Marc S. Weidner
d3b1086361
Some checks failed
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Failing after 2s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
302 lines
12 KiB
Bash
302 lines
12 KiB
Bash
#!/bin/bash
|
||
# SPDX-Version: 3.0
|
||
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
|
||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||
# SPDX-FileType: SOURCE
|
||
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||
# SPDX-PackageName: CISS.debian.installer
|
||
# SPDX-Security-Contact: security@coresecret.eu
|
||
|
||
set -o errexit
|
||
set -o ignoreeof
|
||
set -o noclobber
|
||
set -o nounset
|
||
set -o pipefail
|
||
shopt -s failglob
|
||
shopt -s inherit_errexit
|
||
shopt -s lastpipe
|
||
shopt -u expand_aliases
|
||
shopt -u dotglob
|
||
shopt -u extglob
|
||
shopt -u nullglob
|
||
|
||
declare -gx PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||
declare -gx IFS=$' \t\n'
|
||
declare -gx PATH="/usr/lib/llvm-18/bin:${PATH}"
|
||
declare -gx LLVM="1"
|
||
declare -gx CC="clang-18 -target x86_64-linux-gnu"
|
||
declare -gx LD="ld.lld-18"
|
||
declare -gx HOSTCC="clang-18"
|
||
declare -gx HOSTCXX="clang++-18"
|
||
declare -gx AR="llvm-ar-18" NM="llvm-nm-18" OBJCOPY="llvm-objcopy-18" STRIP="llvm-strip-18"
|
||
umask 0022
|
||
|
||
# --- Identity / naming -------------------------------------------------------
|
||
# Ensure unique artifact names in /boot to avoid collisions with Production.
|
||
scripts/config --set-str CONFIG_LOCALVERSION "-rescue"
|
||
|
||
# --- Control-Flow Integrity (Clang kCFI as strict default) -------------------
|
||
# Enable Clang CFI; keep strict (no permissive), keep kCFI as default,
|
||
# and do NOT normalize integer types (only needed for Rust interop).
|
||
scripts/config --enable CONFIG_CFI_CLANG
|
||
scripts/config --disable CONFIG_CFI_PERMISSIVE
|
||
scripts/config --disable CONFIG_CFI_AUTO_DEFAULT
|
||
scripts/config --disable CONFIG_CFI_ICALL_NORMALIZE_INTEGERS
|
||
|
||
# --- Rust support (if not using Rust drivers) --------------------------------
|
||
scripts/config --disable CONFIG_RUST
|
||
|
||
# --- Console / EFI plumbing --------------------------------------------------
|
||
scripts/config --enable CONFIG_EFI_VARS
|
||
scripts/config --enable CONFIG_EFIVAR_FS
|
||
scripts/config --enable CONFIG_SERIAL_8250
|
||
scripts/config --enable CONFIG_SERIAL_8250_CONSOLE
|
||
|
||
# --- Framebuffer legacy (keep console via VGA/serial, no fbdev needed) -------
|
||
# Keep VT/tty consoles unless you truly want serial-only:
|
||
scripts/config --enable CONFIG_VT
|
||
scripts/config --enable CONFIG_VT_CONSOLE
|
||
scripts/config --enable CONFIG_TTY
|
||
scripts/config --enable CONFIG_FB
|
||
scripts/config --enable CONFIG_FB_EFI
|
||
scripts/config --disable CONFIG_DUMMY_CONSOLE
|
||
|
||
# --- Keep minimal input/usb hid for emergency keyboard over IP-KVM -----------
|
||
scripts/config --enable CONFIG_HID
|
||
scripts/config --enable CONFIG_USB_HID
|
||
scripts/config --enable CONFIG_HID_GENERIC
|
||
|
||
# --- Filesystems typically encountered in rescue scenarios -------------------
|
||
scripts/config --enable CONFIG_BTRFS_FS
|
||
scripts/config --enable CONFIG_BTRFS_FS_POSIX_ACL
|
||
scripts/config --enable CONFIG_EXT4_FS
|
||
scripts/config --enable CONFIG_FAT_FS
|
||
scripts/config --enable CONFIG_ISO9660_FS
|
||
scripts/config --enable CONFIG_VFAT_FS
|
||
scripts/config --enable CONFIG_XFS
|
||
scripts/config --disable CONFIG_CEPH_FS
|
||
scripts/config --disable CONFIG_EXFAT_FS
|
||
scripts/config --disable CONFIG_EXT2
|
||
scripts/config --disable CONFIG_EXT3
|
||
scripts/config --disable CONFIG_HFSPLUS_FS
|
||
scripts/config --disable CONFIG_JFS_FS
|
||
scripts/config --disable CONFIG_MSDOS_FS
|
||
scripts/config --disable CONFIG_NILFS2_FS
|
||
scripts/config --disable CONFIG_NTFS3_FS
|
||
scripts/config --disable CONFIG_OVERLAY_FS
|
||
scripts/config --disable CONFIG_REISERFS_FS
|
||
scripts/config --disable CONFIG_SQUASHFS
|
||
scripts/config --disable CONFIG_UDF_FS
|
||
scripts/config --disable CONFIG_VXFS_FS
|
||
|
||
# --- Early-boot critical storage path ----------------------------------------
|
||
scripts/config --enable CONFIG_SATA_AHCI
|
||
scripts/config --enable CONFIG_BLK_DEV_NVME
|
||
scripts/config --enable CONFIG_SCSI
|
||
scripts/config --enable CONFIG_BLK_DEV_SD
|
||
scripts/config --enable CONFIG_USB_XHCI_HCD
|
||
scripts/config --enable CONFIG_USB_STORAGE
|
||
scripts/config --disable CONFIG_ATA_SFF
|
||
scripts/config --disable CONFIG_CHR_DEV_SG
|
||
scripts/config --disable CONFIG_USB_EHCI_HCD
|
||
|
||
# --- Device-mapper and software RAID (rescue on unknown hosts) ---------------
|
||
scripts/config --enable CONFIG_BLK_DEV_DM
|
||
scripts/config --enable CONFIG_DM_CRYPT
|
||
scripts/config --enable CONFIG_DM_MOD
|
||
scripts/config --disable CONFIG_MD_RAID1
|
||
scripts/config --disable CONFIG_MD_RAID10
|
||
scripts/config --disable CONFIG_MD_RAID456
|
||
scripts/config --disable CONFIG_BLK_DEV_MD
|
||
scripts/config --disable CONFIG_MD
|
||
scripts/config --disable CONFIG_MD_AUTODETECT
|
||
|
||
# --- Do not allow device-mapper table creation from the kernel command line --
|
||
scripts/config --disable CONFIG_DM_INIT
|
||
|
||
# --- Crypto primitives needed for LUKS (and general use) ---------------------
|
||
scripts/config --enable CONFIG_CRYPTO_AES
|
||
scripts/config --enable CONFIG_CRYPTO_AES_NI_INTEL # x86_64 AES-NI (harmless if absent)
|
||
scripts/config --enable CONFIG_CRYPTO_CHACHA20_POLY1305
|
||
scripts/config --enable CONFIG_CRYPTO_CRC32C
|
||
scripts/config --enable CONFIG_CRYPTO_CURVE25519
|
||
scripts/config --enable CONFIG_CRYPTO_JITTERENTROPY
|
||
scripts/config --enable CONFIG_CRYPTO_SHA256
|
||
scripts/config --enable CONFIG_CRYPTO_SHA384
|
||
scripts/config --enable CONFIG_CRYPTO_SHA512
|
||
scripts/config --enable CONFIG_CRYPTO_XTS
|
||
|
||
# --- Networking for Dropbear/SSH and generic connectivity --------------------
|
||
scripts/config --enable CONFIG_IGB
|
||
scripts/config --enable CONFIG_INET
|
||
scripts/config --enable CONFIG_IPV6
|
||
scripts/config --enable CONFIG_VMXNET3
|
||
scripts/config --enable CONFIG_E1000E
|
||
scripts/config --enable CONFIG_IXGBE
|
||
scripts/config --enable CONFIG_I40E
|
||
scripts/config --enable CONFIG_ICE
|
||
scripts/config --enable CONFIG_VLAN_8021Q
|
||
scripts/config --disable CONFIG_BRIDGE
|
||
scripts/config --disable CONFIG_BONDING
|
||
scripts/config --disable CONFIG_BNX2X
|
||
scripts/config --disable CONFIG_IGC
|
||
scripts/config --disable CONFIG_R8169
|
||
|
||
# --- Virtualization ----------------------------------------------------------
|
||
scripts/config --enable CONFIG_HW_RANDOM_VIRTIO
|
||
scripts/config --enable CONFIG_KVM
|
||
scripts/config --enable CONFIG_VIRTIO_BALLOON
|
||
scripts/config --enable CONFIG_VIRTIO_BLK
|
||
scripts/config --enable CONFIG_VIRTIO_CONSOLE
|
||
scripts/config --enable CONFIG_VIRTIO_FS
|
||
scripts/config --enable CONFIG_VIRTIO_INPUT
|
||
scripts/config --enable CONFIG_VIRTIO_NET
|
||
scripts/config --enable CONFIG_VIRTIO_PCI
|
||
scripts/config --enable CONFIG_VIRTIO_SCSI
|
||
scripts/config --disable CONFIG_HYPERV
|
||
scripts/config --disable CONFIG_VIRTIO_GPU
|
||
scripts/config --disable CONFIG_VMXNET3
|
||
scripts/config --disable CONFIG_XEN
|
||
|
||
# --- Media, Sound, Wireless --------------------------------------------------
|
||
scripts/config --disable CONFIG_BT
|
||
scripts/config --disable CONFIG_CFG80211
|
||
scripts/config --disable CONFIG_MEDIA_SUPPORT
|
||
scripts/config --disable CONFIG_NFC
|
||
scripts/config --disable CONFIG_SND
|
||
|
||
# --- Disable entire DRM/GPU graphics stack -----------------------------------
|
||
scripts/config --disable CONFIG_DRM
|
||
scripts/config --disable CONFIG_DRM_AMDGPU
|
||
scripts/config --disable CONFIG_DRM_BRIDGE
|
||
scripts/config --disable CONFIG_DRM_FBDEV_EMULATION
|
||
scripts/config --disable CONFIG_DRM_I915
|
||
scripts/config --disable CONFIG_DRM_KMS_HELPER
|
||
scripts/config --disable CONFIG_DRM_NOUVEAU
|
||
scripts/config --disable CONFIG_DRM_PANEL
|
||
scripts/config --disable CONFIG_DRM_QXL
|
||
scripts/config --disable CONFIG_DRM_RADEON
|
||
scripts/config --disable CONFIG_DRM_SIMPLEDRM
|
||
scripts/config --disable CONFIG_DRM_VIRTIO_GPU
|
||
scripts/config --disable CONFIG_DRM_VMWGFX
|
||
|
||
# --- Thermal/HWMon – keep minimal safety -------------------------------------
|
||
scripts/config --enable CONFIG_HWMON
|
||
scripts/config --enable CONFIG_SENSORS_CORETEMP
|
||
scripts/config --enable CONFIG_SENSORS_K10TEMP
|
||
scripts/config --enable CONFIG_THERMAL
|
||
scripts/config --enable CONFIG_X86_PKG_TEMP_THERMAL
|
||
|
||
# --- BPF/Tracing/Debug – big size savers -------------------------------------
|
||
scripts/config --enable DEBUG_INFO_NONE
|
||
scripts/config --disable DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT
|
||
scripts/config --disable DEBUG_INFO_DWARF4
|
||
scripts/config --disable DEBUG_INFO_DWARF5
|
||
scripts/config --enable CONFIG_KALLSYMS # keep symbols (panic decoding)
|
||
scripts/config --disable CONFIG_BPF_SYSCALL
|
||
scripts/config --disable CONFIG_DEBUG_INFO
|
||
scripts/config --disable CONFIG_DEBUG_KERNEL
|
||
scripts/config --disable CONFIG_FTRACE
|
||
scripts/config --disable CONFIG_GCOV_KERNEL
|
||
scripts/config --disable CONFIG_KALLSYMS_ALL
|
||
scripts/config --disable CONFIG_KPROBES
|
||
scripts/config --disable CONFIG_KUNIT
|
||
|
||
# --- Initrd / modules & (optional) compression -------------------------------
|
||
scripts/config --disable CONFIG_KERNEL_XZ # smaller than zstd; slower
|
||
scripts/config --enable CONFIG_KERNEL_ZSTD
|
||
scripts/config --enable CONFIG_BLK_DEV_INITRD
|
||
scripts/config --enable CONFIG_MODULES
|
||
scripts/config --enable CONFIG_MODULE_COMPRESS
|
||
scripts/config --enable CONFIG_MODULE_COMPRESS_ZSTD
|
||
scripts/config --disable CONFIG_MODULE_COMPRESS_GZIP
|
||
scripts/config --disable CONFIG_MODULE_COMPRESS_XZ # or ZSTD for faster load
|
||
|
||
# --- Decompression support in early userspace --------------------------------
|
||
scripts/config --set-val CONFIG_DECOMPRESS_ZSTD y
|
||
scripts/config --set-val CONFIG_RD_ZSTD y
|
||
|
||
# --- Secure Boot: accept MOK, sign all modules with SHA-512 ------------------
|
||
# Keep FORCE off unless the signing pipeline is 100% enforced end-to-end.
|
||
scripts/config --enable CONFIG_INTEGRITY_MACHINE_KEYRING
|
||
scripts/config --enable CONFIG_MODULE_SIG
|
||
scripts/config --enable CONFIG_MODULE_SIG_ALL
|
||
scripts/config --enable CONFIG_MODULE_SIG_SHA512
|
||
scripts/config --disable CONFIG_MODULE_SIG_FORCE
|
||
|
||
# --- Apply intended core DM + crypto as builtins -----------------------------
|
||
scripts/config --set-val CONFIG_DM_CRYPT y
|
||
scripts/config --set-val CONFIG_DM_INTEGRITY n
|
||
|
||
# --- Crypto primitives required by dm-crypt(LUKS) ----------------------------
|
||
scripts/config --set-val CONFIG_CRYPTO_XTS y
|
||
scripts/config --set-val CONFIG_CRYPTO_AES y
|
||
scripts/config --set-val CONFIG_CRYPTO_AES_X86_64 y
|
||
scripts/config --set-val CONFIG_CRYPTO_AES_NI_INTEL y
|
||
scripts/config --set-val CONFIG_CRYPTO_SHA256 y
|
||
scripts/config --set-val CONFIG_CRYPTO_SHA384 y
|
||
scripts/config --set-val CONFIG_CRYPTO_SHA512 y
|
||
|
||
# --- If you use Argon2 for LUKS2 key-derivation inside initramfs: ------------
|
||
scripts/config --set-val CONFIG_CRYPTO_ARGON2 y
|
||
|
||
# --- Optional but prudent for integrity stacks: ------------------------------
|
||
scripts/config --set-val CONFIG_CRYPTO_POLY1305 y
|
||
scripts/config --set-val CONFIG_CRYPTO_CHACHA20 y
|
||
|
||
# --- Kill the full 802.11 wireless stack -------------------------------------
|
||
scripts/config --disable CONFIG_WIRELESS
|
||
scripts/config --disable CONFIG_CFG80211
|
||
scripts/config --disable CONFIG_MAC80211
|
||
scripts/config --disable CONFIG_WLAN
|
||
scripts/config --disable CONFIG_IWLWIFI
|
||
scripts/config --disable CONFIG_ATH_COMMON
|
||
scripts/config --disable CONFIG_ATH9K
|
||
scripts/config --disable CONFIG_ATH10K
|
||
scripts/config --disable CONFIG_MT76
|
||
scripts/config --disable CONFIG_RTW88
|
||
scripts/config --disable CONFIG_BRCMFMAC
|
||
|
||
# --- RFKill and Bluetooth off (server baseline) ------------------------------
|
||
scripts/config --disable CONFIG_RFKILL
|
||
scripts/config --disable CONFIG_BT
|
||
scripts/config --disable CONFIG_BT_HCIUART
|
||
scripts/config --disable CONFIG_BT_INTEL
|
||
scripts/config --disable CONFIG_BT_BREDR
|
||
|
||
# --- Multimedia (V4L2/DVB/camera/sdr) off ------------------------------------
|
||
scripts/config --disable CONFIG_MEDIA_SUPPORT
|
||
scripts/config --disable CONFIG_VIDEO_DEV
|
||
scripts/config --disable CONFIG_DVB_CORE
|
||
scripts/config --disable CONFIG_MEDIA_USB_SUPPORT
|
||
scripts/config --disable CONFIG_MEDIA_PCI_SUPPORT
|
||
scripts/config --disable CONFIG_MEDIA_PLATFORM_SUPPORT
|
||
|
||
# --- Optional footprint cuts -------------------------------------------------
|
||
# Sound off (ALSA/OSS); safe for server:
|
||
scripts/config --disable CONFIG_SOUND
|
||
scripts/config --disable CONFIG_SND
|
||
scripts/config --disable CONFIG_SND_HDA_INTEL
|
||
|
||
# --- NFC and IEEE 802.15.4 (rare on servers) ---------------------------------
|
||
scripts/config --disable CONFIG_NFC
|
||
scripts/config --disable CONFIG_IEEE802154
|
||
|
||
# --- Disable entire GPIO subsystem (prevents PCI GPIO expanders etc.) --------
|
||
scripts/config --disable CONFIG_GPIOLIB
|
||
scripts/config --disable CONFIG_GPIO_CDEV
|
||
scripts/config --disable CONFIG_GPIO_SYSFS
|
||
scripts/config --disable CONFIG_GPIO_ACPI
|
||
scripts/config --disable CONFIG_GPIO_PCI
|
||
scripts/config --disable CONFIG_PINCTRL
|
||
|
||
# --- Disable any other features ----------------------------------------------
|
||
scripts/config --disable CONFIG_TEGRA_HOST1X
|
||
|
||
exit 0
|
||
|
||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|