From ccaaa0a94912434e49b2a6126f6ba5f5e305936fcb0fbc4ad37542f8f6c5826a Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Wed, 3 Dec 2025 16:13:22 +0100 Subject: [PATCH] V8.13.528.2025.12.03 Signed-off-by: Marc S. Weidner --- .../hooks/live/0000_basic_chroot_setup.chroot | 17 +++++++ .../lib/live/boot/0030-ciss-verify-checksums | 4 +- .../live/boot/0042_ciss_post_decrypt_attest | 48 +++++++++---------- lib/lib_provider_netcup.sh | 2 +- 4 files changed, 44 insertions(+), 27 deletions(-) diff --git a/config/hooks/live/0000_basic_chroot_setup.chroot b/config/hooks/live/0000_basic_chroot_setup.chroot index 7236b72..ba9d160 100644 --- a/config/hooks/live/0000_basic_chroot_setup.chroot +++ b/config/hooks/live/0000_basic_chroot_setup.chroot @@ -258,6 +258,23 @@ ln -sf /lib/systemd/system/systemd-resolved.service /etc/systemd/system/multi-us ln -sf /lib/systemd/system/systemd-resolved.socket /etc/systemd/system/sockets.target.wants/systemd-resolved.socket +cat << EOF >| /etc/systemd/system/ciss-fix-resolvconf.service +[Unit] +Description=Force systemd-resolved stub resolv.conf +After=network-online.target +Before=apt-daily.service + +[Service] +Type=oneshot +ExecStart=/usr/bin/rm -f /etc/resolv.conf +ExecStart=/usr/bin/ln -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf + +[Install] +WantedBy=multi-user.target +EOF + +ln -sf /etc/systemd/system/ciss-fix-resolvconf.service /etc/systemd/system/multi-user.target.wants/ciss-fix-resolvconf.service + printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 diff --git a/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums b/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums index abdc6da..a1b03db 100644 --- a/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums +++ b/config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums 
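Review bot: The new ciss-fix-resolvconf.service is ordered `After=network-online.target`, so anything that resolves names earlier in boot still reads whatever /etc/resolv.conf the live system ships, and the hook does not say why the stub-resolver link cannot simply be created at image build time in this same chroot step. If a runtime unit is genuinely needed (e.g. because the live boot rewrites /etc/resolv.conf — to be confirmed), a comment above the heredoc such as `# Runtime unit: the live boot regenerates /etc/resolv.conf, so re-point it at the resolved stub on every boot` would keep the next maintainer from removing it. The two ExecStart= lines can become one atomic `ExecStart=/usr/bin/ln -sfn /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf`, which removes the window between rm and ln where no resolv.conf exists. If early-boot lookups matter here, ordering the unit `Before=network-pre.target` with `Wants=network-pre.target` puts the link in place before the network is configured.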
@@ -46,7 +46,7 @@ Verify_checksums() { # Arguments: # *: String to print ####################################### - log_in() { printf '\e[95m[INFO] %s \n\e[0m' "$*"; } + log_in() { printf '\e[95m[INFO] %s \n\e[0m' "$*"; } ####################################### @@ -56,7 +56,7 @@ Verify_checksums() { # Arguments: # *: String to print ####################################### - log_ok() { printf '\e[92m[INFO] %s \n\e[0m' "$*"; } + log_ok() { printf '\e[92m[INFO] %s \n\e[0m' "$*"; } ####################################### # Helper for colored text output on stdout. diff --git a/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest b/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest index d58c142..2750247 100644 --- a/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest +++ b/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest @@ -78,7 +78,7 @@ KEYFILE="${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg" log_in "0042() : Verifying rootfs attestation with 'gpgv' and inside LUKS encrypted rootfs pinned GPG FPR." -_STATUS="$(gpgv --no-default-keyring --keyring "${KEYFILE}" --status-fd 1 --verify "${SIGN_FILE}" "${HASH_FILE}" 2>/dev/null)" +_STATUS="$(/usr/bin/gpgv --keyring "${KEYFILE}" --status-fd 1 "${SIGN_FILE}" "${HASH_FILE}")" _CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')" ### Compare against pinned and expected fingerprint. --------------------------------------------------------------------------- @@ -96,7 +96,7 @@ fi ### 'dmsetup' health check ----------------------------------------------------------------------------------------------------- MAP_DEV="/dev/mapper/${CDLB_MAPPER_NAME}" -if [ -e "${MAP_DEV}" ]; then +if [ -b "${MAP_DEV}" ]; then log_in "0042() : Checking dmsetup table for ${MAP_DEV}" 
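Review bot: The rewritten gpgv call discards the command's exit status — `_STATUS` receives whatever lands on stdout and only the `VALIDSIG` line is inspected afterwards — so a gpgv that fails to start (missing keyring, unreadable `${SIGN_FILE}`) is indistinguishable from a bad signature until the fingerprint comparison below; `_STATUS="$(/usr/bin/gpgv --keyring "${KEYFILE}" --status-fd 1 "${SIGN_FILE}" "${HASH_FILE}")" || log_er "0042() : gpgv exited non-zero"` gives a clearer failure. Dropping `--no-default-keyring` and `--verify` is presumably a fix for options gpgv itself does not accept, which the old `2>/dev/null` would have hidden; a short comment saying so would stop someone from putting them back. Note that field 3 of `VALIDSIG` is the fingerprint of the key that made the signature, so the pinned `CDLB_EXP_FPR` must be that (sub)key's fingerprint and not only the primary key's, whose fingerprint is the last field of the line.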
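Review bot: With `-b` the dmsetup health check is still skipped silently when `${MAP_DEV}` is absent or not a block device, because the `if` has no `else` branch (its body and closing `fi` are outside this hunk, in the -125 hunk below) — the tightened test only changes what is skipped, not that skipping is fail-open. An attestation step should fail closed here, e.g. `else` followed by `log_er "0042() : ${MAP_DEV} is missing or not a block device"` before the closing `fi`, unless an earlier check already guarantees the mapper device exists.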
@@ -125,35 +125,35 @@ if [ -e "${MAP_DEV}" ]; then fi -### Extract child device token (the second last field is 'device', the last is 'offset.') -------------------------------------- -CHILD_TOK="$(printf '%s\n' "${TOP_LINE}" | awk '{print $(NF-1)}')" -CHILD_NAME="${CHILD_TOK}" + ### Extract child device token (the second last field is 'device', the last is 'offset.') -------------------------------------- + CHILD_TOK="$(printf '%s\n' "${TOP_LINE}" | awk '{print $(NF-1)}')" + CHILD_NAME="${CHILD_TOK}" -case "${CHILD_TOK}" in + case "${CHILD_TOK}" in - *:* ) - if [ -e "/sys/dev/block/${CHILD_TOK}/dm/name" ]; then - CHILD_NAME="$(cat "/sys/dev/block/${CHILD_TOK}/dm/name" 2>/dev/null || true)" - [ -n "${CHILD_NAME}" ] || CHILD_NAME="${CHILD_TOK}" - fi - ;; + *:* ) + if [ -e "/sys/dev/block/${CHILD_TOK}/dm/name" ]; then + CHILD_NAME="$(cat "/sys/dev/block/${CHILD_TOK}/dm/name" 2>/dev/null || true)" + [ -n "${CHILD_NAME}" ] || CHILD_NAME="${CHILD_TOK}" + fi + ;; - /dev/* ) - CHILD_NAME="$(basename -- "${CHILD_TOK}")" - ;; + /dev/* ) + CHILD_NAME="$(basename -- "${CHILD_TOK}")" + ;; -esac + esac -#### Child layer must be 'integrity' with hmac and sha512 and 4096-byte sectors (best-effort greps). --------------------------- -log_in "Checking underlying integrity target: ${CHILD_NAME}" + #### Child layer must be 'integrity' with hmac and sha512 and 4096-byte sectors (best-effort greps). 
--------------------------- + log_in "Checking underlying integrity target: ${CHILD_NAME}" -CHILD_TAB="$(/usr/sbin/dmsetup table --showkeys "${CHILD_NAME}" 2>/dev/null || true)" -printf '%s\n' "${CHILD_TAB}" | grep -q ' integrity ' || { log_er "0042() : Underlying layer is not 'integrity'"; } -printf '%s\n' "${CHILD_TAB}" | grep -qi 'hmac' || { log_er "0042() : Integrity target not using keyed MAC (hmac)"; } -printf '%s\n' "${CHILD_TAB}" | grep -qi 'sha512' || { log_er "0042() : Integrity algo not sha512"; } -printf '%s\n' "${CHILD_TAB}" | grep -Eq '\b4096\b' || { log_er "0042() : Expected 4096-byte sector size not found"; } + CHILD_TAB="$(/usr/sbin/dmsetup table --showkeys "${CHILD_NAME}" 2>/dev/null || true)" + printf '%s\n' "${CHILD_TAB}" | grep -q ' integrity ' || { log_er "0042() : Underlying layer is not 'integrity'"; } + printf '%s\n' "${CHILD_TAB}" | grep -qi 'hmac' || { log_er "0042() : Integrity target not using keyed MAC (hmac)"; } + printf '%s\n' "${CHILD_TAB}" | grep -qi 'sha512' || { log_er "0042() : Integrity algo not sha512"; } + printf '%s\n' "${CHILD_TAB}" | grep -Eq '\b4096\b' || { log_er "0042() : Expected 4096-byte sector size not found"; } -log_ok "0042() : dm-crypt and dm-integrity(HMAC-SHA512, 4096B) chain looks healthy." + log_ok "0042() : dm-crypt and dm-integrity(HMAC-SHA512, 4096B) chain looks healthy." fi diff --git a/lib/lib_provider_netcup.sh b/lib/lib_provider_netcup.sh index d68bf2c..4db323c 100644 --- a/lib/lib_provider_netcup.sh +++ b/lib/lib_provider_netcup.sh @@ -56,7 +56,7 @@ DNS=138.199.237.109 DNS=2a01:4f9:c012:a813:135:181:207:105 DNS=2a0a:4cc0:1:e6:89:58:62:53 DNS=2a01:4f8:c013:8011:138:199:237:109 -DNSOverTLS=yes +DNSOverTLS=opportunistic DNSSEC=yes IPv6AcceptRA=no LinkLocalAddressing=ipv6
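Review bot: Switching `DNSOverTLS=yes` to `opportunistic` lets systemd-resolved fall back to plaintext DNS whenever a resolver does not answer over TLS, and resolved.conf(5) explicitly notes this mode is open to downgrade attacks where an on-path party makes DoT appear unsupported; `DNSSEC=yes` still protects record integrity but not query confidentiality. The commit gives no reason for the relaxation; a comment above the line, such as `# opportunistic: strict DoT failed against these resolvers (see <ticket placeholder>); plaintext fallback is now possible`, would record the trade-off. If the listed resolvers do support DoT, keeping `yes` and appending the certificate name to each `DNS=` entry (`address#hostname`) is the validated configuration.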