V8.00.000.2025.06.17
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
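--- a/func/cdi_5000_recovery/5133_installation_masking.sh
+++ b/func/cdi_5000_recovery/5133_installation_masking.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Turn off Energy saving mode and ctrl-alt-del.
+# Globals:
+# TARGET
+# Arguments:
+# None
+# Returns:
+# 0: on success
+#######################################
+installation_masking() {
+chroot_script "${TARGET}" "
+systemctl mask ctrl-alt-del.target sleep.target suspend.target hibernate.target hybrid-sleep.target
+"
+
+do_log "info" "file_only" "4133() Masked: [ctrl-alt-del.target sleep.target suspend.target hibernate.target hybrid-sleep.target]"
+
+chroot_script "${TARGET}" "
+systemctl mask plymouth-start.service plymouth-quit.service plymouth-quit-wait.service plymouth-read-write.service
+"
+
+do_log "info" "file_only" "4133() Masked: [plymouth-start.service plymouth-quit.service plymouth-quit-wait.service plymouth-read-write.service]"
+
+guard_dir && return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh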
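Review bot: Both do_log calls in installation_masking tag their message with `4133()` although this file is 5133_installation_masking.sh and the function is installation_masking, so the file-only log attributes these masks to the wrong step; tag them with the function name, e.g. `do_log "info" "file_only" "installation_masking() Masked: [ctrl-alt-del.target sleep.target suspend.target hibernate.target hybrid-sleep.target]"` and likewise for the plymouth line. The header comment only mentions energy saving and ctrl-alt-del while the second chroot_script call also masks the plymouth units, so add `# Also masks plymouth-start/quit/quit-wait/read-write services.` under the first description line. The closing `guard_dir && return 0` returns guard_dir's own status when it fails, which the Returns section does not mention; guard_dir is defined elsewhere, so confirm whether that non-zero path is intended and document it either way.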
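--- a/upgrades/linux-image/linux_image_clang_options.sh
+++ b/upgrades/linux-image/linux_image_clang_options.sh
@@ -0,0 +1,300 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+set -o errexit
+set -o ignoreeof
+set -o noclobber
+set -o nounset
+set -o pipefail
+shopt -s failglob
+shopt -s inherit_errexit
+shopt -s lastpipe
+shopt -u expand_aliases
+shopt -u dotglob
+shopt -u extglob
+shopt -u nullglob
+
+declare -gx PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+declare -gx IFS=$' \t\n'
+declare -gx PATH="/usr/lib/llvm-18/bin:${PATH}"
+declare -gx LLVM="1"
+declare -gx CC="clang-18 -target x86_64-linux-gnu"
+declare -gx LD="ld.lld-18"
+declare -gx HOSTCC="clang-18"
+declare -gx HOSTCXX="clang++-18"
+umask 0022
+
+# --- Identity / naming -------------------------------------------------------
+# Ensure unique artifact names in /boot to avoid collisions with Production.
+scripts/config --set-str CONFIG_LOCALVERSION "-rescue"
+
+# --- Control-Flow Integrity (Clang kCFI as strict default) -------------------
+# Enable Clang CFI; keep strict (no permissive), keep kCFI as default,
+# and do NOT normalize integer types (only needed for Rust interop).
+scripts/config --enable CONFIG_CFI_CLANG
+scripts/config --disable CONFIG_CFI_PERMISSIVE
+scripts/config --disable CONFIG_CFI_AUTO_DEFAULT
+scripts/config --disable CONFIG_CFI_ICALL_NORMALIZE_INTEGERS
+
+# --- Rust support (if not using Rust drivers) --------------------------------
+scripts/config --disable CONFIG_RUST
+
+# --- Console / EFI plumbing --------------------------------------------------
+scripts/config --enable CONFIG_EFI_VARS
+scripts/config --enable CONFIG_EFIVAR_FS
+scripts/config --enable CONFIG_SERIAL_8250
+scripts/config --enable CONFIG_SERIAL_8250_CONSOLE
+
+# --- Framebuffer legacy (keep console via VGA/serial, no fbdev needed) -------
+# Keep VT/tty consoles unless you truly want serial-only:
+scripts/config --enable CONFIG_VT
+scripts/config --enable CONFIG_VT_CONSOLE
+scripts/config --enable CONFIG_TTY
+scripts/config --enable CONFIG_FB
+scripts/config --enable CONFIG_FB_EFI
+scripts/config --disable CONFIG_DUMMY_CONSOLE
+
+# --- Keep minimal input/usb hid for emergency keyboard over IP-KVM -----------
+scripts/config --enable CONFIG_HID
+scripts/config --enable CONFIG_USB_HID
+scripts/config --enable CONFIG_HID_GENERIC
+
+# --- Filesystems typically encountered in rescue scenarios -------------------
+scripts/config --enable CONFIG_BTRFS_FS
+scripts/config --enable CONFIG_BTRFS_FS_POSIX_ACL
+scripts/config --enable CONFIG_EXT4_FS
+scripts/config --enable CONFIG_EXFAT_FS
+scripts/config --enable CONFIG_FAT_FS
+scripts/config --enable CONFIG_ISO9660_FS
+scripts/config --enable CONFIG_MSDOS_FS
+scripts/config --enable CONFIG_VFAT_FS
+scripts/config --enable CONFIG_XFS
+scripts/config --disable CONFIG_CEPH_FS
+scripts/config --disable CONFIG_EXT2
+scripts/config --disable CONFIG_EXT3
+scripts/config --disable CONFIG_HFSPLUS_FS
+scripts/config --disable CONFIG_JFS_FS
+scripts/config --disable CONFIG_NILFS2_FS
+scripts/config --disable CONFIG_NTFS3_FS
+scripts/config --disable CONFIG_OVERLAY_FS
+scripts/config --disable CONFIG_REISERFS_FS
+scripts/config --disable CONFIG_SQUASHFS
+scripts/config --disable CONFIG_UDF_FS
+scripts/config --disable CONFIG_VXFS_FS
+
+# --- Early-boot critical storage path ----------------------------------------
+scripts/config --enable CONFIG_SATA_AHCI
+scripts/config --enable CONFIG_BLK_DEV_NVME
+scripts/config --enable CONFIG_SCSI
+scripts/config --enable CONFIG_BLK_DEV_SD
+scripts/config --enable CONFIG_VIRTIO_PCI
+scripts/config --enable CONFIG_VIRTIO_BLK
+scripts/config --enable CONFIG_VIRTIO_SCSI
+scripts/config --enable CONFIG_USB_XHCI_HCD
+scripts/config --enable CONFIG_USB_EHCI_HCD
+scripts/config --enable CONFIG_USB_STORAGE
+scripts/config --disable CONFIG_ATA_SFF
+scripts/config --disable CONFIG_CHR_DEV_SG
+scripts/config --disable CONFIG_PATA_*
+
+# --- Device-mapper and software RAID (rescue on unknown hosts) ---------------
+scripts/config --enable CONFIG_BLK_DEV_DM
+scripts/config --enable CONFIG_BLK_DEV_MD
+scripts/config --enable CONFIG_DM_CRYPT
+scripts/config --enable CONFIG_DM_MOD
+scripts/config --enable CONFIG_MD
+scripts/config --enable CONFIG_MD_AUTODETECT
+scripts/config --enable CONFIG_MD_RAID1
+scripts/config --enable CONFIG_MD_RAID10
+scripts/config --enable CONFIG_MD_RAID456
+
+# --- Do not allow device-mapper table creation from the kernel command line --
+scripts/config --disable CONFIG_DM_INIT
+
+# --- Crypto primitives needed for LUKS (and general use) ---------------------
+scripts/config --enable CONFIG_CRYPTO_AES
+scripts/config --enable CONFIG_CRYPTO_AES_NI_INTEL # x86_64 AES-NI (harmless if absent)
+scripts/config --enable CONFIG_CRYPTO_CHACHA20_POLY1305
+scripts/config --enable CONFIG_CRYPTO_CRC32C
+scripts/config --enable CONFIG_CRYPTO_CURVE25519
+scripts/config --enable CONFIG_CRYPTO_JITTERENTROPY
+scripts/config --enable CONFIG_CRYPTO_SHA256
+scripts/config --enable CONFIG_CRYPTO_SHA384
+scripts/config --enable CONFIG_CRYPTO_SHA512
+scripts/config --enable CONFIG_CRYPTO_XTS
+
+# --- Networking for Dropbear/SSH and generic connectivity --------------------
+scripts/config --enable CONFIG_IGB
+scripts/config --enable CONFIG_INET
+scripts/config --enable CONFIG_IPV6
+scripts/config --enable CONFIG_VMXNET3
+scripts/config --enable CONFIG_E1000E
+scripts/config --enable CONFIG_IXGBE
+scripts/config --enable CONFIG_I40E
+scripts/config --enable CONFIG_ICE
+scripts/config --enable CONFIG_VLAN_8021Q
+scripts/config --disable CONFIG_BRIDGE
+scripts/config --disable CONFIG_BONDING
+scripts/config --disable CONFIG_BNX2X
+scripts/config --disable CONFIG_IGC
+scripts/config --disable CONFIG_R8169
+
+# --- Virtualization ----------------------------------------------------------
+scripts/config --enable CONFIG_HW_RANDOM_VIRTIO
+scripts/config --enable CONFIG_KVM
+scripts/config --enable CONFIG_VIRTIO_BALLOON
+scripts/config --enable CONFIG_VIRTIO_BLK
+scripts/config --enable CONFIG_VIRTIO_CONSOLE
+scripts/config --enable CONFIG_VIRTIO_FS
+scripts/config --enable CONFIG_VIRTIO_INPUT
+scripts/config --enable CONFIG_VIRTIO_NET
+scripts/config --enable CONFIG_VIRTIO_PCI
+scripts/config --enable CONFIG_VIRTIO_SCSI
+scripts/config --enable CONFIG_VMXNET3
+scripts/config --disable CONFIG_HYPERV
+scripts/config --disable CONFIG_VIRTIO_GPU
+scripts/config --disable CONFIG_XEN
+
+# --- Media, Sound, Wireless --------------------------------------------------
+scripts/config --disable CONFIG_BT
+scripts/config --disable CONFIG_CFG80211
+scripts/config --disable CONFIG_MEDIA_SUPPORT
+scripts/config --disable CONFIG_NFC
+scripts/config --disable CONFIG_SND
+
+# --- Disable entire DRM/GPU graphics stack -----------------------------------
+scripts/config --enable CONFIG_DRM_SIMPLEDRM
+scripts/config --disable CONFIG_DRM
+scripts/config --disable CONFIG_DRM_AMDGPU
+scripts/config --disable CONFIG_DRM_BRIDGE
+scripts/config --disable CONFIG_DRM_FBDEV_EMULATION
+scripts/config --disable CONFIG_DRM_I915
+scripts/config --disable CONFIG_DRM_KMS_HELPER
+scripts/config --disable CONFIG_DRM_NOUVEAU
+scripts/config --disable CONFIG_DRM_PANEL
+scripts/config --disable CONFIG_DRM_QXL
+scripts/config --disable CONFIG_DRM_RADEON
+scripts/config --disable CONFIG_DRM_VIRTIO_GPU
+scripts/config --disable CONFIG_DRM_VMWGFX
+
+# --- Thermal/HWMon – keep minimal safety -------------------------------------
+scripts/config --enable CONFIG_HWMON
+scripts/config --enable CONFIG_SENSORS_CORETEMP
+scripts/config --enable CONFIG_SENSORS_K10TEMP
+scripts/config --enable CONFIG_THERMAL
+scripts/config --enable CONFIG_X86_PKG_TEMP_THERMAL
+
+# --- BPF/Tracing/Debug – big size savers -------------------------------------
+scripts/config --enable CONFIG_KALLSYMS # keep symbols (panic decoding)
+scripts/config --disable CONFIG_BPF_SYSCALL
+scripts/config --disable CONFIG_DEBUG_INFO
+scripts/config --disable CONFIG_DEBUG_KERNEL
+scripts/config --disable CONFIG_FTRACE
+scripts/config --disable CONFIG_GCOV_KERNEL
+scripts/config --disable CONFIG_KALLSYMS_ALL
+scripts/config --disable CONFIG_KPROBES
+scripts/config --disable CONFIG_KUNIT
+
+# --- Initrd / modules & (optional) compression -------------------------------
+scripts/config --disable CONFIG_KERNEL_XZ # smaller than zstd; slower
+scripts/config --enable CONFIG_KERNEL_ZSTD
+scripts/config --enable CONFIG_BLK_DEV_INITRD
+scripts/config --enable CONFIG_MODULES
+scripts/config --enable CONFIG_MODULE_COMPRESS
+scripts/config --enable CONFIG_MODULE_COMPRESS_ZSTD
+scripts/config --disable CONFIG_MODULE_COMPRESS_GZIP
+scripts/config --disable CONFIG_MODULE_COMPRESS_XZ # or ZSTD for faster load
+
+# --- Decompression support in early userspace --------------------------------
+scripts/config --set-val CONFIG_DECOMPRESS_ZSTD y
+scripts/config --set-val CONFIG_RD_ZSTD y
+
+# --- Secure Boot: accept MOK, sign all modules with SHA-512 ------------------
+# Keep FORCE off unless the signing pipeline is 100% enforced end-to-end.
+scripts/config --enable CONFIG_INTEGRITY_MACHINE_KEYRING
+scripts/config --enable CONFIG_MODULE_SIG
+scripts/config --enable CONFIG_MODULE_SIG_ALL
+scripts/config --enable CONFIG_MODULE_SIG_SHA512
+scripts/config --disable CONFIG_MODULE_SIG_FORCE
+
+# --- Apply intended core DM + crypto as builtins -----------------------------
+scripts/config --set-val CONFIG_DM_CRYPT y
+scripts/config --set-val CONFIG_DM_INTEGRITY y
+
+# --- Crypto primitives required by dm-crypt(LUKS) ----------------------------
+scripts/config --set-val CONFIG_CRYPTO_XTS y
+scripts/config --set-val CONFIG_CRYPTO_AES y
+scripts/config --set-val CONFIG_CRYPTO_AES_X86_64 y
+scripts/config --set-val CONFIG_CRYPTO_AES_NI_INTEL y
+scripts/config --set-val CONFIG_CRYPTO_SHA256 y
+scripts/config --set-val CONFIG_CRYPTO_SHA384 y
+scripts/config --set-val CONFIG_CRYPTO_SHA512 y
+
+# --- If you use Argon2 for LUKS2 key-derivation inside initramfs: ------------
+scripts/config --set-val CONFIG_CRYPTO_ARGON2 y
+
+# --- Optional but prudent for integrity stacks: ------------------------------
+scripts/config --set-val CONFIG_CRYPTO_POLY1305 y
+scripts/config --set-val CONFIG_CRYPTO_CHACHA20 y
+
+# --- Kill the full 802.11 wireless stack -------------------------------------
+scripts/config --disable CONFIG_WIRELESS
+scripts/config --disable CONFIG_CFG80211
+scripts/config --disable CONFIG_MAC80211
+scripts/config --disable CONFIG_WLAN
+scripts/config --disable CONFIG_IWLWIFI
+scripts/config --disable CONFIG_ATH_COMMON
+scripts/config --disable CONFIG_ATH9K
+scripts/config --disable CONFIG_ATH10K
+scripts/config --disable CONFIG_MT76
+scripts/config --disable CONFIG_RTW88
+scripts/config --disable CONFIG_BRCMFMAC
+
+# --- RFKill and Bluetooth off (server baseline) ------------------------------
+scripts/config --disable CONFIG_RFKILL
+scripts/config --disable CONFIG_BT
+scripts/config --disable CONFIG_BT_HCIUART
+scripts/config --disable CONFIG_BT_INTEL
+scripts/config --disable CONFIG_BT_BREDR
+
+# --- Multimedia (V4L2/DVB/camera/sdr) off ------------------------------------
+scripts/config --disable CONFIG_MEDIA_SUPPORT
+scripts/config --disable CONFIG_VIDEO_DEV
+scripts/config --disable CONFIG_DVB_CORE
+scripts/config --disable CONFIG_MEDIA_USB_SUPPORT
+scripts/config --disable CONFIG_MEDIA_PCI_SUPPORT
+scripts/config --disable CONFIG_MEDIA_PLATFORM_SUPPORT
+
+# --- Optional footprint cuts -------------------------------------------------
+# Sound off (ALSA/OSS); safe for server:
+scripts/config --disable CONFIG_SOUND
+scripts/config --disable CONFIG_SND
+scripts/config --disable CONFIG_SND_HDA_INTEL
+
+# --- NFC and IEEE 802.15.4 (rare on servers) ---------------------------------
+scripts/config --disable CONFIG_NFC
+scripts/config --disable CONFIG_IEEE802154
+
+# --- Disable entire GPIO subsystem (prevents PCI GPIO expanders etc.) --------
+scripts/config --disable CONFIG_GPIOLIB
+scripts/config --disable CONFIG_GPIO_CDEV
+scripts/config --disable CONFIG_GPIO_SYSFS
+scripts/config --disable CONFIG_GPIO_ACPI
+scripts/config --disable CONFIG_GPIO_PCI
+scripts/config --disable CONFIG_PINCTRL
+
+# --- Disable any other features ----------------------------------------------
+scripts/config --disable CONFIG_TEGRA_HOST1X
+
+exit 0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh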
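Review bot: `scripts/config --disable CONFIG_PATA_*` in the early-boot storage section is a shell glob, not a pattern scripts/config expands: with `shopt -s failglob` set at the top of this file and errexit on, the unquoted `CONFIG_PATA_*` aborts the whole script whenever no file of that name exists in the working directory, and if such a file did exist its name would be passed instead of a symbol. Derive the symbols from the config being edited, e.g. `while IFS= read -r sym; do scripts/config --disable "${sym}"; done < <(grep -o '^CONFIG_PATA_[A-Z0-9_]*' .config)`. Separately, scripts/config accepts any symbol name without validation and the script ends at `exit 0` with no `make olddefconfig` or read-back, so a misspelled or since-removed option silently has no effect (CONFIG_EFI_VARS looks like a candidate on recent trees — verify against the target kernel version); a closing `scripts/config --state CONFIG_DM_CRYPT`-style check on the options the rescue image depends on would make that visible. Several options are also set twice (CONFIG_CFG80211, CONFIG_BT, CONFIG_SND, CONFIG_MEDIA_SUPPORT, the VIRTIO entries), which is harmless but worth deduplicating.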