From b8abd17237aa34e903633ee35d3158bb6ccb57f2ec18bdc11d00c4deab7473a0 Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner"
Date: Wed, 3 Dec 2025 14:30:25 +0100
Subject: [PATCH] V8.13.528.2025.12.03
Signed-off-by: Marc S. Weidner
---
 .../lib/live/boot/0030-ciss-verify-checksums | 2 +-
 .../live/boot/0042_ciss_post_decrypt_attest | 20 +-
 .../usr/lib/live/boot/9990-main.sh | 4 +-
 .../usr/lib/live/boot/9990-networking.sh | 218 ++++++++++++++++++
 .../usr/lib/live/boot/9990-overlay.sh | 2 +-
 lib/lib_cdi.sh | 2 +-
 lib/lib_lb_config_write_trixie.sh | 2 +-
 lib/lib_provider_netcup.sh | 8 +-
 8 files changed, 235 insertions(+), 23 deletions(-)
 create mode 100644 config/includes.chroot/usr/lib/live/boot/9990-networking.sh
diff --git a/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums b/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums
index 850dd85..abdc6da 100644
--- a/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums
+++ b/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums
@@ -16,7 +16,7 @@
 ### Modified Version of the original file:
 ### https://salsa.debian.org/live-team/live-boot 'components/0030-ciss-verify-checksums'
-### In case of successful verification of the offered checksum, proceed with booting; otherwise panic.
+### If the offered checksum is successfully verified, proceed with booting. Otherwise, panic.
 #######################################
 # Modified checksum-integrity and authenticity-verification-script depending on pinned GPG FPR for boot process verification.
diff --git a/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest b/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest
index 969f636..15fc470 100644
--- a/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest
+++ b/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest
@@ -92,9 +92,9 @@ HASH_FILE="${CDLB_ATTEST_FPR_SHA}"
 SIGN_FILE="${CDLB_ATTEST_FPR_SIG}"
 KEYFILE="${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg"
-[ -s "${KEYFILE}" ] || { log_er "0042() : No public key found under: [${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"; exit 42; }
-[ -s "${HASH_FILE}" ] || { log_er "0042() : Attestation data missing: [${HASH_FILE}]"; exit 42; }
-[ -s "${SIGN_FILE}" ] || { log_er "0042() : Attestation signature missing: [${SIGN_FILE}]"; exit 42; }
+[ -s "${KEYFILE}" ] || { log_er "0042() : No public key found under: [${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"; exit 42; }
+[ -s "${HASH_FILE}" ] || { log_er "0042() : Attestation data missing: [${HASH_FILE}]"; exit 42; }
+[ -s "${SIGN_FILE}" ] || { log_er "0042() : Attestation signature missing: [${SIGN_FILE}]"; exit 42; }
 log_in "0042() : Verifying rootfs attestation with 'gpgv' and inside LUKS encrypted rootfs pinned GPG FPR."
@@ -108,7 +108,7 @@ if [ -e "${MAP_DEV}" ]; then
 else
- log_er "0042() : Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
+ log_er "0042() : Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
 #sleep 8
 #panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
@@ -127,7 +127,7 @@ if [ -e "${MAP_DEV}" ]; then
 else
- log_er "0042() : Top layer is NOT 'crypt'."
+ log_er "0042() : Top layer is NOT 'crypt'."
 #sleep 8
 #panic "[FATAL] Top layer is NOT 'crypt'."
@@ -139,7 +139,7 @@ if [ -e "${MAP_DEV}" ]; then
 else
- log_er "0042() : Cipher does not look like AES-XTS."
+ log_er "0042() : Cipher does not look like AES-XTS."
 #sleep 8
 #panic "[FATAL] Cipher does not look like AES-XTS."
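Review bot: The `log_er` line this hunk re-emits for the signature-fingerprint mismatch (`@@ -108`) is not fatal: the `panic` on the following context line is commented out, so a signature made by a key other than `${CDLB_EXP_FPR}` only logs and the script carries on to the dm-crypt checks (the hunk itself only changes whitespace on that line). The missing-key and missing-signature cases a few lines above already fail hard, so the mismatch branch should match them: `log_er "0042() : Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"; exit 42` (or re-enable the commented `panic`). The same log-and-continue shape is visible in the `Top layer is NOT 'crypt'` and `Cipher does not look like AES-XTS` branches of the next two hunks. If this is deliberate for a debug build, a comment naming the build flag that gates it would stop a reader from taking the script for an enforcing attestation step. The enclosing `if`/`else` blocks start outside the hunk.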
@@ -168,10 +168,10 @@ esac
 log_in "Checking underlying integrity target: ${CHILD_NAME}"
 CHILD_TAB="$(/usr/sbin/dmsetup table --showkeys "${CHILD_NAME}" 2>/dev/null || true)"
-printf '%s\n' "${CHILD_TAB}" | grep -q ' integrity ' || { log_er "0042() : Underlying layer is not 'integrity'"; }
-printf '%s\n' "${CHILD_TAB}" | grep -qi 'hmac' || { log_er "0042() : Integrity target not using keyed MAC (hmac)"; }
-printf '%s\n' "${CHILD_TAB}" | grep -qi 'sha512' || { log_er "0042() : Integrity algo not sha512"; }
-printf '%s\n' "${CHILD_TAB}" | grep -Eq '\b4096\b' || { log_er "0042() : Expected 4096-byte sector size not found"; }
+printf '%s\n' "${CHILD_TAB}" | grep -q ' integrity ' || { log_er "0042() : Underlying layer is not 'integrity'"; }
+printf '%s\n' "${CHILD_TAB}" | grep -qi 'hmac' || { log_er "0042() : Integrity target not using keyed MAC (hmac)"; }
+printf '%s\n' "${CHILD_TAB}" | grep -qi 'sha512' || { log_er "0042() : Integrity algo not sha512"; }
+printf '%s\n' "${CHILD_TAB}" | grep -Eq '\b4096\b' || { log_er "0042() : Expected 4096-byte sector size not found"; }
 log_ok "0042() : dm-crypt and dm-integrity(HMAC-SHA512, 4096B) chain looks healthy."
diff --git a/config/includes.chroot/usr/lib/live/boot/9990-main.sh b/config/includes.chroot/usr/lib/live/boot/9990-main.sh
index 0dce673..50f7e8d 100644
--- a/config/includes.chroot/usr/lib/live/boot/9990-main.sh
+++ b/config/includes.chroot/usr/lib/live/boot/9990-main.sh
@@ -15,8 +15,8 @@
 # SPDX-Security-Contact: security@coresecret.eu
 ### Modified Version of the original file:
-### https://salsa.debian.org/live-team/live-boot 'components/9990-main.shh'
-### Change behavior to mount already opened ciss_rootfs.crypt (0024-ciss-crypt-squash).
+### https://salsa.debian.org/live-team/live-boot 'components/9990-main.sh'
+### Change the behavior so that the ciss_rootfs.crypt (0024-ciss-crypt-squash) is mounted when it is opened.
 # set -e
diff --git a/config/includes.chroot/usr/lib/live/boot/9990-networking.sh b/config/includes.chroot/usr/lib/live/boot/9990-networking.sh
new file mode 100644
index 0000000..7a47d22
--- /dev/null
+++ b/config/includes.chroot/usr/lib/live/boot/9990-networking.sh
@@ -0,0 +1,218 @@
+#!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck disable=SC2249
+# shellcheck shell=sh
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Modified Version of the original file:
+### https://salsa.debian.org/live-team/live-boot 'components/9990-networking.sh'
+### Change the behavior so that the systemd-networkd stack '/etc/resolv.conf' is not overwritten.
+
+# set -e
+
+printf "\e[95m[INFO] Sourcing : [/usr/lib/live/boot/9990-networking.sh] \n\e[0m"
+
+Device_from_bootif ()
+{
+ # Support for Syslinux IPAPPEND parameter
+ # it sets the BOOTIF variable on the kernel parameter
+
+ if [ -n "${BOOTIF}" ]
+ then
+ # Pxelinux sets BOOTIF to a value based on the mac address of the
+ # network card used to PXE boot, so use this value for DEVICE rather
+ # than a hard-coded device name from initramfs.conf. This facilitates
+ # network booting when machines may have multiple network cards.
+ # Pxelinux sets BOOTIF to 01-$mac_address
+
+ # Strip off the leading "01-", which isn't part of the mac
+ # address
+ temp_mac=${BOOTIF#*-}
+
+ # Convert to the typical mac address format by replacing "-" with ":"
+ bootif_mac=""
+ IFS='-'
+ for x in ${temp_mac}
+ do
+ if [ -z "${bootif_mac}" ]
+ then
+ bootif_mac="${x}"
+ else
+ bootif_mac="${bootif_mac}:${x}"
+ fi
+ done
+ unset IFS
+
+ # Look for devices with matching mac address and set DEVICE to
+ # appropriate value if match is found.
+
+ for device in /sys/class/net/*
+ do
+ if [ -f "${device}/address" ]
+ then
+ current_mac=$(cat "${device}/address")
+
+ if [ "${bootif_mac}" = "${current_mac}" ]
+ then
+ DEVICE=${device##*/}
+ break
+ fi
+ fi
+ done
+ fi
+}
+
+do_netsetup ()
+{
+ printf "\e[95m[INFO] do_netsetup() : [/usr/lib/live/boot/9990-networking.sh] \n\e[0m"
+ modprobe -q af_packet # For DHCP
+
+ udevadm trigger
+ udevadm settle
+
+ [ -n "${ETHDEV_TIMEOUT}" ] || ETHDEV_TIMEOUT=15
+ echo "Using timeout of ${ETHDEV_TIMEOUT} seconds for network configuration."
+
+ if [ -z "${NETBOOT}" ] && [ -z "${FETCH}" ] && [ -z "${HTTPFS}" ] && [ -z "${FTPFS}" ]
+ then
+ # See if we can select the device from BOOTIF
+ Device_from_bootif
+
+ # if ethdevice was not specified on the kernel command line,
+ # make sure we try to get a working network configuration
+ # for *every* present network device (except for loopback of course)
+ if [ -z "${ETHDEVICE}" ]
+ then
+ echo "If you want to boot from a specific device use bootoption ethdevice=..."
+ for device in /sys/class/net/*
+ do
+ dev=${device##*/}
+ if [ "${dev}" != "lo" ]
+ then
+ ETHDEVICE="${ETHDEVICE} ${dev}"
+ fi
+ done
+ fi
+
+ # Split args of ethdevice=eth0,eth1 into "eth0 eth1"
+ for device in $(echo "${ETHDEVICE}" | sed 's/,/ /g')
+ do
+ devlist="${devlist} ${device}"
+ done
+
+ for dev in ${devlist}
+ do
+ echo "Executing ipconfig -t ${ETHDEV_TIMEOUT} ${dev}"
+ ipconfig -t "${ETHDEV_TIMEOUT}" "${dev}" | tee -a /netboot.config
+
+ # if configuration of a device worked, we should have an assigned
+ # IP address, if so, let's use the device as $DEVICE for later usage.
+ # Simple and primitive approach, which seems to work fine + if ifconfig "${dev}" | grep -q -E 'inet.*addr:|inet [0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*' + then + export DEVICE="${dev}" + break + fi + done + else + for interface in ${DEVICE}; do + ipconfig -t "${ETHDEV_TIMEOUT}" "${interface}" | tee "/netboot-${interface}.config" + + # shellcheck disable=SC1090 + [ -e "/run/net-${interface}.conf" ] && . "/run/net-${interface}.conf" + + if [ "${IPV4ADDR}" != "0.0.0.0" ] + then + break + fi + done + fi + + for interface in ${DEVICE} + do + # source relevant ipconfig output + OLDHOSTNAME=${HOSTNAME} + + # shellcheck disable=SC1090 + [ -e "/run/net-${interface}.conf" ] && . "/run/net-${interface}.conf" + + [ -z "${HOSTNAME}" ] && HOSTNAME="${OLDHOSTNAME}" + export HOSTNAME + + if [ -n "${interface}" ] + then + # HWADDR used by do_iscsi from 9990-mount-iscsi.sh + # shellcheck disable=SC2034 + HWADDR="$(cat "/sys/class/net/${interface}/address")" + fi + + if [ ! -e "/etc/hostname" ] && [ -n "${HOSTNAME}" ] + then + echo "Creating /etc/hostname" + echo "${HOSTNAME}" > /etc/hostname + fi + + # Only create /etc/hosts if FQDN is known (to let 'hostname -f' query + # this file). Otherwise, DNS will be queried to determine the FQDN. + if [ ! -e "/etc/hosts" ] && [ -n "${DNSDOMAIN}" ] + then + echo "Creating /etc/hosts" + cat > /etc/hosts < /etc/resolv.conf + fi + + for i in ${IPV4DNS0} ${IPV4DNS1} ${IPV4DNS1} ${DNSSERVERS} + do + if [ -n "${i}" ] && [ "${i}" != 0.0.0.0 ] + then + echo "nameserver ${i}" >> /etc/resolv.conf + fi + done + + if [ -n "${DOMAINSEARCH}" ] + then + echo "search ${DOMAINSEARCH}" >> /etc/resolv.conf + elif [ -n "${DNSDOMAIN}" ] + then + echo "search ${DNSDOMAIN}" >> /etc/resolv.conf + fi + fi + + # Check if we have a network device at all + if ! ls /sys/class/net/"${interface}" > /dev/null 2>&1 && \ + ! ls /sys/class/net/eth0 > /dev/null 2>&1 && \ + ! ls /sys/class/net/wlan0 > /dev/null 2>&1 && \ + ! 
ls /sys/class/net/ath0 > /dev/null 2>&1 && \
+ ! ls /sys/class/net/ra0 > /dev/null 2>&1
+ then
+ panic "No supported network device found, maybe a non-mainline driver is required."
+ fi
+ done
+ printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/9990-networking.sh/do_netsetup()] \n\e[0m"
+}
diff --git a/config/includes.chroot/usr/lib/live/boot/9990-overlay.sh b/config/includes.chroot/usr/lib/live/boot/9990-overlay.sh
index 0a216ef..ba4e0fe 100644
--- a/config/includes.chroot/usr/lib/live/boot/9990-overlay.sh
+++ b/config/includes.chroot/usr/lib/live/boot/9990-overlay.sh
@@ -16,7 +16,7 @@
 ### Modified Version of the original file:
 ### https://salsa.debian.org/live-team/live-boot 'components/9990-overlay.sh'
-### Change behavior to mount already opened ciss_rootfs.crypt (0024-ciss-crypt-squash).
+### Change the behavior so that the ciss_rootfs.crypt (0024-ciss-crypt-squash) is mounted when it is opened.
 #set -e
diff --git a/lib/lib_cdi.sh b/lib/lib_cdi.sh
index 25a4d00..d363da9 100644
--- a/lib/lib_cdi.sh
+++ b/lib/lib_cdi.sh
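Review bot: `do_netsetup()` prints the green `Successfully applied` banner unconditionally, but when `DEVICE` was not preset and no interface obtained an address in the `ipconfig` loop, `DEVICE` stays empty, the `for interface in ${DEVICE}` loop runs zero times, and with it the `panic "No supported network device found..."` check is skipped — the function then reports success without having configured an interface, hostname or resolver. A guard before the banner makes the outcome explicit, e.g. `[ -n "${DEVICE}" ] || { echo "do_netsetup(): no network interface obtained an address" >&2; return 1; }` (or `panic`, if the netboot/fetch paths cannot continue without a link). The values written to `/etc/hostname`, `/etc/hosts` and `/etc/resolv.conf` (`HOSTNAME`, `DNSDOMAIN`, `DOMAINSEARCH`, `IPV4DNS*`) are sourced as shell from `/run/net-${interface}.conf`, which `ipconfig` fills from the DHCP reply; whether `ipconfig` escapes quotes in those values is outside this diff, so a comment marking that file as DHCP-controlled input would be appropriate. The header states the intent is to leave the systemd-networkd `/etc/resolv.conf` alone, yet the function still appends `nameserver`/`search` lines to `/etc/resolv.conf`; the condition guarding that block is not readable in this rendering, so a comment spelling out exactly when the file is touched would help the next reader.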
@@ -44,7 +44,7 @@ cdi() {
 tmp_entry="$(mktemp)"
 cat << EOF >| "${tmp_entry}"
 menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i {
- linux /live/vmlinuz-${VAR_KERNEL} boot=live ciss_iso_label=CISS.debian.live ciss_crypt_path=/live/ciss_rootfs.crypt components ip=dhcp keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path}
+ linux /live/vmlinuz-${VAR_KERNEL} boot=live ciss_iso_label=CISS.debian.live ciss_crypt_path=/live/ciss_rootfs.crypt components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on
random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path}
 initrd /live/initrd.img-${VAR_KERNEL}
 }
 EOF
diff --git a/lib/lib_lb_config_write_trixie.sh b/lib/lib_lb_config_write_trixie.sh
index e7f444f..a8a676a 100644
--- a/lib/lib_lb_config_write_trixie.sh
+++ b/lib/lib_lb_config_write_trixie.sh
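Review bot: Dropping `ip=dhcp` from the GRUB `linux` line changes what the initramfs does with the network (in live-boot the `ip=` option is one of the triggers for initramfs network setup; the cmdline parsing is outside this diff), but neither the hunk nor the commit message (a bare version string) records why, so a comment next to the heredoc such as `# no 'ip=' option on purpose: initramfs DHCP is left to systemd-networkd in the rootfs (see 9990-networking.sh)` would keep the next maintainer from re-adding it. The same kernel command line is maintained by hand here and in `lib_lb_config_write_trixie.sh --bootappend-live`, and this commit edits both in lockstep; the two strings appear to differ only by the GRUB-specific `findiso=\${iso_path}`, so building it once in a shared variable and appending `findiso=` here would make drift between the ISO's GRUB entry and the live-build config impossible. `panic=0` on this line means a kernel panic hangs indefinitely while the installer cmdline in the same commit uses `panic=-1`; that predates this change, but with `oops=panic` it is the failure mode for any kernel bug and deserves a one-line comment. The enclosing `cdi()` function continues outside the hunk.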
@@ -45,7 +45,7 @@ lb_config_write_trixie() {
 --binary-filesystem fat32 \
 --binary-image iso-hybrid \
 --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
- --bootappend-live "boot=live ciss_iso_label=CISS.debian.live ciss_crypt_path=/live/ciss_rootfs.crypt components ip=dhcp keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
+ --bootappend-live "boot=live
ciss_iso_label=CISS.debian.live ciss_crypt_path=/live/ciss_rootfs.crypt components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
 --bootloaders grub-efi \
 --cache true \
 --checksums sha512 sha384 sha256 \
diff --git a/lib/lib_provider_netcup.sh b/lib/lib_provider_netcup.sh
index ed1ffcb..d68bf2c 100644
--- a/lib/lib_provider_netcup.sh
+++ b/lib/lib_provider_netcup.sh
@@ -19,7 +19,6 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 # BASH_SOURCE
 # VAR_HANDLER_BUILD_DIR
 # VAR_HANDLER_NETCUP_IPV6
-# VAR_WORKDIR
 # Arguments:
 # None
 # Returns:
@@ -57,7 +56,7 @@ DNS=138.199.237.109
 DNS=2a01:4f9:c012:a813:135:181:207:105
 DNS=2a0a:4cc0:1:e6:89:58:62:53
 DNS=2a01:4f8:c013:8011:138:199:237:109
-DNSOverTLS=opportunistic
+DNSOverTLS=yes
 DNSSEC=yes
 IPv6AcceptRA=no
 LinkLocalAddressing=ipv6
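Review bot: `DNSOverTLS=yes` is the right move over `opportunistic` (an on-path attacker can no longer force a plaintext fallback), but the `DNS=` entries surrounding it in the `@@ -57` hunk are bare addresses, and systemd-resolved then verifies the resolver's certificate only against the IP (older releases not at all) and sends no SNI; each entry should carry the resolver's name, e.g. `DNS=2a01:4f9:c012:a813:135:181:207:105#<resolver-hostname>`, with the matching `#name` on the IPv4 entries above the hunk, so the certificate is checked against a hostname the operator chose. With strict rather than opportunistic mode every lookup now fails closed if the TLS handshake or certificate check fails, which for an unattended provider image is a boot-time availability dependency on these resolvers; that trade-off deserves a comment in the heredoc, e.g. `# strict DoT: name resolution is refused rather than downgraded to plaintext`. The pre-existing `DNSSEC=yes` on the next line adds the further requirement that these resolvers pass DNSSEC records through, so a resolver that strips them breaks resolution rather than degrading it. The heredoc that produces this `.network` file starts outside the hunk.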
@@ -81,11 +80,6 @@ UseHostname=no # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf EOF - #sed -i "s|MUST_BE_REPLACED|${handler_netcup_ipv6_string}|g" "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" - #rm -f "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot" - #cp "${VAR_WORKDIR}/scripts/etc/network/9999_interfaces_update_netcup.chroot" "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot" - #chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/hooks/live/9999_interfaces_update.chroot" - printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}" fi