From bb56823cc49836841ca5ef4499a375fb9a4facd48e8cd43aba3697afda275fec Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner"
Date: Thu, 4 Dec 2025 23:59:45 +0100
Subject: [PATCH] V8.13.536.2025.12.04
Signed-off-by: Marc S. Weidner
---
 .../workflows/generate_PRIVATE_trixie_0.yaml | 7 ++-
 .../workflows/generate_PRIVATE_trixie_1.yaml | 2 +-
 .gitea/workflows/generate_PUBLIC_iso.yaml | 4 +-
 .../initramfs-tools/files/unlock_wrapper.sh | 2 +-
 docs/MAN_CISS_ISO_BOOT_CHAIN.md | 55 +++++++++----------
 lib/lib_clean_up.sh | 4 +-
 6 files changed, 41 insertions(+), 33 deletions(-)
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
index deb5797..6dc733f 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
@@ -183,6 +183,7 @@ jobs:
 install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
 install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt
 install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt
+ install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_ca.asc
 install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc
 install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt
@@ -196,6 +197,7 @@ jobs:
 echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}" >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
 echo "${{ secrets.CISS_PHYS_AGE }}" >| /dev/shm/cdlb_secrets/keys.txt
 echo "${{ secrets.CISS_PHYS_LUKS }}" >| /dev/shm/cdlb_secrets/luks.txt
+ echo "${{ secrets.PGP_CISS_CA_PUBLIC_KEY }}" >| /dev/shm/cdlb_secrets/signing_ca.asc
 echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}" >| /dev/shm/cdlb_secrets/signing_key.asc
 echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}" >| /dev/shm/cdlb_secrets/signing_key_pass.txt
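Review bot: An unset or empty `PGP_CISS_CA_PUBLIC_KEY` secret leaves `signing_ca.asc` as an empty file in the @@ -196 hunk, because `${{ secrets.… }}` expands to an empty string and `>|` writes it without complaint; the builder is then handed that empty CA file through `--signing_ca=signing_ca.asc` in the later hunk. A fail-closed check right after the write catches a misconfigured repository before the build starts, e.g. `[ -s /dev/shm/cdlb_secrets/signing_ca.asc ] || { echo 'signing_ca.asc is empty' >&2; exit 1; }`. The same weakness exists for the private key and passphrase lines already present, so one loop over the secret files would cover them all. The enclosing `run:` block starts and ends outside these hunks.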
@@ -204,12 +206,14 @@ jobs:
 set -euo pipefail
 chmod 0700 ciss_live_builder.sh
 timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
- ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+ ### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'.
+ chmod 0400 /dev/shm/cdlb_secrets/*
 ./ciss_live_builder.sh \
 --architecture amd64 \
 --autobuild=6.17.8+deb13-amd64 \
 --build-directory /opt/cdlb \
 --cdi \
+ --change-splash hexagon \
 --control "${timestamp}" \
 --debug \
 --dhcp-centurion \
@@ -218,6 +222,7 @@ jobs:
 --key_luks=luks.txt \
 --provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
 --root-password-file /dev/shm/cdlb_secrets/password.txt \
+ --signing_ca=signing_ca.asc \
 --signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }} \
 --signing_key_pass=signing_key_pass.txt \
 --signing_key=signing_key.asc \
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
index 5dfe5b7..d45898f 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -206,7 +206,7 @@ jobs:
 set -euo pipefail
 chmod 0700 ciss_live_builder.sh
 timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
- ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+ ### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'.
 chmod 0400 /dev/shm/cdlb_secrets/*
 ./ciss_live_builder.sh \
 --architecture amd64 \
diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml
index f5656ce..8f6e995 100644
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
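Review bot: The kernel version is kept in two places in the @@ -204 hunk, the `### Change "--autobuild=" …` comment and the `--autobuild=6.17.8+deb13-amd64 \` argument, and this commit had to touch only the comment in three workflows (this hunk, `generate_PRIVATE_trixie_1.yaml` @@ -206 and `generate_PUBLIC_iso.yaml` @@ -183) while the argument stayed the same, which is exactly how the two drift apart. A single shell variable removes the duplication: `kernel='6.17.8+deb13-amd64'` followed by `--autobuild="${kernel}" \`, with the comment pointing at the variable instead of repeating the value. The `chmod 0400 /dev/shm/cdlb_secrets/*` added here brings this workflow in line with what `generate_PRIVATE_trixie_1.yaml` already has as context; it tightens the files only, and the mode of the `cdlb_secrets` directory itself is not visible in these hunks.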
@@ -183,12 +183,14 @@ jobs:
 set -euo pipefail
 chmod 0700 ciss_live_builder.sh
 timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
- ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+ ### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'.
+ chmod 0400 /dev/shm/cdlb_secrets/*
 ./ciss_live_builder.sh \
 --architecture amd64 \
 --autobuild=6.17.8+deb13-amd64 \
 --build-directory /opt/cdlb \
 --cdi \
+ --change-splash hexagon \
 --control "${timestamp}" \
 --debug \
 --root-password-file /dev/shm/cdlb_secrets/password.txt \
diff --git a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
index 8042015..bc1aa34 100644
--- a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
+++ b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
@@ -341,8 +341,8 @@ readonly -f verify_script
 #######################################
 # Main Program Sequence.
 # Globals:
+# CDLB_MAPPER_DEV
 # CURRENTDATE
-# DEVICES_LUKS
 # GRE
 # MAG
 # NL
diff --git a/docs/MAN_CISS_ISO_BOOT_CHAIN.md b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
index a3e3192..918f648 100644
--- a/docs/MAN_CISS_ISO_BOOT_CHAIN.md
+++ b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
@@ -14,7 +14,7 @@ include_toc: true
 **Status:** 2025-11-12
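Review bot: In the `unlock_wrapper.sh` hunk only the Globals header of the main program sequence changes (`CDLB_MAPPER_DEV` in, `DEVICES_LUKS` out) while the body it documents lies entirely outside the hunk, so the patch cannot show that the body stopped reading `DEVICES_LUKS` and now reads `CDLB_MAPPER_DEV`. A `grep -n 'DEVICES_LUKS' config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh` before merging is cheap insurance, since a stale reference would fail inside the initramfs at boot rather than at build time if the script runs under `set -u`. The new global is listed bare; a short qualifier such as `# CDLB_MAPPER_DEV (device-mapper target this wrapper unlocks — confirm)` would tell readers what it holds, presumably the /dev/mapper path but that is not visible here.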
**Audience:** CICA CISO, CISS staff, technically proficient administrators
-**Summary:** The CISS.debian.live.builder Live-ISO establishes a two-stage verification chain without Microsoft-db: an early ISO-edge check (signature and FPR pin) *before* LUKS unlock, and a late root-FS attestation *after* unlock, reinforced by `dm-crypt (AES-XTS)` and `dm-integrity (HMAC-SHA-512)`.
+**Summary:** The **CISS.debian.live.builder** Live-ISO establishes a two-stage verification chain without Microsoft-db: an early ISO-edge check (signature and FPR pin) *before* LUKS unlock, and a late root-FS attestation *after* unlock, reinforced by `dm-crypt (AES-XTS)` and `dm-integrity (HMAC-SHA-512)`.
# 3. Overview @@ -23,8 +23,9 @@ include_toc: true 1. **Early:** Verify `sha512sum.txt` at the ISO edge using `gpgv` and FPR pin. 2. **Late:** Verify an attestation hash list inside the decrypted root FS using `gpgv` and FPR pin. + * **Storage-level AEAD (functional):** `dm-crypt` (AES-XTS-512) and `dm-integrity` (HMAC-SHA-512, 4 KiB). -* **Remotely unlock:** Hardened Dropbear (modern primitives only), no passwords, no agent/forwarding. +* **Remotely unlock:** CISS hardened and build dropbear, modern primitives only, no passwords, no agent/forwarding. # 4. Primitives & Parameters @@ -33,12 +34,12 @@ include_toc: true | LUKS2 | `aes-xts-plain64`, `--key-size 512`, `--sector-size 4096` | Confidentiality (2×256-bit XTS) | | dm-integrity | `hmac-sha512` (keyed), journal | Adversary-resistant per-sector integrity, authenticity | | PBKDF | `argon2id`, `--iter-time 1000` ms | Key derivation, hardware-agnostic | -| Signatures | Ed25519, RSA-4096 (FPR pinned) | Public verifiability, non-repudiation | +| Signatures | Ed25519 or RSA-4096 (FPR pinned) | Public verifiability, non-repudiation | | Verification | `gpgv --no-default-keyring` | No agent dependency in initramfs | | Hash lists | `sha512sum` format | Deterministic content verification | | Dropbear | Modern KEX/AEAD (per `localoptions.h`) | Minimal attack surface, remote unlock | -# 5. Diagram: CISS Live ISO Boot Flow, complete +# 5. Diagram: CISS Live ISO Boot Flow ```mermaid flowchart TD subgraph Trusted HW Manufacturer @@ -109,7 +110,7 @@ flowchart TD 0142 -- FAIL --> X; ``` -# 6. Diagram: CISS Live ISO LUKS and dm-integrity layering, complete +# 6. Diagram: CISS Live ISO LUKS and dm-integrity layering ```mermaid --- config: @@ -127,7 +128,7 @@ flowchart TD **Note:** Encrypt-then-MAC at the block layer (functionally AEAD-equivalent). Any manipulation ⇒ hard I/O error. -# 7. CISS Live ISO LUKS Build-Time Core Steps, complete +# 7. CISS Live ISO LUKS Build-Time Core Steps ```sh cryptsetup luksFormat \ --batch-mode \ 
@@ -149,7 +150,7 @@ cryptsetup luksFormat \ **Signing keys:** Ed25519 and RSA-4096; **FPR pinned at build time** in hooks. Signing keys are **additionally** signed by an offline GPG Root-CA (out-of-band trust chain). -# 8. Early ISO-Edge Verification (CISS modified hook 0030, live-bottom) +# 8. Early ISO-Edge Verification (CISS modified hook 0030-ciss-verify-checksums, live-bottom) **Goal:** Before consuming any medium content, verify: @@ -164,13 +165,12 @@ cryptsetup luksFormat \ # parse [GNUPG:] VALIDSIG ... ... ``` -# 9. Late Root-FS Attestation and dmsetup Health (CISS hook 0045, live-bottom) +# 9. Late Root-FS Attestation and dmsetup Health (CISS hook 0042_ciss_post_decrypt_attest, called by 9990-overlay.sh) **Goal:** After LUKS unlock, validate the **decrypted** contents and the **actual** mapping topology. -* **Attestation files:** `/root/.ciss/attest/rootfs.sha512sum.txt[.sig]` +* **Attestation files:** `/root/.ciss/attestation/.sha512sum.txt[.sig]` * **Key source:** `/etc/ciss/keys/*.gpg` (accepted only if FPR == build-pin) -* **Health check:** `dmsetup table --showkeys` → top `crypt` (AES-XTS), child `integrity` (HMAC-SHA-512, 4096 B) **Core calls (initramfs):** 
@@ -180,36 +180,35 @@ cryptsetup luksFormat \ # 2) Optional: Content hash verification ( cd "$ROOTMP" && /usr/bin/sha512sum -c --strict --quiet "$DATA" ) - -# 3) dmsetup health -dmsetup table --showkeys /dev/mapper/crypt_liveiso -dmsetup table --showkeys CHILD # expect integrity hmac sha512 4096 ``` # 10. Failure Policy (fail-closed, deterministic) -* **Abort** on: missing `VALIDSIG`, FPR mismatch, missing key/signature, or a deviating `dmsetup` topology. +* **Abort** on: missing `VALIDSIG`, FPR mismatch, missing key / signature. -# 11. CISS Dropbear (Hardened Remotely Unlock) +# 11. CISS hardened and built dropbear ```text • Public-key auth only, no passwords -• Modern KEX/AEAD (e.g., curve25519, sntrup761x25519-sha512, mlkem768x25519-sha256; AES-GCM) -• No agent/X11/TCP forwarding, no SFTP -• Strict timeouts/keep-alives, restricted cipher/KEX set -• Port 42137 (per CISS convention) +• Modern KEX / AEAD (e.g., curve25519, sntrup761x25519-sha512, mlkem768x25519-sha256; AES-GCM) +• No agent / X11 / TCP forwarding, no SFTP +• Strict timeouts / keep-alives, restricted cipher / KEX set +• Port 44137 (per CISS convention) ``` -*Concrete selection compiled via your `localoptions.h` at ISO build time.* +*Concrete selection compiled via [localoptions.h](../upgrades/dropbear/localoptions.h) at ISO build time.* # 12. 
Integration Points & Paths * **Hooks (build view):** - * `/usr/lib/live/boot/0022-ciss-overlay-tmpfs`, - * `/usr/lib/live/boot/0024-ciss-crypt-squash`, - * `/usr/lib/live/boot/0026-ciss-early-sysctl`, - * `/usr/lib/live/boot/0030-ciss-verify-checksums`, - * `/usr/lib/live/boot/0042-ciss-post-decrypt-attest`, + * [0022-ciss-overlay-tmpfs](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs), + * [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash), + * [0026-ciss-early-sysctl](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl), + * [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums), + * [0042_ciss_post_decrypt_attest](../config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest), + * [9990-main.sh](../config/includes.chroot/usr/lib/live/boot/9990-main.sh), + * [9990-networking.sh](../config/includes.chroot/usr/lib/live/boot/9990-networking.sh), + * [9990-overlay.sh](../config/includes.chroot/usr/lib/live/boot/9990-overlay.sh). * **Hooks (boot view):** * `/scripts/live-premount/0022-ciss-overlay-tmpfs`, * `/scripts/live-premount/0024-ciss-crypt-squash`, @@ -217,7 +216,7 @@ dmsetup table --showkeys CHILD # expect integrity hmac sha512 4096 * `/scripts/live-bottom/0030-ciss-verify-checksums`, * `/scripts/live-bottom/0042-ciss-post-decrypt-attest` * **Key files:** - * ISO edge (for 0030): embedded public key blob (project-specific fpr) + * ISO edge (for 0030): embedded public key blob (project-specific FPR) * Root FS (for 0042): `/etc/ciss/keys/.gpg` * **Mounts (typical):** `/run/live/rootfs`, `/run/live/overlay` 
@@ -262,7 +261,7 @@ I -- FAIL --> X;
 # 14. Closing Remarks
-This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection against medium tampering, bitrot and active attacks **both before and after decryption**. The dual verification phases plus `dmsetup` health make the state transparent and deterministic.
+This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection against medium tampering, bitrot and active attacks **both before and after decryption**. The dual verification phases make the state transparent and deterministic.
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
diff --git a/lib/lib_clean_up.sh b/lib/lib_clean_up.sh
index 4900d4f..3075257 100644
--- a/lib/lib_clean_up.sh
+++ b/lib/lib_clean_up.sh
@@ -15,14 +15,16 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Cleanup wrapper on the traps on 'ERR' and 'EXIT'.
 # Globals:
-# VAR_CDLB_INSIDE_RUNNER
 # GNUPGHOME
 # LOG_ERROR
+# VAR_CDLB_INSIDE_RUNNER
+# VAR_EARLY_DEBUG
 # VAR_HANDLER_BUILD_DIR
 # VAR_KERNEL_INF
 # VAR_KERNEL_SRT
 # VAR_KERNEL_TMP
 # VAR_NOTES
+# VAR_TMP_SECRET
 # VAR_WORKDIR
 # Arguments:
 # 1 : ${trap_on_exit_code} of trap_on_exit()
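Review bot: `VAR_TMP_SECRET` is added to the Globals list of the ERR/EXIT cleanup wrapper in the `lib_clean_up.sh` hunk, but the header does not say whether the wrapper only reads it or is responsible for removing it, and the function body lies outside the hunk. For a path whose name says it holds secrets the header should state that contract, e.g. `# VAR_TMP_SECRET (removed by this wrapper on both ERR and EXIT)` if that is what the body does, so a later edit does not drop the removal by accident; confirm against the body before wording it. The re-sorting of `VAR_CDLB_INSIDE_RUNNER` into alphabetical order and the `VAR_EARLY_DEBUG` entry need nothing further.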