msw
83f6f8488c
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
145 lines
4.7 KiB
Bash
145 lines
4.7 KiB
Bash
#!/bin/bash
|
|
# SPDX-Version: 3.0
|
|
# SPDX-CreationInfo: 2026-06-04; WEIDNER, Marc S.; <msw@coresecret.dev>
|
|
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
|
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
|
# SPDX-FileCopyrightText: 2024-2026; WEIDNER, Marc S.; <msw@coresecret.dev>
|
|
# SPDX-FileType: SOURCE
|
|
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
|
|
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
|
# SPDX-PackageName: CISS.debian.live.builder
|
|
# SPDX-Security-Contact: security@coresecret.eu
|
|
# shellcheck disable=SC2154,SC2312
|
|
|
|
guard_sourcing || return "${ERR_GUARD_SRCE}"
|
|
|
|
#######################################
|
|
# Guard against accidental inclusion of CISS Secure Boot private keys.
|
|
# Globals:
|
|
# ERR_UNCRITICAL
|
|
# VAR_HANDLER_BUILD_DIR
|
|
# Arguments:
|
|
# None
|
|
# Returns:
|
|
# 0: on success
|
|
# ERR_UNCRITICAL: on failure
|
|
#######################################
|
|
secureboot_profile_guard_private_keys() {
|
|
declare -a guard_roots=(
|
|
"${VAR_HANDLER_BUILD_DIR}/binary"
|
|
"${VAR_HANDLER_BUILD_DIR}/chroot"
|
|
"${VAR_HANDLER_BUILD_DIR}/config/includes.binary"
|
|
"${VAR_HANDLER_BUILD_DIR}/config/includes.chroot"
|
|
"${VAR_HANDLER_BUILD_DIR}/config/includes.installer"
|
|
)
|
|
declare guard_root=""
|
|
declare private_file=""
|
|
|
|
for guard_root in "${guard_roots[@]}"; do
|
|
|
|
if [[ ! -d "${guard_root}" ]]; then
|
|
continue
|
|
fi
|
|
|
|
while IFS= read -r -d '' private_file; do
|
|
|
|
printf "\e[91m❌ Refusing private Secure Boot key inside build artifact path: '%s'. \e[0m\n" "${private_file}" >&2
|
|
return "${ERR_UNCRITICAL}"
|
|
|
|
done < <(find "${guard_root}" -xdev -type f \( -name "ciss-efi-image.key" -o -name "ciss-module-signing.key" \) -print0)
|
|
|
|
done
|
|
|
|
return 0
|
|
}
|
|
### Prevents accidental 'unset -f'.
|
|
# shellcheck disable=SC2034
|
|
readonly -f secureboot_profile_guard_private_keys
|
|
|
|
#######################################
|
|
# Apply the selected Secure Boot profile after repository files were copied into the live-build config.
|
|
# Globals:
|
|
# BASH_SOURCE
|
|
# ERR_ARG_MSMTCH
|
|
# ERR_UNCRITICAL
|
|
# VAR_ARCHITECTURE
|
|
# VAR_CISS_SECUREBOOT_PROFILE
|
|
# VAR_HANDLER_BUILD_DIR
|
|
# VAR_WORKDIR
|
|
# Arguments:
|
|
# None
|
|
# Returns:
|
|
# 0: on success
|
|
#######################################
|
|
secureboot_profile_apply() {
|
|
declare profile="${VAR_CISS_SECUREBOOT_PROFILE,,}"
|
|
declare hooks_dir="${VAR_HANDLER_BUILD_DIR}/config/hooks/live"
|
|
declare build_uki_hook="${hooks_dir}/zzzz_ciss_build_uki.hook.binary"
|
|
declare install_uki_hook="${hooks_dir}/9910-ciss-install-uki-into-efi-img.hook.binary"
|
|
declare secureboot_dir="${VAR_WORKDIR}/ciss.secureboot"
|
|
declare secureboot_key="${secureboot_dir}/private/ciss-efi-image.key"
|
|
declare secureboot_cert="${secureboot_dir}/public/ciss-efi-image.crt"
|
|
|
|
printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
|
|
|
|
case "${profile}" in
|
|
debian-shim | ciss-uki)
|
|
;;
|
|
*)
|
|
printf "\e[91m❌ Unsupported Secure Boot profile: '%s'. \e[0m\n" "${profile}" >&2
|
|
return "${ERR_ARG_MSMTCH}"
|
|
;;
|
|
esac
|
|
|
|
declare -gx VAR_CISS_SECUREBOOT_PROFILE="${profile}"
|
|
declare -gx VAR_CISS_SECUREBOOT_DIR="${secureboot_dir}"
|
|
declare -gx VAR_CISS_SECUREBOOT_EFI_KEY="${secureboot_key}"
|
|
declare -gx VAR_CISS_SECUREBOOT_EFI_CERT="${secureboot_cert}"
|
|
|
|
if [[ "${profile}" == "debian-shim" ]]; then
|
|
|
|
rm -f -- "${build_uki_hook}" "${install_uki_hook}"
|
|
printf "\e[92m✅ Secure Boot profile: debian-shim. Custom CISS UKI hooks disabled. \e[0m\n"
|
|
printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
|
|
return 0
|
|
|
|
fi
|
|
|
|
if [[ "${VAR_ARCHITECTURE,,}" != "amd64" ]]; then
|
|
|
|
printf "\e[91m❌ Secure Boot profile 'ciss-uki' currently targets amd64/BOOTX64.EFI only. Got: '%s'. \e[0m\n" "${VAR_ARCHITECTURE}" >&2
|
|
return "${ERR_ARG_MSMTCH}"
|
|
|
|
fi
|
|
|
|
install -d -m 0755 "${secureboot_dir}/public" "${secureboot_dir}/manifests" "${secureboot_dir}/uki"
|
|
install -d -m 0700 "${secureboot_dir}/private"
|
|
|
|
if [[ ! -f "${secureboot_key}" ]]; then
|
|
|
|
printf "\e[91m❌ Missing CISS Secure Boot EFI signing key: '%s'. \e[0m\n" "${secureboot_key}" >&2
|
|
return "${ERR_UNCRITICAL}"
|
|
|
|
fi
|
|
|
|
if [[ ! -f "${secureboot_cert}" ]]; then
|
|
|
|
printf "\e[91m❌ Missing CISS Secure Boot EFI signing certificate: '%s'. \e[0m\n" "${secureboot_cert}" >&2
|
|
return "${ERR_UNCRITICAL}"
|
|
|
|
fi
|
|
|
|
secureboot_profile_guard_private_keys
|
|
|
|
chmod 0755 "${build_uki_hook}" "${install_uki_hook}"
|
|
|
|
printf "\e[92m❌ Secure Boot profile: ciss-uki. Custom UKI hooks enabled. \e[0m\n"
|
|
printf "\e[92m❌ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
|
|
|
|
return 0
|
|
}
|
|
### Prevents accidental 'unset -f'.
|
|
# shellcheck disable=SC2034
|
|
readonly -f secureboot_profile_apply
|
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|