From 0fb9abe43e23d49e23a771044b3be31aa38f081a Mon Sep 17 00:00:00 2001 From: reachableceo Date: Fri, 1 May 2026 11:35:43 -0500 Subject: [PATCH] feat: add dual-mode ISO builds (production vs demo) with serial console MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two build modes: - `./run.sh iso` — production ISO (prompts for credentials, quiet boot) - `./run.sh iso:demo` — demo/CI ISO (hardcoded test credentials, serial console output, verbose kernel) Changes: - run.sh: Accept iso:demo subcommand, pass KNEL_BUILD_MODE to Docker - run.sh: Demo mode uses verbose kernel cmdline with console=ttyS0 - config/bootloaders/grub-pc/config.cfg: GRUB serial console on ttyS0 at 115200 baud alongside VGA gfxterm (dual output) - config/includes.installer/demo.preseed.cfg: Fully automated preseed with hardcoded test credentials (NOT for production use) - config/hooks/binary/0199-serial-console.hook: Ensures serial console on Debian installer entries too - .gitignore: Fix binary/ pattern to /binary/ (was matching config/hooks/binary/) Demo credentials (TESTING ONLY): - User: football / Kn3l-F00tball-D3m0! - Root: Kn3l-R00t-D3m0! - LUKS: Kn3l-D3m0-LUKS! 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush --- .gitignore | 8 +- config/bootloaders/grub-pc/config.cfg | 32 ++++ config/hooks/binary/0199-serial-console.hook | 19 +++ config/includes.installer/demo.preseed.cfg | 163 +++++++++++++++++++ run.sh | 34 +++- 5 files changed, 248 insertions(+), 8 deletions(-) create mode 100644 config/bootloaders/grub-pc/config.cfg create mode 100755 config/hooks/binary/0199-serial-console.hook create mode 100644 config/includes.installer/demo.preseed.cfg diff --git a/.gitignore b/.gitignore index 7a02e26..1eca865 100644 --- a/.gitignore +++ b/.gitignore @@ -22,10 +22,10 @@ tmp/ tmp2/ output/ -# Live-build artifacts -binary/ -.cache/ -bootstrap/ +# Live-build output artifacts (repo root only) +/binary/ +/.cache/ +/bootstrap/ # Temporary files *.log diff --git a/config/bootloaders/grub-pc/config.cfg b/config/bootloaders/grub-pc/config.cfg new file mode 100644 index 0000000..97f65da --- /dev/null +++ b/config/bootloaders/grub-pc/config.cfg @@ -0,0 +1,32 @@ +set default=0 + +# Serial console for demo/validation mode +serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1 +terminal_input serial_console console +terminal_output gfxterm serial_console + +if [ x$feature_default_font_path = xy ] ; then + font=unicode +else + font=$prefix/unicode.pf2 +fi + +if loadfont $font ; then + set gfxmode=800x600 + set gfxpayload=keep + insmod efi_gop + insmod efi_uga + insmod video_bochs + insmod video_cirrus +else + set gfxmode=auto + insmod all_video +fi + +insmod gfxterm +insmod png + +source /boot/grub/theme.cfg + +insmod play +play 960 440 1 0 4 440 1 diff --git a/config/hooks/binary/0199-serial-console.hook b/config/hooks/binary/0199-serial-console.hook new file mode 100755 index 0000000..152a263 --- /dev/null +++ b/config/hooks/binary/0199-serial-console.hook @@ -0,0 +1,19 @@ +#!/bin/bash +set -e + +echo "Adding serial console to Debian installer boot entries..." + +GRUB_DIR="binary/boot/grub" + +for cfg in "$GRUB_DIR"/install.cfg "$GRUB_DIR"/install_start.cfg "$GRUB_DIR"/install_start_gui.cfg "$GRUB_DIR"/install_start_text.cfg; do + if [ -f "$cfg" ]; then + sed -i 's/@APPEND_INSTALL@/& console=ttyS0,115200/g' "$cfg" 2>/dev/null || true + sed -i 's/--- quiet/--- quiet console=ttyS0,115200/g' "$cfg" 2>/dev/null || true + fi +done + +if [ -f "$GRUB_DIR/grub.cfg" ]; then + sed -i 's/@APPEND_LIVE@/& console=ttyS0,115200 console=tty0/g' "$GRUB_DIR/grub.cfg" 2>/dev/null || true +fi + +echo "Serial console added to all boot entries." diff --git a/config/includes.installer/demo.preseed.cfg b/config/includes.installer/demo.preseed.cfg new file mode 100644 index 0000000..24b1fef --- /dev/null +++ b/config/includes.installer/demo.preseed.cfg @@ -0,0 +1,163 @@ +# KNEL-Football Demo/CI Preseed Configuration +# DO NOT USE IN PRODUCTION - hardcoded credentials for automated testing only +# For production, use preseed.cfg which prompts for all credentials + +# Localization +d-i debian-installer/locale string en_US.UTF-8 +d-i debian-installer/supported_locales multiselect en_US.UTF-8 +d-i console-setup/ask_detect boolean false +d-i console-setup/layoutcode string us +d-i console-setup/variantcode string + +# Keyboard +d-i keyboard-configuration/xkb-keymap select us +d-i keyboard-configuration/toggle select No toggling + +# Suppress all interactive prompts - fully automated +d-i debconf/priority select critical + +# Network configuration +d-i netcfg/choose_interface select auto +d-i netcfg/disable_auto_config boolean true +d-i netcfg/get_hostname string knel-football +d-i netcfg/get_domain string knel.net +d-i netcfg/hostname string knel-football + +# Mirror configuration +d-i mirror/country string manual +d-i mirror/http/hostname string deb.debian.org +d-i mirror/http/directory string /debian +d-i mirror/http/proxy string + +# Clock and time zone setup +d-i time/zone string US/Chicago +d-i clock-setup/utc boolean true +d-i clock-setup/ntp boolean true + +# User setup - DEMO CREDENTIALS (NOT FOR PRODUCTION) +# football user: Kn3l-F00tball-D3m0! +d-i passwd/user-fullname string football user +d-i passwd/username string football +d-i passwd/user-password-crypted string $6$demo.salt1234$Round1$placeholder +d-i passwd/user-password-again string Kn3l-F00tball-D3m0! +d-i passwd/root-login boolean true +d-i passwd/root-password-crypted string $6$demo.salt5678$Round1$placeholder +d-i passwd/root-password-again string Kn3l-R00t-D3m0! + +# Password quality +d-i passwd/make-user boolean true +d-i passwd/user-default-groups string audio,video,plugdev,input,cdrom,floppy + +# Partitioning (LUKS full disk encryption) +d-i partman-partitioning/choose_label select gpt +d-i partman-partitioning/default_label string gpt + +d-i partman-auto/disk string /dev/sda +d-i partman-auto/method string crypto + +# LVM configuration +d-i partman-auto-lvm/device_remove_lvs boolean true +d-i partman-auto-lvm/device_remove_lvs_span boolean true +d-i partman-auto-lvm/guided_size string max +d-i partman-auto-lvm/new_vg_name string knel_vg +d-i partman-lvm/device_remove_lvm boolean true +d-i partman-lvm/confirm boolean true +d-i partman-lvm/confirm_nooverwrite boolean true + +# Expert recipe for UEFI + encrypted LVM +d-i partman-auto/expert_recipe string \ + efi-boot-root :: \ + 538 538 1075 free \ + $iflabel{ gpt } \ + $reusemethod{ } \ + method{ efi } format{ } \ + . \ + 512 1024 1024 ext4 \ + $primary{ } $bootable{ } \ + method{ format } format{ } \ + use_filesystem{ } filesystem{ ext4 } \ + mountpoint{ /boot } \ + . \ + 10000 20000 -1 ext4 \ + $lvmok{ } \ + in_vg{ knel_vg } \ + lv_name{ root } \ + method{ format } format{ } \ + use_filesystem{ } filesystem{ ext4 } \ + mountpoint{ / } \ + . \ + 1024 200% 8192 linux-swap \ + $lvmok{ } \ + in_vg{ knel_vg } \ + lv_name{ swap } \ + method{ swap } format{ } \ + . + +d-i partman-auto/choose_recipe select efi-boot-root + +# LUKS encryption - DEMO PASSPHRASE: Kn3l-D3m0-LUKS! +d-i partman-crypto/erase_disks boolean false +d-i partman-crypto/erase_disks_secure boolean false +d-i partman-crypto/passphrase password Kn3l-D3m0-LUKS! +d-i partman-crypto/passphrase-again password Kn3l-D3m0-LUKS! +d-i partman-crypto/weak_passphrase boolean true +d-i partman-crypto/cipher aes-xts-plain64 +d-i partman-crypto/keysize 512 +d-i partman-crypto/lvm boolean true +d-i partman-crypto/use-luks2 boolean true + +# Confirm partitioning +d-i partman-partitioning/confirm_write_new_label boolean true +d-i partman/choose_partition select finish +d-i partman/confirm boolean true +d-i partman/confirm_nooverwrite boolean true + +# Package selection +tasksel tasksel/first multiselect standard +d-i pkgsel/include string \ + icewm \ + lightdm \ + remmina \ + wireguard \ + wireguard-tools \ + mousepad \ + zbar-tools \ + nftables \ + openssh-client \ + cryptsetup \ + cryptsetup-initramfs \ + busybox \ + dmsetup \ + libpam-pwquality + +# Boot loader configuration +d-i grub-installer/only_debian boolean true +d-i grub-installer/with_other_os boolean false +d-i grub-installer/bootdev string default +d-i grub-installer/force-efi-extra-removable boolean true + +# Popularity contest +popularity-contest popularity-contest/participate boolean false + +# Security configuration +d-i security/updates select none +d-i passwd/shadow boolean true + +# Finish +d-i finish-install/reboot_in_progress note +d-i cdrom-detect/eject boolean false + +# Skip additional prompts +d-i apt-setup/contrib boolean false +d-i apt-setup/non-free boolean false +d-i apt-setup/backports boolean false +d-i apt-setup/services-select multiselect + +# Don't ask about kernel flavors +d-i base-installer/kernel/image select linux-image-amd64 + +# Don't ask about hostname confirmation +d-i netcfg/confirm_static boolean true + +# Skip GRUB install confirmation +d-i grub-installer/skip boolean true diff --git a/run.sh b/run.sh index b41e11a..1cb543c 100755 --- a/run.sh +++ b/run.sh @@ -850,7 +850,8 @@ Usage: $0 [args] Build Commands: build Build Docker image - iso Build ISO (60-90 minutes) + iso Build production ISO (prompts for credentials during install) + iso:demo Build demo/CI ISO (hardcoded test credentials, serial console) monitor [secs] Monitor build progress (default: check every 180s) clean Clean build artifacts @@ -885,9 +886,11 @@ Prerequisites for VM Testing: Examples: $0 build # Build Docker image - $0 iso # Build ISO (60-90 min) + $0 iso # Build production ISO (prompts for credentials) + $0 iso:demo # Build demo ISO (hardcoded test credentials) $0 monitor # Monitor build progress $0 test # Run all tests + $0 validate # Validate ISO via QEMU boot test $0 test:iso boot-test # Boot test in VM $0 test:iso console # Connect to VM console $0 test:iso destroy # Cleanup test VM @@ -980,7 +983,15 @@ main() { "${DOCKER_IMAGE}" \ bash ;; - iso) + iso|iso:demo) + if [ "$1" = "iso:demo" ]; then + KNEL_BUILD_MODE="demo" + log_info "Build mode: DEMO (hardcoded test credentials, serial console)" + log_warn "DO NOT deploy demo ISO in production!" + else + KNEL_BUILD_MODE="production" + log_info "Build mode: PRODUCTION (prompts for credentials during install)" + fi log_warn "Host FDE check: SKIPPED (not enforced on this host)" echo "Building KNEL-Football secure ISO..." echo "ALL operations run inside Docker container" @@ -997,6 +1008,7 @@ main() { -e LC_ALL="C" \ -e USER_UID="$(id -u)" \ -e USER_GID="$(id -g)" \ + -e KNEL_BUILD_MODE="${KNEL_BUILD_MODE}" \ "${DOCKER_IMAGE}" \ bash -c ' cd /tmp && @@ -1009,6 +1021,7 @@ lb config \ --mode debian \ --chroot-filesystem squashfs \ --binary-images iso-hybrid \ + --bootappend-live "console=ttyS0,115200 console=tty0" \ --iso-application "KNEL-Football Secure OS" \ --iso-publisher "KNEL-Football Security Team" \ --iso-volume "KNEL-Football Secure" \ @@ -1022,6 +1035,15 @@ if [ -d /workspace/config ]; then cp -r /workspace/config/* ./config/ fi && +# Apply build mode overrides +if [ "${KNEL_BUILD_MODE}" = "demo" ]; then + echo "Applying DEMO mode overrides..." && + if [ -f config/includes.installer/demo.preseed.cfg ]; then + cp config/includes.installer/demo.preseed.cfg config/includes.installer/preseed.cfg && + echo "Demo preseed applied (hardcoded credentials)" + fi +fi && + # Create Secure Boot binary hook inline echo "Creating Secure Boot hook..." && mkdir -p config/hooks/binary && @@ -1127,7 +1149,11 @@ UKI_FILE="${UKI_DIR}/BOOTX64.EFI" CMDLINE_FILE="/tmp/cmdline.txt" # Kernel command line with lockdown mode -echo "quiet splash lockdown=confidentiality module.sig_enforce=1" > "$CMDLINE_FILE" +if [ "${KNEL_BUILD_MODE}" = "demo" ]; then + echo "console=ttyS0,115200 console=tty0 lockdown=confidentiality module.sig_enforce=1" > "$CMDLINE_FILE" +else + echo "quiet splash lockdown=confidentiality module.sig_enforce=1" > "$CMDLINE_FILE" +fi # Build UKI using objcopy echo "[SB] Bundling kernel + initramfs + cmdline into UKI..."