Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
@@ -26,7 +26,6 @@
|
||||
set -eu
|
||||
|
||||
printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] \n\e[0m"
|
||||
sleep 2
|
||||
|
||||
### Check panic command availability -------------------------------------------------------------------------------------------
|
||||
if ! command -v panic >/dev/null 2>&1; then
|
||||
@@ -188,7 +187,6 @@ stream_rootfs_payload() {
|
||||
block_size=1048576
|
||||
full_blocks=$((payload_size / block_size))
|
||||
remainder=$((payload_size % block_size))
|
||||
remainder_offset=$((full_blocks * block_size))
|
||||
|
||||
if [ "${full_blocks}" -gt 0 ]; then
|
||||
|
||||
@@ -198,7 +196,7 @@ stream_rootfs_payload() {
|
||||
|
||||
if [ "${remainder}" -gt 0 ]; then
|
||||
|
||||
dd if="${payload_device}" bs=1 skip="${remainder_offset}" count="${remainder}" 2>/dev/null || return 1
|
||||
dd if="${payload_device}" bs="${block_size}" skip="${full_blocks}" count=1 2>/dev/null | dd bs=1 count="${remainder}" 2>/dev/null || return 1
|
||||
|
||||
fi
|
||||
|
||||
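Review bot: The `|| return 1` on the new remainder line (L60) only reflects the exit status of the second `dd`; the script runs under `set -eu` without `pipefail` (visible in the first hunk), so a failing or short first `dd` is hidden by its `2>/dev/null` and the second `dd` returns 0 after emitting fewer than `${remainder}` bytes. Since this stream is what the attestation digest is computed over, a truncated read would surface only as a hash mismatch rather than as a read error with a usable diagnostic. Either observe the first stage's status directly (e.g. write it to a temp file inside a `{ dd …; printf '%s' "$?" >"${status_file:?}"; }` group and check it after the pipeline) or have the caller compare the number of bytes emitted against `${remainder}` before accepting the digest. Consider also sending `dd` stderr to the boot log instead of `/dev/null` so a failed attestation leaves something to inspect. stream_rootfs_payload starts outside this hunk.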
@@ -286,11 +284,17 @@ HASH_FILE="${CDLB_ROOTFS_ATTEST_MANIFEST}"
|
||||
SIGN_FILE="${CDLB_ROOTFS_ATTEST_SIGNATURE}"
|
||||
KEYFILE="${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg"
|
||||
|
||||
log_in "0042() : Validating [${KEYFILE}]"
|
||||
require_attestation_file "Public key" "${KEYFILE}"
|
||||
log_in "0042() : Validating [${HASH_FILE}]"
|
||||
require_attestation_file "Rootfs attestation manifest" "${HASH_FILE}"
|
||||
log_in "0042() : Validating [${SIGN_FILE}]"
|
||||
require_attestation_file "Rootfs attestation signature" "${SIGN_FILE}"
|
||||
log_in "0042() : Validating [${CDLB_MAPPER_DEV}]"
|
||||
require_rootfs_payload_device "${CDLB_MAPPER_DEV}"
|
||||
|
||||
log_ok "0042() : Rootfs attestation inputs are present and readable."
|
||||
|
||||
log_in "0042() : Verifying rootfs attestation manifest with 'gpgv' and pinned GPG FPR."
|
||||
|
||||
if ! _STATUS="$(/usr/bin/gpgv --keyring "${KEYFILE}" --status-fd 1 "${SIGN_FILE}" "${HASH_FILE}" 2>&1)"; then
|
||||
|
||||
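Review bot: The `2>&1` on the `_STATUS="$(/usr/bin/gpgv --keyring … --status-fd 1 …)"` line (L117) merges gpgv's free-text, locale-dependent stderr into the same string as the machine-readable `[GNUPG:]` status lines, so whatever parses `_STATUS` below must tolerate interleaved prose. Keep the two streams apart: capture only `--status-fd 1` into `_STATUS` and route stderr to the boot log (or discard it) with a separate redirection. The acceptance decision should key on a `[GNUPG:] VALIDSIG` line whose fingerprint equals `${CDLB_EXP_FPR}` rather than on the exit status alone, since exit 0 only says some key in `${KEYFILE}` verified the signature; the `log_in` message says the FPR is pinned, so presumably that comparison exists in the `if` body, which continues outside the hunk. A brief comment above the call stating that `_STATUS` holds status-fd output only would make that contract explicit.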
@@ -498,7 +498,6 @@ setup_unionfs ()
|
||||
### CISS override for /usr/lib/live/boot/0042_ciss_post_decrypt_attest -------------------------------------------------------
|
||||
printf "\e[95m[INFO] Calling : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] ... \n\e[0m"
|
||||
chmod +x /usr/lib/live/boot/0042_ciss_post_decrypt_attest
|
||||
sleep 2
|
||||
|
||||
if [ -x /usr/lib/live/boot/0042_ciss_post_decrypt_attest ]; then
|
||||
|
||||
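Review bot: `chmod +x /usr/lib/live/boot/0042_ciss_post_decrypt_attest` (L131) runs unconditionally before the `[ -x … ]` test on L139, so the test mostly re-checks the chmod instead of guarding against a missing hook, and if the file is absent chmod prints an error to the console and boot continues. Prefer checking presence first and keeping the chmod conditional, `if [ -f /usr/lib/live/boot/0042_ciss_post_decrypt_attest ]; then chmod +x /usr/lib/live/boot/0042_ciss_post_decrypt_attest; fi`, or drop the runtime chmod entirely and ship the mode bit with the file so the live image's hook set is fixed at build time. The `sleep 2` calls here and in the next hunk (L144 onward) add fixed boot delay with no functional effect and could be gated behind a debug variable. setup_unionfs starts and ends outside this hunk.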
@@ -515,7 +514,6 @@ setup_unionfs ()
|
||||
fi
|
||||
|
||||
printf "\e[92m[INFO] Calling : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] done. \n\e[0m"
|
||||
sleep 2
|
||||
### CISS override for /usr/lib/live/boot/0042_ciss_post_decrypt_attest -------------------------------------------------------
|
||||
|
||||
printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/9990-overlay.sh] \n\e[0m"
|
||||
|
||||