V8.13.294.2025.10.28

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/hooks/live/0000_basic_chroot_setup.chroot

@@ -201,10 +201,11 @@ apt-get update -qq
 apt-get install -y --no-install-suggests libpam-systemd
 
 if [[ -f /root/.architecture ]]; then
-  apt-get install -y --no-install-suggests amd64-microcode intel-microcode
-fi
 
-[[ -f /root/.architecture ]] && rm -f /root/.architecture
+  apt-get install -y --no-install-suggests amd64-microcode intel-microcode
+  rm -f /root/.architecture
+
+fi
 
 mkdir -p /root/.ciss/dlb/{backup,log}
 chmod 0700 /root/.ciss/dlb/{backup,log}

config/hooks/live/0001_initramfs_modules.chroot

@@ -300,10 +300,10 @@ COMPRESS=zstd
 # Defaults vary by compressor.
 #
 # Valid values are:
-# 1-9 for gzip|bzip2|lzma|lzop
-# 0-9 for  lz4|xz
-# 0-19 for zstd
-COMPRESSLEVEL=10
+# 1...9 for gzip|bzip2|lzma|lzop
+# 0...9 for  lz4|xz
+# 0...19 for zstd
+COMPRESSLEVEL=16
 
 #
 # DEVICE: ...

config/hooks/live/0002_verify_checksums.chroot

@@ -111,12 +111,12 @@ Verify_checksums() {
       if [ -e "${_CHECKSUM}" ]; then
 
         #echo "Found ${_CHECKSUM}..." > "${_TTY}"
-        log_begin_msg "Found ${_CHECKSUM}..."
+        printf "Found %s...\n" "${_CHECKSUM}"
 
         if [ -e "/bin/${_DIGEST}sum" ]; then
 
           #echo "Checking ${_CHECKSUM}..." > "${_TTY}"
-          log_begin_msg "Checking ${_CHECKSUM}..."
+          printf "Checking %s...\n" "${_CHECKSUM}"
 
           # Verify checksums
           # shellcheck disable=SC2312
@@ -129,7 +129,7 @@ Verify_checksums() {
         else
 
           #echo "Not found /bin/${_DIGEST}sum..." > "${_TTY}"
-          log_begin_msg "Not found /bin/${_DIGEST}sum...."
+          printf "Not found /bin/%ssum....\n" "${_DIGEST}"
 
         fi
 
@@ -144,7 +144,7 @@ Verify_checksums() {
   case "${_RETURN}" in
 
     0)
-      log_success_msg "Verification of ${_CHECKSUMS[*]} successful; continuing booting in 8 seconds."
+      log_success_msg "Verification of checksums successful; continuing booting in 8 seconds."
       sleep 8
       return 0
       ;;

config/hooks/live/0003_cdi_autostart.chroot

@@ -0,0 +1,52 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+if [[ -f /root/.cdi ]]; then
+
+  cat << EOF >| /etc/systemd/system/cdi-starter.service
+[Unit]
+Description=CISS CDI post-boot starter
+Documentation=https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+ConditionPathExists=/usr/local/sbin/9999-cdi-starter.sh
+After=live-config.service systemd-user-sessions.service getty.target
+Wants=network-online.target
+After=network-online.target NetworkManager-wait-online.service systemd-networkd-wait-online.service
+
+[Service]
+Type=idle
+ExecStart=/usr/local/sbin/9999-cdi-starter.sh
+TimeoutStartSec=1min
+Nice=5
+IOSchedulingClass=best-effort
+Environment=LANG=C.UTF-8
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+  chmod 0644 /etc/systemd/system/cdi-starter.service
+
+  systemctl enable cdi-starter.service
+
+  rm -f /root/.cdi
+
+fi
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

docs/CHANGELOG.md

@@ -21,7 +21,7 @@ include_toc: true
 * **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + update_initramfs=all COMPRESSLEVEL=10
 * **Updated**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot) = rotate 90; maxage 90
 * **Updated**: [9999_yyyy_logrotate.chroot](../config/hooks/live/9999_yyyy_logrotate.chroot) = rotate 90
-* **Updated**: [9999-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter) = unified logging
+* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999-cdi-starter) = unified logging
 
 ## V8.13.292.2025.10.27
 * **Updated**: [alias](../config/includes.chroot/root/.ciss/alias) = modified trel()
@@ -29,7 +29,7 @@ include_toc: true
 ## V8.13.290.2025.10.26
 * **Updated**: [0001_initramfs_modules.chroot](../config/hooks/live/0001_initramfs_modules.chroot) + ESP/FAT/UEFI mods
 * **Updated**: [9950_hardening_fail2ban.chroot](../config/hooks/live/9950_hardening_fail2ban.chroot)
-* **Updated**: [9999-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter) Preparations for CISS and PhysNet primordial-workflow™.
+* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999-cdi-starter) Preparations for CISS and PhysNet primordial-workflow™.
 
 ## V8.13.288.2025.10.24
 * **Added**: Preparations for CISS and PhysNet primordial-workflow™.
@@ -52,7 +52,7 @@ include_toc: true
 * **Updated**: [9996_auditd.chroot](../config/hooks/live/9996_auditd.chroot) unified auditd configuration, removed success rules
 * **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot) + apt-get dist-upgrade -y
 * **Updated**: [login.defs](../config/includes.chroot/etc/login.defs) 
-* **Updated**: [9999-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter) 
+* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999-cdi-starter) 
 
 ## V8.13.256.2025.10.21
 * **Updated**: [0007_update_logrotate.chroot](../config/hooks/live/0007_update_logrotate.chroot)
@@ -83,7 +83,7 @@ include_toc: true
 * **Changed**:  [0090_jitterentropy.chroot](../config/hooks/live/0090_jitterentropy.chroot)
 
 ## V8.13.142.2025.10.14
-* **Updated**: [9999-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter)
+* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999-cdi-starter)
 
 ## V8.13.132.2025.10.11
 * **Added**: [REPOSITORY.md](../REPOSITORY.md)
@@ -118,7 +118,7 @@ include_toc: true
 * **Added**: [lib_note_target.sh](../lib/lib_note_target.sh)
 * **Updated**: [lib_trap_on_err.sh](../lib/lib_trap_on_err.sh)
 * **Updated**: [lib_trap_on_exit.sh](../lib/lib_trap_on_exit.sh)
-* **Updated**: [9999-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter)
+* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999-cdi-starter)
 * **Updated**: [9980_usb_guard.chroot](../config/hooks/live/9980_usb_guard.chroot)
 * **Updated**: [9998_sources_list_bookworm.chroot](../config/hooks/live/9998_sources_list_bookworm.chroot)
 * **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot)
@@ -130,7 +130,7 @@ include_toc: true
 ## V8.13.048.2025.10.06
 * **Updated**: Debian 13 LIVE ISO workflows to use Kernel: ``6.16.3+deb13-amd64``
 * **Updated**: Debian 13 LIVE ISO workflows to use argument: ``--cdi``
-* **Updated**: [9000-cdi-starter](../scripts/usr/lib/live/config/9999-cdi-starter)
+* **Updated**: [9000-cdi-starter](../scripts/usr/local/sbin/9999-cdi-starter)
 
 ## V8.13.032.2025.10.03
 * **Added**: Internal Gitea Action Runner switch for static SSHFP records.

lib/lib_cdi.sh

@@ -30,21 +30,24 @@ cdi() {
 
   if [[ "${VAR_HANDLER_CDI}" == "true" ]]; then
 
-    if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config" ]]; then
+    touch      "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.cdi"
+    chmod 0600 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/.cdi"
 
-      mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config"
+    if [[ ! -d "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin" ]]; then
+
+      mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin"
 
     fi
 
-    cp "${VAR_WORKDIR}/scripts/usr/lib/live/config/9999-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9999-cdi-starter"
-    chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9999-cdi-starter"
-    chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/config/9999-cdi-starter"
+    cp "${VAR_WORKDIR}/scripts/usr/local/sbin/9999-cdi-starter" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999-cdi-starter.sh"
+    chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999-cdi-starter.sh"
+    chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/local/sbin/9999-cdi-starter.sh"
 
     declare tmp_entry
     tmp_entry="$(mktemp)"
     cat << EOF >| "${tmp_entry}"
 menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i {
-        linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums components splash nopersistence toram ramdisk-size=1024M swap=true noautologin nottyautologin nox11autologin noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Etc/UTC apparmor=1 security=apparmor audit_backlog_limit=8192 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path}
+        linux /live/vmlinuz-${VAR_KERNEL} boot=live verify-checksums components splash nopersistence toram ramdisk-size=1024M swap=true noautologin nottyautologin nox11autologin noeject locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= timezone=Etc/UTC apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path}
         initrd /live/initrd.img-${VAR_KERNEL}
 }
 EOF
@@ -59,9 +62,12 @@ EOF
 }" "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-pc/grub.cfg"
 
     rm -f "${tmp_entry}"
+
   else
+
     # shellcheck disable=SC1003
     sed -i '/#MUST_BE_REPLACED/c\\' "${VAR_HANDLER_BUILD_DIR}/config/bootloaders/grub-efi/grub.cfg"
+
   fi
 
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"

lib/lib_ciss_upgrades.sh

@@ -31,8 +31,8 @@ ciss_upgrades() {
     chmod 0444 /usr/lib/live/build/binary_rootfs.original
   fi
 
-  #rm -f /usr/lib/live/build/binary_rootfs
-  #install -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/usr/lib/live/build/binary_rootfs.sh" /usr/lib/live/build/binary_rootfs
+  rm -f /usr/lib/live/build/binary_rootfs
+  install -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/usr/lib/live/build/binary_rootfs.sh" /usr/lib/live/build/binary_rootfs
 
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
 

lib/lib_lb_config_write_trixie.sh

@@ -115,10 +115,25 @@ lb_config_write_trixie() {
   ### https://wiki.debian.org/ReproducibleInstalls/LiveImages
   ### https://reproducible-builds.org/docs/system-images/
   ### https://gitlab.tails.boum.org/tails/tails/-/blob/stable/config/chroot_local-includes/usr/share/tails/build/mksquashfs-excludes
-  #mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/rootfs"
-  #cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes"
-#EOF
-  #chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes"
+  mkdir -p "${VAR_HANDLER_BUILD_DIR}/config/rootfs"
+  cat << 'EOF' >| "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes"
+boot/initrd.img-*
+boot/vmlinux-*
+boot/vmlinuz-*
+debootstrap
+debootstrap/*
+root/.wget-hsts
+tmp/*
+usr/lib/firmware/amd/*
+usr/lib/firmware/amd-ucode/*
+usr/lib/firmware/amdtee/*
+usr/lib/firmware/intel-ucode/*
+var/cache/apt/pkgcache.bin
+var/cache/apt/srcpkgcache.bin
+var/lib/apt/lists/*
+var/lib/initramfs-tools/*-amd64
+EOF
+  chmod 0644 "${VAR_HANDLER_BUILD_DIR}/config/rootfs/excludes"
 
   printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Writing new config done.\e[0m\n"
 

scripts/0010_dhcp_supersede.sh

@@ -43,34 +43,34 @@ cat << 'EOF' >> "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcpcd.con
 # SPDX-Security-Contact: security@coresecret.eu
 
 ### No Global APIPA-Fallback.
-#noipv4ll
+noipv4ll
 
 ### A ServerID is required by RFC2131.
-#require dhcp_server_identifier
+require dhcp_server_identifier
 
 ### Respect the network MTU. This is applied to DHCP routes.
-#option interface_mtu
+option interface_mtu
 
 ### A list of options to request from the DHCP server.
-#option host_name
-#option domain_name
-#option domain_search
-#option rapid_commit
-
-### Most distributions have NTP support.
-#option ntp_servers
-
-### Ask server to update both A and PTR via FQDN (RFC 4702 semantics).
-#fqdn both
-
-###-----------------------------------------------------------------------------------------------------------------------------
-### Global defaults for all interfaces.
 option host_name
 option domain_name
 option domain_search
+option rapid_commit
+
+### Most distributions have NTP support.
+option ntp_servers
 
 ### Ask server to update both A and PTR via FQDN (RFC 4702 semantics).
 fqdn both
+
+###-----------------------------------------------------------------------------------------------------------------------------
+### Global defaults for all interfaces.
+#option host_name
+#option domain_name
+#option domain_search
+
+### Ask server to update both A and PTR via FQDN (RFC 4702 semantics).
+#fqdn both
 ###-----------------------------------------------------------------------------------------------------------------------------
 
 ### Enforce static DNS and prevent dhcpcd from writing 'resolv.conf'.

scripts/live-boot/0030-verify-checksums

@@ -88,12 +88,12 @@ Verify_checksums() {
       if [ -e "${_CHECKSUM}" ]; then
 
         #echo "Found ${_CHECKSUM}..." > "${_TTY}"
-        log_begin_msg "Found ${_CHECKSUM}..."
+        printf "Found %s...\n" "${_CHECKSUM}"
 
         if [ -e "/bin/${_DIGEST}sum" ]; then
 
           #echo "Checking ${_CHECKSUM}..." > "${_TTY}"
-          log_begin_msg "Checking ${_CHECKSUM}..."
+          printf "Checking %s...\n" "${_CHECKSUM}"
 
           # Verify checksums
           # shellcheck disable=SC2312
@@ -106,7 +106,7 @@ Verify_checksums() {
         else
 
           #echo "Not found /bin/${_DIGEST}sum..." > "${_TTY}"
-          log_begin_msg "Not found /bin/${_DIGEST}sum...."
+          printf "Not found /bin/%ssum....\n" "${_DIGEST}"
 
         fi
 
@@ -121,7 +121,7 @@ Verify_checksums() {
   case "${_RETURN}" in
 
     0)
-      log_success_msg "Verification of ${_CHECKSUMS[*]} successful; continuing booting in 8 seconds."
+      log_success_msg "Verification of checksums successful; continuing booting in 8 seconds."
       sleep 8
       return 0
       ;;

scripts/usr/local/.keep

@@ -0,0 +1,10 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu