From 6b9f36b04477f4a29a517d63c4f1bc2b87c99abde4be4c6f6c247b61ce9065d7 Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner"
Date: Tue, 25 Nov 2025 12:31:38 +0000
Subject: [PATCH] V8.13.440.2025.11.19

Signed-off-by: Marc S. Weidner
---
 .archive/0022-ciss-overlay-tmpfs | 52 ++
 .archive/0024-ciss-crypt-squash | 90 +++-
 .archive/0026-ciss-early-sysctl | 39 ++
 .archive/0030-ciss-verify-checksums | 335 ++++++++++++
 .archive/9990-main.sh | 259 +++++++++
 .archive/9990-overlay.sh | 499 ++++++++++++++++++
 .../usr/lib/live/boot/0024-ciss-crypt-squash | 122 +++--
 .../usr/lib/live/boot/9990-main.sh | 38 +-
 .../usr/lib/live/boot/9990-overlay.sh | 23 +-
 9 files changed, 1362 insertions(+), 95 deletions(-)
 create mode 100644 .archive/0022-ciss-overlay-tmpfs
 create mode 100644 .archive/0026-ciss-early-sysctl
 create mode 100644 .archive/0030-ciss-verify-checksums
 create mode 100644 .archive/9990-main.sh
 create mode 100644 .archive/9990-overlay.sh
diff --git a/.archive/0022-ciss-overlay-tmpfs b/.archive/0022-ciss-overlay-tmpfs
new file mode 100644
index 0000000..0a60320
--- /dev/null
+++ b/.archive/0022-ciss-overlay-tmpfs
@@ -0,0 +1,52 @@
+#!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck disable=SC2249
+# shellcheck shell=sh
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Purpose: Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
+# Phase : premount (executed by live-boot inside the initramfs).
+
+_SAVED_SET_OPTS="$(set +o)"
+
+set -eu
+
+sleep 3
+
+printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh] \n\e[0m"
+
+### Declare variables ----------------------------------------------------------------------------------------------------------
+OVERLAY_BASE="/run/live/overlay"
+UPPER="${OVERLAY_BASE}/upper"
+WORK="${OVERLAY_BASE}/work"
+
+### Size policy: hard ceiling to mitigate RAM-filling DoS; tune to your ISO profile. -------------------------------------------
+: "${CDLB_OVERLAY_TMPFS_SIZE:=70%}"
+
+### Create a base dir with restrictive perms. ----------------------------------------------------------------------------------
+# shellcheck disable=SC2174
+mkdir -p -m 0700 "${OVERLAY_BASE}"
+
+### Mount dedicated tmpfs with strict flags; 'noexec' here blocks accidental execs from the raw tmpfs path.
-------------------- +mount -t tmpfs -o "size=${CDLB_OVERLAY_TMPFS_SIZE},mode=0700,nosuid,nodev,noexec" tmpfs "${OVERLAY_BASE}" +printf "\e[92m[INFO] Command : [mount -t tmpfs -o \"size=%s,mode=0700,nosuid,nodev,noexec\" tmpfs %s] \n\e[0m" "${CDLB_OVERLAY_TMPFS_SIZE}" "${OVERLAY_BASE}" + +### Prepare upper /work with tight perms. ------------------------------------------------------------------------------------- +# shellcheck disable=SC2174 +mkdir -p -m 0700 "${UPPER}" "${WORK}" + +eval "${_SAVED_SET_OPTS}" + +printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh] \n\e[0m" + +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/.archive/0024-ciss-crypt-squash b/.archive/0024-ciss-crypt-squash index 73cd534..8e16139 100644 --- a/.archive/0024-ciss-crypt-squash +++ b/.archive/0024-ciss-crypt-squash @@ -43,8 +43,6 @@ ask_pass_console() { ### Non-canonical mode, no echo, 1 byte at a time. stty -echo -icanon time 0 min 1 /dev/null || return 1 - printf '\e[93m[INFO] Enter LUKS passphrase: \n\e[0m' > /dev/console - cr=$(printf '\r') bs=$(printf '\b') del=$(printf '\177') @@ -67,13 +65,13 @@ ask_pass_console() { case "${c}" in "${cr}") - ### Enter: finish input. + ### Enter: finish input. printf '\n' > /dev/console break ;; "${bs}"|"${del}") - ### Backspace, delete: delete one character, if available. + ### Backspace, delete: delete one character, if available. if [ -n "${PASSPHRASE}" ]; then PASSPHRASE=${PASSPHRASE%?} @@ -83,7 +81,7 @@ ask_pass_console() { ;; *) - ### Normal character: append and mask output. + ### Normal character: append and mask output. PASSPHRASE="${PASSPHRASE}${c}" printf '*' > /dev/console ;; 
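Review bot: The tmpfs mount on the `mount -t tmpfs` line has no explicit status check, so under the script's `set -eu` a failed mount ends the script (or the shell sourcing it) with no diagnostic, and because `mkdir -p -m 0700` leaves the mode of an already existing `/run/live/overlay` untouched, the mount itself is the only thing enforcing 0700. Suggest `mount -t tmpfs -o "size=${CDLB_OVERLAY_TMPFS_SIZE},mode=0700,nosuid,nodev,noexec" tmpfs "${OVERLAY_BASE}" || { printf '\e[91m[FATAL] overlay tmpfs mount failed : [%s] \n\e[0m' "${OVERLAY_BASE}" >&2; exit 1; }` so the failure is visible on the console. Running the component a second time stacks another tmpfs on the same path; a guard such as `is_mountpoint "${OVERLAY_BASE}"` (the helper `9990-main.sh` on this page uses), if it is available in this phase, would make the script idempotent. `CDLB_OVERLAY_TMPFS_SIZE` is taken from the environment and spliced into the option string unvalidated; checking it against a pattern like `[0-9]+[kmgKMG%]?` before the mount keeps the "hard ceiling" comment honest.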
@@ -120,6 +118,7 @@ export CDLB_ISO_LABEL="CISS.debian.live" export CDLB_LUKS_FS="/live/ciss_rootfs.crypt" export CDLB_MAPPER_NAME="crypt_liveiso" export CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}" +export CDLB_LUKS_ROOTFS_MNT="/run/live/ciss-rootfs" CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}" MNT_MEDIUM="/run/live/medium" MNT_ROOTFS="/run/live/rootfs" @@ -282,6 +281,8 @@ PID_BROKER="$!" set +e PASS="" + PASS_SENT=0 + WAIT_LOOP=0 while :; do @@ -291,12 +292,38 @@ PID_BROKER="$!" fi - # shellcheck disable=SC2310 - PASS="$(ask_pass_console)" || continue + if [ "${PASS_SENT}" -eq 0 ]; then - printf '%s\n' "${PASS}" >| /lib/cryptsetup/passfifo 2>/dev/null || : + printf '\e[93m[INFO] Enter LUKS passphrase: \n\e[0m' > /dev/console + + # shellcheck disable=SC2310 + PASS="$(ask_pass_console)" || continue + + printf '%s\n' "${PASS}" >| /lib/cryptsetup/passfifo 2>/dev/null || : + + PASS_SENT=1 + WAIT_LOOP=0 + + else + + WAIT_LOOP=$((WAIT_LOOP + 1)) + + if [ "${WAIT_LOOP}" -ge 160 ]; then + + printf '\e[91m[WARN] Please try again : \n\e[0m' > /dev/console + + PASS_SENT=0 + WAIT_LOOP=0 + + fi + + fi + + sleep 0.1 done + + return 0 ) & PID_PROMPT="$!" 
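Review bot: After the passphrase is written to `/lib/cryptsetup/passfifo`, `PASS` keeps holding it for the whole 160 × 0.1 s wait loop and across every retry; clearing it right after the write, `PASS=""`, limits how long the secret lives in the prompt subshell. The retry is driven purely by the `WAIT_LOOP -ge 160` timer: the loop never looks at whether the cryptsetup broker rejected the passphrase or has already opened the mapper, so a wrong passphrase is reported only after a fixed delay and, depending on the loop's exit condition (outside this hunk), a correct one may still be followed by a `[WARN] Please try again` prompt. Naming the timeout, e.g. `PASS_RETRY_TICKS="${PASS_RETRY_TICKS:-160}"`, would make the 16 s intent visible instead of a bare 160. `sleep 0.1` and the `return 0` after `done` inside a backgrounded `( … )` both depend on the initramfs shell and its sleep implementation accepting them; `exit 0` states the intent of ending the subshell unambiguously. The enclosing `( … ) &` subshell starts before this hunk.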
@@ -337,14 +364,57 @@ kill "${PID_PROMPT}" 2>/dev/null || true wait "${PID_BROKER}" 2>/dev/null || true rm -f /lib/cryptsetup/passfifo 2>/dev/null || true -printf "\e[92m[INFO] LUKS mapper : [%s] is now present.\n\e[0m" "${CDLB_MAPPER_DEV}" +printf "\e[92m[INFO] CISS LUKS decryption : [%s] is now present.\n\e[0m" "${CDLB_MAPPER_DEV}" + +### Mount the decrypted root device to use as the PLAIN_ROOT artifact in '9990-main.sh'. --------------------------------------- +if ! mount -t squashfs -o ro "${CDLB_MAPPER_DEV}" "${CDLB_LUKS_ROOTFS_MNT}"; then + + log "Failed to mount SquashFS from [${CDLB_MAPPER_DEV}] on [${CDLB_LUKS_ROOTFS_MNT}]" + printf "\e[91m[WARN] CISS LUKS decryption : SquashFS mount failed: [%s] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_LUKS_ROOTFS_MNT}" + exit 42 + +else + + printf "\e[92m[INFO] CISS LUKS decryption : Mounted SquashFS: [%s] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_LUKS_ROOTFS_MNT}" + +fi ### Expose the decrypted root device for live-boot overlay. The live-boot components will pick this up in '9990-overlay.sh'. 
--- -echo "${CDLB_MAPPER_DEV}" >| /run/ciss-rootdev +cat << EOF >| /run/ciss-rootdev +export CDLB_ISO_LABEL=${CDLB_ISO_LABEL} +export CDLB_LUKS_FS=${CDLB_LUKS_FS} +export CDLB_MAPPER_NAME=${CDLB_MAPPER_NAME} +export CDLB_MAPPER_DEV=${CDLB_MAPPER_DEV} +export CDLB_LUKS_ROOTFS_MNT=${CDLB_LUKS_ROOTFS_MNT} +MNT_MEDIUM="/run/live/medium" +MNT_ROOTFS="/run/live/rootfs" +EOF + chmod 0644 /run/ciss-rootdev 2>/dev/null || true export CISS_ROOT_DEV="${CDLB_MAPPER_DEV}" export CISS_ROOT_DIR="" +# TODO: Remove Debug +if [ -e /conf/param.conf ]; then + printf "\e[92m[INFO] CISS LUKS decryption : Printing existing [/conf/param.conf] \n\e[0m" + cat /conf/param.conf >/dev/console 2>&1 || : + { + printf '\n' + printf 'PLAIN_ROOT=1\n' + printf 'ROOT=%s\n' "${MNT_ROOTFS}" + } >> /conf/param.conf 2>/dev/null || true +else + printf "\e[92m[INFO] CISS LUKS decryption : Not existing [/conf/param.conf] \n\e[0m" + { + printf '\n' + printf 'PLAIN_ROOT=1\n' + printf 'ROOT=%s\n' "${MNT_ROOTFS}" + } >| /conf/param.conf 2>/dev/null || true +fi + +printf "\e[92m[INFO] CISS LUKS decryption : Final state [/conf/param.conf] \n\e[0m" +cat /conf/param.conf >/dev/console 2>&1 || : + log "Decrypted root device exposed at [/run/ciss-rootdev] -> [${CDLB_MAPPER_DEV}]" printf "\e[92m[INFO] CISS LUKS decryption : Decrypted root device exposed at: [/run/ciss-rootdev] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}" diff --git a/.archive/0026-ciss-early-sysctl b/.archive/0026-ciss-early-sysctl new file mode 100644 index 0000000..cfaf2f6 --- /dev/null +++ b/.archive/0026-ciss-early-sysctl 
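Review bot: The decrypted SquashFS is mounted at `${CDLB_LUKS_ROOTFS_MNT}` (`/run/live/ciss-rootfs`), but the `ROOT=` line appended to `/conf/param.conf` points at `${MNT_ROOTFS}` (`/run/live/rootfs`); unless something outside this diff bind-mounts or remaps those two paths, `9990-main.sh` will take `livefs_root=${ROOT}` from a directory that does not contain the decrypted tree and `Verify_checksums` will `cd` into it and find no checksum file. Nothing in the hunk creates the mountpoint before `mount -t squashfs`; a `mkdir -p -m 0700 "${CDLB_LUKS_ROOTFS_MNT}"` in front of it is needed unless it is created earlier in the file. `/run/ciss-rootdev` changes from a bare device path to a sourceable block of `export` lines, while the `Decrypted root device exposed at` messages and the archived `9990-overlay.sh` (which reads it with `cat` into `CISS_ROOT_DEV`) still treat it as a path; the patched `usr/lib/live/boot/9990-overlay.sh` is not on this page, so confirm every reader was switched to sourcing it. `exit 42` on mount failure ends whichever shell runs this component instead of going through live-boot's `panic`, which the other scripts on this page use for fatal boot errors. The `# TODO: Remove Debug` block dumps `/conf/param.conf` to `/dev/console` twice; if it stays, gate it behind a debug flag so configuration state is not printed on every boot.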
@@ -0,0 +1,39 @@
+#!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck disable=SC2249
+# shellcheck shell=sh
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Purpose: Enforce early sysctls before services start.
+# Phase : premount (executed by live-boot inside the initramfs).
+
+_SAVED_SET_OPTS="$(set +o)"
+
+set -eu
+
+printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] \n\e[0m"
+
+echo 2 > /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true
+echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || true
+echo 0 > /proc/sys/fs/suid_dumpable 2>/dev/null || true
+echo 1 > /proc/sys/kernel/kexec_load_disabled 2>/dev/null || true
+echo 1 > /proc/sys/fs/protected_symlinks 2>/dev/null || true
+echo 1 > /proc/sys/fs/protected_hardlinks 2>/dev/null || true
+echo 2 > /proc/sys/fs/protected_regular 2>/dev/null || true
+echo 2 > /proc/sys/kernel/kptr_restrict 2>/dev/null || true
+
+eval "${_SAVED_SET_OPTS}"
+
+printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] \n\e[0m"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/.archive/0030-ciss-verify-checksums b/.archive/0030-ciss-verify-checksums
new file mode 100644
index 0000000..32b9f03
--- /dev/null
+++ b/.archive/0030-ciss-verify-checksums
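Review bot: Every sysctl write is followed by `2>/dev/null || true`, so a knob that is absent or read-only in the booting kernel (e.g. `kernel/yama/ptrace_scope` when Yama is not built in) is skipped silently, yet the closing message still reports `Successfully applied`; for a hardening baseline a failed write should at least be logged so the resulting state is auditable. A small helper makes the eight writes uniform and replaces `echo` with `printf` as the portable way to emit the value. The `set -eu` / `eval "${_SAVED_SET_OPTS}"` bracket has no effect here because every command is guarded by `|| true`.
```shell
# … unchanged: SPDX header, _SAVED_SET_OPTS / set -eu, Starting message …

### Write one sysctl; report, rather than hide, a knob the kernel does not offer or refuses.
### $1: /proc/sys path, $2: value.
set_sysctl() {
  if printf '%s\n' "${2}" > "${1}" 2>/dev/null; then
    printf "\e[92m[INFO] sysctl applied : [%s=%s] \n\e[0m" "${1#/proc/sys/}" "${2}"
  else
    printf "\e[91m[WARN] sysctl skipped : [%s=%s] (missing or read-only) \n\e[0m" "${1#/proc/sys/}" "${2}" >&2
  fi
}

set_sysctl /proc/sys/kernel/yama/ptrace_scope 2
set_sysctl /proc/sys/kernel/unprivileged_bpf_disabled 1
set_sysctl /proc/sys/fs/suid_dumpable 0
set_sysctl /proc/sys/kernel/kexec_load_disabled 1
set_sysctl /proc/sys/fs/protected_symlinks 1
set_sysctl /proc/sys/fs/protected_hardlinks 1
set_sysctl /proc/sys/fs/protected_regular 2
set_sysctl /proc/sys/kernel/kptr_restrict 2

# … unchanged: eval "${_SAVED_SET_OPTS}", Successfully applied message …
```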
@@ -0,0 +1,335 @@ +#!/bin/sh +# bashsupport disable=BP5007 +# shellcheck disable=SC2249 +# shellcheck shell=sh + +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: GPL-3.0-or-later +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +### Modified Version of the original file: +### https://salsa.debian.org/live-team/live-boot 'components/0030-ciss-verify-checksums' +### In case of successful verification of the offered checksum, proceed with booting; otherwise panic. + +####################################### +# Modified checksum-integrity and authenticity-verification-script depending on pinned GPG FPR for boot process verification. +# Globals: +# LIVE_BOOT_CMDLINE +# _TTY +# Arguments: +# 1: _MOUNTPOINT +# Returns: +# 0 : Successful verification +####################################### +Verify_checksums() { + printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0030-ciss-verify-checksums] \n\e[0m" + + ### Declare variables -------------------------------------------------------------------------------------------------------- + + ### Will be replaced at build time: + export CDLB_EXP_FPR="@EXP_FPR@" + export CDLB_EXP_CA_FPR="@EXP_CA_FPR@" + + ### Declare functions -------------------------------------------------------------------------------------------------------- + + ####################################### + # Helper for colored text output on stdout. 
+ # Globals: + # None + # Arguments: + # *: String to print + ####################################### + log_in() { printf '\e[95m[INFO] %s \n\e[0m' "$*"; } + + + ####################################### + # Helper for colored text output on stdout. + # Globals: + # None + # Arguments: + # *: String to print + ####################################### + log_ok() { printf '\e[92m[INFO] %s \n\e[0m' "$*"; } + + ####################################### + # Helper for colored text output on stdout. + # Globals: + # None + # Arguments: + # *: String to print + ####################################### + log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; } + + _MOUNTPOINT="${1}" + + _PARAMETER="" + + _TTY="/dev/tty8" + + LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}" + + LIVE_VERIFY_CHECKSUMS_SIGNATURES="false" + + _KEYFILE="" + + _MP="" + + ### Parse commandline arguments ---------------------------------------------------------------------------------------------- + for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do + + case "${_PARAMETER}" in + + live-boot.verify-checksums=* | verify-checksums=*) + + LIVE_VERIFY_CHECKSUMS="true" + LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}" + ;; + + live-boot.verify-checksums | verify-checksums) + + LIVE_VERIFY_CHECKSUMS="true" + ;; + + live-boot.verify-checksums-signatures | verify-checksums-signatures) + + LIVE_VERIFY_CHECKSUMS_SIGNATURES="true" + ;; + + esac + + done + + ### Check if the function should be skipped ---------------------------------------------------------------------------------- + case "${LIVE_VERIFY_CHECKSUMS}" in + + true) + : + ;; + + *) + return 0 + ;; + + esac + + ### Check GPG pubkey file correct path --------------------------------------------------------------------------------------- + for _MP in /lib/live/mount/medium /run/live/medium /cdrom /; do + + if [ -e "${_MP}/${CDLB_EXP_FPR}.gpg" ]; then + + _KEYFILE="${_MP}/${CDLB_EXP_FPR}.gpg" + + if [ -e 
"${_MP}/${CDLB_EXP_CA_FPR}.gpg" ]; then + + _CA_KEYFILE="${_MP}/${CDLB_EXP_CA_FPR}.gpg" + + fi + + break + + fi + + done + + # shellcheck disable=SC2164 + cd "${_MOUNTPOINT}" + + + ### CDLB verification of script integrity itself ----------------------------------------------------------------------------- + if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then + + log_begin_msg "Verifying integrity of: [0030-ciss-verify-checksums]" + printf "\n" + + _CAND="" + CDLB_SCRIPT_SELF="" CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_SIG_FILE="" + + CDLB_CMD="/usr/bin/sha512sum" + CDLB_SHA="sha512" + + for _CAND in /scripts/live-bottom/0030-ciss-verify-checksums /usr/lib/live/boot/0030-ciss-verify-checksums ; do + + [ -e "${_CAND}" ] && { CDLB_SCRIPT_SELF="${_CAND}"; break; } + + done + + CDLB_SCRIPT_FILE="${CDLB_SCRIPT_SELF##*/}" + CDLB_SCRIPT_PATH="${CDLB_SCRIPT_SELF%/*}" + CDLB_SCRIPT_FULL="${CDLB_SCRIPT_PATH%/}/${CDLB_SCRIPT_FILE}" + CDLB_HASHFILE="/etc/ciss/hashes/${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt" + CDLB_SIG_FILE="${CDLB_HASHFILE}.sig" + + _STATUS="$(/usr/bin/gpgv --no-default-keyring --keyring "${_KEYFILE}" --status-fd 1 --verify "${CDLB_SIG_FILE}" "${CDLB_SCRIPT_FULL}" 2>/dev/null)" + + _CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')" + + ### Compare against pinned and expected fingerprint. + if [ "${_CDLB_SIG_FILE_FPR}" = "${CDLB_EXP_FPR}" ]; then + + log_ok "Signature FPR valid: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]" + + else + + log_er "Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]" + sleep 8 + panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]." + + fi + + ### Script self-integrity and authenticity checks -------------------------------------------------------------------------- + ### Assumption: initramfs itself is not altered. 
+ log_in "Verifying signature of: [${CDLB_SIG_FILE}] ..." + + if ! /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then + + log_er "Verifying signature of: [${CDLB_SIG_FILE}] failed." + sleep 8 + panic "[FATAL] Verifying signature of: [${CDLB_SIG_FILE}] failed." + + else + + log_ok "Verifying signature of: [${CDLB_SIG_FILE}] successful." + + fi + + log_in "Recomputing hash for: [${CDLB_SHA}] ..." + + CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT_FULL}" | { read -r first _ || exit 1; printf '%s\n' "${first}"; }) + IFS=' ' read -r CDLB_EXPECTED _ < "${CDLB_HASHFILE}" + + if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then + + log_er "Recomputing hash for: [${CDLB_SHA}] failed." + sleep 8 + panic "[FATAL] Recomputing hash for: [${CDLB_SHA}] failed." + + fi + + log_ok "Recomputing hash for: [${CDLB_SHA}] successful." + log_ok "Verification of authenticity and integrity of [${CDLB_SCRIPT_FULL}] successfully completed." + log_end_msg + printf "\n" + + fi + + ### Checksum and checksum signature verification ----------------------------------------------------------------------------- + log_begin_msg "Verifying checksums" + printf "\n" + log_in "Verifying checksums ..." + + # shellcheck disable=SC2001 + for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do + + # shellcheck disable=SC2060 + _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt" + + for _CHECKSUM in ${_CHECKSUMS}; do + + if [ -e "${_CHECKSUM}" ]; then + + log_in "Found: [${_CHECKSUM}] ..." + + if [ -e "/usr/bin/${_DIGEST}sum" ]; then + + log_in "Found: [/usr/bin/${_DIGEST}sum] ..." + + if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then + + log_in "Checking signature of: [${_CHECKSUM}] ..." 
+ + _CHECKSUM_SIGNATURE="${_CHECKSUM}.sig" + + if /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"; then + + _RETURN_PGP="${?}" + log_in "Checking signature of: [${_CHECKSUM}] successful." + + else + + _RETURN_PGP="${?}" + log_er "Checking signature of: [${_CHECKSUM}] failed." + + fi + + else + + _RETURN_PGP="na" + + fi + + # shellcheck disable=SC2312 + if grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_TTY}"; then + + _RETURN_SHA="${?}" + log_ok "Found: [/usr/bin/${_DIGEST}sum] successful verified: [${_CHECKSUM}]" + + else + + _RETURN_SHA="${?}" + log_er "Found: [/usr/bin/${_DIGEST}sum] unsuccessful verified: [${_CHECKSUM}]" + + fi + + # Stop after the first verification. + break 2 + + else + + _RETURN_SHA="255" + log_er "NOT Found [/usr/bin/${_DIGEST}sum]." + + fi + + fi + + done + + done + + log_end_msg + printf "\n" + + case "${_RETURN_PGP},${_RETURN_SHA}" in + + "0,0") + log_ok "Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds." + log_success_msg "Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds." + sleep 8 + return 0 + ;; + + "na,0") + log_ok "Verification of [sha checksum] file successful; continuing booting in 8 seconds." + log_success_msg "Verification of [sha checksum] file successful; continuing booting in 8 seconds." + sleep 8 + return 0 + ;; + + "0,"*) + log_er "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed." + sleep 8 + panic "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed." + ;; + + *",0") + log_er "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful." + sleep 8 + panic "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful." + ;; + + "na,"*) + log_er "Verification of [sha checksum] file failed." 
+ sleep 8 + panic "Verification of [sha checksum] file failed." + ;; + + esac +} +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/.archive/9990-main.sh b/.archive/9990-main.sh new file mode 100644 index 0000000..5cf59b1 --- /dev/null +++ b/.archive/9990-main.sh 
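Review bot: The final `case "${_RETURN_PGP},${_RETURN_SHA}"` has no default arm, so when no `SHA*SUMS`/`*sum.txt` file is found (both variables stay unset) or the digest tool is missing (`_RETURN_SHA=255` with `_RETURN_PGP` unset) the function falls off the end and returns 0, and a medium with the checksum files simply removed boots without any integrity check; a `*)` arm that panics closes that path. The pinned fingerprint `CDLB_EXP_FPR` is only compared for the script self-check: the checksum-file signature on the `gpgv --keyring "${_KEYFILE}" --status-fd 1 "${_CHECKSUM_SIGNATURE}"` line is accepted on exit status alone, and because `_KEYFILE` is searched on the medium (`/run/live/medium`, `/cdrom`) before the initramfs `/`, a medium that ships its own `${CDLB_EXP_FPR}.gpg` together with a re-signed checksum file passes; extracting VALIDSIG and comparing it to the pin there too, or loading the keyring from the initramfs only, closes it. The self-check call `gpgv … --verify "${CDLB_SIG_FILE}" "${CDLB_SCRIPT_FULL}"` pairs the detached signature of the hash file with the script itself, whereas the next call pairs the same `.sig` with `${CDLB_HASHFILE}`; one of the two cannot yield VALIDSIG, so the pin comparison likely never runs against the intended data. `_KEYFILE` stays empty when no key file is found and is then passed as `--keyring ""`; a `[ -n "${_KEYFILE}" ] || panic "No keyring found for [${CDLB_EXP_FPR}]"` after the search is clearer than relying on gpgv's handling of an empty path.
```shell
# … unchanged: digest and checksum-file discovery …
_CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"

### Capture status output so the signer can be pinned, as the self-check above already does.
_STATUS="$(/usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}" 2>/dev/null)"
_RETURN_PGP="${?}"
_SIG_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"

if [ "${_RETURN_PGP}" -eq 0 ] && [ "${_SIG_FPR}" = "${CDLB_EXP_FPR}" ]; then
  log_in "Checking signature of: [${_CHECKSUM}] successful."
else
  _RETURN_PGP=1
  log_er "Checking signature of: [${_CHECKSUM}] failed or signer mismatch: got: [${_SIG_FPR}] expected: [${CDLB_EXP_FPR}]"
fi

# … unchanged: digest verification loop and the existing case arms …
*)
  log_er "No checksum file was verified (pgp=[${_RETURN_PGP}] sha=[${_RETURN_SHA}]); refusing to boot."
  sleep 8
  panic "[FATAL] No checksum file was verified; refusing to boot."
  ;;
```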
@@ -0,0 +1,259 @@ +#!/bin/sh +# bashsupport disable=BP5007 +# shellcheck disable=SC2249 +# shellcheck shell=sh + +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: GPL-3.0-or-later +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +### Modified Version of the original file: +### https://salsa.debian.org/live-team/live-boot 'components/9990-main.shh' +### Change behavior to mount already opened ciss_rootfs.crypt (0024-ciss-crypt-squash). + +# set -e + +printf "\e[95m[INFO] Sourcing : [/usr/lib/live/boot/9990-main.sh] \n\e[0m" + +Live () +{ + printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/9990-main.sh] \n\e[0m" + + if [ -x /scripts/local-top/cryptroot ] + then + /scripts/local-top/cryptroot + fi + + exec 6>&1 + exec 7>&2 + exec > boot.log + exec 2>&1 + tail -f boot.log >&7 & + tailpid="${!}" + + # shellcheck disable=SC2034 + LIVE_BOOT_CMDLINE="${LIVE_BOOT_CMDLINE:-$(cat /proc/cmdline)}" + Cmdline_old + + Debug + + Read_only + + Select_eth_device + + if [ -e /conf/param.conf ] + then + . /conf/param.conf + fi + + # Needed here too because some things (*cough* udev *cough*) + # change the timeout + + printf "\e[93m[DEBUG] live(): Before do_netmount() pp. 
\e[0m\n" + if [ -n "${NETBOOT}" ] || [ -n "${FETCH}" ] || [ -n "${HTTPFS}" ] || [ -n "${FTPFS}" ] + then + if do_netmount + then + printf "\e[93m[DEBUG] live(): [livefs_root=%s] \e[0m\n" "${mountpoint?}" + livefs_root="${mountpoint?}" + else + panic "Unable to find a live file system on the network" + fi + else + if [ -n "${ISCSI_PORTAL}" ] + then + printf "\e[93m[DEBUG] live(): [do_iscsi && livefs_root=%s] \e[0m\n" "${mountpoint?}" + do_iscsi && livefs_root="${mountpoint}" + elif [ -n "${PLAIN_ROOT}" ] && [ -n "${ROOT}" ] + then + # Do a local boot from hd + printf "\e[93m[DEBUG] live(): Do a local boot from hd [livefs_root=%s] \e[0m\n" "${ROOT?}" + livefs_root=${ROOT} + else + printf "\e[93m[DEBUG] live(): [Setup_Memdisk] starting ... \e[0m\n" + Setup_Memdisk + printf "\e[93m[DEBUG] live(): [Setup_Memdisk] finished. \e[0m\n" + + # If the live media location is given via command line and access to it + # involves LVM volumes, the corresponding volumes need to be activated. + IFS=',' + # shellcheck disable=SC2116 + for dev in $(echo "${LIVE_MEDIA}") + do + printf "\e[93m[DEBUG] live(): [%s] -> dev \e[0m\n" "${dev}" + case "${dev}" in + /dev/mapper/*) + # shellcheck disable=SC2046,SC2312 + eval $(dmsetup splitname --nameprefixes --noheadings --rows "${dev#/dev/mapper/}") + # shellcheck disable=SC2244 + if [ "${DM_VG_NAME}" ] && [ "${DM_LV_NAME}" ] + then + lvm lvchange -aay -y --sysinit --ignoreskippedcluster "${DM_VG_NAME}/${DM_LV_NAME}" + fi + ;; + /dev/*/*) + # Could be /dev/VG/LV; use lvs to check + if lvm lvs -- "${dev}" >/dev/null 2>&1 + then + lvm lvchange -aay -y --sysinit --ignoreskippedcluster "${dev}" + fi + ;; + esac + done + unset IFS + + # Scan local devices for the image + i=0 + while [ "${i}" -lt 60 ] + do + # shellcheck disable=SC2086 + livefs_root=$(find_livefs ${i}) + + if [ -n "${livefs_root}" ] + then + break + fi + + sleep 1 + i=$((i + 1)) + done + fi + fi + + printf "\e[93m[DEBUG] live(): [%s] -> livefs_root. 
\e[0m\n" "${livefs_root}" + if [ -z "${livefs_root}" ] + then + panic "Unable to find a medium containing a live file system" + fi + + printf "\e[93m[DEBUG] live(): Before [Verify_checksums %s] \e[0m\n" "${livefs_root}" + Verify_checksums "${livefs_root}" + + # shellcheck disable=SC2244 + if [ "${TORAM}" ] + then + live_dest="ram" + elif [ "${TODISK}" ] + then + live_dest="${TODISK}" + fi + + # shellcheck disable=SC2244 + if [ "${live_dest}" ] + then + log_begin_msg "Copying live media to ${live_dest}" + copy_live_to "${livefs_root}" "${live_dest}" + log_end_msg + fi + + # if we do not unmount the ISO, we can't run "fsck /dev/ice" later on + # because the mountpoint is left behind in /proc/mounts, so let's get + # rid of it when running from RAM + # shellcheck disable=SC2244 + if [ -n "${FROMISO}" ] && [ "${TORAM}" ] + then + losetup -d /dev/loop0 + + if is_mountpoint /run/live/fromiso + then + umount /run/live/fromiso + rmdir --ignore-fail-on-non-empty /run/live/fromiso \ + >/dev/null 2>&1 || true + fi + fi + + printf "\e[93m[DBG] Live(): before overlay, live_dest=%s \e[0m\n" "${live_dest:-}" + printf "\e[93m[DBG] Live(): MODULETORAMFILE=%s PLAIN_ROOT=%s \e[0m\n" "${MODULETORAMFILE}" "${PLAIN_ROOT}" + if [ -n "${MODULETORAMFILE}" ] || [ -n "${PLAIN_ROOT}" ] + then + printf "\e[93m[DBG] Live(): setup_unionfs livefs_root=%s rootmnt=%s \e[0m\n" "${livefs_root}" "${rootmnt?}" + setup_unionfs "${livefs_root}" "${rootmnt?}" + else + mac="$(get_mac)" + mac="$(echo "${mac}" | sed 's/-//g')" + printf "\e[93m[DBG] Live(): mount_images_in_directory livefs_root=%s rootmnt=%s mac=%s \e[0m\n" "${livefs_root}" "${rootmnt}" "${mac}" + mount_images_in_directory "${livefs_root}" "${rootmnt}" "${mac}" + fi + + if [ -n "${ROOT_PID}" ] + then + echo "${ROOT_PID}" > "${rootmnt}"/lib/live/root.pid + fi + + log_end_msg + + # aufs2 in kernel versions around 2.6.33 has a regression: + # directories can't be accessed when read for the first time, + # causing a failure, for example, when 
accessing /var/lib/fai + # when booting FAI, this simple workaround solves it + ls /root/* >/dev/null 2>&1 + + # if we do not unmount the ISO, we can't run "fsck /dev/ice" later on + # because the mountpoint is left behind in /proc/mounts, so let's get + # rid of it when running from RAM + # shellcheck disable=SC2244 + if [ -n "${FINDISO}" ] && [ "${TORAM}" ] + then + losetup -d /dev/loop0 + + if is_mountpoint /run/live/findiso + then + umount /run/live/findiso + rmdir --ignore-fail-on-non-empty /run/live/findiso \ + >/dev/null 2>&1 || true + fi + fi + + if [ -f /etc/hostname ] && ! grep -E -q -v '^[[:space:]]*(#|$)' "${rootmnt}/etc/hostname" + then + log_begin_msg "Copying /etc/hostname to ${rootmnt}/etc/hostname" + cp -v /etc/hostname "${rootmnt}/etc/hostname" + log_end_msg + fi + + if [ -f /etc/hosts ] && ! grep -E -q -v '^[[:space:]]*(#|$|(127.0.0.1|::1|ff02::[12])[[:space:]])' "${rootmnt}/etc/hosts" + then + log_begin_msg "Copying /etc/hosts to ${rootmnt}/etc/hosts" + cp -v /etc/hosts "${rootmnt}/etc/hosts" + log_end_msg + fi + + if [ -L /root/etc/resolv.conf ] ; then + # assume we have resolvconf + DNSFILE="${rootmnt}/etc/resolvconf/resolv.conf.d/base" + else + DNSFILE="${rootmnt}/etc/resolv.conf" + fi + if [ -f /etc/resolv.conf ] && ! grep -E -q -v '^[[:space:]]*(#|$)' "${DNSFILE}" + then + log_begin_msg "Copying /etc/resolv.conf to ${DNSFILE}" + cp -v /etc/resolv.conf "${DNSFILE}" + log_end_msg + fi + + if ! [ -d "/lib/live/boot" ] + then + panic "A wrong rootfs was mounted." + fi + + Fstab + Netbase + + Swap + + exec 1>&6 6>&- + exec 2>&7 7>&- + kill "${tailpid}" + [ -w "${rootmnt}/var/log/" ] && mkdir -p "${rootmnt}/var/log/live" && ( \ + cp boot.log "${rootmnt}/var/log/live" 2>/dev/null; \ + cp fsck.log "${rootmnt}/var/log/live" 2>/dev/null ) + + printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/9990-main.sh] ... \n\e[0m" +} diff --git a/.archive/9990-overlay.sh b/.archive/9990-overlay.sh new file mode 100644 index 0000000..f336d4b 
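Review bot: In the `elif [ -n "${PLAIN_ROOT}" ] && [ -n "${ROOT}" ]` branch `livefs_root=${ROOT}` is taken on trust, so if `ROOT` (sourced from `/conf/param.conf`) names a path that is not mounted, the later `Verify_checksums "${livefs_root}"` `cd`s into an empty or missing directory and the `Unable to find a medium` panic never fires; `[ -d "${ROOT}" ] || panic "PLAIN_ROOT set but ROOT=[${ROOT}] is not a directory"` before the assignment keeps the failure where it happened. The `[DEBUG]`/`[DBG]` `printf` lines run after `exec > boot.log`, and that log is copied into `${rootmnt}/var/log/live` at the end, so whatever they interpolate (`${ROOT}`, `${LIVE_MEDIA}`, the mac) persists on the booted system; if they stay, gate them behind a debug flag rather than leaving them unconditional. The `# set -e` left commented at the top of the file deserves a one-line comment saying why it is off, since the `0022`/`0026` components on this page do use `set -eu`.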
--- /dev/null +++ b/.archive/9990-overlay.sh 
@@ -0,0 +1,499 @@ +#!/bin/sh +# bashsupport disable=BP5007 +# shellcheck disable=SC2249 +# shellcheck shell=sh + +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: GPL-3.0-or-later +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +### Modified Version of the original file: +### https://salsa.debian.org/live-team/live-boot 'components/9990-overlay.sh' +### Change behavior to mount already opened ciss_rootfs.crypt (0024-ciss-crypt-squash). + +#set -e + +printf "\e[95m[INFO] Sourcing : [/usr/lib/live/boot/9990-overlay.sh] \n\e[0m" + +setup_unionfs () +{ + printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/9990-overlay.sh] \n\e[0m" + + image_directory="${1}" + rootmnt="${2}" + addimage_directory="${3}" + + ### CISS hook: allow explicit root override ---------------------------------------------------------------------------------- + if [ -z "${CISS_ROOT_DEV:-}" ] && [ -r /run/ciss-rootdev ]; then + + CISS_ROOT_DEV=$(cat /run/ciss-rootdev 2>/dev/null || printf '') + + fi + + if [ -n "${CISS_ROOT_DEV:-}" ]; then + + ### Treat the decrypted block device as plain root (e.g., squashfs on LUKS). + PLAIN_ROOT=1 + image_directory="${CISS_ROOT_DEV}" + + elif [ -n "${CISS_ROOT_DIR:-}" ]; then + + ### Alternative: explicitly provided root directory. + PLAIN_ROOT=1 + image_directory="${CISS_ROOT_DIR}" + + fi + ### -------------------------------------------------------------------------------------------------------------------------- + + # shellcheck disable=SC2086 + modprobe -q -b ${UNIONTYPE} + + if ! 
cut -f2 /proc/filesystems | grep -q "^${UNIONTYPE}\$" + then + panic "${UNIONTYPE} not available." + fi + + croot="/run/live/rootfs" + + # Let's just mount the read-only file systems first + rootfslist="" + + if [ -z "${PLAIN_ROOT}" ] + then + # Read image names from ${MODULE}.module if it exists + # shellcheck disable=SC2153 + if [ -e "${image_directory}/filesystem.${MODULE}.module" ] + then + # shellcheck disable=SC2013,SC2086 + for IMAGE in $(cat ${image_directory}/filesystem.${MODULE}.module) + do + image_string="${image_string} ${image_directory}/${IMAGE}" + done + elif [ -e "${image_directory}/${MODULE}.module" ] + then + # shellcheck disable=SC2013,SC2086 + for IMAGE in $(cat ${image_directory}/${MODULE}.module) + do + image_string="${image_string} ${image_directory}/${IMAGE}" + done + else + # ${MODULE}.module does not exist, create a list of images + for FILESYSTEM in squashfs ext2 ext3 ext4 xfs jffs2 dir + do + for IMAGE in "${image_directory}"/*."${FILESYSTEM}" + do + if [ -e "${IMAGE}" ] + then + image_string="${image_string} ${IMAGE}" + fi + done + done + + if [ -n "${addimage_directory}" ] && [ -d "${addimage_directory}" ] + then + for FILESYSTEM in squashfs ext2 ext3 ext4 xfs jffs2 dir + do + for IMAGE in "${addimage_directory}"/*."${FILESYSTEM}" + do + if [ -e "${IMAGE}" ] + then + image_string="${image_string} ${IMAGE}" + fi + done + done + fi + + # Now sort the list + # shellcheck disable=SC2086 + image_string="$(echo ${image_string} | sed -e 's/ /\n/g' | sort )" + fi + + # shellcheck disable=SC2086 + [ -n "${MODULETORAMFILE}" ] && image_string="${image_directory}/$(basename ${MODULETORAMFILE})" + + mkdir -p "${croot}" + + for image in ${image_string} + do + imagename=$(basename "${image}") + + export image devname + maybe_break live-realpremount + log_begin_msg "Running /scripts/live-realpremount" + run_scripts /scripts/live-realpremount + log_end_msg + + if [ -d "${image}" ] + then + # It is a plain directory: do nothing + rootfslist="${image} 
${rootfslist}" + elif [ -f "${image}" ] + then + if losetup --help 2>&1 | grep -q -- "-r\b" + then + backdev=$(get_backing_device "${image}" "-r") + else + backdev=$(get_backing_device "${image}") + fi + fstype=$(get_fstype "${backdev}") + + case "${fstype}" in + unknown) + panic "Unknown file system type on ${backdev} (${image})" + ;; + + "") + fstype="${imagename##*.}" + log_warning_msg "Unknown file system type on ${backdev} (${image}), assuming ${fstype}." + ;; + esac + + mpoint=$(trim_path "${croot}/${imagename}") + rootfslist="${mpoint} ${rootfslist}" + mount_options="" + + # Setup dm-verity support if a device has it supported + hash_device="${image}.verity" + # shellcheck disable=SC2086 + if [ -f ${hash_device} ] + then + log_begin_msg "Start parsing dm-verity options for ${image}" + backdev_roothash=$(get_backing_device ${hash_device}) + verity_mount_options="-o verity.hashdevice=${backdev_roothash}" + root_hash=$(get_dm_verity_hash ${imagename} ${DM_VERITY_ROOT_HASH}) + valid_config="true" + case $(mount --version) in + *verity*) + ;; + *) + valid_config="false" + log_warning_msg "mount does not have support for dm-verity. 
Ignoring mount options" + ;; + esac + if [ -n "${root_hash}" ] + then + verity_mount_options="${verity_mount_options} -o verity.roothash=${root_hash}" + # Check if the root hash is saved on disk + elif [ -f "${image}.roothash" ] + then + verity_mount_options="${verity_mount_options} -o verity.roothashfile=${image}.roothash" + else + valid_config="false" + log_warning_msg "'${image}' has a dm-verity hash table, but no root hash was specified ignoring" + fi + + fec="${image}.fec" + fec_roots="${image}.fec.roots" + if [ -f ${fec} ] && [ -f ${fec_roots} ] + then + backdev_fec=$(get_backing_device ${fec}) + roots=$(cat ${fec_roots}) + verity_mount_options="${verity_mount_options} -o verity.fecdevice=${backdev_fec} -o verity.fecroots=${roots}" + fi + + signature="${image}.roothash.p7s" + if [ -f "${signature}" ] + then + verity_mount_options="${verity_mount_options} -o verity.roothashsig=${signature}" + elif [ "${DM_VERITY_ENFORCE_ROOT_HASH_SIG}" = "true" ] + then + panic "dm-verity signature checking was enforced but no signature could be found for ${image}!" + fi + + + if [ -n "${DM_VERITY_ONCORRUPTION}" ] + then + if is_in_space_sep_list "${DM_VERITY_ONCORRUPTION}" "ignore panic restart" + then + verity_mount_options="${verity_mount_options} -o verity.oncorruption=${DM_VERITY_ONCORRUPTION}" + else + log_warning_msg "For dm-verity on corruption '${DM_VERITY_ONCORRUPTION}' was specified, but only ignore, panic or restart are supported!" 
+ log_warning_msg "Ignoring setting" + fi + fi + if [ "${valid_config}" = "true" ] + then + mount_options="${mount_options} ${verity_mount_options}" + fi + log_end_msg "Finished parsing dm-verity options for ${image}" + fi + + mkdir -p "${mpoint}" + log_begin_msg "Mounting \"${image}\" on \"${mpoint}\" via \"${backdev}\"" + # shellcheck disable=SC2086 + mount -t "${fstype}" -o ro,noatime ${mount_options} "${backdev}" "${mpoint}" || panic "Can not mount ${backdev} (${image}) on ${mpoint}" + log_end_msg + else + log_warning_msg "Could not find image '${image}'. Most likely it is listed in a .module file, perhaps by mistake." + fi + done + else + # We have a plain root system + mkdir -p "${croot}/filesystem" + log_begin_msg "Mounting \"${image_directory}\" on \"${croot}/filesystem\"" + # shellcheck disable=SC2046,SC2312 + mount -t $(get_fstype "${image_directory}") -o ro,noatime "${image_directory}" "${croot}/filesystem" || \ + panic "Can not mount ${image_directory} on ${croot}/filesystem" && \ + rootfslist="${croot}/filesystem ${rootfslist}" + # Probably broken: + # shellcheck disable=SC2086,SC2250 + mount -o bind ${croot}/filesystem $mountpoint + log_end_msg + fi + + # tmpfs file systems + touch /etc/fstab + mkdir -p /run/live/overlay + + # Looking for persistence devices or files + if [ -n "${PERSISTENCE}" ] && [ -z "${NOPERSISTENCE}" ] + then + + if [ -z "${QUICKUSBMODULES}" ] + then + # Load USB modules + # shellcheck disable=SC2012 + num_block=$(ls -l /sys/block | wc -l) + for module in sd_mod uhci-hcd ehci-hcd ohci-hcd usb-storage + do + # shellcheck disable=SC2086 + modprobe -q -b ${module} + done + + udevadm trigger + udevadm settle + + # For some reason, udevsettle does not block in this scenario, + # so we sleep for a little while. 
+ # + # See https://bugs.launchpad.net/ubuntu/+source/casper/+bug/84591 + # shellcheck disable=SC2034 + for timeout in 5 4 3 2 1 + do + sleep 1 + + # shellcheck disable=SC2012,SC2046,SC2086,SC2312 + if [ $(ls -l /sys/block | wc -l) -gt ${num_block} ] + then + break + fi + done + fi + + # shellcheck disable=SC3043 + local whitelistdev + whitelistdev="" + if [ -n "${PERSISTENCE_MEDIA}" ] + then + case "${PERSISTENCE_MEDIA}" in + removable) + whitelistdev="$(removable_dev)" + ;; + + removable-usb) + whitelistdev="$(removable_usb_dev)" + ;; + esac + if [ -z "${whitelistdev}" ] + then + whitelistdev="ignore_all_devices" + fi + fi + + # shellcheck disable=SC2086 + if is_in_comma_sep_list overlay ${PERSISTENCE_METHOD} + then + overlays="${custom_overlay_label}" + fi + + # shellcheck disable=SC3043 + local overlay_devices + overlay_devices="" + if [ "${whitelistdev}" != "ignore_all_devices" ] + then + for media in $(find_persistence_media "${overlays}" "${whitelistdev}") + do + # shellcheck disable=SC2086 + media="$(echo ${media} | tr ":" " ")" + + for overlay_label in ${custom_overlay_label} + do + case ${media} in + ${overlay_label}=*) + device="${media#*=}" + overlay_devices="${overlay_devices} ${device}" + ;; + esac + done + done + fi + elif [ -n "${NFS_COW}" ] && [ -z "${NOPERSISTENCE}" ] + then + # Check if there are any nfs options + # shellcheck disable=SC2086 + if echo ${NFS_COW} | grep -q ',' + then + # shellcheck disable=SC2086 + nfs_cow_opts="-o nolock,$(echo ${NFS_COW}|cut -d, -f2-)" + nfs_cow=$(echo ${NFS_COW}|cut -d, -f1) + else + nfs_cow_opts="-o nolock" + nfs_cow=${NFS_COW} + fi + + if [ -n "${PERSISTENCE_READONLY}" ] + then + nfs_cow_opts="${nfs_cow_opts},nocto,ro" + fi + + mac="$(get_mac)" + if [ -n "${mac}" ] + then + # shellcheck disable=SC2086 + cowdevice=$(echo ${nfs_cow} | sed "s/client_mac_address/${mac}/") + cow_fstype="nfs" + else + panic "unable to determine mac address" + fi + fi + + if [ -z "${cowdevice}" ] + then + cowdevice="tmpfs" + 
cow_fstype="tmpfs" + cow_mountopt="rw,noatime,mode=755,size=${OVERLAY_SIZE:-50%}" + fi + + if [ -n "${PERSISTENCE_READONLY}" ] && [ "${cowdevice}" != "tmpfs" ] + then + # shellcheck disable=SC2086 + mount -t tmpfs -o rw,noatime,mode=755,size=${OVERLAY_SIZE:-50%} tmpfs "/run/live/overlay" + # shellcheck disable=SC2086 + root_backing="/run/live/persistence/$(basename ${cowdevice})-root" + # shellcheck disable=SC2086 + mkdir -p ${root_backing} + else + root_backing="/run/live/overlay" + fi + + if [ "${cow_fstype}" = "nfs" ] + then + log_begin_msg \ + "Trying nfsmount ${nfs_cow_opts} ${cowdevice} ${root_backing}" + # shellcheck disable=SC2086 + nfsmount ${nfs_cow_opts} ${cowdevice} ${root_backing} || \ + panic "Can not mount ${cowdevice} (n: ${cow_fstype}) on ${root_backing}" + else + # shellcheck disable=SC2086 + mount -t ${cow_fstype} -o ${cow_mountopt} ${cowdevice} ${root_backing} || \ + panic "Can not mount ${cowdevice} (o: ${cow_fstype}) on ${root_backing}" + fi + + # shellcheck disable=SC2086 + rootfscount=$(echo ${rootfslist} |wc -w) + + rootfs=${rootfslist%% } + + if [ -n "${EXPOSED_ROOT}" ] + then + # shellcheck disable=SC2086 + if [ ${rootfscount} -ne 1 ] + then + panic "only one RO file system supported with exposedroot: ${rootfslist}" + fi + + # shellcheck disable=SC2086 + mount -o bind ${rootfs} ${rootmnt} || \ + panic "bind mount of ${rootfs} failed" + + if [ -z "${SKIP_UNION_MOUNTS}" ] + then + cow_dirs='/var/tmp /var/lock /var/run /var/log /var/spool /home /var/lib/live' + else + cow_dirs='' + fi + else + cow_dirs="/" + fi + + for dir in ${cow_dirs}; do + unionmountpoint=$(trim_path "${rootmnt}${dir}") + # shellcheck disable=SC2086 + mkdir -p ${unionmountpoint} + cow_dir=$(trim_path "/run/live/overlay${dir}") + rootfs_dir="${rootfs}${dir}" + # shellcheck disable=SC2086 + mkdir -p ${cow_dir} + if [ -n "${PERSISTENCE_READONLY}" ] && [ "${cowdevice}" != "tmpfs" ] + then + # shellcheck disable=SC2086 + do_union ${unionmountpoint} ${cow_dir} ${root_backing} 
${rootfs_dir} + else + # shellcheck disable=SC2086 + do_union ${unionmountpoint} ${cow_dir} ${rootfs_dir} + fi || panic "mount ${UNIONTYPE} on ${unionmountpoint} failed with option ${unionmountopts}" + done + + # Remove persistence depending on boot parameter + Remove_persistence + + # Correct the permissions of /: + chmod 0755 "${rootmnt}" + + # Correct the permission of /tmp: + if [ -d "${rootmnt}/tmp" ] + then + chmod 1777 "${rootmnt}"/tmp + fi + + # Correct the permission of /var/tmp: + if [ -d "${rootmnt}/var/tmp" ] + then + chmod 1777 "${rootmnt}"/var/tmp + fi + + # Adding custom persistence + if [ -n "${PERSISTENCE}" ] && [ -z "${NOPERSISTENCE}" ] + then + # shellcheck disable=SC3043 + local custom_mounts + custom_mounts="/tmp/custom_mounts.list" + # shellcheck disable=SC2086 + rm -f ${custom_mounts} + + # Gather information about custom mounts from devices detected as overlays + # shellcheck disable=SC2086 + get_custom_mounts ${custom_mounts} ${overlay_devices} + + # shellcheck disable=SC2086 + [ -n "${LIVE_BOOT_DEBUG}" ] && cp ${custom_mounts} "/run/live/persistence" + + # Now we do the actual mounting (and symlinking) + # shellcheck disable=SC3043 + local used_overlays + used_overlays="" + # shellcheck disable=SC2086 + used_overlays=$(activate_custom_mounts ${custom_mounts}) + # shellcheck disable=SC2086 + rm -f ${custom_mounts} + + # Close unused overlays (e.g., due to missing $persistence_list) + for overlay in ${overlay_devices} + do + # shellcheck disable=SC2086 + if echo ${used_overlays} | grep -qve "^\(.* \)\?${overlay}\( .*\)\?$" + then + close_persistence_media ${overlay} + fi + done + fi + + printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/9990-overlay.sh] ... \n\e[0m" +} diff --git a/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash b/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash index d9f0651..f8406c3 100644 --- a/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash 
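Review bot: In the plain-root branch of setup_unionfs, `mount -o bind ${croot}/filesystem $mountpoint` expands `$mountpoint`, which is never assigned anywhere in this function (the function only uses `mpoint` and `unionmountpoint`), so the bind mount runs with an empty target; the adjacent "Probably broken" comment shows this is known. Because `rootfslist` already receives `${croot}/filesystem` on the preceding line and the union loop below mounts from `${rootfs}`, the line appears to be dead and should be removed rather than left to fail noisily on every PLAIN_ROOT boot. The same branch also skips the dm-verity option parsing that the image-list branch performs, so a PLAIN_ROOT image is mounted with no integrity check on top of the LUKS layer's confidentiality; a comment stating where integrity for the decrypted root is expected to come from (`Verify_checksums` in Live(), or nothing) would help the next reader. Whether the active copy under config/includes.chroot carries the same branch is not visible in this patch.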
+++ b/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash @@ -116,11 +116,12 @@ log() { ### Declare variables. --------------------------------------------------------------------------------------------------------- export CDLB_ISO_LABEL="CISS.debian.live" export CDLB_LUKS_FS="/live/ciss_rootfs.crypt" +export CDLB_LUKS_ROOTFS_MNT="/run/live/ciss-rootfs" export CDLB_MAPPER_NAME="crypt_liveiso" export CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}" -CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}" -MNT_MEDIUM="/run/live/medium" -MNT_ROOTFS="/run/live/rootfs" +export CDLB_MNT_MEDIUM="/run/live/medium" +export CDLB_MNT_ROOTFS="/run/live/rootfs" +export CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}" _PARAMETER="" _dev="" @@ -141,22 +142,22 @@ done printf "\e[92m[INFO] CDLB_LUKS_FS : [%s] \n\e[0m" "${CDLB_LUKS_FS}" printf "\e[92m[INFO] CDLB_ISO_LABEL : [%s] \n\e[0m" "${CDLB_ISO_LABEL}" -mkdir -p "${MNT_MEDIUM}" "${MNT_ROOTFS}" +mkdir -p /conf "${CDLB_MNT_MEDIUM}" "${CDLB_MNT_ROOTFS}" ### Mount the live medium (ISO) read-only, unless already mounted. ------------------------------------------------------------- -if ! mountpoint -q "${MNT_MEDIUM}"; then +if ! mountpoint -q "${CDLB_MNT_MEDIUM}"; then if [ -n "${CDLB_ISO_LABEL}" ] && [ -e "/dev/disk/by-label/${CDLB_ISO_LABEL}" ]; then - mount -r -t iso9660 "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${MNT_MEDIUM}" 2>/dev/null \ - || mount -r -t udf "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${MNT_MEDIUM}" 2>/dev/null \ + mount -r -t iso9660 "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>/dev/null \ + || mount -r -t udf "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>/dev/null \ || log "could not mount label=${CDLB_ISO_LABEL} (iso9660/udf)" fi fi -if ! mountpoint -q "${MNT_MEDIUM}"; then +if ! mountpoint -q "${CDLB_MNT_MEDIUM}"; then ### Fallback scan (covers SR drives and loop-mounted ISOs that udev exposed). for _dev in /dev/sr* /dev/cdrom /dev/disk/by-label/*; do 
@@ -165,13 +166,13 @@ if ! mountpoint -q "${MNT_MEDIUM}"; then
 [ -b "${_dev}" ] || continue
 ### Try ISO9660 first, then UDF; only unmount on failure.
- if mount -r -t iso9660 "${_dev}" "${MNT_MEDIUM}" 2>/dev/null || mount -r -t udf "${_dev}" "${MNT_MEDIUM}" 2>/dev/null; then
+ if mount -r -t iso9660 "${_dev}" "${CDLB_MNT_MEDIUM}" 2>/dev/null || mount -r -t udf "${_dev}" "${CDLB_MNT_MEDIUM}" 2>/dev/null; then
- mountpoint -q "${MNT_MEDIUM}" 2>/dev/null && break
+ mountpoint -q "${CDLB_MNT_MEDIUM}" 2>/dev/null && break
 else
- umount "${MNT_MEDIUM}" 2>/dev/null || true
+ umount "${CDLB_MNT_MEDIUM}" 2>/dev/null || true
 fi
@@ -179,29 +180,38 @@ if ! mountpoint -q "${MNT_MEDIUM}"; then fi -if ! mountpoint -q "${MNT_MEDIUM}"; then +if ! mountpoint -q "${CDLB_MNT_MEDIUM}"; then - log "No live medium mounted, defer to default live-boot path." printf "\e[91m[FATAL] Boot failure : No live medium mounted, defer to default live-boot path. \n\e[0m" - exit 42 + sleep 60 + log "[FATAL] Boot failure : No live medium mounted, defer to default live-boot path." + panic "[FATAL] Boot failure : No live medium mounted, defer to default live-boot path." fi -printf "\e[92m[INFO] MNT_MEDIUM : [%s] \n\e[0m" "${MNT_MEDIUM}" +printf "\e[92m[INFO] MNT_MEDIUM : [%s] \n\e[0m" "${CDLB_MNT_MEDIUM}" ### Locate the encrypted root container on the medium. ------------------------------------------------------------------------- -if [ ! -f "${MNT_MEDIUM}${CDLB_LUKS_FS}" ]; then +if [ ! -f "${CDLB_MNT_MEDIUM}${CDLB_LUKS_FS}" ]; then - log "Encrypted root not found at: [${MNT_MEDIUM}${CDLB_LUKS_FS}]" - printf "\e[91m[FATAL] Boot failure : Encrypted root not found at: [%s%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LUKS_FS}" - exit 42 + printf "\e[91m[FATAL] Boot failure : Encrypted root not found at: [%s%s] \n\e[0m" "${CDLB_MNT_MEDIUM}" "${CDLB_LUKS_FS}" + sleep 60 + log "[FATAL] Boot failure : Encrypted root not found at: [${CDLB_MNT_MEDIUM}${CDLB_LUKS_FS}]" + panic "[FATAL] Boot failure : Encrypted root not found at: [${CDLB_MNT_MEDIUM}${CDLB_LUKS_FS}]" fi -printf "\e[92m[INFO] CISS LUKS FS : [%s%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LUKS_FS}" +printf "\e[92m[INFO] CISS LUKS FS : [%s%s] \n\e[0m" "${CDLB_MNT_MEDIUM}" "${CDLB_LUKS_FS}" ### Attach a loop device read-only to the encrypted file. ---------------------------------------------------------------------- -LOOP="$(losetup -f --show -r "${MNT_MEDIUM}${CDLB_LUKS_FS}")" || { log "losetup failed"; exit 42; } +if ! 
LOOP="$(losetup -f --show -r "${CDLB_MNT_MEDIUM}${CDLB_LUKS_FS}")"; then + + printf "\e[91m[FATAL] Boot failure : losetup failed \n\e[0m" + sleep 60 + log "[FATAL] Boot failure : losetup failed " + panic "[FATAL] Boot failure : losetup failed " + +fi printf "\e[92m[INFO] Loop device : [%s] \n\e[0m" "${LOOP}" @@ -225,8 +235,10 @@ fi if ! mkfifo /lib/cryptsetup/passfifo 2>/dev/null; then - printf "\e[92m[WARN] Boot failure : Failed to create /lib/cryptsetup/passfifo \n\e[0m" - exit 42 + printf "\e[92m[WARN] Boot failure : Failed to create [/lib/cryptsetup/passfifo] \n\e[0m" + sleep 60 + log "[WARN] Boot failure : Failed to create [/lib/cryptsetup/passfifo]" + panic "[WARN] Boot failure : Failed to create [/lib/cryptsetup/passfifo]" fi @@ -355,7 +367,9 @@ if [ ! -b "${CDLB_MAPPER_DEV}" ]; then kill "${PID_PROMPT}" 2>/dev/null || true kill "${PID_BROKER}" 2>/dev/null || true rm -f /lib/cryptsetup/passfifo 2>/dev/null || true - exit 42 + sleep 60 + log "[WARN] CISS LUKS decryption : Timeout LUKS mapper [${CDLB_MAPPER_DEV}] not present after ${CDLB_REMOTE_WAIT_SECS} seconds." + panic "[WARN] CISS LUKS decryption : Timeout LUKS mapper [${CDLB_MAPPER_DEV}] not present after ${CDLB_REMOTE_WAIT_SECS} seconds." fi 
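Review bot: The failure path introduced here — `printf` banner, `sleep 60`, `log`, `panic`, each carrying the same message — is repeated verbatim in the two hunks that follow on this line (the passfifo check and the mapper timeout), in the final sanity-check hunk further down, and again in Live() in 9990-main.sh; a small helper would keep each message in one place, e.g. `ciss_fatal() { printf "\e[91m%s \n\e[0m" "$*"; sleep 60; log "$*"; panic "$*"; }`. Note that in initramfs-tools, as far as I recall, `panic` drops to an interactive initramfs shell unless `panic=<secs>` is on the kernel command line, whereas the previous `exit 42` returned control to the live-boot hook runner; since this file guards the LUKS unlock, the intended behaviour on failure (rescue shell vs. reboot) deserves a one-line comment at the helper so the change is deliberate rather than incidental.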
@@ -365,45 +379,42 @@ rm -f /lib/cryptsetup/passfifo 2>/dev/null || true printf "\e[92m[INFO] CISS LUKS decryption : [%s] is now present.\n\e[0m" "${CDLB_MAPPER_DEV}" -### Mount the decrypted root device ready to use als PLAIN_ROOT artifact in '9990-main.sh'. ------------------------------------ -if ! mount -r -t squashfs "${CDLB_MAPPER_DEV}" "${MNT_ROOTFS}"; then +### Expose the decrypted root device for live-boot overlay. The live-boot components will pick this up in '9990-overlay.sh'. --- +cat << EOF >| /run/ciss-rootdev +export CDLB_ISO_LABEL=${CDLB_ISO_LABEL} +export CDLB_LUKS_FS=${CDLB_LUKS_FS} +export CDLB_LUKS_ROOTFS_MNT=${CDLB_LUKS_ROOTFS_MNT} +export CDLB_MAPPER_NAME=${CDLB_MAPPER_NAME} +export CDLB_MAPPER_DEV=${CDLB_MAPPER_DEV} +export CDLB_MNT_MEDIUM=${CDLB_MNT_MEDIUM} +export CDLB_MNT_ROOTFS=${CDLB_MNT_ROOTFS} +export CDLB_REMOTE_WAIT_SECS=${CDLB_REMOTE_WAIT_SECS} +EOF +chmod 0444 /run/ciss-rootdev 2>/dev/null || true - log "Failed to mount SquashFS from [${CDLB_MAPPER_DEV}] on [${MNT_ROOTFS}]" - printf "\e[91m[WARN] CISS LUKS decryption : SquashFS mount failed: [%s] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}" "${MNT_ROOTFS}" - exit 42 +### Override '9990-main.sh' behavior to ensure 'Verify_checksums()' functions properly. ---------------------------------------- +if [ ! -e /conf/param.conf ]; then -else - - printf "\e[92m[INFO] CISS LUKS decryption : Mounted SquashFS: [%s] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}" "${MNT_ROOTFS}" + printf "\e[92m[INFO] CISS LUKS decryption : Not existing [/conf/param.conf] \n\e[0m" + : >| /conf/param.conf fi -### Expose the decrypted root device for live-boot overlay. The live-boot components will pick this up in '9990-overlay.sh'. --- -echo "${CDLB_MAPPER_DEV}" >| /run/ciss-rootdev -chmod 0644 /run/ciss-rootdev 2>/dev/null || true -export CISS_ROOT_DEV="${CDLB_MAPPER_DEV}" -export CISS_ROOT_DIR="" +if ! grep -q '^PLAIN_ROOT=' /conf/param.conf 2>/dev/null; then + + printf 'PLAIN_ROOT=1\n' >> /conf/param.conf + +fi + +if ! 
grep -q '^livefs_root=' /conf/param.conf 2>/dev/null; then + + printf 'livefs_root=%s\n' "/run/live/medium" >> /conf/param.conf -# TODO: Remove Debug -if [ -e /conf/param.conf ]; then - printf "\e[92m[INFO] CISS LUKS decryption : Printing existing [/conf/param.conf] \n\e[0m" - cat /conf/param.conf >/dev/console 2>&1 || : - { - printf '\n' - printf 'PLAIN_ROOT=1\n' - printf 'ROOT=%s\n' "${MNT_ROOTFS}" - } >> /conf/param.conf 2>/dev/null || true -else - printf "\e[92m[INFO] CISS LUKS decryption : Not existing [/conf/param.conf] \n\e[0m" - { - printf '\n' - printf 'PLAIN_ROOT=1\n' - printf 'ROOT=%s\n' "${MNT_ROOTFS}" - } >| /conf/param.conf 2>/dev/null || true fi printf "\e[92m[INFO] CISS LUKS decryption : Final state [/conf/param.conf] \n\e[0m" cat /conf/param.conf >/dev/console 2>&1 || : +sleep 8 log "Decrypted root device exposed at [/run/ciss-rootdev] -> [${CDLB_MAPPER_DEV}]" printf "\e[92m[INFO] CISS LUKS decryption : Decrypted root device exposed at: [/run/ciss-rootdev] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}" @@ -411,9 +422,10 @@ printf "\e[92m[INFO] CISS LUKS decryption : Decrypted root device exposed at: [/ ### Final sanity check. -------------------------------------------------------------------------------------------------------- if [ ! -b "${CDLB_MAPPER_DEV}" ]; then - log "Failed to unlock encrypted root [${CDLB_LUKS_FS}] via dropbear and console." printf "\e[91m[WARN] Failed unlock : [%s] via dropbear and console. \n\e[0m" "${CDLB_LUKS_FS}" - exit 42 + sleep 60 + log "[WARN] Failed unlock : [${CDLB_LUKS_FS}] via dropbear and console." + panic "[WARN] Failed unlock : [${CDLB_LUKS_FS}] via dropbear and console." fi diff --git a/config/includes.chroot/usr/lib/live/boot/9990-main.sh b/config/includes.chroot/usr/lib/live/boot/9990-main.sh index 5cf59b1..c064932 100644 --- a/config/includes.chroot/usr/lib/live/boot/9990-main.sh +++ b/config/includes.chroot/usr/lib/live/boot/9990-main.sh 
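Review bot: `/run/ciss-rootdev` is now a shell fragment that the consumer sources with `.`, but the unquoted heredoc writes every value bare (`export CDLB_MAPPER_DEV=${CDLB_MAPPER_DEV}`), so any value containing whitespace or shell metacharacters is re-parsed as code at source time; `CDLB_REMOTE_WAIT_SECS` in particular comes from the environment rather than a literal in this file. Single-quoting each value inside the heredoc, `export CDLB_REMOTE_WAIT_SECS='${CDLB_REMOTE_WAIT_SECS}'` and likewise for the other seven lines, turns the file back into a plain assignment list (heredoc expansion still applies inside the quotes). The `livefs_root=` line a few lines down hardcodes `"/run/live/medium"` while the rest of the file uses `${CDLB_MNT_MEDIUM}`; using the variable keeps the two from drifting. The removed squashfs test-mount was also the only check that the unlocked mapper actually holds a mountable filesystem before the hand-off; that failure is now first seen inside setup_unionfs, which is worth a comment here.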
@@ -128,45 +128,53 @@ Live () fi printf "\e[93m[DEBUG] live(): [%s] -> livefs_root. \e[0m\n" "${livefs_root}" - if [ -z "${livefs_root}" ] - then - panic "Unable to find a medium containing a live file system" + if [ -z "${livefs_root}" ]; then + + printf "\e[91m[FATAL] live() : Unable to find a medium containing a live file system. \e[0m\n" + sleep 60 + log "[FATAL] live() : Unable to find a medium containing a live file system." + panic "[FATAL] live() : Unable to find a medium containing a live file system." + fi printf "\e[93m[DEBUG] live(): Before [Verify_checksums %s] \e[0m\n" "${livefs_root}" Verify_checksums "${livefs_root}" # shellcheck disable=SC2244 - if [ "${TORAM}" ] - then + if [ "${TORAM}" ]; then + live_dest="ram" - elif [ "${TODISK}" ] - then + + elif [ "${TODISK}" ]; then + live_dest="${TODISK}" + fi # shellcheck disable=SC2244 - if [ "${live_dest}" ] - then + if [ "${live_dest}" ]; then + log_begin_msg "Copying live media to ${live_dest}" copy_live_to "${livefs_root}" "${live_dest}" log_end_msg + fi # if we do not unmount the ISO, we can't run "fsck /dev/ice" later on # because the mountpoint is left behind in /proc/mounts, so let's get # rid of it when running from RAM # shellcheck disable=SC2244 - if [ -n "${FROMISO}" ] && [ "${TORAM}" ] - then + if [ -n "${FROMISO}" ] && [ "${TORAM}" ]; then + losetup -d /dev/loop0 - if is_mountpoint /run/live/fromiso - then + if is_mountpoint /run/live/fromiso; then + umount /run/live/fromiso - rmdir --ignore-fail-on-non-empty /run/live/fromiso \ - >/dev/null 2>&1 || true + rmdir --ignore-fail-on-non-empty /run/live/fromiso >/dev/null 2>&1 || true + fi + fi printf "\e[93m[DBG] Live(): before overlay, live_dest=%s \e[0m\n" "${live_dest:-}" diff --git a/config/includes.chroot/usr/lib/live/boot/9990-overlay.sh b/config/includes.chroot/usr/lib/live/boot/9990-overlay.sh index f90752a..8d7cb2c 100644 --- a/config/includes.chroot/usr/lib/live/boot/9990-overlay.sh 
+++ b/config/includes.chroot/usr/lib/live/boot/9990-overlay.sh @@ -31,25 +31,18 @@ setup_unionfs () addimage_directory="${3}" ### CISS hook: allow explicit root override ---------------------------------------------------------------------------------- - #if [ -z "${CISS_ROOT_DEV:-}" ] && [ -r /run/ciss-rootdev ]; then + if [ -r /run/ciss-rootdev ]; then - # CISS_ROOT_DEV=$(cat /run/ciss-rootdev 2>/dev/null || printf '') + . /run/ciss-rootdev - #fi + export PLAIN_ROOT=1 + export image_directory="${CDLB_MAPPER_DEV}" - #if [ -n "${CISS_ROOT_DEV:-}" ]; then + printf "\e[92m[INFO] setup_unionfs() : [image_directory=%s] \n\e[0m" "${image_directory}" + printf "\e[92m[INFO] setup_unionfs() : [rootmnt=%s] \n\e[0m" "${rootmnt}" + printf "\e[92m[INFO] setup_unionfs() : [addimage_directory=%s] \n\e[0m" "${addimage_directory}" - ### Treat the decrypted block device as plain root (e.g., squashfs on LUKS). - # PLAIN_ROOT=1 - # image_directory="${CISS_ROOT_DEV}" - - #elif [ -n "${CISS_ROOT_DIR:-}" ]; then - - ### Alternative: explicitly provided root directory. - # PLAIN_ROOT=1 - # image_directory="${CISS_ROOT_DIR}" - - #fi + fi ### -------------------------------------------------------------------------------------------------------------------------- # shellcheck disable=SC2086
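Review bot: After `. /run/ciss-rootdev` nothing confirms that `CDLB_MAPPER_DEV` arrived set and names a block device before it is exported as `image_directory`; a stale or empty file would still set `PLAIN_ROOT=1` and send an empty path into the plain-root mount. Add `[ -b "${CDLB_MAPPER_DEV:-}" ] || panic "setup_unionfs: CDLB_MAPPER_DEV is not a block device: [${CDLB_MAPPER_DEV:-}]"` directly after the source line. Sourcing a runtime-generated file also makes this hook trust the producer (0024-ciss-crypt-squash) to emit shell-safe values; the file lives under /run inside the initramfs so exposure is limited, but a comment such as `# /run/ciss-rootdev is written by 0024-ciss-crypt-squash and sourced here, so its values must be quoted shell assignments` records that contract for both sides. The rest of setup_unionfs, including the plain-root mount this override selects, is outside the hunk.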