Marc S. Weidner
353568eb69
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m54s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
578 lines
21 KiB
Bash
578 lines
21 KiB
Bash
#!/bin/bash
|
|
# SPDX-Version: 3.0
|
|
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
|
|
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
|
|
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
|
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
|
# SPDX-FileType: SOURCE
|
|
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
|
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
|
# SPDX-PackageName: CISS.debian.installer
|
|
# SPDX-Security-Contact: security@coresecret.eu
|
|
|
|
set -o errexit
|
|
set -o noclobber
|
|
set -o nounset
|
|
set -o pipefail
|
|
shopt -s failglob
|
|
shopt -s inherit_errexit
|
|
shopt -s lastpipe
|
|
shopt -u expand_aliases
|
|
shopt -u dotglob
|
|
shopt -u extglob
|
|
shopt -u nullglob
|
|
|
|
umask 0077
|
|
|
|
declare VAR_BRANCH="${1-}"
|
|
declare -grx VAR_BRANCH="${VAR_BRANCH,,}"
|
|
|
|
declare -gx IFS=$' \t\n'
|
|
declare -gx PATH="/usr/lib/llvm-18/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
|
declare -gx AR="llvm-ar-18"
|
|
declare -gx CC="clang-18 -target x86_64-linux-gnu"
|
|
declare -gx HOSTCC="clang-18"
|
|
declare -gx HOSTCXX="clang++-18"
|
|
declare -gx LD="ld.lld-18"
|
|
declare -gx LLVM="1"
|
|
declare -gx LLVM_IAS="1"
|
|
declare -gx NM="llvm-nm-18"
|
|
declare -gx OBJCOPY="llvm-objcopy-18"
|
|
# shellcheck disable=SC2155
|
|
declare -gx SOURCE_DATE_EPOCH=$(date -ud '2025-10-11 00:00:00Z' +%s)
|
|
declare -gx STRIP="llvm-strip-18"
|
|
unset LOCALVERSION || true
|
|
|
|
cd "${HOME}"
|
|
if [[ -d "${HOME}/src/kernel" ]]; then
|
|
rm -rf --one-file-system -- "${HOME}/src/kernel"
|
|
fi
|
|
|
|
declare -gx DEBIAN_FRONTEND="noninteractive"
|
|
apt-get update -qq
|
|
apt-get install -y \
|
|
bc \
|
|
bison \
|
|
build-essential \
|
|
clang-18 \
|
|
dpkg-dev \
|
|
fakeroot \
|
|
flex \
|
|
git \
|
|
libelf-dev \
|
|
libncurses-dev \
|
|
libssl-dev \
|
|
lld-18 \
|
|
llvm-18-dev \
|
|
rsync
|
|
|
|
#######################################
|
|
# Extract the kernel version from a freshly unpacked 'apt-get source linux' tree.
|
|
# Exports (declare -g):
|
|
# var_kver_debian = e.g., "6.16.3-1~deb13u1"
|
|
# var_kver = e.g., "6.16.3"
|
|
# var_srcdir = e.g., "linux-6.16.3"
|
|
# Globals:
|
|
# var_kver
|
|
# var_kver_debian
|
|
# var_srcdir
|
|
# Arguments:
|
|
# None
|
|
# Returns:
|
|
# 0: on success
|
|
# 1: on failure
|
|
#######################################
|
|
extract_kver_from_apt_source_linux() {
|
|
### Prefer debian/changelog in linux-* (more canonical), then fall back to .dsc.
|
|
shopt -s nullglob
|
|
|
|
### Try A: from debian/changelog in linux-*/
|
|
declare -a _srcdirs=(linux-*/)
|
|
|
|
if [[ ${#_srcdirs[@]} -ge 1 ]]; then
|
|
|
|
### Pick the first match; in a clean workdir there should be exactly one.
|
|
declare _dir="${_srcdirs[0]%/}"
|
|
declare _chg="${_dir}/debian/changelog"
|
|
|
|
if [[ -f "${_chg}" ]]; then
|
|
|
|
### Read the first line: "linux (6.x.y-... ) suite; urgency=...".
|
|
declare _line
|
|
IFS= read -r _line < "${_chg}" || _line=
|
|
### Extract between '(' and ')'
|
|
### 1) strip prefix up to '('
|
|
declare _ver="${_line#*\(}"
|
|
### 2) strip suffix after ')'
|
|
_ver="${_ver%%\)*}"
|
|
|
|
### Debian full version (may include epoch and Debian revision).
|
|
declare -gx var_kver_debian="${_ver}"
|
|
|
|
### Upstream version (strip optional epoch "N:" and Debian revision "-...").
|
|
declare _noepoch="${_ver#*:}" # Drop "1:" if present, else no change.
|
|
declare -gx var_kver="${_noepoch%%-*}" # Drop the "-deb" part.
|
|
declare -gx var_srcdir="${_dir}"
|
|
shopt -u nullglob
|
|
return 0
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
### Try B: from the .dsc file (fallback).
|
|
declare -a _dscs=(linux_*.dsc)
|
|
|
|
if [[ ${#_dscs[@]} -ge 1 ]]; then
|
|
|
|
### Pick the first .dsc (in a clean workdir there should be exactly one).
|
|
declare _dsc="${_dscs[0]}"
|
|
declare _verline _ver
|
|
|
|
### Read the 'Version: ...' line without grep/sed.
|
|
while IFS= read -r _verline; do
|
|
|
|
# shellcheck disable=SC2249
|
|
case "${_verline}" in
|
|
|
|
Version:*)
|
|
_ver="${_verline#Version: }"
|
|
break
|
|
;;
|
|
|
|
esac
|
|
|
|
done < "${_dsc}"
|
|
|
|
[[ -n "${_ver:-}" ]] || return 1
|
|
|
|
declare -gx var_kver_debian="${_ver}"
|
|
declare _noepoch="${_ver#*:}"
|
|
declare -gx var_kver="${_noepoch%%-*}"
|
|
|
|
### Best-effort srcdir guess from the upstream part (common unpacking layout).
|
|
declare _up="${var_kver}"
|
|
|
|
if [[ -d "linux-${_up}" ]]; then
|
|
|
|
declare -gx var_srcdir="linux-${_up}"
|
|
|
|
else
|
|
|
|
declare -gx var_srcdir=""
|
|
|
|
fi
|
|
|
|
shopt -u nullglob
|
|
return 0
|
|
|
|
fi
|
|
|
|
### Nothing found.
|
|
shopt -u nullglob
|
|
|
|
return 1
|
|
}
|
|
# --- Prevents accidental 'unset -f' ------------------------------------------
|
|
# shellcheck disable=SC2034
|
|
readonly -f extract_kver_from_apt_source_linux
|
|
|
|
# --- Generate skeleton and download sources ----------------------------------
|
|
case "${VAR_BRANCH}" in
|
|
|
|
bpo)
|
|
mkdir -p ~/src/kernel/bpo && cd ~/src/kernel/bpo
|
|
apt-get source -t trixie-backports linux
|
|
apt-get -y build-dep -t trixie-backports linux
|
|
;;
|
|
|
|
security)
|
|
mkdir -p ~/src/kernel/security && cd ~/src/kernel/security
|
|
apt-get source -t trixie-security linux
|
|
apt-get -y build-dep -t trixie-security linux
|
|
;;
|
|
|
|
*)
|
|
printf "No valid branch selected.\n"
|
|
exit 1
|
|
;;
|
|
|
|
esac
|
|
|
|
extract_kver_from_apt_source_linux
|
|
printf '%b var_srcdir=%s\n var_kver_debian=%s\n var_kver=%s%b\n' '\e[92m' "${var_srcdir:-<none>}" "${var_kver_debian:-<none>}" "${var_kver:-<none>}" '\e[0m'
|
|
|
|
case "${VAR_BRANCH}" in
|
|
|
|
bpo)
|
|
cd "${HOME}/src/kernel/bpo/${var_srcdir}"
|
|
;;
|
|
|
|
security)
|
|
cd "${HOME}/src/kernel/security/${var_srcdir}"
|
|
;;
|
|
|
|
*)
|
|
printf "No valid branch selected.\n"
|
|
exit 1
|
|
;;
|
|
|
|
esac
|
|
|
|
# --- Identify yourself for Maintainer and Changed-By -------------------------
|
|
declare -gx DEBFULLNAME="Marc S. Weidner"
|
|
declare -gx DEBEMAIL="msw@coresecret.dev"
|
|
|
|
# --- Embed build user/host in 'uname -v' string of the kernel ----------------
|
|
declare -gx KBUILD_BUILD_USER="msw"
|
|
declare -gx KBUILD_BUILD_HOST="coresecret.dev"
|
|
|
|
# --- Package/version labelling for Debian packages ---------------------------
|
|
declare -gx KDEB_PKGVERSION="${var_kver}-1ciss0"
|
|
declare -gx KDEB_CHANGELOG_DIST="trixie"
|
|
|
|
# --- Identity / naming -------------------------------------------------------
|
|
# Ensure unique artifact names in /boot to avoid collisions with Production.
|
|
scripts/config --set-str CONFIG_LOCALVERSION "-rescue"
|
|
scripts/config --disable CONFIG_LOCALVERSION_AUTO
|
|
|
|
# --- Control-Flow Integrity (Clang kCFI as strict default) -------------------
|
|
# Enable Clang CFI; keep strict (no permissive), keep kCFI as default,
|
|
# and do NOT normalize integer types (only needed for Rust interop).
|
|
scripts/config --enable CONFIG_CFI_CLANG
|
|
scripts/config --disable CONFIG_CFI_PERMISSIVE
|
|
scripts/config --disable CONFIG_CFI_AUTO_DEFAULT
|
|
scripts/config --disable CONFIG_CFI_ICALL_NORMALIZE_INTEGERS
|
|
|
|
# --- Rust support (if not using Rust drivers) --------------------------------
|
|
scripts/config --disable CONFIG_RUST
|
|
|
|
# --- Console / EFI plumbing --------------------------------------------------
|
|
scripts/config --enable CONFIG_EFI_VARS
|
|
scripts/config --enable CONFIG_EFIVAR_FS
|
|
scripts/config --enable CONFIG_SERIAL_8250
|
|
scripts/config --enable CONFIG_SERIAL_8250_CONSOLE
|
|
|
|
# --- Framebuffer legacy (keep console via VGA/serial, no fbdev needed) -------
|
|
# Keep VT/tty consoles unless you truly want serial-only:
|
|
scripts/config --enable CONFIG_VT
|
|
scripts/config --enable CONFIG_VT_CONSOLE
|
|
scripts/config --enable CONFIG_TTY
|
|
scripts/config --enable CONFIG_FB
|
|
scripts/config --enable CONFIG_FB_EFI
|
|
scripts/config --disable CONFIG_DUMMY_CONSOLE
|
|
|
|
# --- Keep minimal input/usb hid for emergency keyboard over IP-KVM -----------
|
|
scripts/config --enable CONFIG_HID
|
|
scripts/config --enable CONFIG_USB_HID
|
|
scripts/config --enable CONFIG_HID_GENERIC
|
|
|
|
# --- Filesystems typically encountered in rescue scenarios -------------------
|
|
scripts/config --enable CONFIG_BTRFS_FS
|
|
scripts/config --enable CONFIG_BTRFS_FS_POSIX_ACL
|
|
scripts/config --enable CONFIG_EXT4_FS
|
|
scripts/config --enable CONFIG_FAT_FS
|
|
scripts/config --enable CONFIG_ISO9660_FS
|
|
scripts/config --enable CONFIG_VFAT_FS
|
|
scripts/config --enable CONFIG_XFS
|
|
scripts/config --disable CONFIG_CEPH_FS
|
|
scripts/config --disable CONFIG_EXFAT_FS
|
|
scripts/config --disable CONFIG_EXT2
|
|
scripts/config --disable CONFIG_EXT3
|
|
scripts/config --disable CONFIG_HFSPLUS_FS
|
|
scripts/config --disable CONFIG_JFS_FS
|
|
scripts/config --disable CONFIG_MSDOS_FS
|
|
scripts/config --disable CONFIG_NILFS2_FS
|
|
scripts/config --disable CONFIG_NTFS3_FS
|
|
scripts/config --disable CONFIG_OVERLAY_FS
|
|
scripts/config --disable CONFIG_REISERFS_FS
|
|
scripts/config --disable CONFIG_SQUASHFS
|
|
scripts/config --disable CONFIG_UDF_FS
|
|
scripts/config --disable CONFIG_VXFS_FS
|
|
|
|
# --- Early-boot critical storage path ----------------------------------------
|
|
scripts/config --enable CONFIG_SATA_AHCI
|
|
scripts/config --enable CONFIG_BLK_DEV_NVME
|
|
scripts/config --enable CONFIG_SCSI
|
|
scripts/config --enable CONFIG_BLK_DEV_SD
|
|
scripts/config --enable CONFIG_USB_EHCI_HCD
|
|
scripts/config --enable CONFIG_USB_XHCI_HCD
|
|
scripts/config --enable CONFIG_USB_STORAGE
|
|
scripts/config --disable CONFIG_ATA_SFF
|
|
scripts/config --disable CONFIG_CHR_DEV_SG
|
|
|
|
# --- Device-mapper and software RAID (rescue on unknown hosts) ---------------
|
|
scripts/config --enable CONFIG_BLK_DEV_DM
|
|
scripts/config --enable CONFIG_DM_CRYPT
|
|
scripts/config --enable CONFIG_DM_MOD
|
|
scripts/config --enable CONFIG_MD_RAID1
|
|
scripts/config --enable CONFIG_MD_RAID10
|
|
scripts/config --enable CONFIG_MD_RAID456
|
|
scripts/config --enable CONFIG_BLK_DEV_MD
|
|
scripts/config --enable CONFIG_MD
|
|
scripts/config --disable CONFIG_MD_AUTODETECT
|
|
|
|
# --- Do not allow device-mapper table creation from the kernel command line --
|
|
scripts/config --disable CONFIG_DM_INIT
|
|
|
|
# --- Crypto primitives needed for LUKS (and general use) ---------------------
|
|
scripts/config --enable CONFIG_CRYPTO_AES
|
|
scripts/config --enable CONFIG_CRYPTO_AES_NI_INTEL
|
|
scripts/config --enable CONFIG_CRYPTO_CHACHA20_POLY1305
|
|
scripts/config --enable CONFIG_CRYPTO_CRC32C
|
|
scripts/config --enable CONFIG_CRYPTO_CURVE25519
|
|
scripts/config --enable CONFIG_CRYPTO_JITTERENTROPY
|
|
scripts/config --enable CONFIG_CRYPTO_SHA256
|
|
scripts/config --enable CONFIG_CRYPTO_SHA384
|
|
scripts/config --enable CONFIG_CRYPTO_SHA512
|
|
scripts/config --enable CONFIG_CRYPTO_XTS
|
|
|
|
# --- Networking for Dropbear/SSH and generic connectivity --------------------
|
|
scripts/config --enable CONFIG_IGB
|
|
scripts/config --enable CONFIG_INET
|
|
scripts/config --enable CONFIG_IPV6
|
|
scripts/config --enable CONFIG_VMXNET3
|
|
scripts/config --enable CONFIG_E1000E
|
|
scripts/config --enable CONFIG_IXGBE
|
|
scripts/config --enable CONFIG_I40E
|
|
scripts/config --enable CONFIG_ICE
|
|
scripts/config --enable CONFIG_VLAN_8021Q
|
|
scripts/config --disable CONFIG_BRIDGE
|
|
scripts/config --disable CONFIG_BONDING
|
|
scripts/config --disable CONFIG_BNX2X
|
|
scripts/config --enable CONFIG_IGC
|
|
scripts/config --enable CONFIG_R8169
|
|
|
|
# --- Virtualization ----------------------------------------------------------
|
|
scripts/config --enable CONFIG_HW_RANDOM_VIRTIO
|
|
scripts/config --enable CONFIG_KVM
|
|
scripts/config --enable CONFIG_VIRTIO_BALLOON
|
|
scripts/config --enable CONFIG_VIRTIO_BLK
|
|
scripts/config --enable CONFIG_VIRTIO_CONSOLE
|
|
scripts/config --enable CONFIG_VIRTIO_FS
|
|
scripts/config --enable CONFIG_VIRTIO_INPUT
|
|
scripts/config --enable CONFIG_VIRTIO_NET
|
|
scripts/config --enable CONFIG_VIRTIO_PCI
|
|
scripts/config --enable CONFIG_VIRTIO_SCSI
|
|
scripts/config --disable CONFIG_HYPERV
|
|
scripts/config --disable CONFIG_VIRTIO_GPU
|
|
scripts/config --disable CONFIG_XEN
|
|
|
|
# --- Media, Sound, Wireless --------------------------------------------------
|
|
scripts/config --disable CONFIG_BT
|
|
scripts/config --disable CONFIG_CFG80211
|
|
scripts/config --disable CONFIG_MEDIA_SUPPORT
|
|
scripts/config --disable CONFIG_NFC
|
|
scripts/config --disable CONFIG_SND
|
|
|
|
# --- Disable entire DRM/GPU graphics stack -----------------------------------
|
|
scripts/config --enable CONFIG_DRM
|
|
scripts/config --enable CONFIG_DRM_SIMPLEDRM
|
|
scripts/config --disable CONFIG_DRM_AMDGPU
|
|
scripts/config --disable CONFIG_DRM_BRIDGE
|
|
scripts/config --disable CONFIG_DRM_FBDEV_EMULATION
|
|
scripts/config --disable CONFIG_DRM_I915
|
|
scripts/config --disable CONFIG_DRM_KMS_HELPER
|
|
scripts/config --disable CONFIG_DRM_NOUVEAU
|
|
scripts/config --disable CONFIG_DRM_PANEL
|
|
scripts/config --disable CONFIG_DRM_QXL
|
|
scripts/config --disable CONFIG_DRM_RADEON
|
|
scripts/config --disable CONFIG_DRM_VIRTIO_GPU
|
|
scripts/config --disable CONFIG_DRM_VMWGFX
|
|
|
|
# --- Thermal/HWMon - keep minimal safety -------------------------------------
|
|
scripts/config --enable CONFIG_HWMON
|
|
scripts/config --enable CONFIG_SENSORS_CORETEMP
|
|
scripts/config --enable CONFIG_SENSORS_K10TEMP
|
|
scripts/config --enable CONFIG_THERMAL
|
|
scripts/config --enable CONFIG_X86_PKG_TEMP_THERMAL
|
|
|
|
# --- BPF/Tracing/Debug - big size savers -------------------------------------
|
|
scripts/config --enable DEBUG_INFO_NONE
|
|
scripts/config --disable DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT
|
|
scripts/config --disable DEBUG_INFO_DWARF4
|
|
scripts/config --disable DEBUG_INFO_DWARF5
|
|
scripts/config --enable CONFIG_KALLSYMS # keep symbols (panic decoding)
|
|
scripts/config --disable CONFIG_BPF_SYSCALL
|
|
scripts/config --disable CONFIG_DEBUG_INFO
|
|
scripts/config --disable CONFIG_DEBUG_KERNEL
|
|
scripts/config --disable CONFIG_FTRACE
|
|
scripts/config --disable CONFIG_GCOV_KERNEL
|
|
scripts/config --disable CONFIG_KALLSYMS_ALL
|
|
scripts/config --disable CONFIG_KPROBES
|
|
scripts/config --disable CONFIG_KUNIT
|
|
|
|
# --- Initrd / modules & (optional) compression -------------------------------
|
|
scripts/config --disable CONFIG_KERNEL_XZ # smaller than zstd; slower
|
|
scripts/config --enable CONFIG_KERNEL_ZSTD
|
|
scripts/config --enable CONFIG_BLK_DEV_INITRD
|
|
scripts/config --enable CONFIG_MODULES
|
|
scripts/config --enable CONFIG_MODULE_COMPRESS
|
|
scripts/config --enable CONFIG_MODULE_COMPRESS_ZSTD
|
|
scripts/config --disable CONFIG_MODULE_COMPRESS_GZIP
|
|
scripts/config --disable CONFIG_MODULE_COMPRESS_XZ # or ZSTD for faster load
|
|
|
|
# --- Decompression support in early userspace --------------------------------
|
|
scripts/config --set-val CONFIG_DECOMPRESS_ZSTD y
|
|
scripts/config --set-val CONFIG_RD_ZSTD y
|
|
|
|
# --- Secure Boot: accept MOK, sign all modules with SHA-512 ------------------
|
|
# Keep FORCE off unless the signing pipeline is 100% enforced end-to-end.
|
|
scripts/config --enable CONFIG_INTEGRITY_MACHINE_KEYRING
|
|
scripts/config --enable CONFIG_MODULE_SIG
|
|
scripts/config --enable CONFIG_MODULE_SIG_ALL
|
|
scripts/config --enable CONFIG_MODULE_SIG_SHA512
|
|
scripts/config --disable CONFIG_MODULE_SIG_FORCE
|
|
#scripts/config --set-str CONFIG_MODULE_SIG_KEY="certs/ciss-sb-db-leaf-production-2025-RSA-3072.private.key"
|
|
#scripts/config --set-str CONFIG_SYSTEM_TRUSTED_KEYS="certs/ciss-sb-db-leaf-production-2025-RSA-3072.crt"
|
|
|
|
# --- Apply intended core DM + crypto as builtins -----------------------------
|
|
scripts/config --set-val CONFIG_DM_CRYPT y
|
|
scripts/config --set-val CONFIG_DM_INTEGRITY n
|
|
|
|
# --- Crypto primitives required by dm-crypt(LUKS) ----------------------------
|
|
scripts/config --set-val CONFIG_CRYPTO_XTS y
|
|
scripts/config --set-val CONFIG_CRYPTO_AES y
|
|
scripts/config --set-val CONFIG_CRYPTO_AES_X86_64 y
|
|
scripts/config --set-val CONFIG_CRYPTO_AES_NI_INTEL y
|
|
scripts/config --set-val CONFIG_CRYPTO_SHA256 y
|
|
scripts/config --set-val CONFIG_CRYPTO_SHA384 y
|
|
scripts/config --set-val CONFIG_CRYPTO_SHA512 y
|
|
|
|
# --- If you use Argon2 for LUKS2 key-derivation inside initramfs: ------------
|
|
scripts/config --set-val CONFIG_CRYPTO_ARGON2 y
|
|
|
|
# --- Optional but prudent for integrity stacks: ------------------------------
|
|
scripts/config --set-val CONFIG_CRYPTO_POLY1305 y
|
|
scripts/config --set-val CONFIG_CRYPTO_CHACHA20 y
|
|
|
|
# --- Kill the full 802.11 wireless stack -------------------------------------
|
|
scripts/config --disable CONFIG_WIRELESS
|
|
scripts/config --disable CONFIG_CFG80211
|
|
scripts/config --disable CONFIG_MAC80211
|
|
scripts/config --disable CONFIG_WLAN
|
|
scripts/config --disable CONFIG_IWLWIFI
|
|
scripts/config --disable CONFIG_ATH_COMMON
|
|
scripts/config --disable CONFIG_ATH9K
|
|
scripts/config --disable CONFIG_ATH10K
|
|
scripts/config --disable CONFIG_MT76
|
|
scripts/config --disable CONFIG_RTW88
|
|
scripts/config --disable CONFIG_BRCMFMAC
|
|
|
|
# --- RFKill and Bluetooth off (server baseline) ------------------------------
|
|
scripts/config --disable CONFIG_RFKILL
|
|
scripts/config --disable CONFIG_BT
|
|
scripts/config --disable CONFIG_BT_HCIUART
|
|
scripts/config --disable CONFIG_BT_INTEL
|
|
scripts/config --disable CONFIG_BT_BREDR
|
|
|
|
# --- Multimedia (V4L2/DVB/camera/sdr) off ------------------------------------
|
|
scripts/config --disable CONFIG_MEDIA_SUPPORT
|
|
scripts/config --disable CONFIG_VIDEO_DEV
|
|
scripts/config --disable CONFIG_DVB_CORE
|
|
scripts/config --disable CONFIG_MEDIA_USB_SUPPORT
|
|
scripts/config --disable CONFIG_MEDIA_PCI_SUPPORT
|
|
scripts/config --disable CONFIG_MEDIA_PLATFORM_SUPPORT
|
|
|
|
# --- Optional footprint cuts -------------------------------------------------
|
|
# Sound off (ALSA/OSS); safe for server:
|
|
scripts/config --disable CONFIG_SOUND
|
|
scripts/config --disable CONFIG_SND
|
|
scripts/config --disable CONFIG_SND_HDA_INTEL
|
|
|
|
# --- NFC and IEEE 802.15.4 (rare on servers) ---------------------------------
|
|
scripts/config --disable CONFIG_NFC
|
|
scripts/config --disable CONFIG_IEEE802154
|
|
|
|
# --- Disable entire GPIO subsystem (prevents PCI GPIO expanders etc.) --------
|
|
scripts/config --disable CONFIG_GPIOLIB
|
|
scripts/config --disable CONFIG_GPIO_CDEV
|
|
scripts/config --disable CONFIG_GPIO_SYSFS
|
|
scripts/config --disable CONFIG_GPIO_ACPI
|
|
scripts/config --disable CONFIG_GPIO_PCI
|
|
scripts/config --disable CONFIG_PINCTRL
|
|
|
|
# --- Disable any other features ----------------------------------------------
|
|
scripts/config --disable CONFIG_TEGRA_HOST1X
|
|
|
|
# --- Harden memory permissions and control-flow ------------------------------
|
|
scripts/config --enable CONFIG_STRICT_KERNEL_RWX
|
|
scripts/config --enable CONFIG_DEBUG_WX
|
|
scripts/config --enable CONFIG_VMAP_STACK
|
|
scripts/config --enable CONFIG_FORTIFY_SOURCE
|
|
scripts/config --enable CONFIG_REFCOUNT_FULL
|
|
scripts/config --enable CONFIG_STACKPROTECTOR
|
|
scripts/config --enable CONFIG_STACKPROTECTOR_STRONG
|
|
scripts/config --enable CONFIG_INIT_STACK_ALL_ZERO
|
|
scripts/config --enable CONFIG_RANDOMIZE_BASE
|
|
scripts/config --enable CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT
|
|
|
|
# --- Allocator hardening -----------------------------------------------------
|
|
scripts/config --enable CONFIG_SLAB_FREELIST_RANDOM
|
|
scripts/config --enable CONFIG_SLAB_FREELIST_HARDENED
|
|
scripts/config --disable CONFIG_SLAB_MERGE_DEFAULT
|
|
scripts/config --enable CONFIG_SHUFFLE_PAGE_ALLOCATOR
|
|
|
|
# --- LSM / Lockdown ----------------------------------------------------------
|
|
scripts/config --enable CONFIG_SECURITY_LOCKDOWN_LSM
|
|
scripts/config --enable CONFIG_SECURITY_LOCKDOWN_LSM_EARLY
|
|
scripts/config --enable CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY
|
|
scripts/config --enable CONFIG_SECURITY_YAMA
|
|
scripts/config --enable CONFIG_SECURITY_LANDLOCK
|
|
|
|
# --- IOMMU / DMA -------------------------------------------------------------
|
|
scripts/config --enable CONFIG_EFI_DISABLE_PCI_DMA
|
|
scripts/config --enable CONFIG_IOMMU_SUPPORT
|
|
scripts/config --enable CONFIG_IOMMU_DEFAULT_DMA_STRICT
|
|
scripts/config --enable CONFIG_INTEL_IOMMU
|
|
scripts/config --enable CONFIG_INTEL_IOMMU_DEFAULT_ON
|
|
scripts/config --enable CONFIG_AMD_IOMMU
|
|
scripts/config --enable CONFIG_AMD_IOMMU_V2
|
|
|
|
# --- Page table isolation and checks -----------------------------------------
|
|
scripts/config --enable CONFIG_MITIGATION_PAGE_TABLE_ISOLATION
|
|
scripts/config --enable CONFIG_PAGE_TABLE_CHECK
|
|
scripts/config --enable CONFIG_PAGE_TABLE_CHECK_ENFORCED
|
|
|
|
# --- UBSAN / KFENCE (low overhead) -------------------------------------------
|
|
scripts/config --enable CONFIG_UBSAN
|
|
scripts/config --enable CONFIG_UBSAN_TRAP
|
|
scripts/config --enable CONFIG_UBSAN_BOUNDS
|
|
scripts/config --enable CONFIG_UBSAN_LOCAL_BOUNDS
|
|
scripts/config --enable CONFIG_KFENCE
|
|
|
|
# --- x86 specifics -----------------------------------------------------------
|
|
scripts/config --enable CONFIG_X86_KERNEL_IBT
|
|
scripts/config --enable CONFIG_CFI_CLANG
|
|
scripts/config --disable CONFIG_X86_VSYSCALL_EMULATION
|
|
scripts/config --enable CONFIG_LEGACY_VSYSCALL_NONE
|
|
|
|
# --- Remove legacy debug / attack surfaces -----------------------------------
|
|
scripts/config --disable CONFIG_DEVMEM
|
|
scripts/config --enable CONFIG_STRICT_DEVMEM
|
|
scripts/config --enable CONFIG_IO_STRICT_DEVMEM
|
|
scripts/config --disable CONFIG_DEVKMEM
|
|
scripts/config --disable CONFIG_DEBUG_FS
|
|
scripts/config --disable CONFIG_PROC_KCORE
|
|
|
|
# --- Optional, stricter ------------------------------------------------------
|
|
scripts/config --enable CONFIG_PANIC_ON_OOPS
|
|
scripts/config --set-val CONFIG_PANIC_TIMEOUT -1
|
|
|
|
make olddefconfig
|
|
|
|
make -s kernelrelease
|
|
grep -E '^(CONFIG_LOCALVERSION|CONFIG_LOCALVERSION_AUTO)=' .config || true
|
|
env | grep -E '^LOCALVERSION=' || true
|
|
|
|
touch build.log
|
|
|
|
# shellcheck disable=SC2312
|
|
if make -j"$(nproc)" bindeb-pkg 2>&1 | tee build.log; then
|
|
printf '%bBuild successful%b\n' '\e[92m' '\e[0m'
|
|
fi
|
|
|
|
exit 0
|
|
|
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|