94 lines
3.4 KiB
Bash
94 lines
3.4 KiB
Bash
#!/bin/sh
|
||
# SPDX-Version: 3.0
|
||
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||
# SPDX-FileCopyrightText: 2024–2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||
# SPDX-FileType: SOURCE
|
||
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||
# SPDX-PackageName: CISS.debian.live.builder
|
||
# SPDX-Security-Contact: security@coresecret.eu
|
||
|
||
# No bash in the installer environment, only BusyBox.
|
||
|
||
set -o errexit
|
||
set -o nounset
|
||
set -o noclobber
|
||
|
||
# Create a passphrase by pulling only characters in the range '!' to '~' (ASCII 0x21 to 0x7e) from /dev/random.
|
||
umask 0077
|
||
TMP_PASSPHRASE_FILE=$(mktemp)
|
||
readonly TMP_PASSPHRASE_FILE
|
||
grep -o '[!-~]' /dev/urandom | tr -d '\n' | head -c64 >> "${TMP_PASSPHRASE_FILE}"
|
||
|
||
# Create an include file for debian-installer with the passphrase as answers to the questions.
|
||
DEB_INSTALLER_CRYPT_INC_FILE=$(mktemp)
|
||
readonly DEB_INSTALLER_CRYPT_INC_FILE
|
||
|
||
# Read the first line (the passphrase) – POSIX-compliant
|
||
# IFS= prevents leading/trailing spaces from being truncated,
|
||
# -r ensures that backslashes are not interpreted.
|
||
IFS= read -r passphrase < "${TMP_PASSPHRASE_FILE}"
|
||
|
||
# A single printf call with exactly one redirect
|
||
# – ShellCheck-compliant and valid in POSIX-sh
|
||
printf 'd-i partman-crypto/passphrase string %s\n' "${passphrase}" >> "$DEB_INSTALLER_CRYPT_INC_FILE"
|
||
|
||
printf 'd-i partman-crypto/passphrase-again string %s\n' "${passphrase}" >> "$DEB_INSTALLER_CRYPT_INC_FILE"
|
||
|
||
# Echo the file to be included, so debian-installer will do that - assuming this command is being run via 'preseed/include_command'.
|
||
# Without file:// will try and fetch from the webserver this preseed was served from.
|
||
echo "file://${DEB_INSTALLER_CRYPT_INC_FILE}"
|
||
|
||
# Add extra commands to the file that should be run using 'preseed/late_command' to ensure the passphrase is included in the new installation.
|
||
readonly IN_TARGET_KEY_FILE=/etc/keys/luks-lvm.key
|
||
|
||
cat - >> /tmp/late-command-script << LATE_EOF
|
||
##### BEGIN ADDED BY preseed-crypto-key preseed/include_command
|
||
|
||
umask 0077
|
||
|
||
mkdir -p /target$(dirname "${IN_TARGET_KEY_FILE}")
|
||
|
||
cp "${TMP_PASSPHRASE_FILE}" /target"${IN_TARGET_KEY_FILE}"
|
||
|
||
# Use /root as /tmp might be noexec
|
||
|
||
cat - >/target/root/configure-crypt-unlock <<EOF
|
||
#!/usr/bin/bash
|
||
|
||
# Standard bash safety features
|
||
set -eufo pipefail
|
||
|
||
if grep -q UMASK /etc/initramfs-tools/initramfs.conf
|
||
then
|
||
sed -i 's-^#\?UMASK.*\\\$-UMASK=0077-' /etc/initramfs-tools/initramfs.conf
|
||
else
|
||
echo -e "# Secure initramfs while it contains unlock keys for root filesystem\nUMASK=0077" >>/etc/initramfs-tools/initramfs.conf
|
||
fi
|
||
|
||
# Include keyfile in initramfs
|
||
sed -i 's-^#\?KEYFILE_PATTERN=.*\\\$-KEYFILE_PATTERN=$(dirname ${IN_TARGET_KEY_FILE})/*.key-' /etc/cryptsetup-initramfs/conf-hook
|
||
|
||
# Configure crypt to use keyfile to unlock encrypted partition(s)
|
||
sed -i 's#\(UUID=[^ ]\+\) none#\1 ${IN_TARGET_KEY_FILE}#' /etc/crypttab
|
||
|
||
# Update initramfs with key file
|
||
update-initramfs -u
|
||
exit 0
|
||
EOF
|
||
|
||
sleep 1
|
||
|
||
chmod 500 /target/root/configure-crypt-unlock
|
||
in-target /root/configure-crypt-unlock
|
||
rm /target/root/configure-crypt-unlock
|
||
|
||
exit 0
|
||
##### END ADDED BY preseed-crypto-key preseed/include_command
|
||
LATE_EOF
|
||
|
||
exit 0
|
||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|