#!/bin/bash # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.installer # SPDX-Security-Contact: security@coresecret.eu # SPDX-Comment: unlock_wrapper.sh to be executed as 'dropbear-initramfs' SSH forced command. set -Ceu -o pipefail -o ignoreeof shopt -s failglob shopt -s lastpipe shopt -u nullglob umask 0077 export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr" ####################################### # Variable declaration ####################################### # shellcheck disable=SC2016 declare -r REGEX='^\$6\$(rounds=([1-9][0-9]{3,8})\$)?([./A-Za-z0-9]{1,16})\$([./A-Za-z0-9]{86})$' # shellcheck disable=SC2155 declare -r CURRENTDATE=$(date +"%F %T") declare -g ERRTRAP='false' declare -r GRE='\e[0;92m' declare -r MAG='\e[0;95m' declare -r RED='\e[0;91m' declare -r RES='\e[0m' declare -r NL='\n' declare -g NUKE_ENABLED='false' declare -g NUKE_HASH='' declare -g PASSPHRASE='' ####################################### # Read passphrase strictly from STDIN (SSH channel), not '/dev/console'. # Arguments: # 1: Prompt to print on terminal # 2: Variable name to capture passphrase ####################################### ask_via_stdin() { declare -r prompt="$1" declare -r varname="$2" ### Prompt to STDERR so pipes don't capture it. printf "%s" "${prompt}" >&2 ### Silent, canonical read from FD 0 (SSH channel when forced-command). IFS= read -r -s "${varname?}" <&0 printf "\n" >&2 return 0 } ####################################### # Printed text in color. # Arguments: # 1: Color code. # *: Text to print. ####################################### color_echo() { declare c="${1}"; shift; declare msg="${*}"; printf "%b%s %b%b" "${c}" "${msg}" "${RES}" "${NL}"; return 0; } ####################################### # Die Helper: print and then exit hard. # Globals: # NC # RED # Arguments: # 1: Message string to print. ####################################### die() { printf "%b✘ %s %b%b" "${RED}" "$1" "${RES}" "${NL}" >&2; power_off 3; } ####################################### # Drop into the bash environment. # Arguments: # None ####################################### drop_bash() { stty echo 2>/dev/null || true; prompt_string; exec /bin/bash -i; } ####################################### # Extract the 'nuke=' parameter from '/proc/cmdline'. # Globals: # GRE # NUKE_ENABLED # NUKE_HASH # RED # REGEX # Arguments: # None # Returns: # 0: on success ####################################### extract_nuke_hash() { declare ARG="" CMDLINE="" ### Read '/proc/cmdline' into a single line safely. read -r CMDLINE < /proc/cmdline for ARG in ${CMDLINE}; do case "${ARG,,}" in nuke=*) NUKE_HASH="${ARG#*=}" if [[ "${NUKE_HASH}" =~ ${REGEX} ]]; then declare -g NUKE_ENABLED="true" color_echo "${GRE}" "✅ System self check: [ok]" return 0 else ### If there is a malformed Grub Bootparameter 'nuke=HASH', drop to bash. color_echo "${RED}" "✘ Nuke Hash Malformat : [${REGEX}] [${NUKE_HASH}]." color_echo "${RED}" "✘ Dropping to bash ...:" drop_bash fi ;; esac done color_echo "${GRE}" "✅ No Nuke Hash found." return 0 } ####################################### # Gather information of all LUKS Devices available on the system. # Arguments: # None ####################################### gather_luks_devices() { declare prev=() curr=() declare -i tries=0 while ((tries < 10)); do # shellcheck disable=SC2312 mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | /usr/bin/sort -V) if [[ "${curr[*]}" == "${prev[*]}" ]]; then break fi prev=("${curr[@]}") tries=$((tries + 1)) sleep 1 done printf '%s\n' "${curr[@]}" return 0 } ####################################### # Erase the LUKS headers on all LUKS devices, then shut down the system. # Globals: # DEVICES_LUKS # RED # Arguments: # None ####################################### nuke() { declare dev="" for dev in "${DEVICES_LUKS[@]}"; do cryptsetup erase --batch-mode "${dev}" || true color_echo "${RED}" "✘ Error: LUKS Device Header malfunction: [${dev}]." done secure_unset_pass color_echo "${RED}" "✘ Error: LUKS Device malfunction. System Power Off in 16 seconds." power_off 16 } ####################################### # Unified power-off routine. # Arguments: # 1: Sleep time before power-off in seconds (Default to 0 seconds). ####################################### power_off() { declare -r wait="${1:-0}" sleep "${wait}" sync echo 1 >| /proc/sys/kernel/sysrq echo o >| /proc/sysrq-trigger ### The System powers off immediately; no further code is executed. } ####################################### # Print Error Message for Trap on 'ERR' on Terminal. # Globals: # NL # RED # Arguments: # 1: ${?} # 2: ${BASH_SOURCE[0]} # 3: ${LINENO} # 4: ${FUNCNAME[0]:-main} # 5: ${BASH_COMMAND} ####################################### print_scr_err() { declare -r scr_err_errcode="$1" declare -r scr_err_errscrt="$2" declare -r scr_err_errline="$3" declare -r scr_err_errfunc="$4" declare -r scr_err_errcmmd="$5" printf "%b" "${NL}" >&2 color_echo "${RED}" "✘ System caught an 'ERROR'. System Power Off in 16 seconds." >&2 printf "%b" "${NL}" >&2 color_echo "${RED}" "✘ Error : [${scr_err_errcode}]" >&2 color_echo "${RED}" "✘ Line : [${scr_err_errline}]" >&2 color_echo "${RED}" "✘ Script : [${scr_err_errscrt}]" >&2 color_echo "${RED}" "✘ Function : [${scr_err_errfunc}]" >&2 color_echo "${RED}" "✘ Command : [${scr_err_errcmmd}]" >&2 printf "%b" "${NL}" >&2 return 0 } ####################################### # Print Error Message for '0'-Exit-Code on Terminal. # Globals: # GRE # Arguments: # None ####################################### print_scr_scc() { color_echo "${GRE}" "✅ Script exited successfully. Proceeding with booting."; sleep 3; } ####################################### # Generates an informative shell prompt. # Globals: # PS1 # Arguments: # None ####################################### prompt_string() { declare -gx PS1="\ \[\033[1;91m\]\d\[\033[0m\]|\[\033[1;91m\]\u\[\033[0m\]@\ \[\033[1;95m\]\h\[\033[0m\]:\ \[\033[1;96m\]\w\[\033[0m\]/>>\ \$(if [[ \$? -eq 0 ]]; then \ # Show exit status in green if zero echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \ else \ # Show exit status in red otherwise echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \ fi)\ |~\$ " } ####################################### # Read the passphrase interactively. # Globals: # NUKE_ENABLED # NUKE_HASH # PASSPHRASE # Arguments: # None # Returns: # 0: on success ####################################### read_passphrase() { declare -i ROUNDS=0 declare CAND="" SALT="" ### Read from SSH STDIN (or TTY fallback), never via '/lib/cryptsetup/askpass'. ask_via_stdin "Enter passphrase: " PASSPHRASE ### NUKE pre-check. if [[ "${NUKE_ENABLED,,}" == "true" ]]; then ROUNDS="$(cut -d'$' -f3 <<< "${NUKE_HASH}")" ROUNDS="${ROUNDS#rounds=}" SALT="$(cut -d'$' -f4 <<< "${NUKE_HASH}")" CAND=$(/usr/mkpasswd --method=sha-512 --salt="${SALT}" --rounds="${ROUNDS}" "${PASSPHRASE}") ### NUKE final check. if [[ "${CAND}" == "${NUKE_HASH}" ]]; then nuke fi fi return 0 } ####################################### # Securely unset the 'PASSPHRASE'-variable. # Globals: # PASSPHRASE # Arguments: # None ####################################### secure_unset_pass() { unset PASSPHRASE; PASSPHRASE=""; return 0; } ####################################### # Trap function to be called on 'ERR'. # Arguments: # 1: ${?} # 2: ${BASH_SOURCE[0]} # 3: ${LINENO} # 4: ${FUNCNAME[0]:-main} # 5: ${BASH_COMMAND} ####################################### trap_on_err() { declare -r errcode="$1" declare -r errscrt="$2" declare -r errline="$3" declare -r errfunc="$4" declare -r errcmmd="$5" declare -g ERRTRAP='true' trap - ERR INT TERM stty echo 2>/dev/null || true print_scr_err "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}" power_off 16 } ####################################### # Security Trap on 'EXIT'. # Globals: # ERRTRAP # Arguments: # None ####################################### trap_on_exit() { trap - ERR EXIT INT TERM [[ "${ERRTRAP,,}" == "false" ]] && print_scr_scc } ####################################### # Security Trap on 'INT' and 'TERM' to provide a deterministic way to not circumvent the nuke routine. # Globals: # NL # RED # Arguments: # None ####################################### trap_on_term() { trap - ERR INT TERM stty echo 2>/dev/null || true printf "%b" "${NL}" color_echo "${RED}" "✘ Received termination signal. System Power Off in 3 seconds." power_off 3 } ####################################### # Check the integrity and authenticity of this script itself. # Globals: # GRE # MAG # RED # Arguments: # 0: Script Name ####################################### verify_script() { declare dir # shellcheck disable=SC2312 dir="$(dirname "$(readlink -f "${0}")")" declare script; script="$(basename "${0}")" declare -a algo=( "sha512" ) declare cmd="" computed="" expected="" hashfile="" item="" sigfile="" for item in "${algo[@]}"; do hashfile="${dir}/${script}.${item}" sigfile="${hashfile}.sig" cmd="${item}sum" color_echo "${MAG}" "🔏 Verifying signature of: [${hashfile}]" if ! gpgv --keyring /etc/keys/unlock_wrapper_pubring.gpg "${sigfile}" "${hashfile}"; then color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]" color_echo "${RED}" "✘ System Power Off in 3 seconds." power_off 3 else color_echo "${GRE}" "🔏 Verifying signature of: [${hashfile}] successful." fi color_echo "${MAG}" "🔢 Recomputing Hash: [${item}]" # shellcheck disable=SC2312 read -r computed _ < <("${cmd}" "${dir}/${script}") read -r expected < "${hashfile}" if [[ "${computed}" != "${expected}" ]]; then color_echo "${RED}" "✘ Recomputed hash mismatch for : [${item}]" color_echo "${RED}" "✘ System Power Off in 3 seconds." power_off 3 fi color_echo "${GRE}" "🔢 Recomputing Hash: [${item}] successful." done color_echo "${GRE}" "🔏 All signatures and hashes verified successfully. Proceeding." return 0 } ####################################### # Main Program Sequence. # Globals: # CURRENTDATE # DEVICES_LUKS # GRE # MAG # NL # PASSPHRASE # RED # Arguments: # None ####################################### main() { exec 1>&2 trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR trap 'trap_on_exit' EXIT trap 'trap_on_term' INT TERM uname -a printf "%b" "${NL}" color_echo "${RED}" "Coresecret Connection established." color_echo "${RED}" "Starting Time: ${CURRENTDATE}" printf "%b" "${NL}" color_echo "${MAG}" "Integrity self-check ..." verify_script ### Read newline-separated output into an array. printf "%b" "${NL}" color_echo "${MAG}" "Scanning for LUKS devices ..." # shellcheck disable=SC2312 mapfile -t DEVICES_LUKS < <(gather_luks_devices) ### If there are no LUKS devices at all, drop to bash. if (( ${#DEVICES_LUKS[@]} == 0 )); then printf "%b" "${NL}" color_echo "${RED}" "✘ No LUKS Devices found. Dropping to bash ..." drop_bash fi ### Extract the 'nuke='-parameter from '/proc/cmdline'. printf "%b" "${NL}" extract_nuke_hash ### Read passphrase interactively. read_passphrase if printf "%s" "${PASSPHRASE}" | cryptroot-unlock; then secure_unset_pass exit 0 else secure_unset_pass printf "%b" "${NL}" color_echo "${RED}" "✘ Unsuccessful command 'cryptroot-unlock'." color_echo "${GRE}" " No LUKS operations performed. Dropping to bash ..." color_echo "${GRE}" " To unlock 'root' partition, and maybe others like '/home', run 'cryptroot-unlock'." drop_bash fi } main "${@}" # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh