From b1ffbdf204b46ba79567b991985f90f312d99cfd402ca475e157fd72e332d7fd Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner"
Date: Fri, 5 Dec 2025 10:44:43 +0100
Subject: [PATCH] V8.13.544.2025.12.05
Signed-off-by: Marc S. Weidner
---
 .../live/zzzz_ciss_crypt_squash.hook.binary | 73 +++++++++++++------
 1 file changed, 52 insertions(+), 21 deletions(-)
diff --git a/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary b/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary
index d34f634..3603137 100644
--- a/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary
+++ b/config/hooks/live/zzzz_ciss_crypt_squash.hook.binary
@@ -45,12 +45,12 @@ preallocate() {
 if dd if=/dev/zero of="${file}" bs="${blocksize}" count="${blockcounter}" status=progress conv=fsync; then
- printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync ] successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
+ printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
 return 0
 else
- printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync ] NOT successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
+ printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] NOT successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
 return 42
 fi
@@ -76,27 +76,58 @@ declare -i ALIGN_BYTES=$(( 4096 * 1024 ))
 declare -i BASE_SIZE=$(( VAR_ROOTFS_SIZE + OVERHEAD_FIXED + (VAR_ROOTFS_SIZE * OVERHEAD_PCT / 100) ))
 declare -i VAR_LUKSFS_SIZE=$(( ( (BASE_SIZE + ALIGN_BYTES - 1) / ALIGN_BYTES ) * ALIGN_BYTES ))
-preallocate "${LUKSFS}" "${VAR_LUKSFS_SIZE}"
+declare -i TRY_SIZE="${VAR_LUKSFS_SIZE}"
+declare -i MAX_TRIES=32
+declare -i TRY=0
+declare CRYPT_RC=0
+
+while (( TRY < MAX_TRIES )); do
+
+ preallocate "${LUKSFS}" "${TRY_SIZE}"
+
+ exec {KEYFD}<"${VAR_TMP_SECRET}/luks.txt"
+
+ if cryptsetup luksFormat \
+ --batch-mode \
+ --cipher aes-xts-plain64 \
+ --integrity hmac-sha512 \
+ --iter-time 1000 \
+ --key-file "/proc/$$/fd/${KEYFD}" \
+ --key-size 512 \
+ --label crypt_liveiso \
+ --luks2-keyslots-size 16777216 \
+ --luks2-metadata-size 4194304 \
+ --pbkdf argon2id \
+ --sector-size 4096 \
+ --type luks2 \
+ --use-random \
+ --verbose \
+ "${LUKSFS}"
+ then
+ CRYPT_RC=0
+ exec {KEYFD}<&-
+ break
+ fi
+
+ CRYPT_RC="$?"
+ exec {KEYFD}<&-
+
+ printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ [cryptsetup failed for size %s (rc=%s), increasing by %s bytes.] \e[0m\n" "${TRY_SIZE}" "${CRYPT_RC}" "${ALIGN_BYTES}"
+
+ TRY_SIZE=$(( TRY_SIZE + ALIGN_BYTES ))
+ TRY=$(( TRY + 1 ))
+
+done
+
+if (( CRYPT_RC != 0 )); then
+ printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Unable to create LUKS2+integrity container after %s attempts. \e[0m\n" "${TRY}"
+ exit 42
+fi
+
+### At this point TRY_SIZE is the actual size used.
+VAR_LUKSFS_SIZE="${TRY_SIZE}"
 exec {KEYFD}<"${VAR_TMP_SECRET}/luks.txt"
-
-cryptsetup luksFormat \
- --batch-mode \
- --cipher aes-xts-plain64 \
- --integrity hmac-sha512 \
- --iter-time 1000 \
- --key-file "/proc/$$/fd/${KEYFD}" \
- --key-size 512 \
- --label crypt_liveiso \
- --luks2-keyslots-size 16777216 \
- --luks2-metadata-size 4194304 \
- --pbkdf argon2id \
- --sector-size 4096 \
- --type luks2 \
- --use-random \
- --verbose \
- "${LUKSFS}"
-
 cryptsetup open --key-file "/proc/$$/fd/${KEYFD}" "${LUKSFS}" crypt_liveiso
 # shellcheck disable=SC2155
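Review bot: `CRYPT_RC="$?"` after the `fi` never sees cryptsetup's exit code, because an `if` with no `else` whose condition fails has status 0, so CRYPT_RC is set to 0 on every failed attempt. After MAX_TRIES failures the `(( CRYPT_RC != 0 ))` guard is therefore false, the `exit 42` is skipped, and the script falls through to `cryptsetup open` on a container that was never formatted; the retry message also always reports rc=0. Capture the status inside the conditional instead, replacing the `fi` / `CRYPT_RC="$?"` pair with `else` / `CRYPT_RC=$?` / `fi`. The loop also ignores the `return 42` from `preallocate` and retries on any luksFormat failure, not only a size-related one, so an unreadable key file would cost 32 full `dd` passes unless errexit (not visible in this hunk) stops it first.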