msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.536.2025.12.04
Some checks failed
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-12-04 23:59:45 +01:00
parent c421f86d7e
commit bb56823cc4
6 changed files with 41 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
.gitea/workflows/generate_PRIVATE_trixie_0.yaml
View File

@@ -183,6 +183,7 @@ jobs:
install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt
install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt
install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_ca.asc
install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc
install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt
@@ -196,6 +197,7 @@ jobs:
echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}" >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
echo "${{ secrets.CISS_PHYS_AGE }}" >| /dev/shm/cdlb_secrets/keys.txt
echo "${{ secrets.CISS_PHYS_LUKS }}" >| /dev/shm/cdlb_secrets/luks.txt
echo "${{ secrets.PGP_CISS_CA_PUBLIC_KEY }}" >| /dev/shm/cdlb_secrets/signing_ca.asc
echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}" >| /dev/shm/cdlb_secrets/signing_key.asc
echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}" >| /dev/shm/cdlb_secrets/signing_key_pass.txt
@@ -204,12 +206,14 @@ jobs:
set -euo pipefail
chmod 0700 ciss_live_builder.sh
timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'.
chmod 0400 /dev/shm/cdlb_secrets/*
./ciss_live_builder.sh \
--architecture amd64 \
--autobuild=6.17.8+deb13-amd64 \
--build-directory /opt/cdlb \
--cdi \
--change-splash hexagon \
--control "${timestamp}" \
--debug \
--dhcp-centurion \
@@ -218,6 +222,7 @@ jobs:
--key_luks=luks.txt \
--provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
--root-password-file /dev/shm/cdlb_secrets/password.txt \
--signing_ca=signing_ca.asc \
--signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }} \
--signing_key_pass=signing_key_pass.txt \
--signing_key=signing_key.asc \

2
.gitea/workflows/generate_PRIVATE_trixie_1.yaml
View File

@@ -206,7 +206,7 @@ jobs:
set -euo pipefail
chmod 0700 ciss_live_builder.sh
timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'.
chmod 0400 /dev/shm/cdlb_secrets/*
./ciss_live_builder.sh \
--architecture amd64 \

4
.gitea/workflows/generate_PUBLIC_iso.yaml
View File

@@ -183,12 +183,14 @@ jobs:
set -euo pipefail
chmod 0700 ciss_live_builder.sh
timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'.
chmod 0400 /dev/shm/cdlb_secrets/*
./ciss_live_builder.sh \
--architecture amd64 \
--autobuild=6.17.8+deb13-amd64 \
--build-directory /opt/cdlb \
--cdi \
--change-splash hexagon \
--control "${timestamp}" \
--debug \
--root-password-file /dev/shm/cdlb_secrets/password.txt \

2
config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
View File

@@ -341,8 +341,8 @@ readonly -f verify_script
#######################################
# Main Program Sequence.
# Globals:
# CDLB_MAPPER_DEV
# CURRENTDATE
# DEVICES_LUKS
# GRE
# MAG
# NL

55
docs/MAN_CISS_ISO_BOOT_CHAIN.md
View File

@@ -14,7 +14,7 @@ include_toc: true
**Status:** 2025-11-12<br>
**Audience:** CICA CISO, CISS staff, technically proficient administrators<br>
**Summary:** The CISS.debian.live.builder Live-ISO establishes a two-stage verification chain without Microsoft-db: an early ISO-edge check (signature and FPR pin) *before* LUKS unlock, and a late root-FS attestation *after* unlock, reinforced by `dm-crypt (AES-XTS)` and `dm-integrity (HMAC-SHA-512)`.<br>
**Summary:** The **CISS.debian.live.builder** Live-ISO establishes a two-stage verification chain without Microsoft-db: an early ISO-edge check (signature and FPR pin) *before* LUKS unlock, and a late root-FS attestation *after* unlock, reinforced by `dm-crypt (AES-XTS)` and `dm-integrity (HMAC-SHA-512)`.<br>
# 3. Overview
@@ -23,8 +23,9 @@ include_toc: true
1. **Early:** Verify `sha512sum.txt` at the ISO edge using `gpgv` and FPR pin.
2. **Late:** Verify an attestation hash list inside the decrypted root FS using `gpgv` and FPR pin.
* **Storage-level AEAD (functional):** `dm-crypt` (AES-XTS-512) and `dm-integrity` (HMAC-SHA-512, 4 KiB).
* **Remotely unlock:** Hardened Dropbear (modern primitives only), no passwords, no agent/forwarding.
* **Remotely unlock:** CISS hardened and build dropbear, modern primitives only, no passwords, no agent/forwarding.
# 4. Primitives & Parameters
@@ -33,12 +34,12 @@ include_toc: true
| LUKS2 | `aes-xts-plain64`, `--key-size 512`, `--sector-size 4096` | Confidentiality (2×256-bit XTS) |
| dm-integrity | `hmac-sha512` (keyed), journal | Adversary-resistant per-sector integrity, authenticity |
| PBKDF | `argon2id`, `--iter-time 1000` ms | Key derivation, hardware-agnostic |
| Signatures | Ed25519, RSA-4096 (FPR pinned) | Public verifiability, non-repudiation |
| Signatures | Ed25519 or RSA-4096 (FPR pinned) | Public verifiability, non-repudiation |
| Verification | `gpgv --no-default-keyring` | No agent dependency in initramfs |
| Hash lists | `sha512sum` format | Deterministic content verification |
| Dropbear | Modern KEX/AEAD (per `localoptions.h`) | Minimal attack surface, remote unlock |
# 5. Diagram: CISS Live ISO Boot Flow, complete
# 5. Diagram: CISS Live ISO Boot Flow
```mermaid
flowchart TD
subgraph Trusted HW Manufacturer
@@ -109,7 +110,7 @@ flowchart TD
0142 -- FAIL --> X;
```
# 6. Diagram: CISS Live ISO LUKS and dm-integrity layering, complete
# 6. Diagram: CISS Live ISO LUKS and dm-integrity layering
```mermaid
---
config:
@@ -127,7 +128,7 @@ flowchart TD
**Note:** Encrypt-then-MAC at the block layer (functionally AEAD-equivalent). Any manipulation ⇒ hard I/O error.
# 7. CISS Live ISO LUKS Build-Time Core Steps, complete
# 7. CISS Live ISO LUKS Build-Time Core Steps
```sh
cryptsetup luksFormat \
--batch-mode \
@@ -149,7 +150,7 @@ cryptsetup luksFormat \
**Signing keys:** Ed25519 and RSA-4096; **FPR pinned at build time** in hooks. Signing keys are **additionally** signed by an offline GPG Root-CA (out-of-band trust chain).
# 8. Early ISO-Edge Verification (CISS modified hook 0030, live-bottom)
# 8. Early ISO-Edge Verification (CISS modified hook 0030-ciss-verify-checksums, live-bottom)
**Goal:** Before consuming any medium content, verify:
@@ -164,13 +165,12 @@ cryptsetup luksFormat \
# parse [GNUPG:] VALIDSIG ... <FPR> ...
```
# 9. Late Root-FS Attestation and dmsetup Health (CISS hook 0045, live-bottom)
# 9. Late Root-FS Attestation and dmsetup Health (CISS hook 0042_ciss_post_decrypt_attest, called by 9990-overlay.sh)
**Goal:** After LUKS unlock, validate the **decrypted** contents and the **actual** mapping topology.
* **Attestation files:** `/root/.ciss/attest/rootfs.sha512sum.txt[.sig]`
* **Attestation files:** `/root/.ciss/attestation/<FPR>.sha512sum.txt[.sig]`
* **Key source:** `/etc/ciss/keys/*.gpg` (accepted only if FPR == build-pin)
* **Health check:** `dmsetup table --showkeys` → top `crypt` (AES-XTS), child `integrity` (HMAC-SHA-512, 4096 B)
**Core calls (initramfs):**
@@ -180,36 +180,35 @@ cryptsetup luksFormat \
# 2) Optional: Content hash verification
( cd "$ROOTMP" && /usr/bin/sha512sum -c --strict --quiet "$DATA" )
# 3) dmsetup health
dmsetup table --showkeys /dev/mapper/crypt_liveiso
dmsetup table --showkeys CHILD # expect integrity hmac sha512 4096
```
# 10. Failure Policy (fail-closed, deterministic)
* **Abort** on: missing `VALIDSIG`, FPR mismatch, missing key/signature, or a deviating `dmsetup` topology.
* **Abort** on: missing `VALIDSIG`, FPR mismatch, missing key / signature.
# 11. CISS Dropbear (Hardened Remotely Unlock)
# 11. CISS hardened and built dropbear
```text
• Public-key auth only, no passwords
• Modern KEX/AEAD (e.g., curve25519, sntrup761x25519-sha512, mlkem768x25519-sha256; AES-GCM)
• No agent/X11/TCP forwarding, no SFTP
• Strict timeouts/keep-alives, restricted cipher/KEX set
• Port 42137 (per CISS convention)
• Modern KEX / AEAD (e.g., curve25519, sntrup761x25519-sha512, mlkem768x25519-sha256; AES-GCM)
• No agent / X11 / TCP forwarding, no SFTP
• Strict timeouts / keep-alives, restricted cipher / KEX set
• Port 44137 (per CISS convention)
```
*Concrete selection compiled via your `localoptions.h` at ISO build time.*
*Concrete selection compiled via [localoptions.h](../upgrades/dropbear/localoptions.h) at ISO build time.*
# 12. Integration Points & Paths
* **Hooks (build view):**
* `/usr/lib/live/boot/0022-ciss-overlay-tmpfs`,
* `/usr/lib/live/boot/0024-ciss-crypt-squash`,
* `/usr/lib/live/boot/0026-ciss-early-sysctl`,
* `/usr/lib/live/boot/0030-ciss-verify-checksums`,
* `/usr/lib/live/boot/0042-ciss-post-decrypt-attest`,
* [0022-ciss-overlay-tmpfs](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs),
* [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash),
* [0026-ciss-early-sysctl](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl),
* [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums),
* [0042_ciss_post_decrypt_attest](../config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest),
* [9990-main.sh](../config/includes.chroot/usr/lib/live/boot/9990-main.sh),
* [9990-networking.sh](../config/includes.chroot/usr/lib/live/boot/9990-networking.sh),
* [9990-overlay.sh](../config/includes.chroot/usr/lib/live/boot/9990-overlay.sh).
* **Hooks (boot view):**
* `/scripts/live-premount/0022-ciss-overlay-tmpfs`,
* `/scripts/live-premount/0024-ciss-crypt-squash`,
@@ -217,7 +216,7 @@ dmsetup table --showkeys CHILD # expect integrity hmac sha512 4096
* `/scripts/live-bottom/0030-ciss-verify-checksums`,
* `/scripts/live-bottom/0042-ciss-post-decrypt-attest`
* **Key files:**
* ISO edge (for 0030): embedded public key blob (project-specific fpr)
* ISO edge (for 0030): embedded public key blob (project-specific FPR)
* Root FS (for 0042): `/etc/ciss/keys/<FPR>.gpg`
* **Mounts (typical):** `/run/live/rootfs`, `/run/live/overlay`
@@ -262,7 +261,7 @@ I -- FAIL --> X;
# 14. Closing Remarks
This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection against medium tampering, bitrot and active attacks **both before and after decryption**. The dual verification phases plus `dmsetup` health make the state transparent and deterministic.
This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection against medium tampering, bitrot and active attacks **both before and after decryption**. The dual verification phases make the state transparent and deterministic.
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**

4
lib/lib_clean_up.sh
View File

@@ -15,14 +15,16 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
#######################################
# Cleanup wrapper on the traps on 'ERR' and 'EXIT'.
# Globals:
# VAR_CDLB_INSIDE_RUNNER
# GNUPGHOME
# LOG_ERROR
# VAR_CDLB_INSIDE_RUNNER
# VAR_EARLY_DEBUG
# VAR_HANDLER_BUILD_DIR
# VAR_KERNEL_INF
# VAR_KERNEL_SRT
# VAR_KERNEL_TMP
# VAR_NOTES
# VAR_TMP_SECRET
# VAR_WORKDIR
# Arguments:
# 1 : ${trap_on_exit_code} of trap_on_exit()