V8.02.512.2025.05.30

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/includes.chroot/preseed/.ash/di_scripting_password.sh

@@ -0,0 +1,93 @@
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# No bash in the installer environment, only BusyBox.
+
+set -o errexit
+set -o nounset
+set -o noclobber
+
+# Create a passphrase by pulling only characters in the range '!' to '~' (ASCII 0x21 to 0x7e) from /dev/random.
+umask 0077
+TMP_PASSPHRASE_FILE=$(mktemp)
+readonly TMP_PASSPHRASE_FILE
+grep -o '[!-~]' /dev/urandom | tr -d '\n' | head -c64 >> "${TMP_PASSPHRASE_FILE}"
+
+# Create an include file for debian-installer with the passphrase as answers to the questions.
+DEB_INSTALLER_CRYPT_INC_FILE=$(mktemp)
+readonly DEB_INSTALLER_CRYPT_INC_FILE
+
+# Read the first line (the passphrase) – POSIX-compliant
+# IFS= prevents leading/trailing spaces from being truncated,
+# -r ensures that backslashes are not interpreted.
+IFS= read -r passphrase < "${TMP_PASSPHRASE_FILE}"
+
+# A single printf call with exactly one redirect
+# – ShellCheck-compliant and valid in POSIX-sh
+printf 'd-i partman-crypto/passphrase string %s\n' "${passphrase}" >> "$DEB_INSTALLER_CRYPT_INC_FILE"
+
+printf 'd-i partman-crypto/passphrase-again string %s\n' "${passphrase}" >> "$DEB_INSTALLER_CRYPT_INC_FILE"
+
+# Echo the file to be included, so debian-installer will do that - assuming this command is being run via 'preseed/include_command'.
+# Without file:// will try and fetch from the webserver this preseed was served from.
+echo "file://${DEB_INSTALLER_CRYPT_INC_FILE}"
+
+# Add extra commands to the file that should be run using 'preseed/late_command' to ensure the passphrase is included in the new installation.
+readonly IN_TARGET_KEY_FILE=/etc/keys/luks-lvm.key
+
+cat - >> /tmp/late-command-script << LATE_EOF
+##### BEGIN ADDED BY preseed-crypto-key preseed/include_command
+
+umask 0077
+
+mkdir -p /target$(dirname "${IN_TARGET_KEY_FILE}")
+
+cp "${TMP_PASSPHRASE_FILE}" /target"${IN_TARGET_KEY_FILE}"
+
+# Use /root as /tmp might be noexec
+
+cat - >/target/root/configure-crypt-unlock <<EOF
+#!/usr/bin/bash
+
+# Standard bash safety features
+set -eufo pipefail
+
+if grep -q UMASK /etc/initramfs-tools/initramfs.conf
+then
+  sed -i 's-^#\?UMASK.*\\\$-UMASK=0077-' /etc/initramfs-tools/initramfs.conf
+else
+  echo -e "# Secure initramfs while it contains unlock keys for root filesystem\nUMASK=0077" >>/etc/initramfs-tools/initramfs.conf
+fi
+
+# Include keyfile in initramfs
+sed -i 's-^#\?KEYFILE_PATTERN=.*\\\$-KEYFILE_PATTERN=$(dirname ${IN_TARGET_KEY_FILE})/*.key-' /etc/cryptsetup-initramfs/conf-hook
+
+# Configure crypt to use keyfile to unlock encrypted partition(s)
+sed -i 's#\(UUID=[^ ]\+\) none#\1 ${IN_TARGET_KEY_FILE}#' /etc/crypttab
+
+# Update initramfs with key file
+update-initramfs -u
+exit 0
+EOF
+
+sleep 1
+
+chmod 500 /target/root/configure-crypt-unlock
+in-target /root/configure-crypt-unlock
+rm /target/root/configure-crypt-unlock
+
+exit 0
+##### END ADDED BY preseed-crypto-key preseed/include_command
+LATE_EOF
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh