From 0f41a67b016a865939cd7db4d987f467f81bd5bbdec8fbbee13dd3c5ecec2bf1 Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Tue, 28 Oct 2025 11:40:33 +0100 Subject: [PATCH] V8.13.294.2025.10.28 Signed-off-by: Marc S. Weidner --- .gitignore | 1 - ciss_live_builder.sh | 2 + docs/CHANGELOG.md | 2 + lib/lib_lb_build_start.sh | 10 +- lib/lib_lb_ciss_upgrades.sh | 44 ++ lib/lib_lb_config_write_trixie.sh | 2 - scripts/usr/lib/live/build/binary_rootfs.sh | 456 ++++++++++++++++++++ 7 files changed, 513 insertions(+), 4 deletions(-) create mode 100644 lib/lib_lb_ciss_upgrades.sh create mode 100644 scripts/usr/lib/live/build/binary_rootfs.sh diff --git a/.gitignore b/.gitignore index 80f0895..86b957e 100644 --- a/.gitignore +++ b/.gitignore @@ -10,7 +10,6 @@ # SPDX-Security-Contact: security@coresecret.eu .checklist/ .idea/ -build/ out/ target/ *.DS_Store diff --git a/ciss_live_builder.sh b/ciss_live_builder.sh index 5322cff..f740720 100644 --- a/ciss_live_builder.sh +++ b/ciss_live_builder.sh @@ -140,6 +140,7 @@ declare -gx VAR_SETUP="true" source_guard "./lib/lib_hardening_ultra.sh" source_guard "./lib/lib_helper_ip.sh" source_guard "./lib/lib_lb_build_start.sh" + source_guard "./lib/lib_lb_ciss_upgrades.sh" source_guard "./lib/lib_lb_config_start.sh" source_guard "./lib/lib_lb_config_write.sh" source_guard "./lib/lib_lb_config_write_trixie.sh" @@ -218,6 +219,7 @@ fi check_hooks hardening_ssh +lb_ciss_upgrade lb_config_start if [[ "${VAR_SUITE}" == "bookworm" ]]; then diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 8a31562..d582dd6 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md 
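Review bot: `lb_ciss_upgrade` is called unconditionally here, so every builder run rewrites `/usr/lib/live/build/binary_rootfs` on the host — a file owned by the live-build package — before `lb_config_start` has even decided what is being built, and the call's result is discarded. Unless the host is a throwaway CI runner that is a persistent host mutation and deserves an explicit opt-in switch; at minimum the outcome should be checked the way the rest of the builder treats failures, e.g. `lb_ciss_upgrade || exit "${ERR_UNCRITICAL}"`. Whether this script runs under `set -e` is not visible in the hunk, so I am assuming the return value would otherwise be ignored.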
@@ -14,6 +14,8 @@ include_toc: true ## V8.13.294.2025.10.28 * **Added**: [lib_lb_config_write_trixie.sh](../lib/lib_lb_config_write_trixie.sh) + mksquashfs-excludes +* **Added**: [lib_lb_ciss_upgrades.sh](../lib/lib_lb_ciss_upgrades.sh) + modifies '/usr/lib/live/build/...' scripts +* **Added**: [binary_rootfs.sh](../scripts/usr/lib/live/build/binary_rootfs.sh) + modifies binary_rootfs script * **Updated**: [generate_PRIVATE_trixie_1.yaml](../.gitea/workflows/generate_PRIVATE_trixie_1.yaml) + --sshfp * **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + update_initramfs=all COMPRESSLEVEL=10 * **Updated**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot) = rotate 90; maxage 90 diff --git a/lib/lib_lb_build_start.sh b/lib/lib_lb_build_start.sh index a889544..c38a606 100644 --- a/lib/lib_lb_build_start.sh +++ b/lib/lib_lb_build_start.sh @@ -15,11 +15,14 @@ guard_sourcing ####################################### # Wrapper to write a new 'lb config' environment. # Globals: -# ERR_UNCRITICAL +# SCRIPT_BASEPATH # VAR_BUILD_LOG # VAR_HANDLER_BUILD_DIR # Arguments: # None +# Returns: +# 0: on success +# ERR_UNCRITICAL: on failure ####################################### lb_build_start() { printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿ”จ Start Build... Log file: %s \e[0m\n" "${VAR_BUILD_LOG}" @@ -51,5 +54,10 @@ lb_build_start() { exit "${ERR_UNCRITICAL}" fi + + return 0 } +### Prevents accidental 'unset -f'. +# shellcheck disable=SC2034 +readonly -f lb_build_start # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/lib/lib_lb_ciss_upgrades.sh b/lib/lib_lb_ciss_upgrades.sh new file mode 100644 index 0000000..7c70514 --- /dev/null +++ b/lib/lib_lb_ciss_upgrades.sh 
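Review bot: The new `# Returns:` block in the first lib_lb_build_start.sh hunk (`0: on success` / `ERR_UNCRITICAL: on failure`) does not describe what the code does: the second hunk still shows `exit "${ERR_UNCRITICAL}"`, which terminates the whole builder rather than returning to the caller, and the first hunk drops `ERR_UNCRITICAL` from the Globals list even though the body keeps reading it. Either make the code match the contract with `return "${ERR_UNCRITICAL}"` (and check it at the call site), or keep the `exit` and document it honestly, e.g. restore `#   ERR_UNCRITICAL` under Globals and replace the Returns entry with `# Exits: ERR_UNCRITICAL on the failure path shown below`. The body of lb_build_start between the two hunks is outside this diff, so there may be further exit paths I cannot see.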
@@ -0,0 +1,44 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Wrapper to update '/usr/lib/live/build/...' scripts.
+# Globals:
+# SCRIPT_BASEPATH
+# VAR_BUILD_LOG
+# VAR_HANDLER_BUILD_DIR
+# Arguments:
+# None
+# Returns:
+# 0: on success
+#######################################
+lb_ciss_upgrade() {
+ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+
+ if [[ ! -e /usr/lib/live/build/binary_rootfs.original ]]; then
+ cp /usr/lib/live/build/binary_rootfs /usr/lib/live/build/binary_rootfs.original
+ chmod 0444 /usr/lib/live/build/binary_rootfs.original
+ fi
+
+ rm -f /usr/lib/live/build/binary_rootfs
+ install -m 0755 -o root -g root "${VAR_WORKDIR}/usr/lib/live/build/binary_rootfs.sh" /usr/lib/live/build/binary_rootfs
+
+ printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
+
+ return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f lb_ciss_upgrade
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
diff --git a/lib/lib_lb_config_write_trixie.sh b/lib/lib_lb_config_write_trixie.sh
index 1fe4583..4174448 100644
--- a/lib/lib_lb_config_write_trixie.sh
+++ b/lib/lib_lb_config_write_trixie.sh
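Review bot: `rm -f /usr/lib/live/build/binary_rootfs` runs before anything verifies that `${VAR_WORKDIR}/usr/lib/live/build/binary_rootfs.sh` exists, so an unset `VAR_WORKDIR` (the path then collapses to `/usr/lib/live/build/binary_rootfs.sh`) or a missing replacement deletes the host's live-build script and only then fails in `install`, leaving every later `lb` run on that machine broken. The header's Globals list (`SCRIPT_BASEPATH`, `VAR_BUILD_LOG`, `VAR_HANDLER_BUILD_DIR`) also does not match the body, which reads only `VAR_WORKDIR`. Because the target is owned by the live-build package, a later upgrade of that package silently restores the stock script while `binary_rootfs.original` stays behind, so the one-shot `cp` backup does not track what is actually installed; `dpkg-divert` gives both the backup and persistence across upgrades. The rewrite below keeps the function name and messages but returns non-zero instead of touching the host when the replacement is absent — callers that rely on the unconditional `return 0` would need to check it.
```shell
lb_ciss_upgrade() {
  # … unchanged: "starting" banner …
  local src="${VAR_WORKDIR:?VAR_WORKDIR must be set}/usr/lib/live/build/binary_rootfs.sh"
  local dst="/usr/lib/live/build/binary_rootfs"

  # Refuse to touch the host before the replacement is known to exist.
  if [[ ! -f "${src}" ]]; then
    printf '%s: replacement script not found: %s\n' "${BASH_SOURCE[0]}" "${src}" >&2
    return "${ERR_UNCRITICAL:-1}"
  fi

  # Divert the package-owned script so that an upgrade of live-build does not
  # silently revert the replacement; the diversion also serves as the backup.
  if ! dpkg-divert --list "${dst}" | grep -q .; then
    dpkg-divert --add --rename --divert "${dst}.original" "${dst}"
    chmod 0444 "${dst}.original"
  fi

  install -m 0755 -o root -g root "${src}" "${dst}"
  # … unchanged: success banner, return 0 …
}
```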
@@ -124,9 +124,7 @@ debootstrap
 debootstrap/*
 root/.wget-hsts
 tmp/*
-usr/lib/firmware/amd/*
 usr/lib/firmware/amd-ucode/*
-usr/lib/firmware/amdtee/*
 usr/lib/firmware/intel-ucode/*
 var/cache/apt/pkgcache.bin
 var/cache/apt/srcpkgcache.bin
diff --git a/scripts/usr/lib/live/build/binary_rootfs.sh b/scripts/usr/lib/live/build/binary_rootfs.sh
new file mode 100644
index 0000000..81c8e7d
--- /dev/null
+++ b/scripts/usr/lib/live/build/binary_rootfs.sh
@@ -0,0 +1,456 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2006-2015 Daniel Baumann +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: GPL-3.0-or-later +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu + +## Modified Version of the original file: + +## live-build(7) - System Build Scripts +## Copyright (C) 2016-2020 The Debian Live team +## Copyright (C) 2006-2015 Daniel Baumann +## +## This program comes with ABSOLUTELY NO WARRANTY; for details see COPYING. +## This is free software, and you are welcome to redistribute it +## under certain conditions; see COPYING for details. + +set -e + +# Including common functions +if [[ -e "${LIVE_BUILD}/scripts/build.sh" ]]; then + . "${LIVE_BUILD}/scripts/build.sh" +else + . /usr/lib/live/build.sh +fi + +# Setting static variables +# shellcheck disable=SC2034 +DESCRIPTION="Build rootfs image" +# shellcheck disable=SC2034 +USAGE="${PROGRAM} [--force]" + +# Processing arguments and configuration files +Init_config_data "${@}" + +Echo_message "Begin building root filesystem image..." 
+ +# Requiring a stage file +Require_stagefiles config bootstrap binary_chroot + +# Checking stage file +Check_stagefile + +# Acquire a lock file +Acquire_lockfile + +case "${LB_ARCHITECTURE}" in + amd64|i386) + # shellcheck disable=SC2034 + LINUX="vmlinuz" + ;; + + powerpc|ppc64el|riscv64) + # shellcheck disable=SC2034 + LINUX="vmlinux" + ;; +esac + +case "${LB_INITRAMFS}" in + live-boot|dracut-live) + INITFS="live" + ;; + + *) + INITFS="boot" + ;; +esac + +# Creating directory +mkdir -p "binary/${INITFS}" + +if In_list "rootfs" "${LB_CACHE_STAGES}" && [[ -d cache/binary_rootfs ]] +then + # Removing old chroot + rm -rf binary/"${INITFS}"/filesystem.* + + # Restoring old cache + mkdir -p binary/"${INITFS}" + cp -a cache/binary_rootfs/filesystem.* binary/"${INITFS}" + + # Creating a stage file + Create_stagefile + exit 0 +fi + +case "${LB_CHROOT_FILESYSTEM}" in + ext2|ext3|ext4) + # Checking depends + Check_package chroot "/sbin/mkfs.${LB_CHROOT_FILESYSTEM}" e2fsprogs + + # Restoring cache + Restore_package_cache binary + + # Installing depends + Install_packages + + # Remove old image + if [[ -f "binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}" ]] + then + rm -f "binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}" + fi + + case "${LB_BUILD_WITH_CHROOT}" in + true) + # shellcheck disable=SC2312 + DU_DIM="$(du -ms chroot/chroot | cut -f1)" + # shellcheck disable=SC2312 + INODES="$(find chroot/chroot | wc -l)" + ;; + + false) + # shellcheck disable=SC2312 + DU_DIM="$(du -ms chroot | cut -f1)" + # shellcheck disable=SC2312 + INODES="$(find chroot | wc -l)" + ;; + esac + + REAL_DIM="$(Calculate_partition_size "${DU_DIM}" "${LB_CHROOT_FILESYSTEM}")" + REAL_INODES="$(Calculate_partition_size "${INODES}" "${LB_CHROOT_FILESYSTEM}")" + + case "${LB_BUILD_WITH_CHROOT}" in + true) + dd if="/dev/zero of=chroot/filesystem.${LB_CHROOT_FILESYSTEM}" bs=1024k count=0 seek="${REAL_DIM}" + + FAKE_MTAB=false + if ! 
Chroot chroot "test -e /etc/mtab" + then + Chroot chroot "ln -s /proc/mounts/mtab /etc/mtab" + FAKE_MTAB=true + fi + BLOCK_SIZE=1024 + if [[ "${LB_DM_VERITY}" = "true" ]] + then + # Module dm-verity needs a block size of at least 4k + BLOCK_SIZE=4096 + fi + Chroot chroot "mkfs.${LB_CHROOT_FILESYSTEM} -F -b ${BLOCK_SIZE} -N ${REAL_INODES} -m 0 filesystem.${LB_CHROOT_FILESYSTEM}" + + mkdir -p filesystem.tmp + mount -o loop "chroot/filesystem.${LB_CHROOT_FILESYSTEM}" filesystem.tmp + cp -a chroot/chroot/* filesystem.tmp + + if "${FAKE_MTAB}"; then + Chroot chroot "rm -f /etc/mtab" + fi + + umount filesystem.tmp + rmdir filesystem.tmp + + # Move image + mv "chroot/filesystem.${LB_CHROOT_FILESYSTEM}" "binary/${INITFS}" + + # shellcheck disable=SC2312 + du -B 1 -s chroot/chroot | cut -f1 > "binary/${INITFS}/filesystem.size" + + # Removing depends + Remove_packages + + if [[ -e chroot/chroot.cache ]] + then + Remove_lockfile + mv chroot/chroot chroot.tmp + + lb chroot_prep remove all mode-archives-binary "${@}" + + rm -rf chroot + mv chroot.tmp chroot + + lb chroot_prep install all mode-archives-binary "${@}" + + touch .lock + else + rm -rf chroot/chroot + fi + ;; + + false) + dd if="/dev/zero of=binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}" bs=1024k count=0 seek="${REAL_DIM}" + "mkfs.${LB_CHROOT_FILESYSTEM}" -F -b 1024 -N "${REAL_INODES}" -m 0 "binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}" + + mkdir -p filesystem.tmp + mount -o loop "binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}" filesystem.tmp + cp -a chroot/* filesystem.tmp + + umount filesystem.tmp + rmdir filesystem.tmp + ;; + esac + + # Saving cache + Save_package_cache binary + ;; + + jffs2) + # Checking depends + Check_package chroot /usr/sbin/mkfs.jffs2 mtd-tools + + # Restoring cache + Restore_package_cache binary + + # Installing depends + Install_packages + + # Remove old jffs2 image + if [[ -f "binary/${INITFS}/filesystem.jffs2" ]] + then + rm -f "binary/${INITFS}/filesystem.jffs2" + fi + 
+ if [[ -n "${LB_JFFS2_ERASEBLOCK}" ]] + then + JFFS2_OPTIONS="--eraseblock=${LB_JFFS2_ERASEBLOCK}" + fi + + case "${LB_BUILD_WITH_CHROOT}" in + true) + Chroot chroot "mkfs.jffs2 ${JFFS2_OPTIONS} --root=chroot --output filesystem.jffs2" + + # Move image + mv chroot/filesystem.jffs2 "binary/${INITFS}" + + # Removing depends + Remove_packages + + if [[ -e chroot/chroot.cache ]] + then + Remove_lockfile + mv chroot/chroot chroot.tmp + + lb chroot_prep remove all mode-archives-binary "${@}" + + rm -rf chroot + mv chroot.tmp chroot + + lb chroot_prep install all mode-archives-binary "${@}" + + touch .lock + else + rm -rf chroot/chroot + fi + ;; + + false) + mkfs.jffs2 "${JFFS2_OPTIONS}" --root=chroot --output "binary/${INITFS}/filesystem.jffs2" + ;; + esac + + # Saving cache + Save_package_cache binary + ;; + + plain) + if [[ -d "binary/${INITFS}/filesystem.dir" ]] + then + rm -rf "binary/${INITFS}/filesystem.dir" + fi + + case "${LB_BUILD_WITH_CHROOT}" in + true) + if [[ -e chroot/chroot.cache ]] + then + # Different from the other LB_CHROOT_FILESYSTEM values: + # continue working in the bootstrap chroot, not the generated chroot. + # This saves the time to create a full copy of the generated chroot. + cp -a chroot/chroot/boot chroot + mv chroot/chroot "binary/${INITFS}/filesystem.dir" + else + rm -fr chroot/chroot + + # Removing depends + Remove_packages + fi + ;; + + false) + cp -a chroot "binary/${INITFS}/filesystem.dir" + ;; + esac + ;; + + squashfs) + # Checking depends + Check_package chroot /usr/share/doc/squashfs-tools squashfs-tools + + # Restoring cache + Restore_package_cache binary + + # Installing depends + Install_packages + + Echo_message "Preparing squashfs image..." + Echo_message "This may take a while." 
+ + # Remove old squashfs image + if [[ -f "binary/${INITFS}/filesystem.squashfs" ]] + then + rm -f "binary/${INITFS}/filesystem.squashfs" + fi + + # Remove stale squashfs image + rm -f chroot/filesystem.squashfs + + # Do not display the progress bar if: + # - Run with --quiet, or + # - stdin is not a terminal (e.g., in CI, cron, etc.) + if [[ "${_QUIET}" = "true" ]] || [[ ! -t 0 ]] + then + MKSQUASHFS_OPTIONS="-no-progress ${MKSQUASHFS_OPTIONS}" + fi + + if [[ "${_VERBOSE}" = "true" ]] + then + MKSQUASHFS_OPTIONS="-info ${MKSQUASHFS_OPTIONS}" + fi + + if [[ -f config/rootfs/squashfs.sort ]] + then + MKSQUASHFS_OPTIONS="-sort squashfs.sort ${MKSQUASHFS_OPTIONS}" + + case "${LB_BUILD_WITH_CHROOT}" in + true) + cp -a config/rootfs/squashfs.sort chroot + ;; + + false) + cp -a config/rootfs/squashfs.sort . + ;; + esac + fi + + # Set squashfs compression type or default to xz + if [[ -n "${LB_CHROOT_SQUASHFS_COMPRESSION_TYPE}" ]] + then + MKSQUASHFS_OPTIONS="-comp ${LB_CHROOT_SQUASHFS_COMPRESSION_TYPE} ${MKSQUASHFS_OPTIONS}" + else + MKSQUASHFS_OPTIONS="-comp xz ${MKSQUASHFS_OPTIONS}" + fi + + if [[ -n "${LB_CHROOT_SQUASHFS_COMPRESSION_LEVEL}" ]] + then + MKSQUASHFS_OPTIONS="-Xcompression-level ${LB_CHROOT_SQUASHFS_COMPRESSION_LEVEL} ${MKSQUASHFS_OPTIONS}" + fi + + case "${LB_BUILD_WITH_CHROOT}" in + true) + if [[ -e config/rootfs/excludes ]] + then + + printf "\e[95m[INFO] Found: [config/rootfs/excludes] \n\e[0m" + + cp -a config/rootfs/excludes chroot/excludes + + if [[ -e chroot/excludes ]] + then + + printf "\e[95m[INFO] Found: [chroot/excludes] \n\e[0m" + cat chroot/excludes + + fi + + printf "\e[95m[INFO] MKSQUASHFS_OPTIONS='%s' \n\e[0m" "${MKSQUASHFS_OPTIONS}" + + MKSQUASHFS_OPTIONS="-wildcards -ef /excludes ${MKSQUASHFS_OPTIONS}" + + printf "\e[95m[INFO] MKSQUASHFS_OPTIONS='%s' \n\e[0m" "${MKSQUASHFS_OPTIONS}" + + fi + + # Create image + Chroot chroot "nice -n 17 mksquashfs chroot filesystem.squashfs ${MKSQUASHFS_OPTIONS}" + + rm -f chroot/excludes + + # Move 
image + mv chroot/filesystem.squashfs "binary/${INITFS}" + rm -f chroot/squashfs.sort + + # Removing depends + Remove_packages + + if [[ -e chroot/chroot.cache ]] + then + Remove_lockfile + mv chroot/chroot chroot.tmp + + lb chroot_prep remove all mode-archives-binary "${@}" + + rm -rf chroot + mv chroot.tmp chroot + + lb chroot_prep install all mode-archives-binary "${@}" + + touch .lock + else + rm -rf chroot/chroot + fi + ;; + + false) + if [[ -e config/rootfs/excludes ]] + then + MKSQUASHFS_OPTIONS="-wildcards -ef config/rootfs/excludes ${MKSQUASHFS_OPTIONS}" + fi + + nice -n 19 mksquashfs chroot "binary/${INITFS}/filesystem.squashfs" "${MKSQUASHFS_OPTIONS}" + ;; + esac + + chmod 0644 "binary/${INITFS}/filesystem.squashfs" + + # Saving cache + Save_package_cache binary + ;; + + none) + if [[ -d binary ]] + then + rm -rf binary + fi + + case "${LB_BUILD_WITH_CHROOT}" in + true) + mv chroot/chroot binary + ;; + + false) + Echo_message "This may take a while." + cp -a chroot binary + ;; + esac + ;; + +esac + +if In_list "rootfs" "${LB_CACHE_STAGES}" +then + rm -rf cache/binary_rootfs + + mkdir -p cache/binary_rootfs + + if [[ "${LB_CHROOT_FILESYSTEM}" != "none" ]] + then + cp -a binary/"${INITFS}"/filesystem.* cache/binary_rootfs + fi +fi + +# Creating a stage file +Create_stagefile + +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
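Review bot: Both `dd` calls in the `ext2|ext3|ext4` branch are mis-quoted: `dd if="/dev/zero of=chroot/filesystem.${LB_CHROOT_FILESYSTEM}" ...` hands dd a single `if=` operand literally named `/dev/zero of=chroot/filesystem.ext4` and no `of=` at all, so the sparse image file is never created and `set -e` aborts the build right there (the `false)` arm has the same defect). The same over-quoting breaks the non-chroot arms further down: `MKSQUASHFS_OPTIONS` and `JFFS2_OPTIONS` are assembled as space-separated strings, but `"${MKSQUASHFS_OPTIONS}"` and `"${JFFS2_OPTIONS}"` pass them as one argument (an empty one when `JFFS2_OPTIONS` is unset), so `-comp`, `-wildcards` and `-ef config/rootfs/excludes` do not reach mksquashfs as options; if the tool tolerates that at all, the files the excludes list exists to keep out of the image (apt caches, `root/.wget-hsts`, `tmp/*`) could end up in the shipped squashfs. Only the `LB_BUILD_WITH_CHROOT=true` paths, which interpolate the string into the `Chroot` command line, are unaffected. Converting the option strings to arrays throughout would be the cleaner fix; the excerpt below keeps the change local.
```shell
# … unchanged: size calculation …
dd if=/dev/zero of="chroot/filesystem.${LB_CHROOT_FILESYSTEM}" bs=1024k count=0 seek="${REAL_DIM}"
# … unchanged: mkfs/mount/copy in the LB_BUILD_WITH_CHROOT=true arm …
dd if=/dev/zero of="binary/${INITFS}/filesystem.${LB_CHROOT_FILESYSTEM}" bs=1024k count=0 seek="${REAL_DIM}"
# … unchanged: jffs2 chroot arm …
# Only pass the eraseblock option when it was set; "${JFFS2_OPTIONS}" would pass an empty argument.
mkfs.jffs2 ${JFFS2_OPTIONS:+"${JFFS2_OPTIONS}"} --root=chroot --output "binary/${INITFS}/filesystem.jffs2"
# … unchanged: plain, squashfs chroot arm …
# Split the option string into words, as the Chroot arm does implicitly.
read -r -a mksquashfs_opts <<< "${MKSQUASHFS_OPTIONS}"
nice -n 19 mksquashfs chroot "binary/${INITFS}/filesystem.squashfs" "${mksquashfs_opts[@]}"
```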