msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity
Files
12f366e8426fba1bb810021171e71af4edb4b050cc7966ffaacd1017259900aa
CISS.debian.live.builder/config/includes.chroot/preseed/.ash/di_scripting_password.sh
Marc S. Weidner 3ad1726770
Some checks failed
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Failing after 1m11s
Details
V8.03.400.2025.06.05 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-06-05 22:38:12 +02:00

94 lines
3.4 KiB
Bash
Raw Blame History

#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# No bash in the installer environment, only BusyBox.
set -o errexit
set -o nounset
set -o noclobber
# Create a passphrase by pulling only characters in the range '!' to '~' (ASCII 0x21 to 0x7e) from /dev/random.
umask 0077
TMP_PASSPHRASE_FILE=$(mktemp)
readonly TMP_PASSPHRASE_FILE
grep -o '[!-~]' /dev/urandom | tr -d '\n' | head -c64 >> "${TMP_PASSPHRASE_FILE}"
# Create an include file for debian-installer with the passphrase as answers to the questions.
DEB_INSTALLER_CRYPT_INC_FILE=$(mktemp)
readonly DEB_INSTALLER_CRYPT_INC_FILE
# Read the first line (the passphrase) - POSIX-compliant
# IFS= prevents leading/trailing spaces from being truncated,
# -r ensures that backslashes are not interpreted.
IFS= read -r passphrase < "${TMP_PASSPHRASE_FILE}"
# A single printf call with exactly one redirect
# - ShellCheck-compliant and valid in POSIX-sh
printf 'd-i partman-crypto/passphrase string %s\n' "${passphrase}" >> "$DEB_INSTALLER_CRYPT_INC_FILE"
printf 'd-i partman-crypto/passphrase-again string %s\n' "${passphrase}" >> "$DEB_INSTALLER_CRYPT_INC_FILE"
# Echo the file to be included, so debian-installer will do that - assuming this command is being run via 'preseed/include_command'.
# Without file:// will try and fetch from the webserver this preseed was served from.
echo "file://${DEB_INSTALLER_CRYPT_INC_FILE}"
# Add extra commands to the file that should be run using 'preseed/late_command' to ensure the passphrase is included in the new installation.
readonly IN_TARGET_KEY_FILE=/etc/keys/luks-lvm.key
cat - >> /tmp/late-command-script << LATE_EOF
##### BEGIN ADDED BY preseed-crypto-key preseed/include_command
umask 0077
mkdir -p /target$(dirname "${IN_TARGET_KEY_FILE}")
cp "${TMP_PASSPHRASE_FILE}" /target"${IN_TARGET_KEY_FILE}"
# Use /root as /tmp might be noexec
cat - >/target/root/configure-crypt-unlock <<EOF
#!/usr/bin/bash
# Standard bash safety features
set -eufo pipefail
if grep -q UMASK /etc/initramfs-tools/initramfs.conf
then
sed -i 's-^#\?UMASK.*\\\$-UMASK=0077-' /etc/initramfs-tools/initramfs.conf
else
echo -e "# Secure initramfs while it contains unlock keys for root filesystem\nUMASK=0077" >>/etc/initramfs-tools/initramfs.conf
fi
# Include keyfile in initramfs
sed -i 's-^#\?KEYFILE_PATTERN=.*\\\$-KEYFILE_PATTERN=$(dirname ${IN_TARGET_KEY_FILE})/*.key-' /etc/cryptsetup-initramfs/conf-hook
# Configure crypt to use keyfile to unlock encrypted partition(s)
sed -i 's#\(UUID=[^ ]\+\) none#\1 ${IN_TARGET_KEY_FILE}#' /etc/crypttab
# Update initramfs with key file
update-initramfs -u
exit 0
EOF
sleep 1
chmod 500 /target/root/configure-crypt-unlock
in-target /root/configure-crypt-unlock
rm /target/root/configure-crypt-unlock
exit 0
##### END ADDED BY preseed-crypto-key preseed/include_command
LATE_EOF
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
Reference in New Issue View Git Blame Copy Permalink