msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.404.2025.11.10
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m15s
Details
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 54s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-11-10 11:57:27 +01:00
parent fc263c95e3
commit 6c00891cd4
62 changed files with 1419 additions and 312 deletions
Download Patch File Download Diff File Expand all files Collapse all files

138
config/hooks/live/0001_initramfs_modules.chroot
View File

@@ -1,6 +1,6 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -339,138 +339,10 @@ FSTYPE=auto
EOF
cat << EOF >| /etc/initramfs-tools/hooks/ciss_debian_live_builder
#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
EOF
cat << 'EOF' >> /etc/initramfs-tools/hooks/ciss_debian_live_builder
set -e
printf "\e[95mStarting: [ciss_debian_live_builder] \n\e[0m"
PREREQ=""
prereqs() { echo "${PREREQ}"; }
# shellcheck disable=SC2249
case "${1}" in
prereqs) prereqs; exit 0 ;;
esac
. /usr/share/initramfs-tools/hook-functions
### Ensure directory structure in initramfs ------------------------------------------------------------------------------------
install -d -m 0755 "${DESTDIR}/etc/ciss/keys"
install -d -m 0755 "${DESTDIR}/etc/initramfs-tools/conf.d"
install -d -m 0755 "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
install -d -m 0755 "${DESTDIR}/usr/bin"
install -d -m 0755 "${DESTDIR}/usr/local/bin"
install -d -m 0755 "${DESTDIR}/usr/sbin"
### Include 'bash' -------------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/bash /usr/bin/bash
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/bash /usr/bin/bash] \n\e[0m"
### Include 'blkid' ------------------------------------------------------------------------------------------------------------
copy_exec /usr/sbin/blkid /usr/sbin/blkid
printf "\e[92mSuccessfully executed: [copy_exec /usr/sbin/blkid /usr/sbin/blkid] \n\e[0m"
### Include 'busybox' ----------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/busybox /usr/busybox
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/busybox /usr/busybox] \n\e[0m"
### Include GNU coreutils 'sort' (has -V) --------------------------------------------------------------------------------------
copy_exec /usr/bin/sort /usr/bin/sort
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sort /usr/bin/sort] \n\e[0m"
### Include 'gpgv' -------------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/gpgv /usr/bin/gpgv
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/gpgv /usr/bin/gpgv] \n\e[0m"
### Include 'lsblk' ------------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/lsblk /usr/bin/lsblk
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/lsblk /usr/bin/lsblk] \n\e[0m"
### Include 'mkpasswd' ---------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/mkpasswd /usr/mkpasswd
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/mkpasswd] \n\e[0m"
copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd] \n\e[0m"
### Include 'udevadm' (udev management tool) -----------------------------------------------------------------------------------
copy_exec /usr/bin/udevadm /usr/bin/udevadm
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/udevadm /usr/bin/udevadm] \n\e[0m"
### Include 'sha384sum' 'sha512sum' --------------------------------------------------------------------------------------------
copy_exec /usr/bin/sha384sum /usr/bin/sha384sum
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha384sum /usr/bin/sha384sum ] \n\e[0m"
copy_exec /usr/bin/sha512sum /usr/bin/sha512sum
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha512sum /usr/bin/sha512sum] \n\e[0m"
### Include 'tree' -------------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/tree /usr/bin/tree
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/tree /usr/bin/tree] \n\e[0m"
### Include 'whois' ------------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/whois /usr/bin/whois
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/whois /usr/bin/whois] \n\e[0m"
### Link busybox applets for compatibility -------------------------------------------------------------------------------------
for dir in bin usr/bin; do
ln -sf busybox "${DESTDIR}/${dir}/cat"
ln -sf busybox "${DESTDIR}/${dir}/sleep"
done
### Install GPG signing keys ---------------------------------------------------------------------------------------------------
src_dir="/etc/ciss/keys"
dst_dir="${DESTDIR}/etc/ciss/keys"
key=""
if [ -d "${src_dir}" ]; then
install -d -m 0755 "${dst_dir}"
for key in "${src_dir}"/*.gpg; do
[ -e "${key}" ] || continue
install -m 0444 "${key}" "${dst_dir}/"
printf '\e[92mSuccessfully executed: [install -m 0444 %s %s]\n\e[0m' "${key}" "${dst_dir}"
done
fi
printf "\e[92mSuccessfully executed: [ciss_debian_live_builder] \n\e[0m"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder
chmod 0755 /etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh
chmod 0755 /etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

20
config/hooks/live/0020_dropbear_build.chroot
View File

@@ -36,13 +36,22 @@ cd "${var_build_dir}"
# -Wl,-z,relro,-z,now: Enables full RELRO (symbol resolution at program startup)
# shellcheck disable=SC2016,SC2312
setsid bash -c '
if ! setsid bash -c '
### Sterile environment for the build-process.
export -n SHELLOPTS
export -n SHELLOPTS || true
set +u
unset PATH_SEPARATOR
PATH_SEPARATOR=":"
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
if ! command -v musl-gcc >/dev/null 2>&1; then
echo "ERROR: musl-gcc not found. Install musl-tools in chroot." >&2
exit 1
fi
CC=musl-gcc \
CFLAGS="-Os -fPIE -Wno-undef -fstack-protector-strong -D_FORTIFY_SOURCE=2" \
LDFLAGS="-static -pie -s -Wl,-z,relro,-z,now" \
@@ -55,6 +64,13 @@ setsid bash -c '
# shellcheck disable=2312
make -j"$(nproc)"
' >| "${var_logfile}" 2>&1
then
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Dropbear build failed. See [%s] \e[0m\n" "${var_logfile}" >&2
tail -n 42 "${var_logfile}" >&2 || true
exit 42
fi
rm -rf /root/dropbear

106
config/hooks/live/0021_dropbear_initramfs.chroot
View File

@@ -1,6 +1,6 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -13,60 +13,45 @@ set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
### Declare Arrays, HashMaps, and Variables.
declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
### Declare Arrays, HashMaps, and Variables.
declare var_file=""
declare -r var_logfile="/root/.ciss/cdi/log/4311_dropbear_initramfs.log"
declare var_target="${TARGET}"
apt-get install -y --no-install-recommends --no-install-suggests dropbear-initramfs dropbear-bin 2>&1 | tee -a "${var_logfile}"
apt-get purge -y dropbear dropbear-run 2>&1 | tee -a "${var_logfile}"
apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a "${var_logfile}"
apt-mark hold dropbear dropbear-initramfs 2>&1 | tee -a "${var_logfile}"
### Check for TARGET / RECOVERY.
[[ "${VAR_RUN_RECOVERY}" == "true" ]] && var_target="${RECOVERY}"
chroot_logger "${var_target}${var_logfile}"
chroot_script "${var_target}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends --no-install-suggests dropbear-initramfs dropbear-bin 2>&1 | tee -a ${var_logfile}
"
chroot_script "${var_target}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get purge -y dropbear dropbear-run || true
"
chroot_script "${var_target}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a ${var_logfile}
"
chroot_script "${var_target}" "
export INITRD=No
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
apt-mark hold dropbear dropbear-initramfs 2>&1 | tee -a ${var_logfile}
"
mv "${var_target}/usr/sbin/dropbear" "${var_target}/usr/sbin/dropbear.trixie"
install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/dropbear" "${var_target}/usr/sbin/"
do_log "debug" "file_only" "4311() Installation [dropbear] successful."
mv /usr/share/initramfs-tools/scripts/init-premount/dropbear /usr/share/initramfs-tools/scripts/init-premount/dropbear.trixie
install -m 0755 -o root -g root /root/dropbear /usr/share/initramfs-tools/scripts/init-premount/dropbear
rm -f /root/dropbear
mv /usr/sbin/dropbear /usr/sbin/dropbear.trixie
install -m 0755 -o root -g root /root/build/dropbear-2025.88/dropbear /usr/sbin/
for var_file in dbclient dropbearconvert dropbearkey; do
mv "${var_target}/usr/bin/${var_file}" "${var_target}/usr/bin/${var_file}.trixie"
install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/${var_file}" "${var_target}/usr/bin/"
do_log "debug" "file_only" "4311() Installation [${var_file}] successful."
mv "/usr/bin/${var_file}" "/usr/bin/${var_file}.trixie"
install -m 0755 -o root -g root "/root/build/dropbear-2025.88/${var_file}" /usr/bin/
done
mkdir -p "${var_target}/etc/initramfs-tools/scripts/init-bottom"
mkdir -p /etc/initramfs-tools/scripts/init-bottom
cat << 'EOF' >| "${var_target}/etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill"
cat << 'EOF' >| /etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill
#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
PREREQ=""
prereqs() { echo "${PREREQ}"; }
@@ -91,12 +76,22 @@ exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod 0755 "${var_target}/etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill"
chmod 0755 /etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill
cat << EOF >| /etc/apt/preferences.d/99-mask-dropbear
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
insert_header "${var_target}/etc/apt/preferences.d/99-mask-dropbear"
insert_comments "${var_target}/etc/apt/preferences.d/99-mask-dropbear"
cat << 'EOF' >> "${var_target}/etc/apt/preferences.d/99-mask-dropbear"
# Never install the dropbear daemon package at all.
Package: dropbear
Pin: release *
Pin-Priority: -1
@@ -104,10 +99,20 @@ Pin-Priority: -1
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
insert_header "${var_target}/etc/apt/preferences.d/99-mask-dropbear-initramfs"
insert_comments "${var_target}/etc/apt/preferences.d/99-mask-dropbear-initramfs"
cat << 'EOF' >> "${var_target}/etc/apt/preferences.d/99-mask-dropbear-initramfs"
cat << EOF >| /etc/apt/preferences.d/99-mask-dropbear-initramfs
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Keep the currently installed initramfs integration; never upgrade it.
Package: dropbear-initramfs
Pin: release *
Pin-Priority: -1
@@ -115,8 +120,7 @@ Pin-Priority: -1
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
chroot_script "${var_target}" "systemctl mask dropbear.service dropbear.socket"
do_log "info" "file_only" "4311() Masked: [dropbear.service dropbear.socket]"
systemctl mask dropbear.service dropbear.socket
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

149
config/hooks/live/0022_dropbear_setup.chroot Normal file
View File

@@ -0,0 +1,149 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
#######################################
# Set up the 'dropbear-initramfs' environment.
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: on success
#######################################
dropbear_setup() {
### Declare Arrays, HashMaps, and Variables.
declare network_static_ipv4ntpserver_0="192.53.103.108"
# shellcheck disable=SC2155
declare user_root_sshpubkey="$(< /root/.ssh/authorized_keys)"
declare var_force_command_string='command="/usr/local/bin/unlock_wrapper.sh",no-agent-forwarding,no-port-forwarding,no-X11-forwarding '
### Prepare strong dropbear host keys.
rm -f /etc/dropbear/initramfs/dropbear*key*
if [[ -d /root/ssh ]]; then
dropbearconvert openssh dropbear /root/ssh/ssh_host_ed25519_key /etc/dropbear/initramfs/dropbear_ed25519_host_key
dropbearconvert openssh dropbear /root/ssh/ssh_host_rsa_key /etc/dropbear/initramfs/dropbear_rsa_host_key
dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/dropbear/initramfs/dropbear_ed25519_host_key.pub
dropbearkey -y -f /etc/dropbear/initramfs/dropbear_rsa_host_key /etc/dropbear/initramfs/dropbear_rsa_host_key.pub
else
# shellcheck disable=SC2312
/usr/bin/dropbearkey -t ed25519 -f /etc/dropbear/initramfs/dropbear_ed25519_host_key -C "root@live-$(date -I)"
# shellcheck disable=SC2312
/usr/bin/dropbearkey -t rsa -s 4096 -f /etc/dropbear/initramfs/dropbear_rsa_host_key -C "root@live-$(date -I)"
fi
### Prepare dropbear authorized_keys.
printf "%s\n" "${var_force_command_string}${user_root_sshpubkey}" >| /etc/dropbear/initramfs/authorized_keys
chmod 0600 /etc/dropbear/initramfs/authorized_keys
install -m 0644 -o root -g root /etc/banner /etc/dropbear/initramfs/banner
### "IP=<HOST IP>::<GATEWAY IP>:<SUBNET MASK>:<FQDN>:<NIC>:none:<DNS 0 IP>:<DNS 1 IP>:<NTP IP>"
### "IP=:::::<NIC>:dhcp"
printf "IP=::::::dhcp\n" >| /etc/initramfs-tools/conf.d/ip
### Generate dropbear configuration file.
write_dropbear_conf
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f dropbear_setup
#######################################
# Write '/etc/dropbear/initramfs/dropbear.conf'.
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: on success
#######################################
write_dropbear_conf() {
# shellcheck disable=SC2155
declare sshport="$(< /root/sshport)"
rm -f /root/sshport
[[ -z "${sshport:-}" ]] && sshport="2222"
cat << EOF >| /etc/dropbear/initramfs/dropbear.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Configuration options for the dropbear-initramfs boot scripts.
# Variable assignment follow shell semantics and escaping/quoting rules.
# You must run update-initramfs(8) to effect changes to this file (like
# for other files in the '/etc/dropbear/initramfs' directory).
# Command line options to pass to dropbear(8).
# Dropbear options for 2025+:
# -b: Display the contents of bannerfile before user login
# -E: Log to stderr
# -I: Idle timeout in seconds
# -K: Keepalive interval in seconds
# -p: Specify port (and optionally address)
# -w: Disable root login (SHOULD NOT be implemented for initramfs)
DROPBEAR_OPTIONS="-b /etc/dropbear/banner -E -I 300 -K 60 -p ${sshport}"
# On local (non-NFS) mounts, interfaces matching this pattern are
# brought down before exiting the ramdisk to avoid dirty network
# configuration in the normal kernel.
# The special value 'none' keeps all interfaces up and preserves routing
# tables and addresses.
#IFDOWN="*"
# On local (non-NFS) mounts, the network stack and dropbear are started
# asynchronously at init-premount stage. This value specifies the
# maximum number of seconds to wait (while the network/dropbear are
# being configured) at init-bottom stage before terminating dropbear and
# bringing the network down.
# If the timeout is too short, and if the boot process is not blocking
# on user input supplied via SSHd (ie no remote unlocking), then the
# initrd might pivot to init(1) too early, thereby causing a race
# condition between network configuration from initramfs vs from the
# normal system.
#DROPBEAR_SHUTDOWN_TIMEOUT=60
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f write_dropbear_conf
dropbear_setup
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

490
config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh Normal file
View File

@@ -0,0 +1,490 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: unlock_wrapper.sh to be executed as 'dropbear-initramfs' SSH forced command.
set -Ceu -o pipefail -o ignoreeof
shopt -s failglob
shopt -s lastpipe
shopt -u nullglob
umask 0077
export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"
#######################################
# Variable declaration
#######################################
# shellcheck disable=SC2016
declare -r REGEX='^\$6\$(rounds=([1-9][0-9]{3,8})\$)?([./A-Za-z0-9]{1,16})\$([./A-Za-z0-9]{86})$'
# shellcheck disable=SC2155
declare -r CURRENTDATE=$(date +"%F %T")
declare -g ERRTRAP='false'
declare -r GRE='\e[0;92m'
declare -r MAG='\e[0;95m'
declare -r RED='\e[0;91m'
declare -r RES='\e[0m'
declare -r NL='\n'
declare -g NUKE_ENABLED='false'
declare -g NUKE_HASH=''
declare -g PASSPHRASE=''
#######################################
# Read passphrase strictly from STDIN (SSH channel), not '/dev/console'.
# Arguments:
# 1: Prompt to print on terminal
# 2: Variable name to capture passphrase
#######################################
ask_via_stdin() {
declare -r prompt="$1"
declare -r varname="$2"
### Prompt to STDERR so pipes don't capture it.
printf "%s" "${prompt}" >&2
### Silent, canonical read from FD 0 (SSH channel when forced-command).
IFS= read -r -s "${varname?}" <&0
printf "\n" >&2
return 0
}
#######################################
# Printed text in color.
# Arguments:
# 1: Color code.
# *: Text to print.
#######################################
color_echo() { declare c="${1}"; shift; declare msg="${*}"; printf "%b%s %b%b" "${c}" "${msg}" "${RES}" "${NL}"; return 0; }
#######################################
# Die Helper: print and then exit hard.
# Globals:
# NC
# RED
# Arguments:
# 1: Message string to print.
#######################################
die() { printf "%b✘ %s %b%b" "${RED}" "$1" "${RES}" "${NL}" >&2; power_off 3; }
#######################################
# Drop into the bash environment.
# Arguments:
# None
#######################################
drop_bash() { stty echo 2>/dev/null || true; prompt_string; exec /bin/bash -i; }
#######################################
# Extract the 'nuke=' parameter from '/proc/cmdline'.
# Globals:
# GRE
# NUKE_ENABLED
# NUKE_HASH
# RED
# REGEX
# Arguments:
# None
# Returns:
# 0: on success
#######################################
extract_nuke_hash() {
declare ARG="" CMDLINE=""
### Read '/proc/cmdline' into a single line safely.
read -r CMDLINE < /proc/cmdline
for ARG in ${CMDLINE}; do
case "${ARG,,}" in
nuke=*)
NUKE_HASH="${ARG#*=}"
if [[ "${NUKE_HASH}" =~ ${REGEX} ]]; then
declare -g NUKE_ENABLED="true"
color_echo "${GRE}" "✅ System self check: [ok]"
return 0
else
### If there is a malformed Grub Bootparameter 'nuke=HASH', drop to bash.
color_echo "${RED}" "✘ Nuke Hash Malformat : [${REGEX}] [${NUKE_HASH}]."
color_echo "${RED}" "✘ Dropping to bash ...:"
drop_bash
fi
;;
esac
done
color_echo "${GRE}" "✅ No Nuke Hash found."
return 0
}
#######################################
# Gather information of all LUKS Devices available on the system.
# Arguments:
# None
#######################################
gather_luks_devices() {
declare prev=() curr=()
declare -i tries=0
while ((tries < 10)); do
# shellcheck disable=SC2312
mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | /usr/bin/sort -V)
if [[ "${curr[*]}" == "${prev[*]}" ]]; then
break
fi
prev=("${curr[@]}")
tries=$((tries + 1))
sleep 1
done
printf '%s\n' "${curr[@]}"
return 0
}
#######################################
# Erase the LUKS headers on all LUKS devices, then shut down the system.
# Globals:
# DEVICES_LUKS
# RED
# Arguments:
# None
#######################################
nuke() {
declare dev=""
for dev in "${DEVICES_LUKS[@]}"; do
cryptsetup erase --batch-mode "${dev}" || true
color_echo "${RED}" "✘ Error: LUKS Device Header malfunction: [${dev}]."
done
secure_unset_pass
color_echo "${RED}" "✘ Error: LUKS Device malfunction. System Power Off in 16 seconds."
power_off 16
}
#######################################
# Unified power-off routine.
# Arguments:
# 1: Sleep time before power-off in seconds (Default to 0 seconds).
#######################################
power_off() {
declare -r wait="${1:-0}"
sleep "${wait}"
sync
echo 1 >| /proc/sys/kernel/sysrq
echo o >| /proc/sysrq-trigger
### The System powers off immediately; no further code is executed.
}
#######################################
# Print Error Message for Trap on 'ERR' on Terminal.
# Globals:
# NL
# RED
# Arguments:
# 1: ${?}
# 2: ${BASH_SOURCE[0]}
# 3: ${LINENO}
# 4: ${FUNCNAME[0]:-main}
# 5: ${BASH_COMMAND}
#######################################
print_scr_err() {
declare -r scr_err_errcode="$1"
declare -r scr_err_errscrt="$2"
declare -r scr_err_errline="$3"
declare -r scr_err_errfunc="$4"
declare -r scr_err_errcmmd="$5"
printf "%b" "${NL}" >&2
color_echo "${RED}" "✘ System caught an 'ERROR'. System Power Off in 16 seconds." >&2
printf "%b" "${NL}" >&2
color_echo "${RED}" "✘ Error : [${scr_err_errcode}]" >&2
color_echo "${RED}" "✘ Line : [${scr_err_errline}]" >&2
color_echo "${RED}" "✘ Script : [${scr_err_errscrt}]" >&2
color_echo "${RED}" "✘ Function : [${scr_err_errfunc}]" >&2
color_echo "${RED}" "✘ Command : [${scr_err_errcmmd}]" >&2
printf "%b" "${NL}" >&2
return 0
}
#######################################
# Print Error Message for '0'-Exit-Code on Terminal.
# Globals:
# GRE
# Arguments:
# None
#######################################
print_scr_scc() { color_echo "${GRE}" "✅ Script exited successfully. Proceeding with booting."; sleep 3; }
#######################################
# Generates an informative shell prompt.
# Globals:
# PS1
# Arguments:
# None
#######################################
prompt_string() {
declare -gx PS1="\
\[\033[1;91m\]\d\[\033[0m\]|\[\033[1;91m\]\u\[\033[0m\]@\
\[\033[1;95m\]\h\[\033[0m\]:\
\[\033[1;96m\]\w\[\033[0m\]/>>\
\$(if [[ \$? -eq 0 ]]; then \
# Show exit status in green if zero
echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
else \
# Show exit status in red otherwise
echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
fi)\
|~\$ "
}
#######################################
# Read the passphrase interactively.
# Globals:
# NUKE_ENABLED
# NUKE_HASH
# PASSPHRASE
# Arguments:
# None
# Returns:
# 0: on success
#######################################
read_passphrase() {
declare -i ROUNDS=0
declare CAND="" SALT=""
### Read from SSH STDIN (or TTY fallback), never via '/lib/cryptsetup/askpass'.
ask_via_stdin "Enter passphrase: " PASSPHRASE
### NUKE pre-check.
if [[ "${NUKE_ENABLED,,}" == "true" ]]; then
ROUNDS="$(cut -d'$' -f3 <<< "${NUKE_HASH}")"
ROUNDS="${ROUNDS#rounds=}"
SALT="$(cut -d'$' -f4 <<< "${NUKE_HASH}")"
CAND=$(/usr/mkpasswd --method=sha-512 --salt="${SALT}" --rounds="${ROUNDS}" "${PASSPHRASE}")
### NUKE final check.
if [[ "${CAND}" == "${NUKE_HASH}" ]]; then
nuke
fi
fi
return 0
}
#######################################
# Securely unset the 'PASSPHRASE'-variable.
# Globals:
# PASSPHRASE
# Arguments:
# None
#######################################
secure_unset_pass() { unset PASSPHRASE; PASSPHRASE=""; return 0; }
#######################################
# Trap function to be called on 'ERR'.
# Arguments:
# 1: ${?}
# 2: ${BASH_SOURCE[0]}
# 3: ${LINENO}
# 4: ${FUNCNAME[0]:-main}
# 5: ${BASH_COMMAND}
#######################################
trap_on_err() {
declare -r errcode="$1"
declare -r errscrt="$2"
declare -r errline="$3"
declare -r errfunc="$4"
declare -r errcmmd="$5"
declare -g ERRTRAP='true'
trap - ERR INT TERM
stty echo 2>/dev/null || true
print_scr_err "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}"
power_off 16
}
#######################################
# Security Trap on 'EXIT'.
# Globals:
# ERRTRAP
# Arguments:
# None
#######################################
trap_on_exit() {
trap - ERR EXIT INT TERM
[[ "${ERRTRAP,,}" == "false" ]] && print_scr_scc
}
#######################################
# Security Trap on 'INT' and 'TERM' to provide a deterministic way to not circumvent the nuke routine.
# Globals:
# NL
# RED
# Arguments:
# None
#######################################
trap_on_term() {
trap - ERR INT TERM
stty echo 2>/dev/null || true
printf "%b" "${NL}"
color_echo "${RED}" "✘ Received termination signal. System Power Off in 3 seconds."
power_off 3
}
#######################################
# Check the integrity and authenticity of this script itself.
# Globals:
# GRE
# MAG
# RED
# Arguments:
# 0: Script Name
#######################################
verify_script() {
declare dir
# shellcheck disable=SC2312
dir="$(dirname "$(readlink -f "${0}")")"
declare script; script="$(basename "${0}")"
declare -a algo=( "sha512" )
declare cmd="" computed="" expected="" hashfile="" item="" sigfile=""
for item in "${algo[@]}"; do
hashfile="${dir}/${script}.${item}"
sigfile="${hashfile}.sig"
cmd="${item}sum"
color_echo "${MAG}" "🔏 Verifying signature of: [${hashfile}]"
if ! gpgv --keyring /etc/keys/unlock_wrapper_pubring.gpg "${sigfile}" "${hashfile}"; then
color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]"
color_echo "${RED}" "✘ System Power Off in 3 seconds."
power_off 3
else
color_echo "${GRE}" "🔏 Verifying signature of: [${hashfile}] successful."
fi
color_echo "${MAG}" "🔢 Recomputing Hash: [${item}]"
# shellcheck disable=SC2312
read -r computed _ < <("${cmd}" "${dir}/${script}")
read -r expected < "${hashfile}"
if [[ "${computed}" != "${expected}" ]]; then
color_echo "${RED}" "✘ Recomputed hash mismatch for : [${item}]"
color_echo "${RED}" "✘ System Power Off in 3 seconds."
power_off 3
fi
color_echo "${GRE}" "🔢 Recomputing Hash: [${item}] successful."
done
color_echo "${GRE}" "🔏 All signatures and hashes verified successfully. Proceeding."
return 0
}
#######################################
# Main Program Sequence.
# Globals:
# CURRENTDATE
# DEVICES_LUKS
# GRE
# MAG
# NL
# PASSPHRASE
# RED
# Arguments:
# None
#######################################
main() {
exec 1>&2
trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
trap 'trap_on_exit' EXIT
trap 'trap_on_term' INT TERM
uname -a
printf "%b" "${NL}"
color_echo "${RED}" "Coresecret Connection established."
color_echo "${RED}" "Starting Time: ${CURRENTDATE}"
printf "%b" "${NL}"
color_echo "${MAG}" "Integrity self-check ..."
verify_script
### Read newline-separated output into an array.
printf "%b" "${NL}"
color_echo "${MAG}" "Scanning for LUKS devices ..."
# shellcheck disable=SC2312
mapfile -t DEVICES_LUKS < <(gather_luks_devices)
### If there are no LUKS devices at all, drop to bash.
if (( ${#DEVICES_LUKS[@]} == 0 )); then
printf "%b" "${NL}"
color_echo "${RED}" "✘ No LUKS Devices found. Dropping to bash ..."
drop_bash
fi
### Extract the 'nuke='-parameter from '/proc/cmdline'.
printf "%b" "${NL}"
extract_nuke_hash
### Read passphrase interactively.
read_passphrase
if printf "%s" "${PASSPHRASE}" | cryptroot-unlock; then
secure_unset_pass
exit 0
else
secure_unset_pass
printf "%b" "${NL}"
color_echo "${RED}" "✘ Unsuccessful command 'cryptroot-unlock'."
color_echo "${GRE}" " No LUKS operations performed. Dropping to bash ..."
color_echo "${GRE}" " To unlock 'root' partition, and maybe others like '/home', run 'cryptroot-unlock'."
drop_bash
fi
}
main "${@}"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

1
config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh.sha512 Normal file
View File

@@ -0,0 +1 @@
2d90783e0ffba3c6972b3a0d5335cca4a37c03b417f43b62b082a83734d4e4148390ac22509e68d63aaca11baf4fb081747f83347eab08176fb647e5445372f6

BIN
config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig Normal file
View File

Binary file not shown.

BIN
config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper_pubring.gpg Normal file
View File

Binary file not shown.

78
config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper_signer.sh Normal file
View File

@@ -0,0 +1,78 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: unlock_wrapper_signer.sh for signing unlock_wrapper.sh
set -Ceuo pipefail
### Paths
declare -r SCRIPT="/etc/initramfs-tools/files/unlock_wrapper.sh"
declare -r KEYFILE="/root/.ciss/keys/dummy_0x12345678_SECRET.asc"
declare -r GNUPGHOME="/root/.ciss/gnupg"
### Output Files
declare -r HASH384="${SCRIPT}.sha384"
declare -r HASH512="${SCRIPT}.sha512"
declare -r SIG384="${HASH384}.sig"
declare -r SIG512="${HASH512}.sig"
### Ensure GNUPGHOME exists with secure permissions
mkdir -p "${GNUPGHOME}"
chmod 0700 "${GNUPGHOME}"
### Import private key only if not already present
if ! gpg --homedir "${GNUPGHOME}" --list-secret-keys | grep -q "sec"; then
printf "\e[0;92m✅ Importing private key ... \e[0m\n"
gpg --homedir "${GNUPGHOME}" --import "${KEYFILE}"
else
printf "\e[0;92m✅ Private key already present in keyring. \e[0m\n"
fi
### Extract fingerprint of the first secret key
# shellcheck disable=SC2155
declare -r FPR=$(gpg --homedir "${GNUPGHOME}" --list-secret-keys --with-colons | awk -F: '/^fpr:/ { print $10; exit }')
if [[ -z "${FPR}" ]]; then
printf "\e[0;91m✘ Error: Could not extract fingerprint from keyring. \e[0m\n" >&2
exit 1
fi
printf "\e[0;92m✅ Using GPG key fingerprint: [%s] \e[0m\n" "${FPR}"
### Hashing (only the hash value, no filename)
printf "\e[0;95m🔢 Generating Hashes ... \e[0m\n"
if sha384sum "${SCRIPT}" | awk '{print $1}' >| "${HASH384}"; then
printf "\e[0;92m✅ Hash: [%s] of Script: [%s] created. \e[0m\n" "${HASH384}" "${SCRIPT}"
fi
if sha512sum "${SCRIPT}" | awk '{print $1}' >| "${HASH512}"; then
printf "\e[0;92m✅ Hash: [%s] of Script: [%s] created. \e[0m\n" "${HASH512}" "${SCRIPT}"
fi
printf "\e[0;92m🔢 Generating Hashes done. \e[0m\n"
### Signing Hashes
printf "\e[0;95m🔑 Signing hashes ... \e[0m\n"
if gpg --homedir "${GNUPGHOME}" --batch --yes --local-user "${FPR}" --output "${SIG384}" --detach-sign "${HASH384}"; then
printf "\e[0;92m✅ Hash: [%s] signed: [%s]. \e[0m\n" "${HASH384}" "${SIG384}"
fi
if gpg --homedir "${GNUPGHOME}" --batch --yes --local-user "${FPR}" --output "${SIG512}" --detach-sign "${HASH512}"; then
printf "\e[0;92m✅ Hash: [%s] signed: [%s]. \e[0m\n" "${HASH512}" "${SIG512}"
fi
printf "\e[0;92m🔑 Signing hashes done. \e[0m\n"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

42
config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh Normal file
View File

@@ -0,0 +1,42 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -e
printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh] \n\e[0m"
PREREQ=""
prereqs() { echo "${PREREQ}"; }
# shellcheck disable=SC2249
case "${1}" in
prereqs) prereqs; exit 0 ;;
esac
. /usr/share/initramfs-tools/hook-functions
mkdir -p "${DESTDIR}/etc"
cat >| "${DESTDIR}/etc/profile" << 'EOF'
export PS1='$( STATUS=$?; \
if [ "${STATUS}" -eq 0 ]; then \
printf "\001\e[0;31m\002\u@\H\001\e[0m\002:\001\e[0;95m\002\w\001\e[0m\002>>\001\e[0;92m\002%d\001\e[0m\002|~#> " "${STATUS}"; \
else \
printf "\001\e[0;31m\002\u@\H\001\e[0m\002:\001\e[0;95m\002\w\001\e[0m\002>>\001\e[0;91m\002%d\001\e[0m\002|~#> " "${STATUS}"; \
fi; ) '
EOF
printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh] \n\e[0m"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

155
config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh Normal file
View File

@@ -0,0 +1,155 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -e
printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh] \n\e[0m"
PREREQ=""
prereqs() { echo "${PREREQ}"; }
# shellcheck disable=SC2249
case "${1}" in
prereqs) prereqs; exit 0 ;;
esac
. /usr/share/initramfs-tools/hook-functions
### Ensure directory structure in initramfs ------------------------------------------------------------------------------------
install -d -m 0755 "${DESTDIR}/etc/ciss/keys"
install -d -m 0755 "${DESTDIR}/etc/initramfs-tools/conf.d"
install -d -m 0755 "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
install -d -m 0755 "${DESTDIR}/usr/bin"
install -d -m 0755 "${DESTDIR}/usr/local/bin"
install -d -m 0755 "${DESTDIR}/usr/sbin"
### Include 'bash' -------------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/bash /usr/bin/bash
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/bash /usr/bin/bash] \n\e[0m"
### Include 'blkid' ------------------------------------------------------------------------------------------------------------
copy_exec /usr/sbin/blkid /usr/sbin/blkid
printf "\e[92mSuccessfully executed: [copy_exec /usr/sbin/blkid /usr/sbin/blkid] \n\e[0m"
### Include 'busybox' ----------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/busybox /usr/busybox
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/busybox /usr/busybox] \n\e[0m"
### Include GNU coreutils 'sort' (has -V) --------------------------------------------------------------------------------------
copy_exec /usr/bin/sort /usr/bin/sort
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sort /usr/bin/sort] \n\e[0m"
### Include 'gpgv' -------------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/gpgv /usr/bin/gpgv
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/gpgv /usr/bin/gpgv] \n\e[0m"
### Include 'lsblk' ------------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/lsblk /usr/bin/lsblk
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/lsblk /usr/bin/lsblk] \n\e[0m"
### Include 'mkpasswd' ---------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/mkpasswd /usr/mkpasswd
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/mkpasswd] \n\e[0m"
copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd] \n\e[0m"
### Include 'udevadm' (udev management tool) -----------------------------------------------------------------------------------
copy_exec /usr/bin/udevadm /usr/bin/udevadm
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/udevadm /usr/bin/udevadm] \n\e[0m"
### Include 'sha384sum' 'sha512sum' --------------------------------------------------------------------------------------------
copy_exec /usr/bin/sha384sum /usr/bin/sha384sum
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha384sum /usr/bin/sha384sum ] \n\e[0m"
copy_exec /usr/bin/sha512sum /usr/bin/sha512sum
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha512sum /usr/bin/sha512sum] \n\e[0m"
### Include 'tree' -------------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/tree /usr/bin/tree
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/tree /usr/bin/tree] \n\e[0m"
### Include 'whois' ------------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/whois /usr/bin/whois
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/whois /usr/bin/whois] \n\e[0m"
### Link busybox applets for compatibility -------------------------------------------------------------------------------------
for dir in bin usr/bin; do
ln -sf busybox "${DESTDIR}/${dir}/cat"
ln -sf busybox "${DESTDIR}/${dir}/sleep"
done
### Install GPG signing keys ---------------------------------------------------------------------------------------------------
src_dir="/etc/ciss/keys"
dst_dir="${DESTDIR}/etc/ciss/keys"
key=""
if [ -d "${src_dir}" ]; then
install -d -m 0755 "${dst_dir}"
for key in "${src_dir}"/*.gpg; do
[ -e "${key}" ] || continue
install -m 0444 "${key}" "${dst_dir}/"
printf '\e[92mSuccessfully executed: [install -m 0444 %s %s]\n\e[0m' "${key}" "${dst_dir}"
done
fi
### Install Dropbear configuration ---------------------------------------------------------------------------------------------
install -m 0444 /etc/dropbear/initramfs/dropbear.conf "${DESTDIR}/etc/dropbear/dropbear.conf"
printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/dropbear.conf %s/etc/dropbear/dropbear.conf] \n\e[0m" "${DESTDIR}"
# TODO: Update the scripts to be usable for upcoming Live ISO encryption
# TODO: Integrate online signing
### Install Dropbear 'cryptroot-unlock'-Wrapper --------------------------------------------------------------------------------
install -m 0555 /etc/initramfs-tools/files/unlock_wrapper.sh "${DESTDIR}/usr/local/bin/unlock_wrapper.sh"
printf "\e[92mSuccessfully executed: [install -m 0555 /etc/initramfs-tools/files/unlock_wrapper.sh %s/usr/local/bin/unlock_wrapper.sh] \n\e[0m" "${DESTDIR}"
install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512 "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha512"
printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512 %s/usr/local/bin/unlock_wrapper.sh.sha512] \n\e[0m" "${DESTDIR}"
install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha512.sig"
printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig %s/usr/local/bin/unlock_wrapper.sh.sha512.sig] \n\e[0m" "${DESTDIR}"
# TODO: Refactor with online signing
### Install Dropbear GPG Signing Keys ------------------------------------------------------------------------------------------
install -m 0444 /root/.ciss/cdi/keys/unlock_wrapper_pubring.gpg "${DESTDIR}/etc/keys/unlock_wrapper_pubring.gpg"
printf "\e[92mSuccessfully executed: [install -m 0444 /root/.ciss/cdi/keys/unlock_wrapper_pubring.gpg %s/etc/keys/unlock_wrapper_pubring.gpg] \n\e[0m" "${DESTDIR}"
### Install Dropbear Banner ----------------------------------------------------------------------------------------------------
install -m 0444 /etc/dropbear/initramfs/banner "${DESTDIR}/etc/dropbear/banner"
printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/banner %s/etc/dropbear/banner] \n\e[0m" "${DESTDIR}"
### EOS
printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh] \n\e[0m"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

33
config/includes.chroot/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh Normal file
View File

@@ -0,0 +1,33 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -e
PREREQ=""
prereqs() { echo "${PREREQ}"; }
# shellcheck disable=SC2249
case "${1}" in
prereqs) prereqs; exit 0 ;;
esac
mkdir -p /run/ciss
printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_premount_early.log
### Make sure /usr/local/bin is in front of 'PATH'.
export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"
printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_premount_late.log
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

33
config/includes.chroot/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh Normal file
View File

@@ -0,0 +1,33 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -e
PREREQ=""
prereqs() { echo "${PREREQ}"; }
# shellcheck disable=SC2249
case "${1}" in
prereqs) prereqs; exit 0 ;;
esac
mkdir -p /run/ciss
printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_top_early.log
### Make sure /usr/local/bin is in front of 'PATH'.
export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"
printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_top_late.log
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

2
config/includes.chroot/etc/ssh/ssh_known_hosts
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.400.2025.11.08
# Version Master V8.13.404.2025.11.10
[git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
[git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==

2
config/includes.chroot/etc/ssh/sshd_config
View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.400.2025.11.08
# Version Master V8.13.404.2025.11.10
### https://www.ssh-audit.com/
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig

2
config/includes.chroot/etc/sysctl.d/99_local.hardened
View File

@@ -11,7 +11,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.400.2025.11.08
# Version Master V8.13.404.2025.11.10
### https://docs.kernel.org/
### https://github.com/a13xp0p0v/kernel-hardening-checker/

2
config/includes.chroot/preseed/.iso/preseed_hash_generator.sh
View File

@@ -10,7 +10,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
declare -gr VERSION="Master V8.13.400.2025.11.08"
declare -gr VERSION="Master V8.13.404.2025.11.10"
### VERY EARLY CHECK FOR DEBUGGING
if [[ $* == *" --debug "* ]]; then

2
config/includes.chroot/preseed/preseed.cfg
View File

@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
# Please consider donating to my work at: https://coresecret.eu/spenden/
###########################################################################################
# Written by: ./preseed_hash_generator.sh Version: Master V8.13.400.2025.11.08 at: 10:18:37.9542
# Written by: ./preseed_hash_generator.sh Version: Master V8.13.404.2025.11.10 at: 10:18:37.9542

4
config/includes.chroot/usr/lib/live/boot/0030-verify-checksums
View File

@@ -209,12 +209,12 @@ Verify_checksums() {
if grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_TTY}"; then
_RETURN_SHA="${?}"
printf "\e[92m[INFO] Found: [%s] successful done, for: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"
printf "\e[92m[INFO] Found: [%s] successful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"
else
_RETURN_SHA="${?}"
printf "\e[91m[FATAL] Found: [%s] failed, for: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"
printf "\e[91m[FATAL] Found: [%s] unsuccessful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"
fi

65
config/includes.chroot/usr/share/initramfs-tools/scripts/init-premount/dropbear Normal file
View File

@@ -0,0 +1,65 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck shell=sh
PREREQ="udev"
prereqs() {
echo "${PREREQ}"
}
# shellcheck disable=SC2249
case "$1" in
prereqs)
prereqs
exit 0
;;
esac
# shellcheck disable=SC2292
[ -x /sbin/dropbear ] || exit 0
run_dropbear() {
### CISS.debian.live.builder
### Remove old flags for dropbear version 2025.88-2.
### Only accepts flags from '/etc/dropbear/dropbear.conf'.
#local flags="Fs"
# shellcheck disable=SC2034,SC2154,SC2292
[ "${debug}" != y ] || flags="E${flags}" # log to standard error
# Always run configure_networking() before dropbear(8); on NFS
# mounts this has been done already
# shellcheck disable=SC2292
[ "${BOOT}" = nfs ] || configure_networking
log_begin_msg "Starting dropbear"
# Using exec and keeping dropbear in the foreground enables the
# init-bottom script to kill the remaining ipconfig processes if
# someone unlocks the rootfs from the console while the network is
# being configured
# shellcheck disable=SC2086
exec /sbin/dropbear ${DROPBEAR_OPTIONS-}
}
# shellcheck disable=SC2292
if [ -e /etc/dropbear/dropbear.conf ]; then
. /etc/dropbear/dropbear.conf
fi
. /scripts/functions
# On NFS mounts, wait until the network is configured. On local mounts,
# configure the network in the background (in run_dropbear()) so someone
# with console access can enter the passphrase immediately. (With the
# default ip=dhcp, configure_networking hangs for 5mins or so when the
# network is unavailable, for instance.)
# shellcheck disable=SC2292
[ "${BOOT}" != nfs ] || configure_networking
run_dropbear &
echo $! >/run/dropbear.pid
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh