V8.13.440.2025.11.19

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash

@@ -41,6 +41,9 @@ log() {
 export CDLB_ISO_LABEL="CISS.debian.live"
 export CDLB_LUKS_FS="/live/ciss_rootfs.crypt"
 export CDLB_MAPPER_NAME="crypt_liveiso"
+export CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
+CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-10}"
+CDLB_MAX_TRIES="${CDLB_MAX_TRIES:-3}"
 MNT_MEDIUM="/run/live/medium"
 MNT_ROOTFS="/run/live/rootfs"
 _PARAMETER=""
@@ -112,59 +115,91 @@ fi
 printf "\e[92m[INFO] MNT_MEDIUM     : [%s] \n\e[0m" "${MNT_MEDIUM}"
 
 ### Locate the encrypted root container on the medium. -------------------------------------------------------------------------
-if [ ! -f "${MNT_MEDIUM}/${CDLB_LUKS_FS}" ]; then
+if [ ! -f "${MNT_MEDIUM}${CDLB_LUKS_FS}" ]; then
 
   log "Encrypted root not found at: [${MNT_MEDIUM}/${CDLB_LUKS_FS}]"
-  printf "\e[91m[FATAL] Encrypted root not found at: [%s/%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LUKS_FS}"
+  printf "\e[91m[FATAL] Encrypted root not found at: [%s%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LUKS_FS}"
   exit 0
 
 fi
 
-printf "\e[92m[INFO] CISS LUKS FS   : [%s/%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LUKS_FS}"
-
-### Create/read FIFO compatible with cryptsetup-initramfs. This allows 'cryptroot-unlock' to feed the passphrase over SSH. -----
-mkdir -p /lib/cryptsetup
-[ -p /lib/cryptsetup/passfifo ] || mkfifo /lib/cryptsetup/passfifo
+printf "\e[92m[INFO] CISS LUKS FS   : [%s%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LUKS_FS}"
 
 ### Attach a loop device read-only to the encrypted file. ----------------------------------------------------------------------
-LOOP="$(losetup -f --show -r "${MNT_MEDIUM}/${CDLB_LUKS_FS}")" || { log "losetup failed"; exit 42; }
+LOOP="$(losetup -f --show -r "${MNT_MEDIUM}${CDLB_LUKS_FS}")" || { log "losetup failed"; exit 42; }
 
-### Try to open the LUKS container, first via FIFO (SSH unlock), then interactively. -------------------------------------------
-attempts=0
-while true; do
+### Expose the loop device for unlock-wrapper.sh, dropbear forced-command. -----------------------------------------------------
+mkdir -p /run 2>/dev/null || true
+echo "${LOOP}" >| /run/ciss-loopdev 2>/dev/null || true
+chmod 0600 /run/ciss-loopdev 2>/dev/null || true
 
-  attempts=$((attempts+1))
+### Wait briefly for the LUKS container to open via dropbear. ------------------------------------------------------------------
+if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
 
-  printf "\e[93m[INFO] Unlock: [%s] Attempt: [%s] Use 'cryptroot-unlock' over SSH or enter on console: \n\e[0m" \
-    "${CDLB_LUKS_FS}" "${attempts}" >/dev/console 2>/dev/null || true
+  REMAINING="${CDLB_REMOTE_WAIT_SECS}"
 
-  ### Non-blocking read from FIFO (Dropbear and cryptroot-unlock path). --------------------------------------------------------
-  if timeout 5 cat /lib/cryptsetup/passfifo | cryptsetup open --type luks --readonly "${LOOP}" crypt_liveiso --key-file - 2>/dev/null; then
+  while [ "${REMAINING}" -gt 0 ]; do
 
+    if [ -b "${CDLB_MAPPER_DEV}" ]; then
+
+      log "LUKS mapping [${CDLB_MAPPER_DEV}] opened remotely by dropbear unlock_wrapper.sh."
+      printf "\e[92m[INFO] LUKS mapping   : [%s] opened remotely by dropbear unlock_wrapper.sh. \n\e[0m" "${CDLB_MAPPER_DEV}"
       break
 
     fi
 
-  ### Interactive fallback on the console. -------------------------------------------------------------------------------------
-  if cryptsetup open --type luks --readonly "${LOOP}" crypt_liveiso; then
+    sleep 1
+    REMAINING=$((REMAINING - 1))
 
+  done
+
+fi
+
+### Fallback: interactive password entry on the console. -----------------------------------------------------------------------
+if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
+
+  attempts=0
+
+  while [ "${attempts}" -lt "${CDLB_MAX_TRIES}" ] && [ ! -b "${LUKS_MAPPER_DEV}" ]; do
+
+    attempts=$((attempts + 1))
+
+    printf "\e[93m[INFO] Unlock         : [%s] Attempts: [%s/%s] Enter Passphrase on console: \n\e[0m" \
+      "${CDLB_LUKS_FS}" "${attempts}" "${CDLB_MAX_TRIES}" >/dev/console 2>/dev/null || true
+
+    ### Let cryptsetup handle the prompt on /dev/console; no keyfile, no FIFO.
+    if cryptsetup open --type luks --readonly "${LOOP}" "${LUKS_MAPPER_NAME}"; then
+
+      log "LUKS mapping [${CDLB_MAPPER_DEV}] opened via local console."
+      printf "\e[92m[INFO] LUKS mapping   : [%s] Opened via local console. \n\e[0m" "${CDLB_MAPPER_DEV}"
       break
 
     fi
 
   done
 
+fi
+
+### Final sanity check. --------------------------------------------------------------------------------------------------------
+if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
+
+  log "Failed to unlock encrypted root [${CDLB_LUKS_FS}] via dropbear and console."
+  printf "\e[91m[WARN] Failed unlock  : [%s] via dropbear and console. \n\e[0m" "${CDLB_LUKS_FS}"
+  exit 42
+
+fi
+
 ### Expose the decrypted root device for live-boot overlay. The live-boot components will pick this up in '9990-overlay.sh'. ---
-echo "/dev/mapper/crypt_liveiso" >| /run/ciss-rootdev
+echo "${CDLB_MAPPER_DEV}" >| /run/ciss-rootdev
 
 chmod 0644 /run/ciss-rootdev 2>/dev/null || true
 
-export CISS_ROOT_DEV="/dev/mapper/crypt_liveiso"
+export CISS_ROOT_DEV="${CDLB_MAPPER_DEV}"
 export CISS_ROOT_DIR=""
 
-log "Decrypted root device exposed at [/run/ciss-rootdev] -> [/dev/mapper/crypt_liveiso]"
+log "Decrypted root device exposed at [/run/ciss-rootdev] -> [${CDLB_MAPPER_DEV}]"
 
-printf "\e[92m[INFO] Decrypted root device exposed at: [/run/ciss-rootdev] -> [/dev/mapper/crypt_liveiso] \n\e[0m"
+printf "\e[92m[INFO] Decrypted root device exposed at: [/run/ciss-rootdev] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}"
 
 printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0024-ciss-crypt-squash] \n\e[0m"