Diffstat (limited to 'installer/lib')
-rw-r--r--installer/lib/btrfs.sh11
-rw-r--r--installer/lib/common.sh18
2 files changed, 27 insertions, 2 deletions
diff --git a/installer/lib/btrfs.sh b/installer/lib/btrfs.sh
index 09127b2..f704fd7 100644
--- a/installer/lib/btrfs.sh
+++ b/installer/lib/btrfs.sh
@@ -204,6 +204,8 @@ configure_luks_initramfs() {
# Add encrypt hook before filesystems (configure_btrfs_initramfs overwrites
# this with the final hook list, using sd-encrypt for multi-disk setups)
+ # No sed verification needed: a missing HOOKS= line makes mkinitcpio -P
+ # fail loudly downstream. (Audited 2026-04-27 against silent-sed pattern.)
sed -i 's/^HOOKS=.*/HOOKS=(base udev microcode modconf kms keyboard keymap consolefont block encrypt filesystems fsck)/' \
/mnt/etc/mkinitcpio.conf
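Review bot: The added comment justifies skipping verification only for a missing HOOKS= line, but the sed also changes nothing when the line exists in a form `^HOOKS=.*` does not match (indented, for example). In that case the file still holds a valid HOOKS array, so mkinitcpio -P would presumably succeed and build an image without the encrypt hook, which is the silent outcome the audit was meant to rule out. A check in the style of enable_sshd_root_login would close it: `grep -q '^HOOKS=.*encrypt' /mnt/etc/mkinitcpio.conf || error "encrypt hook not set in /mnt/etc/mkinitcpio.conf"`. The same reasoning is repeated in the comment added at -844/+848, where the four seds it refers to lie outside the hunk. configure_luks_initramfs itself continues past the end of this hunk.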
@@ -247,7 +249,8 @@ configure_luks_grub() {
info "Testing mode: adding cryptkey parameter for automated unlock"
fi
- sed -i "s|^GRUB_CMDLINE_LINUX=\"|GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=$uuid:$LUKS_MAPPER_NAME:allow-discards ${cryptkey_param}|" \
+ prepend_grub_cmdline_linux \
+ "cryptdevice=UUID=$uuid:$LUKS_MAPPER_NAME:allow-discards ${cryptkey_param}" \
/mnt/etc/default/grub
info "GRUB configured with cryptdevice parameter and cryptodisk enabled."
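Review bot: The helper called here verifies that the string was written, not that it is usable. If `$uuid` is empty at this call, `cryptdevice=UUID=:$LUKS_MAPPER_NAME:allow-discards` is prepended, the grep inside prepend_grub_cmdline_linux passes, and the install continues toward a system that cannot unlock root. The assignment of `uuid` is outside the hunk, so this may already be guarded; if it is not, add `[[ -n "$uuid" ]] || error "LUKS UUID is empty; refusing to write cryptdevice= to GRUB"` before the call. The same applies to the identical call in the hunk at -613/+616.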
@@ -613,7 +616,8 @@ EOF
cryptkey_param="cryptkey=rootfs:$LUKS_KEYFILE "
info "Testing mode: adding cryptkey parameter for automated unlock"
fi
- sed -i "s|^GRUB_CMDLINE_LINUX=\"|GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=$uuid:$LUKS_MAPPER_NAME:allow-discards ${cryptkey_param}|" \
+ prepend_grub_cmdline_linux \
+ "cryptdevice=UUID=$uuid:$LUKS_MAPPER_NAME:allow-discards ${cryptkey_param}" \
/mnt/etc/default/grub
info "Added cryptdevice parameter for LUKS partition."
fi
@@ -844,6 +848,9 @@ EOF
# Configure hooks for btrfs
# Include encrypt hook if LUKS is enabled, btrfs hook if multi-device
+ # No sed verification needed on the four HOOKS= seds below: a missing
+ # HOOKS= line makes mkinitcpio -P fail loudly downstream. (Audited
+ # 2026-04-27 against silent-sed pattern.)
local num_disks=${#SELECTED_DISKS[@]}
local luks_enabled="no"
[[ "$NO_ENCRYPT" != "yes" && -n "$LUKS_PASSPHRASE" ]] && luks_enabled="yes"
diff --git a/installer/lib/common.sh b/installer/lib/common.sh
index 3040799..dfeb245 100644
--- a/installer/lib/common.sh
+++ b/installer/lib/common.sh
@@ -302,3 +302,21 @@ enable_sshd_root_login() {
grep -q '^PermitRootLogin yes$' "$config_file" \
|| error "PermitRootLogin not set in $config_file (no matching line to replace)"
}
+
+#############################
+# GRUB Configuration
+#############################
+
+# Prepend a string just inside the GRUB_CMDLINE_LINUX="..." quotes in
+# /etc/default/grub. Errors if the line isn't present in the file.
+# Silently doing nothing here would leave the kernel without the
+# parameter — for cryptdevice= that means the system can't unlock the
+# root partition at boot, so we want a loud failure during install
+# rather than an unbootable system after first reboot.
+prepend_grub_cmdline_linux() {
+ local addition="$1"
+ local config_file="$2"
+ sed -i "s|^GRUB_CMDLINE_LINUX=\"|GRUB_CMDLINE_LINUX=\"${addition}|" "$config_file"
+ grep -qF "GRUB_CMDLINE_LINUX=\"${addition}" "$config_file" \
+ || error "GRUB_CMDLINE_LINUX not modified in $config_file (line missing or pattern unmatched)"
+}
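Review bot: The post-check in prepend_grub_cmdline_linux cannot tell "sed just wrote this" from "this text was already there", so the function is not idempotent. On a second run against a /mnt that was already configured, sed prepends the parameter again and the grep still succeeds, leaving a duplicated cryptdevice= entry. An early return before the sed avoids that: `grep -qF "GRUB_CMDLINE_LINUX=\"${addition}" "$config_file" && return 0`. Separately, `${addition}` lands in the sed replacement text, where `&`, `\` and `|` are special; the grep would catch the resulting mismatch, but the header comment should state that callers must not pass those characters, since a keyfile path or mapper name is interpolated into it.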