V8.13.294.2025.10.28

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-28 19:14:45 +01:00
parent 5cdf9f93a1
commit 311074c1d3
12 changed files with 133 additions and 49 deletions
--- a/config/hooks/live/0000_basic_chroot_setup.chroot
+++ b/config/hooks/live/0000_basic_chroot_setup.chroot
@@ -201,10 +201,11 @@ apt-get update -qq
 apt-get install -y --no-install-suggests libpam-systemd
 if [[ -f /root/.architecture ]]; then
  apt-get install -y --no-install-suggests amd64-microcode intel-microcode
 fi
-[[ -f /root/.architecture ]] && rm -f /root/.architecture
+  apt-get install -y --no-install-suggests amd64-microcode intel-microcode
  rm -f /root/.architecture
 fi
 mkdir -p /root/.ciss/dlb/{backup,log}
 chmod 0700 /root/.ciss/dlb/{backup,log}
--- a/config/hooks/live/0001_initramfs_modules.chroot
+++ b/config/hooks/live/0001_initramfs_modules.chroot
@@ -300,10 +300,10 @@ COMPRESS=zstd
 # Defaults vary by compressor.
 #
 # Valid values are:
-# 1-9 for gzip|bzip2|lzma|lzop
+# 1...9 for gzip|bzip2|lzma|lzop
-# 0-9 for  lz4|xz
+# 0...9 for  lz4|xz
-# 0-19 for zstd
+# 0...19 for zstd
-COMPRESSLEVEL=10
+COMPRESSLEVEL=16
 #
 # DEVICE: ...
--- a/config/hooks/live/0002_verify_checksums.chroot
+++ b/config/hooks/live/0002_verify_checksums.chroot
@@ -111,12 +111,12 @@ Verify_checksums() {
      if [ -e "${_CHECKSUM}" ]; then
        #echo "Found ${_CHECKSUM}..." > "${_TTY}"
-        log_begin_msg "Found ${_CHECKSUM}..."
+        printf "Found %s...\n" "${_CHECKSUM}"
        if [ -e "/bin/${_DIGEST}sum" ]; then
          #echo "Checking ${_CHECKSUM}..." > "${_TTY}"
-          log_begin_msg "Checking ${_CHECKSUM}..."
+          printf "Checking %s...\n" "${_CHECKSUM}"
          # Verify checksums
          # shellcheck disable=SC2312
@@ -129,7 +129,7 @@ Verify_checksums() {
        else
          #echo "Not found /bin/${_DIGEST}sum..." > "${_TTY}"
-          log_begin_msg "Not found /bin/${_DIGEST}sum...."
+          printf "Not found /bin/%ssum....\n" "${_DIGEST}"
        fi
@@ -144,7 +144,7 @@ Verify_checksums() {
  case "${_RETURN}" in
    0)
-      log_success_msg "Verification of ${_CHECKSUMS[*]} successful; continuing booting in 8 seconds."
+      log_success_msg "Verification of checksums successful; continuing booting in 8 seconds."
      sleep 8
      return 0
      ;;
--- a/config/hooks/live/0003_cdi_autostart.chroot
+++ b/config/hooks/live/0003_cdi_autostart.chroot
@@ -0,0 +1,52 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
 if [[ -f /root/.cdi ]]; then
  cat << EOF >| /etc/systemd/system/cdi-starter.service
 [Unit]
 Description=CISS CDI post-boot starter
 Documentation=https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 ConditionPathExists=/usr/local/sbin/9999-cdi-starter.sh
 After=live-config.service systemd-user-sessions.service getty.target
 Wants=network-online.target
 After=network-online.target NetworkManager-wait-online.service systemd-networkd-wait-online.service
 [Service]
 Type=idle
 ExecStart=/usr/local/sbin/9999-cdi-starter.sh
 TimeoutStartSec=1min
 Nice=5
 IOSchedulingClass=best-effort
 Environment=LANG=C.UTF-8
 StandardOutput=journal
 StandardError=journal
 [Install]
 WantedBy=multi-user.target
 EOF
  chmod 0644 /etc/systemd/system/cdi-starter.service
  systemctl enable cdi-starter.service
  rm -f /root/.cdi
 fi
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -21,7 +21,7 @@ include_toc: true
 * **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + update_initramfs=all COMPRESSLEVEL=10
 * **Updated**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot) = rotate 90; maxage 90
 * **Updated**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot) = rotate 90
-* **Updated**: [9999-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter) = unified logging
+* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999-cdi-starter) = unified logging
 ## V8.13.292.2025.10.27
 * **Updated**: [alias](../config/includes.chroot/root/.ciss/alias) = modified trel()
@@ -29,7 +29,7 @@ include_toc: true
 ## V8.13.290.2025.10.26
 * **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + ESP/FAT/UEFI mods
 * **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot)
-* **Updated**: [9999-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter) Preparations for CISS and PhysNet primordial-workflow™.
+* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999-cdi-starter) Preparations for CISS and PhysNet primordial-workflow™.
 ## V8.13.288.2025.10.24
 * **Added**: Preparations for CISS and PhysNet primordial-workflow™.
@@ -52,7 +52,7 @@ include_toc: true
 * **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot) unified auditd configuration, removed success rules
 * **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot) + apt-get dist-upgrade -y
 * **Updated**: [login.defs](../config/includes.chroot/etc/login.defs) 
-* **Updated**: [9999-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter) 
+* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999-cdi-starter) 
 ## V8.13.256.2025.10.21
 * **Updated**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot)
@@ -83,7 +83,7 @@ include_toc: true
 * **Changed**:  [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot)
 ## V8.13.142.2025.10.14
-* **Updated**: [9999-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter)
+* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999-cdi-starter)
 ## V8.13.132.2025.10.11
 * **Added**: [REPOSITORY.md](../REPOSITORY.md)
@@ -118,7 +118,7 @@ include_toc: true
 * **Added**: [lib_note_target.sh](../lib/lib_note_target.sh)
 * **Updated**: [lib_trap_on_err.sh](../lib/lib_trap_on_err.sh)
 * **Updated**: [lib_trap_on_exit.sh](../lib/lib_trap_on_exit.sh)
-* **Updated**: [9999-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter)
+* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999-cdi-starter)
 * **Updated**: [9980_usb_guard.chroot](../config/hooks/live/9980_usb_guard.chroot)
 * **Updated**: [9998_sources_list_bookworm.chroot](../config/hooks/live/9998_sources_list_bookworm.chroot)
 * **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot)
@@ -130,7 +130,7 @@ include_toc: true
 ## V8.13.048.2025.10.06
 * **Updated**: Debian 13 LIVE ISO workflows to use Kernel: ``6.16.3+deb13-amd64``
 * **Updated**: Debian 13 LIVE ISO workflows to use argument: ``--cdi``
-* **Updated**: [9000-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter)
+* **Updated**: [9000-cdi-starter](../scripts/usr/local/sbin/9999-cdi-starter)
 ## V8.13.032.2025.10.03
 * **Added**: Internal Gitea Action Runner switch for static SSHFP records.
--- a/lib/lib_cdi.sh
+++ b/lib/lib_cdi.sh
@@ -30,21 +30,24 @@ cdi() {
  if [[ "${VAR_HANDLER_CDI}" == "true" ]]; then
-    if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config" ]]; then
+    touch      "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.cdi"
    chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.cdi"
-      mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config"
+    if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin" ]]; then
      mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin"
    fi
-    cp "${VAR_WORKDIR}/scripts/usr/lib/live/config/9999-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9999-cdi-starter"
+    cp "${VAR_WORKDIR}/scripts/usr/local/sbin/9999-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999-cdi-starter.sh"
-    chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9999-cdi-starter"
+    chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999-cdi-starter.sh"
-    chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9999-cdi-starter"
+    chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999-cdi-starter.sh"
    declare tmp_entry
    tmp_entry="$(mktemp)"
    cat << EOF >| "${tmp_entry}"
 menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i {
-        linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums components splash nopersistence toram ramdisk-size=1024M swap=true noautologin nottyautologin nox11autologin noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Etc/UTC apparmor=1 security=apparmor audit_backlog_limit=8192 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path}
+        linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums components splash nopersistence toram ramdisk-size=1024M swap=true noautologin nottyautologin nox11autologin noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Etc/UTC apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path}
        initrd /live/initrd.img-${VAR_KERNEL}
 }
 EOF
@@ -59,9 +62,12 @@ EOF
 }" "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-pc/grub.cfg"
    rm -f "${tmp_entry}"
  else
    # shellcheck disable=SC1003
    sed -i '/#MUST_BE_REPLACED/c\\' "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg"
  fi
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
--- a/lib/lib_ciss_upgrades.sh
+++ b/lib/lib_ciss_upgrades.sh
@@ -31,8 +31,8 @@ ciss_upgrades() {
    chmod 0444 /usr/lib/live/build/binary_rootfs.original
  fi
-  #rm -f /usr/lib/live/build/binary_rootfs
+  rm -f /usr/lib/live/build/binary_rootfs
-  #install -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/usr/lib/live/build/binary_rootfs.sh" /usr/lib/live/build/binary_rootfs
+  install -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/usr/lib/live/build/binary_rootfs.sh" /usr/lib/live/build/binary_rootfs
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
--- a/lib/lib_lb_config_write_trixie.sh
+++ b/lib/lib_lb_config_write_trixie.sh
@@ -115,10 +115,25 @@ lb_config_write_trixie() {
  ### https://wiki.debian.org/ReproducibleInstalls/LiveImages
  ### https://reproducible-builds.org/docs/system-images/
  ### https://gitlab.tails.boum.org/tails/tails/-/blob/stable/config/chroot_local-includes/usr/share/tails/build/mksquashfs-excludes
-  #mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/rootfs"
+  mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/rootfs"
-  #cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes"
+  cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes"
-#EOF
+boot/initrd.img-*
-  #chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes"
+boot/vmlinux-*
 boot/vmlinuz-*
 debootstrap
 debootstrap/*
 root/.wget-hsts
 tmp/*
 usr/lib/firmware/amd/*
 usr/lib/firmware/amd-ucode/*
 usr/lib/firmware/amdtee/*
 usr/lib/firmware/intel-ucode/*
 var/cache/apt/pkgcache.bin
 var/cache/apt/srcpkgcache.bin
 var/lib/apt/lists/*
 var/lib/initramfs-tools/*-amd64
 EOF
  chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes"
  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Writing new config done.\e[0m\n"
--- a/scripts/0010_dhcp_supersede.sh
+++ b/scripts/0010_dhcp_supersede.sh
@@ -43,34 +43,34 @@ cat << 'EOF' >> "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcpcd.con
 # SPDX-Security-Contact: security@coresecret.eu
 ### No Global APIPA-Fallback.
-#noipv4ll
+noipv4ll
 ### A ServerID is required by RFC2131.
-#require dhcp_server_identifier
+require dhcp_server_identifier
 ### Respect the network MTU. This is applied to DHCP routes.
-#option interface_mtu
+option interface_mtu
 ### A list of options to request from the DHCP server.
 #option host_name
 #option domain_name
 #option domain_search
 #option rapid_commit
 ### Most distributions have NTP support.
 #option ntp_servers
 ### Ask server to update both A and PTR via FQDN (RFC 4702 semantics).
 #fqdn both
 ###-----------------------------------------------------------------------------------------------------------------------------
 ### Global defaults for all interfaces.
 option host_name
 option domain_name
 option domain_search
 option rapid_commit
 ### Most distributions have NTP support.
 option ntp_servers
 ### Ask server to update both A and PTR via FQDN (RFC 4702 semantics).
 fqdn both
 ###-----------------------------------------------------------------------------------------------------------------------------
 ### Global defaults for all interfaces.
 #option host_name
 #option domain_name
 #option domain_search
 ### Ask server to update both A and PTR via FQDN (RFC 4702 semantics).
 #fqdn both
 ###-----------------------------------------------------------------------------------------------------------------------------
 ### Enforce static DNS and prevent dhcpcd from writing 'resolv.conf'.
--- a/scripts/live-boot/0030-verify-checksums
+++ b/scripts/live-boot/0030-verify-checksums
@@ -88,12 +88,12 @@ Verify_checksums() {
      if [ -e "${_CHECKSUM}" ]; then
        #echo "Found ${_CHECKSUM}..." > "${_TTY}"
-        log_begin_msg "Found ${_CHECKSUM}..."
+        printf "Found %s...\n" "${_CHECKSUM}"
        if [ -e "/bin/${_DIGEST}sum" ]; then
          #echo "Checking ${_CHECKSUM}..." > "${_TTY}"
-          log_begin_msg "Checking ${_CHECKSUM}..."
+          printf "Checking %s...\n" "${_CHECKSUM}"
          # Verify checksums
          # shellcheck disable=SC2312
@@ -106,7 +106,7 @@ Verify_checksums() {
        else
          #echo "Not found /bin/${_DIGEST}sum..." > "${_TTY}"
-          log_begin_msg "Not found /bin/${_DIGEST}sum...."
+          printf "Not found /bin/%ssum....\n" "${_DIGEST}"
        fi
@@ -121,7 +121,7 @@ Verify_checksums() {
  case "${_RETURN}" in
    0)
-      log_success_msg "Verification of ${_CHECKSUMS[*]} successful; continuing booting in 8 seconds."
+      log_success_msg "Verification of checksums successful; continuing booting in 8 seconds."
      sleep 8
      return 0
      ;;
--- a/scripts/usr/local/.keep
+++ b/scripts/usr/local/.keep
@@ -0,0 +1,10 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
--- a/scripts/usr/lib/live/config/9999-cdi-starter
+++ b/scripts/usr/lib/live/config/9999-cdi-starter