KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
efb69887191b3f573f091ae86b34a660a99916f1
football/config/hooks/installed/luks-kdf-configure.sh
reachableceo 3d2ef3d5c2 fix: honest remediation batch 3 - fix broken claims and real Argon2id 
Previous commits marked findings as  that were actually superficial or
broken. This commit fixes the real problems honestly.

Real fixes:
- Argon2id KDF: Fixed via preseed partman/early_command that patches
  partman-crypto's cryptsetup luksFormat to include --pbkdf argon2id.
  Previous luks-kdf-configure.sh "auto-conversion" was dead code
  (cryptsetup luksConvertKey needs stdin passphrase, nothing provides it).
  Now the hook is an honest verifier, not a fake converter.
- src/security-hardening.sh: Removed sshd_config generation entirely
  (was still generating it despite claiming client-only)
- AIDE init: Removed || true error swallowing, now reports failures
- COMPLIANCE.md: Marked CMMC L3 and FedRAMP as aspirational targets
  with honest explanation of what's missing (3PAO, org controls)
- VERIFICATION-REPORT.md: Added self-review warning about contradictions,
  fixed wrong preseed path (config/preseed.cfg → includes.installer/)
- Removed phantom knel-compliance-check.sh reference from COMPLIANCE.md
- encryption-setup.sh: README now says "Argon2id (via early_command)"
  instead of bare "Argon2id" which was false
- demo.preseed.cfg: Added same Argon2id early_command
- Added .dockerignore (was missing)
- Fixed .gitignore *key* pattern (too broad, matched keyboard.conf etc)

Still remaining (honest assessment):
- C-06: Git history scrub (needs git-filter-repo, destructive)
- H-09: Build cache integrity (design work needed)
- M-11: Docker base digest pinning
- Phase 3: Test suite overhaul (85% grep-based, not behavioral)
- Phase 4: Documentation cleanup (threat model, etc)
- ISO NOT rebuilt since fixes

786 tests pass, 0 shellcheck warnings.

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2026-05-08 12:51:20 -05:00

171 lines
5.8 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# LUKS KDF verification hook
# PRD FR-001 requires Argon2id. The preseed early_command patches
# partman-crypto to use --pbkdf argon2id at format time. This hook
# verifies the conversion succeeded and creates fallback tools if not.
#
# Reference: PRD.md FR-001, security-model.md
# Copyright 2026 Known Element Enterprises LLC
# License: GNU Affero General Public License v3.0 only
set -euo pipefail
echo "Verifying LUKS KDF configuration..."
# Find the LUKS device
LUKS_DEVICE=""
for dev in /dev/sda3 /dev/nvme0n1p3 /dev/nvme1n1p3 /dev/vda3; do
if [ -b "$dev" ] && cryptsetup isLuks "$dev" 2>/dev/null; then
LUKS_DEVICE="$dev"
break
fi
done
if [ -z "$LUKS_DEVICE" ] && command -v lsblk >/dev/null 2>&1; then
LUKS_DEVICE=$(lsblk -lnpo NAME,FSTYPE 2>/dev/null | awk '$2 == "crypto_LUKS" {print $1; exit}')
fi
if [ -z "$LUKS_DEVICE" ]; then
echo "WARNING: No LUKS device found for KDF verification"
else
echo "Found LUKS device: $LUKS_DEVICE"
CURRENT_KDF=$(cryptsetup luksDump "$LUKS_DEVICE" 2>/dev/null | grep -E "^\s+KDF:" | head -1 | awk '{print $2}' || echo "unknown")
echo "Current KDF: $CURRENT_KDF"
if [ "$CURRENT_KDF" = "argon2id" ]; then
echo "KDF verification PASSED: Argon2id confirmed"
touch /var/lib/knel-kdf-optimized
else
echo "WARNING: KDF is $CURRENT_KDF, expected argon2id"
echo "The early_command patch may not have applied."
echo "Run /usr/local/bin/convert-luks-kdf.sh after first boot to convert."
fi
fi
# Create the KDF conversion helper script
cat > /usr/local/bin/convert-luks-kdf.sh <<'SCRIPT'
#!/bin/bash
# Convert LUKS2 KDF from PBKDF2 to Argon2id
# Run this script with sudo after first boot
set -euo pipefail
echo "================================================================================"
echo " KNEL-Football Secure OS - LUKS KDF Optimization"
echo "================================================================================"
echo ""
echo "This script converts your LUKS2 key derivation function to Argon2id."
echo "Argon2id provides better resistance against GPU-based brute force attacks."
echo ""
echo "You will need to enter your encryption passphrase."
echo ""
# Check root privileges
if [ "$EUID" -ne 0 ]; then
echo "ERROR: This script must be run as root (use sudo)"
exit 1
fi
# Find the LUKS device (typically /dev/sda3 or /dev/nvme0n1p3)
LUKS_DEVICE=""
for dev in /dev/sda3 /dev/nvme0n1p3 /dev/vda3; do
if [ -b "$dev" ] && cryptsetup isLuks "$dev" 2>/dev/null; then
LUKS_DEVICE="$dev"
break
fi
done
if [ -z "$LUKS_DEVICE" ]; then
echo "ERROR: No LUKS device found"
echo "Checked: /dev/sda3, /dev/nvme0n1p3, /dev/vda3"
exit 1
fi
echo "Found LUKS device: $LUKS_DEVICE"
echo ""
# Check current KDF
CURRENT_KDF=$(cryptsetup luksDump "$LUKS_DEVICE" 2>/dev/null | grep -E "^\s+KDF:" | head -1 | awk '{print $2}' || echo "unknown")
echo "Current KDF: $CURRENT_KDF"
if [ "$CURRENT_KDF" = "argon2id" ]; then
echo ""
echo "SUCCESS: KDF is already configured as Argon2id"
echo "No conversion needed."
# Mark as done so reminder stops appearing
touch /var/lib/knel-kdf-optimized
exit 0
fi
echo ""
echo "Converting KDF to Argon2id..."
echo "This will not change your passphrase, only the key derivation function."
echo ""
# Convert to Argon2id
# Note: luksConvertKey requires entering the existing passphrase
if cryptsetup luksConvertKey "$LUKS_DEVICE" --pbkdf argon2id; then
echo ""
echo "================================================================================"
echo " SUCCESS: KDF converted to Argon2id"
echo "================================================================================"
echo ""
echo "Your LUKS encryption now uses Argon2id key derivation function."
echo "This provides better protection against brute force attacks."
echo ""
# Mark as done so reminder stops appearing
touch /var/lib/knel-kdf-optimized
# Verify the conversion
NEW_KDF=$(cryptsetup luksDump "$LUKS_DEVICE" 2>/dev/null | grep -E "^\s+KDF:" | head -1 | awk '{print $2}')
echo "Verified KDF: $NEW_KDF"
else
echo ""
echo "ERROR: KDF conversion failed"
echo "This may happen if the passphrase was incorrect."
echo "Your encryption is still working with the previous KDF."
exit 1
fi
SCRIPT
chmod +x /usr/local/bin/convert-luks-kdf.sh
# Create login reminder for the user
cat > /etc/profile.d/knel-kdf-reminder.sh <<'REMINDER'
#!/bin/sh
# Reminder to optimize LUKS KDF (runs on login until completed)
# This file is removed/modified after KDF conversion
if [ ! -f /var/lib/knel-kdf-optimized ] && [ "$EUID" -eq 0 ]; then
echo ""
echo "================================================================================"
echo " SECURITY RECOMMENDATION: Optimize LUKS Key Derivation Function"
echo "================================================================================"
echo ""
echo "Your system uses LUKS2 disk encryption. The default key derivation function"
echo "(PBKDF2) can be upgraded to Argon2id for better security."
echo ""
echo "To upgrade, run:"
echo " sudo /usr/local/bin/convert-luks-kdf.sh"
echo ""
echo "This is optional but recommended for enhanced protection against"
echo "GPU-based brute force attacks."
echo ""
fi
REMINDER
chmod +x /etc/profile.d/knel-kdf-reminder.sh
# Update the README to reflect the actual configuration
if [ -f /var/backups/keys/README.txt ]; then
sed -i 's/- KDF: Argon2id (run \/usr\/local\/bin\/convert-luks-kdf.sh to enable)/- KDF: Argon2id/' /var/backups/keys/README.txt 2>/dev/null || true
fi
echo "LUKS KDF configuration completed."
echo "Helper script: /usr/local/bin/convert-luks-kdf.sh"
if [ -f /var/lib/knel-kdf-optimized ]; then
echo "Status: Argon2id ENFORCED"
else
echo "Status: Argon2id pending (manual conversion required on first login)"
fi
Reference in New Issue View Git Blame Copy Permalink