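#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
#
# Purpose: trim and harden an EXISTING kernel .config for the "-rescue" kernel
# (x86_64, clang/LLVM 18, kCFI, signed modules, LUKS-capable, virtio guest).
#
# Requirements / assumptions:
#   * Run from the root of a Linux source tree: every toggle goes through the
#     in-tree helper `scripts/config`, which edits ${KCONFIG_CONFIG:-.config}.
#   * A base .config must already exist. `scripts/config` does NOT resolve
#     Kconfig dependencies or reject unknown symbols: it simply rewrites or
#     appends lines. The caller MUST run `make olddefconfig` afterwards and
#     then re-check the security-relevant symbols (CONFIG_CFI_CLANG,
#     CONFIG_MODULE_SIG*, CONFIG_DM_INIT, CONFIG_BPF_SYSCALL, ...) in the
#     resulting .config, otherwise a silently dropped option leaves the kernel
#     less hardened than this file suggests.
#   * `--enable`/`--disable`/`--set-val` each write exactly one symbol; the
#     helper strips/adds the CONFIG_ prefix itself, so the prefix is purely
#     cosmetic and is written out in full below for grep-ability.
#
# Review notes (hedged, to be confirmed against the target kernel version):
#   * CONFIG_EFI_VARS is the legacy sysfs efivars interface and appears to have
#     been removed from mainline around 6.0; CONFIG_EFIVAR_FS is the supported
#     interface.
#   * CONFIG_CRYPTO_AES_X86_64 and CONFIG_DM_MOD do not look like current
#     Kconfig symbols; CONFIG_CRYPTO_ARGON2 likewise — LUKS2 Argon2 KDF is
#     performed by cryptsetup in userspace, not by the kernel. `olddefconfig`
#     will drop them without error, so their presence here is harmless but
#     misleading.
#   * CONFIG_KVM is the HOST hypervisor; the guest-side support this rescue
#     kernel needs is the CONFIG_VIRTIO_* / CONFIG_HW_RANDOM_VIRTIO set. If the
#     rescue kernel never hosts VMs, CONFIG_KVM is pure attack surface.
#   * CONFIG_MODULE_SIG_FORCE=n means unsigned modules still load (tainting
#     the kernel); CONFIG_MODULE_SIG_ALL only signs what this build produces.

set -o errexit
set -o ignoreeof   # interactive-only; no effect when run as a script
set -o noclobber
set -o nounset
set -o pipefail
shopt -s failglob
shopt -s inherit_errexit
shopt -s lastpipe
shopt -u expand_aliases
shopt -u dotglob
shopt -u extglob
shopt -u nullglob

# Fixed, trusted PATH first; then put the LLVM 18 toolchain in front of it.
declare -gx PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
declare -gx IFS=$' \t\n'
declare -gx PATH="/usr/lib/llvm-18/bin:${PATH}"

# Build with clang/LLVM 18 (required for kCFI below; kbuild reads these).
declare -gx LLVM="1"
declare -gx CC="clang-18 -target x86_64-linux-gnu"
declare -gx LD="ld.lld-18"
declare -gx HOSTCC="clang-18"
declare -gx HOSTCXX="clang++-18"
declare -gx AR="llvm-ar-18" NM="llvm-nm-18" OBJCOPY="llvm-objcopy-18" STRIP="llvm-strip-18"

umask 0022

# --- Preconditions ------------------------------------------------------------
# Fail early with a readable message instead of "scripts/config: No such file"
# (wrong cwd) or a freshly created, dependency-less .config (no base config).
kconfig_file="${KCONFIG_CONFIG:-.config}"
if [[ ! -x scripts/config ]]; then
  printf 'error: scripts/config not found; run this from the root of a kernel source tree\n' >&2
  exit 1
fi
if [[ ! -f "${kconfig_file}" ]]; then
  printf 'error: %s does not exist; this script only adjusts an existing base config\n' "${kconfig_file}" >&2
  exit 1
fi

# --- Helpers ------------------------------------------------------------------
# One scripts/config invocation per symbol (same as calling it by hand).
kcfg_on() {
  local sym
  for sym in "$@"; do
    scripts/config --enable "${sym}"
  done
}
kcfg_off() {
  local sym
  for sym in "$@"; do
    scripts/config --disable "${sym}"
  done
}
# kcfg_val SYMBOL VALUE  — raw value (y/n/m/number), no quoting.
kcfg_val() {
  scripts/config --set-val "$1" "$2"
}
# kcfg_str SYMBOL STRING — quoted string value.
kcfg_str() {
  scripts/config --set-str "$1" "$2"
}

# --- Identity / naming ---------------------------------------------------------
# Unique artifact names in /boot so the rescue kernel never collides with
# the production kernel.
kcfg_str CONFIG_LOCALVERSION "-rescue"

# --- Control-Flow Integrity (Clang kCFI, strict) ----------------------------
# Strict CFI: no permissive mode, no "auto default", and no integer-type
# normalisation (that is only needed for Rust interop, which is off below).
kcfg_on  CONFIG_CFI_CLANG
kcfg_off CONFIG_CFI_PERMISSIVE
kcfg_off CONFIG_CFI_AUTO_DEFAULT
kcfg_off CONFIG_CFI_ICALL_NORMALIZE_INTEGERS

# --- Rust support (no Rust drivers in the rescue kernel) ----------------------
kcfg_off CONFIG_RUST

# --- Console / EFI plumbing ----------------------------------------------------
kcfg_on CONFIG_EFI_VARS       # legacy interface; see review notes in header
kcfg_on CONFIG_EFIVAR_FS
kcfg_on CONFIG_SERIAL_8250
kcfg_on CONFIG_SERIAL_8250_CONSOLE

# --- VT / framebuffer console (EFI framebuffer, no DRM needed) ---------------
# Keep VT/tty consoles; drop them only for a serial-only build.
kcfg_on  CONFIG_VT
kcfg_on  CONFIG_VT_CONSOLE
kcfg_on  CONFIG_TTY
kcfg_on  CONFIG_FB
kcfg_on  CONFIG_FB_EFI
kcfg_off CONFIG_DUMMY_CONSOLE

# --- Minimal USB HID for an emergency keyboard over IP-KVM --------------------
kcfg_on CONFIG_HID
kcfg_on CONFIG_USB_HID
kcfg_on CONFIG_HID_GENERIC

# --- Filesystems typically met during rescue ---------------------------------
kcfg_on CONFIG_BTRFS_FS
kcfg_on CONFIG_BTRFS_FS_POSIX_ACL
kcfg_on CONFIG_EXT4_FS
kcfg_on CONFIG_FAT_FS
kcfg_on CONFIG_ISO9660_FS
kcfg_on CONFIG_VFAT_FS
kcfg_on CONFIG_XFS
# Everything else is attack surface / parser code we do not want in a rescue
# kernel. NOTE: OVERLAY_FS and SQUASHFS are off — confirm the initramfs and
# live tooling used with this kernel do not rely on them.
kcfg_off CONFIG_CEPH_FS
kcfg_off CONFIG_EXFAT_FS
kcfg_off CONFIG_EXT2
kcfg_off CONFIG_EXT3
kcfg_off CONFIG_HFSPLUS_FS
kcfg_off CONFIG_JFS_FS
kcfg_off CONFIG_MSDOS_FS
kcfg_off CONFIG_NILFS2_FS
kcfg_off CONFIG_NTFS3_FS
kcfg_off CONFIG_OVERLAY_FS
kcfg_off CONFIG_REISERFS_FS
kcfg_off CONFIG_SQUASHFS
kcfg_off CONFIG_UDF_FS
kcfg_off CONFIG_VXFS_FS

# --- Early-boot critical storage path ---------------------------------------
kcfg_on  CONFIG_SATA_AHCI
kcfg_on  CONFIG_BLK_DEV_NVME
kcfg_on  CONFIG_SCSI
kcfg_on  CONFIG_BLK_DEV_SD
kcfg_on  CONFIG_USB_XHCI_HCD
kcfg_on  CONFIG_USB_STORAGE
kcfg_off CONFIG_ATA_SFF
kcfg_off CONFIG_CHR_DEV_SG      # no SCSI generic pass-through device
kcfg_off CONFIG_USB_EHCI_HCD

# --- Device-mapper (LUKS) — MD software RAID deliberately OFF ----------------
# NOTE(review): a rescue kernel for unknown hosts will not be able to assemble
# mdadm arrays with MD disabled; revisit if such hosts are in scope.
kcfg_on  CONFIG_BLK_DEV_DM
kcfg_on  CONFIG_DM_CRYPT
kcfg_on  CONFIG_DM_MOD          # probably not a real Kconfig symbol; see header
kcfg_off CONFIG_MD_RAID1
kcfg_off CONFIG_MD_RAID10
kcfg_off CONFIG_MD_RAID456
kcfg_off CONFIG_BLK_DEV_MD
kcfg_off CONFIG_MD
kcfg_off CONFIG_MD_AUTODETECT
# Never let the kernel command line create device-mapper tables (dm-mod.create=).
kcfg_off CONFIG_DM_INIT
# dm-crypt built in; dm-integrity not wanted in this build.
kcfg_val CONFIG_DM_CRYPT y
kcfg_val CONFIG_DM_INTEGRITY n

# --- Crypto primitives for LUKS (dm-crypt) and general use, built in ---------
kcfg_val CONFIG_CRYPTO_AES y
kcfg_val CONFIG_CRYPTO_AES_X86_64 y   # likely obsolete symbol; see header
kcfg_val CONFIG_CRYPTO_AES_NI_INTEL y # x86_64 AES-NI (harmless if the CPU lacks it)
kcfg_val CONFIG_CRYPTO_XTS y
kcfg_val CONFIG_CRYPTO_SHA256 y
kcfg_val CONFIG_CRYPTO_SHA384 y
kcfg_val CONFIG_CRYPTO_SHA512 y
kcfg_on  CONFIG_CRYPTO_CHACHA20_POLY1305
kcfg_on  CONFIG_CRYPTO_CRC32C
kcfg_on  CONFIG_CRYPTO_CURVE25519
kcfg_on  CONFIG_CRYPTO_JITTERENTROPY
# Argon2 for LUKS2 runs in userspace (cryptsetup); kept only because the
# original config asked for it — see header notes.
kcfg_val CONFIG_CRYPTO_ARGON2 y
# Prudent extras for integrity stacks.
kcfg_val CONFIG_CRYPTO_POLY1305 y
kcfg_val CONFIG_CRYPTO_CHACHA20 y

# --- Networking for Dropbear/SSH and generic connectivity ------------------
# Intel NICs + virtio-net (below). VMXNET3 is intentionally NOT enabled here:
# the virtualization section disables it (KVM/virtio guest only, no VMware),
# and an earlier enable would simply be overwritten.
kcfg_on  CONFIG_INET
kcfg_on  CONFIG_IPV6
kcfg_on  CONFIG_VLAN_8021Q
kcfg_on  CONFIG_IGB
kcfg_on  CONFIG_E1000E
kcfg_on  CONFIG_IXGBE
kcfg_on  CONFIG_I40E
kcfg_on  CONFIG_ICE
kcfg_off CONFIG_BRIDGE
kcfg_off CONFIG_BONDING
kcfg_off CONFIG_BNX2X
kcfg_off CONFIG_IGC
kcfg_off CONFIG_R8169

# --- Virtualization (virtio guest; no Hyper-V, Xen or VMware) ----------------
kcfg_on  CONFIG_HW_RANDOM_VIRTIO
kcfg_on  CONFIG_KVM             # HOST hypervisor support — see header notes
kcfg_on  CONFIG_VIRTIO_BALLOON
kcfg_on  CONFIG_VIRTIO_BLK
kcfg_on  CONFIG_VIRTIO_CONSOLE
kcfg_on  CONFIG_VIRTIO_FS
kcfg_on  CONFIG_VIRTIO_INPUT
kcfg_on  CONFIG_VIRTIO_NET
kcfg_on  CONFIG_VIRTIO_PCI
kcfg_on  CONFIG_VIRTIO_SCSI
kcfg_off CONFIG_HYPERV
kcfg_off CONFIG_VIRTIO_GPU
kcfg_off CONFIG_VMXNET3
kcfg_off CONFIG_XEN

# --- DRM/GPU graphics stack entirely off -------------------------------------
kcfg_off CONFIG_DRM
kcfg_off CONFIG_DRM_AMDGPU
kcfg_off CONFIG_DRM_BRIDGE
kcfg_off CONFIG_DRM_FBDEV_EMULATION
kcfg_off CONFIG_DRM_I915
kcfg_off CONFIG_DRM_KMS_HELPER
kcfg_off CONFIG_DRM_NOUVEAU
kcfg_off CONFIG_DRM_PANEL
kcfg_off CONFIG_DRM_QXL
kcfg_off CONFIG_DRM_RADEON
kcfg_off CONFIG_DRM_SIMPLEDRM
kcfg_off CONFIG_DRM_VIRTIO_GPU
kcfg_off CONFIG_DRM_VMWGFX

# --- Thermal / HWMon — minimal thermal safety ---------------------------------
kcfg_on CONFIG_HWMON
kcfg_on CONFIG_SENSORS_CORETEMP
kcfg_on CONFIG_SENSORS_K10TEMP
kcfg_on CONFIG_THERMAL
kcfg_on CONFIG_X86_PKG_TEMP_THERMAL

# --- BPF / tracing / debug — attack-surface and size reduction -------------
kcfg_on  CONFIG_DEBUG_INFO_NONE
kcfg_off CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT
kcfg_off CONFIG_DEBUG_INFO_DWARF4
kcfg_off CONFIG_DEBUG_INFO_DWARF5
kcfg_on  CONFIG_KALLSYMS        # keep symbols for panic/oops decoding
kcfg_off CONFIG_KALLSYMS_ALL
kcfg_off CONFIG_BPF_SYSCALL     # no bpf(2): removes a large unprivileged-reachable surface
kcfg_off CONFIG_DEBUG_INFO
kcfg_off CONFIG_DEBUG_KERNEL
kcfg_off CONFIG_FTRACE
kcfg_off CONFIG_GCOV_KERNEL
kcfg_off CONFIG_KPROBES
kcfg_off CONFIG_KUNIT

# --- Kernel / module compression, initrd ------------------------------------
# zstd for both kernel and modules: xz would be smaller but decompresses
# noticeably slower at boot.
kcfg_off CONFIG_KERNEL_XZ
kcfg_on  CONFIG_KERNEL_ZSTD
kcfg_on  CONFIG_BLK_DEV_INITRD
kcfg_on  CONFIG_MODULES
kcfg_on  CONFIG_MODULE_COMPRESS
kcfg_on  CONFIG_MODULE_COMPRESS_ZSTD
kcfg_off CONFIG_MODULE_COMPRESS_GZIP
kcfg_off CONFIG_MODULE_COMPRESS_XZ

# --- Decompression support in early userspace ------------------------------
kcfg_val CONFIG_DECOMPRESS_ZSTD y
kcfg_val CONFIG_RD_ZSTD y

# --- Secure Boot: trust MOK keys, sign all built modules with SHA-512 -------
# MODULE_SIG_FORCE stays off until the signing pipeline is enforced end-to-end;
# until then unsigned modules are still loadable (kernel taints). Flip it on
# once every out-of-tree module is signed.
kcfg_on  CONFIG_INTEGRITY_MACHINE_KEYRING
kcfg_on  CONFIG_MODULE_SIG
kcfg_on  CONFIG_MODULE_SIG_ALL
kcfg_on  CONFIG_MODULE_SIG_SHA512
kcfg_off CONFIG_MODULE_SIG_FORCE

# --- Wireless stack and drivers off ------------------------------------------
kcfg_off CONFIG_WIRELESS
kcfg_off CONFIG_CFG80211
kcfg_off CONFIG_MAC80211
kcfg_off CONFIG_WLAN
kcfg_off CONFIG_IWLWIFI
kcfg_off CONFIG_ATH_COMMON
kcfg_off CONFIG_ATH9K
kcfg_off CONFIG_ATH10K
kcfg_off CONFIG_MT76
kcfg_off CONFIG_RTW88
kcfg_off CONFIG_BRCMFMAC

# --- RFKill and Bluetooth off (server baseline) ------------------------------
kcfg_off CONFIG_RFKILL
kcfg_off CONFIG_BT
kcfg_off CONFIG_BT_HCIUART
kcfg_off CONFIG_BT_INTEL
kcfg_off CONFIG_BT_BREDR

# --- Multimedia (V4L2/DVB/camera/SDR) off ------------------------------------
kcfg_off CONFIG_MEDIA_SUPPORT
kcfg_off CONFIG_VIDEO_DEV
kcfg_off CONFIG_DVB_CORE
kcfg_off CONFIG_MEDIA_USB_SUPPORT
kcfg_off CONFIG_MEDIA_PCI_SUPPORT
kcfg_off CONFIG_MEDIA_PLATFORM_SUPPORT

# --- Sound (ALSA/OSS) off — safe for a server ------------------------------
kcfg_off CONFIG_SOUND
kcfg_off CONFIG_SND
kcfg_off CONFIG_SND_HDA_INTEL

# --- NFC and IEEE 802.15.4 off (rare on servers) ----------------------------
kcfg_off CONFIG_NFC
kcfg_off CONFIG_IEEE802154

# --- GPIO subsystem off (no PCI GPIO expanders, no sysfs/cdev GPIO) ---------
kcfg_off CONFIG_GPIOLIB
kcfg_off CONFIG_GPIO_CDEV
kcfg_off CONFIG_GPIO_SYSFS
kcfg_off CONFIG_GPIO_ACPI
kcfg_off CONFIG_GPIO_PCI
kcfg_off CONFIG_PINCTRL

# --- Miscellaneous -----------------------------------------------------------
kcfg_off CONFIG_TEGRA_HOST1X    # ARM SoC block; irrelevant on x86_64 but harmless

# Remember: `make olddefconfig` next, then verify the hardening symbols stuck.
exit 0

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh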