Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
@@ -79,8 +79,8 @@ readonly -f preallocate
|
|||||||
# 42: on failure
|
# 42: on failure
|
||||||
#######################################
|
#######################################
|
||||||
create_attestation() {
|
create_attestation() {
|
||||||
declare rootfs_file="$1"
|
declare rootfs_file="${1}"
|
||||||
declare rootfs_attestation="$2"
|
declare rootfs_attestation="${2}"
|
||||||
declare rootfs_hash=""
|
declare rootfs_hash=""
|
||||||
declare rootfs_size=""
|
declare rootfs_size=""
|
||||||
|
|
||||||
@@ -105,9 +105,10 @@ create_attestation() {
|
|||||||
# CISS.debian.live.builder Master ${VAR_VERSION}
|
# CISS.debian.live.builder Master ${VAR_VERSION}
|
||||||
# Attestation file for filesystem.squashfs Version 1.0.0
|
# Attestation file for filesystem.squashfs Version 1.0.0
|
||||||
# Boundary : Final filesystem.squashfs byte stream copied into /dev/mapper/crypt_liveiso
|
# Boundary : Final filesystem.squashfs byte stream copied into /dev/mapper/crypt_liveiso
|
||||||
# Bytes : Final filesystem.squashfs ${VAR_ROOTFS_SIZE}
|
# Bytes : Final filesystem.squashfs ${rootfs_size}
|
||||||
${rootfs_hash} ciss-rootfs.squashfs
|
${rootfs_hash} filesystem.squashfs
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
chmod 0444 "${rootfs_attestation}"
|
chmod 0444 "${rootfs_attestation}"
|
||||||
|
|
||||||
if gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
|
if gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
|
||||||
@@ -135,8 +136,6 @@ EOF
|
|||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
printf "\e[92m[INFO] Rootfs attestation manifest created and verified: [%s]. \e[0m\n" "${rootfs_attestation}"
|
|
||||||
|
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
### Prevents accidental 'unset -f'.
|
### Prevents accidental 'unset -f'.
|
||||||
@@ -150,6 +149,9 @@ declare DM_LAB="crypt_liveiso"
|
|||||||
declare DEVMAP="/dev/mapper/${DM_LAB}"
|
declare DEVMAP="/dev/mapper/${DM_LAB}"
|
||||||
declare LUKS_KEY_FILE="${VAR_TMP_SECRET}/${VAR_LUKS_KEY:-luks.txt}"
|
declare LUKS_KEY_FILE="${VAR_TMP_SECRET}/${VAR_LUKS_KEY:-luks.txt}"
|
||||||
declare KEYFD=""
|
declare KEYFD=""
|
||||||
|
# Keep Argon2 keyslot memory and parallel costs bounded for later initramfs unlocks on smaller systems.
|
||||||
|
declare -i LUKS_PBKDF_MEMORY_KIB=262144
|
||||||
|
declare -i LUKS_PBKDF_PARALLEL=1
|
||||||
# shellcheck disable=SC2155
|
# shellcheck disable=SC2155
|
||||||
declare -i VAR_ROOTFS_SIZE="$(stat -c%s -- "${ROOTFS}")"
|
declare -i VAR_ROOTFS_SIZE="$(stat -c%s -- "${ROOTFS}")"
|
||||||
|
|
||||||
@@ -190,6 +192,8 @@ if [[ "${VAR_CDLB_INSIDE_RUNNER}" == "false" ]]; then
|
|||||||
--luks2-keyslots-size 16777216 \
|
--luks2-keyslots-size 16777216 \
|
||||||
--luks2-metadata-size 4194304 \
|
--luks2-metadata-size 4194304 \
|
||||||
--pbkdf argon2id \
|
--pbkdf argon2id \
|
||||||
|
--pbkdf-memory "${LUKS_PBKDF_MEMORY_KIB}" \
|
||||||
|
--pbkdf-parallel "${LUKS_PBKDF_PARALLEL}" \
|
||||||
--sector-size 4096 \
|
--sector-size 4096 \
|
||||||
--type luks2 \
|
--type luks2 \
|
||||||
--use-random \
|
--use-random \
|
||||||
@@ -209,6 +213,8 @@ elif [[ "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then
|
|||||||
--luks2-keyslots-size 16777216 \
|
--luks2-keyslots-size 16777216 \
|
||||||
--luks2-metadata-size 4194304 \
|
--luks2-metadata-size 4194304 \
|
||||||
--pbkdf argon2id \
|
--pbkdf argon2id \
|
||||||
|
--pbkdf-memory "${LUKS_PBKDF_MEMORY_KIB}" \
|
||||||
|
--pbkdf-parallel "${LUKS_PBKDF_PARALLEL}" \
|
||||||
--sector-size 4096 \
|
--sector-size 4096 \
|
||||||
--type luks2 \
|
--type luks2 \
|
||||||
--use-random \
|
--use-random \
|
||||||
|
|||||||
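Review bot: The new `LUKS_PBKDF_MEMORY_KIB=262144` and `LUKS_PBKDF_PARALLEL=1` constants in the `@@ -150,6 +149,9 @@` hunk are hard-coded, whereas the neighbouring `LUKS_KEY_FILE` line takes its default from the environment (`${VAR_LUKS_KEY:-luks.txt}`); the same pattern, e.g. `declare -i LUKS_PBKDF_MEMORY_KIB="${VAR_LUKS_PBKDF_MEMORY_KIB:-262144}"`, would let a deployment tune the cost for its target hardware without editing the script, though `declare -i` evaluates a malformed override arithmetically rather than rejecting it, so a digits-only check should accompany the default. The comment above the constants should also record the trade-off: `--pbkdf-memory 262144` caps memory hardness well below the maximum cryptsetup typically benchmarks toward on hosts with ample RAM, which is fine while the keyslot is opened with the (presumably random) key file named on the `LUKS_KEY_FILE` line, but it becomes the figure that bounds an offline guessing attack if a human passphrase slot is ever added. The two `--pbkdf-*` lines are added identically to both `cryptsetup luksFormat` invocations (`@@ -190,6 +192,8 @@` and `@@ -209,6 +213,8 @@`), and each of those invocations begins outside its hunk. The documentation table and example repeat `262144` and `1` literally, so any later change to the constants has to be mirrored there by hand.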
@@ -50,10 +50,10 @@ private Secure Boot key names are detected in those paths before live-build chec
|
|||||||
# 4. Primitives & Parameters
|
# 4. Primitives & Parameters
|
||||||
|
|
||||||
| Component | Primitive / Parameter | Purpose |
|
| Component | Primitive / Parameter | Purpose |
|
||||||
|--------------|-----------------------------------------------------------|--------------------------------------------------------|
|
|--------------|----------------------------------------------------------------------------------|--------------------------------------------------------|
|
||||||
| LUKS2 | `aes-xts-plain64`, `--key-size 512`, `--sector-size 4096` | Confidentiality (2×256-bit XTS) |
|
| LUKS2 | `aes-xts-plain64`, `--key-size 512`, `--sector-size 4096` | Confidentiality (2×256-bit XTS) |
|
||||||
| dm-integrity | `hmac-sha512` (keyed), journal | Adversary-resistant per-sector integrity, authenticity |
|
| dm-integrity | `hmac-sha512` (keyed), journal | Adversary-resistant per-sector integrity, authenticity |
|
||||||
| PBKDF | `argon2id`, `--iter-time 1000` ms | Key derivation, hardware-agnostic |
|
| PBKDF | `argon2id`, `--iter-time 1000` ms, `--pbkdf-memory 262144`, `--pbkdf-parallel 1` | Bounded key derivation cost for initramfs unlock |
|
||||||
| Signatures | Ed25519 or RSA-4096 (FPR pinned) | Public verifiability, non-repudiation |
|
| Signatures | Ed25519 or RSA-4096 (FPR pinned) | Public verifiability, non-repudiation |
|
||||||
| Verification | `gpgv --no-default-keyring` | No agent dependency in initramfs |
|
| Verification | `gpgv --no-default-keyring` | No agent dependency in initramfs |
|
||||||
| Hash lists | `sha512sum` format | Deterministic content verification |
|
| Hash lists | `sha512sum` format | Deterministic content verification |
|
||||||
@@ -165,6 +165,8 @@ cryptsetup luksFormat \
|
|||||||
--luks2-keyslots-size 16777216 \
|
--luks2-keyslots-size 16777216 \
|
||||||
--luks2-metadata-size 4194304 \
|
--luks2-metadata-size 4194304 \
|
||||||
--pbkdf argon2id \
|
--pbkdf argon2id \
|
||||||
|
--pbkdf-memory 262144 \
|
||||||
|
--pbkdf-parallel 1 \
|
||||||
--sector-size 4096 \
|
--sector-size 4096 \
|
||||||
--type luks2 \
|
--type luks2 \
|
||||||
--use-random \
|
--use-random \
|
||||||
|
|||||||