V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

lib/cdi_0110_interactive/0115_dialog_notes.sh

@@ -0,0 +1,81 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Notes Textbox.
+# Arguments:
+#   None
+#######################################
+dialog_notes() {
+  clear
+  cat << EOF >| "${VAR_NOTES}"
+CISS.debian.installer
+Build: ${VAR_VERSION}
+
+Press 'EXIT' to return to the CISS.debian.installer.
+
+CISS.debian.installer [CDI] - Hardened & Deterministic Debian Installation Framework
+
+The CISS.debian.installer is a custom, security-focused installation framework built from scratch,
+with profound modifications aimed at deterministic behaviour, cryptographic integrity, and minimal
+attack surface throughout the entire installation process.
+
+Unlike the stock Debian Installer, which prioritizes broad compatibility and modularity, CDI places
+emphasis on strict reproducibility, fine-grained control, and maximal hardening even during early
+bootstrapping. Every installation is driven by a pre-seeded, YAML-based configuration model,
+eliminating interactive ambiguity and reducing the risk of misconfiguration.
+
+Key features include:
+
+- Full-Disk Encryption (FDE) by default, including encrypted [/boot], using LUKS2 with Argon2id KDF,
+  optional two-factor unlocking, and dm-integrity support.
+- Dropbear SSH integration in the initramfs, enabling remote unlocking of encrypted volumes over a
+  secured channel with full key-based authentication and hardened SSHD configuration.
+- Secure Boot integration using user-managed Platform Keys (PK/KEK/DB) and signed GRUB/kernel
+  binaries without relying on Microsofts root certificates.
+- Modular architecture with trap-based error handling, differential runtime tracing, and strict Bash
+  safety flags [set -Ceuo pipefail] enforced across all sourced modules.
+- Btrfs-native RAID1/RAID6 layout support with post-install volume extensions, snapshot orchestration,
+  and separate ephemeral volumes for [/tmp] and [SWAP].
+
+All components are validated using static analysis and runtime verification. A deterministic runtime
+model ensures that the system state post-install is both reproducible and audit-ready.
+
+CDI avoids [LVM] to reduce architectural complexity, instead relying on dm-crypt, GPT partitioning,
+and direct volume mapping. Secure Boot compliant GRUB installation, including fallback paths under
+default [/EFI/BOOT/].
+
+With a rigorous security baseline, hardened defaults, and strict validation checkpoints, the new
+CISS.debian.installer is designed for high-assurance environments, air-gapped deployments, and
+scenarios where control, auditability, and long-term reproducibility are paramount.
+EOF
+
+  declare -gx VAR_IN_DIALOG_WR="text"
+
+  dialog --no-collapse \
+         --ascii-lines \
+         --clear \
+         --backtitle "CISS.debian.installer" \
+         --title "Important Notes" \
+         --scrollbar \
+         --textbox "${VAR_NOTES}" 32 128
+  clear
+
+  declare -gx VAR_IN_DIALOG_WR="false"
+  # shellcheck disable=SC2312
+  cat "${VAR_DIALOG}" | tail -n 64
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh