V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-08-06 19:23:16 +02:00
parent b7a8e7174b
commit 03c63b8b87
25 changed files with 449 additions and 221 deletions
--- a/lib/cdi_0005_guard/0008_guard_variable.sh
+++ b/lib/cdi_0005_guard/0008_guard_variable.sh
@@ -13,14 +13,120 @@
 guard_sourcing

 #######################################
-# Ensures the value of the provided VAR is always lowercase.
-# Use: ensure_lowercase VAR
+# Converts the value of a passed variable to lowercase.
+# Example:
+#   ensure_lowercase "VAR"
 # Arguments:
 #   1: VARIABLE name only
+# Returns:
+#   0: on success
+#   ERR_UNBOUND_VARIABLE
 #######################################
 ensure_lowercase() {
-  declare -r name="${1}"
+  declare -r name="$1"
+  if ! declare -p "${name}" &>/dev/null; then
+    do_log "emergency" "file_only" "0008() Unbound variable: [${name}]."
+    return "${ERR_UNBOUND_VARIABLE}"
+  fi
  declare -n ref="${name}"
  ref="${ref,,}"
+  return 0
+}
+
+#######################################
+# Converts the value of a passed variable to uppercase.
+# Example:
+#   ensure_uppercase "VAR"
+# Arguments:
+#   1: VARIABLE name only
+# Returns:
+#   0: on success
+#   ERR_UNBOUND_VARIABLE
+#######################################
+ensure_uppercase() {
+  declare -r name="$1"
+  if ! declare -p "${name}" &>/dev/null; then
+    do_log "emergency" "file_only" "0008() Unbound variable: [${name}]."
+    return "${ERR_UNBOUND_VARIABLE}"
+  fi
+  declare -n ref="${name}"
+  ref="${ref^^}"
+  return 0
+}
+
+#######################################
+# Removes leading and trailing spaces in the value.
+# Example:
+#   ensure_trimmed "VAR"
+# Arguments:
+#   1: VARIABLE name only
+# Returns:
+#   0: on success
+#   ERR_UNBOUND_VARIABLE
+#######################################
+ensure_trimmed() {
+  declare -r name="$1"
+  if ! declare -p "${name}" &>/dev/null; then
+    do_log "emergency" "file_only" "0008() Unbound variable: [${name}]."
+    return "${ERR_UNBOUND_VARIABLE}"
+  fi
+  declare -n ref="${name}"
+  ref="${ref#"${ref%%[![:space:]]*}"}"
+  ref="${ref%"${ref##*[![:space:]]}"}"
+  return 0
+}
+
+#######################################
+# Resets the value of the variable to a default value if it is empty or contains only whitespace.
+# Example:
+#   reset_to_default "VAR" "fallback"
+# Arguments:
+#   1: VARIABLE name only
+#   2: Fallback value
+# Returns:
+#   0: on success
+#   ERR_UNBOUND_VARIABLE
+#######################################
+reset_to_default() {
+  declare -r name="$1"
+  declare -r fallback="$2"
+  if ! declare -p "${name}" &>/dev/null; then
+    do_log "emergency" "file_only" "0008() Unbound variable: [${name}]."
+    return "${ERR_UNBOUND_VARIABLE}"
+  fi
+  declare -n ref="${name}"
+  declare    trimmed="${ref#"${ref%%[![:space:]]*}"}"
+  trimmed="${trimmed%"${trimmed##*[![:space:]]}"}"
+  if [[ -z "${trimmed}" ]]; then
+    ref="${fallback}"
+  fi
+  return 0
+}
+
+#######################################
+# Checks whether the content of a variable matches a specific regex.
+# Example:
+#   assert_match "FOO" '^[a-z0-9_-]+$'
+# Arguments:
+#   1: VARIABLE name only
+#   2: Regex in 'single quotes'
+# Returns:
+#   0: on success
+#   ERR_UNBOUND_VARIABLE
+#   ERR_VAR_REGEX_CHK
+#######################################
+assert_match() {
+  declare -r name="$1"
+  declare -r pattern="$2"
+  if ! declare -p "${name}" &>/dev/null; then
+    do_log "emergency" "file_only" "0008() Unbound variable: [${name}]."
+    return "${ERR_UNBOUND_VARIABLE}"
+  fi
+  declare -n ref="${name}"
+  if ! [[ "${ref}" =~ ${pattern} ]]; then
+    do_log "emergency" "file_only" "0008() Variable: [${name}] not matching Regex: [${pattern}]: [${ref}]."
+    return "${ERR_VAR_REGEX_CHK}"
+  fi
+  return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/cdi_0060_traps/0060_trap_err.sh
+++ b/lib/cdi_0060_traps/0060_trap_err.sh
@@ -228,6 +228,7 @@ trap_err() {
  case "${VAR_IN_DIALOG_WR}" in
    box   ) dialog_box_cleaner   ;;
    gauge ) dialog_gauge_cleaner ;;
+    text )  dialog_text_cleaner  ;;
  esac

  calculate_runtime
--- a/lib/cdi_0060_traps/0070_trap_exit.sh
+++ b/lib/cdi_0060_traps/0070_trap_exit.sh
@@ -152,6 +152,7 @@ trap_exit_non_zero() {
    case "${VAR_IN_DIALOG_WR}" in
      box   ) dialog_box_cleaner   ;;
      gauge ) dialog_gauge_cleaner ;;
+      text )  dialog_text_cleaner  ;;
    esac

    calculate_runtime
--- a/lib/cdi_0060_traps/0080_trap_int.sh
+++ b/lib/cdi_0060_traps/0080_trap_int.sh
@@ -24,8 +24,9 @@ restart_dialog() {
  trap 'trap_int' INT TERM
  trap 'trap_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
  case "$1" in
-    box   ) dialog_box   ;;
-    gauge ) dialog_gauge ;;
+    box   ) dialog_box    ;;
+    gauge ) dialog_gauge  ;;
+    text  ) dialog_kernel ;;
    *     ) ;;
  esac
 }
@@ -48,6 +49,7 @@ trap_int() {
  case "${VAR_IN_DIALOG_WR}" in
    box   ) dialog_box_cleaner;   declare var_helper_dialog="box"   ;;
    gauge ) dialog_gauge_cleaner; declare var_helper_dialog="gauge" ;;
+    text )  dialog_text_cleaner;  declare var_helper_dialog="text"  ;;
    *     ) declare var_helper_dialog="false" ;;
  esac

@@ -62,6 +64,9 @@ trap_int() {
    elif [[ "${var_helper_dialog}" == "gauge" ]]; then
      restart_dialog "${var_helper_dialog}"
      return 0
+    elif [[ "${var_helper_dialog}" == "text" ]]; then
+      restart_dialog "${var_helper_dialog}"
+      return 0
    else
      restart_dialog "${var_helper_dialog}"
      return 0
--- a/lib/cdi_0100_arg/0102_arg_parser.sh
+++ b/lib/cdi_0100_arg/0102_arg_parser.sh
@@ -68,6 +68,7 @@ arg_parser() {

        --renice-priority)
          if [[ -n ${2-} && ${2} =~ ^-?[0-9]+$ && ${2} -ge -19 && ${2} -le 19 ]]; then
+            # shellcheck disable=SC2034
            VAR_PRIORITY="${2}"
            shift 2
          else
@@ -80,6 +81,7 @@ arg_parser() {
            arg_mismatch "--reionice-priority no values provided."
          else
            if [[ "${2}" =~ ^[1-3]$ ]]; then
+              # shellcheck disable=SC2034
              VAR_REIONICE_CLASS="${2}"
              if [[ -z "${3-}" ]]; then
                :
--- a/lib/cdi_0110_interactive/0110_dialog_kernel.sh
+++ b/lib/cdi_0110_interactive/0110_dialog_kernel.sh
@@ -15,16 +15,19 @@ guard_sourcing
 #######################################
 # Kernel Image Selector.
 # Globals:
+#   VAR_DIALOG
 #   VAR_KERNEL
 #   VAR_KERNEL_SRT
 #   VAR_KERNEL_TMP
+#   VAR_NOTES
+#   VAR_VERSION
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #   42: On sorting Error.
 #######################################
-check_kernel() {
+dialog_kernel() {
  declare -i counter=1 rc=0
  declare    first_string="" line="" name="" options="" var_cpu_vendor="" var_system_architecture=""

@@ -33,33 +36,34 @@ check_kernel() {
  var_system_architecture="$(dpkg --print-architecture)"

  cat << EOF >| "${VAR_NOTES}"
+CISS.debian.installer
 Build: ${VAR_VERSION}

-Press 'EXIT' to go back to the menu [Select the Kernel for the CISS.debian.installer].
+Press 'EXIT' to return to the menu: "Select the Kernel for the target system".

-Kernel available
+Kernel available :
 This section lists available Debian kernel variants. Each type addresses specific requirements such as
-hardware support, virtualization, real-time processing, or Secure Boot compatibility.
+hardware support, virtualization, real-time processing, or Secure-Boot compatibility.

-*+bpo*       : Debian Backported Kernel
+*+bpo*           : Debian Backported Kernel
 Backported kernels from Debian testing or unstable, offering newer features, improved hardware
-support, and updated drivers—especially useful on modern systems or special-purpose hardware.
+support, and updated drivers, especially useful on modern systems or special-purpose hardware.

-*cloud*      : Special lightweight images for KVM
+*cloud*          : Special lightweight images for KVM
 Cloud-optimized kernels tailored for virtualized environments (e.g., KVM, OpenStack). These images
 are minimal, fast-booting, and reduce unnecessary modules and firmware to save memory and time.

-*unsigned*   : Unsigned Kernel
+*unsigned*       : Unsigned Kernel
 Kernel images without Microsoft Secure Boot signatures. These require custom Secure Boot key
 management (e.g., using your own PK/KEK/DB or MOK with shim) and will not boot on locked-down systems.

-*preempt_rt* : Special Kernel for real-time-computing
+*preempt_rt*     : Special Kernel for real-time-computing
 Real-time variant with full preemption enabled. Designed for workloads needing deterministic latency
 such as robotics, industrial control, scientific instrumentation, or low-latency audio processing.

-Note:
-All kernel packages **not** marked as *unsigned* are **Microsoft-signed** and should work out of the
-box with Secure Boot enabled, assuming the UEFI firmware trusts Microsoft’s root keys.
+Note             :
+All kernel packages NOT marked as *unsigned* are **Microsoft-signed** and should work out of the
+box with Secure-Boot enabled, assuming the UEFI firmware trusts Microsofts root keys.
 EOF

  case "${var_system_architecture}" in
@@ -75,13 +79,13 @@ EOF
      ;;

    *)
-      do_log "info" "file_only" "4140() Unknown Architecture: '${var_system_architecture}' and / or unsupported CPU vendor: '${var_cpu_vendor}', skipping."
+      do_log "info" "file_only" "0110() Unknown Architecture: '${var_system_architecture}' and / or unsupported CPU vendor: '${var_cpu_vendor}', skipping."
      ;;

  esac

  sort --output="${VAR_KERNEL_SRT}" "${VAR_KERNEL_TMP}" || {
-    printf "❌ Error 0110_check_kernel.sh Line 52 sort failed\n" >&2
+    printf "❌ Error 0110_check_kernel.sh Line 84 sort failed\n" >&2
    # shellcheck disable=SC2162
    read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
    return 42
@@ -95,15 +99,18 @@ EOF
  done < "${VAR_KERNEL_SRT}"

  while true; do
-  # shellcheck disable=SC2034
+
+    declare -gx VAR_IN_DIALOG_WR="text"
+
+    # shellcheck disable=SC2034
    if VAR_KERNEL=$(dialog \
      --no-collapse \
      --ascii-lines \
      --clear \
      --help-button --help-label "Info" \
      --backtitle "CISS.debian.installer" \
-      --title "Select the Kernel for the CISS.debian.installer" \
-      --radiolist "Kernel available \n *+bpo*       : Debian Backported Kernel \n *cloud*      : Special lightweight images for KVM \n *unsigned*   : Unsigned Kernel \n *preempt_rt* : Special Kernel for real-time-computing \n Not unsigned marked are MS signed Kernel for Secure Boot \n" 0 0 "${options[@]}" 3>&1 1>&2 2>&3 3>&-)
+      --title "Select the Kernel for the target system." \
+      --radiolist "Kernel available: \n" 0 0 "${options[@]}" 3>&1 1>&2 2>&3 3>&-)

    then

@@ -129,7 +136,7 @@ EOF
          --ascii-lines \
          --clear \
          --backtitle "CISS.debian.installer" \
-          --title "Select the Kernel for the CISS.debian.installer" \
+          --title "Select the Kernel for the target system." \
          --scrollbar \
          --textbox "${VAR_NOTES}" 32 128
        clear
@@ -140,8 +147,10 @@ EOF
    fi

  done
+
+  declare -gx VAR_IN_DIALOG_WR="false"
  # shellcheck disable=SC2312
-  cat "${VAR_DIALOG}" | tail -n 30
+  cat "${VAR_DIALOG}" | tail -n 64

  return 0
 }
--- a/lib/cdi_0110_interactive/0115_check_provider.sh
+++ b/lib/cdi_0110_interactive/0115_check_provider.sh
@@ -1,69 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-# TODO: Update this module
-
-guard_sourcing
-
-#######################################
-# Notes Textbox
-# Arguments:
-#  None
-#######################################
-check_provider() {
-  clear
-  cat << 'EOF' >| "${VAR_NOTES}"
-Build: Master V8.00.000.2025.06.17
-
-Press 'EXIT' to continue with CISS.debian.installer.
-
-When you provision ISO images using the Netcup provider, you MUST always supply a globally unique identifier
-for each image via the --control argument. If you omit this flag or reuse an existing identifier, Netcup's
-backend will automatically locate and mount the oldest ISO carrying that same name. In practice, this means
-you might believe you're booting a freshly uploaded image, but in fact, the system silently reattaches an
-earlier one-leading to confusing failures and wasted troubleshooting time.
-
-A separate but related issue emerges when booting certain Debian "cloud" kernel images-specifically those
-matching the patterns *.+bpo-cloud-amd64 or *.+bpo-cloud-arm64-on a Netcup G11 instance or on a Hetzner VM.
-After the initramfs is loaded, the console output often becomes garbled or completely unreadable. This is not
-due to a kernel panic, but rather to a mismatch between the framebuffer mode expected by the initramfs and the
-one actually provided by the virtual hardware. Common workarounds, like editing the boot entry (e) and appending
-
- 'nomodeset', or
- 'vga=0x318',
-
-do not resolve the issue because they address legacy VGA modes rather than the EFI framebuffer parameters used
-in modern cloud images.
-
-To mitigate this, you can:
-
- Use a plain Debian kernel (e.g., linux-image-amd64) instead of the bpo-cloud variants, which are optimized
-  for cloud-init but presume a different console setup.
-
- Explicitly set an EFI-compatible framebuffer by adding something like 'video=efifb:mode=auto' to the kernel
-  command line. This aligns the initramfs console driver with the actual firmware framebuffer.
-
- Build a custom initramfs that includes the correct video modules or switches back to a serial console. For
-  example, adding 'console=ttyS0,115200' can force all early messages to the serial port bypassing the
-  graphical framebuffer entirely.
-EOF
-
-  dialog --no-collapse \
-         --ascii-lines \
-         --clear \
-         --backtitle "CISS.debian.installer" \
-         --title "Important Notes" \
-         --scrollbar \
-         --textbox "${VAR_NOTES}" 32 128
-  clear
-}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/cdi_0110_interactive/0115_dialog_notes.sh
+++ b/lib/cdi_0110_interactive/0115_dialog_notes.sh
@@ -0,0 +1,81 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Notes Textbox.
+# Arguments:
+#   None
+#######################################
+dialog_notes() {
+  clear
+  cat << EOF >| "${VAR_NOTES}"
+CISS.debian.installer
+Build: ${VAR_VERSION}
+
+Press 'EXIT' to return to the CISS.debian.installer.
+
+CISS.debian.installer [CDI] - Hardened & Deterministic Debian Installation Framework
+
+The CISS.debian.installer is a custom, security-focused installation framework built from scratch,
+with profound modifications aimed at deterministic behaviour, cryptographic integrity, and minimal
+attack surface throughout the entire installation process.
+
+Unlike the stock Debian Installer, which prioritizes broad compatibility and modularity, CDI places
+emphasis on strict reproducibility, fine-grained control, and maximal hardening even during early
+bootstrapping. Every installation is driven by a pre-seeded, YAML-based configuration model,
+eliminating interactive ambiguity and reducing the risk of misconfiguration.
+
+Key features include:
+
+- Full-Disk Encryption (FDE) by default, including encrypted [/boot], using LUKS2 with Argon2id KDF,
+  optional two-factor unlocking, and dm-integrity support.
+- Dropbear SSH integration in the initramfs, enabling remote unlocking of encrypted volumes over a
+  secured channel with full key-based authentication and hardened SSHD configuration.
+- Secure Boot integration using user-managed Platform Keys (PK/KEK/DB) and signed GRUB/kernel
+  binaries without relying on Microsofts root certificates.
+- Modular architecture with trap-based error handling, differential runtime tracing, and strict Bash
+  safety flags [set -Ceuo pipefail] enforced across all sourced modules.
+- Btrfs-native RAID1/RAID6 layout support with post-install volume extensions, snapshot orchestration,
+  and separate ephemeral volumes for [/tmp] and [SWAP].
+
+All components are validated using static analysis and runtime verification. A deterministic runtime
+model ensures that the system state post-install is both reproducible and audit-ready.
+
+CDI avoids [LVM] to reduce architectural complexity, instead relying on dm-crypt, GPT partitioning,
+and direct volume mapping. Secure Boot compliant GRUB installation, including fallback paths under
+default [/EFI/BOOT/].
+
+With a rigorous security baseline, hardened defaults, and strict validation checkpoints, the new
+CISS.debian.installer is designed for high-assurance environments, air-gapped deployments, and
+scenarios where control, auditability, and long-term reproducibility are paramount.
+EOF
+
+  declare -gx VAR_IN_DIALOG_WR="text"
+
+  dialog --no-collapse \
+         --ascii-lines \
+         --clear \
+         --backtitle "CISS.debian.installer" \
+         --title "Important Notes" \
+         --scrollbar \
+         --textbox "${VAR_NOTES}" 32 128
+  clear
+
+  declare -gx VAR_IN_DIALOG_WR="false"
+  # shellcheck disable=SC2312
+  cat "${VAR_DIALOG}" | tail -n 64
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/cdi_0200_dialog/0200_dialog_helper.sh
+++ b/lib/cdi_0200_dialog/0200_dialog_helper.sh
@@ -15,7 +15,7 @@ guard_sourcing
 #######################################
 # Terminal cleaner for Dialog Wrappers.
 # Arguments:
-#  None
+#   None
 #######################################
 clean_screen() {
  tput cnorm > /dev/tty # Cursor visible
@@ -35,7 +35,7 @@ clean_screen() {
 #   PIPE_DIALOG_GAUGE
 #   VAR_IN_DIALOG_WR
 # Arguments:
-#  None
+#   None
 #######################################
 dialog_gauge() {
  clear
@@ -66,7 +66,7 @@ dialog_gauge() {
 #   ROWS_USE
 #   VAR_IN_DIALOG_WR
 # Arguments:
-#  None
+#   None
 #######################################
 dialog_box() {
  ### Save original stdout
@@ -108,10 +108,12 @@ dialog_box() {
 #######################################
 # Dialog Program Box Cleaner.
 # Globals:
+#   FD_SAVE_OUT
 #   PID_DIALOG_BOX
 #   PIPE_DIALOG_BOX
+#   VAR_IN_DIALOG_WR
 # Arguments:
-#  None
+#   None
 #######################################
 dialog_box_cleaner() {
  [[ -n "${FD_SAVE_OUT-}" ]] && exec 1>&"${FD_SAVE_OUT}" 2>&"${FD_SAVE_OUT}"
@@ -131,10 +133,12 @@ dialog_box_cleaner() {
 #######################################
 # Dialog Gauge Bar Cleaner.
 # Globals:
+#   FD_GAUGE
 #   PID_DIALOG_GAUGE
 #   PIPE_DIALOG_GAUGE
+#   VAR_IN_DIALOG_WR
 # Arguments:
-#  None
+#   None
 #######################################
 dialog_gauge_cleaner() {
  if [[ -n "${FD_GAUGE-}" ]]; then
@@ -150,4 +154,17 @@ dialog_gauge_cleaner() {
  clean_screen
  sleep 1
 }
+
+#######################################
+# Dialog Gauge Bar Cleaner.
+# Globals:
+#   VAR_IN_DIALOG_WR
+# Arguments:
+#   None
+#######################################
+dialog_text_cleaner() {
+  declare -gx VAR_IN_DIALOG_WR="false"
+  clean_screen
+  sleep 1
+}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh