V8.13.440.2025.11.19
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -1,10 +0,0 @@
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-FileType: SOURCE
|
||||
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||||
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||||
# SPDX-PackageName: CISS.debian.live.builder
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
@@ -26,17 +26,18 @@ OVERLAY_BASE="/run/live/overlay"
|
||||
UPPER="${OVERLAY_BASE}/upper"
|
||||
WORK="${OVERLAY_BASE}/work"
|
||||
|
||||
### Size policy: hard ceiling to mitigate RAM-filling DoS; tune to your ISO profile.
|
||||
### Size policy: hard ceiling to mitigate RAM-filling DoS; tune to your ISO profile. -------------------------------------------
|
||||
: "${CDLB_OVERLAY_TMPFS_SIZE:=70%}"
|
||||
|
||||
### Create a base dir with restrictive perms.
|
||||
### Create a base dir with restrictive perms. ----------------------------------------------------------------------------------
|
||||
# shellcheck disable=SC2174
|
||||
mkdir -p -m 0700 "${OVERLAY_BASE}"
|
||||
|
||||
### Mount dedicated tmpfs with strict flags; 'noexec' here blocks accidental execs from the raw tmpfs path.
|
||||
### Mount dedicated tmpfs with strict flags; 'noexec' here blocks accidental execs from the raw tmpfs path. --------------------
|
||||
mount -t tmpfs -o "size=${CDLB_OVERLAY_TMPFS_SIZE},mode=0700,nosuid,nodev,noexec" tmpfs "${OVERLAY_BASE}"
|
||||
printf "\e[92m[INFO] mount -t tmpfs -o \"size=%s,mode=0700,nosuid,nodev,noexec\" tmpfs \"%s\" \n\e[0m" "${CDLB_OVERLAY_TMPFS_SIZE}" "${OVERLAY_BASE}"
|
||||
|
||||
# Prepare upper/work with tight perms.
|
||||
### Prepare upper /work with tight perms. -------------------------------------------------------------------------------------
|
||||
# shellcheck disable=SC2174
|
||||
mkdir -p -m 0700 "${UPPER}" "${WORK}"
|
||||
|
||||
|
||||
@@ -37,31 +37,35 @@ log() {
|
||||
fi
|
||||
}
|
||||
|
||||
### Declare variables ----------------------------------------------------------------------------------------------------------
|
||||
CDLB_LUKS_FS="/live/ciss_rootfs.crypt"
|
||||
CDLB_ISO_LABEL="CISS.debian.live"
|
||||
### Declare variables. ---------------------------------------------------------------------------------------------------------
|
||||
export CDLB_ISO_LABEL="CISS.debian.live"
|
||||
export CDLB_LUKS_FS="/live/ciss_rootfs.crypt"
|
||||
export CDLB_MAPPER_NAME="ciss_rootfs.crypt"
|
||||
MNT_MEDIUM="/run/live/medium"
|
||||
MNT_ROOTFS="/run/live/rootfs"
|
||||
_PARAMETER=""
|
||||
_dev=""
|
||||
|
||||
### Read the kernel cmdline once -----------------------------------------------------------------------------------------------
|
||||
### Read the kernel cmdline once. ----------------------------------------------------------------------------------------------
|
||||
CMDLINE="$(cat /proc/cmdline 2>/dev/null || printf '')"
|
||||
|
||||
for _PARAMETER in ${CMDLINE}; do
|
||||
|
||||
case "${_PARAMETER}" in
|
||||
|
||||
ciss_crypt_path=*) CDLB_LUKS_FS="${_PARAMETER#ciss_crypt_path=}";;
|
||||
ciss_iso_label=* ) CDLB_ISO_LABEL="${_PARAMETER#ciss_iso_label=}";;
|
||||
ciss_crypt_path=*) export CDLB_LUKS_FS="${_PARAMETER#ciss_crypt_path=}";;
|
||||
ciss_iso_label=* ) export CDLB_ISO_LABEL="${_PARAMETER#ciss_iso_label=}";;
|
||||
|
||||
esac
|
||||
|
||||
done
|
||||
|
||||
printf "\e[92m[INFO] CDLB_LUKS_FS : [%s] \n\e[0m" "${CDLB_LUKS_FS}"
|
||||
printf "\e[92m[INFO] CDLB_ISO_LABEL : [%s] \n\e[0m" "${CDLB_ISO_LABEL}"
|
||||
|
||||
mkdir -p "${MNT_MEDIUM}" "${MNT_ROOTFS}"
|
||||
|
||||
### Mount the live medium (ISO) read-only, unless already mounted --------------------------------------------------------------
|
||||
### Mount the live medium (ISO) read-only, unless already mounted. -------------------------------------------------------------
|
||||
if ! mountpoint -q "${MNT_MEDIUM}"; then
|
||||
|
||||
if [ -n "${CDLB_ISO_LABEL}" ] && [ -e "/dev/disk/by-label/${CDLB_ISO_LABEL}" ]; then
|
||||
@@ -82,10 +86,8 @@ if ! mountpoint -q "${MNT_MEDIUM}"; then
|
||||
### Skip non-block entries early.
|
||||
[ -b "${_dev}" ] || continue
|
||||
|
||||
### Try ISO9660 first, then UDF; only unmount on failure
|
||||
if mount -r -t iso9660 "${_dev}" "${MNT_MEDIUM}" 2>/dev/null \
|
||||
|| mount -r -t udf "${_dev}" "${MNT_MEDIUM}" 2>/dev/null
|
||||
then
|
||||
### Try ISO9660 first, then UDF; only unmount on failure.
|
||||
if mount -r -t iso9660 "${_dev}" "${MNT_MEDIUM}" 2>/dev/null || mount -r -t udf "${_dev}" "${MNT_MEDIUM}" 2>/dev/null; then
|
||||
|
||||
mountpoint -q "${MNT_MEDIUM}" 2>/dev/null && break
|
||||
|
||||
@@ -102,20 +104,25 @@ fi
|
||||
if ! mountpoint -q "${MNT_MEDIUM}"; then
|
||||
|
||||
log "No live medium mounted, defer to default live-boot path."
|
||||
printf "\e[91m[FATAL] No live medium mounted, defer to default live-boot path. \n\e[0m"
|
||||
exit 0
|
||||
|
||||
fi
|
||||
|
||||
printf "\e[92m[INFO] MNT_MEDIUM : [%s] \n\e[0m" "${MNT_MEDIUM}"
|
||||
|
||||
### Locate the encrypted root container on the medium. -------------------------------------------------------------------------
|
||||
if [ ! -f "${MNT_MEDIUM}/${CDLB_LUKS_FS}" ]; then
|
||||
|
||||
log "Encrypted root not found at: [${MNT_MEDIUM}/${CDLB_LUKS_FS}]"
|
||||
printf "\e[91m[FATAL] Encrypted root not found at: [%s/%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LUKS_FS}"
|
||||
exit 0
|
||||
|
||||
fi
|
||||
|
||||
### Create/read FIFO compatible with cryptsetup-initramfs (if present). This allows 'cryptroot-unlock' to feed the passphrase
|
||||
### over SSH (dropbear).
|
||||
printf "\e[92m[INFO] CISS LUKS FS : [%s/%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LUKS_FS}"
|
||||
|
||||
### Create/read FIFO compatible with cryptsetup-initramfs. This allows 'cryptroot-unlock' to feed the passphrase over SSH. -----
|
||||
mkdir -p /lib/cryptsetup
|
||||
[ -p /lib/cryptsetup/passfifo ] || mkfifo /lib/cryptsetup/passfifo
|
||||
|
||||
@@ -127,16 +134,18 @@ attempts=0
|
||||
while true; do
|
||||
|
||||
attempts=$((attempts+1))
|
||||
echo "Unlock '${CDLB_LUKS_FS}' (try ${attempts}): use 'cryptroot-unlock' over SSH or enter on console" >/dev/console 2>/dev/null || true
|
||||
|
||||
## Non-blocking read from FIFO (Dropbear and cryptroot-unlock path).
|
||||
printf "\e[93m[INFO] Unlock: [%s] Attempt: [%s] Use 'cryptroot-unlock' over SSH or enter on console: \n\e[0m" \
|
||||
"${CDLB_LUKS_FS}" "${attempts}" >/dev/console 2>/dev/null || true
|
||||
|
||||
### Non-blocking read from FIFO (Dropbear and cryptroot-unlock path). --------------------------------------------------------
|
||||
if timeout 5 cat /lib/cryptsetup/passfifo | cryptsetup open --type luks --readonly "${LOOP}" crypt_liveiso --key-file - 2>/dev/null; then
|
||||
|
||||
break
|
||||
|
||||
fi
|
||||
|
||||
### Interactive fallback on the console.
|
||||
### Interactive fallback on the console. -------------------------------------------------------------------------------------
|
||||
if cryptsetup open --type luks --readonly "${LOOP}" crypt_liveiso; then
|
||||
|
||||
break
|
||||
@@ -145,16 +154,17 @@ while true; do
|
||||
|
||||
done
|
||||
|
||||
### Mount the decrypted payload as SquashFS under '/run/live/rootfs'. ----------------------------------------------------------
|
||||
mount -r -t squashfs /dev/mapper/crypt_liveiso "${MNT_ROOTFS}" || { log "mount squashfs failed"; exit 1; }
|
||||
### Expose the decrypted root device for live-boot overlay. The live-boot components will pick this up in '9990-overlay.sh'. ---
|
||||
echo "/dev/mapper/crypt_liveiso" >| /run/ciss-rootdev
|
||||
|
||||
### Ensure live-boot keeps using our medium (bind-mount for consistency). ------------------------------------------------------
|
||||
mount --bind "${MNT_MEDIUM}" "${MNT_MEDIUM}" 2>/dev/null || true
|
||||
chmod 0644 /run/ciss-rootdev 2>/dev/null || true
|
||||
|
||||
log "Encrypted squashfs is mounted at: [${MNT_ROOTFS}] (device=/dev/mapper/crypt_liveiso)"
|
||||
|
||||
printf "\e[92m[INFO] Encrypted squashfs is mounted at: [%s] (device=/dev/mapper/crypt_liveiso) \n\e[0m" "${MNT_ROOTFS}"
|
||||
export CISS_ROOT_DEV="/dev/mapper/crypt_liveiso"
|
||||
export CISS_ROOT_DIR=""
|
||||
|
||||
log "Decrypted root device exposed at [/run/ciss-rootdev] -> [/dev/mapper/crypt_liveiso]"
|
||||
|
||||
printf "\e[92m[INFO] Decrypted root device exposed at: [/run/ciss-rootdev] -> [/dev/mapper/crypt_liveiso] \n\e[0m"
|
||||
|
||||
printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0024-ciss-crypt-squash] \n\e[0m"
|
||||
|
||||
|
||||
@@ -29,7 +29,7 @@
|
||||
# 0 : Successful verification
|
||||
#######################################
|
||||
Verify_checksums() {
|
||||
printf "\e[95m[INFO] CDLB modified: [/usr/lib/live/boot/0030-ciss-verify-checksums] ... \n\e[0m"
|
||||
printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0030-ciss-verify-checksums] ... \n\e[0m"
|
||||
|
||||
### Declare variables --------------------------------------------------------------------------------------------------------
|
||||
|
||||
|
||||
@@ -31,8 +31,8 @@ export CDLB_EXP_CA_FPR="@EXP_CA_FPR@"
|
||||
CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-ciss_rootfs.crypt}"
|
||||
|
||||
### Attestation file locations inside decrypted rootfs. ------------------------------------------------------------------------
|
||||
CDLB_ATTEST_FPR_SHA="${CDLB_ATTEST_FPR_SHA:-/.ciss/attest/${CDLB_EXP_FPR}.sha512sum.txt}"
|
||||
CDLB_ATTEST_FPR_SIG="${CDLB_ATTEST_FPR_SIG:-/.ciss/attest/${CDLB_EXP_FPR}.sha512sum.txt.sig}"
|
||||
CDLB_ATTEST_FPR_SHA="${CDLB_ATTEST_FPR_SHA:-/root/.ciss/attest/${CDLB_EXP_FPR}.sha512sum.txt}"
|
||||
CDLB_ATTEST_FPR_SIG="${CDLB_ATTEST_FPR_SIG:-/root/.ciss/attest/${CDLB_EXP_FPR}.sha512sum.txt.sig}"
|
||||
CDLB_KEY_DIR="${CDLB_KEY_DIR:-/etc/ciss/keys}"
|
||||
|
||||
### Declare functions ----------------------------------------------------------------------------------------------------------
|
||||
|
||||
@@ -22,25 +22,33 @@
|
||||
|
||||
setup_unionfs ()
|
||||
{
|
||||
printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/9990-overlay.sh] ... \n\e[0m"
|
||||
|
||||
image_directory="${1}"
|
||||
rootmnt="${2}"
|
||||
addimage_directory="${3}"
|
||||
|
||||
# --- CISS hook: allow explicit root override --------------------------------------------------------------------------------
|
||||
if [ -n "${CISS_ROOT_DEV}" ]; then
|
||||
### CISS hook: allow explicit root override ----------------------------------------------------------------------------------
|
||||
if [ -z "${CISS_ROOT_DEV:-}" ] && [ -r /run/ciss-rootdev ]; then
|
||||
|
||||
### Treat a block device as a plain root.
|
||||
CISS_ROOT_DEV=$(cat /run/ciss-rootdev 2>/dev/null || printf '')
|
||||
|
||||
fi
|
||||
|
||||
if [ -n "${CISS_ROOT_DEV:-}" ]; then
|
||||
|
||||
### Treat the decrypted block device as plain root (e.g., squashfs on LUKS).
|
||||
PLAIN_ROOT=1
|
||||
image_directory="${CISS_ROOT_DEV}"
|
||||
|
||||
elif [ -n "${CISS_ROOT_DIR}" ]; then
|
||||
elif [ -n "${CISS_ROOT_DIR:-}" ]; then
|
||||
|
||||
### Treat a directory as a plain root.
|
||||
### Alternative: explicitly provided root directory.
|
||||
PLAIN_ROOT=1
|
||||
image_directory="${CISS_ROOT_DIR}"
|
||||
|
||||
fi
|
||||
# ----------------------------------------------------------------------------------------------------------------------------
|
||||
### --------------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
# shellcheck disable=SC2086
|
||||
modprobe -q -b ${UNIONTYPE}
|
||||
@@ -484,4 +492,6 @@ setup_unionfs ()
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/9990-overlay.sh] ... \n\e[0m"
|
||||
}
|
||||
|
||||
@@ -168,7 +168,7 @@ cryptsetup luksFormat \
|
||||
|
||||
**Goal:** After LUKS unlock, validate the **decrypted** contents and the **actual** mapping topology.
|
||||
|
||||
* **Attestation files:** `/.ciss/attest/rootfs.sha512[.sig]`
|
||||
* **Attestation files:** `/root/.ciss/attest/rootfs.sha512sum.txt[.sig]`
|
||||
* **Key source:** `/etc/ciss/keys/*.gpg` (accepted only if FPR == build-pin)
|
||||
* **Health check:** `dmsetup table --showkeys` → top `crypt` (AES-XTS), child `integrity` (HMAC-SHA-512, 4096 B)
|
||||
|
||||
|
||||
@@ -14,7 +14,7 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
|
||||
|
||||
#######################################
|
||||
# Integrates and generates sha512sum and GPG signatures on CISS specific LIVE boot artifacts:
|
||||
# - /.ciss/attestation/VAR_SIGNING_KEY_FPR.*
|
||||
# - /root/.ciss/attestation/VAR_SIGNING_KEY_FPR.*
|
||||
# - /etc/initramfs-tools/files/unlock_wrapper.sh
|
||||
# - /usr/lib/live/boot/0030-ciss-verify-checksums
|
||||
# Globals:
|
||||
@@ -31,10 +31,10 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
|
||||
ciss_upgrades_boot() {
|
||||
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
|
||||
|
||||
gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/.ciss/attestation/${VAR_SIGNING_KEY_FPR}.gpg"
|
||||
gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.ciss/attestation/${VAR_SIGNING_KEY_FPR}.gpg"
|
||||
|
||||
declare -ar _ary_target=(
|
||||
"/.ciss/attestation/${VAR_SIGNING_KEY_FPR}.gpg"
|
||||
"/root/.ciss/attestation/${VAR_SIGNING_KEY_FPR}.gpg"
|
||||
"/etc/initramfs-tools/files/unlock_wrapper.sh"
|
||||
"/usr/lib/live/boot/0030-ciss-verify-checksums"
|
||||
)
|
||||
|
||||
Reference in New Issue
Block a user