Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
@@ -84,26 +84,56 @@ create_attestation() {
|
||||
declare rootfs_hash=""
|
||||
declare rootfs_size=""
|
||||
|
||||
|
||||
rootfs_size="$(stat -c%s -- "${rootfs_file}")"
|
||||
rootfs_hash="$(sha512sum "${rootfs_file}")"
|
||||
rootfs_hash="$(LC_ALL=C sha512sum "${rootfs_file}")"
|
||||
rootfs_hash="${rootfs_hash%% *}"
|
||||
|
||||
if printf '%s %s\n' "${rootfs_hash}" "${rootfs_file}" | LC_ALL=C sha512sum -c --strict --quiet; then
|
||||
|
||||
printf "\e[92m✅ [LC_ALL=C sha512sum -c --strict --quiet of %s] successful. \e[0m\n" "${rootfs_file}"
|
||||
|
||||
else
|
||||
|
||||
printf "\e[91m❌ [LC_ALL=C sha512sum -c --strict --quiet of %s] NOT successful. \e[0m\n" "${rootfs_file}"
|
||||
return 42
|
||||
|
||||
fi
|
||||
|
||||
# The attested boundary is the final SquashFS byte stream before LUKS wrapping. The boot verifier reads exactly this many
|
||||
# bytes from the decrypted mapper and intentionally excludes the LUKS allocation slack after the SquashFS payload.
|
||||
cat << EOF >| "${rootfs_attestation}"
|
||||
# CISS rootfs attestation manifest v1
|
||||
# boundary: final filesystem.squashfs byte stream copied into /dev/mapper/crypt_liveiso
|
||||
# rootfs-size-bytes: ${rootfs_size}
|
||||
# CISS.debian.live.builder Master ${VAR_VERSION}
|
||||
# Attestation file for filesystem.squashfs Version 1.0.0
|
||||
# Boundary : Final filesystem.squashfs byte stream copied into /dev/mapper/crypt_liveiso
|
||||
# Bytes : Final filesystem.squashfs ${VAR_ROOTFS_SIZE}
|
||||
${rootfs_hash} ciss-rootfs.squashfs
|
||||
EOF
|
||||
chmod 0444 "${rootfs_attestation}"
|
||||
|
||||
gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
|
||||
--detach-sign --output "${rootfs_attestation}.sig" "${rootfs_attestation}"
|
||||
if gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
|
||||
--detach-sign --output "${rootfs_attestation}.sig" "${rootfs_attestation}"; then
|
||||
|
||||
printf "\e[92m✅ [gpg of %s] successful. \e[0m\n" "${rootfs_attestation}"
|
||||
|
||||
else
|
||||
|
||||
printf "\e[91m❌ [gpg of %s] NOT successful. \e[0m\n" "${rootfs_attestation}"
|
||||
return 42
|
||||
|
||||
fi
|
||||
|
||||
chmod 0444 "${rootfs_attestation}.sig"
|
||||
|
||||
gpgv --keyring "${VAR_VERIFY_KEYRING}" "${rootfs_attestation}.sig" "${rootfs_attestation}"
|
||||
if gpgv --keyring "${VAR_VERIFY_KEYRING}" "${rootfs_attestation}.sig" "${rootfs_attestation}"; then
|
||||
|
||||
printf "\e[92m✅ [gpgv of %s] successful. \e[0m\n" "${rootfs_attestation}.sig"
|
||||
|
||||
else
|
||||
|
||||
printf "\e[91m❌ [gpgv of %s] NOT successful. \e[0m\n" "${rootfs_attestation}.sig"
|
||||
return 42
|
||||
|
||||
fi
|
||||
|
||||
printf "\e[92m[INFO] Rootfs attestation manifest created and verified: [%s]. \e[0m\n" "${rootfs_attestation}"
|
||||
|
||||
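Review bot: The manifest's `# Bytes :` line expands `${VAR_ROOTFS_SIZE}`, a script-level global, from inside create_attestation, while the function's own `rootfs_size` (filled from `stat` a few lines above) is never used; if the global's declaration is one of the lines dropped in the following hunk, that field is written empty. Use the local instead: `# Bytes : Final filesystem.squashfs ${rootfs_size}`. Old/new sides are inferred from the hunk counts, so confirm that the `${rootfs_size}` header variant is indeed the removed one. The function's opening line and closing brace lie outside this hunk.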
@@ -122,9 +152,6 @@ declare LUKS_KEY_FILE="${VAR_TMP_SECRET}/${VAR_LUKS_KEY:-luks.txt}"
|
||||
declare KEYFD=""
|
||||
# shellcheck disable=SC2155
|
||||
declare -i VAR_ROOTFS_SIZE="$(stat -c%s -- "${ROOTFS}")"
|
||||
# shellcheck disable=SC2155
|
||||
declare VAR_ROOTFS_HASH="$(LC_ALL=C sha512sum "${ROOTFS}")"
|
||||
declare VAR_ROOTFS_HASH="${VAR_ROOTFS_HASH%% *}"
|
||||
|
||||
### Attestation Boundary
|
||||
# - The attested boundary is the final SquashFS byte stream before LUKS wrapping.
|
||||
@@ -132,51 +159,7 @@ declare VAR_ROOTFS_HASH="${VAR_ROOTFS_HASH%% *}"
|
||||
# slack after the SquashFS payload.
|
||||
printf "\e[95m🧪 Attestation of filesystem.squashfs ... \e[0m\n"
|
||||
|
||||
cat << EOF >| "${ROOTFS_ATTESTATION}"
|
||||
# CISS.debian.live.builder Master ${VAR_VERSION}
|
||||
# Attestation file for filesystem.squashfs Version 1.0.0
|
||||
# Boundary : Final filesystem.squashfs byte stream copied into /dev/mapper/crypt_liveiso
|
||||
# Bytes : Final filesystem.squashfs ${VAR_ROOTFS_SIZE}
|
||||
${VAR_ROOTFS_HASH} filesystem.squashfs
|
||||
EOF
|
||||
|
||||
chmod 0444 "${ROOTFS_ATTESTATION}"
|
||||
|
||||
if gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
|
||||
--detach-sign --output "${ROOTFS_ATTESTATION}.sig" "${ROOTFS_ATTESTATION}"; then
|
||||
|
||||
printf "\e[92m✅ [gpg of %s] successful. \e[0m\n" "${ROOTFS_ATTESTATION}"
|
||||
|
||||
else
|
||||
|
||||
printf "\e[91m❌ [gpg of %s] NOT successful. \e[0m\n" "${ROOTFS_ATTESTATION}"
|
||||
return 42
|
||||
|
||||
fi
|
||||
|
||||
chmod 0444 "${ROOTFS_ATTESTATION}.sig"
|
||||
|
||||
if gpgv --keyring "${VAR_VERIFY_KEYRING}" "${ROOTFS_ATTESTATION}.sig" "${ROOTFS_ATTESTATION}"; then
|
||||
|
||||
printf "\e[92m✅ [gpgv of %s] successful. \e[0m\n" "${ROOTFS_ATTESTATION}.sig"
|
||||
|
||||
else
|
||||
|
||||
printf "\e[91m❌ [gpgv of %s] NOT successful. \e[0m\n" "${ROOTFS_ATTESTATION}.sig"
|
||||
return 42
|
||||
|
||||
fi
|
||||
|
||||
if LC_ALL=C sha512sum -c --strict --quiet "${ROOTFS_ATTESTATION}"; then
|
||||
|
||||
printf "\e[92m✅ [LC_ALL=C sha512sum -c --strict --quiet of %s] successful. \e[0m\n" "${ROOTFS_ATTESTATION}"
|
||||
|
||||
else
|
||||
|
||||
printf "\e[91m❌ [LC_ALL=C sha512sum -c --strict --quiet of %s] NOT successful. \e[0m\n" "${ROOTFS_ATTESTATION}"
|
||||
return 42
|
||||
|
||||
fi
|
||||
create_attestation "${ROOTFS}" "${ROOTFS_ATTESTATION}"
|
||||
|
||||
printf "\e[92m✅ Attestation of filesystem.squashfs successful. \e[0m\n"
|
||||
|
||||
|
||||
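Review bot: The exit status of the new `create_attestation` call is not checked, so the `return 42` failure paths inside the function only stop the build if `set -e` is active (not visible in this hunk); otherwise the unconditional "Attestation of filesystem.squashfs successful" banner follows a failed signing or verification. Make the failure explicit: `create_attestation "${ROOTFS}" "${ROOTFS_ATTESTATION}" || exit 42`.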