V8.13.440.2025.11.19

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash

@@ -116,11 +116,12 @@ log() {
 ### Declare variables. ---------------------------------------------------------------------------------------------------------
 export CDLB_ISO_LABEL="CISS.debian.live"
 export CDLB_LUKS_FS="/live/ciss_rootfs.crypt"
+export CDLB_LUKS_ROOTFS_MNT="/run/live/ciss-rootfs"
 export CDLB_MAPPER_NAME="crypt_liveiso"
 export CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
-CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}"
-MNT_MEDIUM="/run/live/medium"
-MNT_ROOTFS="/run/live/rootfs"
+export CDLB_MNT_MEDIUM="/run/live/medium"
+export CDLB_MNT_ROOTFS="/run/live/rootfs"
+export CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}"
 _PARAMETER=""
 _dev=""
 
@@ -141,22 +142,22 @@ done
 printf "\e[92m[INFO] CDLB_LUKS_FS         : [%s] \n\e[0m" "${CDLB_LUKS_FS}"
 printf "\e[92m[INFO] CDLB_ISO_LABEL       : [%s] \n\e[0m" "${CDLB_ISO_LABEL}"
 
-mkdir -p "${MNT_MEDIUM}" "${MNT_ROOTFS}"
+mkdir -p /conf "${CDLB_MNT_MEDIUM}" "${CDLB_MNT_ROOTFS}"
 
 ### Mount the live medium (ISO) read-only, unless already mounted. -------------------------------------------------------------
-if ! mountpoint -q "${MNT_MEDIUM}"; then
+if ! mountpoint -q "${CDLB_MNT_MEDIUM}"; then
 
   if [ -n "${CDLB_ISO_LABEL}" ] && [ -e "/dev/disk/by-label/${CDLB_ISO_LABEL}" ]; then
 
-    mount -r -t iso9660 "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${MNT_MEDIUM}" 2>/dev/null \
-      || mount -r -t udf "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${MNT_MEDIUM}" 2>/dev/null \
+    mount -r -t iso9660 "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>/dev/null \
+      || mount -r -t udf "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>/dev/null \
       || log "could not mount label=${CDLB_ISO_LABEL} (iso9660/udf)"
 
   fi
 
 fi
 
-if ! mountpoint -q "${MNT_MEDIUM}"; then
+if ! mountpoint -q "${CDLB_MNT_MEDIUM}"; then
 
   ### Fallback scan (covers SR drives and loop-mounted ISOs that udev exposed).
   for _dev in /dev/sr* /dev/cdrom /dev/disk/by-label/*; do
@@ -165,13 +166,13 @@ if ! mountpoint -q "${MNT_MEDIUM}"; then
     [ -b "${_dev}" ] || continue
 
     ### Try ISO9660 first, then UDF; only unmount on failure.
-    if mount -r -t iso9660 "${_dev}" "${MNT_MEDIUM}" 2>/dev/null || mount -r -t udf   "${_dev}" "${MNT_MEDIUM}" 2>/dev/null; then
+    if mount -r -t iso9660 "${_dev}" "${CDLB_MNT_MEDIUM}" 2>/dev/null || mount -r -t udf   "${_dev}" "${CDLB_MNT_MEDIUM}" 2>/dev/null; then
 
-      mountpoint -q "${MNT_MEDIUM}" 2>/dev/null && break
+      mountpoint -q "${CDLB_MNT_MEDIUM}" 2>/dev/null && break
 
     else
 
-      umount "${MNT_MEDIUM}" 2>/dev/null || true
+      umount "${CDLB_MNT_MEDIUM}" 2>/dev/null || true
 
     fi
 
@@ -179,29 +180,38 @@ if ! mountpoint -q "${MNT_MEDIUM}"; then
 
 fi
 
-if ! mountpoint -q "${MNT_MEDIUM}"; then
+if ! mountpoint -q "${CDLB_MNT_MEDIUM}"; then
 
-  log "No live medium mounted, defer to default live-boot path."
   printf "\e[91m[FATAL] Boot failure        : No live medium mounted, defer to default live-boot path. \n\e[0m"
-  exit 42
+  sleep 60
+  log   "[FATAL] Boot failure        : No live medium mounted, defer to default live-boot path."
+  panic "[FATAL] Boot failure        : No live medium mounted, defer to default live-boot path."
 
 fi
 
-printf "\e[92m[INFO] MNT_MEDIUM           : [%s] \n\e[0m" "${MNT_MEDIUM}"
+printf "\e[92m[INFO] MNT_MEDIUM           : [%s] \n\e[0m" "${CDLB_MNT_MEDIUM}"
 
 ### Locate the encrypted root container on the medium. -------------------------------------------------------------------------
-if [ ! -f "${MNT_MEDIUM}${CDLB_LUKS_FS}" ]; then
+if [ ! -f "${CDLB_MNT_MEDIUM}${CDLB_LUKS_FS}" ]; then
 
-  log "Encrypted root not found at: [${MNT_MEDIUM}${CDLB_LUKS_FS}]"
-  printf "\e[91m[FATAL] Boot failure        : Encrypted root not found at: [%s%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LUKS_FS}"
-  exit 42
+  printf "\e[91m[FATAL] Boot failure        : Encrypted root not found at: [%s%s] \n\e[0m" "${CDLB_MNT_MEDIUM}" "${CDLB_LUKS_FS}"
+  sleep 60
+  log   "[FATAL] Boot failure        : Encrypted root not found at: [${CDLB_MNT_MEDIUM}${CDLB_LUKS_FS}]"
+  panic "[FATAL] Boot failure        : Encrypted root not found at: [${CDLB_MNT_MEDIUM}${CDLB_LUKS_FS}]"
 
 fi
 
-printf "\e[92m[INFO] CISS LUKS FS         : [%s%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LUKS_FS}"
+printf "\e[92m[INFO] CISS LUKS FS         : [%s%s] \n\e[0m" "${CDLB_MNT_MEDIUM}" "${CDLB_LUKS_FS}"
 
 ### Attach a loop device read-only to the encrypted file. ----------------------------------------------------------------------
-LOOP="$(losetup -f --show -r "${MNT_MEDIUM}${CDLB_LUKS_FS}")" || { log "losetup failed"; exit 42; }
+if ! LOOP="$(losetup -f --show -r "${CDLB_MNT_MEDIUM}${CDLB_LUKS_FS}")"; then
+
+  printf "\e[91m[FATAL] Boot failure        : losetup failed \n\e[0m"
+  sleep 60
+  log   "[FATAL] Boot failure        : losetup failed "
+  panic "[FATAL] Boot failure        : losetup failed "
+
+fi
 
 printf "\e[92m[INFO] Loop device          : [%s] \n\e[0m" "${LOOP}"
 
@@ -225,8 +235,10 @@ fi
 
 if ! mkfifo /lib/cryptsetup/passfifo 2>/dev/null; then
 
-  printf "\e[92m[WARN] Boot failure         : Failed to create /lib/cryptsetup/passfifo \n\e[0m"
-  exit 42
+  printf "\e[92m[WARN] Boot failure         : Failed to create [/lib/cryptsetup/passfifo] \n\e[0m"
+  sleep 60
+  log   "[WARN] Boot failure         : Failed to create [/lib/cryptsetup/passfifo]"
+  panic "[WARN] Boot failure         : Failed to create [/lib/cryptsetup/passfifo]"
 
 fi
 
@@ -355,7 +367,9 @@ if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
   kill "${PID_PROMPT}" 2>/dev/null || true
   kill "${PID_BROKER}" 2>/dev/null || true
   rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
-  exit 42
+  sleep 60
+  log   "[WARN] CISS LUKS decryption : Timeout LUKS mapper [${CDLB_MAPPER_DEV}] not present after ${CDLB_REMOTE_WAIT_SECS} seconds."
+  panic "[WARN] CISS LUKS decryption : Timeout LUKS mapper [${CDLB_MAPPER_DEV}] not present after ${CDLB_REMOTE_WAIT_SECS} seconds."
 
 fi
 
@@ -365,45 +379,42 @@ rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
 
 printf "\e[92m[INFO] CISS LUKS decryption : [%s] is now present.\n\e[0m" "${CDLB_MAPPER_DEV}"
 
-### Mount the decrypted root device ready to use als PLAIN_ROOT artifact in '9990-main.sh'. ------------------------------------
-if ! mount -r -t squashfs "${CDLB_MAPPER_DEV}" "${MNT_ROOTFS}"; then
+### Expose the decrypted root device for live-boot overlay. The live-boot components will pick this up in '9990-overlay.sh'. ---
+cat << EOF >| /run/ciss-rootdev
+export CDLB_ISO_LABEL=${CDLB_ISO_LABEL}
+export CDLB_LUKS_FS=${CDLB_LUKS_FS}
+export CDLB_LUKS_ROOTFS_MNT=${CDLB_LUKS_ROOTFS_MNT}
+export CDLB_MAPPER_NAME=${CDLB_MAPPER_NAME}
+export CDLB_MAPPER_DEV=${CDLB_MAPPER_DEV}
+export CDLB_MNT_MEDIUM=${CDLB_MNT_MEDIUM}
+export CDLB_MNT_ROOTFS=${CDLB_MNT_ROOTFS}
+export CDLB_REMOTE_WAIT_SECS=${CDLB_REMOTE_WAIT_SECS}
+EOF
+chmod 0444 /run/ciss-rootdev 2>/dev/null || true
 
-  log "Failed to mount SquashFS from [${CDLB_MAPPER_DEV}] on [${MNT_ROOTFS}]"
-  printf "\e[91m[WARN] CISS LUKS decryption  : SquashFS mount failed: [%s] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}" "${MNT_ROOTFS}"
-  exit 42
+### Override '9990-main.sh' behavior to ensure 'Verify_checksums()' functions properly. ----------------------------------------
+if [ ! -e /conf/param.conf ]; then
 
-else
-
-  printf "\e[92m[INFO] CISS LUKS decryption  : Mounted SquashFS: [%s] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}" "${MNT_ROOTFS}"
+  printf "\e[92m[INFO] CISS LUKS decryption : Not existing [/conf/param.conf] \n\e[0m"
+  : >| /conf/param.conf
 
 fi
 
-### Expose the decrypted root device for live-boot overlay. The live-boot components will pick this up in '9990-overlay.sh'. ---
-echo "${CDLB_MAPPER_DEV}" >| /run/ciss-rootdev
-chmod 0644 /run/ciss-rootdev 2>/dev/null || true
-export CISS_ROOT_DEV="${CDLB_MAPPER_DEV}"
-export CISS_ROOT_DIR=""
+if ! grep -q '^PLAIN_ROOT=' /conf/param.conf 2>/dev/null; then
+
+  printf 'PLAIN_ROOT=1\n' >> /conf/param.conf
+
+fi
+
+if ! grep -q '^livefs_root=' /conf/param.conf 2>/dev/null; then
+
+  printf 'livefs_root=%s\n' "/run/live/medium" >> /conf/param.conf
 
-# TODO: Remove Debug
-if [ -e /conf/param.conf ]; then
-  printf "\e[92m[INFO] CISS LUKS decryption : Printing existing [/conf/param.conf] \n\e[0m"
-  cat /conf/param.conf >/dev/console 2>&1 || :
-  {
-    printf '\n'
-    printf 'PLAIN_ROOT=1\n'
-    printf 'ROOT=%s\n' "${MNT_ROOTFS}"
-  } >> /conf/param.conf 2>/dev/null || true
-else
-  printf "\e[92m[INFO] CISS LUKS decryption : Not existing [/conf/param.conf] \n\e[0m"
-  {
-    printf '\n'
-    printf 'PLAIN_ROOT=1\n'
-    printf 'ROOT=%s\n' "${MNT_ROOTFS}"
-  } >| /conf/param.conf 2>/dev/null || true
 fi
 
 printf "\e[92m[INFO] CISS LUKS decryption : Final state [/conf/param.conf] \n\e[0m"
 cat /conf/param.conf >/dev/console 2>&1 || :
+sleep 8
 
 log "Decrypted root device exposed at [/run/ciss-rootdev] -> [${CDLB_MAPPER_DEV}]"
 printf "\e[92m[INFO] CISS LUKS decryption : Decrypted root device exposed at: [/run/ciss-rootdev] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}"
@@ -411,9 +422,10 @@ printf "\e[92m[INFO] CISS LUKS decryption : Decrypted root device exposed at: [/
 ### Final sanity check. --------------------------------------------------------------------------------------------------------
 if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
 
-  log "Failed to unlock encrypted root [${CDLB_LUKS_FS}] via dropbear and console."
   printf "\e[91m[WARN] Failed unlock        : [%s] via dropbear and console. \n\e[0m" "${CDLB_LUKS_FS}"
-  exit 42
+  sleep 60
+  log   "[WARN] Failed unlock        : [${CDLB_LUKS_FS}] via dropbear and console."
+  panic "[WARN] Failed unlock        : [${CDLB_LUKS_FS}] via dropbear and console."
 
 fi
 

config/includes.chroot/usr/lib/live/boot/9990-main.sh

@@ -128,45 +128,53 @@ Live ()
   fi
 
   printf "\e[93m[DEBUG] live(): [%s] -> livefs_root. \e[0m\n" "${livefs_root}"
-  if [ -z "${livefs_root}" ]
-  then
-    panic "Unable to find a medium containing a live file system"
+  if [ -z "${livefs_root}" ]; then
+
+    printf "\e[91m[FATAL] live()              : Unable to find a medium containing a live file system. \e[0m\n"
+    sleep 60
+    log   "[FATAL] live()              : Unable to find a medium containing a live file system."
+    panic "[FATAL] live()              : Unable to find a medium containing a live file system."
+
   fi
 
   printf "\e[93m[DEBUG] live(): Before [Verify_checksums %s] \e[0m\n" "${livefs_root}"
   Verify_checksums "${livefs_root}"
 
   # shellcheck disable=SC2244
-  if [ "${TORAM}" ]
-  then
+  if [ "${TORAM}" ]; then
+
     live_dest="ram"
-  elif [ "${TODISK}" ]
-  then
+
+  elif [ "${TODISK}" ]; then
+
     live_dest="${TODISK}"
+
   fi
 
   # shellcheck disable=SC2244
-  if [ "${live_dest}" ]
-  then
+  if [ "${live_dest}" ]; then
+
     log_begin_msg "Copying live media to ${live_dest}"
     copy_live_to "${livefs_root}" "${live_dest}"
     log_end_msg
+
   fi
 
   # if we do not unmount the ISO, we can't run "fsck /dev/ice" later on
   # because the mountpoint is left behind in /proc/mounts, so let's get
   # rid of it when running from RAM
   # shellcheck disable=SC2244
-  if [ -n "${FROMISO}" ] && [ "${TORAM}" ]
-  then
+  if [ -n "${FROMISO}" ] && [ "${TORAM}" ]; then
+
     losetup -d /dev/loop0
 
-    if is_mountpoint /run/live/fromiso
-    then
+    if is_mountpoint /run/live/fromiso; then
+
       umount /run/live/fromiso
-      rmdir --ignore-fail-on-non-empty /run/live/fromiso \
-        >/dev/null 2>&1 || true
+      rmdir --ignore-fail-on-non-empty /run/live/fromiso >/dev/null 2>&1 || true
+
     fi
+
   fi
 
   printf "\e[93m[DBG] Live(): before overlay, live_dest=%s \e[0m\n" "${live_dest:-<none>}"

config/includes.chroot/usr/lib/live/boot/9990-overlay.sh

@@ -31,25 +31,18 @@ setup_unionfs ()
   addimage_directory="${3}"
 
   ### CISS hook: allow explicit root override ----------------------------------------------------------------------------------
-  #if [ -z "${CISS_ROOT_DEV:-}" ] && [ -r /run/ciss-rootdev ]; then
+  if [ -r /run/ciss-rootdev ]; then
 
-  #  CISS_ROOT_DEV=$(cat /run/ciss-rootdev 2>/dev/null || printf '')
+    . /run/ciss-rootdev
 
-  #fi
+    export PLAIN_ROOT=1
+    export image_directory="${CDLB_MAPPER_DEV}"
 
-  #if [ -n "${CISS_ROOT_DEV:-}" ]; then
+    printf "\e[92m[INFO] setup_unionfs()      : [image_directory=%s]    \n\e[0m" "${image_directory}"
+    printf "\e[92m[INFO] setup_unionfs()      : [rootmnt=%s]            \n\e[0m" "${rootmnt}"
+    printf "\e[92m[INFO] setup_unionfs()      : [addimage_directory=%s] \n\e[0m" "${addimage_directory}"
 
-    ### Treat the decrypted block device as plain root (e.g., squashfs on LUKS).
-  #  PLAIN_ROOT=1
-  #  image_directory="${CISS_ROOT_DEV}"
-
-  #elif [ -n "${CISS_ROOT_DIR:-}" ]; then
-
-    ### Alternative: explicitly provided root directory.
-  #  PLAIN_ROOT=1
-  #  image_directory="${CISS_ROOT_DIR}"
-
-  #fi
+  fi
   ### --------------------------------------------------------------------------------------------------------------------------
 
   # shellcheck disable=SC2086