V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

lib/cdi_0110_interactive/0110_dialog_kernel.sh

@@ -15,16 +15,19 @@ guard_sourcing
 #######################################
 # Kernel Image Selector.
 # Globals:
+#   VAR_DIALOG
 #   VAR_KERNEL
 #   VAR_KERNEL_SRT
 #   VAR_KERNEL_TMP
+#   VAR_NOTES
+#   VAR_VERSION
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #   42: On sorting Error.
 #######################################
-check_kernel() {
+dialog_kernel() {
   declare -i counter=1 rc=0
   declare    first_string="" line="" name="" options="" var_cpu_vendor="" var_system_architecture=""
 
@@ -33,33 +36,34 @@ check_kernel() {
   var_system_architecture="$(dpkg --print-architecture)"
 
   cat << EOF >| "${VAR_NOTES}"
+CISS.debian.installer
 Build: ${VAR_VERSION}
 
-Press 'EXIT' to go back to the menu [Select the Kernel for the CISS.debian.installer].
+Press 'EXIT' to return to the menu: "Select the Kernel for the target system".
 
-Kernel available
+Kernel available :
 This section lists available Debian kernel variants. Each type addresses specific requirements such as
-hardware support, virtualization, real-time processing, or Secure Boot compatibility.
+hardware support, virtualization, real-time processing, or Secure-Boot compatibility.
 
-*+bpo*       : Debian Backported Kernel
+*+bpo*           : Debian Backported Kernel
 Backported kernels from Debian testing or unstable, offering newer features, improved hardware
-support, and updated drivers—especially useful on modern systems or special-purpose hardware.
+support, and updated drivers, especially useful on modern systems or special-purpose hardware.
 
-*cloud*      : Special lightweight images for KVM
+*cloud*          : Special lightweight images for KVM
 Cloud-optimized kernels tailored for virtualized environments (e.g., KVM, OpenStack). These images
 are minimal, fast-booting, and reduce unnecessary modules and firmware to save memory and time.
 
-*unsigned*   : Unsigned Kernel
+*unsigned*       : Unsigned Kernel
 Kernel images without Microsoft Secure Boot signatures. These require custom Secure Boot key
 management (e.g., using your own PK/KEK/DB or MOK with shim) and will not boot on locked-down systems.
 
-*preempt_rt* : Special Kernel for real-time-computing
+*preempt_rt*     : Special Kernel for real-time-computing
 Real-time variant with full preemption enabled. Designed for workloads needing deterministic latency
 such as robotics, industrial control, scientific instrumentation, or low-latency audio processing.
 
-Note:
-All kernel packages **not** marked as *unsigned* are **Microsoft-signed** and should work out of the
-box with Secure Boot enabled, assuming the UEFI firmware trusts Microsoft’s root keys.
+Note             :
+All kernel packages NOT marked as *unsigned* are **Microsoft-signed** and should work out of the
+box with Secure-Boot enabled, assuming the UEFI firmware trusts Microsofts root keys.
 EOF
 
   case "${var_system_architecture}" in
@@ -75,13 +79,13 @@ EOF
       ;;
 
     *)
-      do_log "info" "file_only" "4140() Unknown Architecture: '${var_system_architecture}' and / or unsupported CPU vendor: '${var_cpu_vendor}', skipping."
+      do_log "info" "file_only" "0110() Unknown Architecture: '${var_system_architecture}' and / or unsupported CPU vendor: '${var_cpu_vendor}', skipping."
       ;;
 
   esac
 
   sort --output="${VAR_KERNEL_SRT}" "${VAR_KERNEL_TMP}" || {
-    printf "❌ Error 0110_check_kernel.sh Line 52 sort failed\n" >&2
+    printf "❌ Error 0110_check_kernel.sh Line 84 sort failed\n" >&2
     # shellcheck disable=SC2162
     read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
     return 42
@@ -95,15 +99,18 @@ EOF
   done < "${VAR_KERNEL_SRT}"
 
   while true; do
-  # shellcheck disable=SC2034
+
+    declare -gx VAR_IN_DIALOG_WR="text"
+
+    # shellcheck disable=SC2034
     if VAR_KERNEL=$(dialog \
       --no-collapse \
       --ascii-lines \
       --clear \
       --help-button --help-label "Info" \
       --backtitle "CISS.debian.installer" \
-      --title "Select the Kernel for the CISS.debian.installer" \
-      --radiolist "Kernel available \n *+bpo*       : Debian Backported Kernel \n *cloud*      : Special lightweight images for KVM \n *unsigned*   : Unsigned Kernel \n *preempt_rt* : Special Kernel for real-time-computing \n Not unsigned marked are MS signed Kernel for Secure Boot \n" 0 0 "${options[@]}" 3>&1 1>&2 2>&3 3>&-)
+      --title "Select the Kernel for the target system." \
+      --radiolist "Kernel available: \n" 0 0 "${options[@]}" 3>&1 1>&2 2>&3 3>&-)
 
     then
 
@@ -129,7 +136,7 @@ EOF
           --ascii-lines \
           --clear \
           --backtitle "CISS.debian.installer" \
-          --title "Select the Kernel for the CISS.debian.installer" \
+          --title "Select the Kernel for the target system." \
           --scrollbar \
           --textbox "${VAR_NOTES}" 32 128
         clear
@@ -140,8 +147,10 @@ EOF
     fi
 
   done
+
+  declare -gx VAR_IN_DIALOG_WR="false"
   # shellcheck disable=SC2312
-  cat "${VAR_DIALOG}" | tail -n 30
+  cat "${VAR_DIALOG}" | tail -n 64
 
   return 0
 }

lib/cdi_0110_interactive/0115_check_provider.sh

@@ -1,69 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-# TODO: Update this module
-
-guard_sourcing
-
-#######################################
-# Notes Textbox
-# Arguments:
-#  None
-#######################################
-check_provider() {
-  clear
-  cat << 'EOF' >| "${VAR_NOTES}"
-Build: Master V8.00.000.2025.06.17
-
-Press 'EXIT' to continue with CISS.debian.installer.
-
-When you provision ISO images using the Netcup provider, you MUST always supply a globally unique identifier
-for each image via the --control argument. If you omit this flag or reuse an existing identifier, Netcup's
-backend will automatically locate and mount the oldest ISO carrying that same name. In practice, this means
-you might believe you're booting a freshly uploaded image, but in fact, the system silently reattaches an
-earlier one-leading to confusing failures and wasted troubleshooting time.
-
-A separate but related issue emerges when booting certain Debian "cloud" kernel images-specifically those
-matching the patterns *.+bpo-cloud-amd64 or *.+bpo-cloud-arm64-on a Netcup G11 instance or on a Hetzner VM.
-After the initramfs is loaded, the console output often becomes garbled or completely unreadable. This is not
-due to a kernel panic, but rather to a mismatch between the framebuffer mode expected by the initramfs and the
-one actually provided by the virtual hardware. Common workarounds, like editing the boot entry (e) and appending
-
-- 'nomodeset', or
-- 'vga=0x318',
-
-do not resolve the issue because they address legacy VGA modes rather than the EFI framebuffer parameters used
-in modern cloud images.
-
-To mitigate this, you can:
-
-- Use a plain Debian kernel (e.g., linux-image-amd64) instead of the bpo-cloud variants, which are optimized
-  for cloud-init but presume a different console setup.
-
-- Explicitly set an EFI-compatible framebuffer by adding something like 'video=efifb:mode=auto' to the kernel
-  command line. This aligns the initramfs console driver with the actual firmware framebuffer.
-
-- Build a custom initramfs that includes the correct video modules or switches back to a serial console. For
-  example, adding 'console=ttyS0,115200' can force all early messages to the serial port bypassing the
-  graphical framebuffer entirely.
-EOF
-
-  dialog --no-collapse \
-         --ascii-lines \
-         --clear \
-         --backtitle "CISS.debian.installer" \
-         --title "Important Notes" \
-         --scrollbar \
-         --textbox "${VAR_NOTES}" 32 128
-  clear
-}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/cdi_0110_interactive/0115_dialog_notes.sh

@@ -0,0 +1,81 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Notes Textbox.
+# Arguments:
+#   None
+#######################################
+dialog_notes() {
+  clear
+  cat << EOF >| "${VAR_NOTES}"
+CISS.debian.installer
+Build: ${VAR_VERSION}
+
+Press 'EXIT' to return to the CISS.debian.installer.
+
+CISS.debian.installer [CDI] - Hardened & Deterministic Debian Installation Framework
+
+The CISS.debian.installer is a custom, security-focused installation framework built from scratch,
+with profound modifications aimed at deterministic behaviour, cryptographic integrity, and minimal
+attack surface throughout the entire installation process.
+
+Unlike the stock Debian Installer, which prioritizes broad compatibility and modularity, CDI places
+emphasis on strict reproducibility, fine-grained control, and maximal hardening even during early
+bootstrapping. Every installation is driven by a pre-seeded, YAML-based configuration model,
+eliminating interactive ambiguity and reducing the risk of misconfiguration.
+
+Key features include:
+
+- Full-Disk Encryption (FDE) by default, including encrypted [/boot], using LUKS2 with Argon2id KDF,
+  optional two-factor unlocking, and dm-integrity support.
+- Dropbear SSH integration in the initramfs, enabling remote unlocking of encrypted volumes over a
+  secured channel with full key-based authentication and hardened SSHD configuration.
+- Secure Boot integration using user-managed Platform Keys (PK/KEK/DB) and signed GRUB/kernel
+  binaries without relying on Microsofts root certificates.
+- Modular architecture with trap-based error handling, differential runtime tracing, and strict Bash
+  safety flags [set -Ceuo pipefail] enforced across all sourced modules.
+- Btrfs-native RAID1/RAID6 layout support with post-install volume extensions, snapshot orchestration,
+  and separate ephemeral volumes for [/tmp] and [SWAP].
+
+All components are validated using static analysis and runtime verification. A deterministic runtime
+model ensures that the system state post-install is both reproducible and audit-ready.
+
+CDI avoids [LVM] to reduce architectural complexity, instead relying on dm-crypt, GPT partitioning,
+and direct volume mapping. Secure Boot compliant GRUB installation, including fallback paths under
+default [/EFI/BOOT/].
+
+With a rigorous security baseline, hardened defaults, and strict validation checkpoints, the new
+CISS.debian.installer is designed for high-assurance environments, air-gapped deployments, and
+scenarios where control, auditability, and long-term reproducibility are paramount.
+EOF
+
+  declare -gx VAR_IN_DIALOG_WR="text"
+
+  dialog --no-collapse \
+         --ascii-lines \
+         --clear \
+         --backtitle "CISS.debian.installer" \
+         --title "Important Notes" \
+         --scrollbar \
+         --textbox "${VAR_NOTES}" 32 128
+  clear
+
+  declare -gx VAR_IN_DIALOG_WR="false"
+  # shellcheck disable=SC2312
+  cat "${VAR_DIALOG}" | tail -n 64
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh