#!/bin/bash # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024โ€“2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu ####################################### # Wrapper to write a new 'lb config' environment. # Globals: # VAR_HANDLER_ISO_COUNTER # VAR_ARCHITECTURE # VAR_HANDLER_BUILD_DIR # VAR_KERNEL # VAR_WORKDIR # VAR_VERSION # Arguments: # None ####################################### ####################################### # description # Globals: # Arguments: # None ####################################### lb_config_write() { printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ๐Ÿงช Writing new config ... \e[0m\n" lb config \ --apt apt \ --apt-indices true \ --apt-recommends true \ --apt-secure true \ --apt-source-archives true \ --architecture "${VAR_ARCHITECTURE}" \ --archive-areas main contrib non-free non-free-firmware \ --backports true \ --binary-filesystem fat32 \ --binary-image iso-hybrid \ --bootappend-install "auto=true priority=critical clock-setup/utc=true console-setup/ask_detect=false debian-installer/country=US debian-installer/language=en debian-installer/locale=en_US.UTF-8 keyboard-configuration/xkb-keymap=de keyboard-configuration/model=pc105 localechooser/supported-locales=en_US.UTF-8 time/zone=Europe/Lisbon splash audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \ --bootappend-live "boot=live verify-checksums components nocomponents=cdi-starter locales=en_US.UTF-8 keyboard-layouts=de keyboard-model=pc105 keyboard-options= keyboard-variants= noeject nopersistence ramdisk-size=1024M splash swap=true timezone=Europe/Lisbon toram audit_backlog_limit=8192 audit=1 cfi=kcfi debugfs=off efi=disable_early_pci_dma efi_no_storage_paranoia hardened_usercopy=1 ia32_emulation=0 init_on_alloc=1 init_on_free=1 iommu=force kfence.sample_interval=100 kvm.nx_huge_pages=force l1d_flush=on lockdown=confidentiality loglevel=0 mce=0 mitigations=auto,nosmt mmio_stale_data=full,nosmt oops=panic page_alloc.shuffle=1 page_poison=1 panic=-1 pti=on random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on randomize_va_space=2 retbleed=auto,nosmt rodata=on tsx=off vdso32=0 vsyscall=none" \ --bootloaders grub-efi \ --cache true \ --checksums sha512 sha256 md5 \ --chroot-filesystem squashfs \ --chroot-squashfs-compression-level 22 \ --chroot-squashfs-compression-type zstd \ --color \ --compression bzip2 \ --debconf-frontend noninteractive \ --debconf-priority critical \ --debian-installer cdrom \ --debian-installer-distribution bookworm \ --debian-installer-gui true \ --debian-installer-preseedfile "preseed.cfg" \ --debug \ --distribution bookworm \ --distribution-binary bookworm \ --distribution-chroot bookworm \ --firmware-binary true \ --firmware-chroot true \ --hdd-label "CENTURIONLIVE" \ --image-name "ciss-debian-live-${VAR_HANDLER_ISO_COUNTER}" \ --initramfs "live-boot" \ --initramfs-compression gzip \ --initsystem systemd \ --iso-application "CISS.debian.live.builder: ${VAR_VERSION} - Debian-Live-Build: 20230502 - Debian-Installer: bookworm" \ --iso-preparer '(C) 2018-2025, Centurion Intelligence Consulting Agency (TM), Lisboa, Portugal' \ --iso-publisher '(P) 2018-2025, Centurion Press (TM) - powered by https://coresecret.eu/ - contact@coresecret.eu' \ --iso-volume 'CISS.debian.live' \ --linux-flavours "${VAR_KERNEL}" \ --linux-packages linux-image \ --loadlin true \ --memtest memtest86+ \ --mirror-binary 'https://deb/debian.org/debian/' \ --mirror-binary-security 'https://security.debian.org/' \ --mirror-bootstrap 'https://deb.debian.org/debian/' \ --mirror-chroot 'https://deb.debian.org/debian/' \ --mirror-chroot-security 'https://security.debian.org/' \ --mirror-debian-installer 'https://deb.debian.org/debian/' \ --mode debian \ --packages 'gpgv,ca-certificates' \ --parent-archive-areas main contrib non-free non-free-firmware \ --parent-debian-installer-distribution bookworm \ --parent-distribution bookworm \ --parent-distribution-binary bookworm \ --parent-distribution-chroot bookworm \ --parent-mirror-binary 'https://deb.debian.org/debian/' \ --parent-mirror-binary-security 'https://security.debian.org/' \ --parent-mirror-bootstrap 'https://deb.debian.org/debian/' \ --parent-mirror-chroot 'https://deb.debian.org/debian/' \ --parent-mirror-chroot-security 'https://security.debian.org/' \ --parent-mirror-debian-installer 'https://deb.debian.org/debian/' \ --security true \ --system live \ --source false \ --source-images tar \ --uefi-secure-boot auto \ --updates true \ --utc-time true \ --verbose sleep 1 sed -i 's/LB_CHECKSUMS="sha512 md5"/LB_CHECKSUMS="sha512 sha384 sha256"/1' ./config/binary sed -i 's/LB_DM_VERITY=""/LB_DM_VERITY="false"/1' ./config/binary mkdir -p "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/usr/lib/live/boot cp -a "${VAR_WORKDIR}/scripts/live-boot/0030-verify-checksums" "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums" chmod 0755 "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums" chown root:root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/usr/lib/live/boot/0030-verify-checksums" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ โœ… Writing new config done.\e[0m\n" } # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh