msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity
Files
fd4ebbcd3c415762533dfa8bc83bfaeb9c59350cd6fd9b607aef1c50ee8e8cc5
CISS.debian.live.builder/config/includes.chroot/usr/lib/live/boot/9990-overlay.sh
Marc S. Weidner de1a577b23
Some checks failed
💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled
Details
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled
Details
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 55s
Details
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m9s
Details
V8.13.528.2025.12.03 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-12-03 11:09:16 +01:00

502 lines
16 KiB
Bash
Raw Blame History

#!/bin/sh
# bashsupport disable=BP5007
# shellcheck disable=SC2249
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: GPL-3.0-or-later
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Modified Version of the original file:
### https://salsa.debian.org/live-team/live-boot 'components/9990-overlay.sh'
### Change behavior to mount already opened ciss_rootfs.crypt (0024-ciss-crypt-squash).
#set -e
printf "\e[95m[INFO] Sourcing : [/usr/lib/live/boot/9990-overlay.sh] \n\e[0m"
setup_unionfs ()
{
printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/9990-overlay.sh] \n\e[0m"
image_directory="${1}"
rootmnt="${2}"
addimage_directory="${3}"
### CISS hook: allow explicit root override ----------------------------------------------------------------------------------
if [ -r /run/ciss-rootdev ]; then
. /run/ciss-rootdev
export PLAIN_ROOT=1
export image_directory="${CDLB_MAPPER_DEV}"
printf "\e[92m[INFO] setup_unionfs() : [image_directory=%s] \n\e[0m" "${image_directory}"
printf "\e[92m[INFO] setup_unionfs() : [rootmnt=%s] \n\e[0m" "${rootmnt}"
printf "\e[92m[INFO] setup_unionfs() : [addimage_directory=%s] \n\e[0m" "${addimage_directory}"
fi
### --------------------------------------------------------------------------------------------------------------------------
# shellcheck disable=SC2086
modprobe -q -b ${UNIONTYPE}
if ! cut -f2 /proc/filesystems | grep -q "^${UNIONTYPE}\$"
then
panic "${UNIONTYPE} not available."
fi
croot="/run/live/rootfs"
# Let's just mount the read-only file systems first
rootfslist=""
if [ -z "${PLAIN_ROOT}" ]
then
# Read image names from ${MODULE}.module if it exists
# shellcheck disable=SC2153
if [ -e "${image_directory}/filesystem.${MODULE}.module" ]
then
# shellcheck disable=SC2013,SC2086
for IMAGE in $(cat ${image_directory}/filesystem.${MODULE}.module)
do
image_string="${image_string} ${image_directory}/${IMAGE}"
done
elif [ -e "${image_directory}/${MODULE}.module" ]
then
# shellcheck disable=SC2013,SC2086
for IMAGE in $(cat ${image_directory}/${MODULE}.module)
do
image_string="${image_string} ${image_directory}/${IMAGE}"
done
else
# ${MODULE}.module does not exist, create a list of images
for FILESYSTEM in squashfs ext2 ext3 ext4 xfs jffs2 dir
do
for IMAGE in "${image_directory}"/*."${FILESYSTEM}"
do
if [ -e "${IMAGE}" ]
then
image_string="${image_string} ${IMAGE}"
fi
done
done
if [ -n "${addimage_directory}" ] && [ -d "${addimage_directory}" ]
then
for FILESYSTEM in squashfs ext2 ext3 ext4 xfs jffs2 dir
do
for IMAGE in "${addimage_directory}"/*."${FILESYSTEM}"
do
if [ -e "${IMAGE}" ]
then
image_string="${image_string} ${IMAGE}"
fi
done
done
fi
# Now sort the list
# shellcheck disable=SC2086
image_string="$(echo ${image_string} | sed -e 's/ /\n/g' | sort )"
fi
# shellcheck disable=SC2086
[ -n "${MODULETORAMFILE}" ] && image_string="${image_directory}/$(basename ${MODULETORAMFILE})"
mkdir -p "${croot}"
for image in ${image_string}
do
imagename=$(basename "${image}")
export image devname
maybe_break live-realpremount
log_begin_msg "Running /scripts/live-realpremount"
run_scripts /scripts/live-realpremount
log_end_msg
if [ -d "${image}" ]
then
# It is a plain directory: do nothing
rootfslist="${image} ${rootfslist}"
elif [ -f "${image}" ]
then
if losetup --help 2>&1 | grep -q -- "-r\b"
then
backdev=$(get_backing_device "${image}" "-r")
else
backdev=$(get_backing_device "${image}")
fi
fstype=$(get_fstype "${backdev}")
case "${fstype}" in
unknown)
panic "Unknown file system type on ${backdev} (${image})"
;;
"")
fstype="${imagename##*.}"
log_warning_msg "Unknown file system type on ${backdev} (${image}), assuming ${fstype}."
;;
esac
mpoint=$(trim_path "${croot}/${imagename}")
rootfslist="${mpoint} ${rootfslist}"
mount_options=""
# Setup dm-verity support if a device has it supported
hash_device="${image}.verity"
# shellcheck disable=SC2086
if [ -f ${hash_device} ]
then
log_begin_msg "Start parsing dm-verity options for ${image}"
backdev_roothash=$(get_backing_device ${hash_device})
verity_mount_options="-o verity.hashdevice=${backdev_roothash}"
root_hash=$(get_dm_verity_hash ${imagename} ${DM_VERITY_ROOT_HASH})
valid_config="true"
case $(mount --version) in
*verity*)
;;
*)
valid_config="false"
log_warning_msg "mount does not have support for dm-verity. Ignoring mount options"
;;
esac
if [ -n "${root_hash}" ]
then
verity_mount_options="${verity_mount_options} -o verity.roothash=${root_hash}"
# Check if the root hash is saved on disk
elif [ -f "${image}.roothash" ]
then
verity_mount_options="${verity_mount_options} -o verity.roothashfile=${image}.roothash"
else
valid_config="false"
log_warning_msg "'${image}' has a dm-verity hash table, but no root hash was specified ignoring"
fi
fec="${image}.fec"
fec_roots="${image}.fec.roots"
if [ -f ${fec} ] && [ -f ${fec_roots} ]
then
backdev_fec=$(get_backing_device ${fec})
roots=$(cat ${fec_roots})
verity_mount_options="${verity_mount_options} -o verity.fecdevice=${backdev_fec} -o verity.fecroots=${roots}"
fi
signature="${image}.roothash.p7s"
if [ -f "${signature}" ]
then
verity_mount_options="${verity_mount_options} -o verity.roothashsig=${signature}"
elif [ "${DM_VERITY_ENFORCE_ROOT_HASH_SIG}" = "true" ]
then
panic "dm-verity signature checking was enforced but no signature could be found for ${image}!"
fi
if [ -n "${DM_VERITY_ONCORRUPTION}" ]
then
if is_in_space_sep_list "${DM_VERITY_ONCORRUPTION}" "ignore panic restart"
then
verity_mount_options="${verity_mount_options} -o verity.oncorruption=${DM_VERITY_ONCORRUPTION}"
else
log_warning_msg "For dm-verity on corruption '${DM_VERITY_ONCORRUPTION}' was specified, but only ignore, panic or restart are supported!"
log_warning_msg "Ignoring setting"
fi
fi
if [ "${valid_config}" = "true" ]
then
mount_options="${mount_options} ${verity_mount_options}"
fi
log_end_msg "Finished parsing dm-verity options for ${image}"
fi
mkdir -p "${mpoint}"
log_begin_msg "Mounting \"${image}\" on \"${mpoint}\" via \"${backdev}\""
# shellcheck disable=SC2086
mount -t "${fstype}" -o ro,noatime ${mount_options} "${backdev}" "${mpoint}" || panic "Can not mount ${backdev} (${image}) on ${mpoint}"
log_end_msg
else
log_warning_msg "Could not find image '${image}'. Most likely it is listed in a .module file, perhaps by mistake."
fi
done
else
# We have a plain root system
mkdir -p "${croot}/filesystem"
log_begin_msg "Mounting \"${image_directory}\" on \"${croot}/filesystem\""
# shellcheck disable=SC2046,SC2312
mount -t $(get_fstype "${image_directory}") -o ro,noatime "${image_directory}" "${croot}/filesystem" || \
panic "Can not mount ${image_directory} on ${croot}/filesystem" && \
rootfslist="${croot}/filesystem ${rootfslist}"
# Probably broken:
# shellcheck disable=SC2086,SC2250
mount -o bind ${croot}/filesystem $mountpoint
log_end_msg
fi
# tmpfs file systems
touch /etc/fstab
mkdir -p /run/live/overlay
# Looking for persistence devices or files
if [ -n "${PERSISTENCE}" ] && [ -z "${NOPERSISTENCE}" ]
then
if [ -z "${QUICKUSBMODULES}" ]
then
# Load USB modules
# shellcheck disable=SC2012
num_block=$(ls -l /sys/block | wc -l)
for module in sd_mod uhci-hcd ehci-hcd ohci-hcd usb-storage
do
# shellcheck disable=SC2086
modprobe -q -b ${module}
done
udevadm trigger
udevadm settle
# For some reason, udevsettle does not block in this scenario,
# so we sleep for a little while.
#
# See https://bugs.launchpad.net/ubuntu/+source/casper/+bug/84591
# shellcheck disable=SC2034
for timeout in 5 4 3 2 1
do
sleep 1
# shellcheck disable=SC2012,SC2046,SC2086,SC2312
if [ $(ls -l /sys/block | wc -l) -gt ${num_block} ]
then
break
fi
done
fi
# shellcheck disable=SC3043
local whitelistdev
whitelistdev=""
if [ -n "${PERSISTENCE_MEDIA}" ]
then
case "${PERSISTENCE_MEDIA}" in
removable)
whitelistdev="$(removable_dev)"
;;
removable-usb)
whitelistdev="$(removable_usb_dev)"
;;
esac
if [ -z "${whitelistdev}" ]
then
whitelistdev="ignore_all_devices"
fi
fi
# shellcheck disable=SC2086
if is_in_comma_sep_list overlay ${PERSISTENCE_METHOD}
then
overlays="${custom_overlay_label}"
fi
# shellcheck disable=SC3043
local overlay_devices
overlay_devices=""
if [ "${whitelistdev}" != "ignore_all_devices" ]
then
for media in $(find_persistence_media "${overlays}" "${whitelistdev}")
do
# shellcheck disable=SC2086
media="$(echo ${media} | tr ":" " ")"
for overlay_label in ${custom_overlay_label}
do
case ${media} in
${overlay_label}=*)
device="${media#*=}"
overlay_devices="${overlay_devices} ${device}"
;;
esac
done
done
fi
elif [ -n "${NFS_COW}" ] && [ -z "${NOPERSISTENCE}" ]
then
# Check if there are any nfs options
# shellcheck disable=SC2086
if echo ${NFS_COW} | grep -q ','
then
# shellcheck disable=SC2086
nfs_cow_opts="-o nolock,$(echo ${NFS_COW}|cut -d, -f2-)"
nfs_cow=$(echo ${NFS_COW}|cut -d, -f1)
else
nfs_cow_opts="-o nolock"
nfs_cow=${NFS_COW}
fi
if [ -n "${PERSISTENCE_READONLY}" ]
then
nfs_cow_opts="${nfs_cow_opts},nocto,ro"
fi
mac="$(get_mac)"
if [ -n "${mac}" ]
then
# shellcheck disable=SC2086
cowdevice=$(echo ${nfs_cow} | sed "s/client_mac_address/${mac}/")
cow_fstype="nfs"
else
panic "unable to determine mac address"
fi
fi
if [ -z "${cowdevice}" ]
then
cowdevice="tmpfs"
cow_fstype="tmpfs"
cow_mountopt="rw,noatime,mode=755,size=${OVERLAY_SIZE:-50%}"
fi
if [ -n "${PERSISTENCE_READONLY}" ] && [ "${cowdevice}" != "tmpfs" ]
then
# shellcheck disable=SC2086
mount -t tmpfs -o rw,noatime,mode=755,size=${OVERLAY_SIZE:-50%} tmpfs "/run/live/overlay"
# shellcheck disable=SC2086
root_backing="/run/live/persistence/$(basename ${cowdevice})-root"
# shellcheck disable=SC2086
mkdir -p ${root_backing}
else
root_backing="/run/live/overlay"
fi
if [ "${cow_fstype}" = "nfs" ]
then
log_begin_msg \
"Trying nfsmount ${nfs_cow_opts} ${cowdevice} ${root_backing}"
# shellcheck disable=SC2086
nfsmount ${nfs_cow_opts} ${cowdevice} ${root_backing} || \
panic "Can not mount ${cowdevice} (n: ${cow_fstype}) on ${root_backing}"
else
# shellcheck disable=SC2086
mount -t ${cow_fstype} -o ${cow_mountopt} ${cowdevice} ${root_backing} || \
panic "Can not mount ${cowdevice} (o: ${cow_fstype}) on ${root_backing}"
fi
# shellcheck disable=SC2086
rootfscount=$(echo ${rootfslist} |wc -w)
rootfs=${rootfslist%% }
if [ -n "${EXPOSED_ROOT}" ]
then
# shellcheck disable=SC2086
if [ ${rootfscount} -ne 1 ]
then
panic "only one RO file system supported with exposedroot: ${rootfslist}"
fi
# shellcheck disable=SC2086
mount -o bind ${rootfs} ${rootmnt} || \
panic "bind mount of ${rootfs} failed"
if [ -z "${SKIP_UNION_MOUNTS}" ]
then
cow_dirs='/var/tmp /var/lock /var/run /var/log /var/spool /home /var/lib/live'
else
cow_dirs=''
fi
else
cow_dirs="/"
fi
for dir in ${cow_dirs}; do
unionmountpoint=$(trim_path "${rootmnt}${dir}")
# shellcheck disable=SC2086
mkdir -p ${unionmountpoint}
cow_dir=$(trim_path "/run/live/overlay${dir}")
rootfs_dir="${rootfs}${dir}"
# shellcheck disable=SC2086
mkdir -p ${cow_dir}
if [ -n "${PERSISTENCE_READONLY}" ] && [ "${cowdevice}" != "tmpfs" ]
then
# shellcheck disable=SC2086
do_union ${unionmountpoint} ${cow_dir} ${root_backing} ${rootfs_dir}
else
# shellcheck disable=SC2086
do_union ${unionmountpoint} ${cow_dir} ${rootfs_dir}
fi || panic "mount ${UNIONTYPE} on ${unionmountpoint} failed with option ${unionmountopts}"
done
# Remove persistence depending on boot parameter
Remove_persistence
# Correct the permissions of /:
chmod 0755 "${rootmnt}"
# Correct the permission of /tmp:
if [ -d "${rootmnt}/tmp" ]
then
chmod 1777 "${rootmnt}"/tmp
fi
# Correct the permission of /var/tmp:
if [ -d "${rootmnt}/var/tmp" ]
then
chmod 1777 "${rootmnt}"/var/tmp
fi
# Adding custom persistence
if [ -n "${PERSISTENCE}" ] && [ -z "${NOPERSISTENCE}" ]
then
# shellcheck disable=SC3043
local custom_mounts
custom_mounts="/tmp/custom_mounts.list"
# shellcheck disable=SC2086
rm -f ${custom_mounts}
# Gather information about custom mounts from devices detected as overlays
# shellcheck disable=SC2086
get_custom_mounts ${custom_mounts} ${overlay_devices}
# shellcheck disable=SC2086
[ -n "${LIVE_BOOT_DEBUG}" ] && cp ${custom_mounts} "/run/live/persistence"
# Now we do the actual mounting (and symlinking)
# shellcheck disable=SC3043
local used_overlays
used_overlays=""
# shellcheck disable=SC2086
used_overlays=$(activate_custom_mounts ${custom_mounts})
# shellcheck disable=SC2086
rm -f ${custom_mounts}
# Close unused overlays (e.g., due to missing $persistence_list)
for overlay in ${overlay_devices}
do
# shellcheck disable=SC2086
if echo ${used_overlays} | grep -qve "^\(.* \)\?${overlay}\( .*\)\?$"
then
close_persistence_media ${overlay}
fi
done
fi
# TODO: Remove Debug
### CISS override for /usr/lib/live/boot/0042_ciss_post_decrypt_attest -------------------------------------------------------
printf "\e[92m[INFO] Calling : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] ... \n\e[0m"
[ -x /usr/lib/live/boot/0042_ciss_post_decrypt_attest ] && /usr/lib/live/boot/0042_ciss_post_decrypt_attest
printf "\e[92m[INFO] Calling : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] done. \n\e[0m"
sleep 16
### CISS override for /usr/lib/live/boot/0042_ciss_post_decrypt_attest -------------------------------------------------------
printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/9990-overlay.sh] \n\e[0m"
}
Reference in New Issue View Git Blame Copy Permalink