From a8ff9ecfef8085bfe1d60c82cec11b5f6a4fc3eedfc29ce6c35fdbd454725aad Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner"
Date: Fri, 21 Nov 2025 10:16:32 +0000
Subject: [PATCH] V8.13.440.2025.11.19
Signed-off-by: Marc S. Weidner
---
 .../usr/lib/live/boot/0024-ciss-crypt-squash | 89 +++++++++++++------
 1 file changed, 62 insertions(+), 27 deletions(-)
diff --git a/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash b/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash
index 5962909..ea276b2 100644
--- a/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash
+++ b/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash
@@ -41,6 +41,9 @@ log() {
 export CDLB_ISO_LABEL="CISS.debian.live"
 export CDLB_LUKS_FS="/live/ciss_rootfs.crypt"
 export CDLB_MAPPER_NAME="crypt_liveiso"
+export CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
+CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-10}"
+CDLB_MAX_TRIES="${CDLB_MAX_TRIES:-3}"
 MNT_MEDIUM="/run/live/medium"
 MNT_ROOTFS="/run/live/rootfs"
 _PARAMETER=""
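Review bot: `CDLB_REMOTE_WAIT_SECS` and `CDLB_MAX_TRIES` are taken from the environment with only a default substituted, yet the second hunk feeds them to `[ "${REMAINING}" -gt 0 ]` and `[ "${attempts}" -lt "${CDLB_MAX_TRIES}" ]`, where a non-numeric value makes the test itself fail and a zero or negative value silently skips the remote wait or the console unlock loop, ending in the final exit 42. Normalising them once here is cheap, e.g. `case "${CDLB_MAX_TRIES}" in ''|*[!0-9]*) CDLB_MAX_TRIES=3 ;; esac` and the same pattern for `CDLB_REMOTE_WAIT_SECS`. Where these values could come from in the initramfs environment is not visible in the patch; if this file is their only source the guard still documents the expected domain. A one-line comment stating that both are plain non-negative integers in seconds and tries, and why they are deliberately not exported unlike their neighbours, would help the next reader.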
@@ -112,59 +115,91 @@ fi
 printf "\e[92m[INFO] MNT_MEDIUM : [%s] \n\e[0m" "${MNT_MEDIUM}"
 ### Locate the encrypted root container on the medium. -------------------------------------------------------------------------
-if [ ! -f "${MNT_MEDIUM}/${CDLB_LUKS_FS}" ]; then
+if [ ! -f "${MNT_MEDIUM}${CDLB_LUKS_FS}" ]; then
 log "Encrypted root not found at: [${MNT_MEDIUM}/${CDLB_LUKS_FS}]"
- printf "\e[91m[FATAL] Encrypted root not found at: [%s/%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LUKS_FS}"
+ printf "\e[91m[FATAL] Encrypted root not found at: [%s%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LUKS_FS}"
 exit 0
 fi
-printf "\e[92m[INFO] CISS LUKS FS : [%s/%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LUKS_FS}"
-
-### Create/read FIFO compatible with cryptsetup-initramfs. This allows 'cryptroot-unlock' to feed the passphrase over SSH. ----
-mkdir -p /lib/cryptsetup
-[ -p /lib/cryptsetup/passfifo ] || mkfifo /lib/cryptsetup/passfifo
+printf "\e[92m[INFO] CISS LUKS FS : [%s%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LUKS_FS}"
 ### Attach a loop device read-only to the encrypted file. ----------------------------------------------------------------------
-LOOP="$(losetup -f --show -r "${MNT_MEDIUM}/${CDLB_LUKS_FS}")" || { log "losetup failed"; exit 42; }
+LOOP="$(losetup -f --show -r "${MNT_MEDIUM}${CDLB_LUKS_FS}")" || { log "losetup failed"; exit 42; }
-### Try to open the LUKS container, first via FIFO (SSH unlock), then interactively. ------------------------------------------
-attempts=0
-while true; do
+### Expose the loop device for unlock-wrapper.sh, dropbear forced-command. -----------------------------------------------------
+mkdir -p /run 2>/dev/null || true
+echo "${LOOP}" >| /run/ciss-loopdev 2>/dev/null || true
+chmod 0600 /run/ciss-loopdev 2>/dev/null || true
- attempts=$((attempts+1))
+### Wait briefly for the LUKS container to open via dropbear. ------------------------------------------------------------------
+if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
- printf "\e[93m[INFO] Unlock: [%s] Attempt: [%s] Use 'cryptroot-unlock' over SSH or enter on console: \n\e[0m" \
- "${CDLB_LUKS_FS}" "${attempts}" >/dev/console 2>/dev/null || true
+ REMAINING="${CDLB_REMOTE_WAIT_SECS}"
- ### Non-blocking read from FIFO (Dropbear and cryptroot-unlock path). --------------------------------------------------------
- if timeout 5 cat /lib/cryptsetup/passfifo | cryptsetup open --type luks --readonly "${LOOP}" crypt_liveiso --key-file - 2>/dev/null; then
+ while [ "${REMAINING}" -gt 0 ]; do
- break
+ if [ -b "${CDLB_MAPPER_DEV}" ]; then
- fi
+ log "LUKS mapping [${CDLB_MAPPER_DEV}] opened remotely by dropbear unlock_wrapper.sh."
+ printf "\e[92m[INFO] LUKS mapping : [%s] opened remotely by dropbear unlock_wrapper.sh. \n\e[0m" "${CDLB_MAPPER_DEV}"
+ break
- ### Interactive fallback on the console. -------------------------------------------------------------------------------------
- if cryptsetup open --type luks --readonly "${LOOP}" crypt_liveiso; then
+ fi
- break
+ sleep 1
+ REMAINING=$((REMAINING - 1))
- fi
+ done
-done
+fi
+
+### Fallback: interactive password entry on the console. -----------------------------------------------------------------------
+if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
+
+ attempts=0
+
+ while [ "${attempts}" -lt "${CDLB_MAX_TRIES}" ] && [ ! -b "${LUKS_MAPPER_DEV}" ]; do
+
+ attempts=$((attempts + 1))
+
+ printf "\e[93m[INFO] Unlock : [%s] Attempts: [%s/%s] Enter Passphrase on console: \n\e[0m" \
+ "${CDLB_LUKS_FS}" "${attempts}" "${CDLB_MAX_TRIES}" >/dev/console 2>/dev/null || true
+
+ ### Let cryptsetup handle the prompt on /dev/console; no keyfile, no FIFO.
+ if cryptsetup open --type luks --readonly "${LOOP}" "${LUKS_MAPPER_NAME}"; then
+
+ log "LUKS mapping [${CDLB_MAPPER_DEV}] opened via local console."
+ printf "\e[92m[INFO] LUKS mapping : [%s] Opened via local console. \n\e[0m" "${CDLB_MAPPER_DEV}"
+ break
+
+ fi
+
+ done
+
+fi
+
+### Final sanity check. --------------------------------------------------------------------------------------------------------
+if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
+
+ log "Failed to unlock encrypted root [${CDLB_LUKS_FS}] via dropbear and console."
+ printf "\e[91m[WARN] Failed unlock : [%s] via dropbear and console. \n\e[0m" "${CDLB_LUKS_FS}"
+ exit 42
+
+fi
 ### Expose the decrypted root device for live-boot overlay. The live-boot components will pick this up in '9990-overlay.sh'. ---
-echo "/dev/mapper/crypt_liveiso" >| /run/ciss-rootdev
+echo "${CDLB_MAPPER_DEV}" >| /run/ciss-rootdev
 chmod 0644 /run/ciss-rootdev 2>/dev/null || true
-export CISS_ROOT_DEV="/dev/mapper/crypt_liveiso"
+export CISS_ROOT_DEV="${CDLB_MAPPER_DEV}"
 export CISS_ROOT_DIR=""
-log "Decrypted root device exposed at [/run/ciss-rootdev] -> [/dev/mapper/crypt_liveiso]"
+log "Decrypted root device exposed at [/run/ciss-rootdev] -> [${CDLB_MAPPER_DEV}]"
-printf "\e[92m[INFO] Decrypted root device exposed at: [/run/ciss-rootdev] -> [/dev/mapper/crypt_liveiso] \n\e[0m"
+printf "\e[92m[INFO] Decrypted root device exposed at: [/run/ciss-rootdev] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}"
 printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0024-ciss-crypt-squash] \n\e[0m"
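Review bot: The console fallback loop tests `${LUKS_MAPPER_DEV}` and passes `${LUKS_MAPPER_NAME}` to `cryptsetup open`, but the variables this commit defines are `CDLB_MAPPER_DEV` and `CDLB_MAPPER_NAME`; unless `LUKS_MAPPER_*` are set somewhere not shown, both expand empty, `cryptsetup open` is invoked with an empty mapping name and cannot succeed, and after `CDLB_MAX_TRIES` prompts the final check exits 42 even when the passphrase was correct. The loop header should read `while [ "${attempts}" -lt "${CDLB_MAX_TRIES}" ] && [ ! -b "${CDLB_MAPPER_DEV}" ]; do` and the open line `if cryptsetup open --type luks --readonly "${LOOP}" "${CDLB_MAPPER_NAME}"; then`. Two smaller points in the same hunk: the `log` call inside the not-found branch still prints `[${MNT_MEDIUM}/${CDLB_LUKS_FS}]` with the separator that the neighbouring check and printf dropped, so log and console output now disagree; and the write of `${LOOP}` to `/run/ciss-loopdev` is fully silenced with `2>/dev/null || true`, so if it fails the dropbear unlock path has nothing to act on and the script spends the whole `CDLB_REMOTE_WAIT_SECS` wait for nothing — a `log "cannot write /run/ciss-loopdev"` on failure would make that visible. The forced-command wrapper that consumes `/run/ciss-loopdev` is outside this patch, so the 0600 mode is assumed to be what it expects.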