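#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
### https://kspp.github.io/
#
# Purpose: fetch the Debian "linux" source package for one suite, apply the
# CISS rescue-kernel hardening configuration with scripts/config, verify that
# the security-relevant options survived `make olddefconfig`, and build .deb
# packages with the LLVM 18 toolchain.
#
# Usage:  build-rescue-kernel.sh <bpo|security>      (must run as root)
# Env:    HOME is used as the work root (${HOME}/src/kernel/<branch> is wiped).

set -o errexit
set -o noclobber
set -o nounset
set -o pipefail
shopt -s failglob
shopt -s inherit_errexit
shopt -s lastpipe
shopt -u expand_aliases
shopt -u dotglob
shopt -u extglob
shopt -u nullglob
umask 0077

# Branch selector is the only CLI argument; normalised to lower case and frozen.
declare VAR_BRANCH="${1-}"
declare -grx VAR_BRANCH="${VAR_BRANCH,,}"

declare -gx IFS=$' \t\n'
declare -gx PATH="/usr/lib/llvm-18/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# --- Toolchain: pin the whole build to LLVM 18 (kCFI needs clang) ------------
declare -gx AR="llvm-ar-18"
declare -gx CC="clang-18 -target x86_64-linux-gnu"
declare -gx HOSTCC="clang-18"
declare -gx HOSTCXX="clang++-18"
declare -gx LD="ld.lld-18"
declare -gx LLVM="1"
declare -gx LLVM_IAS="1"
declare -gx NM="llvm-nm-18"
declare -gx OBJCOPY="llvm-objcopy-18"
# Fixed timestamp for reproducible build metadata.
# shellcheck disable=SC2155
declare -gx SOURCE_DATE_EPOCH=$(date -ud '2025-10-11 00:00:00Z' +%s)
declare -gx STRIP="llvm-strip-18"
# A stray LOCALVERSION in the environment would leak into the kernel release string.
unset LOCALVERSION || true

#######################################
# Print a diagnostic to stderr and terminate the script.
# Arguments:
#   $* - message
# Returns:
#   never (exit 1)
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Wipe the previous work tree and install the build prerequisites.
# Globals:
#   HOME (read), DEBIAN_FRONTEND (written)
# Arguments:
#   None
#######################################
prepare_host() {
  cd -- "${HOME}" || die "cannot cd to ${HOME}"
  # ':?' guards the recursive delete against an empty HOME.
  if [[ -d "${HOME:?}/src/kernel" ]]; then
    rm -rf --one-file-system -- "${HOME:?}/src/kernel"
  fi
  declare -gx DEBIAN_FRONTEND="noninteractive"
  apt-get update -qq
  apt-get install -y \
    bc \
    bison \
    build-essential \
    clang-18 \
    dpkg-dev \
    fakeroot \
    flex \
    git \
    libelf-dev \
    libncurses-dev \
    libssl-dev \
    lld-18 \
    llvm-18-dev \
    rsync
}

#######################################
# Extract the kernel version from a freshly unpacked 'apt-get source linux' tree.
# Exports (declare -g):
#   var_kver_debian = e.g., "6.16.3-1~deb13u1"
#   var_kver        = e.g., "6.16.3"
#   var_srcdir      = e.g., "linux-6.16.3" (may be "" when only the .dsc was usable)
# Globals:
#   var_kver
#   var_kver_debian
#   var_srcdir
# Arguments:
#   None
# Returns:
#   0: on success
#   1: on failure
#######################################
extract_kver_from_apt_source_linux() {
  ### Prefer debian/changelog in linux-* (more canonical), then fall back to .dsc.
  ### Globs are resolved with 'compgen -G' instead of pathname expansion: it
  ### returns non-zero on "no match" regardless of nullglob/failglob, so the
  ### script's global 'failglob' does not have to be toggled (and possibly leaked).
  local -a _srcdirs=() _dscs=()
  local _dir _chg _line _ver _noepoch _dsc _verline _up

  ### Try A: from debian/changelog in linux-*/
  mapfile -t _srcdirs < <(compgen -G 'linux-*/' || true)
  if (( ${#_srcdirs[@]} >= 1 )); then
    ### Pick the first match; in a clean workdir there should be exactly one.
    _dir="${_srcdirs[0]%/}"
    _chg="${_dir}/debian/changelog"
    if [[ -f "${_chg}" ]]; then
      ### Read the first line: "linux (6.x.y-... ) suite; urgency=...".
      IFS= read -r _line < "${_chg}" || _line=
      ### Only trust the line if it really carries a parenthesised version;
      ### otherwise fall through to the .dsc instead of exporting garbage.
      if [[ "${_line}" == *\(*\)* ]]; then
        ### Extract between '(' and ')'
        _ver="${_line#*\(}"    # 1) strip prefix up to '('
        _ver="${_ver%%\)*}"    # 2) strip suffix after ')'
        ### Debian full version (may include epoch and Debian revision).
        declare -gx var_kver_debian="${_ver}"
        ### Upstream version (strip optional epoch "N:" and Debian revision "-...").
        _noepoch="${_ver#*:}"                       # Drop "1:" if present, else no change.
        declare -gx var_kver="${_noepoch%%-*}"      # Drop the "-deb" part.
        declare -gx var_srcdir="${_dir}"
        return 0
      fi
    fi
  fi

  ### Try B: from the .dsc file (fallback).
  mapfile -t _dscs < <(compgen -G 'linux_*.dsc' || true)
  if (( ${#_dscs[@]} >= 1 )); then
    ### Pick the first .dsc (in a clean workdir there should be exactly one).
    _dsc="${_dscs[0]}"
    _ver=
    ### Read the 'Version: ...' line without grep/sed.
    while IFS= read -r _verline; do
      # shellcheck disable=SC2249
      case "${_verline}" in
        Version:*)
          _ver="${_verline#Version: }"
          break
          ;;
      esac
    done < "${_dsc}"
    [[ -n "${_ver}" ]] || return 1
    declare -gx var_kver_debian="${_ver}"
    _noepoch="${_ver#*:}"
    declare -gx var_kver="${_noepoch%%-*}"
    ### Best-effort srcdir guess from the upstream part (common unpacking layout).
    _up="${var_kver}"
    if [[ -d "linux-${_up}" ]]; then
      declare -gx var_srcdir="linux-${_up}"
    else
      declare -gx var_srcdir=""
    fi
    return 0
  fi

  ### Nothing found.
  return 1
}
# --- Prevents accidental 'unset -f' ------------------------------------------
# shellcheck disable=SC2034
readonly -f extract_kver_from_apt_source_linux

#######################################
# Create the work directory for the branch and download the Debian sources.
# Arguments:
#   $1 - apt suite, e.g. "trixie-backports"
#   $2 - work directory, e.g. "${HOME}/src/kernel/bpo"
#######################################
fetch_sources() {
  local suite=$1 workdir=$2
  mkdir -p -- "${workdir}"
  cd -- "${workdir}" || die "cannot cd to ${workdir}"
  apt-get source -t "${suite}" linux
  apt-get -y build-dep -t "${suite}" linux
}

#######################################
# Export the identity and labelling variables consumed by bindeb-pkg.
# Globals (written): DEBFULLNAME, DEBEMAIL, KBUILD_BUILD_USER,
#   KBUILD_BUILD_HOST, KDEB_PKGVERSION, KDEB_CHANGELOG_DIST
# Globals (read): var_kver
#######################################
set_build_identity() {
  # --- Identify yourself for Maintainer and Changed-By -------------------------
  declare -gx DEBFULLNAME="Marc S. Weidner"
  declare -gx DEBEMAIL="msw@coresecret.dev"
  # --- Embed build user/host in 'uname -v' string of the kernel ----------------
  declare -gx KBUILD_BUILD_USER="msw"
  declare -gx KBUILD_BUILD_HOST="coresecret.dev"
  # --- Package/version labelling for Debian packages ---------------------------
  declare -gx KDEB_PKGVERSION="${var_kver}-1ciss0"
  declare -gx KDEB_CHANGELOG_DIST="trixie"
}

#######################################
# Apply the rescue-kernel configuration on top of the Debian .config.
# Must be called from the kernel source tree (uses ./scripts/config).
# Note: scripts/config writes every symbol it is given; symbols unknown to the
# selected tree, or whose dependencies are unmet, are dropped again by
# 'make olddefconfig' later. verify_hardening_config() checks the ones that
# matter for the security posture.
#######################################
configure_kernel() {
  # --- Identity / naming -------------------------------------------------------
  # Ensure unique artifact names in /boot to avoid collisions with Production.
  scripts/config --set-str CONFIG_LOCALVERSION "-rescue"
  scripts/config --disable CONFIG_LOCALVERSION_AUTO

  # --- Control-Flow Integrity (Clang kCFI as strict default) -------------------
  # Enable Clang CFI; keep strict (no permissive), keep kCFI as default,
  # and do NOT normalize integer types (only needed for Rust interop).
  scripts/config --enable CONFIG_CFI_CLANG
  scripts/config --disable CONFIG_CFI_PERMISSIVE
  scripts/config --disable CONFIG_CFI_AUTO_DEFAULT
  scripts/config --disable CONFIG_CFI_ICALL_NORMALIZE_INTEGERS

  # --- Rust support (if not using Rust drivers) --------------------------------
  scripts/config --disable CONFIG_RUST

  # --- Console / EFI plumbing --------------------------------------------------
  # CONFIG_EFI_VARS is the legacy sysfs efivars interface; if the selected tree
  # no longer carries it, olddefconfig drops it and EFIVAR_FS is what matters.
  scripts/config --enable CONFIG_EFI_VARS
  scripts/config --enable CONFIG_EFIVAR_FS
  scripts/config --enable CONFIG_SERIAL_8250
  scripts/config --enable CONFIG_SERIAL_8250_CONSOLE

  # --- Framebuffer legacy (keep console via VGA/serial, no fbdev needed) -------
  # Keep VT/tty consoles unless you truly want serial-only:
  scripts/config --enable CONFIG_VT
  scripts/config --enable CONFIG_VT_CONSOLE
  scripts/config --enable CONFIG_TTY
  scripts/config --enable CONFIG_FB
  scripts/config --enable CONFIG_FB_EFI
  scripts/config --disable CONFIG_DUMMY_CONSOLE

  # --- Keep minimal input/usb hid for emergency keyboard over IP-KVM -----------
  scripts/config --enable CONFIG_HID
  scripts/config --enable CONFIG_USB_HID
  scripts/config --enable CONFIG_HID_GENERIC

  # --- Filesystems typically encountered in rescue scenarios -------------------
  scripts/config --enable CONFIG_BTRFS_FS
  scripts/config --enable CONFIG_BTRFS_FS_POSIX_ACL
  scripts/config --enable CONFIG_EXT4_FS
  scripts/config --enable CONFIG_FAT_FS
  scripts/config --enable CONFIG_ISO9660_FS
  scripts/config --enable CONFIG_VFAT_FS
  scripts/config --enable CONFIG_XFS
  scripts/config --disable CONFIG_CEPH_FS
  scripts/config --disable CONFIG_EXFAT_FS
  scripts/config --disable CONFIG_EXT2
  scripts/config --disable CONFIG_EXT3
  scripts/config --disable CONFIG_HFSPLUS_FS
  scripts/config --disable CONFIG_JFS_FS
  scripts/config --disable CONFIG_MSDOS_FS
  scripts/config --disable CONFIG_NILFS2_FS
  scripts/config --disable CONFIG_NTFS3_FS
  scripts/config --disable CONFIG_OVERLAY_FS
  scripts/config --disable CONFIG_REISERFS_FS
  scripts/config --disable CONFIG_SQUASHFS
  scripts/config --disable CONFIG_UDF_FS
  scripts/config --disable CONFIG_VXFS_FS

  # --- Early-boot critical storage path ----------------------------------------
  scripts/config --enable CONFIG_SATA_AHCI
  scripts/config --enable CONFIG_BLK_DEV_NVME
  scripts/config --enable CONFIG_SCSI
  scripts/config --enable CONFIG_BLK_DEV_SD
  scripts/config --enable CONFIG_USB_EHCI_HCD
  scripts/config --enable CONFIG_USB_XHCI_HCD
  scripts/config --enable CONFIG_USB_STORAGE
  scripts/config --disable CONFIG_ATA_SFF
  scripts/config --disable CONFIG_CHR_DEV_SG

  # --- Device-mapper and software RAID (rescue on unknown hosts) ---------------
  scripts/config --enable CONFIG_BLK_DEV_DM
  scripts/config --enable CONFIG_DM_CRYPT
  scripts/config --enable CONFIG_DM_MOD
  scripts/config --enable CONFIG_MD_RAID1
  scripts/config --enable CONFIG_MD_RAID10
  scripts/config --enable CONFIG_MD_RAID456
  scripts/config --enable CONFIG_BLK_DEV_MD
  scripts/config --enable CONFIG_MD
  scripts/config --disable CONFIG_MD_AUTODETECT

  # --- Do not allow device-mapper table creation from the kernel command line --
  scripts/config --disable CONFIG_DM_INIT

  # --- Crypto primitives needed for LUKS (and general use) ---------------------
  scripts/config --enable CONFIG_CRYPTO_AES
  scripts/config --enable CONFIG_CRYPTO_AES_NI_INTEL
  scripts/config --enable CONFIG_CRYPTO_CHACHA20_POLY1305
  scripts/config --enable CONFIG_CRYPTO_CRC32C
  scripts/config --enable CONFIG_CRYPTO_CURVE25519
  scripts/config --enable CONFIG_CRYPTO_JITTERENTROPY
  scripts/config --enable CONFIG_CRYPTO_SHA256
  scripts/config --enable CONFIG_CRYPTO_SHA384
  scripts/config --enable CONFIG_CRYPTO_SHA512
  scripts/config --enable CONFIG_CRYPTO_XTS

  # --- Networking for Dropbear/SSH and generic connectivity --------------------
  scripts/config --enable CONFIG_IGB
  scripts/config --enable CONFIG_INET
  scripts/config --enable CONFIG_IPV6
  scripts/config --enable CONFIG_VMXNET3
  scripts/config --enable CONFIG_E1000E
  scripts/config --enable CONFIG_IXGBE
  scripts/config --enable CONFIG_I40E
  scripts/config --enable CONFIG_ICE
  scripts/config --enable CONFIG_VLAN_8021Q
  scripts/config --disable CONFIG_BRIDGE
  scripts/config --disable CONFIG_BONDING
  scripts/config --disable CONFIG_BNX2X
  scripts/config --enable CONFIG_IGC
  scripts/config --enable CONFIG_R8169

  # --- Virtualization ----------------------------------------------------------
  scripts/config --enable CONFIG_HW_RANDOM_VIRTIO
  scripts/config --enable CONFIG_KVM
  scripts/config --enable CONFIG_VIRTIO_BALLOON
  scripts/config --enable CONFIG_VIRTIO_BLK
  scripts/config --enable CONFIG_VIRTIO_CONSOLE
  scripts/config --enable CONFIG_VIRTIO_FS
  scripts/config --enable CONFIG_VIRTIO_INPUT
  scripts/config --enable CONFIG_VIRTIO_NET
  scripts/config --enable CONFIG_VIRTIO_PCI
  scripts/config --enable CONFIG_VIRTIO_SCSI
  scripts/config --disable CONFIG_HYPERV
  scripts/config --disable CONFIG_VIRTIO_GPU
  scripts/config --disable CONFIG_XEN

  # --- Media, Sound, Wireless --------------------------------------------------
  scripts/config --disable CONFIG_BT
  scripts/config --disable CONFIG_CFG80211
  scripts/config --disable CONFIG_MEDIA_SUPPORT
  scripts/config --disable CONFIG_NFC
  scripts/config --disable CONFIG_SND

  # --- Disable entire DRM/GPU graphics stack -----------------------------------
  # DRM core + simpledrm stay so the EFI framebuffer console keeps working.
  scripts/config --enable CONFIG_DRM
  scripts/config --enable CONFIG_DRM_SIMPLEDRM
  scripts/config --disable CONFIG_DRM_AMDGPU
  scripts/config --disable CONFIG_DRM_BRIDGE
  scripts/config --disable CONFIG_DRM_FBDEV_EMULATION
  scripts/config --disable CONFIG_DRM_I915
  scripts/config --disable CONFIG_DRM_KMS_HELPER
  scripts/config --disable CONFIG_DRM_NOUVEAU
  scripts/config --disable CONFIG_DRM_PANEL
  scripts/config --disable CONFIG_DRM_QXL
  scripts/config --disable CONFIG_DRM_RADEON
  scripts/config --disable CONFIG_DRM_VIRTIO_GPU
  scripts/config --disable CONFIG_DRM_VMWGFX

  # --- Thermal/HWMon - keep minimal safety -------------------------------------
  scripts/config --enable CONFIG_HWMON
  scripts/config --enable CONFIG_SENSORS_CORETEMP
  scripts/config --enable CONFIG_SENSORS_K10TEMP
  scripts/config --enable CONFIG_THERMAL
  scripts/config --enable CONFIG_X86_PKG_TEMP_THERMAL

  # --- BPF/Tracing/Debug - big size savers -------------------------------------
  scripts/config --enable DEBUG_INFO_NONE
  scripts/config --disable DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT
  scripts/config --disable DEBUG_INFO_DWARF4
  scripts/config --disable DEBUG_INFO_DWARF5
  scripts/config --enable CONFIG_KALLSYMS # keep symbols (panic decoding)
  scripts/config --disable CONFIG_BPF_SYSCALL
  scripts/config --disable CONFIG_DEBUG_INFO
  scripts/config --disable CONFIG_DEBUG_KERNEL
  scripts/config --disable CONFIG_FTRACE
  scripts/config --disable CONFIG_GCOV_KERNEL
  scripts/config --disable CONFIG_KALLSYMS_ALL
  scripts/config --disable CONFIG_KPROBES
  scripts/config --disable CONFIG_KUNIT

  # --- Initrd / modules & (optional) compression -------------------------------
  scripts/config --disable CONFIG_KERNEL_XZ # smaller than zstd; slower
  scripts/config --enable CONFIG_KERNEL_ZSTD
  scripts/config --enable CONFIG_BLK_DEV_INITRD
  scripts/config --enable CONFIG_MODULES
  scripts/config --enable CONFIG_MODULE_COMPRESS
  scripts/config --enable CONFIG_MODULE_COMPRESS_ZSTD
  scripts/config --disable CONFIG_MODULE_COMPRESS_GZIP
  scripts/config --disable CONFIG_MODULE_COMPRESS_XZ # or ZSTD for faster load

  # --- Decompression support in early userspace --------------------------------
  scripts/config --set-val CONFIG_DECOMPRESS_ZSTD y
  scripts/config --set-val CONFIG_RD_ZSTD y

  # --- Secure Boot: accept MOK, sign all modules with SHA-512 ------------------
  # Keep FORCE off unless the signing pipeline is 100% enforced end-to-end.
  # With the lockdown LSM forced on (below) unsigned modules are expected to be
  # refused anyway; MODULE_SIG_FORCE only adds the enforcement without lockdown.
  # NOTE: while MODULE_SIG_KEY is left at the kernel default, the build
  # generates a throwaway signing key under certs/ on every run and embeds its
  # certificate; that per-build key is what makes the output non-reproducible
  # despite SOURCE_DATE_EPOCH. Uncomment the two --set-str lines to pin a key.
  scripts/config --enable CONFIG_INTEGRITY_MACHINE_KEYRING
  scripts/config --enable CONFIG_MODULE_SIG
  scripts/config --enable CONFIG_MODULE_SIG_ALL
  scripts/config --enable CONFIG_MODULE_SIG_SHA512
  scripts/config --disable CONFIG_MODULE_SIG_FORCE
  #scripts/config --set-str CONFIG_MODULE_SIG_KEY="certs/ciss-sb-db-leaf-production-2025-RSA-3072.private.key"
  #scripts/config --set-str CONFIG_SYSTEM_TRUSTED_KEYS="certs/ciss-sb-db-leaf-production-2025-RSA-3072.crt"

  # --- Apply intended core DM + crypto as builtins -----------------------------
  scripts/config --set-val CONFIG_DM_CRYPT y
  scripts/config --set-val CONFIG_DM_INTEGRITY n

  # --- Crypto primitives required by dm-crypt(LUKS) ----------------------------
  scripts/config --set-val CONFIG_CRYPTO_XTS y
  scripts/config --set-val CONFIG_CRYPTO_AES y
  scripts/config --set-val CONFIG_CRYPTO_AES_X86_64 y
  scripts/config --set-val CONFIG_CRYPTO_AES_NI_INTEL y
  scripts/config --set-val CONFIG_CRYPTO_SHA256 y
  scripts/config --set-val CONFIG_CRYPTO_SHA384 y
  scripts/config --set-val CONFIG_CRYPTO_SHA512 y

  # --- If you use Argon2 for LUKS2 key-derivation inside initramfs: ------------
  scripts/config --set-val CONFIG_CRYPTO_ARGON2 y

  # --- Optional but prudent for integrity stacks: ------------------------------
  scripts/config --set-val CONFIG_CRYPTO_POLY1305 y
  scripts/config --set-val CONFIG_CRYPTO_CHACHA20 y

  # --- Kill the full 802.11 wireless stack -------------------------------------
  scripts/config --disable CONFIG_WIRELESS
  scripts/config --disable CONFIG_CFG80211
  scripts/config --disable CONFIG_MAC80211
  scripts/config --disable CONFIG_WLAN
  scripts/config --disable CONFIG_IWLWIFI
  scripts/config --disable CONFIG_ATH_COMMON
  scripts/config --disable CONFIG_ATH9K
  scripts/config --disable CONFIG_ATH10K
  scripts/config --disable CONFIG_MT76
  scripts/config --disable CONFIG_RTW88
  scripts/config --disable CONFIG_BRCMFMAC

  # --- RFKill and Bluetooth off (server baseline) ------------------------------
  scripts/config --disable CONFIG_RFKILL
  scripts/config --disable CONFIG_BT
  scripts/config --disable CONFIG_BT_HCIUART
  scripts/config --disable CONFIG_BT_INTEL
  scripts/config --disable CONFIG_BT_BREDR

  # --- Multimedia (V4L2/DVB/camera/sdr) off ------------------------------------
  scripts/config --disable CONFIG_MEDIA_SUPPORT
  scripts/config --disable CONFIG_VIDEO_DEV
  scripts/config --disable CONFIG_DVB_CORE
  scripts/config --disable CONFIG_MEDIA_USB_SUPPORT
  scripts/config --disable CONFIG_MEDIA_PCI_SUPPORT
  scripts/config --disable CONFIG_MEDIA_PLATFORM_SUPPORT

  # --- Optional footprint cuts -------------------------------------------------
  # Sound off (ALSA/OSS); safe for server:
  scripts/config --disable CONFIG_SOUND
  scripts/config --disable CONFIG_SND
  scripts/config --disable CONFIG_SND_HDA_INTEL

  # --- NFC and IEEE 802.15.4 (rare on servers) ---------------------------------
  scripts/config --disable CONFIG_NFC
  scripts/config --disable CONFIG_IEEE802154

  # --- Disable entire GPIO subsystem (prevents PCI GPIO expanders etc.) --------
  scripts/config --disable CONFIG_GPIOLIB
  scripts/config --disable CONFIG_GPIO_CDEV
  scripts/config --disable CONFIG_GPIO_SYSFS
  scripts/config --disable CONFIG_GPIO_ACPI
  scripts/config --disable CONFIG_GPIO_PCI
  scripts/config --disable CONFIG_PINCTRL

  # --- Disable any other features ----------------------------------------------
  scripts/config --disable CONFIG_TEGRA_HOST1X

  # --- Harden memory permissions and control-flow ------------------------------
  scripts/config --enable CONFIG_STRICT_KERNEL_RWX
  scripts/config --enable CONFIG_DEBUG_WX
  scripts/config --enable CONFIG_VMAP_STACK
  scripts/config --enable CONFIG_FORTIFY_SOURCE
  scripts/config --enable CONFIG_REFCOUNT_FULL
  scripts/config --enable CONFIG_STACKPROTECTOR
  scripts/config --enable CONFIG_STACKPROTECTOR_STRONG
  scripts/config --enable CONFIG_INIT_STACK_ALL_ZERO
  scripts/config --enable CONFIG_RANDOMIZE_BASE
  scripts/config --enable CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT

  # --- Allocator hardening -----------------------------------------------------
  scripts/config --enable CONFIG_SLAB_FREELIST_RANDOM
  scripts/config --enable CONFIG_SLAB_FREELIST_HARDENED
  scripts/config --disable CONFIG_SLAB_MERGE_DEFAULT
  scripts/config --enable CONFIG_SHUFFLE_PAGE_ALLOCATOR

  # --- LSM / Lockdown ----------------------------------------------------------
  scripts/config --enable CONFIG_SECURITY_LOCKDOWN_LSM
  scripts/config --enable CONFIG_SECURITY_LOCKDOWN_LSM_EARLY
  scripts/config --enable CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
  scripts/config --enable CONFIG_SECURITY_YAMA
  scripts/config --enable CONFIG_SECURITY_LANDLOCK

  # --- IOMMU / DMA -------------------------------------------------------------
  scripts/config --enable CONFIG_EFI_DISABLE_PCI_DMA
  scripts/config --enable CONFIG_IOMMU_SUPPORT
  scripts/config --enable CONFIG_IOMMU_DEFAULT_DMA_STRICT
  scripts/config --enable CONFIG_INTEL_IOMMU
  scripts/config --enable CONFIG_INTEL_IOMMU_DEFAULT_ON
  scripts/config --enable CONFIG_AMD_IOMMU
  scripts/config --enable CONFIG_AMD_IOMMU_V2

  # --- Page table isolation and checks -----------------------------------------
  scripts/config --enable CONFIG_MITIGATION_PAGE_TABLE_ISOLATION
  scripts/config --enable CONFIG_PAGE_TABLE_CHECK
  scripts/config --enable CONFIG_PAGE_TABLE_CHECK_ENFORCED

  # --- UBSAN / KFENCE (low overhead) -------------------------------------------
  scripts/config --enable CONFIG_UBSAN
  scripts/config --enable CONFIG_UBSAN_TRAP
  scripts/config --enable CONFIG_UBSAN_BOUNDS
  scripts/config --enable CONFIG_UBSAN_LOCAL_BOUNDS
  scripts/config --enable CONFIG_KFENCE

  # --- x86 specifics -----------------------------------------------------------
  scripts/config --enable CONFIG_X86_KERNEL_IBT
  scripts/config --enable CONFIG_CFI_CLANG
  scripts/config --disable CONFIG_X86_VSYSCALL_EMULATION
  scripts/config --enable CONFIG_LEGACY_VSYSCALL_NONE

  # --- Remove legacy debug / attack surfaces -----------------------------------
  # STRICT_DEVMEM / IO_STRICT_DEVMEM depend on DEVMEM; with DEVMEM off they are
  # dropped by olddefconfig, which is fine (no /dev/mem at all is the stricter outcome).
  scripts/config --disable CONFIG_DEVMEM
  scripts/config --enable CONFIG_STRICT_DEVMEM
  scripts/config --enable CONFIG_IO_STRICT_DEVMEM
  scripts/config --disable CONFIG_DEVKMEM
  scripts/config --disable CONFIG_DEBUG_FS
  scripts/config --disable CONFIG_PROC_KCORE

  # --- Optional, stricter ------------------------------------------------------
  scripts/config --enable CONFIG_PANIC_ON_OOPS
  scripts/config --set-val CONFIG_PANIC_TIMEOUT -1
}

#######################################
# Confirm that the security-relevant options are still '=y' in .config after
# 'make olddefconfig' (which silently reverts symbols with unmet dependencies).
# Only options expected to be satisfiable on x86_64 with LLVM 18 are listed.
# Must be called from the kernel source tree.
# Outputs:
#   one warning line per missing option on stderr
# Returns:
#   0 when all listed options are '=y', 1 otherwise
#######################################
verify_hardening_config() {
  local -ra required=(
    CONFIG_CFI_CLANG
    CONFIG_DM_CRYPT
    CONFIG_INIT_STACK_ALL_ZERO
    CONFIG_MODULE_SIG
    CONFIG_MODULE_SIG_ALL
    CONFIG_RANDOMIZE_BASE
    CONFIG_SECURITY_LOCKDOWN_LSM
    CONFIG_SLAB_FREELIST_HARDENED
    CONFIG_STACKPROTECTOR_STRONG
    CONFIG_STRICT_KERNEL_RWX
    CONFIG_VMAP_STACK
  )
  local sym rc=0
  for sym in "${required[@]}"; do
    if ! grep -qxF -- "${sym}=y" .config; then
      printf 'WARNING: %s is not =y after olddefconfig\n' "${sym}" >&2
      rc=1
    fi
  done
  return "${rc}"
}

#######################################
# Resolve the configuration, verify it and build the Debian packages.
# Must be called from the kernel source tree.
# Outputs:
#   build log to stdout and build.log; success banner on stdout
# Returns:
#   exits non-zero (via die) when verification or the build fails
#######################################
build_kernel() {
  make olddefconfig
  make -s kernelrelease
  grep -E '^(CONFIG_LOCALVERSION|CONFIG_LOCALVERSION_AUTO)=' .config || true
  env | grep -E '^LOCALVERSION=' || true
  verify_hardening_config || die "Hardening options missing after olddefconfig; refusing to build."
  # 'tee' opens build.log itself, so 'set -o noclobber' does not apply here.
  # A failing 'make' is a pipeline failure (pipefail) and must not exit 0.
  # shellcheck disable=SC2312
  if make -j"$(nproc)" bindeb-pkg 2>&1 | tee build.log; then
    printf '%bBuild successful%b\n' '\e[92m' '\e[0m'
  else
    die "Build failed; see build.log"
  fi
}

#######################################
# Entry point: validate the branch, prepare the host, fetch, configure, build.
# Globals:
#   VAR_BRANCH (read), var_srcdir / var_kver_debian / var_kver (read)
# Arguments:
#   None (VAR_BRANCH was captured from $1 at the top of the script)
#######################################
main() {
  local suite workdir
  # Reject a bad branch before touching the package manager or the work tree.
  case "${VAR_BRANCH}" in
    bpo)
      suite="trixie-backports"
      workdir="${HOME}/src/kernel/bpo"
      ;;
    security)
      suite="trixie-security"
      workdir="${HOME}/src/kernel/security"
      ;;
    *)
      die "No valid branch selected."
      ;;
  esac
  # apt-get install/build-dep below require root.
  (( EUID == 0 )) || die "This script must run as root."

  prepare_host
  fetch_sources "${suite}" "${workdir}"

  extract_kver_from_apt_source_linux \
    || die "Could not determine the kernel version from the unpacked source tree."
  printf '%b var_srcdir=%s\n var_kver_debian=%s\n var_kver=%s%b\n' '\e[92m' "${var_srcdir:-}" "${var_kver_debian:-}" "${var_kver:-}" '\e[0m'
  # The .dsc fallback may leave var_srcdir empty; never 'cd' into the parent
  # directory and run scripts/config there by accident.
  [[ -n "${var_srcdir}" && -d "${workdir}/${var_srcdir}" ]] \
    || die "Kernel source directory not found under ${workdir}."
  cd -- "${workdir}/${var_srcdir}" || die "cannot cd to ${workdir}/${var_srcdir}"

  set_build_identity
  configure_kernel
  build_kernel
}

main "$@"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh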