Fix emerg-shutdown and ensure-shutdown libexec scripts, start emerg-shutdown and ensure-shutdown earlier

usr/lib/systemd/system/block-shutdown.service

@@ -0,0 +1,29 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## This unit, if uncommented and started, will prevent the system from ever
+## shutting down unless ensure-shutdown.service is enabled and correctly
+## configured. If you have enabled ensure-shutdown.service and tuned the
+## ENSURE_SHUTDOWN_TIMEOUT and DefaultTimeoutStopSec variables (in
+## /etc/security-misc/emerg-shutdown/30_security_misc.conf and
+## /etc/systemd/system.conf respectively) and want to make sure
+## ensure-shutdown.service actually works, you can uncomment this unit and
+## start it with `sudo systemctl start block-shutdown.service`. If the systems
+## successfully powers down even with this unit started,
+## ensure-shutdown.service is working.
+
+# [Unit]
+# Description=Blocks shutdown indefinitely unless ensure-shutdown.service is enabled
+#
+# [Service]
+# Type=exec
+# ExecStart=bash -c -- "trap '' SIGTERM; sleep infinity"
+# KillSignal=SIGTERM
+# FinalKillSignal=SIGTERM
+# RestartKillSignal=SIGTERM
+# WatchdogSignal=SIGTERM
+# SendSIGHUP=no
+# TimeoutStopSec=infinity
+#
+# [Install]
+# WantedBy=multi-user.target

usr/lib/systemd/system/emerg-shutdown.service

@@ -4,6 +4,12 @@
 [Unit]
 Description=Emergency shutdown when boot media is removed
 Documentation=https://github.com/Kicksecure/security-misc
+DefaultDependencies=no
+Before=sysinit.target
+Requires=udev.service
+After=udev.service
+Requires=local-fs.service
+After=local-fs.service
 
 [Service]
 Type=notify
@@ -11,4 +17,4 @@ ExecStart=/usr/libexec/security-misc/emerg-shutdown
 NotifyAccess=main
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=sysinit.target

usr/lib/systemd/system/ensure-shutdown-trigger.service

@@ -0,0 +1,18 @@
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## NOTE: If enabling this unit, also enable ensure-shutdown.service, otherwise
+## this will do nothing.
+
+[Unit]
+Description=Forcibly shut down the system if normal shutdown gets stuck (alternate trigger unit)
+Documentation=https://github.com/Kicksecure/security-misc
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+ExecStart=true
+ExecStop=bash -c -- 'echo "d" > /run/emerg-shutdown-trigger'
+
+[Install]
+WantedBy=multi-user.target

usr/lib/systemd/system/ensure-shutdown.service

@@ -1,9 +1,16 @@
 ## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
+## NOTE: If enabling this unit, also enable ensure-shutdown-trigger.service,
+## otherwise this will likely be unable to unstick a stuck shutdown.
+
 [Unit]
 Description=Forcibly shut down the system if normal shutdown gets stuck
 Documentation=https://github.com/Kicksecure/security-misc
+DefaultDependencies=no
+Before=sysinit.target
+Requires=udev.service
+After=udev.service
 Wants=emerg-shutdown.service
 After=emerg-shutdown.service
 
@@ -15,4 +22,4 @@ ExecStop=bash -c -- 'echo "d" > /run/emerg-shutdown-trigger'
 KillMode=process
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=sysinit.target