msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V9.14.024.2026.06.11
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2026-06-11 18:54:19 +01:00
parent ab827e9c05
commit f6ca83fb26
2 changed files with 23 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files
config/hooks/live/zzzz_ciss_crypt_squash.hook.binary
+12 -6
View File
@@ -79,8 +79,8 @@ readonly -f preallocate
# 42: on failure
#######################################
create_attestation() {
declare rootfs_file="$1"
declare rootfs_attestation="$2"
declare rootfs_file="${1}"
declare rootfs_attestation="${2}"
declare rootfs_hash=""
declare rootfs_size=""
@@ -105,9 +105,10 @@ create_attestation() {
# CISS.debian.live.builder Master ${VAR_VERSION}
# Attestation file for filesystem.squashfs Version 1.0.0
# Boundary : Final filesystem.squashfs byte stream copied into /dev/mapper/crypt_liveiso
# Bytes : Final filesystem.squashfs ${VAR_ROOTFS_SIZE}
${rootfs_hash} ciss-rootfs.squashfs
# Bytes : Final filesystem.squashfs ${rootfs_size}
${rootfs_hash} filesystem.squashfs
EOF
chmod 0444 "${rootfs_attestation}"
if gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
@@ -135,8 +136,6 @@ EOF
fi
printf "\e[92m[INFO] Rootfs attestation manifest created and verified: [%s]. \e[0m\n" "${rootfs_attestation}"
return 0
}
### Prevents accidental 'unset -f'.
@@ -150,6 +149,9 @@ declare DM_LAB="crypt_liveiso"
declare DEVMAP="/dev/mapper/${DM_LAB}"
declare LUKS_KEY_FILE="${VAR_TMP_SECRET}/${VAR_LUKS_KEY:-luks.txt}"
declare KEYFD=""
# Keep Argon2 keyslot memory and parallel costs bounded for later initramfs unlocks on smaller systems.
declare -i LUKS_PBKDF_MEMORY_KIB=262144
declare -i LUKS_PBKDF_PARALLEL=1
# shellcheck disable=SC2155
declare -i VAR_ROOTFS_SIZE="$(stat -c%s -- "${ROOTFS}")"
@@ -190,6 +192,8 @@ if [[ "${VAR_CDLB_INSIDE_RUNNER}" == "false" ]]; then
--luks2-keyslots-size 16777216 \
--luks2-metadata-size 4194304 \
--pbkdf argon2id \
--pbkdf-memory "${LUKS_PBKDF_MEMORY_KIB}" \
--pbkdf-parallel "${LUKS_PBKDF_PARALLEL}" \
--sector-size 4096 \
--type luks2 \
--use-random \
@@ -209,6 +213,8 @@ elif [[ "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then
--luks2-keyslots-size 16777216 \
--luks2-metadata-size 4194304 \
--pbkdf argon2id \
--pbkdf-memory "${LUKS_PBKDF_MEMORY_KIB}" \
--pbkdf-parallel "${LUKS_PBKDF_PARALLEL}" \
--sector-size 4096 \
--type luks2 \
--use-random \