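#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

### Purpose: install CPU microcode, write the initramfs-tools configuration (module list, update policy, mkinitramfs
### options, one hook that copies extra tools) and regenerate every initramfs.
### Note: 'set -C' (noclobber) is active, so every file below is written with '>|' to replace it deliberately.

set -Ceuo pipefail

printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

#######################################
# Get all NIC drivers of the current Host machine.
# Globals:
#   None
# Arguments:
#   None
# Outputs:
#   One line on stdout holding the detected driver names, separated by spaces (an empty line if none was found).
# Returns:
#   0: on success
#######################################
grep_nic_driver_modules() {
  local -a _mods=()

  ### Gather all Driver and sort unique.
  ### '-A2' keeps only the two lines after each Ethernet device line, so a 'Kernel driver in use' line printed further
  ### down is not seen. A failure inside the process substitution (e.g. no 'lspci') is not propagated by 'set -e' or
  ### 'pipefail'; the array simply stays empty.
  # shellcheck disable=SC2312
  readarray -t _mods < <(
    lspci -k \
      | grep -A2 -i ethernet \
      | grep 'Kernel driver in use' \
      | awk '{print $5}' \
      | sort -u
  )

  ### "${_mods[*]}" joins on the first IFS character (a space by default); one element prints as is.
  echo "${_mods[*]}"

  return 0
}

### Optional environment setup; skipped silently if the file is not readable.
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh

export DEBIAN_FRONTEND="noninteractive"

apt-get install -y intel-microcode amd64-microcode

### Declare and assign separately so the exit status of the command substitution is not masked by 'declare'.
declare nic_driver
nic_driver="$(grep_nic_driver_modules)"

### /etc/initramfs-tools/modules expects 'module_name [args ...]' per line. Emitting all detected drivers on one line,
### or wrapping them in double quotes (a here-document keeps quotes literally), would yield an entry that is not a
### module name. Therefore: one driver per line, and only tokens that look like a kernel module name are written.
declare -r module_name_re='^[A-Za-z0-9_-]+$'
declare -a nic_modules=()
declare nic_module=""
declare nic_driver_lines=""

read -r -a nic_modules <<< "${nic_driver}"

for nic_module in "${nic_modules[@]}"; do
  if [[ "${nic_module}" =~ ${module_name_re} ]]; then
    nic_driver_lines+="${nic_module}"$'\n'
  else
    printf "⚠️ '%s': skipping unexpected NIC driver token '%s'.\n" "${0}" "${nic_module}" >&2
  fi
done

### Drop the trailing newline so the generated file does not end with an empty line.
nic_driver_lines="${nic_driver_lines%$'\n'}"

if [[ -z "${nic_driver_lines}" ]]; then
  printf "⚠️ '%s': no NIC driver detected; the module list carries no host network driver.\n" "${0}" >&2
fi

### Unquoted delimiter: '${nic_driver_lines}' is expanded, everything else in the body is literal text.
cat << EOF >| /etc/initramfs-tools/modules
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

# List of modules that you want to include in your initramfs.
# They will be loaded at boot time in the order below.
#
# Syntax:  module_name [args ...]
#
# You must run update-initramfs(8) to effect this change.
#
# Examples:
#
#  raid1
#  sd_mod

### Load AppArmor early:
apparmor

### Entropy source for '/dev/random':
jitterentropy_rng
rng_core

### Live-ISO-Stack:
loop
squashfs
overlay

### Main btrfs-Stack:
btrfs
lzo
xor
xxhash
zstd
zstd_compress

### Main ext4-Stack:
ext4
jbd2
libcrc32c

### Main VFAT/ESP/FAT/UEFI-Stack:
exfat
fat
nls_ascii
nls_cp437
nls_iso8859-1
nls_iso8859-15
nls_utf8
vfat

### Device mapper, encryption & integrity:
dm_mod
dm_crypt
dm_integrity
dm_verity

### Main cryptography-Stack:
aes_generic
blake2b_generic
crc32c_generic
cryptd
libcrc32c
sha256_generic
sha512_generic
xts

### QEMU Bochs-compatible virtual machine support:
bochs

### RAID6 parity generation module:
raid6_pq

### Combined RAID4/5/6 support module:
raid456

### SCSI/SATA-Stack:
sd_mod
sr_mod
sg
ahci
libahci
ata_generic
libata
scsi_mod
scsi_dh_alua

### NVMe-Stack:
nvme
nvme_core

### USB-Stack:
xhci_pci
xhci_hcd
ehci_pci
ohci_pci
uhci_hcd
usb_storage
uas

### Virtual-Machines-Stack:
virtio_pci
virtio_blk
virtio_scsi
virtio_rng
virtio_console

### Network Driver Host-machine:
${nic_driver_lines}
EOF

cat << 'EOF' >| /etc/initramfs-tools/update-initramfs.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

#
# The Configuration file for update-initramfs(8)
#

#
# update_initramfs [ yes | all | no ]
#
# Default is yes
# If set to all update-initramfs will update all initramfs
# If set to no disables any update to initramfs besides kernel upgrade

update_initramfs=yes

#
# backup_initramfs [ yes | no ]
#
# Default is no
# If set to no leaves no .bak backup files.

backup_initramfs=no
EOF

cat << 'EOF' >| /etc/initramfs-tools/initramfs.conf
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

#
# initramfs.conf
# Configuration file for mkinitramfs(8). See initramfs.conf(5).
#
# Note that configuration options from this file can be overridden
# by config files in the /etc/initramfs-tools/conf.d directory.

#
# MODULES: [ most | netboot | dep | list ]
#
# most - Add most filesystem and all hard-drive drivers.
#
# dep - Try and guess that module to load.
#
# netboot - Add the base modules, network modules, but skip block devices.
#
# list - Only include modules from the 'additional modules' list
#

MODULES=most

#
# BUSYBOX: [ y | n | auto ]
#
# Use busybox shell and utilities. If set to n, klibc utilities will be used.
# If set to auto (or unset), busybox will be used if installed and klibc will
# be used otherwise.
#

BUSYBOX=auto

#
# KEYMAP: [ y | n ]
#
# Load a keymap during the initramfs stage.
#

KEYMAP=n

#
# COMPRESS: [ gzip | bzip2 | lz4 | lzma | lzop | xz | zstd ]
#

COMPRESS=zstd

#
# COMPRESSLEVEL: ...
#
# Set a compression level for the compressor.
# Defaults vary by compressor.
#
# Valid values are:
# 1-9 for gzip|bzip2|lzma|lzop
# 0-9 for lz4|xz
# 0-19 for zstd
#

COMPRESSLEVEL=3

#
# DEVICE: ...
#
# Specify a specific network interface, like eth0
# Overridden by optional ip= or BOOTIF= bootarg
#

DEVICE=

#
# NFSROOT: [ auto | HOST:MOUNT ]
#

NFSROOT=auto

#
# RUNSIZE: ...
#
# The size of the /run tmpfs mount point, like 256M or 10%
# Overridden by optional initramfs.runsize= bootarg
#

RUNSIZE=10%

#
# FSTYPE: ...
#
# The filesystem type(s) to support, or "auto" to use the current root
# filesystem type
#

FSTYPE=auto
EOF

### Replace the hook ('>|') instead of appending to it: with '>>' every further run of this script added another copy
### of the hook body, shebang included, to the same file.
### The hook copies bash, lsblk and udevadm into the image; all three are then available in the early-boot environment.
cat << 'EOF' >| /etc/initramfs-tools/hooks/ciss_debian_live_builder
#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

set -e

PREREQ=""
prereqs() { echo "$PREREQ"; }
case $1 in
  prereqs) prereqs; exit 0 ;;
esac

. /usr/share/initramfs-tools/hook-functions

mkdir -p "${DESTDIR}/bin" "${DESTDIR}/usr/bin" "${DESTDIR}/usr/local/bin"

# Include Bash
copy_exec /usr/bin/bash /usr/bin

# Include lsblk (block device information tool)
copy_exec /usr/bin/lsblk /usr/bin

# Include udevadm (udev management tool)
copy_exec /usr/bin/udevadm /usr/bin
EOF

chmod 0755 /etc/initramfs-tools/hooks/ciss_debian_live_builder

### Regenerate the initramfs for the live system kernel
update-initramfs -u -k all -v

printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh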