From 311074c1d39652c5b6d8d53fb93aa553172096c3a64193b02d24bf1fb0997ced Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Tue, 28 Oct 2025 19:14:45 +0100 Subject: [PATCH] V8.13.294.2025.10.28 Signed-off-by: Marc S. Weidner --- .../hooks/live/0000_basic_chroot_setup.chroot | 7 +-- .../hooks/live/0001_initramfs_modules.chroot | 8 +-- .../hooks/live/0002_verify_checksums.chroot | 8 +-- config/hooks/live/0003_cdi_autostart.chroot | 52 +++++++++++++++++++ docs/CHANGELOG.md | 12 ++--- lib/lib_cdi.sh | 18 ++++--- lib/lib_ciss_upgrades.sh | 4 +- lib/lib_lb_config_write_trixie.sh | 23 ++++++-- scripts/0010_dhcp_supersede.sh | 32 ++++++------ scripts/live-boot/0030-verify-checksums | 8 +-- scripts/usr/local/.keep | 10 ++++ .../config => local/sbin}/9999-cdi-starter | 0 12 files changed, 133 insertions(+), 49 deletions(-) create mode 100644 config/hooks/live/0003_cdi_autostart.chroot create mode 100644 scripts/usr/local/.keep rename scripts/usr/{lib/live/config => local/sbin}/9999-cdi-starter (100%) diff --git a/config/hooks/live/0000_basic_chroot_setup.chroot b/config/hooks/live/0000_basic_chroot_setup.chroot index 1d7e990..b749211 100644 --- a/config/hooks/live/0000_basic_chroot_setup.chroot +++ b/config/hooks/live/0000_basic_chroot_setup.chroot @@ -201,10 +201,11 @@ apt-get update -qq apt-get install -y --no-install-suggests libpam-systemd if [[ -f /root/.architecture ]]; then - apt-get install -y --no-install-suggests amd64-microcode intel-microcode -fi -[[ -f /root/.architecture ]] && rm -f /root/.architecture + apt-get install -y --no-install-suggests amd64-microcode intel-microcode + rm -f /root/.architecture + +fi mkdir -p /root/.ciss/dlb/{backup,log} chmod 0700 /root/.ciss/dlb/{backup,log} diff --git a/config/hooks/live/0001_initramfs_modules.chroot b/config/hooks/live/0001_initramfs_modules.chroot index d4dea52..e2ca7b9 100644 --- a/config/hooks/live/0001_initramfs_modules.chroot +++ b/config/hooks/live/0001_initramfs_modules.chroot 
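Review bot: The rewritten `if [[ -f /root/.architecture ]]` block in 0000_basic_chroot_setup.chroot ends with a stray empty line between `rm -f /root/.architecture` and `fi`, which reads like a statement that was dropped; remove the blank line so the block is simply `apt-get install … amd64-microcode intel-microcode` / `rm -f /root/.architecture` / `fi`. Folding the removal of the marker file into the same conditional is the right replacement for the old duplicated `[[ -f … ]] &&` test. A one-line comment above the `if` saying who creates `/root/.architecture` and why it is consumed here would help, since neither is visible in this hook. The script continues outside the hunk.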
@@ -300,10 +300,10 @@ COMPRESS=zstd # Defaults vary by compressor. # # Valid values are: -# 1-9 for gzip|bzip2|lzma|lzop -# 0-9 for lz4|xz -# 0-19 for zstd -COMPRESSLEVEL=10 +# 1...9 for gzip|bzip2|lzma|lzop +# 0...9 for lz4|xz +# 0...19 for zstd +COMPRESSLEVEL=16 # # DEVICE: ... diff --git a/config/hooks/live/0002_verify_checksums.chroot b/config/hooks/live/0002_verify_checksums.chroot index 26c5d83..6cca940 100644 --- a/config/hooks/live/0002_verify_checksums.chroot +++ b/config/hooks/live/0002_verify_checksums.chroot @@ -111,12 +111,12 @@ Verify_checksums() { if [ -e "${_CHECKSUM}" ]; then #echo "Found ${_CHECKSUM}..." > "${_TTY}" - log_begin_msg "Found ${_CHECKSUM}..." + printf "Found %s...\n" "${_CHECKSUM}" if [ -e "/bin/${_DIGEST}sum" ]; then #echo "Checking ${_CHECKSUM}..." > "${_TTY}" - log_begin_msg "Checking ${_CHECKSUM}..." + printf "Checking %s...\n" "${_CHECKSUM}" # Verify checksums # shellcheck disable=SC2312 @@ -129,7 +129,7 @@ Verify_checksums() { else #echo "Not found /bin/${_DIGEST}sum..." > "${_TTY}" - log_begin_msg "Not found /bin/${_DIGEST}sum...." + printf "Not found /bin/%ssum....\n" "${_DIGEST}" fi @@ -144,7 +144,7 @@ Verify_checksums() { case "${_RETURN}" in 0) - log_success_msg "Verification of ${_CHECKSUMS[*]} successful; continuing booting in 8 seconds." + log_success_msg "Verification of checksums successful; continuing booting in 8 seconds." sleep 8 return 0 ;; diff --git a/config/hooks/live/0003_cdi_autostart.chroot b/config/hooks/live/0003_cdi_autostart.chroot new file mode 100644 index 0000000..0d74efd --- /dev/null +++ b/config/hooks/live/0003_cdi_autostart.chroot 
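Review bot: `COMPRESSLEVEL=16` in the initramfs configuration written by 0001_initramfs_modules.chroot changes the zstd level from 10 without a comment on why, and the docs/CHANGELOG.md hunks in this same commit still carry `0001_initramfs_modules.chroot + update_initramfs=all COMPRESSLEVEL=10` as context, so documentation and code now disagree. Add a short why-comment above the assignment, e.g. `# zstd level 16 (valid 0...19): trades build time for a smaller initrd`, and update the changelog entry to match. The here-doc this hunk edits begins and ends outside the hunk.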
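Review bot: In `Verify_checksums()` (all three hunks of 0002_verify_checksums.chroot, and the identical hunks in scripts/live-boot/0030-verify-checksums) the progress messages switch from `log_begin_msg` to a bare `printf` on stdout, while the result on the last hunk still goes through `log_success_msg`, so one function now reports on two channels; the commented `echo … > "${_TTY}"` line above each call suggests stdout was not treated as the console here, so under a quiet boot these lines may not be seen at all — confirm where stdout goes for this hook. If the motive is that `log_begin_msg` leaves a pending `log_end_msg`, the consistent minimal form is `log_begin_msg "Found ${_CHECKSUM}..."; log_end_msg` per message, or, if `_TTY` is still set, `printf "Found %s...\n" "${_CHECKSUM}" > "${_TTY}"`. Dropping `${_CHECKSUMS[*]}` from the success message also removes a bash array expansion from what is presumably a /bin/sh initramfs script, which deserves a one-line comment so nobody reintroduces it. The function body begins and ends outside these hunks.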
@@ -0,0 +1,52 @@ +#!/bin/bash +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu +set -Ceuo pipefail + +printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" + +if [[ -f /root/.cdi ]]; then + + cat << EOF >| /etc/systemd/system/cdi-starter.service +[Unit] +Description=CISS CDI post-boot starter +Documentation=https://git.coresecret.dev/msw/CISS.debian.live.builder.git +ConditionPathExists=/usr/local/sbin/9999-cdi-starter.sh +After=live-config.service systemd-user-sessions.service getty.target +Wants=network-online.target +After=network-online.target NetworkManager-wait-online.service systemd-networkd-wait-online.service + +[Service] +Type=idle +ExecStart=/usr/local/sbin/9999-cdi-starter.sh +TimeoutStartSec=1min +Nice=5 +IOSchedulingClass=best-effort +Environment=LANG=C.UTF-8 +StandardOutput=journal +StandardError=journal + +[Install] +WantedBy=multi-user.target +EOF + + chmod 0644 /etc/systemd/system/cdi-starter.service + + systemctl enable cdi-starter.service + + rm -f /root/.cdi + +fi + +printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" + +exit 0 +# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 79c8a1b..9ab6b89 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md 
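Review bot: In the `cdi-starter.service` unit written by the here-doc, `Type=idle` together with `TimeoutStartSec=1min` does not bound the runtime of `/usr/local/sbin/9999-cdi-starter.sh`: for idle (as for simple) the unit counts as started as soon as its main process is forked, so a slow starter never hits the 1-minute start timeout. If the intent is a wall-clock cap on the starter, use `RuntimeMaxSec=1min`; if the intent is that `multi-user.target` waits for the starter to complete, use `Type=oneshot` with `RemainAfterExit=yes` instead. The unit also runs as root with no sandboxing directives; whether `ProtectHome=`, `ProtectSystem=` or `NoNewPrivileges=` are applicable depends on what 9999-cdi-starter writes, which this patch does not show, so that is something to evaluate rather than a defect. A one-line comment above the here-doc stating what the starter does and why it must be ordered after `network-online.target` would help the next reader.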
@@ -21,7 +21,7 @@ include_toc: true * **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + update_initramfs=all COMPRESSLEVEL=10 * **Updated**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot) = rotate 90; maxage 90 * **Updated**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot) = rotate 90 -* **Updated**: [9999-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter) = unified logging +* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999-cdi-starter) = unified logging ## V8.13.292.2025.10.27 * **Updated**: [alias](../config/includes.chroot/root/.ciss/alias) = modified trel() @@ -29,7 +29,7 @@ include_toc: true ## V8.13.290.2025.10.26 * **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + ESP/FAT/UEFI mods * **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot) -* **Updated**: [9999-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter) Preparations for CISS and PhysNet primordial-workflow™. +* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999-cdi-starter) Preparations for CISS and PhysNet primordial-workflow™. ## V8.13.288.2025.10.24 * **Added**: Preparations for CISS and PhysNet primordial-workflow™. 
@@ -52,7 +52,7 @@ include_toc: true * **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot) unified auditd configuration, removed success rules * **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot) + apt-get dist-upgrade -y * **Updated**: [login.defs](../config/includes.chroot/etc/login.defs) -* **Updated**: [9999-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter) +* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999-cdi-starter) ## V8.13.256.2025.10.21 * **Updated**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot) @@ -83,7 +83,7 @@ include_toc: true * **Changed**: [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot) ## V8.13.142.2025.10.14 -* **Updated**: [9999-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter) +* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999-cdi-starter) ## V8.13.132.2025.10.11 * **Added**: [REPOSITORY.md](../REPOSITORY.md) @@ -118,7 +118,7 @@ include_toc: true * **Added**: [lib_note_target.sh](../lib/lib_note_target.sh) * **Updated**: [lib_trap_on_err.sh](../lib/lib_trap_on_err.sh) * **Updated**: [lib_trap_on_exit.sh](../lib/lib_trap_on_exit.sh) -* **Updated**: [9999-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter) +* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999-cdi-starter) * **Updated**: [9980_usb_guard.chroot](../config/hooks/live/9980_usb_guard.chroot) * **Updated**: [9998_sources_list_bookworm.chroot](../config/hooks/live/9998_sources_list_bookworm.chroot) * **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot) 
@@ -130,7 +130,7 @@ include_toc: true ## V8.13.048.2025.10.06 * **Updated**: Debian 13 LIVE ISO workflows to use Kernel: ``6.16.3+deb13-amd64`` * **Updated**: Debian 13 LIVE ISO workflows to use argument: ``--cdi`` -* **Updated**: [9000-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter) +* **Updated**: [9000-cdi-starter](../scripts/usr/local/sbin/9999-cdi-starter) ## V8.13.032.2025.10.03 * **Added**: Internal Gitea Action Runner switch for static SSHFP records. diff --git a/lib/lib_cdi.sh b/lib/lib_cdi.sh index 9d5d46c..5a8b94f 100644 --- a/lib/lib_cdi.sh +++ b/lib/lib_cdi.sh 
@@ -30,21 +30,24 @@ cdi() { if [[ "${VAR_HANDLER_CDI}" == "true" ]]; then - if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config" ]]; then + touch "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.cdi" + chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.cdi" - mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config" + if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin" ]]; then + + mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin" fi - cp "${VAR_WORKDIR}/scripts/usr/lib/live/config/9999-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9999-cdi-starter" - chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9999-cdi-starter" - chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9999-cdi-starter" + cp "${VAR_WORKDIR}/scripts/usr/local/sbin/9999-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999-cdi-starter.sh" + chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999-cdi-starter.sh" + chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999-cdi-starter.sh" declare tmp_entry tmp_entry="$(mktemp)" cat << EOF >| "${tmp_entry}" menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i { - linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums components splash nopersistence toram ramdisk-size=1024M swap=true noautologin nottyautologin nox11autologin noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Etc/UTC apparmor=1 security=apparmor audit_backlog_limit=8192 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 
mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path} + linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums components splash nopersistence toram ramdisk-size=1024M swap=true noautologin nottyautologin nox11autologin noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Etc/UTC apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path} initrd /live/initrd.img-${VAR_KERNEL} } EOF @@ -59,9 +62,12 @@ EOF }" "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-pc/grub.cfg" rm -f "${tmp_entry}" + else + # shellcheck disable=SC1003 sed -i '/#MUST_BE_REPLACED/c\\' "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg" + fi printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}" diff --git a/lib/lib_ciss_upgrades.sh b/lib/lib_ciss_upgrades.sh index 1d45e97..221e4f8 100644 --- a/lib/lib_ciss_upgrades.sh +++ b/lib/lib_ciss_upgrades.sh 
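Review bot: The `cp` / `chmod 0755` / `chown root:root` triple that installs `9999-cdi-starter.sh` spells the destination path three times, while lib_ciss_upgrades.sh in this same commit does the same job with one `install -m 0755 -o root -g root SRC DST`; using `install -D -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/usr/local/sbin/9999-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999-cdi-starter.sh"` here also makes the preceding `if [[ ! -d … ]]; then mkdir -p …; fi` unnecessary (`mkdir -p` is idempotent on its own in any case). The source is tracked as `9999-cdi-starter` but installed as `9999-cdi-starter.sh`, and the unit's `ConditionPathExists=`/`ExecStart=` in 0003_cdi_autostart.chroot depend on that exact name; a comment next to the copy naming this coupling would prevent a future rename from silently disabling the service, since `ConditionPathExists` fails quietly rather than erroring. The raise of `audit_backlog_limit` from 8192 to 262144 is buried in a very long kernel command line and is not mentioned in the changelog hunks; a short note on the motivation would help. `cdi()` begins before this hunk.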
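Review bot: The new `else` branch runs `sed -i '/#MUST_BE_REPLACED/c\\' …/grub-efi/grub.cfg` only against the EFI config, while the `if` branch, per its visible context, also edits `grub-pc/grub.cfg`; if grub-pc/grub.cfg carries the same `#MUST_BE_REPLACED` placeholder, a non-CDI build ships it unreplaced there — worth confirming. The `c\\` form, which appears to replace the placeholder line with an empty line, is cryptic enough that the disable line should carry the intent, e.g. `# shellcheck disable=SC1003 -- 'c\\' replaces the placeholder line with an empty line (no CDI menu entry)`. The if/else belongs to `cdi()`, which begins before the hunk.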
@@ -31,8 +31,8 @@ ciss_upgrades() { chmod 0444 /usr/lib/live/build/binary_rootfs.original fi - #rm -f /usr/lib/live/build/binary_rootfs - #install -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/usr/lib/live/build/binary_rootfs.sh" /usr/lib/live/build/binary_rootfs + rm -f /usr/lib/live/build/binary_rootfs + install -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/usr/lib/live/build/binary_rootfs.sh" /usr/lib/live/build/binary_rootfs printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}" diff --git a/lib/lib_lb_config_write_trixie.sh b/lib/lib_lb_config_write_trixie.sh index 015e909..1fe4583 100644 --- a/lib/lib_lb_config_write_trixie.sh +++ b/lib/lib_lb_config_write_trixie.sh @@ -115,10 +115,25 @@ lb_config_write_trixie() { ### https://wiki.debian.org/ReproducibleInstalls/LiveImages ### https://reproducible-builds.org/docs/system-images/ ### https://gitlab.tails.boum.org/tails/tails/-/blob/stable/config/chroot_local-includes/usr/share/tails/build/mksquashfs-excludes - #mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/rootfs" - #cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes" -#EOF - #chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes" + mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/rootfs" + cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes" +boot/initrd.img-* +boot/vmlinux-* +boot/vmlinuz-* +debootstrap +debootstrap/* +root/.wget-hsts +tmp/* +usr/lib/firmware/amd/* +usr/lib/firmware/amd-ucode/* +usr/lib/firmware/amdtee/* +usr/lib/firmware/intel-ucode/* +var/cache/apt/pkgcache.bin +var/cache/apt/srcpkgcache.bin +var/lib/apt/lists/* +var/lib/initramfs-tools/*-amd64 +EOF + chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Writing new config done.\e[0m\n" diff --git a/scripts/0010_dhcp_supersede.sh b/scripts/0010_dhcp_supersede.sh index 7f80c67..90474f3 100644 --- a/scripts/0010_dhcp_supersede.sh 
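Review bot: Activating `rm -f /usr/lib/live/build/binary_rootfs` plus `install … binary_rootfs.sh /usr/lib/live/build/binary_rootfs` overwrites a file owned by the host's live-build package in place, so the next upgrade of live-build silently restores the stock script and the project-specific rootfs changes vanish without any error. Register the override with dpkg instead, `dpkg-divert --local --rename --add /usr/lib/live/build/binary_rootfs` before the `install`, which survives package upgrades and is reversible; the `.original` copy taken in the lines above then becomes redundant. A comment stating which live-build version the replacement `binary_rootfs.sh` was derived from would make later rebases tractable, since the patch does not show the script itself. `ciss_upgrades()` begins before the hunk.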
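Review bot: The new `config/rootfs/excludes` keeps `usr/lib/firmware/amd-ucode/*` and `usr/lib/firmware/intel-ucode/*` out of the squashfs while 0000_basic_chroot_setup.chroot in this same commit installs `amd64-microcode` and `intel-microcode` into the chroot; that is consistent only if microcode is meant to reach the CPU solely through the initramfs early-load path, and it rules out late loading from the running system. State that assumption in a comment above the here-doc, e.g. `# microcode is shipped in the initrd (early load); keep /usr/lib/firmware/*-ucode out of the rootfs`, and likewise say why `usr/lib/firmware/amd/*` and `var/lib/initramfs-tools/*-amd64` are excluded, since neither is obvious. Listing both `debootstrap` and `debootstrap/*` is presumably redundant, as excluding the directory already drops its contents; one form should suffice. `lb_config_write_trixie()` begins before the hunk.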
+++ b/scripts/0010_dhcp_supersede.sh @@ -43,34 +43,34 @@ cat << 'EOF' >> "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcpcd.con # SPDX-Security-Contact: security@coresecret.eu ### No Global APIPA-Fallback. -#noipv4ll +noipv4ll ### A ServerID is required by RFC2131. -#require dhcp_server_identifier +require dhcp_server_identifier ### Respect the network MTU. This is applied to DHCP routes. -#option interface_mtu +option interface_mtu ### A list of options to request from the DHCP server. -#option host_name -#option domain_name -#option domain_search -#option rapid_commit - -### Most distributions have NTP support. -#option ntp_servers - -### Ask server to update both A and PTR via FQDN (RFC 4702 semantics). -#fqdn both - -###----------------------------------------------------------------------------------------------------------------------------- -### Global defaults for all interfaces. option host_name option domain_name option domain_search +option rapid_commit + +### Most distributions have NTP support. +option ntp_servers ### Ask server to update both A and PTR via FQDN (RFC 4702 semantics). fqdn both + +###----------------------------------------------------------------------------------------------------------------------------- +### Global defaults for all interfaces. +#option host_name +#option domain_name +#option domain_search + +### Ask server to update both A and PTR via FQDN (RFC 4702 semantics). +#fqdn both ###----------------------------------------------------------------------------------------------------------------------------- ### Enforce static DNS and prevent dhcpcd from writing 'resolv.conf'. diff --git a/scripts/live-boot/0030-verify-checksums b/scripts/live-boot/0030-verify-checksums index 2084518..b0d492d 100644 --- a/scripts/live-boot/0030-verify-checksums +++ b/scripts/live-boot/0030-verify-checksums 
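Review bot: The dhcpcd.conf here-doc now activates `option ntp_servers` (alongside `option rapid_commit`), which asks every DHCP server for NTP servers; dhcpcd's ntp hook then writes whatever the network hands out into the local time configuration, which sits oddly next to the section whose visible context line exists to `Enforce static DNS and prevent dhcpcd from writing 'resolv.conf'`. Unless `nohook ntp.conf` is set further down (not visible in this hunk), either drop `option ntp_servers` or pair it with `nohook ntp.conf` so DHCP-supplied time sources are not applied on a hardened image, and add a comment saying which was chosen. The moved `### Global defaults for all interfaces.` block now only repeats, commented out, the `option host_name`/`domain_name`/`domain_search`/`fqdn both` lines that are already active above it and could be removed. The here-doc begins before the hunk.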
@@ -88,12 +88,12 @@ Verify_checksums() { if [ -e "${_CHECKSUM}" ]; then #echo "Found ${_CHECKSUM}..." > "${_TTY}" - log_begin_msg "Found ${_CHECKSUM}..." + printf "Found %s...\n" "${_CHECKSUM}" if [ -e "/bin/${_DIGEST}sum" ]; then #echo "Checking ${_CHECKSUM}..." > "${_TTY}" - log_begin_msg "Checking ${_CHECKSUM}..." + printf "Checking %s...\n" "${_CHECKSUM}" # Verify checksums # shellcheck disable=SC2312 @@ -106,7 +106,7 @@ Verify_checksums() { else #echo "Not found /bin/${_DIGEST}sum..." > "${_TTY}" - log_begin_msg "Not found /bin/${_DIGEST}sum...." + printf "Not found /bin/%ssum....\n" "${_DIGEST}" fi @@ -121,7 +121,7 @@ Verify_checksums() { case "${_RETURN}" in 0) - log_success_msg "Verification of ${_CHECKSUMS[*]} successful; continuing booting in 8 seconds." + log_success_msg "Verification of checksums successful; continuing booting in 8 seconds." sleep 8 return 0 ;; diff --git a/scripts/usr/local/.keep b/scripts/usr/local/.keep new file mode 100644 index 0000000..b4349f3 --- /dev/null +++ b/scripts/usr/local/.keep @@ -0,0 +1,10 @@ +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu diff --git a/scripts/usr/lib/live/config/9999-cdi-starter b/scripts/usr/local/sbin/9999-cdi-starter similarity index 100% rename from scripts/usr/lib/live/config/9999-cdi-starter rename to scripts/usr/local/sbin/9999-cdi-starter