V9.14.018.2026.06.07

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 07:24:22 +01:00
parent 8b6731f1be
commit 9cdcc0a9ec
56 changed files with 204 additions and 97 deletions
@@ -14,8 +14,10 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Purpose: Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
-# Phase  : premount (executed by live-boot inside the initramfs).
+# Module summary:
+# - Reserve a dedicated /run/live/overlay tmpfs with a configurable size limit.
+# - Mount it with restrictive flags and permissions before OverlayFS uses it.
+# - Prepare the upper and work directories required by the later live-boot overlay setup.

 _SAVED_SET_OPTS="$(set +o)"

@@ -14,8 +14,12 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Purpose: Open /live/ciss_rootfs.crypt (LUKS) for final processing in '9990-overlay.sh'
-# Phase  : premount (executed by live-boot inside the initramfs)
+# Module summary:
+# - Read CISS boot parameters for the encrypted root path and live ISO label.
+# - Mount the live medium read-only and locate the encrypted SquashFS container.
+# - Attach the encrypted container through a read-only loop device.
+# - Accept a LUKS passphrase from the local console or remotely unlock FIFO.
+# - Open the decrypted root mapper and expose the handoff state for later live-boot overlay processing.

 _SAVED_SET_OPTS="$(set +o)"

@@ -14,8 +14,11 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Purpose: Enforce early sysctls before services start.
-# Phase  : premount (executed by live-boot inside the initramfs).
+# Module summary:
+# - Runs during live-boot premount while the system is still inside the initramfs.
+# - Applies early kernel hardening before the real root and regular services are active.
+# - Restricts ptrace, unprivileged BPF, core dumps, kexec, unsafe link handling, regular-file protections, and kernel pointer
+#   exposure where supported.

 _SAVED_SET_OPTS="$(set +o)"

@@ -14,6 +14,14 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+# Module summary:
+# This live-boot component implements the verify-checksums mode for the mounted live medium.
+# It reads the live-boot command line to decide whether checksum verification is enabled and which digests to accept.
+# It locates the pinned CISS GPG key material on the live medium, optionally verifies this script's signed hash,
+# optionally verifies signed checksum files, and checks the first matching checksum manifest with the matching digest tool. It
+# writes detailed checksum output to the verification TTY. It panics instead of continuing boot when integrity or
+# authenticity verification fails.
+
 ### Modified Version of the original file:
 ### https://salsa.debian.org/live-team/live-boot 'components/0030-ciss-verify-checksums'
 ### If the offered checksum is successfully verified, proceed with booting. Otherwise, panic.
@@ -14,8 +14,13 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Purpose: Late rootfs attestation and dmsetup health checking.
-# Phase  : executed by live-boot inside the 9990-main.sh.
+# Module summary:
+# - Runs after the encrypted live root filesystem has been decrypted.
+# - Requires the pinned public key, attestation hash file, and detached signature to exist as readable, non-empty regular files
+#   inside the decrypted rootfs.
+# - Verifies the attestation signature with gpgv against the pinned key material.
+# - Confirms that the signature fingerprint matches the build-time expected rootfs fingerprint and panics on missing, malformed,
+#   or mismatched evidence.

 _SAVED_SET_OPTS="$(set +o)"

@@ -30,7 +35,7 @@ export CDLB_EXP_FPR="@EXP_FPR@"
 export CDLB_EXP_CA_FPR="@EXP_CA_FPR@"

 ### Name of the top-level dm-crypt mapping (e.g., cryptsetup --label): zzzz_ciss_crypt_squash.hook.binary ----------------------
-CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-crypt_liveiso}"
+export CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-crypt_liveiso}"

 ### Attestation file locations inside decrypted rootfs. ------------------------------------------------------------------------
 CDLB_ATTEST_FPR_SHA="${CDLB_ATTEST_FPR_SHA:-/root/root/.ciss/attestation/${CDLB_EXP_FPR}.gpg.sha512sum.txt}"
@@ -66,33 +71,83 @@ log_ok() { printf '\e[92m[INFO] %s \n\e[0m' "$*"; }
 #######################################
 log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }

+#######################################
+# Validate a boot-time attestation input file.
+# Globals:
+#   None
+# Arguments:
+#   1: Human-readable artifact label
+#   2: Absolute artifact path
+# Returns:
+#   0: on success
+#######################################
+require_attestation_file() {
+  artifact_label="${1}"
+  artifact_path="${2}"
+
+  if [ ! -e "${artifact_path}" ]; then
+
+    if [ -L "${artifact_path}" ]; then
+
+      log_er "0042()              : ${artifact_label} is a broken symlink, not a regular file: [${artifact_path}]"
+      panic  "0042()              : ${artifact_label} is a broken symlink, not a regular file: [${artifact_path}]"
+
+    fi
+
+    log_er "0042()              : ${artifact_label} missing: [${artifact_path}]"
+    panic  "0042()              : ${artifact_label} missing: [${artifact_path}]"
+
+  fi
+
+  if [ -L "${artifact_path}" ] || [ ! -f "${artifact_path}" ]; then
+
+    log_er "0042()              : ${artifact_label} is not a regular file: [${artifact_path}]"
+    panic  "0042()              : ${artifact_label} is not a regular file: [${artifact_path}]"
+
+  fi
+
+  if [ ! -s "${artifact_path}" ]; then
+
+    log_er "0042()              : ${artifact_label} is empty: [${artifact_path}]"
+    panic  "0042()              : ${artifact_label} is empty: [${artifact_path}]"
+
+  fi
+
+  if [ ! -r "${artifact_path}" ]; then
+
+    log_er "0042()              : ${artifact_label} is not readable: [${artifact_path}]"
+    panic  "0042()              : ${artifact_label} is not readable: [${artifact_path}]"
+
+  fi
+
+  return 0
+}
+
 HASH_FILE="${CDLB_ATTEST_FPR_SHA}"
 SIGN_FILE="${CDLB_ATTEST_FPR_SIG}"
 KEYFILE="${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg"

-if [ -s "${KEYFILE}" ]; then
-
-  log_er "0042()              : No public key found under: [${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"
-  panic  "0042()              : No public key found under: [${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"
-
-fi
-
-if [ -s "${HASH_FILE}" ]; then
-
-  log_er "0042()              : Attestation data missing: [${HASH_FILE}]"
-  panic  "0042()              : Attestation data missing: [${HASH_FILE}]"
-
-fi
-
-if [ -s "${SIGN_FILE}" ]; then
-
-  log_er "0042()              : Attestation signature missing: [${SIGN_FILE}]"
-  panic  "0042()              : Attestation signature missing: [${SIGN_FILE}]"
-
-fi
+require_attestation_file "Public key"            "${KEYFILE}"
+require_attestation_file "Attestation data"      "${HASH_FILE}"
+require_attestation_file "Attestation signature" "${SIGN_FILE}"

 log_in "0042()               : Verifying rootfs attestation with 'gpgv' and inside LUKS encrypted rootfs pinned GPG FPR."
-_STATUS="$(/usr/bin/gpgv --keyring "${KEYFILE}" --status-fd 1 "${SIGN_FILE}" "${HASH_FILE}")"
+
+if ! _STATUS="$(/usr/bin/gpgv --keyring "${KEYFILE}" --status-fd 1 "${SIGN_FILE}" "${HASH_FILE}" 2>&1)"; then
+
+  log_er "0042()              : gpgv verification failed for signature: [${SIGN_FILE}]"
+
+  if [ -n "${_STATUS}" ]; then
+
+    printf '%s\n' "${_STATUS}" >&2
+
+  fi
+
+  sleep 8
+  panic  "0042()              : gpgv verification failed for signature: [${SIGN_FILE}]"
+
+fi
+
 _CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"

 ### Compare against pinned and expected fingerprint. ---------------------------------------------------------------------------
@@ -14,9 +14,18 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Modified Version of the original file:
-### https://salsa.debian.org/live-team/live-boot 'components/9990-main.sh'
-### Change the behavior so that the ciss_rootfs.crypt (0024-ciss-crypt-squash) is mounted when it is opened.
+# Modified Version of the original file:
+# https://salsa.debian.org/live-team/live-boot 'components/9990-main.sh'
+# Change the behavior so that the ciss_rootfs.crypt (0024-ciss-crypt-squash) is mounted when it is opened.
+
+# Module summary:
+# - Run early cryptroot handling before live filesystem discovery.
+# - Parse live-boot parameters, apply debug/read-only/network setup, and load initramfs configuration.
+# - Locate or reuse the live filesystem from network, iSCSI, plain root, memdisk, LVM-backed media, or the
+#   CISS encrypted SquashFS preseed.
+# - Verify checksums, optionally copy live media to RAM or disk, and mount the final live root via unionfs or image stacking.
+# - Transfer selected runtime configuration into the target root, validate the mounted root, configure fstab/netbase/swap, and
+#   preserve boot logs.

 # set -e

@@ -14,9 +14,16 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Modified Version of the original file:
-### https://salsa.debian.org/live-team/live-boot 'components/9990-networking.sh'
-### Change the behavior so that the systemd-networkd stack '/etc/resolv.conf' is not overwritten.
+# Modified Version of the original file:
+# https://salsa.debian.org/live-team/live-boot 'components/9990-networking.sh'
+# Change the behavior so that the systemd-networkd stack '/etc/resolv.conf' is not overwritten.
+
+# Module summary:
+# - Resolve the boot interface from Syslinux/PXELINUX BOOTIF metadata when available.
+# - Bring up live-boot networking for local, netboot, fetch, HTTPFS, and FTPFS paths.
+# - Probe configured or discovered interfaces with ipconfig and export the selected device.
+# - Populate hostname, hosts, DNS, and HWADDR data only where needed by later boot stages.
+# - Preserve an existing /etc/resolv.conf so systemd-networkd ownership is not overwritten.

 # set -e

@@ -14,9 +14,16 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Modified Version of the original file:
-### https://salsa.debian.org/live-team/live-boot 'components/9990-overlay.sh'
-### Change the behavior so that the ciss_rootfs.crypt (0024-ciss-crypt-squash) is mounted when it is opened.
+# Modified Version of the original file:
+# https://salsa.debian.org/live-team/live-boot 'components/9990-overlay.sh'
+# Change the behavior so that the ciss_rootfs.crypt (0024-ciss-crypt-squash) is mounted when it is opened.
+
+# Module summary:
+# This live-boot overlay module prepares the root filesystem view during boot. It accepts the CISS decrypted root
+# device override from /run/ciss-rootdev, mounts the read-only root image set or plain-mapped root, applies dm-verity
+# options where available, prepares the writable overlay backing store from tmpfs, persistence, or NFS_COW, creates the
+# final union mounts, activates custom persistence mounts, normalizes key permissions, and invokes the CISS post-decrypt
+# attestation hook after the overlay is in place.

 #set -e

@@ -152,7 +159,7 @@ setup_unionfs ()
        rootfslist="${mpoint} ${rootfslist}"
        mount_options=""

-        # Setup dm-verity support if a device has it supported
+        # Set up dm-verity support if a device has it supported
        hash_device="${image}.verity"
        # shellcheck disable=SC2086
        if [ -f ${hash_device} ]
@@ -434,7 +441,7 @@ setup_unionfs ()
    fi || panic "mount ${UNIONTYPE} on ${unionmountpoint} failed with option ${unionmountopts}"
  done

-  # Remove persistence depending on boot parameter
+  # Remove persistence depending on the boot parameter
  Remove_persistence

  # Correct the permissions of /: