msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V9.14.026.2026.06.17
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2026-06-18 06:46:41 +01:00
parent 0f28dad6c2
commit f31ac3503f
2 changed files with 56 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash
+40
View File
@@ -295,6 +295,10 @@ export CDLB_MAPPER_NAME="crypt_liveiso"
export CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}" export CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
export CDLB_MNT_MEDIUM="/run/live/medium" export CDLB_MNT_MEDIUM="/run/live/medium"
export CDLB_MNT_ROOTFS="/run/live/rootfs" export CDLB_MNT_ROOTFS="/run/live/rootfs"
export CDLB_ROOTFS_ATTEST_NAME="filesystem.squashfs.sha512sum.txt"
export CDLB_ROOTFS_ATTEST_CACHE_DIR="/run/ciss-rootfs-attestation"
export CDLB_ROOTFS_ATTEST_MANIFEST="${CDLB_ROOTFS_ATTEST_CACHE_DIR}/${CDLB_ROOTFS_ATTEST_NAME}"
export CDLB_ROOTFS_ATTEST_SIGNATURE="${CDLB_ROOTFS_ATTEST_MANIFEST}.sig"
export CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}" export CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}"
_PARAMETER="" _PARAMETER=""
_dev="" _dev=""
@@ -377,6 +381,38 @@ fi
printf "\e[92m[INFO] CISS LUKS FS : [%s%s] \n\e[0m" "${CDLB_MNT_MEDIUM}" "${CDLB_LUKS_FS}" printf "\e[92m[INFO] CISS LUKS FS : [%s%s] \n\e[0m" "${CDLB_MNT_MEDIUM}" "${CDLB_LUKS_FS}"
### Preserve rootfs attestation evidence before live-boot may replace or unmount the medium view. -----------------------------
CDLB_ROOTFS_ATTEST_SOURCE="${CDLB_MNT_MEDIUM}/live/${CDLB_ROOTFS_ATTEST_NAME}"
CDLB_ROOTFS_ATTEST_SOURCE_SIG="${CDLB_ROOTFS_ATTEST_SOURCE}.sig"
if [ ! -f "${CDLB_ROOTFS_ATTEST_SOURCE}" ] || [ ! -f "${CDLB_ROOTFS_ATTEST_SOURCE_SIG}" ]; then
printf "\e[91m[FATAL] Boot failure : Rootfs attestation artifacts not found on live medium: [%s] [%s] \n\e[0m" \
"${CDLB_ROOTFS_ATTEST_SOURCE}" "${CDLB_ROOTFS_ATTEST_SOURCE_SIG}"
sleep 8
log "[FATAL] Boot failure : Rootfs attestation artifacts not found on live medium: [${CDLB_ROOTFS_ATTEST_SOURCE}] [${CDLB_ROOTFS_ATTEST_SOURCE_SIG}]"
panic "[FATAL] Boot failure : Rootfs attestation artifacts not found on live medium: [${CDLB_ROOTFS_ATTEST_SOURCE}] [${CDLB_ROOTFS_ATTEST_SOURCE_SIG}]"
fi
mkdir -p "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"
if ! cp "${CDLB_ROOTFS_ATTEST_SOURCE}" "${CDLB_ROOTFS_ATTEST_MANIFEST}" || \
! cp "${CDLB_ROOTFS_ATTEST_SOURCE_SIG}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}"; then
printf "\e[91m[FATAL] Boot failure : Failed to preserve rootfs attestation artifacts in: [%s] \n\e[0m" \
"${CDLB_ROOTFS_ATTEST_CACHE_DIR}"
sleep 8
log "[FATAL] Boot failure : Failed to preserve rootfs attestation artifacts in: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
panic "[FATAL] Boot failure : Failed to preserve rootfs attestation artifacts in: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
fi
chmod 0444 "${CDLB_ROOTFS_ATTEST_MANIFEST}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}" 2>&- || true
printf "\e[92m[INFO] Rootfs attestation : Preserved [%s] and [%s] \n\e[0m" \
"${CDLB_ROOTFS_ATTEST_MANIFEST}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}"
### Attach a loop device read-only to the encrypted file. ---------------------------------------------------------------------- ### Attach a loop device read-only to the encrypted file. ----------------------------------------------------------------------
if ! LOOP="$(losetup -f --show -r "${CDLB_MNT_MEDIUM}${CDLB_LUKS_FS}")"; then if ! LOOP="$(losetup -f --show -r "${CDLB_MNT_MEDIUM}${CDLB_LUKS_FS}")"; then
@@ -587,6 +623,10 @@ export CDLB_MAPPER_NAME=${CDLB_MAPPER_NAME}
export CDLB_MAPPER_DEV=${CDLB_MAPPER_DEV} export CDLB_MAPPER_DEV=${CDLB_MAPPER_DEV}
export CDLB_MNT_MEDIUM=${CDLB_MNT_MEDIUM} export CDLB_MNT_MEDIUM=${CDLB_MNT_MEDIUM}
export CDLB_MNT_ROOTFS=${CDLB_MNT_ROOTFS} export CDLB_MNT_ROOTFS=${CDLB_MNT_ROOTFS}
export CDLB_ROOTFS_ATTEST_NAME=${CDLB_ROOTFS_ATTEST_NAME}
export CDLB_ROOTFS_ATTEST_CACHE_DIR=${CDLB_ROOTFS_ATTEST_CACHE_DIR}
export CDLB_ROOTFS_ATTEST_MANIFEST=${CDLB_ROOTFS_ATTEST_MANIFEST}
export CDLB_ROOTFS_ATTEST_SIGNATURE=${CDLB_ROOTFS_ATTEST_SIGNATURE}
export CDLB_REMOTE_WAIT_SECS=${CDLB_REMOTE_WAIT_SECS} export CDLB_REMOTE_WAIT_SECS=${CDLB_REMOTE_WAIT_SECS}
EOF EOF
chmod 0444 /run/ciss-rootdev 2>&- || true chmod 0444 /run/ciss-rootdev 2>&- || true
config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest
+16 -5
View File
@@ -23,7 +23,7 @@
# SHA-512 digest and the exact byte length; allocation slack after that SquashFS payload is intentionally out of scope. # SHA-512 digest and the exact byte length; allocation slack after that SquashFS payload is intentionally out of scope.
# - Panics on missing, malformed, unauthentic, or mismatched evidence. # - Panics on missing, malformed, unauthentic, or mismatched evidence.
#set -eu set -eu
printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] \n\e[0m" printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] \n\e[0m"
@@ -42,6 +42,7 @@ export CDLB_MNT_MEDIUM="${CDLB_MNT_MEDIUM:-/run/live/medium}"
CDLB_ROOTFS_ATTEST_NAME="${CDLB_ROOTFS_ATTEST_NAME:-filesystem.squashfs.sha512sum.txt}" CDLB_ROOTFS_ATTEST_NAME="${CDLB_ROOTFS_ATTEST_NAME:-filesystem.squashfs.sha512sum.txt}"
CDLB_ROOTFS_ATTEST_MANIFEST="${CDLB_ROOTFS_ATTEST_MANIFEST:-${CDLB_MNT_MEDIUM}/live/${CDLB_ROOTFS_ATTEST_NAME}}" CDLB_ROOTFS_ATTEST_MANIFEST="${CDLB_ROOTFS_ATTEST_MANIFEST:-${CDLB_MNT_MEDIUM}/live/${CDLB_ROOTFS_ATTEST_NAME}}"
CDLB_ROOTFS_ATTEST_SIGNATURE="${CDLB_ROOTFS_ATTEST_SIGNATURE:-${CDLB_ROOTFS_ATTEST_MANIFEST}.sig}" CDLB_ROOTFS_ATTEST_SIGNATURE="${CDLB_ROOTFS_ATTEST_SIGNATURE:-${CDLB_ROOTFS_ATTEST_MANIFEST}.sig}"
CDLB_ROOTFS_ATTEST_CACHE_DIR="${CDLB_ROOTFS_ATTEST_CACHE_DIR:-/run/ciss-rootfs-attestation}"
CDLB_ROOTFS_ATTEST_CHECK="${CDLB_ROOTFS_ATTEST_CHECK:-/run/ciss-rootfs-attestation.sha512sum}" CDLB_ROOTFS_ATTEST_CHECK="${CDLB_ROOTFS_ATTEST_CHECK:-/run/ciss-rootfs-attestation.sha512sum}"
CDLB_KEY_DIR="${CDLB_KEY_DIR:-/etc/ciss/keys}" CDLB_KEY_DIR="${CDLB_KEY_DIR:-/etc/ciss/keys}"
@@ -78,10 +79,9 @@ log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }
if ! command -v panic >/dev/null 2>&1; then if ! command -v panic >/dev/null 2>&1; then
panic() { panic() {
log_er "DEBUG: panic suppressed: ${*}" log_er "${*}"
printf '%s\n' "0042 DEBUG: panic suppressed: ${*}" >/dev/console 2>/dev/null || : printf '%s\n' "0042 FATAL: ${*}" >/dev/console 2>/dev/null || :
sleep 3 exit 1
return 0
} }
fi fi
@@ -161,6 +161,17 @@ resolve_rootfs_attestation_artifacts() {
fi fi
manifest_path="${CDLB_ROOTFS_ATTEST_CACHE_DIR}/${CDLB_ROOTFS_ATTEST_NAME}"
signature_path="${manifest_path}.sig"
if [ -f "${manifest_path}" ] && [ -f "${signature_path}" ]; then
CDLB_ROOTFS_ATTEST_MANIFEST="${manifest_path}"
CDLB_ROOTFS_ATTEST_SIGNATURE="${signature_path}"
return 0
fi
for medium_path in "${CDLB_MNT_MEDIUM}" /run/live/medium /lib/live/mount/medium /cdrom; do for medium_path in "${CDLB_MNT_MEDIUM}" /run/live/medium /lib/live/mount/medium /cdrom; do
[ -n "${medium_path}" ] || continue [ -n "${medium_path}" ] || continue