends --no-install-suggests dropbear-initramfs dropbear-bin 2>&1 | tee -a "${var_logfile}"
apt-get install -y --no-install-recommends --no-install-suggests cryptsetup-initramfs dropbear-initramfs dropbear-bin 2>&1 | tee -a "${var_logfile}"
apt-get purge -y dropbear 2>&1 | tee -a "${var_logfile}" || true
apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a "${var_logfile}"
apt-mark hold dropbear dropbear-initramfs 2>&1 | tee -a "${var_logfile}"
mv /usr/share/initramfs-tools/scripts/init-premount/dropbear /usr/share/initramfs-tools/scripts/init-premount/dropbear.trixie
mkdir -p /root/.ciss/cdlb/backup/usr/share/initramfs-tools/scripts/init-premount
mv /usr/share/initramfs-tools/scripts/init-premount/dropbear /root/.ciss/cdlb/backup/usr/share/initramfs-tools/scripts/init-premount/dropbear.trixie
install -m 0755 -o root -g root /root/dropbear.file /usr/share/initramfs-tools/scripts/init-premount/dropbear
rm -f /root/dropbear.file
mv /usr/sbin/dropbear /usr/sbin/dropbear.trixie
mv /usr/sbin/dropbear /root/.ciss/cdlb/backup/usr/sbin/dropbear.trixie
install -m 0755 -o root -g root /root/build/dropbear-2025.88/dropbear /usr/sbin/
for var_file in dbclient dropbearconvert dropbearkey; do
mv "/usr/bin/${var_file}" "/usr/bin/${var_file}.trixie"
mv "/usr/bin/${var_file}" "/root/.ciss/cdlb/backup/usr/bin/${var_file}.trixie"
install -m 0755 -o root -g root "/root/build/dropbear-2025.88/${var_file}" /usr/bin/
done

209
config/hooks/live/0100_ciss_mem_wipe.chroot Normal file
View File

@@ -0,0 +1,209 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
apt-get install -y --no-install-recommends kexec-tools busybox-static
install -d -m 0755 /boot/ciss-memwipe
install -d -m 0755 /usr/local/sbin
install -d -m 0755 /etc/systemd/system
install -d -m 0755 /etc/default
### Pick a kernel to kexec into: use the latest installed vmlinuz. -------------------------------------------------------------
# shellcheck disable=SC2012,SC2155
declare _kernel="$(cd /boot && ls -1 vmlinuz-* | sed 's|vmlinuz-||' | sort -V | tail -n1)"
cp -f "/boot/vmlinuz-${_kernel}" /boot/ciss-memwipe/vmlinuz
### Build minimal initramfs with a busybox and a tiny '/init'. -----------------------------------------------------------------
declare TMPDIR; TMPDIR="$(mktemp -d)"
trap 'rm -rf "${TMPDIR}"' EXIT
mkdir -p "${TMPDIR}"/{bin,dev,proc,sys,wipe}
cp -f /bin/busybox.static "${TMPDIR}/bin/busybox"
cat << 'EOF' >| "${TMPDIR}/init"
#!/bin/busybox sh
### Minimal init to wipe RAM, then power off.
### Parses cmdline: ciss_wipe_passes=2 ciss_wipe_mode=zero+random ciss_dd_bs=64M ciss_tmpfs_pct=95
set -eu
get_arg() { # $1=key ; echoes value or empty
for tok in $(cat /proc/cmdline); do
case "${tok}" in
$1=*) echo "${tok#*=}"; return 0;;
esac
done
echo ""
}
mount -t devtmpfs devtmpfs /dev 2>/dev/null || true
[ -e /dev/console ] || mknod -m 600 /dev/console c 5 1
[ -e /dev/null ] || mknod -m 666 /dev/null c 1 3
[ -e /dev/urandom ] || mknod -m 444 /dev/urandom c 1 9
mount -t proc proc /proc
mount -t sysfs sysfs /sys
PASSES="$(get_arg ciss_wipe_passes)"; [ -n "${PASSES}" ] || PASSES=2
MODE="$(get_arg ciss_wipe_mode)"; [ -n "${MODE}" ] || MODE="zero+random"
BS="$(get_arg ciss_dd_bs)"; [ -n "${BS}" ] || BS=64M
PCT="$(get_arg ciss_tmpfs_pct)"; [ -n "${PCT}" ] || PCT=95
echo 1 > /proc/sys/kernel/printk 2>/dev/null || true
MEM_KB="$(awk '/MemTotal:/ {print $2}' /proc/meminfo)"
SIZE_KB=$(( MEM_KB * PCT / 100 ))
mount -t tmpfs -o "size=${SIZE_KB}k,nodev,nosuid,noexec,mode=0700" tmpfs /wipe
wipe_pass() {
pattern="$1"
if [ "${pattern}" = "zero" ]; then
src="/dev/zero"
else
src="/dev/urandom"
fi
i=0
while :; do
busybox dd if="${src}" of="/wipe/block_${i}" bs="${BS}" status=none || break
i=$((i+1))
done
sync
echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
rm -f /wipe/block_* 2>/dev/null || true
sync
}
DO_ZERO=0; DO_RANDOM=0
case "${MODE}" in
zero) DO_ZERO=1 ;;
random) DO_RANDOM=1 ;;
zero+random|random+zero) DO_ZERO=1; DO_RANDOM=1 ;;
*) DO_ZERO=1 ;;
esac
p=1
while [ ${p} -le "${PASSES}" ]; do
[ ${DO_ZERO} -eq 1 ] && wipe_pass zero
[ ${DO_RANDOM} -eq 1 ] && wipe_pass random
p=$((p+1))
done
sync
busybox poweroff -f || echo o >| /proc/sysrq-trigger
EOF
chmod +x "${TMPDIR}/init"
( cd "${TMPDIR}" && find . -print0 | cpio --null -ov --format=newc ) | gzip -9 > /boot/ciss-memwipe/initrd.img
cat << 'EOF' >| /etc/default/ciss-memwipe
### CISS Memory Wipe defaults
CISS_WIPE_PASSES=2 # number of passes
CISS_WIPE_MODE="zero+random" # zero | random | zero+random
CISS_WIPE_DD_BS="64M" # dd block size
CISS_WIPE_TMPFS_PCT=95 # percentage of MemTotal to allocate
EOF
cat << 'EOF' >| /usr/local/sbin/ciss-memwipe
#!/bin/bash
# Prepare and execute kexec-based memory wipe.
set -euo pipefail
. /etc/default/ciss-memwipe || true
KERNEL="/boot/ciss-memwipe/vmlinuz"
INITRD="/boot/ciss-memwipe/initrd.img"
append_common="quiet loglevel=1 ciss_wipe_passes=${CISS_WIPE_PASSES:-2} ciss_wipe_mode=${CISS_WIPE_MODE:-zero+random} ciss_dd_bs=${CISS_WIPE_DD_BS:-64M} ciss_tmpfs_pct=${CISS_WIPE_TMPFS_PCT:-95}"
prepare() {
# Try to allow kexec if not locked down
if [ -w /proc/sys/kernel/kexec_load_disabled ] && [ "$(cat /proc/sys/kernel/kexec_load_disabled)" = "1" ]; then
echo 0 > /proc/sys/kernel/kexec_load_disabled || true
fi
# Load wipe kernel
if command -v kexec >/dev/null 2>&1 && [ -s "${KERNEL}" ] && [ -s "${INITRD}" ]; then
kexec -l "${KERNEL}" --initrd="${INITRD}" --append="${append_common}" || true
fi
}
fallback_inplace() {
# Last-resort: wipe in-place via tmpfs and then power off
mount -t tmpfs -o "size=95%,nodev,nosuid,noexec,mode=0700" tmpfs /run/wipe 2>/dev/null || mkdir -p /run/wipe
i=0
while :; do
dd if=/dev/zero of="/run/wipe/blk_${i}" bs="${CISS_WIPE_DD_BS:-64M}" status=none || break
i=$((i+1))
done
sync; echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
rm -f /run/wipe/blk_* 2>/dev/null || true
sync
systemctl poweroff -f || poweroff -f || echo o > /proc/sysrq-trigger
}
execute() {
sync; echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
# Prefer systemd's path if possible
if command -v systemctl >/dev/null 2>&1 && systemctl --quiet is-system-running; then
# If kexec image was loaded, systemctl kexec will use it
systemctl kexec || kexec -e || fallback_inplace
else
kexec -e || fallback_inplace
fi
}
case "${1:-}" in
prepare) prepare ;;
execute) execute ;;
*) echo "Usage: $0 {prepare|execute}" >&2; exit 2 ;;
esac
EOF
chmod 0755 /usr/local/sbin/ciss-memwipe
### Systemd service: load at boot, execute on shutdown
cat << 'EOF' >| /etc/systemd/system/ciss-memwipe.service
[Unit]
Description=CISS: preload and execute kexec-based RAM wipe on shutdown
DefaultDependencies=no
# Ensure we run late enough on shutdown, but early enough to take over
Before=shutdown.target
After=local-fs.target network.target multi-user.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/ciss-memwipe prepare
# ExecStop runs during shutdown: jump into wipe kernel
ExecStop=/usr/local/sbin/ciss-memwipe execute
TimeoutStartSec=20s
TimeoutStopSec=infinity
[Install]
WantedBy=multi-user.target
EOF
systemctl enable ciss-memwipe.service
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

7
config/hooks/live/9999_zzzz.chroot
View File

@@ -18,9 +18,14 @@ declare var_dm="" var_unit_dir="" var_link="/etc/systemd/system/default.target"
### Remove CDLB artifacts ------------------------------------------------------------------------------------------------------
rm -f /root/ciss_xdg_tmp.sh
rm -fr /root/build
find / -xdev \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune -o -type f -name '.keep' -exec rm -f -- {} +
### Securing '/.ciss' ----------------------------------------------------------------------------------------------------------
find /.ciss -type d -exec chmod 0700 {} +
find /.ciss -type f -exec chmod 0440 {} +
### Securing '/etc/ciss/keys' --------------------------------------------------------------------------------------------------
find /etc/ciss/keys -type f -exec chmod 0444 {} +
find /etc/ciss/keys -type f -exec chmod 0440 {} +
### Regenerate the initramfs for the live system kernel ------------------------------------------------------------------------
update-initramfs -u -k all -v

2
config/hooks/live/zzzz_luks_squash.hook.binary → config/hooks/live/zzzz_ciss_crypt_squash.hook.binary
View File

@@ -60,7 +60,7 @@ readonly -f preallocate
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
declare ROOTFS="${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs"
declare LUKSFS="${VAR_HANDLER_BUILD_DIR}/binary/live/rootfs.crypt"
declare LUKSFS="${VAR_HANDLER_BUILD_DIR}/binary/live/ciss_rootfs.crypt"
declare KEYFD=""
# shellcheck disable=SC2155

10
config/includes.chroot/.ciss/.keep Normal file
View File

@@ -0,0 +1,10 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

10
config/includes.chroot/.ciss/attestation/.keep Normal file
View File

@@ -0,0 +1,10 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

10
config/includes.chroot/etc/ciss/.keep Normal file
View File

@@ -0,0 +1,10 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

10
config/includes.chroot/etc/initramfs-tools/.keep Normal file
View File

@@ -0,0 +1,10 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

15
config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
View File

@@ -1,22 +1,27 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: unlock_wrapper.sh to be executed as 'dropbear-initramfs' SSH forced command.
# shellcheck disable=SC2034
set -Ceu -o pipefail -o ignoreeof
shopt -s failglob
shopt -s lastpipe
shopt -u nullglob
umask 0077
export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"
declare -g PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"
### Will be replaced at build time:
declare -gr CDLB_DB_EXP_FPR="@EXP_FPR@"
declare -gr CDLB_DB_EXP_CA_FPR="@EXP_CA_FPR@"
#######################################
# Variable declaration
@@ -383,7 +388,7 @@ verify_script() {
color_echo "${MAG}" "🔏 Verifying signature of: [${hashfile}]"
if ! gpgv --keyring /etc/ciss/keys/unlock_wrapper_pubring.gpg "${sigfile}" "${hashfile}"; then
if ! gpgv --keyring /etc/ciss/keys/"${sigfile}".gpg "${sigfile}" "${hashfile}"; then
color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]"
color_echo "${RED}" "✘ System Power Off in 3 seconds."

6
config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper_signer.sh
View File

@@ -1,13 +1,13 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: unlock_wrapper_signer.sh for signing unlock_wrapper.sh

2
config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh
View File

@@ -3,7 +3,7 @@
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>

11
config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
View File

@@ -3,7 +3,7 @@
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -47,8 +47,13 @@ printf "\e[92mSuccessfully executed: [copy_exec /usr/sbin/blkid /usr/sbin/blkid]
### Include 'busybox' ----------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/busybox /usr/busybox
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/busybox /usr/busybox] \n\e[0m"
copy_exec /usr/bin/busybox /usr/bin/busybox
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/busybox /usr/bin/busybox] \n\e[0m"
### Include 'dmsetup' ----------------------------------------------------------------------------------------------------------
copy_exec /usr/sbin/dmsetup /usr/sbin/dmsetup
printf "\e[92mSuccessfully executed: [copy_exec /usr/sbin/dmsetup /usr/sbin/dmsetup] \n\e[0m"
### Include GNU coreutils 'sort' (has -V) --------------------------------------------------------------------------------------

2
config/includes.chroot/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
View File

@@ -3,7 +3,7 @@
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>

2
config/includes.chroot/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
View File

@@ -3,7 +3,7 @@
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>

2
config/includes.chroot/etc/ssh/ssh_known_hosts
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.404.2025.11.10
# Version Master V8.13.408.2025.11.13
[git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
[git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==

2
config/includes.chroot/etc/ssh/sshd_config
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.404.2025.11.10
# Version Master V8.13.408.2025.11.13
### https://www.ssh-audit.com/
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig

6
config/includes.chroot/etc/sysctl.d/99_local.hardened
View File

@@ -11,7 +11,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.404.2025.11.10
# Version Master V8.13.408.2025.11.13
### https://docs.kernel.org/
### https://github.com/a13xp0p0v/kernel-hardening-checker/
@@ -184,13 +184,13 @@ vm.mmap_rnd_compat_bits=16
# settings.
###########################################################################################
fs.suid_dumpable=0
kernel.core_pattern= | /bin/false
kernel.core_pattern=|/bin/false
### Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
#user.max_user_namespaces=0
###########################################################################################
# Reboot after even 1 WARN or BUG/Oops. Adjust for your tolerances. (Since v6.2)
# Reboot after even 1 WARN or BUG/Oops. Adjust for your tolerances. (From v6.2)
# If you want to set oops_limit greater than one, you will need to disable
# CONFIG_PANIC_ON_OOPS.
###########################################################################################

10
config/includes.chroot/etc/systemd/.keep Normal file
View File

@@ -0,0 +1,10 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

10
config/includes.chroot/etc/systemd/system/.keep Normal file
View File

@@ -0,0 +1,10 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

2
config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
View File

@@ -10,7 +10,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
declare -gr VERSION="Master V8.13.404.2025.11.10"
declare -gr VERSION="Master V8.13.408.2025.11.13"
### VERY EARLY CHECK FOR DEBUGGING
if [[ $* == *" --debug "* ]]; then

2
config/includes.chroot/preseed/preseed.cfg
View File

@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
# Please consider donating to my work at: https://coresecret.eu/spenden/
###########################################################################################
# Written by: ./preseed_hash_generator.sh Version: Master V8.13.404.2025.11.10 at: 10:18:37.9542
# Written by: ./preseed_hash_generator.sh Version: Master V8.13.408.2025.11.13 at: 10:18:37.9542

60
config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh Normal file
View File

@@ -0,0 +1,60 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck disable=SC2249
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Purpose: Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
# Phase : premount (executed by live-boot inside the initramfs).
set -eu
### Phase gate: run only in the intended live-boot phase -----------------------------------------------------------------------
PHASE="${1:-}"
case "${PHASE}" in
premount)
;; ### Continue.
*)
exit 0 ### Do nothing in other phases.
;;
esac
printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh] ... \n\e[0m"
### Declare variables ----------------------------------------------------------------------------------------------------------
OVERLAY_BASE="/run/live/overlay"
UPPER="${OVERLAY_BASE}/upper"
WORK="${OVERLAY_BASE}/work"
### Size policy: hard ceiling to mitigate RAM-filling DoS; tune to your ISO profile.
: "${CDLB_OVERLAY_TMPFS_SIZE:=70%}"
### Create a base dir with restrictive perms.
# shellcheck disable=SC2174
mkdir -p -m 0700 "${OVERLAY_BASE}"
### Mount dedicated tmpfs with strict flags; 'noexec' here blocks accidental execs from the raw tmpfs path.
mount -t tmpfs -o "size=${CDLB_OVERLAY_TMPFS_SIZE},mode=0700,nosuid,nodev,noexec" tmpfs "${OVERLAY_BASE}"
# Prepare upper/work with tight perms.
# shellcheck disable=SC2174
mkdir -p -m 0700 "${UPPER}" "${WORK}"
printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh] \n\e[0m"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

170
config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash Normal file
View File

@@ -0,0 +1,170 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck disable=SC2249
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Purpose: Open /live/ciss_rootfs.crypt (LUKS) and present its SquashFS as /run/live/rootfs
# Phase : premount (executed by live-boot inside the initramfs)
set -eu
### Phase gate: run only in the intended live-boot phase -----------------------------------------------------------------------
PHASE="${1:-}"
case "${PHASE}" in
premount)
;; ### Continue.
*)
exit 0 ### Do nothing in other phases.
;;
esac
printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0024-ciss-crypt-squash] ... \n\e[0m"
#######################################
# Premount logging helper.
# Globals:
# None
# Arguments:
# *: String to log.
#######################################
log() {
msg="$*"
if [ -w /dev/kmsg ]; then
printf '<6>%s: %s\n' '0024-ciss-crypt-squash' "${msg}" > /dev/kmsg
else
printf '%s: %s\n' '0024-ciss-crypt-squash' "${msg}"
fi
}
### Declare variables ----------------------------------------------------------------------------------------------------------
CDLB_LUKS_FS="/live/ciss_rootfs.crypt"
CDLB_ISO_LABEL="CISS.debian.live"
MNT_MEDIUM="/run/live/medium"
MNT_ROOTFS="/run/live/rootfs"
_PARAMETER=""
_dev=""
for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
case "${_PARAMETER}" in
ciss_crypt_path=*) CDLB_LUKS_FS="${_PARAMETER#ciss_crypt_path=}";;
ciss_iso_label=* ) CDLB_ISO_LABEL="${_PARAMETER#ciss_iso_label=}";;
esac
done
mkdir -p "${MNT_MEDIUM}" "${MNT_ROOTFS}"
### Mount the live medium (ISO) read-only, unless already mounted --------------------------------------------------------------
if ! mountpoint -q "${MNT_MEDIUM}"; then
if [ -n "${CDLB_ISO_LABEL}" ] && [ -e "/dev/disk/by-label/${CDLB_ISO_LABEL}" ]; then
mount -r -t iso9660 "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${MNT_MEDIUM}" 2>/dev/null \
|| mount -r -t udf "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${MNT_MEDIUM}" 2>/dev/null \
|| log "could not mount label=${CDLB_ISO_LABEL} (iso9660/udf)"
fi
fi
if ! mountpoint -q "${MNT_MEDIUM}"; then
### Fallback scan (covers SR drives and loop-mounted ISOs that udev exposed).
for _dev in /dev/sr* /dev/cdrom /dev/disk/by-label/*; do
### Skip non-block entries early.
[ -b "${_dev}" ] || continue
### Try ISO9660 first, then UDF; only unmount on failure
if mount -r -t iso9660 "${_dev}" "${MNT_MEDIUM}" 2>/dev/null \
|| mount -r -t udf "${_dev}" "${MNT_MEDIUM}" 2>/dev/null
then
mountpoint -q "${MNT_MEDIUM}" 2>/dev/null && break
else
umount "${MNT_MEDIUM}" 2>/dev/null || true
fi
done
fi
if ! mountpoint -q "${MNT_MEDIUM}"; then
log "no live medium mounted defer to default live-boot path"
exit 0
fi
### Locate the encrypted root container on the medium. -------------------------------------------------------------------------
if [ ! -f "${MNT_MEDIUM}/${CDLB_LUKS_FS}" ]; then
log "encrypted root not found at ${MNT_MEDIUM}/${CDLB_LUKS_FS}"
exit 0
fi
### Create/read FIFO compatible with cryptsetup-initramfs (if present). This allows 'cryptroot-unlock' to feed the passphrase
### over SSH (dropbear).
mkdir -p /lib/cryptsetup
[ -p /lib/cryptsetup/passfifo ] || mkfifo /lib/cryptsetup/passfifo
### Attach a loop device read-only to the encrypted file. ----------------------------------------------------------------------
LOOP="$(losetup -f --show -r "${MNT_MEDIUM}/${CDLB_LUKS_FS}")" || { log "losetup failed"; exit 42; }
### Try to open the LUKS container, first via FIFO (SSH unlock), then interactively. -------------------------------------------
attempts=0
while true; do
attempts=$((attempts+1))
echo "Unlock '${CDLB_LUKS_FS}' (try ${attempts}): use 'cryptroot-unlock' over SSH or enter on console" >/dev/console 2>/dev/null || true
## Non-blocking read from FIFO (Dropbear and cryptroot-unlock path).
if timeout 5 cat /lib/cryptsetup/passfifo | cryptsetup open --type luks --readonly "${LOOP}" crypt_liveiso --key-file - 2>/dev/null; then
break
fi
### Interactive fallback on the console.
if cryptsetup open --type luks --readonly "${LOOP}" crypt_liveiso; then
break
fi
done
### Mount the decrypted payload as SquashFS under '/run/live/rootfs'. ----------------------------------------------------------
mount -r -t squashfs /dev/mapper/crypt_liveiso "${MNT_ROOTFS}" || { log "mount squashfs failed"; exit 1; }
### Ensure live-boot keeps using our medium (bind-mount for consistency). ------------------------------------------------------
mount --bind "${MNT_MEDIUM}" "${MNT_MEDIUM}" 2>/dev/null || true
log "encrypted squashfs is mounted at ${MNT_ROOTFS} (device=/dev/mapper/crypt_liveiso)"
printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0024-ciss-crypt-squash] \n\e[0m"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

50
config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl.sh Normal file
View File

@@ -0,0 +1,50 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck disable=SC2249
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Purpose: Enforce early sysctls before services start.
# Phase : premount (executed by live-boot inside the initramfs).
set -eu
### Phase gate: run only in the intended live-boot phase -----------------------------------------------------------------------
PHASE="${1:-}"
case "${PHASE}" in
premount)
;; ### Continue.
*)
exit 0 ### Do nothing in other phases.
;;
esac
printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] ... \n\e[0m"
echo 2 > /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true
echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || true
echo 0 > /proc/sys/fs/suid_dumpable 2>/dev/null || true
echo 1 > /proc/sys/kernel/kexec_load_disabled 2>/dev/null || true
echo 1 > /proc/sys/fs/protected_symlinks 2>/dev/null || true
echo 1 > /proc/sys/fs/protected_hardlinks 2>/dev/null || true
echo 2 > /proc/sys/fs/protected_regular 2>/dev/null || true
echo 2 > /proc/sys/kernel/kptr_restrict 2>/dev/null || true
printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] \n\e[0m"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

166
config/includes.chroot/usr/lib/live/boot/0030-verify-checksums → config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums
View File

@@ -4,7 +4,7 @@
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -15,11 +15,11 @@
# SPDX-Security-Contact: security@coresecret.eu
### Modified Version of the original file:
### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
### https://salsa.debian.org/live-team/live-boot 'components/0030-ciss-verify-checksums'
### In case of successful verification of the offered checksum, proceed with booting; otherwise panic.
#######################################
# Modified checksum-integrity and authenticity-verification-script for continuing the boot process.
# Modified checksum-integrity and authenticity-verification-script depending on pinned GPG FPR for boot process verification.
# Globals:
# LIVE_BOOT_CMDLINE
# _TTY
@@ -29,9 +29,43 @@
# 0 : Successful verification
#######################################
Verify_checksums() {
printf "\e[95m[INFO] CDLB modified: [/usr/lib/live/boot/0030-verify-checksums] ... \n\e[0m"
printf "\e[95m[INFO] CDLB modified: [/usr/lib/live/boot/0030-ciss-verify-checksums] ... \n\e[0m"
### Declare variables --------------------------------------------------------------------------------------------------------
### Will be replaced at build time:
export CDLB_EXP_FPR="@EXP_FPR@"
export CDLB_EXP_CA_FPR="@EXP_CA_FPR@"
### Declare functions --------------------------------------------------------------------------------------------------------
#######################################
# Helper for colored text output on stdout.
# Globals:
# None
# Arguments:
# *: String to print
#######################################
log_in() { printf '\e[95m[INFO] %s \n\e[0m' "$*"; }
#######################################
# Helper for colored text output on stdout.
# Globals:
# None
# Arguments:
# *: String to print
#######################################
log_ok() { printf '\e[92m[INFO] %s \n\e[0m' "$*"; }
#######################################
# Helper for colored text output on stdout.
# Globals:
# None
# Arguments:
# *: String to print
#######################################
log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }
_MOUNTPOINT="${1}"
_PARAMETER=""
@@ -71,19 +105,6 @@ Verify_checksums() {
done
### Check GPG pubkey file correct path ---------------------------------------------------------------------------------------
for _MP in /lib/live/mount/medium /run/live/medium /cdrom /; do
if [ -e "${_MP}/0030-verify-checksums.gpg" ]; then
_KEYFILE="${_MP}/0030-verify-checksums.gpg"
break
fi
done
### Check if the function should be skipped ----------------------------------------------------------------------------------
case "${LIVE_VERIFY_CHECKSUMS}" in
@@ -97,13 +118,33 @@ Verify_checksums() {
esac
### Check GPG pubkey file correct path ---------------------------------------------------------------------------------------
for _MP in /lib/live/mount/medium /run/live/medium /cdrom /; do
if [ -e "${_MP}/${CDLB_EXP_FPR}.gpg" ]; then
_KEYFILE="${_MP}/${CDLB_EXP_FPR}.gpg"
if [ -e "${_MP}/${CDLB_EXP_CA_FPR}.gpg" ]; then
_CA_KEYFILE="${_MP}/${CDLB_EXP_CA_FPR}.gpg"
fi
break
fi
done
# shellcheck disable=SC2164
cd "${_MOUNTPOINT}"
### CDLB verification of script integrity itself -----------------------------------------------------------------------------
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
log_begin_msg "Verifying integrity of: [0030-verify-checksums]"
log_begin_msg "Verifying integrity of: [0030-ciss-verify-checksums]"
printf "\n"
_CAND=""
@@ -112,7 +153,7 @@ Verify_checksums() {
CDLB_CMD="/usr/bin/sha512sum"
CDLB_SHA="sha512"
for _CAND in /scripts/live-bottom/0030-verify-checksums /usr/lib/live/boot/0030-verify-checksums; do
for _CAND in /scripts/live-bottom/0030-ciss-verify-checksums /usr/lib/live/boot/0030-ciss-verify-checksums; do
[ -e "${_CAND}" ] && { CDLB_SCRIPT_SELF="${_CAND}"; break; }
@@ -124,38 +165,54 @@ Verify_checksums() {
CDLB_HASHFILE="${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt"
CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
_STATUS="$(/usr/bin/gpgv --no-default-keyring --keyring "${_KEYFILE}" --status-fd 1 --verify "${CDLB_SIG_FILE}" "${CDLB_SCRIPT_FULL}" 2>/dev/null)"
printf "\e[95m[INFO] Verifying integrity of: [%s] ... \n\e[0m" "${CDLB_SCRIPT_FULL}"
_CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"
printf "\e[95m[INFO] Verifying signature of: [%s] ... \n\e[0m" "${CDLB_SIG_FILE}"
### Compare against pinned and expected fingerprint.
if [ "${_CDLB_SIG_FILE_FPR}" = "${CDLB_EXP_FPR}" ]; then
if ! /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
printf "\e[91m[FATAL] Verifying signature of: [%s] failed. \n\e[0m" "${CDLB_SIG_FILE}"
sleep 16
panic "[FATAL] Verifying signature of: [${CDLB_SIG_FILE}] failed."
log_ok "Signature FPR valid: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
else
printf "\e[92m[INFO] Verifying signature of: [%s] successful. \n\e[0m" "${CDLB_SIG_FILE}"
log_er "Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
sleep 8
panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
fi
printf "\e[95m[INFO] Recomputing hash for: [%s] ... \n\e[0m" "${CDLB_SHA}"
### Script self-integrity and authenticity checks --------------------------------------------------------------------------
### Assumption: initramfs itself is not altered.
log_in "Verifying signature of: [${CDLB_SIG_FILE}] ..."
if ! /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
log_er "Verifying signature of: [${CDLB_SIG_FILE}] failed."
sleep 8
panic "[FATAL] Verifying signature of: [${CDLB_SIG_FILE}] failed."
else
log_ok "Verifying signature of: [${CDLB_SIG_FILE}] successful."
fi
log_in "Recomputing hash for: [${CDLB_SHA}] ..."
CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT_FULL}" | { read -r first _ || exit 1; printf '%s\n' "${first}"; })
IFS=' ' read -r CDLB_EXPECTED _ < "${CDLB_HASHFILE}"
if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then
printf "\e[91m[FATAL] Recomputing hash for: [%s] failed. \n\e[0m" "${CDLB_SHA}"
sleep 16
panic "[FATAL] Recomputing hash for: [${CDLB_SHA}] failed."
log_er "Recomputing hash for: [${CDLB_SHA}] failed."
sleep 8
panic "[FATAL] Recomputing hash for: [${CDLB_SHA}] failed."
fi
printf "\e[92m[INFO] Recomputing hash for: [%s] successful. \n\e[0m" "${CDLB_SHA}"
printf "\e[92m[INFO] Verification of authenticity and integrity of [%s] successfully completed. \n\e[0m" "${CDLB_SCRIPT_FULL}"
log_ok "Recomputing hash for: [${CDLB_SHA}] successful."
log_ok "Verification of authenticity and integrity of [${CDLB_SCRIPT_FULL}] successfully completed."
log_end_msg
printf "\n"
@@ -164,7 +221,7 @@ Verify_checksums() {
### Checksum and checksum signature verification -----------------------------------------------------------------------------
log_begin_msg "Verifying checksums"
printf "\n"
printf "\e[95m[INFO] Verifying checksums ... \n\e[0m"
log_in "Verifying checksums ..."
# shellcheck disable=SC2001
for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
@@ -176,27 +233,27 @@ Verify_checksums() {
if [ -e "${_CHECKSUM}" ]; then
printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "${_CHECKSUM}"
log_in "Found: [${_CHECKSUM}] ..."
if [ -e "/usr/bin/${_DIGEST}sum" ]; then
printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "/usr/bin/${_DIGEST}sum"
log_in "Found: [/usr/bin/${_DIGEST}sum] ..."
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
printf "\e[95m[INFO] Checking signature of: [%s] ... \n\e[0m" "${_CHECKSUM}"
log_in "Checking signature of: [${_CHECKSUM}] ..."
_CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"
if /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"; then
_RETURN_PGP="${?}"
printf "\e[92m[INFO] Checking signature of: [%s] successful. \n\e[0m" "${_CHECKSUM}"
log_in "Checking signature of: [${_CHECKSUM}] successful."
else
_RETURN_PGP="${?}"
printf "\e[91m[FATAL] Checking signature of: [%s] failed. \n\e[0m" "${_CHECKSUM}"
log_er "Checking signature of: [${_CHECKSUM}] failed."
fi
@@ -210,12 +267,12 @@ Verify_checksums() {
if grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_TTY}"; then
_RETURN_SHA="${?}"
printf "\e[92m[INFO] Found: [%s] successful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"
log_ok "Found: [/usr/bin/${_DIGEST}sum] successful verified: [${_CHECKSUM}]"
else
_RETURN_SHA="${?}"
printf "\e[91m[FATAL] Found: [%s] unsuccessful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"
log_er "Found: [/usr/bin/${_DIGEST}sum] unsuccessful verified: [${_CHECKSUM}]"
fi
@@ -225,7 +282,7 @@ Verify_checksums() {
else
_RETURN_SHA="255"
printf "\e[93m[WARN] NOT Found [%s]. \n\e[0m" "/usr/bin/${_DIGEST}sum"
log_er "NOT Found [/usr/bin/${_DIGEST}sum]."
fi
@@ -241,40 +298,35 @@ Verify_checksums() {
case "${_RETURN_PGP},${_RETURN_SHA}" in
"0,0")
printf "\e[92m[INFO] Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds. \n\e[0m"
printf "\e[92m[INFO] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
sleep 8
log_ok "Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds."
log_success_msg "Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds."
sleep 8
return 0
;;
"na,0")
printf "\e[92m[INFO] Verification of [sha checksum] file successful; continuing booting in 8 seconds. \n\e[0m"
printf "\e[92m[INFO] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
sleep 8
log_ok "Verification of [sha checksum] file successful; continuing booting in 8 seconds."
log_success_msg "Verification of [sha checksum] file successful; continuing booting in 8 seconds."
sleep 8
return 0
;;
"0,"*)
printf "\e[91m[FATAL] Verification of [GPG signature] file successful, while verification of [sha checksum] file failed. \n\e[0m"
printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
log_er "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed."
sleep 8
panic "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed."
panic "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed."
;;
*",0")
printf "\e[91m[FATAL] Verification of [GPG signature] file failed, while verification of [sha checksum] file successful. \n\e[0m"
printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
log_er "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful."
sleep 8
panic "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful."
panic "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful."
;;
"na,"*)
printf "\e[91m[FATAL] Verification of [sha checksum] file failed. \n\e[0m"
printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
log_er "Verification of [sha checksum] file failed."
sleep 8
panic "Verification of checksum file failed."
panic "Verification of [sha checksum] file failed."
;;
esac

194
config/includes.chroot/usr/lib/live/boot/0042-ciss-post-decrypt-attest Normal file
View File

@@ -0,0 +1,194 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck disable=SC2249
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Purpose: Late rootfs attestation and dmsetup health checking.
# Phase : bottom (executed by live-boot inside the initramfs).
set -eu
### Phase gate: run only in the intended live-boot phase -----------------------------------------------------------------------
PHASE="${1:-}"
case "${PHASE}" in
bottom)
;; ### Continue.
*)
exit 0 ### Do nothing in other phases.
;;
esac
printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0042-ciss-post-decrypt-attest] ... \n\e[0m"
### Declare variables ----------------------------------------------------------------------------------------------------------
### Will be replaced at build time:
export CDLB_EXP_FPR="@EXP_FPR@"
export CDLB_EXP_CA_FPR="@EXP_CA_FPR@"
### Name of the top-level dm-crypt mapping (e.g., cryptsetup --label): zzzz_ciss_crypt_squash.hook.binary ----------------------
CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-ciss_rootfs.crypt}"
### Attestation file locations inside decrypted rootfs. ------------------------------------------------------------------------
CDLB_ATTEST_FPR_SHA="${CDLB_ATTEST_FPR_SHA:-/.ciss/attest/${CDLB_EXP_FPR}.sha512sum.txt}"
CDLB_ATTEST_FPR_SIG="${CDLB_ATTEST_FPR_SIG:-/.ciss/attest/${CDLB_EXP_FPR}.sha512sum.txt.sig}"
CDLB_KEY_DIR="${CDLB_KEY_DIR:-/etc/ciss/keys}"
### Declare functions ----------------------------------------------------------------------------------------------------------
#######################################
# Helper for colored text output on stdout.
# Globals:
# None
# Arguments:
# *: String to print
#######################################
log_in() { printf '\e[95m[INFO] %s \n\e[0m' "$*"; }
#######################################
# Helper for colored text output on stdout.
# Globals:
# None
# Arguments:
# *: String to print
#######################################
log_ok() { printf '\e[92m[INFO] %s \n\e[0m' "$*"; }
#######################################
# Helper for colored text output on stdout.
# Globals:
# None
# Arguments:
# *: String to print
#######################################
log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }
### Locate decrypted rootfs mount ----------------------------------------------------------------------------------------------
_mp=""
ROOTMP=""
for _mp in /run/live/rootfs /run/live/rootfs.squashfs /run/live/overlay /root ; do
if [ -d "${_mp}" ] && [ -e "${_mp}/etc" ]; then ROOTMP="${_mp}"; break; fi
done
if [ -z "${ROOTMP}" ]; then
log_er "No decrypted rootfs mount found."
sleep 8
# TODO: Remove debug mode
# panic "[FATAL] No decrypted rootfs mount found."
fi
log_ok "Decrypted rootfs at: [${ROOTMP}]"
HASH_FILE="${ROOTMP}${CDLB_ATTEST_FPR_SHA}"
SIGN_FILE="${ROOTMP}${CDLB_ATTEST_FPR_SIG}"
KEYFILE="${ROOTMP}${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg"
[ -n "${KEYFILE}" ] || { log_er "No public key found under: [${ROOTMP}${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"; exit 42; }
[ -s "${HASH_FILE}" ] || { log_er "Attestation data missing: [${HASH_FILE}]"; exit 42; }
[ -s "${SIGN_FILE}" ] || { log_er "Attestation signature missing: [${SIGN_FILE}]"; exit 42; }
log_in "Verifying rootfs attestation with 'gpgv' and inside LUKS encrypted rootfs pinned GPG FPR."
_STATUS="$(${GPGV} --no-default-keyring --keyring "${KEYFILE}" --status-fd 1 --verify "${SIGN_FILE}" "${HASH_FILE}" 2>/dev/null)"
_CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"
### Compare against pinned and expected fingerprint. ---------------------------------------------------------------------------
if [ "${_CDLB_SIG_FILE_FPR}" = "${CDLB_EXP_FPR}" ]; then
log_ok "Signature FPR valid: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
else
log_er "Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
sleep 8
# TODO: Remove debug mode
# panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
fi
### 'dmsetup' health check -----------------------------------------------------------------------------------------------------
MAP_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
if [ -e "${MAP_DEV}" ]; then
log_in "Checking dmsetup table for ${MAP_DEV}"
TOP_LINE="$(/usr/sbin/dmsetup table --showkeys "${MAP_DEV}" 2>/dev/null | awk 'NR==1{print; exit}')"
if printf '%s\n' "${TOP_LINE}" | grep -q ' crypt '; then
log_ok "Top layer is 'crypt'."
else
log_er "Top layer is NOT 'crypt'."
sleep 8
# TODO: Remove debug mode
# panic "[FATAL] Top layer is NOT 'crypt'."
fi
if printf '%s\n' "${TOP_LINE}" | grep -Eq ' xts|aes-xts'; then
log_ok "Cipher looks like AES-XTS."
else
log_er "Cipher does not look like AES-XTS."
sleep 8
# TODO: Remove debug mode
# panic "[FATAL] Cipher does not look like AES-XTS."
fi
### Extract child device token (the second last field is 'device', the last is 'offset.') --------------------------------------
CHILD_TOK="$(printf '%s\n' "${TOP_LINE}" | awk '{print $(NF-1)}')"
CHILD_NAME="${CHILD_TOK}"
case "${CHILD_TOK}" in
*:* )
if [ -e "/sys/dev/block/${CHILD_TOK}/dm/name" ]; then
CHILD_NAME="$(cat "/sys/dev/block/${CHILD_TOK}/dm/name" 2>/dev/null || true)"
[ -n "${CHILD_NAME}" ] || CHILD_NAME="${CHILD_TOK}"
fi
;;
/dev/* )
CHILD_NAME="$(basename -- "${CHILD_TOK}")"
;;
esac
#### Child layer must be 'integrity' with hmac and sha512 and 4096-byte sectors (best-effort greps). ---------------------------
log_in "Checking underlying integrity target: ${CHILD_NAME}"
CHILD_TAB="$(/usr/sbin/dmsetup table --showkeys "${CHILD_NAME}" 2>/dev/null || true)"
printf '%s\n' "${CHILD_TAB}" | grep -q ' integrity ' || { log_er "Underlying layer is not 'integrity'"; }
printf '%s\n' "${CHILD_TAB}" | grep -qi 'hmac' || { log_er "Integrity target not using keyed MAC (hmac)"; }
printf '%s\n' "${CHILD_TAB}" | grep -qi 'sha512' || { log_er "Integrity algo not sha512"; }
printf '%s\n' "${CHILD_TAB}" | grep -Eq '\b4096\b' || { log_er "Expected 4096-byte sector size not found"; }
log_ok "dm-crypt and dm-integrity(HMAC-SHA512, 4096B) chain looks healthy."
fi
printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0042-ciss-post-decrypt-attest]\n\e[0m"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh