V8.13.408.2025.11.13
All checks were successful
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m8s
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m31s

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-13 06:26:44 +01:00
parent a362db3d78
commit 5f370c2cdb
83 changed files with 1422 additions and 877 deletions

@@ -1,142 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#######################################
# Usage Wrapper CISS.debian.live.builder
# Globals:
# none
# Arguments:
# $0: Script name
#######################################
usage() {
clear
cat << EOF
$(echo -e "\e[92mCISS.debian.live.builder\e[0m")
$(echo -e "\e[92mMaster V8.13.404.2025.11.10\e[0m")
$(echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m")
$(echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025\e[0m")
$(echo -e "\e[97m(p) Centurion Press, 2024 - 2025\e[0m")
"${0} <option>", where <option> is one or more of:
$(echo -e "\e[97m --help, -h\e[0m")
What you're looking at.
$(echo -e "\e[97m --autobuild=*, -a=*\e[0m")
Headless mode. Skip the dialog wrapper, provider note screen and interactive kernel
selector dialog. Change '*' to your desired Linux kernel and trim the
'linux-image-' string to select a specific kernel, e.g. '--autobuild=6.12.30+bpo-amd64'.
$(echo -e "\e[97m --architecture <STRING> one of <amd64 | arm64>\e[0m")
A string reflecting the architecture of the Live System.
MUST be provided.
$(echo -e "\e[97m --build-directory </path/to/build_directory>\e[0m")
Where the Debian Live Build Image should be generated.
MUST be provided.
$(echo -e "\e[97m --change-splash <STRING> one of <club | hexagon>\e[0m")
A string reflecting the Grub Boot Screen Splash you want to use.
If omitted defaults to "./.archive/background/club.png".
$(echo -e "\e[97m --cdi (Experimental Feature)\e[0m")
This option generates a boot menu entry to start the forthcoming
'CISS.debian.installer', which will be executed after
the system has successfully booted up.
$(echo -e "\e[97m --contact, -c\e[0m")
Displays contact information of the author.
$(echo -e "\e[97m --control <INTEGER>\e[0m")
An integer that reflects the version of your Live ISO Image.
MUST be provided.
$(echo -e "\e[97m --debug\e[0m")
Enables debug logging for the main program routine. Detailed logging
information are written to "/tmp/ciss_live_builder_$$.log"
$(echo -e "\e[97m --dhcp-centurion\e[0m")
If a DHCP lease is provided, the provider's nameserver will be overridden,
and only the hardened, privacy-focused Centurion DNS servers will be used:
- https://dns01.eddns.eu/
- https://dns02.eddns.de/
- https://dns03.eddns.eu/
$(echo -e "\e[97m --jump-host <IP | IP | ... >\e[0m")
Provide up to 10 IPs for /etc/host.allow whitelisting of SSH access.
Could be either IPv4 and / or IPv6 addresses and / or CCDIR notation.
If provided, than it MUST be a <SPACE> separated list.
IPv6 addresses MUST be encapsulated with [], e.g., [1234::abcd]/64.
$(echo -e "\e[97m --log-statistics-only\e[0m")
Provides statistic only after successful building a
CISS.debian.live-ISO. While enabling "--log-statistics-only"
the argument "--build-directory" MUST be provided while
all further options MUST be omitted.
$(echo -e "\e[97m --provider-netcup-ipv6\e[0m")
Activates IPv6 support for Netcup Root Server. One unique
IPv6 address MUST be provided in this case and MUST be encapsulated
with [], e.g., [1234::abcd].
$(echo -e "\e[97m --renice-priority <PRIORITY>\e[0m")
Reset the nice priority value of the script and all its children
to the desired <PRIORITY>. MUST be an integer (between "-19" and 19).
Negative (higher) values MUST be enclosed in double quotes '"'.
$(echo -e "\e[97m --reionice-priority <CLASS> <PRIORITY>\e[0m")
Reset the ionice priority value of the script and all its children
to the desired <CLASS>. MUST be an integer:
1: realtime
2: best-effort
3: idle
Defaults to '2'.
Whereas <PRIORITY> MUST be an integer as well between:
0: highest priority and
7: lowest priority.
Defaults to '4'.
A real-time I/O process can significantly slow down other processes
or even cause them to starve if it continuously requests I/O.
$(echo -e "\e[97m --root-password-file </path/to/password.txt>\e[0m")
Password file for 'root', if given, MUST be a string of 20 to 64 characters,
and MUST NOT contain the special character '"'.
If the argument is omitted, no further login authentication is required for
the local console. The root password is hashed with an 16 Byte '/dev/random'
generated SALT and SHA512 Hashing function and 8,388,608 rounds. Immediately
after Hash generation all Variables containing plain password fragments are
deleted. Password file SHOULD be '0400' and 'root:root' and is deleted without
further prompt after password hash has been successfully generated via:
'shred -vfzu 5 -f'.
No tracing of any plain text password fragment in any debug log.
$(echo -e "\e[97m --ssh-port <INTEGER>\e[0m")
The desired Port SSH should listen to.
If not provided defaults to Port 22.
$(echo -e "\e[97m --ssh-pubkey </path/to/.ssh/>\e[0m")
Imports the SSH Public Key(s) from the FILE 'authorized_keys' of the
specified PATH into the Live ISO. MUST be provided.
$(echo -e "\e[97m --version, -v\e[0m")
Displays version of ${0}.
$(echo -e "\e[93m💡 Notes:\e[0m")
🔵 You MUST be 'root' to run this script.
$(echo -e "\e[95m💷 Please consider donating to my work at:\e[0m")
$(echo -e "\e[95m🌐 https://coresecret.eu/spenden/ \e[0m")
EOF
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
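
Review bot: The '--root-password-file' help text quotes the cleanup command as 'shred -vfzu 5 -f', which is not a usable invocation as written: the pass count needs '-n', so the bare "5" is read as a file operand, and '-f' is given twice. If this usage text is carried over to a new location, quote the command actually run (for example 'shred -vfzu -n 5'). In the '--jump-host' entry, "/etc/host.allow" should read "/etc/hosts.allow", "CCDIR" should read "CIDR" and "than" should read "then". The same option block states that omitting the password file leaves the local console without login authentication; that default deserves a line under "Notes" so it is not missed.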

@@ -1,248 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
target="/usr/lib/live/boot/0030-verify-checksums"
src="$(mktemp)"
if [[ ! -d /usr/lib/live/boot ]]; then
mkdir -p /usr/lib/live/boot
fi
cat << 'EOF' >| "${src}"
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: GPL-3.0-or-later
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
### Modified Version of the original file:
### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
### In case of successful verification of the offered checksum, proceed with booting; otherwise panic.
#######################################
# Modified checksum-integrity and authenticity-verification-script for continuing the boot process.
# Globals:
# LIVE_BOOT_CMDLINE
# _TTY
# Arguments:
# 1: _MOUNTPOINT
# Returns:
# 0 : Successful verification
#######################################
Verify_checksums() {
_MOUNTPOINT="${1}"
_TTY="/dev/tty8"
LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
LIVE_VERIFY_CHECKSUMS_SIGNATURES="false"
for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
case "${_PARAMETER}" in
live-boot.verify-checksums=* | verify-checksums=*)
LIVE_VERIFY_CHECKSUMS="true"
LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
;;
live-boot.verify-checksums | verify-checksums)
LIVE_VERIFY_CHECKSUMS="true"
;;
live-boot.verify-checksums-signatures | verify-checksums-signatures)
LIVE_VERIFY_CHECKSUMS_SIGNATURES="true"
;;
esac
done
case "${LIVE_VERIFY_CHECKSUMS}" in
true)
:
;;
*)
return 0
;;
esac
# shellcheck disable=SC2164
cd "${_MOUNTPOINT}"
### CDLB verification of script integrity itself -----------------------------------------------------------------------------
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
log_begin_msg "Verifying integrity of '0030-verify-checksums' ..."
printf "\n"
CDLB_SCRIPT="$(basename "${0}")"
CDLB_SHA="sha512"
CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_ITEM="" CDLB_SIG_FILE=""
for CDLB_ITEM in ${CDLB_SHA}; do
CDLB_HASHFILE="${CDLB_SCRIPT}.${CDLB_ITEM}"
CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
CDLB_CMD="${CDLB_ITEM}sum"
printf "Verifying signature of: [%s]\n" "${CDLB_HASHFILE}"
if ! gpgv --keyring 0030-verify-checksums_public.gpg "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
printf "Signature verification failed for: [%s]\n" "${CDLB_HASHFILE}"
sleep 8
# TODO: Remove debug mode
# return 0
else
printf "Signature verification successful for: [%s]\n" "${CDLB_HASHFILE}"
fi
printf "Recomputing hash for: [%s]\n" "${CDLB_ITEM}"
CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT}" | { read -r first rest || exit 1; printf '%s\n' "${first}"; })
read -r CDLB_EXPECTED < "${CDLB_HASHFILE}"
if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then
printf "Recomputed hash mismatch for: [%s]\n" "${CDLB_ITEM}"
sleep 8
# TODO: Remove debug mode
# return 0
fi
printf "Hash verification successful for: [%s]\n" "${CDLB_ITEM}"
done
printf "Verifying integrity of '0030-verify-checksums' successfully completed. Proceeding."
log_end_msg
printf "\n"
fi
### Checksum and checksum signature verification -----------------------------------------------------------------------------
log_begin_msg "Verifying checksums"
printf "\n"
# shellcheck disable=SC2001
for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
# shellcheck disable=SC2060
_CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
for _CHECKSUM in ${_CHECKSUMS}; do
if [ -e "${_CHECKSUM}" ]; then
printf "Found [%s] ...\n" "${_CHECKSUM}"
if [ -e "/bin/${_DIGEST}sum" ]; then
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
printf "Checking Signature of [%s] ...\n" "${_CHECKSUM}"
_CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"
gpgv --keyring 0030-verify-checksums_public.gpg "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"
_RETURN_PGP="${?}"
else
_RETURN_PGP="na"
fi
printf "Checking Hashes of [%s] ...\n" "${_CHECKSUM}"
# shellcheck disable=SC2312
grep -v '^#' "${_CHECKSUM}" | /bin/"${_DIGEST}"sum -c > "${_TTY}"
_RETURN_SHA="${?}"
# Stop after the first verification.
break 2
else
printf "Not found [%s] ...\n" "/bin/${_DIGEST}sum"
fi
fi
done
done
log_end_msg
case "${_RETURN_PGP},${_RETURN_SHA}" in
0,0)
log_success_msg "Verification of signature AND checksum file successful; continuing booting in 8 seconds."
sleep 8
return 0
;;
na,0)
log_success_msg "Verification of checksum file successful; continuing booting in 8 seconds."
sleep 8
return 0
;;
*,0)
panic "Verification of signature file failed while verification of checksum file successful."
;;
na,*)
panic "Verification of checksum file failed."
;;
esac
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
# Copy and make executable
install -m 0755 "${src}" "${target}"
rm -f "${src}"
unset target src
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
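
Review bot: The closing case on "${_RETURN_PGP},${_RETURN_SHA}" in Verify_checksums has no arm for several failure combinations, so the function leaves the case and returns without a panic. A signature failure combined with a checksum failure (for example "2,1") matches neither '*,0' nor 'na,*', and when no checksum file or no /bin/${_DIGEST}sum is found both variables are never set, which yields "," and matches nothing either. Suggest initialising both variables to a failing value before the loop and ending the case with a catch-all '*) panic ...' arm. The self-check block has the same shape: both failure branches only 'sleep 8' under a "TODO: Remove debug mode" comment, and "Hash verification successful" is printed even after a mismatch, so a bad signature or hash on the script itself does not stop the boot.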

@@ -1,37 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
DEBIAN_FRONTEND=noninteractive \
apt-get update && \
DEBIAN_FRONTEND=noninteractive \
apt-get install -y --no-install-recommends \
-o Dpkg::Options::="--force-confdef" \
-o Dpkg::Options::="--force-confold" \
-t bookworm-backports \
btrfs-progs \
curl \
debootstrap \
iproute2 \
ncat \
nmap \
ssh \
systemd \
systemd-sysv \
whois
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
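
Review bot: In the 'apt-get update && ... apt-get install' chain a failing 'apt-get update' is not caught by 'set -e', because errexit ignores a failure on the left-hand side of '&&'; the script then prints "applied successfully" and exits 0 with none of the packages installed. Suggest running the two commands as separate statements, or appending '|| exit 1' to the chain. Please also confirm that '-t bookworm-backports' is intended for every package in the list, including ssh, systemd and systemd-sysv.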

@@ -1,72 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# Purpose: Copy vendor 'legacy.conf' to '/etc/tmpfiles.d' and drop duplicate '/run/lock' lines.
#######################################
# Simple error terminal logger.
# Arguments:
# None
#######################################
log() { printf '[tmpfiles-fix] %s\n' "$*" >&2; }
### Locate vendor 'legacy.conf' (The path can vary).
declare vendor=""
for p in /usr/lib/tmpfiles.d/legacy.conf /lib/tmpfiles.d/legacy.conf; do
if [[ -f "${p}" ]]; then vendor="${p}"; break; fi
done
if [[ -z "${vendor}" ]]; then
log "WARN: vendor legacy.conf not found; creating a minimal override"
install -D -m 0644 /dev/null /etc/tmpfiles.d/legacy.conf
else
install -D -m 0644 "${vendor}" /etc/tmpfiles.d/legacy.conf
fi
### Deduplicate: keep only the FIRST 'd /run/lock ' definition, drop subsequent ones.
# shellcheck disable=SC2155
declare tmpdir="$(mktemp -d)"
declare out="${tmpdir}/legacy.conf"
awk '
BEGIN{seen=0}
{
# Preserve everything by default
keep=1
# Match tmpfiles "d /run/lock ..." (allowing variable spacing and case of directive)
if ($1 ~ /^[dD]$/ && $2 == "/run/lock") {
if (seen==1) { keep=0 } else { seen=1 }
}
if (keep) print
}' /etc/tmpfiles.d/legacy.conf >| "${out}"
### Install the sanitized file atomically.
install -m 0644 -o root -g root "${out}" /etc/tmpfiles.d/legacy.conf
rm -rf -- "${tmpdir}"
log "Deduplicated /etc/tmpfiles.d/legacy.conf (kept only first /run/lock entry)."
command -v systemd-tmpfiles >/dev/null 2>&1 && systemd-tmpfiles --create --prefix /run/lock || true
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
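
Review bot: 'declare tmpdir="$(mktemp -d)"' hides a failing mktemp from 'set -e' (the case the disabled SC2155 warns about), and with an empty tmpdir the next line sets out to "/legacy.conf", so awk writes into the root directory. Suggest declaring first and assigning on a separate line so the failure aborts the script. The comment "Install the sanitized file atomically" does not match 'install', which copies to the destination rather than renaming over it; writing the temporary file inside /etc/tmpfiles.d and using 'mv' would give the behaviour the comment describes. The '|| true' on the last command also discards any systemd-tmpfiles error.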

@@ -1,60 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
# shellcheck disable=SC2155
declare -r VAR_DATE="$(date +%F)"
cd /root
if [[ -f /etc/apt/sources.list ]]; then
mv /etc/apt/sources.list /root/.ciss/cdlb/backup/sources.list.bak
fi
cat << 'EOF' >| /etc/apt/sources.list
# SPDX-Version: 3.0
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
#-----------------------------------------------------------------------------------------#
# OFFICIAL DEBIAN REPOS
#-----------------------------------------------------------------------------------------#
### Debian Main Repos Bookworm
deb https://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
deb-src https://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
deb-src http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
deb https://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
deb-src https://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
deb https://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
deb-src https://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
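
Review bot: The heredoc for /etc/apt/sources.list is opened with a quoted delimiter ("cat << 'EOF'"), so "${VAR_DATE}" in the SPDX-CreationInfo line is written out literally and the 'declare -r VAR_DATE' above has no effect. Use an unquoted EOF, as the heredocs for /etc/initramfs-tools/modules and ciss-remount-root.service elsewhere in this commit do, or drop the variable. The two bookworm-security entries use http:// while every other entry uses https://; suggest aligning them. The 'mv' into /root/.ciss/cdlb/backup/ also assumes that directory exists; a preceding 'mkdir -p' would let the script run on its own.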

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.404.2025.11.10
# Version Master V8.13.408.2025.11.13
name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.404.2025.11.10
# Version Master V8.13.408.2025.11.13
name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.404.2025.11.10
# Version Master V8.13.408.2025.11.13
name: 💙 Generating a PUBLIC Live ISO.

@@ -1,115 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing || return "${ERR_GUARD_SRCE}"
#######################################
# Wrapper to write a new 'lb config' environment.
# Globals:
# VAR_ARCHITECTURE
# VAR_HANDLER_BUILD_DIR
# VAR_HANDLER_ISO_COUNTER
# VAR_KERNEL
# VAR_VERSION
# VAR_WORKDIR
# Arguments:
# None
#######################################
lb_config_write() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Writing new config ... \e[0m\n"
lb config \
--apt apt \
--apt-indices true \
--apt-recommends true \
--apt-secure true \
--apt-source-archives true \
--architecture "${VAR_ARCHITECTURE}" \
--archive-areas main contrib non-free non-free-firmware \
--backports true \
--binary-filesystem fat32 \
--binary-image iso-hybrid \
--bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
--bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 nocomponents=cdi-starter noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force,nosmt nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
--bootloaders grub-efi \
--cache true \
--checksums sha512 sha256 md5 \
--chroot-filesystem squashfs \
--chroot-squashfs-compression-level 22 \
--chroot-squashfs-compression-type zstd \
--color \
--compression bzip2 \
--debconf-frontend noninteractive \
--debconf-priority critical \
--debian-installer cdrom \
--debian-installer-distribution bookworm \
--debian-installer-gui true \
--debian-installer-preseedfile "preseed.cfg" \
--debug \
--distribution bookworm \
--distribution-binary bookworm \
--distribution-chroot bookworm \
--firmware-binary true \
--firmware-chroot true \
--hdd-label "CENTURIONLIVE" \
--image-name "ciss-debian-live-${VAR_HANDLER_ISO_COUNTER}" \
--initramfs "live-boot" \
--initramfs-compression gzip \
--initsystem systemd \
--iso-application "CISS.debian.live.builder: ${VAR_VERSION} - Debian-Live-Build: 20230502 - Debian-Installer: bookworm" \
--iso-preparer '(C) 2018-2025, Centurion Intelligence Consulting Agency (TM), Lisboa, Portugal' \
--iso-publisher '(P) 2018-2025, Centurion Press (TM) - powered by https://coresecret.eu/ - contact@coresecret.eu' \
--iso-volume 'CISS.debian.live' \
--linux-flavours "${VAR_KERNEL}" \
--linux-packages linux-image \
--loadlin true \
--memtest memtest86+ \
--mirror-binary 'https://deb/debian.org/debian/' \
--mirror-binary-security 'https://security.debian.org/' \
--mirror-bootstrap 'https://deb.debian.org/debian/' \
--mirror-chroot 'https://deb.debian.org/debian/' \
--mirror-chroot-security 'https://security.debian.org/' \
--mirror-debian-installer 'https://deb.debian.org/debian/' \
--mode debian \
--parent-archive-areas main contrib non-free non-free-firmware \
--parent-debian-installer-distribution bookworm \
--parent-distribution bookworm \
--parent-distribution-binary bookworm \
--parent-distribution-chroot bookworm \
--parent-mirror-binary 'https://deb.debian.org/debian/' \
--parent-mirror-binary-security 'https://security.debian.org/' \
--parent-mirror-bootstrap 'https://deb.debian.org/debian/' \
--parent-mirror-chroot 'https://deb.debian.org/debian/' \
--parent-mirror-chroot-security 'https://security.debian.org/' \
--parent-mirror-debian-installer 'https://deb.debian.org/debian/' \
--security true \
--system live \
--source false \
--source-images tar \
--uefi-secure-boot auto \
--updates true \
--utc-time true \
--verbose
sleep 1
sed -i 's/LB_CHECKSUMS="sha512 md5"/LB_CHECKSUMS="sha512 sha384 sha256"/1' ./config/binary
sed -i 's/LB_DM_VERITY=""/LB_DM_VERITY="false"/1' ./config/binary
mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/lib/live/boot
cp -a "${VAR_WORKDIR}/scripts/live-boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Writing new config done.\e[0m\n"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
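
Review bot: '--mirror-binary' in lb_config_write is set to 'https://deb/debian.org/debian/' (a slash instead of a dot after "deb"), unlike every other mirror option in the call, which uses 'https://deb.debian.org/debian/'; this is the mirror configured for the built image, so it should be corrected wherever this call now lives. Second, the 'sed' on ./config/binary looks for LB_CHECKSUMS="sha512 md5", but the call passes '--checksums sha512 sha256 md5'; if lb config records those three values the pattern never matches, md5 stays and sha384 is not added. Passing '--checksums sha512 sha384 sha256' directly would remove the need for the sed.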

@@ -25,7 +25,7 @@ body:
attributes:
label: "Version"
description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
placeholder: "e.g., Master V8.13.404.2025.11.10"
placeholder: "e.g., Master V8.13.408.2025.11.13"
validations:
required: true

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.404.2025.11.10
# Version Master V8.13.408.2025.11.13
FROM debian:bookworm

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.404.2025.11.10
# Version Master V8.13.408.2025.11.13
name: 🔁 Render README.md to README.html.

@@ -11,5 +11,5 @@
build:
counter: 1023
version: V8.13.404.2025.11.10
version: V8.13.408.2025.11.13
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.404.2025.11.10
# Version Master V8.13.408.2025.11.13
name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.404.2025.11.10
# Version Master V8.13.408.2025.11.13
name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.404.2025.11.10
# Version Master V8.13.408.2025.11.13
name: 💙 Generating a PUBLIC Live ISO.

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.404.2025.11.10
# Version Master V8.13.408.2025.11.13
# Gitea Workflow: Shell-Script Linting
#

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.404.2025.11.10
# Version Master V8.13.408.2025.11.13
name: 🛡️ Retrieve DNSSEC status of coresecret.dev.

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.404.2025.11.10
# Version Master V8.13.408.2025.11.13
name: 🔁 Render Graphviz Diagrams.

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="EUPL-1.2 OR LicenseRef-CCLA-1.0"
properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
properties_SPDX-PackageName="CISS.debian.live.builder"
properties_SPDX-Security-Contact="security@coresecret.eu"
properties_version="V8.13.404.2025.11.10"
properties_version="V8.13.408.2025.11.13"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
Created: 2025-05-07T12:00:00Z
Package: CISS.debian.live.builder
PackageName: CISS.debian.live.builder
PackageVersion: Master V8.13.404.2025.11.10
PackageVersion: Master V8.13.408.2025.11.13
PackageSupplier: Organization: Centurion Intelligence Consulting Agency
PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder

@@ -2,7 +2,7 @@
gitea: none
include_toc: true
---
[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.404.2025.11.10-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.408.2025.11.13-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
&nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -27,7 +27,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.404.2025.11.10<br>
**Build**: V8.13.408.2025.11.13<br>
This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
@@ -152,7 +152,7 @@ This means function status of the **CISS.2025.debian.live.builder** ISO after d-
This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
Example: `V8.13.404.2025.11.10`
Example: `V8.13.408.2025.11.13`
`x.y.z` represents major (x), minor (y), and patch (z) version increments.
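
Review bot: The versioning paragraph describes the pattern as "x.y.z-Date" with a hyphen, while the example on the changed line, `V8.13.408.2025.11.13`, joins the date with a dot and carries a leading "V". Suggest stating the pattern in the form the example actually uses so that tooling written against the description parses real version strings.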

@@ -8,13 +8,13 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.404.2025.11.10<br>
**Build**: V8.13.408.2025.11.13<br>
# 2.1. Repository Structure
**Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder
**Branch:** `master`
**Repository State:** Master Version **8.13**, Build **V8.13.404.2025.11.10** (as of 2025-10-11)
**Repository State:** Master Version **8.13**, Build **V8.13.408.2025.11.13** (as of 2025-10-11)
## 2.2. Top-Level Layout
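
Review bot: The "Repository State" line now names Build V8.13.408.2025.11.13 but still ends with "(as of 2025-10-11)", a date earlier than the one encoded in the build string. Update the date together with the build number, or drop the parenthetical so it cannot go stale.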

@@ -139,6 +139,7 @@ find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
source_guard "./lib/lib_check_secrets.sh"
source_guard "./lib/lib_check_stats.sh"
source_guard "./lib/lib_check_var.sh"
source_guard "./lib/lib_ciss_signatures.sh"
source_guard "./lib/lib_ciss_upgrades_boot.sh"
source_guard "./lib/lib_ciss_upgrades_build.sh"
source_guard "./lib/lib_clean_screen.sh"
@@ -235,7 +236,8 @@ init_gnupg
### Integrate primordial SSH identity files.
init_primordial
### Integrate CISS.debian.live.builder repository into the build dir.
### Integrate the CISS.debian.live.builder repository into the build directory.
### Modifications from this point onwards must be placed under 'VAR_HANDLER_BUILD_DIR'.
hardening_ultra
### CISS.debian.installer 'GRUB' and 'autostart' generator.
@@ -244,6 +246,7 @@ cdi
### Final CISS.debian.live.builder integrations.
change_splash
check_dhcp
ciss_signatures
ciss_upgrades_boot
hardening_root_pw
note_target

View File

@@ -58,6 +58,7 @@ readonly -f grep_nic_driver_modules
# shellcheck disable=SC2155
declare nic_driver="$(grep_nic_driver_modules)" VAR_DATE="$(date +%F)"
cat << EOF >| /etc/initramfs-tools/modules
# SPDX-Version: 3.0
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>

View File

@@ -0,0 +1,63 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
VAR_DATE="$(date +%F)"
cat << EOF >| /etc/systemd/system/ciss-remount-root.service
# SPDX-Version: 3.0
# SPDX-CreationInfo: ${VAR_DATE}; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
[Unit]
Description=Remount overlay root with nosuid,nodev
DefaultDependencies=no
After=local-fs.target
Before=basic.target
[Service]
Type=oneshot
ExecStart=/bin/mount -o remount,nosuid,nodev /
[Install]
WantedBy=sysinit.target
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF
mkdir -p /etc/systemd/system/tmp.mount.d
cat << EOF >| /etc/systemd/system/tmp.mount.d/override.conf
[Mount]
Options=mode=1777,strictatime,nosuid,nodev,noexec,size=1%
EOF
mkdir -p /etc/systemd/system/dev-shm.mount.d
cat << EOF >| /etc/systemd/system/dev-shm.mount.d/override.conf
[Mount]
Options=mode=1777,nosuid,nodev,noexec,size=25%
EOF
systemctl enable ciss-remount-root.service
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
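Review bot: `ExecStart=/bin/mount -o remount,nosuid,nodev /` makes the kernel ignore the setuid and setgid bits on every binary under the root mount, so any tool on the live system that relies on them stops elevating for unprivileged users once this unit has run. If that is the intent, state it in a comment next to the unit so it is not mistaken for a regression later. The `size=1%` in the tmp.mount override is similarly tight and deserves a one-line rationale. The closing "applied successfully" message only covers writing the files and `systemctl enable`; nothing visible here checks the resulting mount flags at boot.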

View File

@@ -19,21 +19,22 @@ declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
apt-get install -y --no-install-recommends --no-install-suggests dropbear-initramfs dropbear-bin 2>&1 | tee -a "${var_logfile}"
apt-get install -y --no-install-recommends --no-install-suggests cryptsetup-initramfs dropbear-initramfs dropbear-bin 2>&1 | tee -a "${var_logfile}"
apt-get purge -y dropbear 2>&1 | tee -a "${var_logfile}" || true
apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a "${var_logfile}"
apt-mark hold dropbear dropbear-initramfs 2>&1 | tee -a "${var_logfile}"
mv /usr/share/initramfs-tools/scripts/init-premount/dropbear /usr/share/initramfs-tools/scripts/init-premount/dropbear.trixie
mkdir -p /root/.ciss/cdlb/backup/usr/share/initramfs-tools/scripts/init-premount
mv /usr/share/initramfs-tools/scripts/init-premount/dropbear /root/.ciss/cdlb/backup/usr/share/initramfs-tools/scripts/init-premount/dropbear.trixie
install -m 0755 -o root -g root /root/dropbear.file /usr/share/initramfs-tools/scripts/init-premount/dropbear
rm -f /root/dropbear.file
mv /usr/sbin/dropbear /usr/sbin/dropbear.trixie
mv /usr/sbin/dropbear /root/.ciss/cdlb/backup/usr/sbin/dropbear.trixie
install -m 0755 -o root -g root /root/build/dropbear-2025.88/dropbear /usr/sbin/
for var_file in dbclient dropbearconvert dropbearkey; do
mv "/usr/bin/${var_file}" "/usr/bin/${var_file}.trixie"
mv "/usr/bin/${var_file}" "/root/.ciss/cdlb/backup/usr/bin/${var_file}.trixie"
install -m 0755 -o root -g root "/root/build/dropbear-2025.88/${var_file}" /usr/bin/
done
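Review bot: The only backup directory created in this hunk is `/root/.ciss/cdlb/backup/usr/share/initramfs-tools/scripts/init-premount`, but the later `mv` calls target `/root/.ciss/cdlb/backup/usr/sbin/` and `/root/.ciss/cdlb/backup/usr/bin/`, which no visible line creates; `mv` fails when the destination directory is missing. Add `mkdir -p` for both paths before the moves, or create all three in one call. Separately, the `apt-get ... | tee -a` lines report the exit status of `tee` unless `pipefail` is set earlier in the script, so confirm that is the case for the new `cryptsetup-initramfs` install.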

View File

@@ -0,0 +1,209 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" INITRD="No"
apt-get install -y --no-install-recommends kexec-tools busybox-static
install -d -m 0755 /boot/ciss-memwipe
install -d -m 0755 /usr/local/sbin
install -d -m 0755 /etc/systemd/system
install -d -m 0755 /etc/default
### Pick a kernel to kexec into: use the latest installed vmlinuz. -------------------------------------------------------------
# shellcheck disable=SC2012,SC2155
declare _kernel="$(cd /boot && ls -1 vmlinuz-* | sed 's|vmlinuz-||' | sort -V | tail -n1)"
cp -f "/boot/vmlinuz-${_kernel}" /boot/ciss-memwipe/vmlinuz
### Build minimal initramfs with a busybox and a tiny '/init'. -----------------------------------------------------------------
declare TMPDIR; TMPDIR="$(mktemp -d)"
trap 'rm -rf "${TMPDIR}"' EXIT
mkdir -p "${TMPDIR}"/{bin,dev,proc,sys,wipe}
cp -f /bin/busybox.static "${TMPDIR}/bin/busybox"
cat << 'EOF' >| "${TMPDIR}/init"
#!/bin/busybox sh
### Minimal init to wipe RAM, then power off.
### Parses cmdline: ciss_wipe_passes=2 ciss_wipe_mode=zero+random ciss_dd_bs=64M ciss_tmpfs_pct=95
set -eu
get_arg() { # $1=key ; echoes value or empty
for tok in $(cat /proc/cmdline); do
case "${tok}" in
$1=*) echo "${tok#*=}"; return 0;;
esac
done
echo ""
}
mount -t devtmpfs devtmpfs /dev 2>/dev/null || true
[ -e /dev/console ] || mknod -m 600 /dev/console c 5 1
[ -e /dev/null ] || mknod -m 666 /dev/null c 1 3
[ -e /dev/urandom ] || mknod -m 444 /dev/urandom c 1 9
mount -t proc proc /proc
mount -t sysfs sysfs /sys
PASSES="$(get_arg ciss_wipe_passes)"; [ -n "${PASSES}" ] || PASSES=2
MODE="$(get_arg ciss_wipe_mode)"; [ -n "${MODE}" ] || MODE="zero+random"
BS="$(get_arg ciss_dd_bs)"; [ -n "${BS}" ] || BS=64M
PCT="$(get_arg ciss_tmpfs_pct)"; [ -n "${PCT}" ] || PCT=95
echo 1 > /proc/sys/kernel/printk 2>/dev/null || true
MEM_KB="$(awk '/MemTotal:/ {print $2}' /proc/meminfo)"
SIZE_KB=$(( MEM_KB * PCT / 100 ))
mount -t tmpfs -o "size=${SIZE_KB}k,nodev,nosuid,noexec,mode=0700" tmpfs /wipe
wipe_pass() {
pattern="$1"
if [ "${pattern}" = "zero" ]; then
src="/dev/zero"
else
src="/dev/urandom"
fi
i=0
while :; do
busybox dd if="${src}" of="/wipe/block_${i}" bs="${BS}" status=none || break
i=$((i+1))
done
sync
echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
rm -f /wipe/block_* 2>/dev/null || true
sync
}
DO_ZERO=0; DO_RANDOM=0
case "${MODE}" in
zero) DO_ZERO=1 ;;
random) DO_RANDOM=1 ;;
zero+random|random+zero) DO_ZERO=1; DO_RANDOM=1 ;;
*) DO_ZERO=1 ;;
esac
p=1
while [ ${p} -le "${PASSES}" ]; do
[ ${DO_ZERO} -eq 1 ] && wipe_pass zero
[ ${DO_RANDOM} -eq 1 ] && wipe_pass random
p=$((p+1))
done
sync
busybox poweroff -f || echo o >| /proc/sysrq-trigger
EOF
chmod +x "${TMPDIR}/init"
( cd "${TMPDIR}" && find . -print0 | cpio --null -ov --format=newc ) | gzip -9 > /boot/ciss-memwipe/initrd.img
cat << 'EOF' >| /etc/default/ciss-memwipe
### CISS Memory Wipe defaults
CISS_WIPE_PASSES=2 # number of passes
CISS_WIPE_MODE="zero+random" # zero | random | zero+random
CISS_WIPE_DD_BS="64M" # dd block size
CISS_WIPE_TMPFS_PCT=95 # percentage of MemTotal to allocate
EOF
cat << 'EOF' >| /usr/local/sbin/ciss-memwipe
#!/bin/bash
# Prepare and execute kexec-based memory wipe.
set -euo pipefail
. /etc/default/ciss-memwipe || true
KERNEL="/boot/ciss-memwipe/vmlinuz"
INITRD="/boot/ciss-memwipe/initrd.img"
append_common="quiet loglevel=1 ciss_wipe_passes=${CISS_WIPE_PASSES:-2} ciss_wipe_mode=${CISS_WIPE_MODE:-zero+random} ciss_dd_bs=${CISS_WIPE_DD_BS:-64M} ciss_tmpfs_pct=${CISS_WIPE_TMPFS_PCT:-95}"
prepare() {
# Try to allow kexec if not locked down
if [ -w /proc/sys/kernel/kexec_load_disabled ] && [ "$(cat /proc/sys/kernel/kexec_load_disabled)" = "1" ]; then
echo 0 > /proc/sys/kernel/kexec_load_disabled || true
fi
# Load wipe kernel
if command -v kexec >/dev/null 2>&1 && [ -s "${KERNEL}" ] && [ -s "${INITRD}" ]; then
kexec -l "${KERNEL}" --initrd="${INITRD}" --append="${append_common}" || true
fi
}
fallback_inplace() {
# Last-resort: wipe in-place via tmpfs and then power off
mount -t tmpfs -o "size=95%,nodev,nosuid,noexec,mode=0700" tmpfs /run/wipe 2>/dev/null || mkdir -p /run/wipe
i=0
while :; do
dd if=/dev/zero of="/run/wipe/blk_${i}" bs="${CISS_WIPE_DD_BS:-64M}" status=none || break
i=$((i+1))
done
sync; echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
rm -f /run/wipe/blk_* 2>/dev/null || true
sync
systemctl poweroff -f || poweroff -f || echo o > /proc/sysrq-trigger
}
execute() {
sync; echo 3 > /proc/sys/vm/drop_caches 2>/dev/null || true
# Prefer systemd's path if possible
if command -v systemctl >/dev/null 2>&1 && systemctl --quiet is-system-running; then
# If kexec image was loaded, systemctl kexec will use it
systemctl kexec || kexec -e || fallback_inplace
else
kexec -e || fallback_inplace
fi
}
case "${1:-}" in
prepare) prepare ;;
execute) execute ;;
*) echo "Usage: $0 {prepare|execute}" >&2; exit 2 ;;
esac
EOF
chmod 0755 /usr/local/sbin/ciss-memwipe
### Systemd service: load at boot, execute on shutdown
cat << 'EOF' >| /etc/systemd/system/ciss-memwipe.service
[Unit]
Description=CISS: preload and execute kexec-based RAM wipe on shutdown
DefaultDependencies=no
# Ensure we run late enough on shutdown, but early enough to take over
Before=shutdown.target
After=local-fs.target network.target multi-user.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/ciss-memwipe prepare
# ExecStop runs during shutdown: jump into wipe kernel
ExecStop=/usr/local/sbin/ciss-memwipe execute
TimeoutStartSec=20s
TimeoutStopSec=infinity
[Install]
WantedBy=multi-user.target
EOF
systemctl enable ciss-memwipe.service
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
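Review bot: In `prepare()`, `echo 0 > /proc/sys/kernel/kexec_load_disabled || true` cannot re-enable kexec: the kernel treats that sysctl as one-way, and this same commit's premount sysctl script writes `1` to it before services start. The subsequent `kexec -l ... || true` then fails silently, and `execute()` always ends up in `fallback_inplace`, which does a single zero pass and ignores `CISS_WIPE_PASSES` and `CISS_WIPE_MODE`. Decide which of the two controls wins: either load the wipe kernel before the sysctl is locked, or drop the kexec path and make the in-place wipe honour the configured passes and mode. In `fallback_inplace`, note also that `mount ... /run/wipe || mkdir -p /run/wipe` creates the directory on failure but never retries the mount, so the `dd` loop then fills `/run` rather than a dedicated tmpfs.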

View File

@@ -18,9 +18,14 @@ declare var_dm="" var_unit_dir="" var_link="/etc/systemd/system/default.target"
### Remove CDLB artifacts ------------------------------------------------------------------------------------------------------
rm -f /root/ciss_xdg_tmp.sh
rm -fr /root/build
find / -xdev \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune -o -type f -name '.keep' -exec rm -f -- {} +
### Securing '/.ciss' ----------------------------------------------------------------------------------------------------------
find /.ciss -type d -exec chmod 0700 {} +
find /.ciss -type f -exec chmod 0440 {} +
### Securing '/etc/ciss/keys' --------------------------------------------------------------------------------------------------
find /etc/ciss/keys -type f -exec chmod 0444 {} +
find /etc/ciss/keys -type f -exec chmod 0440 {} +
### Regenerate the initramfs for the live system kernel ------------------------------------------------------------------------
update-initramfs -u -k all -v

View File

@@ -60,7 +60,7 @@ readonly -f preallocate
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
declare ROOTFS="${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs"
declare LUKSFS="${VAR_HANDLER_BUILD_DIR}/binary/live/rootfs.crypt"
declare LUKSFS="${VAR_HANDLER_BUILD_DIR}/binary/live/ciss_rootfs.crypt"
declare KEYFD=""
# shellcheck disable=SC2155

View File

@@ -0,0 +1,10 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

View File

@@ -0,0 +1,10 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

View File

@@ -0,0 +1,10 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

View File

@@ -0,0 +1,10 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

View File

@@ -1,22 +1,27 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: unlock_wrapper.sh to be executed as 'dropbear-initramfs' SSH forced command.
# shellcheck disable=SC2034
set -Ceu -o pipefail -o ignoreeof
shopt -s failglob
shopt -s lastpipe
shopt -u nullglob
umask 0077
export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"
declare -g PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"
### Will be replaced at build time:
declare -gr CDLB_DB_EXP_FPR="@EXP_FPR@"
declare -gr CDLB_DB_EXP_CA_FPR="@EXP_CA_FPR@"
#######################################
# Variable declaration
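Review bot: `CDLB_DB_EXP_FPR="@EXP_FPR@"` and `CDLB_DB_EXP_CA_FPR="@EXP_CA_FPR@"` rely on a build-time substitution, and nothing in this hunk stops the wrapper from running with the literal placeholders if that step is skipped. Add an early check that both values no longer start with `@` and abort otherwise, so a missed substitution fails closed instead of comparing against a dummy string. Also, the PATH value ends in `:/usr`, which is not a binary directory and can be dropped, and switching from `export PATH` to `declare -g PATH` only keeps PATH exported if it was already in the environment; confirm child processes still see the restricted value.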
@@ -383,7 +388,7 @@ verify_script() {
color_echo "${MAG}" "🔏 Verifying signature of: [${hashfile}]"
if ! gpgv --keyring /etc/ciss/keys/unlock_wrapper_pubring.gpg "${sigfile}" "${hashfile}"; then
if ! gpgv --keyring /etc/ciss/keys/"${sigfile}".gpg "${sigfile}" "${hashfile}"; then
color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]"
color_echo "${RED}" "✘ System Power Off in 3 seconds."
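Review bot: The keyring path is now built from the file being verified, `--keyring /etc/ciss/keys/"${sigfile}".gpg`, so the trust anchor depends on the value of `${sigfile}`. If `${sigfile}` carries a directory component the path no longer points into `/etc/ciss/keys`, and if its value can be influenced from outside, so can the choice of keyring. Derive the keyring name from a fixed allow-list or from the basename of `${sigfile}`, check that the keyring file exists before calling `gpgv`, and document the expected naming scheme in the function header.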

View File

@@ -1,13 +1,13 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: unlock_wrapper_signer.sh for signing unlock_wrapper.sh

View File

@@ -3,7 +3,7 @@
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>

View File

@@ -3,7 +3,7 @@
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -47,8 +47,13 @@ printf "\e[92mSuccessfully executed: [copy_exec /usr/sbin/blkid /usr/sbin/blkid]
### Include 'busybox' ----------------------------------------------------------------------------------------------------------
copy_exec /usr/bin/busybox /usr/busybox
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/busybox /usr/busybox] \n\e[0m"
copy_exec /usr/bin/busybox /usr/bin/busybox
printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/busybox /usr/bin/busybox] \n\e[0m"
### Include 'dmsetup' ----------------------------------------------------------------------------------------------------------
copy_exec /usr/sbin/dmsetup /usr/sbin/dmsetup
printf "\e[92mSuccessfully executed: [copy_exec /usr/sbin/dmsetup /usr/sbin/dmsetup] \n\e[0m"
### Include GNU coreutils 'sort' (has -V) --------------------------------------------------------------------------------------

View File

@@ -3,7 +3,7 @@
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>

View File

@@ -3,7 +3,7 @@
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>

View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.404.2025.11.10
# Version Master V8.13.408.2025.11.13
[git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
[git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==

View File

@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.404.2025.11.10
# Version Master V8.13.408.2025.11.13
### https://www.ssh-audit.com/
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig

View File

@@ -11,7 +11,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.404.2025.11.10
# Version Master V8.13.408.2025.11.13
### https://docs.kernel.org/
### https://github.com/a13xp0p0v/kernel-hardening-checker/
@@ -184,13 +184,13 @@ vm.mmap_rnd_compat_bits=16
# settings.
###########################################################################################
fs.suid_dumpable=0
kernel.core_pattern= | /bin/false
kernel.core_pattern=|/bin/false
### Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
#user.max_user_namespaces=0
###########################################################################################
# Reboot after even 1 WARN or BUG/Oops. Adjust for your tolerances. (Since v6.2)
# Reboot after even 1 WARN or BUG/Oops. Adjust for your tolerances. (From v6.2)
# If you want to set oops_limit greater than one, you will need to disable
# CONFIG_PANIC_ON_OOPS.
###########################################################################################

View File

@@ -0,0 +1,10 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

View File

@@ -0,0 +1,10 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

View File

@@ -10,7 +10,7 @@
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
declare -gr VERSION="Master V8.13.404.2025.11.10"
declare -gr VERSION="Master V8.13.408.2025.11.13"
### VERY EARLY CHECK FOR DEBUGGING
if [[ $* == *" --debug "* ]]; then

View File

@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
# Please consider donating to my work at: https://coresecret.eu/spenden/
###########################################################################################
# Written by: ./preseed_hash_generator.sh Version: Master V8.13.404.2025.11.10 at: 10:18:37.9542
# Written by: ./preseed_hash_generator.sh Version: Master V8.13.408.2025.11.13 at: 10:18:37.9542

View File

@@ -0,0 +1,60 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck disable=SC2249
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Purpose: Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
# Phase : premount (executed by live-boot inside the initramfs).
set -eu
### Phase gate: run only in the intended live-boot phase -----------------------------------------------------------------------
PHASE="${1:-}"
case "${PHASE}" in
premount)
;; ### Continue.
*)
exit 0 ### Do nothing in other phases.
;;
esac
printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh] ... \n\e[0m"
### Declare variables ----------------------------------------------------------------------------------------------------------
OVERLAY_BASE="/run/live/overlay"
UPPER="${OVERLAY_BASE}/upper"
WORK="${OVERLAY_BASE}/work"
### Size policy: hard ceiling to mitigate RAM-filling DoS; tune to your ISO profile.
: "${CDLB_OVERLAY_TMPFS_SIZE:=70%}"
### Create a base dir with restrictive perms.
# shellcheck disable=SC2174
mkdir -p -m 0700 "${OVERLAY_BASE}"
### Mount dedicated tmpfs with strict flags; 'noexec' here blocks accidental execs from the raw tmpfs path.
mount -t tmpfs -o "size=${CDLB_OVERLAY_TMPFS_SIZE},mode=0700,nosuid,nodev,noexec" tmpfs "${OVERLAY_BASE}"
# Prepare upper/work with tight perms.
# shellcheck disable=SC2174
mkdir -p -m 0700 "${UPPER}" "${WORK}"
printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh] \n\e[0m"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
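Review bot: The `mount -t tmpfs ... "${OVERLAY_BASE}"` call runs unconditionally, so if `/run/live/overlay` is already a mount point a second tmpfs is stacked on top of it. Guard it with `mountpoint -q "${OVERLAY_BASE}"`, as the crypt-squash premount script in this commit does for the medium. `CDLB_OVERLAY_TMPFS_SIZE` is also interpolated into the option string unchecked; validate that it is a plain size or percentage before use, and note in the header where the variable is expected to be set.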

View File

@@ -0,0 +1,170 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck disable=SC2249
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Purpose: Open /live/ciss_rootfs.crypt (LUKS) and present its SquashFS as /run/live/rootfs
# Phase : premount (executed by live-boot inside the initramfs)
set -eu
### Phase gate: run only in the intended live-boot phase -----------------------------------------------------------------------
PHASE="${1:-}"
case "${PHASE}" in
premount)
;; ### Continue.
*)
exit 0 ### Do nothing in other phases.
;;
esac
printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0024-ciss-crypt-squash] ... \n\e[0m"
#######################################
# Premount logging helper.
# Globals:
# None
# Arguments:
# *: String to log.
#######################################
log() {
msg="$*"
if [ -w /dev/kmsg ]; then
printf '<6>%s: %s\n' '0024-ciss-crypt-squash' "${msg}" > /dev/kmsg
else
printf '%s: %s\n' '0024-ciss-crypt-squash' "${msg}"
fi
}
### Declare variables ----------------------------------------------------------------------------------------------------------
CDLB_LUKS_FS="/live/ciss_rootfs.crypt"
CDLB_ISO_LABEL="CISS.debian.live"
MNT_MEDIUM="/run/live/medium"
MNT_ROOTFS="/run/live/rootfs"
_PARAMETER=""
_dev=""
for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
case "${_PARAMETER}" in
ciss_crypt_path=*) CDLB_LUKS_FS="${_PARAMETER#ciss_crypt_path=}";;
ciss_iso_label=* ) CDLB_ISO_LABEL="${_PARAMETER#ciss_iso_label=}";;
esac
done
mkdir -p "${MNT_MEDIUM}" "${MNT_ROOTFS}"
### Mount the live medium (ISO) read-only, unless already mounted --------------------------------------------------------------
if ! mountpoint -q "${MNT_MEDIUM}"; then
if [ -n "${CDLB_ISO_LABEL}" ] && [ -e "/dev/disk/by-label/${CDLB_ISO_LABEL}" ]; then
mount -r -t iso9660 "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${MNT_MEDIUM}" 2>/dev/null \
|| mount -r -t udf "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${MNT_MEDIUM}" 2>/dev/null \
|| log "could not mount label=${CDLB_ISO_LABEL} (iso9660/udf)"
fi
fi
if ! mountpoint -q "${MNT_MEDIUM}"; then
### Fallback scan (covers SR drives and loop-mounted ISOs that udev exposed).
for _dev in /dev/sr* /dev/cdrom /dev/disk/by-label/*; do
### Skip non-block entries early.
[ -b "${_dev}" ] || continue
### Try ISO9660 first, then UDF; only unmount on failure
if mount -r -t iso9660 "${_dev}" "${MNT_MEDIUM}" 2>/dev/null \
|| mount -r -t udf "${_dev}" "${MNT_MEDIUM}" 2>/dev/null
then
mountpoint -q "${MNT_MEDIUM}" 2>/dev/null && break
else
umount "${MNT_MEDIUM}" 2>/dev/null || true
fi
done
fi
if ! mountpoint -q "${MNT_MEDIUM}"; then
log "no live medium mounted defer to default live-boot path"
exit 0
fi
### Locate the encrypted root container on the medium. -------------------------------------------------------------------------
if [ ! -f "${MNT_MEDIUM}/${CDLB_LUKS_FS}" ]; then
log "encrypted root not found at ${MNT_MEDIUM}/${CDLB_LUKS_FS}"
exit 0
fi
### Create/read FIFO compatible with cryptsetup-initramfs (if present). This allows 'cryptroot-unlock' to feed the passphrase
### over SSH (dropbear).
mkdir -p /lib/cryptsetup
[ -p /lib/cryptsetup/passfifo ] || mkfifo /lib/cryptsetup/passfifo
### Attach a loop device read-only to the encrypted file. ----------------------------------------------------------------------
LOOP="$(losetup -f --show -r "${MNT_MEDIUM}/${CDLB_LUKS_FS}")" || { log "losetup failed"; exit 42; }
### Try to open the LUKS container, first via FIFO (SSH unlock), then interactively. -------------------------------------------
attempts=0
while true; do
attempts=$((attempts+1))
echo "Unlock '${CDLB_LUKS_FS}' (try ${attempts}): use 'cryptroot-unlock' over SSH or enter on console" >/dev/console 2>/dev/null || true
## Non-blocking read from FIFO (Dropbear and cryptroot-unlock path).
if timeout 5 cat /lib/cryptsetup/passfifo | cryptsetup open --type luks --readonly "${LOOP}" crypt_liveiso --key-file - 2>/dev/null; then
break
fi
### Interactive fallback on the console.
if cryptsetup open --type luks --readonly "${LOOP}" crypt_liveiso; then
break
fi
done
### Mount the decrypted payload as SquashFS under '/run/live/rootfs'. ----------------------------------------------------------
mount -r -t squashfs /dev/mapper/crypt_liveiso "${MNT_ROOTFS}" || { log "mount squashfs failed"; exit 1; }
### Ensure live-boot keeps using our medium (bind-mount for consistency). ------------------------------------------------------
mount --bind "${MNT_MEDIUM}" "${MNT_MEDIUM}" 2>/dev/null || true
log "encrypted squashfs is mounted at ${MNT_ROOTFS} (device=/dev/mapper/crypt_liveiso)"
printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0024-ciss-crypt-squash] \n\e[0m"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
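Review bot: the unlock loop at `while true; do` increments `attempts` but never compares it to a limit, so a machine without a usable console cycles forever between the 5-second FIFO read and a failing interactive `cryptsetup open`. Cap the attempts, and on exhaustion detach the loop device with `losetup -d "${LOOP}"` before stopping; the `mount squashfs failed` path also exits with the mapping and the loop device still attached. The comment calls the FIFO read non-blocking, but `timeout 5 cat` blocks for up to five seconds and then hands `cryptsetup` an empty key on stdin, which the comment should say.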

View File

@@ -0,0 +1,50 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck disable=SC2249
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Purpose: Enforce early sysctls before services start.
# Phase : premount (executed by live-boot inside the initramfs).
set -eu
### Phase gate: run only in the intended live-boot phase -----------------------------------------------------------------------
PHASE="${1:-}"
case "${PHASE}" in
premount)
;; ### Continue.
*)
exit 0 ### Do nothing in other phases.
;;
esac
printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] ... \n\e[0m"
echo 2 > /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true
echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || true
echo 0 > /proc/sys/fs/suid_dumpable 2>/dev/null || true
echo 1 > /proc/sys/kernel/kexec_load_disabled 2>/dev/null || true
echo 1 > /proc/sys/fs/protected_symlinks 2>/dev/null || true
echo 1 > /proc/sys/fs/protected_hardlinks 2>/dev/null || true
echo 2 > /proc/sys/fs/protected_regular 2>/dev/null || true
echo 2 > /proc/sys/kernel/kptr_restrict 2>/dev/null || true
printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] \n\e[0m"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
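Review bot: every write ends in `2>/dev/null || true` and the script then prints `Successfully applied` unconditionally, so a kernel that lacks one of these knobs boots with the setting absent and nothing in the log. Read each value back after writing and log a warning on mismatch, so the success banner appears only when all eight settings took effect. Note also that `2>/dev/null` placed after `> /proc/...` does not suppress the shell's own error when the target cannot be opened, because redirections are applied left to right.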

View File

@@ -4,7 +4,7 @@
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -15,11 +15,11 @@
# SPDX-Security-Contact: security@coresecret.eu
### Modified Version of the original file:
### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
### https://salsa.debian.org/live-team/live-boot 'components/0030-ciss-verify-checksums'
### In case of successful verification of the offered checksum, proceed with booting; otherwise panic.
#######################################
# Modified checksum-integrity and authenticity-verification-script for continuing the boot process.
# Modified checksum-integrity and authenticity-verification-script depending on pinned GPG FPR for boot process verification.
# Globals:
# LIVE_BOOT_CMDLINE
# _TTY
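Review bot: the provenance comment under `### Modified Version of the original file:` now names `components/0030-ciss-verify-checksums` in the live-boot repository, while the line it replaces gives the original as `components/0030-verify-checksums`; the `ciss` rename applies to this project's copy only. Keep the original component name in that reference so the pointer to the source file stays accurate.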
@@ -29,9 +29,43 @@
# 0 : Successful verification
#######################################
Verify_checksums() {
printf "\e[95m[INFO] CDLB modified: [/usr/lib/live/boot/0030-verify-checksums] ... \n\e[0m"
printf "\e[95m[INFO] CDLB modified: [/usr/lib/live/boot/0030-ciss-verify-checksums] ... \n\e[0m"
### Declare variables --------------------------------------------------------------------------------------------------------
### Will be replaced at build time:
export CDLB_EXP_FPR="@EXP_FPR@"
export CDLB_EXP_CA_FPR="@EXP_CA_FPR@"
### Declare functions --------------------------------------------------------------------------------------------------------
#######################################
# Helper for colored text output on stdout.
# Globals:
# None
# Arguments:
# *: String to print
#######################################
log_in() { printf '\e[95m[INFO] %s \n\e[0m' "$*"; }
#######################################
# Helper for colored text output on stdout.
# Globals:
# None
# Arguments:
# *: String to print
#######################################
log_ok() { printf '\e[92m[INFO] %s \n\e[0m' "$*"; }
#######################################
# Helper for colored text output on stdout.
# Globals:
# None
# Arguments:
# *: String to print
#######################################
log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }
_MOUNTPOINT="${1}"
_PARAMETER=""
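Review bot: `CDLB_EXP_FPR="@EXP_FPR@"` depends on build-time substitution, and nothing in this hunk checks that the substitution happened. Add a guard right after the assignment that panics when the value still holds the literal placeholder or is not a hex fingerprint, so an unsubstituted image fails with a clear message instead of a fingerprint mismatch later. `export` is only needed if a child process reads these values, and the three `log_*` helpers are repeated verbatim in 0042-ciss-post-decrypt-attest; a shared include would keep them in sync.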
@@ -71,19 +105,6 @@ Verify_checksums() {
done
### Check GPG pubkey file correct path ---------------------------------------------------------------------------------------
for _MP in /lib/live/mount/medium /run/live/medium /cdrom /; do
if [ -e "${_MP}/0030-verify-checksums.gpg" ]; then
_KEYFILE="${_MP}/0030-verify-checksums.gpg"
break
fi
done
### Check if the function should be skipped ----------------------------------------------------------------------------------
case "${LIVE_VERIFY_CHECKSUMS}" in
@@ -97,13 +118,33 @@ Verify_checksums() {
esac
### Check GPG pubkey file correct path ---------------------------------------------------------------------------------------
for _MP in /lib/live/mount/medium /run/live/medium /cdrom /; do
if [ -e "${_MP}/${CDLB_EXP_FPR}.gpg" ]; then
_KEYFILE="${_MP}/${CDLB_EXP_FPR}.gpg"
if [ -e "${_MP}/${CDLB_EXP_CA_FPR}.gpg" ]; then
_CA_KEYFILE="${_MP}/${CDLB_EXP_CA_FPR}.gpg"
fi
break
fi
done
# shellcheck disable=SC2164
cd "${_MOUNTPOINT}"
### CDLB verification of script integrity itself -----------------------------------------------------------------------------
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
log_begin_msg "Verifying integrity of: [0030-verify-checksums]"
log_begin_msg "Verifying integrity of: [0030-ciss-verify-checksums]"
printf "\n"
_CAND=""
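Review bot: when none of the four mount points holds `${CDLB_EXP_FPR}.gpg`, the loop ends without setting `_KEYFILE` in the lines shown, and the later `gpgv --keyring "${_KEYFILE}"` calls run with an empty keyring path. Fail explicitly after the loop with a message that names the expected file. `_CA_KEYFILE` is assigned here but not used by any other line shown on this page; either wire it into the verification or leave it out until it is needed.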
@@ -112,7 +153,7 @@ Verify_checksums() {
CDLB_CMD="/usr/bin/sha512sum"
CDLB_SHA="sha512"
for _CAND in /scripts/live-bottom/0030-verify-checksums /usr/lib/live/boot/0030-verify-checksums; do
for _CAND in /scripts/live-bottom/0030-ciss-verify-checksums /usr/lib/live/boot/0030-ciss-verify-checksums; do
[ -e "${_CAND}" ] && { CDLB_SCRIPT_SELF="${_CAND}"; break; }
@@ -124,38 +165,54 @@ Verify_checksums() {
CDLB_HASHFILE="${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt"
CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
_STATUS="$(/usr/bin/gpgv --no-default-keyring --keyring "${_KEYFILE}" --status-fd 1 --verify "${CDLB_SIG_FILE}" "${CDLB_SCRIPT_FULL}" 2>/dev/null)"
printf "\e[95m[INFO] Verifying integrity of: [%s] ... \n\e[0m" "${CDLB_SCRIPT_FULL}"
_CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"
printf "\e[95m[INFO] Verifying signature of: [%s] ... \n\e[0m" "${CDLB_SIG_FILE}"
### Compare against pinned and expected fingerprint.
if [ "${_CDLB_SIG_FILE_FPR}" = "${CDLB_EXP_FPR}" ]; then
if ! /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
printf "\e[91m[FATAL] Verifying signature of: [%s] failed. \n\e[0m" "${CDLB_SIG_FILE}"
sleep 16
panic "[FATAL] Verifying signature of: [${CDLB_SIG_FILE}] failed."
log_ok "Signature FPR valid: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
else
printf "\e[92m[INFO] Verifying signature of: [%s] successful. \n\e[0m" "${CDLB_SIG_FILE}"
log_er "Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
sleep 8
panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
fi
printf "\e[95m[INFO] Recomputing hash for: [%s] ... \n\e[0m" "${CDLB_SHA}"
### Script self-integrity and authenticity checks --------------------------------------------------------------------------
### Assumption: initramfs itself is not altered.
log_in "Verifying signature of: [${CDLB_SIG_FILE}] ..."
if ! /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
log_er "Verifying signature of: [${CDLB_SIG_FILE}] failed."
sleep 8
panic "[FATAL] Verifying signature of: [${CDLB_SIG_FILE}] failed."
else
log_ok "Verifying signature of: [${CDLB_SIG_FILE}] successful."
fi
log_in "Recomputing hash for: [${CDLB_SHA}] ..."
CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT_FULL}" | { read -r first _ || exit 1; printf '%s\n' "${first}"; })
IFS=' ' read -r CDLB_EXPECTED _ < "${CDLB_HASHFILE}"
if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then
printf "\e[91m[FATAL] Recomputing hash for: [%s] failed. \n\e[0m" "${CDLB_SHA}"
sleep 16
panic "[FATAL] Recomputing hash for: [${CDLB_SHA}] failed."
log_er "Recomputing hash for: [${CDLB_SHA}] failed."
sleep 8
panic "[FATAL] Recomputing hash for: [${CDLB_SHA}] failed."
fi
printf "\e[92m[INFO] Recomputing hash for: [%s] successful. \n\e[0m" "${CDLB_SHA}"
printf "\e[92m[INFO] Verification of authenticity and integrity of [%s] successfully completed. \n\e[0m" "${CDLB_SCRIPT_FULL}"
log_ok "Recomputing hash for: [${CDLB_SHA}] successful."
log_ok "Verification of authenticity and integrity of [${CDLB_SCRIPT_FULL}] successfully completed."
log_end_msg
printf "\n"
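Review bot: the new `_STATUS` call verifies `${CDLB_SIG_FILE}` against `${CDLB_SCRIPT_FULL}`, while the `gpgv` call a few lines below verifies the same signature against `${CDLB_HASHFILE}`; a detached signature can match only one of the two, and the name `${CDLB_HASHFILE}.sig` says it covers the hash file. Pass `${CDLB_HASHFILE}` as the data file in the `_STATUS` call, otherwise no `VALIDSIG` line is produced and the fingerprint comparison panics on a correctly signed image. Once the fingerprint comes from the right call the second `gpgv` run is redundant: run it once, require a zero exit status and compare `VALIDSIG` to `CDLB_EXP_FPR`. Please also confirm that `gpgv` accepts `--no-default-keyring` and `--verify`, since `2>/dev/null` would hide an option error.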
@@ -164,7 +221,7 @@ Verify_checksums() {
### Checksum and checksum signature verification -----------------------------------------------------------------------------
log_begin_msg "Verifying checksums"
printf "\n"
printf "\e[95m[INFO] Verifying checksums ... \n\e[0m"
log_in "Verifying checksums ..."
# shellcheck disable=SC2001
for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
@@ -176,27 +233,27 @@ Verify_checksums() {
if [ -e "${_CHECKSUM}" ]; then
printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "${_CHECKSUM}"
log_in "Found: [${_CHECKSUM}] ..."
if [ -e "/usr/bin/${_DIGEST}sum" ]; then
printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "/usr/bin/${_DIGEST}sum"
log_in "Found: [/usr/bin/${_DIGEST}sum] ..."
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
printf "\e[95m[INFO] Checking signature of: [%s] ... \n\e[0m" "${_CHECKSUM}"
log_in "Checking signature of: [${_CHECKSUM}] ..."
_CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"
if /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"; then
_RETURN_PGP="${?}"
printf "\e[92m[INFO] Checking signature of: [%s] successful. \n\e[0m" "${_CHECKSUM}"
log_in "Checking signature of: [${_CHECKSUM}] successful."
else
_RETURN_PGP="${?}"
printf "\e[91m[FATAL] Checking signature of: [%s] failed. \n\e[0m" "${_CHECKSUM}"
log_er "Checking signature of: [${_CHECKSUM}] failed."
fi
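Review bot: the checksum-file check, `gpgv --keyring "${_KEYFILE}" ... "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"`, accepts a signature from any key in the keyring file and does not compare the signer to `CDLB_EXP_FPR`, unlike the script self-check changed earlier in this commit. Because `_KEYFILE` is read from the medium, apply the same `VALIDSIG` fingerprint comparison here so that both checks enforce the pin. The success branch now logs through `log_in` where the old line used the green success colour; `log_ok` would match the other success messages.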
@@ -210,12 +267,12 @@ Verify_checksums() {
if grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_TTY}"; then
_RETURN_SHA="${?}"
printf "\e[92m[INFO] Found: [%s] successful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"
log_ok "Found: [/usr/bin/${_DIGEST}sum] successful verified: [${_CHECKSUM}]"
else
_RETURN_SHA="${?}"
printf "\e[91m[FATAL] Found: [%s] unsuccessful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"
log_er "Found: [/usr/bin/${_DIGEST}sum] unsuccessful verified: [${_CHECKSUM}]"
fi
@@ -225,7 +282,7 @@ Verify_checksums() {
else
_RETURN_SHA="255"
printf "\e[93m[WARN] NOT Found [%s]. \n\e[0m" "/usr/bin/${_DIGEST}sum"
log_er "NOT Found [/usr/bin/${_DIGEST}sum]."
fi
@@ -241,40 +298,35 @@ Verify_checksums() {
case "${_RETURN_PGP},${_RETURN_SHA}" in
"0,0")
printf "\e[92m[INFO] Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds. \n\e[0m"
printf "\e[92m[INFO] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
sleep 8
log_ok "Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds."
log_success_msg "Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds."
sleep 8
return 0
;;
"na,0")
printf "\e[92m[INFO] Verification of [sha checksum] file successful; continuing booting in 8 seconds. \n\e[0m"
printf "\e[92m[INFO] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
sleep 8
log_ok "Verification of [sha checksum] file successful; continuing booting in 8 seconds."
log_success_msg "Verification of [sha checksum] file successful; continuing booting in 8 seconds."
sleep 8
return 0
;;
"0,"*)
printf "\e[91m[FATAL] Verification of [GPG signature] file successful, while verification of [sha checksum] file failed. \n\e[0m"
printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
log_er "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed."
sleep 8
panic "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed."
panic "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed."
;;
*",0")
printf "\e[91m[FATAL] Verification of [GPG signature] file failed, while verification of [sha checksum] file successful. \n\e[0m"
printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
log_er "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful."
sleep 8
panic "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful."
panic "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful."
;;
"na,"*)
printf "\e[91m[FATAL] Verification of [sha checksum] file failed. \n\e[0m"
printf "\e[91m[FATAL] CDLB modified: [%s] done. \n\e[0m" "${CDLB_SCRIPT_FULL}"
log_er "Verification of [sha checksum] file failed."
sleep 8
panic "Verification of checksum file failed."
panic "Verification of [sha checksum] file failed."
;;
esac
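Review bot: the `case "${_RETURN_PGP},${_RETURN_SHA}"` block has no `*)` arm, so a result where both checks fail (for example `2,1`) matches none of the five patterns and control continues past `esac` into code this hunk does not show. Add a default arm that calls `panic` so every non-success combination stops the boot here. In the two success arms `log_ok` and `log_success_msg` print the same sentence twice; one of them is enough.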

View File

@@ -0,0 +1,194 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck disable=SC2249
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Purpose: Late rootfs attestation and dmsetup health checking.
# Phase : bottom (executed by live-boot inside the initramfs).
set -eu
### Phase gate: run only in the intended live-boot phase -----------------------------------------------------------------------
PHASE="${1:-}"
case "${PHASE}" in
bottom)
;; ### Continue.
*)
exit 0 ### Do nothing in other phases.
;;
esac
printf "\e[95m[INFO] Starting: [/usr/lib/live/boot/0042-ciss-post-decrypt-attest] ... \n\e[0m"
### Declare variables ----------------------------------------------------------------------------------------------------------
### Will be replaced at build time:
export CDLB_EXP_FPR="@EXP_FPR@"
export CDLB_EXP_CA_FPR="@EXP_CA_FPR@"
### Name of the top-level dm-crypt mapping (e.g., cryptsetup --label): zzzz_ciss_crypt_squash.hook.binary ----------------------
CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-ciss_rootfs.crypt}"
### Attestation file locations inside decrypted rootfs. ------------------------------------------------------------------------
CDLB_ATTEST_FPR_SHA="${CDLB_ATTEST_FPR_SHA:-/.ciss/attest/${CDLB_EXP_FPR}.sha512sum.txt}"
CDLB_ATTEST_FPR_SIG="${CDLB_ATTEST_FPR_SIG:-/.ciss/attest/${CDLB_EXP_FPR}.sha512sum.txt.sig}"
CDLB_KEY_DIR="${CDLB_KEY_DIR:-/etc/ciss/keys}"
### Declare functions ----------------------------------------------------------------------------------------------------------
#######################################
# Helper for colored text output on stdout.
# Globals:
# None
# Arguments:
# *: String to print
#######################################
log_in() { printf '\e[95m[INFO] %s \n\e[0m' "$*"; }
#######################################
# Helper for colored text output on stdout.
# Globals:
# None
# Arguments:
# *: String to print
#######################################
log_ok() { printf '\e[92m[INFO] %s \n\e[0m' "$*"; }
#######################################
# Helper for colored text output on stdout.
# Globals:
# None
# Arguments:
# *: String to print
#######################################
log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }
### Locate decrypted rootfs mount ----------------------------------------------------------------------------------------------
_mp=""
ROOTMP=""
for _mp in /run/live/rootfs /run/live/rootfs.squashfs /run/live/overlay /root ; do
if [ -d "${_mp}" ] && [ -e "${_mp}/etc" ]; then ROOTMP="${_mp}"; break; fi
done
if [ -z "${ROOTMP}" ]; then
log_er "No decrypted rootfs mount found."
sleep 8
# TODO: Remove debug mode
# panic "[FATAL] No decrypted rootfs mount found."
fi
log_ok "Decrypted rootfs at: [${ROOTMP}]"
HASH_FILE="${ROOTMP}${CDLB_ATTEST_FPR_SHA}"
SIGN_FILE="${ROOTMP}${CDLB_ATTEST_FPR_SIG}"
KEYFILE="${ROOTMP}${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg"
[ -n "${KEYFILE}" ] || { log_er "No public key found under: [${ROOTMP}${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"; exit 42; }
[ -s "${HASH_FILE}" ] || { log_er "Attestation data missing: [${HASH_FILE}]"; exit 42; }
[ -s "${SIGN_FILE}" ] || { log_er "Attestation signature missing: [${SIGN_FILE}]"; exit 42; }
log_in "Verifying rootfs attestation with 'gpgv' and inside LUKS encrypted rootfs pinned GPG FPR."
_STATUS="$(${GPGV} --no-default-keyring --keyring "${KEYFILE}" --status-fd 1 --verify "${SIGN_FILE}" "${HASH_FILE}" 2>/dev/null)"
_CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"
### Compare against pinned and expected fingerprint. ---------------------------------------------------------------------------
if [ "${_CDLB_SIG_FILE_FPR}" = "${CDLB_EXP_FPR}" ]; then
log_ok "Signature FPR valid: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
else
log_er "Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
sleep 8
# TODO: Remove debug mode
# panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
fi
### 'dmsetup' health check -----------------------------------------------------------------------------------------------------
MAP_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
if [ -e "${MAP_DEV}" ]; then
log_in "Checking dmsetup table for ${MAP_DEV}"
TOP_LINE="$(/usr/sbin/dmsetup table --showkeys "${MAP_DEV}" 2>/dev/null | awk 'NR==1{print; exit}')"
if printf '%s\n' "${TOP_LINE}" | grep -q ' crypt '; then
log_ok "Top layer is 'crypt'."
else
log_er "Top layer is NOT 'crypt'."
sleep 8
# TODO: Remove debug mode
# panic "[FATAL] Top layer is NOT 'crypt'."
fi
if printf '%s\n' "${TOP_LINE}" | grep -Eq ' xts|aes-xts'; then
log_ok "Cipher looks like AES-XTS."
else
log_er "Cipher does not look like AES-XTS."
sleep 8
# TODO: Remove debug mode
# panic "[FATAL] Cipher does not look like AES-XTS."
fi
### Extract child device token (the second last field is 'device', the last is 'offset.') --------------------------------------
CHILD_TOK="$(printf '%s\n' "${TOP_LINE}" | awk '{print $(NF-1)}')"
CHILD_NAME="${CHILD_TOK}"
case "${CHILD_TOK}" in
*:* )
if [ -e "/sys/dev/block/${CHILD_TOK}/dm/name" ]; then
CHILD_NAME="$(cat "/sys/dev/block/${CHILD_TOK}/dm/name" 2>/dev/null || true)"
[ -n "${CHILD_NAME}" ] || CHILD_NAME="${CHILD_TOK}"
fi
;;
/dev/* )
CHILD_NAME="$(basename -- "${CHILD_TOK}")"
;;
esac
#### Child layer must be 'integrity' with hmac and sha512 and 4096-byte sectors (best-effort greps). ---------------------------
log_in "Checking underlying integrity target: ${CHILD_NAME}"
CHILD_TAB="$(/usr/sbin/dmsetup table --showkeys "${CHILD_NAME}" 2>/dev/null || true)"
printf '%s\n' "${CHILD_TAB}" | grep -q ' integrity ' || { log_er "Underlying layer is not 'integrity'"; }
printf '%s\n' "${CHILD_TAB}" | grep -qi 'hmac' || { log_er "Integrity target not using keyed MAC (hmac)"; }
printf '%s\n' "${CHILD_TAB}" | grep -qi 'sha512' || { log_er "Integrity algo not sha512"; }
printf '%s\n' "${CHILD_TAB}" | grep -Eq '\b4096\b' || { log_er "Expected 4096-byte sector size not found"; }
log_ok "dm-crypt and dm-integrity(HMAC-SHA512, 4096B) chain looks healthy."
fi
printf "\e[92m[INFO] Successfully applied: [/usr/lib/live/boot/0042-ciss-post-decrypt-attest]\n\e[0m"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
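Review bot: `${GPGV}` in the `_STATUS` assignment is not defined in the lines shown, so under `set -eu` the expansion is an unset-variable error before `gpgv` ever runs; define it (0030-ciss-verify-checksums calls `/usr/bin/gpgv` directly) and check that the binary exists. `[ -n "${KEYFILE}" ]` is always true because the variable was just built from a non-empty path; test the file with `[ -s "${KEYFILE}" ]`, as is done for `HASH_FILE` and `SIGN_FILE`. Every `panic` is commented out under a TODO and the script ends with a success banner and `exit 0`, so as committed the attestation only logs; the four integrity-layer `grep` checks likewise only call `log_er` and are followed by an unconditional `log_ok` that reports the chain as healthy. The health check runs only if `/dev/mapper/${CDLB_MAPPER_NAME}` exists, with no `else` branch, and the default `ciss_rootfs.crypt` differs from the `crypt_liveiso` name that 0024-ciss-crypt-squash opens on this page, so the check can be skipped without any message. `dmsetup table --showkeys` puts key material into shell variables although only the target type and cipher are inspected; drop `--showkeys`.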

View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.404.2025.11.10<br>
**Build**: V8.13.408.2025.11.13<br>
# 2. DNSSEC Status

View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.404.2025.11.10<br>
**Build**: V8.13.408.2025.11.13<br>
# 2. Haveged Audit on Netcup RS 2000 G11

View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.404.2025.11.10<br>
**Build**: V8.13.408.2025.11.13<br>
# 2. Lynis Audit:

View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.404.2025.11.10<br>
**Build**: V8.13.408.2025.11.13<br>
# 2. SSH Audit by ssh-audit.com
@@ -18,18 +18,22 @@ include_toc: true
````text
# general
(gen) banner: SSH-2.0-OpenSSH_9.2p1
(gen) software: OpenSSH 9.2p1
(gen) banner: SSH-2.0-OpenSSH_10.0p2
(gen) software: OpenSSH 10.0p2
(gen) compatibility: OpenSSH 9.9+, Dropbear SSH 2020.79+
(gen) compression: disabled
# key exchange algorithms
(kex) mlkem768x25519-sha256 -- [info] available since OpenSSH 9.9
`- [info] hybrid key exchange based on post-quantum resistant algorithm and proven conventional X25519 algorithm
(kex) sntrup761x25519-sha512@openssh.com -- [info] available since OpenSSH 8.5
`- [info] default key exchange from OpenSSH 9.0 to 9.8
`- [info] hybrid key exchange based on post-quantum resistant algorithm and proven conventional X25519 algorithm
(kex) sntrup761x25519-sha512 -- [info] available since OpenSSH 9.9
`- [info] default key exchange since OpenSSH 9.9
`- [info] hybrid key exchange based on post-quantum resistant algorithm and proven conventional X25519 algorithm
(kex) ext-info-s -- [info] available since OpenSSH 9.6
`- [info] pseudo-algorithm that denotes the peer supports RFC8308 extensions
(kex) kex-strict-s-v00@openssh.com -- [info] pseudo-algorithm that denotes the peer supports a stricter key exchange method as a counter-measure to the Terrapin attack (CVE-2023-48795)
# host-key algorithms
@@ -39,16 +43,10 @@ include_toc: true
# encryption algorithms (ciphers)
(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
# message authentication code algorithms
(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2
# algorithm recommendations (for OpenSSH 9.2)
(rec) +aes128-ctr -- enc algorithm to append
(rec) +aes128-gcm@openssh.com -- enc algorithm to append
(rec) +aes192-ctr -- enc algorithm to append
````
---

View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.404.2025.11.10<br>
**Build**: V8.13.408.2025.11.13<br>
# 2. TLS Audit:
````text

View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.404.2025.11.10<br>
**Build**: V8.13.408.2025.11.13<br>
# 2. Hardened Kernel Boot Parameters

View File

@@ -8,10 +8,33 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.404.2025.11.10<br>
**Build**: V8.13.408.2025.11.13<br>
# 2. Changelog
## V8.13.408.2025.11.13
* **Added**: [0002_hardening_overlay_tmpfs.chroot](../config/hooks/live/0002_hardening_overlay_tmpfs.chroot) + Remount overlay root with ``nosuid,nodev``.
* **Added**: [0100_ciss_mem_wipe.chroot](../config/hooks/live/0100_ciss_mem_wipe.chroot) + adding Tails-like memory wiping.
* **Added**: [0022-ciss-overlay-tmpfs.sh](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh) + Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
* **Added**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash) + Open ``/live/ciss_rootfs.crypt`` (LUKS) and present its SquashFS as ``/run/live/rootfs``.
* **Added**: [0026-ciss-early-sysctl.sh](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl.sh) + Enforce early sysctls before services start.
* **Added**: [0042-ciss-post-decrypt-attest](../config/includes.chroot/usr/lib/live/boot/0042-ciss-post-decrypt-attest) + Late rootfs attestation and dmsetup health checking.
* **Added**: [MAN_CISS_ISO_BOOT_CHAIN.md](MAN_CISS_ISO_BOOT_CHAIN.md)
* **Added**: [lib_ciss_signatures.sh](../lib/lib_ciss_signatures.sh) + integrated dynamic GPG FPR injection.
* **Bugfixes**: [0021_dropbear_initramfs.chroot](../config/hooks/live/0021_dropbear_initramfs.chroot) + mv original files to a safe backup location.
* **Changed**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot) + securing ``/.ciss``, removing ``.keep``.
* **Changed**: [unlock_wrapper.sh](../config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh) + integrated dynamic GPG FPR injection.
* **Changed**: [9999_ciss_debian_live_builder.sh](../config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh) + ``dmsetup``.
* **Changed**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) + integrated dynamic GPG FPR injection.
* **Changed**: [lib_arg_parser.sh](../lib/lib_arg_parser.sh) + ``--signing_ca=*``.
* **Changed**: [lib_check_secrets.sh](../lib/lib_check_secrets.sh) + updated shopt handling.
* **Changed**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) + integrates and generates sha512sum and GPG signatures on CISS specific LIVE boot artifacts.
* **Changed**: [lib_gnupg.sh](../lib/lib_gnupg.sh) + integration of optional import of offline GPG CA public keys.
* **Changed**: [lib_primordial.sh](../lib/lib_primordial.sh) + Updates for CISS and PhysNet primordial-workflow™.
* **Changed**: [lib_usage.sh](../lib/lib_usage.sh) + ``--signing_ca=*``.
* **Changed**: [binary_checksums.sh](../scripts/usr/lib/live/build/binary_checksums.sh) + ``! -path './live/filesystem.squashfs'``
* **Changed**: [9999_cdi_starter.sh](../scripts/usr/local/sbin/9999_cdi_starter.sh) + increased verbosity.
## V8.13.404.2025.11.10
* **Added**: [0020_dropbear_build.chroot](../config/hooks/live/0020_dropbear_build.chroot)
* **Added**: [0021_dropbear_initramfs.chroot](../config/hooks/live/0021_dropbear_initramfs.chroot)
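Review bot: the `0042-ciss-post-decrypt-attest` entry describes attestation and health checking without mentioning that the script's `panic` calls are still commented out under `TODO: Remove debug mode`. Say in the entry that the check is log-only in this build, or enable enforcement before tagging the release, so that readers of the changelog do not assume a failed attestation stops the boot.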
@@ -22,14 +45,14 @@ include_toc: true
* **Added**: [0000_ciss_fixpath.sh](../config/includes.chroot/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh)
* **Added**: [dropbear](../config/includes.chroot/usr/share/initramfs-tools/scripts/init-premount/dropbear)
* **Added**: [MAN_SSH_Host_Key_Policy.md](MAN_SSH_Host_Key_Policy.md)
* **Added**: [zzzz_luks_squash.hook.binary](../config/hooks/live/zzzz_luks_squash.hook.binary) + Preparing squashfs LUKS encryption
* **Added**: [zzzz_luks_squash.hook.binary](../config/hooks/live/zzzz_ciss_crypt_squash.hook.binary) + Preparing squashfs LUKS encryption
* **Bugfixes**: [generate_PRIVATE_trixie_0.yaml](../.gitea/workflows/generate_PRIVATE_trixie_0.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
* **Bugfixes**: [generate_PRIVATE_trixie_1.yaml](../.gitea/workflows/generate_PRIVATE_trixie_1.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
* **Bugfixes**: [generate_PUBLIC_iso.yaml](../.gitea/workflows/generate_PUBLIC_iso.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
* **Bugfixes**: [linter_char_scripts.yaml](../.gitea/workflows/linter_char_scripts.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
* **Bugfixes**: [render-dnssec-status.yaml](../.gitea/workflows/render-dnssec-status.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
* **Bugfixes**: [render-dot-to-png.yaml](../.gitea/workflows/render-dot-to-png.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
* **Bugfixes**: [0030-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-verify-checksums)
* **Bugfixes**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums)
* **Changed**: [localoptions.h](../upgrades/dropbear/localoptions.h)
* **Changed**: [.shellcheckrc](../.shellcheckrc)
* **Changed**: [9940_hardening_memory.dump.chroot](../config/hooks/live/9940_hardening_memory.dump.chroot) + added: 9999-ciss-coredump-disable.conf
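Review bot: in the `zzzz_luks_squash.hook.binary` entry only the link target was changed to `zzzz_ciss_crypt_squash.hook.binary`; the link text still shows the old file name. Update the text as well so the entry names the file it links to.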
@@ -38,7 +61,7 @@ include_toc: true
* **Updated**: [AUDIT_LYNIS.md](AUDIT_LYNIS.md) + updated: Lynis Version 3.1.6
## V8.13.400.2025.11.08
* **Bugfixes**: [0030-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-verify-checksums) - GPG key handling
* **Bugfixes**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) - GPG key handling
* **Changed**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) - Unified naming scheme
* **Changed**: [lib_gnupg.sh](../lib/lib_gnupg.sh) - Unified naming scheme
* **Changed**: [binary_checksums.sh](../scripts/usr/lib/live/build/binary_checksums.sh) - Unified naming scheme, added verbosity output
@@ -55,16 +78,17 @@ include_toc: true
* **Bugfixes**: [lib_gnupg.sh](../lib/lib_gnupg.sh) + modified passphrase handling
## V8.13.384.2025.11.06
* **Global**: Debian bookworm support deprecated.
* **Global**: Changed ``shred -vfzu -n 5`` to ``shred -fzu -n 5``.
* **Global**: Live-hooks: ``apt-get`` commands safeguarded by ``export DEBIAN_FRONTEND="noninteractive" INITRD="No"``.
* **Added**: [marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc](../.pubkey/marc_s_weidner_msw%2Bdeploy%40coresecet.dev_0x2CCF4601_public.asc)
* **Added**: [0870_bashdb.chroot](../config/hooks/live/0870_bashdb.chroot) bashdb debugger https://github.com/Trepan-Debuggers/bashdb.git
* **Added**: [0030-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-verify-checksums) Unified handling via includes.chroot.
* **Added**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) Unified handling via includes.chroot.
* **Added**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) Updates for CISS and PhysNet primordial-workflow™.
* **Added**: [lib_ciss_upgrades_build.sh](../lib/lib_ciss_upgrades_build.sh) Updates for CISS and PhysNet primordial-workflow™.
* **Added**: [lib_gnupg.sh](../lib/lib_gnupg.sh) Updates for CISS and PhysNet primordial-workflow™.
* **Added**: [lib_primordial.sh](../lib/lib_primordial.sh) Updates for CISS and PhysNet primordial-workflow™.
* **Added**: [0030-verify-checksums](../scripts/usr/lib/live/boot/0030-verify-checksums) Unified handling via includes.chroot.
* **Added**: [0030-ciss-verify-checksums](../scripts/usr/lib/live/boot/0030-ciss-verify-checksums) Unified handling via includes.chroot.
* **Bugfixes**: [linter_char_scripts.yaml](../.gitea/workflows/linter_char_scripts.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-linter_char_scripts.yaml}"
* **Bugfixes**: [render-dnssec-status.yaml](../.gitea/workflows/render-dnssec-status.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dnssec-status.yaml}"
* **Bugfixes**: [render-dot-to-png.yaml](../.gitea/workflows/render-dot-to-png.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dot-to-png.yaml}"
@@ -100,9 +124,6 @@ include_toc: true
* **Changed**: [early.var.sh](../var/early.var.sh) Unified variable declaration.
* **Changed**: [global.var.sh](../var/global.var.sh) Unified variable declaration.
* **Changed**: [ciss_live_builder.sh](../ciss_live_builder.sh) Updated program workflow for deterministic environment creation.
* **Removed**: [0002_verify_checksums.chroot](../.archive/0002_verify_checksums.chroot) Unified handling via includes.chroot.
* **Removed**: [9998_sources_list_bookworm.chroot](../.archive/9998_sources_list_bookworm.chroot) Debian bookworm support deprecated.
* **Removed**: [lib_lb_config_write.sh](../.archive/lib_lb_config_write.sh) Debian bookworm support deprecated.
* **Updated**: [icon.lib](../.archive/icon.lib) + Emojis
## V8.13.298.2025.10.30
@@ -222,7 +243,6 @@ include_toc: true
* **Updated**: [lib_trap_on_exit.sh](../lib/lib_trap_on_exit.sh)
* **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999_cdi_starter.sh)
* **Updated**: [9980_usb_guard.chroot](../config/hooks/live/9980_usb_guard.chroot)
* **Updated**: [9998_sources_list_bookworm.chroot](../.archive/9998_sources_list_bookworm.chroot)
* **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot)
* **Updated**: [9999_interfaces_update.chroot](../config/hooks/live/9999_interfaces_update.chroot)
* **Updated**: [lib_cdi.sh](../lib/lib_cdi.sh) Unified Kernel bootparameter.
@@ -241,7 +261,7 @@ include_toc: true
* **Updated**: Debian 13 LIVE ISO workflows to use Kernel: ``6.12.48+deb13-amd64``
## V8.13.008.2025.08.22
* **Removed**: [0003_install_backports.chroot](../.archive/0003_install_backports.chroot)
* **Removed**: [0003_install_backports.chroot]
## V8.13.004.2025.08.21
* **Added**: [makefile](../makefile)

View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.404.2025.11.10<br>
**Build**: V8.13.408.2025.11.13<br>
# 2. Centurion Net - Developer Branch Overview

View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.404.2025.11.10<br>
**Build**: V8.13.408.2025.11.13<br>
# 2. Coding Style

View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.404.2025.11.10<br>
**Build**: V8.13.408.2025.11.13<br>
# 2. Contributing / participating

View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.404.2025.11.10<br>
**Build**: V8.13.408.2025.11.13<br>
# 2. Credits

View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.404.2025.11.10<br>
**Build**: V8.13.408.2025.11.13<br>
# 2. Download the latest PUBLIC CISS.debian.live.ISO

View File

@@ -8,14 +8,14 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.404.2025.11.10<br>
**Build**: V8.13.408.2025.11.13<br>
# 2.1. Usage
````text
CDLB(1) CISS.debian.live.builder CDLB(1)
CISS.debian.live.builder from https://git.coresecret.dev/msw
Master V8.13.404.2025.11.10
Master V8.13.408.2025.11.13
A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
(c) Marc S. Weidner, 2018 - 2025
@@ -111,10 +111,11 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
MUST be placed in:
</dev/shm/cdlb_secrets/password.txt>
--signing_key=* and --signing_key_fpr=*; if desired then additionally --signing_key_pass=*
--signing_key=* and --signing_key_fpr=*. Optional: --signing_key_pass=* --signing_ca=*
The GPG private keyring that should be used for signing artifacts such as checksum hashes and scripts is
specified via '--signing_key=*'. If the keyring is protected, then provide the passphrase in its own file.
Specify the fingerprint of the key to use via '--signing_key_fpr=*'.
Optionally import an offline GPG CA signing public key via: '--signing_ca=*'.
Change '*' to your desired files / fingerprint. Files MUST be placed in:
</dev/shm/cdlb_secrets>
@@ -145,7 +146,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
💷 Please consider donating to my work at:
🌐 https://coresecret.eu/spenden/
V8.13.404.2025.11.10 2025-11-06 CDLB(1)
V8.13.408.2025.11.13 2025-11-06 CDLB(1)
````
# 3. Booting

View File

@@ -0,0 +1,185 @@
---
gitea: none
include_toc: true
---
# 1. CISS.debian.live.builder
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.408.2025.11.13<br>
# 2. CISS.debian.live.builder Boot & Trust Chain (Technical Documentation)
**Status:** 2025-11-12
**Audience:** CICA CISO, CISS staff, technically proficient administrators
**Summary:** The CISS.debian Live-ISO establishes a two-stage verification chain without Microsoft-db: an early ISO-edge check (signature and FPR pin) *before* LUKS unlock, and a late root-FS attestation *after* unlock, reinforced by `dm-crypt (AES-XTS)` and `dm-integrity (HMAC-SHA-512)`.
# 3. Overview
* **Trust anchor:** Pinned fingerprint (FPR) of the signing key embedded at build time in initramfs hooks.
* **Integrity & authenticity verification:**
1. **Early:** Verify `sha512sum.txt` at the ISO edge using `gpgv` and FPR pin.
2. **Late:** Verify an attestation hash list inside the decrypted root FS using `gpgv` and FPR pin.
* **Storage-level AEAD (functional):** `dm-crypt` (AES-XTS-512) and `dm-integrity` (HMAC-SHA-512, 4 KiB).
* **Remotely unlock:** Hardened Dropbear (modern primitives only), no passwords, no agent/forwarding.
# 4. Primitives & Parameters (concise)
| Component | Primitive / Parameter | Purpose |
|--------------|-----------------------------------------------------------|-------------------------------------------------------|
| LUKS2 | `aes-xts-plain64`, `--key-size 512`, `--sector-size 4096` | Confidentiality (2×256-bit XTS) |
| dm-integrity | `hmac-sha512` (keyed), journal | Adversary-resistant per-sector integrity/authenticity |
| PBKDF | `argon2id`, `--iter-time 1000` ms | Key derivation, hardware-agnostic |
| Signatures | Ed25519, RSA-4096 (FPR pinned) | Public verifiability, non-repudiation |
| Verification | `gpgv --no-default-keyring` | No agent dependency in initramfs |
| Hash lists | `sha512sum` format | Deterministic content verification |
| Dropbear | Modern KEX/AEAD (per `localoptions.h`) | Minimal attack surface, remote unlock |
# 5. End-to-End Boot Flow
```mermaid
sequenceDiagram
autonumber
participant FW as UEFI/BIOS
participant GRUB as GRUB
participant K as Kernel
participant I as initramfs + live-boot
participant D as Dropbear (optional)
participant C25 as CISS 0025 (live-premount)
participant C30 as CISS 0030 (live-bottom, early)
participant LUKS as LUKS2 + dm-integrity
participant RS as RootFS (SquashFS/Overlay)
participant C45 as CISS 0045 (live-bottom, late)
FW->>GRUB: Load kernel + initramfs
GRUB->>K: Boot kernel
K->>I: Pivot to initramfs (live-boot phases)
I->>D: (optional) Start Dropbear (remote unlock)
I->>C25: Run 0025: LUKS open (dm-crypt+integrity), mount SquashFS
C25->>LUKS: Unlock (Argon2id PBKDF → XTS + HMAC)
I->>C30: Run 0030: Verify ISO edge (gpgv, FPR pin, optional self-hash)
C30-->>I: OK → continue; FAIL → abort
I->>RS: Assemble overlay, switch_root
I->>C45: Run 0045: Verify root fs (gpgv, FPR pin) + dmsetup health
C45-->>I: OK → handoff to userspace; FAIL → abort
```
# 6. LUKS/dm-integrity Layering
```mermaid
graph TD
A[Plain device (rootfs.crypt)] --> B[dm-integrity<br/>HMAC-SHA-512, 4 KiB]
B --> C[dm-crypt<br/>AES-XTS-512]
C --> D[Mapped device /dev/mapper/crypt_liveiso]
D --> E[SquashFS mount /run/live/rootfs]
```
**Note:** Encrypt-then-MAC at the block layer (functionally AEAD-equivalent). Any manipulation ⇒ hard I/O error.
# 7. Build-Time Core Step (LUKS)
```sh
cryptsetup luksFormat \
--batch-mode \
--cipher aes-xts-plain64 \
--integrity hmac-sha512 \
--iter-time 1000 \
--key-file "/proc/$$/fd/${KEYFD}" \
--key-size 512 \
--label crypt_liveiso \
--luks2-keyslots-size 16777216 \
--luks2-metadata-size 4194304 \
--pbkdf argon2id \
--sector-size 4096 \
--type luks2 \
--use-random \
--verbose \
"${LUKSFS}"
```
**Signing keys:** Ed25519 and RSA-4096; **FPR pinned at build time** in hooks. Signing keys are **additionally** signed by an offline GPG Root-CA (out-of-band trust chain).
# 8. Early ISO-Edge Verification (CISS modified hook 0030, live-bottom)
**Goal:** Before consuming any medium content, verify:
1. **Detached signature of `sha512sum.txt`** using `gpgv` against the embedded public key.
2. **FPR pinning:** Parse `VALIDSIG` and require exact match with the build-time pinned FPR.
3. **Optional:** *Script self-IA* hash the executed hook and compare against the signed list (drift/bitrot detector).
**Core call (initramfs):**
```sh
/usr/bin/gpgv --no-default-keyring --keyring "$KEYFILE" --status-fd 1 --verify sha512sum.txt.sig sha512sum.txt
# parse [GNUPG:] VALIDSIG ... <FPR> ...
```
# 9. Late Root-FS Attestation and dmsetup Health (CISS hook 0045, live-bottom)
**Goal:** After LUKS unlock, validate the **decrypted** contents and the **actual** mapping topology.
* **Attestation files:** `/.ciss/attest/rootfs.sha512[.sig]`
* **Key source:** `/etc/ciss/keys/*.gpg` (accepted only if FPR == build-pin)
* **Health check:** `dmsetup table --showkeys` → top `crypt` (AES-XTS), child `integrity` (HMAC-SHA-512, 4096 B)
**Core calls (initramfs):**
```sh
# 1) Signature and FPR pin (no agent)
/usr/bin/gpgv --no-default-keyring --keyring "$KEYFILE" --status-fd 1 --verify "$SIG" "$DATA"
# 2) Optional: Content hash verification
( cd "$ROOTMP" && /usr/bin/sha512sum -c --strict --quiet "$DATA" )
# 3) dmsetup health
dmsetup table --showkeys /dev/mapper/crypt_liveiso
dmsetup table --showkeys CHILD # expect integrity hmac sha512 4096
```
# 9. Failure Policy (fail-closed, deterministic)
* **Abort** on: missing `VALIDSIG`, FPR mismatch, missing key/signature, or a deviating `dmsetup` topology.
# 10. Dropbear (Hardened Remotely Unlock)
```text
• Public-key auth only, no passwords
• Modern KEX/AEAD (e.g., curve25519, sntrup761x25519-sha512, mlkem768x25519-sha256; AES-GCM)
• No agent/X11/TCP forwarding, no SFTP
• Strict timeouts/keep-alives, restricted cipher/KEX set
• Port 42137 (per CISS convention)
```
*Concrete selection compiled via your `localoptions.h` at ISO build time.*
# 11. Integration Points & Paths
* **Hooks (build view):** `/usr/lib/live/boot/0025-...`, `/usr/lib/live/boot/0030-...`, `/usr/lib/live/boot/0045-...`
* **Hooks (boot view):** `/scripts/live-premount/0025-...`, `/scripts/live-bottom/0030-...`, `/scripts/live-bottom/0045-...`
* **Key files:**
* ISO edge (for 0030): embedded public key blob (project-specific name)
* Root FS (for 0045): `/etc/ciss/keys/*.gpg`
* **Mounts (typical):** `/run/live/rootfs`, `/run/live/overlay`
# 12. Diagram: Trust Chain & Verification Paths
```mermaid
flowchart TD
A[Build time<br/>pin EXP_FPR + embed ISO key] --> B[ISO artifacts<br/>sha512sum.txt + .sig]
B --> C[Boot early (0030)<br/>gpgv verify + FPR pin]
C -->|OK| D[LUKS open (0025)]
D --> E[Mount RootFS]
E --> F[Boot late (0045)<br/>gpgv verify + FPR pin (root key)]
F --> G[dmsetup health<br/>crypt(XTS) over integrity(HMAC-SHA512)]
C -- FAIL --> X[Abort]
F -- FAIL --> X
G -- FAIL --> X
```
# 13. Closing Remark
This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection against medium tampering, bitrot and active attacks **both before and after decryption**. The dual verification phases plus `dmsetup` health make the state transparent and deterministic.
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
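Review bot: The boot order is described inconsistently in this new document: the summary and the section 12 flowchart place the 0030 ISO-edge check before LUKS open (0025), but the section 5 sequence diagram runs 0025 first, and 0030 is listed as a `live-bottom` script while 0025 is `live-premount`. Please settle on the order the hooks actually run in and align the summary, both diagrams and the section 8 heading with it. Related points: the late hook is called 0045 with attestation files under `/.ciss/attest/` here, while `ciss_signatures()` in this commit targets `0042-ciss-post-decrypt-attest` and `ciss_upgrades_boot()` uses `/.ciss/attestation/`; section number 9 is used twice; and the health check calls `dmsetup table --showkeys`, which prints the key material, where plain `dmsetup table` is enough to confirm the crypt-over-integrity topology.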

View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.404.2025.11.10<br>
**Build**: V8.13.408.2025.11.13<br>
# 2. SSH Host Key Policy CISS.debian.live.builder / CISS.debian.installer

View File

@@ -8,7 +8,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.404.2025.11.10<br>
**Build**: V8.13.408.2025.11.13<br>
# 2. Resources

View File

@@ -433,6 +433,12 @@ arg_parser() {
shift 2
;;
--signing_ca=*)
# shellcheck disable=SC2034
declare -gx VAR_SIGNING_CA="${1#*=}"
shift 1
;;
--signing_key=*)
# shellcheck disable=SC2034
declare -gx VAR_SIGNER="true"
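Review bot: `--signing_ca=*` stores `${1#*=}` in `VAR_SIGNING_CA` without any validation, and `init_gnupg()` later uses that value as a path component under `${VAR_TMP_SECRET}/` for `gpg --import` and `shred`. Reject an empty value and anything containing `/` at this point so the option can only name a file inside the secrets directory.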

View File

@@ -44,7 +44,7 @@ cdi() {
tmp_entry="$(mktemp)"
cat << EOF >| "${tmp_entry}"
menuentry "CISS Hardened DI (${VAR_KERNEL})" --hotkey=i {
linux /live/vmlinuz-${VAR_KERNEL} boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path}
linux /live/vmlinuz-${VAR_KERNEL} boot=live ciss_iso_label=CISS.debian.live ciss_crypt_path=/live/ciss_rootfs.crypt components ip=dhcp keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none findiso=\${iso_path}
initrd /live/initrd.img-${VAR_KERNEL}
}
EOF
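Review bot: The `linux` line in this menuentry is a second hand-maintained copy of the `--bootappend-live` string in `lb_config_write_trixie()`, and this commit had to add `ciss_iso_label=`, `ciss_crypt_path=` and `ip=dhcp` in both places. Build both from one shared variable so the boot menu entry and the ISO default command line cannot drift apart.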

View File

@@ -25,6 +25,12 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
x_remove() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
declare _old_nullglob="" _old_dotglob=""
### Enable nullglob/dotglob, disable failglob for safe globbing.
_old_nullglob="$(shopt -p nullglob || true)"
_old_dotglob="$( shopt -p dotglob || true)"
shopt -s nullglob dotglob
if [[ "${VAR_SIGNER}" == "true" ]]; then
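Review bot: The comment on the new block says failglob is disabled, but only `shopt -s nullglob dotglob` is executed and no failglob state is saved. Either add `shopt -u failglob` together with a saved `_old_failglob` that is restored at the end of the function, or drop failglob from the comment.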
@@ -45,7 +51,8 @@ x_remove() {
fi
shopt -u nullglob dotglob
eval "${_old_nullglob}" 2>/dev/null || true
eval "${_old_dotglob}" 2>/dev/null || true
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"

View File

@@ -0,0 +1,68 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing || return "${ERR_GUARD_SRCE}"
#######################################
# MUST be executed before 'ciss_upgrades_boot()'.
# Module to export GPG FPRs into scripts:
# - /etc/initramfs-tools/files/unlock_wrapper.sh
# - /usr/lib/live/boot/0030-ciss-verify-checksums
# - /usr/lib/live/boot/0042-ciss-post-decrypt-attest
# Globals:
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
# VAR_SIGNING_CA
# VAR_SIGNING_CA_FPR
# VAR_SIGNING_KEY_FPR
# Arguments:
# None
# Returns:
# 0: on success
#######################################
ciss_signatures() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
declare -ar _ary_target=(
"/etc/initramfs-tools/files/unlock_wrapper.sh"
"/usr/lib/live/boot/0030-ciss-verify-checksums"
"/usr/lib/live/boot/0042-ciss-post-decrypt-attest"
)
declare _target="" target=""
for _target in "${_ary_target[@]}"; do
declare target="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/${_target}"
sed -i -e "s|@EXP_FPR@|${VAR_SIGNING_KEY_FPR}|g" "${target}"
if [[ -n "${VAR_SIGNING_CA}" ]]; then
sed -i -e "s|@EXP_CA_FPR@|${VAR_SIGNING_CA_FPR}|g" "${target}"
else
sed -i -e '/@EXP_CA_FPR@/d' "${target}"
fi
done
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f ciss_signatures
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
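Review bot: `VAR_SIGNING_KEY_FPR` and `VAR_SIGNING_CA_FPR` are written into the boot scripts by `sed` without checking that they are non-empty, well-formed fingerprints, and nothing confirms afterwards that `@EXP_FPR@` was actually replaced in each target. Since this value is the pinned trust anchor, validate it before the loop (for a v4 key, 40 hex digits, e.g. `[[ "${VAR_SIGNING_KEY_FPR}" =~ ^[0-9A-Fa-f]{40}$ ]]`), fail if a target file is missing, and check for leftover `@EXP_` placeholders before `return 0`. Note also that `sed -i -e '/@EXP_CA_FPR@/d'` deletes every line carrying the placeholder, so in the 0030 hook `CDLB_EXP_CA_FPR` ends up unset rather than empty, and the consumers have to handle that case.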

View File

@@ -1,6 +1,6 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-06; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -13,7 +13,10 @@
guard_sourcing || return "${ERR_GUARD_SRCE}"
#######################################
# Integrates primordial SSH identity- and / or ssh_host-files.
# Integrates and generates sha512sum and GPG signatures on CISS specific LIVE boot artifacts:
# - /.ciss/attestation/VAR_SIGNING_KEY_FPR.*
# - /etc/initramfs-tools/files/unlock_wrapper.sh
# - /usr/lib/live/boot/0030-ciss-verify-checksums
# Globals:
# BASH_SOURCE
# VAR_HANDLER_BUILD_DIR
@@ -28,25 +31,30 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
ciss_upgrades_boot() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
### Updates '/usr/lib/live/boot/0030-verify-checksums'.
if [[ ! -f "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums" ]]; then
declare -ar _ary_target=(
"/.ciss/attestation/${VAR_SIGNING_KEY_FPR}.gpg"
"/etc/initramfs-tools/files/unlock_wrapper.sh"
"/usr/lib/live/boot/0030-ciss-verify-checksums"
)
install -d -m 0755 -o root -g root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot"
declare _target="" target=""
install -m 0755 -o root -g root "${VAR_WORKDIR}/scripts/usr/lib/live/boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
for _target in "${_ary_target[@]}"; do
fi
declare target="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/${_target}"
declare var_sha="${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.sha512sum.txt"
declare var_sig="${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.sha512sum.txt.sig"
declare var_fil="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums"
declare var_prefix="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot"
declare var_sha="${target}sha512sum.txt"
declare var_sig="${var_sig}.sig"
declare var_fil="${target}"
declare var_prefix="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot"
# shellcheck disable=SC2312
sha512sum "${var_fil}" | sed "s|${var_prefix}||" >| "${var_sha}"
# shellcheck disable=SC2312
sha512sum "${var_fil}" | sed "s|${var_prefix}||" >| "${var_sha}"
gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
--detach-sign --output "${var_sig}" "${var_sha}"
gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
--detach-sign --output "${var_sig}" "${var_sha}"
done
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
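Review bot: In the new loop, `declare var_sig="${var_sig}.sig"` expands the variable being declared, so the signature path is `.sig` on the first pass (and gains another `.sig` on each later pass if the value persists) instead of following `var_sha`; it should be `var_sig="${var_sha}.sig"`. `var_sha="${target}sha512sum.txt"` is also missing the `.` separator of the previous `*.sha512sum.txt` names, which gives for example `unlock_wrapper.shsha512sum.txt`. The first target, `/.ciss/attestation/${VAR_SIGNING_KEY_FPR}.gpg`, is not created anywhere in this hunk, so confirm it exists before `sha512sum` runs on it.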

View File

@@ -21,6 +21,8 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
# VAR_EARLY_DEBUG
# VAR_HANDLER_BUILD_DIR
# VAR_SIGNER
# VAR_SIGNING_CA
# VAR_SIGNING_CA_FPR
# VAR_SIGNING_KEY
# VAR_SIGNING_KEY_FPR
# VAR_SIGNING_KEY_PASS
@@ -43,7 +45,7 @@ init_gnupg() {
umask 0077
### Avoid collision with Gitea runner workflows.
if [[ ! "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then
if [[ "${VAR_CDLB_INSIDE_RUNNER}" != "true" ]]; then
printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔐 VAR_CDLB_INSIDE_RUNNER: [%s] \e[0m\n" "${VAR_CDLB_INSIDE_RUNNER}"
@@ -92,14 +94,34 @@ EOF
fi
### Optionally, import offline GPG CA public keys.
if [[ -n "${VAR_SIGNING_CA}" ]]; then
# shellcheck disable=SC2155
declare -gx VAR_SIGNING_CA_FPR="$(
gpg --batch --with-colons --import-options show-only --import "${VAR_TMP_SECRET}/${VAR_SIGNING_CA}" \
| awk -F: '$1=="pub"{seen_pub=1; next} seen_pub && $1=="fpr"{print $10; exit}'
)"
if ! gpg --batch --import "${VAR_TMP_SECRET}/${VAR_SIGNING_CA}"; then
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed to import CA public key. \e[0m\n"
return "${ERR_GPG__AGENT}"
fi
fi
shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY}"
shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_SIGNING_CA}"
### Export public key for verification inside ISO / chroot.
install -d -m 0755 -o root -g root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys"
install -d -m 0755 -o root -g root "${VAR_HANDLER_BUILD_DIR}/config/includes.binary"
gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/${VAR_SIGNING_KEY_FPR}.gpg"
gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/unlock_wrapper_pubring.gpg"
gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.gpg"
gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/${VAR_SIGNING_KEY_FPR}.gpg"
[[ -n "${VAR_SIGNING_CA}" ]] && gpg --batch --yes --export "${VAR_SIGNING_CA_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/${VAR_SIGNING_CA_FPR}.gpg"
[[ -n "${VAR_SIGNING_CA}" ]] && gpg --batch --yes --export "${VAR_SIGNING_CA_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/${VAR_SIGNING_CA_FPR}.gpg"
umask "${__umask}"
__umask=""
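Review bot: `shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_SIGNING_CA}"` runs unconditionally, so when `--signing_ca` is not given the argument collapses to the secrets directory itself and `shred` fails on it. Guard it with the same `[[ -n "${VAR_SIGNING_CA}" ]]` test used for the import. Inside that import block, `VAR_SIGNING_CA_FPR` is derived from whatever file is supplied and is never checked for being empty, yet it is later used in `gpg --export` and in the output file names; stop with an error when the `awk` extraction returns nothing.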

View File

@@ -45,7 +45,7 @@ lb_config_write_trixie() {
--binary-filesystem fat32 \
--binary-image iso-hybrid \
--bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Etc/UTC splash audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \
--bootappend-live "boot=live components keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
--bootappend-live "boot=live ciss_iso_label=CISS.debian.live ciss_crypt_path=/live/ciss_rootfs.crypt components ip=dhcp keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= locales=en_US.UTF-8 noautologin nottyautologin nox11autologin noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Etc/UTC toram verify-checksums=sha512,sha384 verify-checksums-signatures apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu.passthrough=0 iommu.strict=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=integrity loglevel=0 mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none" \
--bootloaders grub-efi \
--cache true \
--checksums sha512 sha384 sha256 \
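Review bot: `ip=dhcp` is now part of `--bootappend-live` unconditionally, which requests network configuration in the initramfs on every live boot, while the boot documentation added in this commit describes Dropbear remote unlock as optional. Add `ip=dhcp` only when the remote-unlock integration is enabled, or document why it is always required.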

View File

@@ -13,7 +13,7 @@
guard_sourcing || return "${ERR_GUARD_SRCE}"
#######################################
# Integrate primordial SSH identity files.
# Integrates CISS dropbear and SOPS Age Key and CISS and PhysNet primordial SSH identity files.
# Globals:
# BASH_SOURCE
# VAR_AGE
@@ -30,8 +30,8 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
init_primordial() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
### Prepare CISS dropbear integration ----------------------------------------------------------------------------------------
declare var_dropbear_version="2025.88"
declare var_unlock_wrapper="${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh"
install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/initramfs-tools/files"
install -d -m 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/build"
@@ -44,15 +44,6 @@ init_primordial() {
install -m 0444 "${VAR_WORKDIR}/config/includes.chroot/usr/share/initramfs-tools/scripts/init-premount/dropbear" \
"${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/root/dropbear.file"
# shellcheck disable=SC2312
sha512sum "${VAR_WORKDIR}/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh" | awk '{print $1}' \
>| "${var_unlock_wrapper}.sha512sum.txt"
gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
--detach-sign --output "${var_unlock_wrapper}.sha512sum.txt.sig" "${var_unlock_wrapper}.sha512sum.txt"
gpgv --keyring "${VAR_VERIFY_KEYRING}" "${var_unlock_wrapper}.sha512sum.txt.sig" "${var_unlock_wrapper}.sha512sum.txt"
### Check for SOPS AGE key integration ---------------------------------------------------------------------------------------
if [[ "${VAR_AGE,,}" == "true" ]]; then

View File

@@ -39,13 +39,13 @@ usage() {
# shellcheck disable=SC2155
declare var_header=$(center "CDLB(1) CISS.debian.live.builder CDLB(1)" "${var_cols}")
# shellcheck disable=SC2155
declare var_footer=$(center "V8.13.404.2025.11.10 2025-11-06 CDLB(1)" "${var_cols}")
declare var_footer=$(center "V8.13.408.2025.11.13 2025-11-06 CDLB(1)" "${var_cols}")
{
echo -e "\e[1;97m${var_header}\e[0m"
echo
echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
echo -e "\e[92mMaster V8.13.404.2025.11.10\e[0m"
echo -e "\e[92mMaster V8.13.408.2025.11.13\e[0m"
echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
echo
echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2025 \e[0m"
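Review bot: The footer string bumps the build to V8.13.408.2025.11.13 but keeps the date `2025-11-06`, and the same stale date is carried into the usage text in the documentation. Update the date together with the version, or derive both from one variable so they cannot diverge.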
@@ -141,10 +141,11 @@ usage() {
echo " MUST be placed in:"
echo " </dev/shm/cdlb_secrets/password.txt>"
echo
echo -e "\e[97m --signing_key=* and --signing_key_fpr=*; if desired then additionally --signing_key_pass=* \e[0m"
echo -e "\e[97m --signing_key=* and --signing_key_fpr=*. Optional: --signing_key_pass=* --signing_ca=* \e[0m"
echo " The GPG private keyring that should be used for signing artifacts such as checksum hashes and scripts is"
echo " specified via '--signing_key=*'. If the keyring is protected, then provide the passphrase in its own file."
echo " Specify the fingerprint of the key to use via '--signing_key_fpr=*'."
echo " Optionally import an offline GPG CA signing public key via: '--signing_ca=*'."
echo " Change '*' to your desired files / fingerprint. Files MUST be placed in:"
echo " </dev/shm/cdlb_secrets>"
echo

View File

@@ -4,7 +4,7 @@
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-28; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -15,7 +15,7 @@
# SPDX-Security-Contact: security@coresecret.eu
### Modified Version of the original file:
### https://salsa.debian.org/live-team/live-boot 'components/0030-verify-checksums'
### https://salsa.debian.org/live-team/live-boot 'components/0030-ciss-verify-checksums'
### In case of successful verification of the offered checksum, proceed with booting; otherwise panic.
#######################################
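Review bot: The upstream reference now reads `'components/0030-ciss-verify-checksums'`, but this comment names the original live-boot file the hook was derived from, and only the CISS copy was renamed. Keep `components/0030-verify-checksums` in the attribution so the pointer to upstream stays resolvable.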
@@ -29,7 +29,11 @@
# 0 : Successful verification
#######################################
Verify_checksums() {
printf "\e[95m[INFO] CDLB modified: [/usr/lib/live/boot/0030-verify-checksums] ... \n\e[0m"
printf "\e[95m[INFO] CDLB modified: [/usr/lib/live/boot/0030-ciss-verify-checksums] ... \n\e[0m"
### Will be replaced at build time:
export CDLB_EXP_FPR="@EXP_FPR@"
export CDLB_EXP_CA_FPR="@EXP_CA_FPR@"
### Declare variables --------------------------------------------------------------------------------------------------------
_MOUNTPOINT="${1}"
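Review bot: Nothing after 'export CDLB_EXP_FPR="@EXP_FPR@"' checks that the build-time replacement actually happened. If the substitution step is skipped, the literal placeholder is used as the key file name and as the expected fingerprint, and the failure surfaces only later as a fingerprint mismatch. Suggest a check directly after the two exports that panics with a clear message when either value is empty, still contains '@', or is not a plain hexadecimal fingerprint.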
@@ -71,19 +75,6 @@ Verify_checksums() {
done
### Check GPG pubkey file correct path ---------------------------------------------------------------------------------------
for _MP in /lib/live/mount/medium /run/live/medium /cdrom /; do
if [ -e "${_MP}/0030-verify-checksums.gpg" ]; then
_KEYFILE="${_MP}/0030-verify-checksums.gpg"
break
fi
done
### Check if the function should be skipped ----------------------------------------------------------------------------------
case "${LIVE_VERIFY_CHECKSUMS}" in
@@ -97,13 +88,33 @@ Verify_checksums() {
esac
### Check GPG pubkey file correct path ---------------------------------------------------------------------------------------
for _MP in /lib/live/mount/medium /run/live/medium /cdrom /; do
if [ -e "${_MP}/${CDLB_EXP_FPR}.gpg" ]; then
_KEYFILE="${_MP}/${CDLB_EXP_FPR}.gpg"
if [ -e "${_MP}/${CDLB_EXP_FPR}.gpg" ]; then
_CA_KEYFILE="${_MP}/${CDLB_EXP_CA_FPR}.gpg"
fi
break
fi
done
# shellcheck disable=SC2164
cd "${_MOUNTPOINT}"
### CDLB verification of script integrity itself -----------------------------------------------------------------------------
if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
log_begin_msg "Verifying integrity of: [0030-verify-checksums]"
log_begin_msg "Verifying integrity of: [0030-ciss-verify-checksums]"
printf "\n"
_CAND=""
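Review bot: The inner test in the key lookup loop repeats the outer one: it checks '${_MP}/${CDLB_EXP_FPR}.gpg' a second time and then sets _CA_KEYFILE to '${_MP}/${CDLB_EXP_CA_FPR}.gpg' without checking that this file exists. The inner condition should test the CA file, i.e. [ -e "${_MP}/${CDLB_EXP_CA_FPR}.gpg" ], so that _CA_KEYFILE is set only when the CA key is present. In the lines shown, nothing handles the case that no mount point holds the key, which would leave _KEYFILE unset for the gpgv calls that follow.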
@@ -112,7 +123,7 @@ Verify_checksums() {
CDLB_CMD="/usr/bin/sha512sum"
CDLB_SHA="sha512"
for _CAND in /scripts/live-bottom/0030-verify-checksums /usr/lib/live/boot/0030-verify-checksums; do
for _CAND in /scripts/live-bottom/0030-ciss-verify-checksums /usr/lib/live/boot/0030-ciss-verify-checksums; do
[ -e "${_CAND}" ] && { CDLB_SCRIPT_SELF="${_CAND}"; break; }
@@ -124,9 +135,25 @@ Verify_checksums() {
CDLB_HASHFILE="${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt"
CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
_STATUS="$(/usr/bin/gpgv --no-default-keyring --keyring "${_KEYFILE}" --status-fd 1 --verify "${CDLB_SIG_FILE}" "${CDLB_SCRIPT_FULL}" 2>/dev/null)"
printf "\e[95m[INFO] Verifying integrity of: [%s] ... \n\e[0m" "${CDLB_SCRIPT_FULL}"
_CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"
### Compare against pinned and expected fingerprint.
if [ "${_CDLB_SIG_FILE_FPR}" = "${CDLB_EXP_FPR}" ]; then
printf "\e[92m[INFO] Signer fingerprint match: got [%s] expected: [%s] \n\e[0m" "${_CDLB_SIG_FILE_FPR}" "${CDLB_EXP_FPR}"
else
printf "\e[91m[FATAL] Signer fingerprint mismatch: got [%s] expected: [%s] \n\e[0m" "${_CDLB_SIG_FILE_FPR}" "${CDLB_EXP_FPR}"
sleep 16
panic "[FATAL] Signer fingerprint mismatch: got [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
fi
### Script self-integrity and authenticity checks --------------------------------------------------------------------------
### Assumption: initramfs itself is not altered.
printf "\e[95m[INFO] Verifying signature of: [%s] ... \n\e[0m" "${CDLB_SIG_FILE}"
if ! /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
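Review bot: The '_STATUS=' call checks ${CDLB_SIG_FILE} against ${CDLB_SCRIPT_FULL}, but CDLB_SIG_FILE is defined as '${CDLB_HASHFILE}.sig' and the gpgv call at the end of the hunk verifies it against ${CDLB_HASHFILE}. A detached signature can be valid for only one of the two files, so unless CDLB_SCRIPT_FULL is the hash file, this call yields no VALIDSIG line and the fingerprint comparison panics with an empty 'got' value. Because stderr goes to /dev/null and the exit status is not checked, a gpgv error looks the same as a wrong signer; the call also passes --no-default-keyring and --verify, which the second gpgv call does not use, so please confirm that gpgv accepts them. Finally, field 3 of VALIDSIG is the fingerprint of the key that made the signature; if artifacts are signed with a subkey, CDLB_EXP_FPR must pin that subkey, or the comparison should use the primary key fingerprint in the last field of the line.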

View File

@@ -1,9 +1,10 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck disable=SC2249
# shellcheck shell=sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-26; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2006-2015 Daniel Baumann <mail@daniel-baumann.ch>
@@ -85,6 +86,7 @@ for CHECKSUM in ${LB_CHECKSUMS}; do
\! -path './isolinux/isolinux.bin' \
\! -path './boot/boot.bin' \
\! -path './boot/grub/stage2_eltorito' \
\! -path './live/filesystem.squashfs' \
\! -path './*SUMS' \
\! -path './*sum.txt' \
\! -path './*sum.README' \
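Review bot: With './live/filesystem.squashfs' on the exclusion list, the root filesystem image gets no entry in the generated checksum files, so the checksum verification at boot no longer covers the largest part of the medium. If another mechanism verifies the squashfs, add a comment next to the exclusion that names it; otherwise the exclusion should be dropped.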

View File

@@ -1,5 +1,6 @@
#!/bin/sh
# bashsupport disable=BP5007
# shellcheck disable=SC2249
# shellcheck shell=sh
# SPDX-Version: 3.0

View File

@@ -17,8 +17,8 @@ declare -grx VAR_SEMAPHORE="/root/cdi.ciss" # Semaphore to appear.
declare -girx VAR_TIMEOUT=3600 # Semaphore timer in seconds.
install -d -m 0755 /run/lock
exec 9> /run/lock/9999-cdi-starter.lock
flock -n 9 || { echo "9999-cdi-starter already running. Exiting."; exit 0; }
exec 9> /run/lock/9999_cdi_starter.lock
flock -n 9 || { echo "9999_cdi_starter already running. Exiting."; exit 0; }
#######################################
# Call into the CISS.debian.installer once the semaphore file is present.
@@ -44,6 +44,7 @@ cdi() {
if [[ "${rc}" -eq 0 ]]; then
### In autoinstall mode this command should never be reached due to the reboot command inside ciss_debian_installer.sh.
logger -t cdi-watcher "cdi(): ciss_debian_installer.sh completed SUCCESSFULLY [${rc}]."
exit 0
@@ -71,7 +72,7 @@ net_wait() {
### Declare Arrays, HashMaps, and Variables.
declare -i i=1
for i in {1..30}; do
for i in {1..60}; do
getent hosts git.coresecret.dev >/dev/null && break
sleep 1
@@ -126,16 +127,18 @@ main() {
# shellcheck disable=SC2312
exec > >(tee -a "${var_log}") 2>&1
printf "CISS.debian.installer Master V8.13.404.2025.11.10 is up! \n" >> "${var_log}"
printf "CISS.debian.installer Master V8.13.408.2025.11.13 is up! \n" >> "${var_log}"
### Sleep a moment to settle boot artifacts.
sleep 8
### Harden Kernel parameters.
printf "Command: [sysp] to be executed ... \n" >> "${var_log}"
sysp
printf "Command: [sysp] executed.\n" >> "${var_log}"
### Wait for network connectivity.
printf "Command: [net_wait] to be executed ... \n" >> "${var_log}"
net_wait
printf "Command: [net_wait] executed.\n" >> "${var_log}"
@@ -148,7 +151,6 @@ main() {
git clone "${var_repo_url}" "${var_repo_dir}"
chmod 0700 "${var_repo_dir}/ciss_debian_installer.sh"
cd "${var_repo_dir}"
printf "Command: [git clone %s %s] executed.\n" "${var_repo_url}" "${var_repo_dir}" >> "${var_log}"
### Poll up to VAR_TIMEOUT seconds for the semaphore to appear and be mode 0600.
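Review bot: After 'git clone "${var_repo_url}" "${var_repo_dir}"' the checkout is used as is: ciss_debian_installer.sh gets mode 0700 and the working directory changes into the clone, with no check of which commit was fetched. Since this commit adds fingerprint pinning for the boot script, the installer checkout deserves the same treatment, for example checking out a pinned commit or verifying a signed tag before the script is made executable.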
@@ -181,7 +183,7 @@ main() {
### Timeout reached without acceptable semaphore.
logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
printf "CISS.debian.installer Master V8.13.404.2025.11.10: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
printf "CISS.debian.installer Master V8.13.408.2025.11.13: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
exit 0
}
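Review bot: The version string 'Master V8.13.408.2025.11.13' is written out literally in this printf and again in the start-up message of main(), so every release has to touch both lines. Define it once in a readonly variable next to VAR_SEMAPHORE and VAR_TIMEOUT and reference it in both messages.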

View File

@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
declare -grx VAR_HOST="$(uname -n)"
declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
declare -grx VAR_SYSTEM="$(uname -mnosv)"
declare -grx VAR_VERSION="Master V8.13.404.2025.11.10"
declare -grx VAR_VERSION="Master V8.13.408.2025.11.13"
declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
# Print $4 and $5; include $6 only if it exists
out = $4

View File

@@ -54,6 +54,8 @@ declare -gx VAR_AGE_KEY=""
declare -gx VAR_LUKS="false"
declare -gx VAR_LUKS_KEY=""
declare -gx VAR_SIGNER="false"
declare -gx VAR_SIGNING_CA=""
declare -gx VAR_SIGNING_CA_FPR=""
declare -gx VAR_SIGNING_KEY_FPR=""
declare -gx VAR_SIGNING_KEY_PASS=""
declare -gx VAR_SIGNING_KEY_PASSFILE=""