V9.14.024.2026.06.11

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
2026-06-11 18:54:19 +01:00
parent ab827e9c05
commit f6ca83fb26
2 changed files with 23 additions and 15 deletions
@@ -79,8 +79,8 @@ readonly -f preallocate
# 42: on failure # 42: on failure
####################################### #######################################
create_attestation() { create_attestation() {
declare rootfs_file="$1" declare rootfs_file="${1}"
declare rootfs_attestation="$2" declare rootfs_attestation="${2}"
declare rootfs_hash="" declare rootfs_hash=""
declare rootfs_size="" declare rootfs_size=""
@@ -105,9 +105,10 @@ create_attestation() {
# CISS.debian.live.builder Master ${VAR_VERSION} # CISS.debian.live.builder Master ${VAR_VERSION}
# Attestation file for filesystem.squashfs Version 1.0.0 # Attestation file for filesystem.squashfs Version 1.0.0
# Boundary : Final filesystem.squashfs byte stream copied into /dev/mapper/crypt_liveiso # Boundary : Final filesystem.squashfs byte stream copied into /dev/mapper/crypt_liveiso
# Bytes : Final filesystem.squashfs ${VAR_ROOTFS_SIZE} # Bytes : Final filesystem.squashfs ${rootfs_size}
${rootfs_hash} ciss-rootfs.squashfs ${rootfs_hash} filesystem.squashfs
EOF EOF
chmod 0444 "${rootfs_attestation}" chmod 0444 "${rootfs_attestation}"
if gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \ if gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
@@ -135,8 +136,6 @@ EOF
fi fi
printf "\e[92m[INFO] Rootfs attestation manifest created and verified: [%s]. \e[0m\n" "${rootfs_attestation}"
return 0 return 0
} }
### Prevents accidental 'unset -f'. ### Prevents accidental 'unset -f'.
@@ -150,6 +149,9 @@ declare DM_LAB="crypt_liveiso"
declare DEVMAP="/dev/mapper/${DM_LAB}" declare DEVMAP="/dev/mapper/${DM_LAB}"
declare LUKS_KEY_FILE="${VAR_TMP_SECRET}/${VAR_LUKS_KEY:-luks.txt}" declare LUKS_KEY_FILE="${VAR_TMP_SECRET}/${VAR_LUKS_KEY:-luks.txt}"
declare KEYFD="" declare KEYFD=""
# Keep Argon2 keyslot memory and parallel costs bounded for later initramfs unlocks on smaller systems.
declare -i LUKS_PBKDF_MEMORY_KIB=262144
declare -i LUKS_PBKDF_PARALLEL=1
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare -i VAR_ROOTFS_SIZE="$(stat -c%s -- "${ROOTFS}")" declare -i VAR_ROOTFS_SIZE="$(stat -c%s -- "${ROOTFS}")"
@@ -190,6 +192,8 @@ if [[ "${VAR_CDLB_INSIDE_RUNNER}" == "false" ]]; then
--luks2-keyslots-size 16777216 \ --luks2-keyslots-size 16777216 \
--luks2-metadata-size 4194304 \ --luks2-metadata-size 4194304 \
--pbkdf argon2id \ --pbkdf argon2id \
--pbkdf-memory "${LUKS_PBKDF_MEMORY_KIB}" \
--pbkdf-parallel "${LUKS_PBKDF_PARALLEL}" \
--sector-size 4096 \ --sector-size 4096 \
--type luks2 \ --type luks2 \
--use-random \ --use-random \
@@ -209,6 +213,8 @@ elif [[ "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then
--luks2-keyslots-size 16777216 \ --luks2-keyslots-size 16777216 \
--luks2-metadata-size 4194304 \ --luks2-metadata-size 4194304 \
--pbkdf argon2id \ --pbkdf argon2id \
--pbkdf-memory "${LUKS_PBKDF_MEMORY_KIB}" \
--pbkdf-parallel "${LUKS_PBKDF_PARALLEL}" \
--sector-size 4096 \ --sector-size 4096 \
--type luks2 \ --type luks2 \
--use-random \ --use-random \
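Review bot: `LUKS_PBKDF_MEMORY_KIB` and `LUKS_PBKDF_PARALLEL` (the two `declare -i` lines added after `KEYFD`) are format-time tunables consumed by `cryptsetup luksFormat` in both the `VAR_CDLB_INSIDE_RUNNER == "false"` and `== "true"` branches, yet unlike the functions this file guards with `readonly -f` they stay writable until the format runs; `declare -ir LUKS_PBKDF_MEMORY_KIB=262144` and `declare -ir LUKS_PBKDF_PARALLEL=1` close that. The comment above them also promises more than the flags deliver: `--pbkdf-memory` and `--pbkdf-parallel` cap RAM and threads, but the iteration count is still whatever cryptsetup benchmarks on the build host for its iter-time target (the doc table in this commit cites `--iter-time 1000`), so a slower single-core initramfs can still take well over a second to unlock — if predictable unlock time is the goal, pin `--pbkdf-force-iterations` as well, otherwise state the limitation in the comment. It would help a future reader to note there that 262144 KiB is a ceiling the unlock environment must be able to allocate, not a floor on attacker cost, since the builder's cap directly sets the memory-hardness an offline guesser faces. The `if`/`elif` blocks that carry the new flags begin and end outside these hunks.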
+11 -9
@@ -49,15 +49,15 @@ private Secure Boot key names are detected in those paths before live-build chec
# 4. Primitives & Parameters # 4. Primitives & Parameters
| Component | Primitive / Parameter | Purpose | | Component | Primitive / Parameter | Purpose |
|--------------|-----------------------------------------------------------|--------------------------------------------------------| |--------------|----------------------------------------------------------------------------------|--------------------------------------------------------|
| LUKS2 | `aes-xts-plain64`, `--key-size 512`, `--sector-size 4096` | Confidentiality (2×256-bit XTS) | | LUKS2 | `aes-xts-plain64`, `--key-size 512`, `--sector-size 4096` | Confidentiality (2×256-bit XTS) |
| dm-integrity | `hmac-sha512` (keyed), journal | Adversary-resistant per-sector integrity, authenticity | | dm-integrity | `hmac-sha512` (keyed), journal | Adversary-resistant per-sector integrity, authenticity |
| PBKDF | `argon2id`, `--iter-time 1000` ms | Key derivation, hardware-agnostic | | PBKDF | `argon2id`, `--iter-time 1000` ms, `--pbkdf-memory 262144`, `--pbkdf-parallel 1` | Bounded key derivation cost for initramfs unlock |
| Signatures | Ed25519 or RSA-4096 (FPR pinned) | Public verifiability, non-repudiation | | Signatures | Ed25519 or RSA-4096 (FPR pinned) | Public verifiability, non-repudiation |
| Verification | `gpgv --no-default-keyring` | No agent dependency in initramfs | | Verification | `gpgv --no-default-keyring` | No agent dependency in initramfs |
| Hash lists | `sha512sum` format | Deterministic content verification | | Hash lists | `sha512sum` format | Deterministic content verification |
| Dropbear | Modern KEX/AEAD (per `localoptions.h`) | Minimal attack surface, remote unlock | | Dropbear | Modern KEX/AEAD (per `localoptions.h`) | Minimal attack surface, remote unlock |
# 5. Diagram: CISS Live ISO Boot Flow # 5. Diagram: CISS Live ISO Boot Flow
```mermaid ```mermaid
@@ -165,6 +165,8 @@ cryptsetup luksFormat \
--luks2-keyslots-size 16777216 \ --luks2-keyslots-size 16777216 \
--luks2-metadata-size 4194304 \ --luks2-metadata-size 4194304 \
--pbkdf argon2id \ --pbkdf argon2id \
--pbkdf-memory 262144 \
--pbkdf-parallel 1 \
--sector-size 4096 \ --sector-size 4096 \
--type luks2 \ --type luks2 \
--use-random \ --use-random \