V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-08-06 19:23:16 +02:00
parent b7a8e7174b
commit 03c63b8b87
25 changed files with 449 additions and 221 deletions
--- a/.preseed/preseed.yaml
+++ b/.preseed/preseed.yaml
@@ -23,13 +23,13 @@ installer:
 # APT settings
 ################################################################################################################################
 apt:
-  contrib: true                # Optionally install contrib software.
+  contrib: true                # Optionally, install contrib software.
  deb_sources: true            # Optionally includes deb-src entries for source repositories.
  default_list: true           # By default, source repositories are listed in '/etc/apt/sources.list'. This MUST be "true".
  full_upgrade: true           # Whether to upgrade packages after debootstrap.
  install_recommends: true     # Configure APT to not install recommended packages by default.
-  non_free: true               # Optionally install non-free software.
+  non_free: true               # Optionally, install non-free software.
-  non_free_firmware: true      # Optionally install non-free firmware. MUST be "true" for microcode updates.
+  non_free_firmware: true      # Optionally, install non-free firmware. MUST be "true" for microcode updates.
  sec: "security.debian.org"   # Debian Security Updates Archive.
  ##############################################################################################################################
@@ -77,7 +77,7 @@ apt:
 ################################################################################################################################
 # Basic settings
 ################################################################################################################################
-architecture: "amd64"          # MUST be one of "amd64", "intel64" or "arm64".
+architecture: "amd64"          # MUST be one of "amd64" or "arm64".
 debootstrap:                   # Provide a mirror for downloading the Debian packages for debootstrap.
                               # Specify the packages to be included in the debootstrapping process. Include a comma-separated
                               # list of official Debian packages.
@@ -249,7 +249,7 @@ grub_parameter:
  # attacks (SMoTHER, MDS, L1TF, TAA, Snoop-assisted).
  # Why is 'mitigations=auto,nosmt' better than setting everything manually?
  # Automatically adjusted: Depending on CPU family, stepping, microcode.
-  # Consistency guaranteed: No contradictions between flags possible
+  # Consistency guaranteed: No contradictions between flags are possible
  # (e.g., spec_store_bypass_disable=on vs. nospec_store_bypass_disable=off).
  # Future-proof: Even new features (e.g., bhi=flush or srbds) are automatically activated without having to know about them.
  ##############################################################################################################################
@@ -282,7 +282,7 @@ grub_parameter:
  ##############################################################################################################################
  # If mitigations=auto,nosmt is set, see before, then these flags should not be set individually because they are redundant.
-  # Enable mitigations for the MDS vulnerability through clearing buffer cache and disabling SMT.
+  # Enable mitigations for the MDS vulnerability through clearing the buffer cache and disabling SMT.
  # https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
  ##############################################################################################################################
  #- "mds=full,nosmt"
@@ -328,7 +328,7 @@ grub_parameter:
  # Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with Return Instructions) vulnerability and disable
  # SMT. If 'mitigations=auto,nosmt' is set, the kernel already activates all retbleed-relevant mitigations, provided the CPU
  # is affected; 'retbleed=auto,nosmt' explicitly overrides the internal assessment and forces full protection. If maximum
-  # hardening is required, and one does not want to rely on "auto-detection" then it is recommended to additionally set
+  # hardening is required, and one does not want to rely on "auto-detection", then it is recommended to additionally set
  # 'retbleed=auto,nosmt' otherwise, 'mitigations=auto,nosmt' is sufficient.
  # https://www.suse.com/support/kb/doc/?id=000020693
  ##############################################################################################################################
@@ -353,8 +353,8 @@ grub_parameter:
  - "rodata=on"
  ##############################################################################################################################
-  # Kernel Electric-Fence (KFENCE) is a low-overhead sampling-based memory safety error detector. KFENCE detects heap
+  # Kernel Electric-Fence (KFENCE) is a low-overhead sampling-based memory safety error detector. KFENCE detects a heap of
-  # out-of-bounds access, use-after-free, and invalid-free errors. KFENCE is designed to be enabled in production kernels, and
+  # out-of-bounds access, use-after-free, and invalid-free errors. KFENCE is designed to be enabled in production kernels and
  # has near zero performance overhead. Compared to KASAN, KFENCE trades performance for precision. The main motivation behind
  # KFENCE design is that with enough total uptime, KFENCE will detect bugs in code paths not typically exercised by
  # non-production test workloads. One way to quickly achieve a large enough total uptime is when the tool is deployed across a
@@ -431,7 +431,7 @@ grub:
                               # GRUB can configure your platform's NVRAM variables so that it boots into Debian automatically
                               # when powered on. However, you may prefer to disable this behavior and avoid changes to your
                               # boot configuration. For example, if your NVRAM variables have been set up such that your
-                               # system contacts a PXE server on every boot, this would preserve that behavior.
+                               # the system contacts a PXE server on every boot, this would preserve that behavior.
 ################################################################################################################################
 # Locale settings set language, country, locale, keyboard map and timezone
@@ -597,9 +597,8 @@ software:
  # cryptsetup
  # cryptsetup-initramfs
  ##############################################################################################################################
-  ### Installed by 4230_update_grub.sh
+  ### Installed by 4230_installation_grub.sh
  ##############################################################################################################################
  # grub2
  # grub2-common
  # grub-efi-amd64 || grub-efi-arm64 || grub-efi-ia32
  ##############################################################################################################################
@@ -772,8 +771,8 @@ user:
      description: "Root user with full system access and administrative privileges."
      sudo: false              # Whether the user can escalate to root using sudo.
      system: true             # Whether this is a low-UID system user (e.g., for automation).
-      restricted: false        # If true, user is limited in scope (e.g., no login, no file access, --no-create-home)
+      restricted: false        # If true, the user is limited in scope (e.g., no login, no file access, --no-create-home)
-      shell: true              # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.
+      shell: true              # MUST be "true" if the shell is not '/usr/sbin/nologin' or '/bin/false'.
  ##############################################################################################################################
  # Primary administrative user with full sudo access
@@ -802,8 +801,8 @@ user:
      description: "Primary admin user with full sudo access and interactive login."
      sudo: true               # Whether the user can escalate to root using sudo.
      system: false            # Whether this is a low-UID system user (e.g., for automation).
-      restricted: false        # If true, user is limited in scope (e.g., no login, no file access, --no-create-home)
+      restricted: false        # If true, the user is limited in scope (e.g., no login, no file access, --no-create-home)
-      shell: true              # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.
+      shell: true              # MUST be "true" if the shell is not '/usr/sbin/nologin' or '/bin/false'.
  ##############################################################################################################################
  # ansible – System user for automation, no interactive shell
@@ -832,7 +831,7 @@ user:
      description: "Automation user without interactive shell and no sudo."
      sudo: true               # Whether the user can escalate to root using sudo.
      system: true             # Whether this is a low-UID system user (e.g., for automation).
-      restricted: false        # If true, user is limited in scope (e.g., no login, no file access, --no-create-home)
+      restricted: false        # If true, the user is limited in scope (e.g., no login, no file access, --no-create-home)
-      shell: false             # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.
+      shell: false             # MUST be "true" if the shell is not '/usr/sbin/nologin' or '/bin/false'.
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
--- a/ciss_debian_installer.sh
+++ b/ciss_debian_installer.sh
@@ -13,12 +13,10 @@
 ### Contributions so far see ./docs/CREDITS.md
 # TODO: Implement Clang Build Chain and Secure Boot PK CISS.ROOT.CA Signing Workflow
 # TODO: Copy Grub Boot Loader to default path via manuel cp. Refactor 4230_update_grub.sh
 # TODO: Update preseed.yaml for pgp signing key OR implementation of presigned unlock-wrapper.sh
 # TODO: Implement Console Login Deactivation and 2fa as advertised in preseed.yaml Refactor 4500_installation_accounts.sh
 # TODO: Check Packages for installation. Refactor preseed.yaml, 4130_installation_toolset.sh, 4700_setup_packages.sh
 # TODO: What do we need for CISS environment?
 # TODO: Any changes to the NTPSec Servers?
 # TODO: Hardening Scripts Integration
 # TODO: SSH 2fa integration
 # TODO: Recovery Partition Integration
@@ -28,6 +26,8 @@
 # TODO: Integrate CISS.debian.installer calling arguments and preseed.yaml into CISS.debian.live.builder build chain?
 # TODO: Reboot function for Autoinstall
 # TODO: 0105_arg_nuke_converter.sh - implement HashRounds as argument
 # TODO: Implement loop_pass() for other passwords 0105_arg_nuke_converter.sh
 # TODO: Implement / Integrate IP, Port validation CDI_1200
 ### WHY BASH?
 # Ease of installation. No compiling or installing gems, CPAN modules, pip packages, etc. Simple to use and read. Clear syntax
@@ -143,11 +143,10 @@ fi
 color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: PREPARING DIRECTORIES AND FILES ..."
 gen_dir_files
 # TODO: Reactivate
 ### CHECKING REQUIRED PACKAGES.
 #color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: 0030_check_pkgs.sh ..."
 #check_pkgs
 color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: CHECKING REQUIRED PACKAGES ..."
 check_pkgs
 color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: CHECKING GIT VARIABLES ..."
 check_git
 ### ADVISORY LOCK.
@@ -177,10 +176,10 @@ trap 'trap_err  "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${B
 trap 'trap_int' INT TERM
 ### INTERACTIVE MODE NOTES AND KERNEL SELECTION.
-# TODO: Update /lib/cdi_0110_interactive/0115_check_provider.sh & sourcing
+dialog_kernel
-check_kernel
+dialog_notes
-#if ! "${VAR_AUTO_INSTALL}"; then check_provider; fi
+#if ! "${VAR_AUTO_INSTALL}"; then dialog_kernel; fi
-#if ! "${VAR_AUTO_INSTALL}"; then check_kernel; fi
+#if ! "${VAR_AUTO_INSTALL}"; then dialog_notes; fi
 ### Dialog Output for Initialization START.
 color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: CHECK DIALOG WRAPPER ..."
@@ -200,12 +199,10 @@ arg_parser "$@"
 echo "MAIN PROGRAM SEQUENCE: 0103_arg_priority_check.sh ..."
 arg_priority_check
 # TODO: Implement loop_pass() for other passwords.
 ### HASHING PASSWORDS.
 echo "MAIN PROGRAM SEQUENCE: 0105_arg_nuke_converter.sh ..."
 nuke_passphrase
 # TODO: Implement / Integrate IP, Port validation
 ### CDI_1200
 ### CDI_1250
@@ -273,10 +270,10 @@ echo "MAIN PROGRAM SEQUENCE: 4210_generate_crypttab.sh ..."
 generate_crypttab
 echo "MAIN PROGRAM SEQUENCE: 4220_installation_cryptsetup.sh ..."
 installation_cryptsetup
-echo "MAIN PROGRAM SEQUENCE: 4230_update_grub.sh ..."
+echo "MAIN PROGRAM SEQUENCE: 4230_installation_grub.sh ..."
-update_grub # TODO: Checks ongoing
+installation_grub
 echo "MAIN PROGRAM SEQUENCE: 4240_update_grub_password.sh ..."
-update_grub_password
+update_grub_password # TODO: Checks ongoing
 echo "MAIN PROGRAM SEQUENCE: 4250_update_grub_bootparameter.sh ..."
 update_grub_bootparameter
--- a/func/cdi_1250_yaml/1250_yaml_parser.sh
+++ b/func/cdi_1250_yaml/1250_yaml_parser.sh
@@ -77,17 +77,6 @@ yaml_parser() {
    s/^(.*)=([^'\''"]+)/\1='\''\2'\''/ # wrap value in single quotes
 ' "${VAR_PRESEED}"
 #  ### Delete the respective 'key:value'-variables in the global variable set.
 #  sed -i '/^grub_parameter_[0-9]\+=/d' "${VAR_PRESEED}"
 #  sed -i '/^locale_locale_[0-9]\+=/d' "${VAR_PRESEED}"
 #  sed -i '/^ntp_server_[0-9]\+=/d' "${VAR_PRESEED}"
 #  sed -i '/^software_[0-9]\+=/d' "${VAR_PRESEED}"
 #  ### Substitute all key= by key=""
 #  sed -i -E 's/^(.*)=\s*$/\1=""/' "${VAR_PRESEED}"
 #  ### Wrap each key=value by '' e.g., key='value'
 #  sed -i -E "s/^(.*)=([^'\"]+)$/\1='\2'/" "${VAR_PRESEED}"
  # shellcheck disable=SC1090
  . "${VAR_PRESEED}"
--- a/func/cdi_1250_yaml/1251_yaml_reader.sh
+++ b/func/cdi_1250_yaml/1251_yaml_reader.sh
@@ -15,15 +15,21 @@ guard_sourcing
 #######################################
 # Reading and extracting variables from "${PRESEED}".
 # Globals:
 #   BASH_REMATCH
 #   HMP_RECIPE_DEV_PARTITIONS
 #   VAR_ARCHITECTURE
 #   VAR_CODENAME
 #   VAR_NEED_RUN_IN_TARGET
 #   VAR_NUKE
 #   VAR_PRESEED
 #   VAR_RECIPE_FIRMWARE
 #   VAR_RECIPE_HIGHEST_DEVICE
 #   VAR_RECIPE_STRING
 #   VAR_RECIPE_TABLE
 #   VAR_RECOVERY
 #   architecture
 #   distribution
 #   needrun
 # Arguments:
 #   None
 # Returns:
@@ -44,11 +50,11 @@ yaml_reader() {
  ### Read "${var_if}" line by line.
  while IFS= read -r var_line; do
-    ### Check, if line matches the search pattern.
+    ### Check if the line matches the search pattern.
    if [[ "${var_line}" =~ ^recipe_([^_]+)_active=\'true\' ]]; then
      var_middle_part="${BASH_REMATCH[1]}"
-      VAR_RECIPE_STRING="${var_middle_part}"
+      VAR_RECIPE_STRING="${var_middle_part,,}"
      break
    fi
@@ -144,30 +150,30 @@ END { print max }
  ### Extract chosen firmware.
  recipe_firmware_var="recipe_${VAR_RECIPE_STRING}_control_firmware"
-  VAR_RECIPE_FIRMWARE="${!recipe_firmware_var}"
+  VAR_RECIPE_FIRMWARE="${!recipe_firmware_var,,}"
  ### Extract the chosen Nuke mechanism.
  recipe_nuke_var="recipe_${VAR_RECIPE_STRING}_control_nuke"
  # shellcheck disable=SC2034
-  VAR_NUKE="${!recipe_nuke_var}"
+  VAR_NUKE="${!recipe_nuke_var,,}"
  ### Extract chosen partition table.
  recipe_table_var="recipe_${VAR_RECIPE_STRING}_control_table"
-  VAR_RECIPE_TABLE="${!recipe_table_var}"
+  VAR_RECIPE_TABLE="${!recipe_table_var,,}"
-  if [[ "${VAR_RECIPE_TABLE,,}" == "gpt" && "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then
+  if [[ "${VAR_RECIPE_TABLE}" == "gpt" && "${VAR_RECIPE_FIRMWARE}" == "uefi" ]]; then
    do_log "info" "file_only" "1251() Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > ESP 'EF00' necessary."
-  elif [[ "${VAR_RECIPE_TABLE,,}" == "gpt" && "${VAR_RECIPE_FIRMWARE,,}" == "bios" ]]; then
+  elif [[ "${VAR_RECIPE_TABLE}" == "gpt" && "${VAR_RECIPE_FIRMWARE}" == "bios" ]]; then
    do_log "info" "file_only" "1251() Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > BIOS Boot Partition 'EF02' necessary."
-  elif [[ "${VAR_RECIPE_TABLE,,}" == "msdos" && "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then
+  elif [[ "${VAR_RECIPE_TABLE}" == "msdos" && "${VAR_RECIPE_FIRMWARE}" == "uefi" ]]; then
    do_log "warn" "file_only" "1251() Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > ESP on MBR needs partition type '0xEF'."
-  elif [[ "${VAR_RECIPE_TABLE,,}" == "msdos" && "${VAR_RECIPE_FIRMWARE,,}" == "bios" ]]; then
+  elif [[ "${VAR_RECIPE_TABLE}" == "msdos" && "${VAR_RECIPE_FIRMWARE}" == "bios" ]]; then
    do_log "info" "file_only" "1251() Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > No special firmware partition necessary."
@@ -176,7 +182,7 @@ END { print max }
  ### Extract the chosen Recovery mechanism.
  recipe_recovery_var="recipe_${VAR_RECIPE_STRING}_control_recovery"
  # shellcheck disable=SC2034
-  VAR_RECOVERY="${!recipe_recovery_var}"
+  VAR_RECOVERY="${!recipe_recovery_var,,}"
  return 0
 }
--- a/func/cdi_4100_base/4110_update_sources.sh
+++ b/func/cdi_4100_base/4110_update_sources.sh
@@ -14,8 +14,10 @@ guard_sourcing
 #######################################
 # Update generated sources.
 # Every 'apt-get install' command is invoked by adding 'export INITRD=No'
 # to suppress the 'update-initramfs'-Kernel-Hooks according to the initramfs-tools manpage:
 # https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
 # Globals:
 #   DIR_LOG
 #   TARGET
 #   apt_updates_policy
 # Arguments:
@@ -35,11 +37,11 @@ update_sources() {
  do_log "info" "file_only" "4110() Sources lists: updated successfully."
-  ### Update unattended, security or no unattended updates at all.
+  ### Update unattended, security, or no unattended updates at all.
  if [[ "${apt_updates_policy,,}" == "unattended" ]]; then
    do_in_target_script "${TARGET}" "
-      apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
+      export INITRD=No apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
      echo ExitCode: \$? >> ${var_logfile}
    "
    do_log "info" "file_only" "4110() The update policy was set at installation time to: '${apt_updates_policy}'."
@@ -47,7 +49,7 @@ update_sources() {
  elif [[ "${apt_updates_policy,,}" == "security" ]]; then
    do_in_target_script "${TARGET}" "
-      apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
+      export INITRD=No apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
      echo ExitCode: \$? >> ${var_logfile}
    "
--- a/func/cdi_4100_base/4120_installation_kernel.sh
+++ b/func/cdi_4100_base/4120_installation_kernel.sh
@@ -14,9 +14,12 @@ guard_sourcing
 #######################################
 # Installation of the specified kernel.
 # Every 'apt-get install' command is invoked by adding 'export INITRD=No'
 # to suppress the 'update-initramfs'-Kernel-Hooks according to the initramfs-tools manpage:
 # https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
 # Globals:
 #   DIR_LOG
 #   TARGET
 #   VAR_KERNEL
 #   image
 # Arguments:
 #   None
@@ -32,7 +35,7 @@ installation_kernel() {
  if [[ -n "${VAR_KERNEL}" ]]; then
    do_in_target_script "${TARGET}" '
-      apt-get install -y -o DPkg::Options::="--no-triggers" --no-install-recommends --no-install-suggests '"${VAR_KERNEL}"' initramfs-tools 2>&1 | tee -a '"${var_logfile}"'
+      export INITRD=No apt-get install -y --no-install-recommends --no-install-suggests '"${VAR_KERNEL}"' initramfs-tools 2>&1 | tee -a '"${var_logfile}"'
      echo ExitCode: $? >> '"${var_logfile}"'
    '
@@ -43,7 +46,7 @@ installation_kernel() {
  else
    do_in_target_script "${TARGET}" "
-      apt-get install -y --no-install-recommends --no-install-suggests ${image} 2>&1 | tee -a ${var_logfile}
+      export INITRD=No apt-get install -y --no-install-recommends --no-install-suggests ${image} initramfs-tools 2>&1 | tee -a ${var_logfile}
      echo ExitCode: \$? >> ${var_logfile}
    "
--- a/func/cdi_4100_base/4130_installation_toolset.sh
+++ b/func/cdi_4100_base/4130_installation_toolset.sh
@@ -14,8 +14,10 @@ guard_sourcing
 #######################################
 # Check and set up the minimum required tools for the next installation steps.
 # Every 'apt-get install' command is invoked by adding 'export INITRD=No'
 # to suppress the 'update-initramfs'-Kernel-Hooks according to the initramfs-tools manpage:
 # https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
 # Globals:
 #   DIR_LOG
 #   TARGET
 # Arguments:
 #   None
@@ -118,7 +120,7 @@ installation_toolset() {
    do_log "debug" "file_only" "4130() [ary_unique_pkgs]='${ary_unique_pkgs[*]}'."
    do_in_target_script "${TARGET}" "
-      apt-get install -y --no-install-recommends --no-install-suggests ${ary_unique_pkgs[*]} 2>&1 | tee -a ${var_logfile}
+      export INITRD=No apt-get install -y --no-install-recommends --no-install-suggests ${ary_unique_pkgs[*]} 2>&1 | tee -a ${var_logfile}
      echo ExitCode: \$? >> ${var_logfile}
    "
--- a/func/cdi_4100_base/4131_installation_systemd.sh
+++ b/func/cdi_4100_base/4131_installation_systemd.sh
@@ -14,8 +14,10 @@ guard_sourcing
 #######################################
 # Ensure systemd is in place.
 # Every 'apt-get install' command is invoked by adding 'export INITRD=No'
 # to suppress the 'update-initramfs'-Kernel-Hooks according to the initramfs-tools manpage:
 # https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
 # Globals:
 #   DIR_LOG
 #   TARGET
 # Arguments:
 #   None
@@ -32,8 +34,7 @@ installation_systemd() {
    do_log "info" "file_only" "4131() 'systemctl' NOT found, installing 'systemd' and dependencies."
    do_in_target_script "${TARGET}" "
-      apt-get update 2>&1 | tee -a ${var_logfile}
+      export INITRD=No apt-get install -y --no-install-recommends --no-install-suggests systemd systemd-sysv dbus 2>&1 | tee -a ${var_logfile}
      apt-get install -y --no-install-recommends --no-install-suggests systemd systemd-sysv dbus 2>&1 | tee -a ${var_logfile}
      echo ExitCode: \$? >> ${var_logfile}
    "
--- a/func/cdi_4100_base/4140_installation_microcode.sh
+++ b/func/cdi_4100_base/4140_installation_microcode.sh
@@ -14,6 +14,9 @@ guard_sourcing
 #######################################
 # Install microcode updates depending on architecture (amd64, arm64, intel64) and environment (Baremetal, VM).
 # Every 'apt-get install' command is invoked by adding 'export INITRD=No'
 # to suppress the 'update-initramfs'-Kernel-Hooks according to the initramfs-tools manpage:
 # https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
 # Globals:
 #   TARGET
 # Arguments:
@@ -52,14 +55,14 @@ installation_microcode() {
    if ! do_in_target_script "${TARGET}" "dpkg -s ${var_microcode_pkgs} >/dev/null 2>&1"; then
      do_in_target_script "${TARGET}" "
-        apt-get install -y --no-install-recommends --no-install-suggests ${var_microcode_pkgs} 2>&1 | tee -a ${var_logfile}
+        export INITRD=No apt-get install -y --no-install-recommends --no-install-suggests ${var_microcode_pkgs} 2>&1 | tee -a ${var_logfile}
        echo ExitCode: \$? >> ${var_logfile}
      "
    else
      do_in_target_script "${TARGET}" "
-        apt-get install -y --no-install-recommends --no-install-suggests --only-upgrade ${var_microcode_pkgs} 2>&1 | tee -a ${var_logfile}
+        export INITRD=No apt-get install -y --no-install-recommends --no-install-suggests --only-upgrade ${var_microcode_pkgs} 2>&1 | tee -a ${var_logfile}
        echo ExitCode: \$? >> ${var_logfile}
      "
--- a/func/cdi_4100_base/4150_installation_chrony.sh
+++ b/func/cdi_4100_base/4150_installation_chrony.sh
@@ -14,6 +14,9 @@ guard_sourcing
 #######################################
 # Setup chrony NTPSec client.
 # Every 'apt-get install' command is invoked by adding 'export INITRD=No'
 # to suppress the 'update-initramfs'-Kernel-Hooks according to the initramfs-tools manpage:
 # https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
 # Globals:
 #   ARY_NTPSRVR
 #   DIR_BAK
@@ -44,7 +47,7 @@ installation_chrony() {
  mkdir -p "${TARGET}/var/log/chrony"
  do_in_target_script "${TARGET}" "
-    apt-get install -y --no-install-recommends --no-install-suggests chrony 2>&1 | tee -a ${var_logfile}
+    export INITRD=No apt-get install -y --no-install-recommends --no-install-suggests chrony 2>&1 | tee -a ${var_logfile}
    echo ExitCode: \$? >> ${var_logfile}
  "
@@ -58,6 +61,9 @@ installation_chrony() {
  mv "${TARGET}/etc/chrony/chrony.conf" "${DIR_BAK}/etc/chrony/chrony.conf.bak"
  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/chrony/chrony.cnf" "${TARGET}/etc/chrony/chrony.conf"
  insert_chrony_comments "${TARGET}/etc/chrony/chrony.conf"
  cat "${var_of}" >> "${TARGET}/etc/chrony/chrony.conf"
  do_log "debug" "file_only" "4150() Executing: [do_in_target_script ${TARGET} chronyd -Q -f /etc/chrony/chrony.conf]."
@@ -72,4 +78,27 @@ installation_chrony() {
  return 0
 }
 #######################################
 # Helper to insert the Metadata field into '/etc/chrony/chrony.conf'.
 # Globals:
 #   VAR_ARCHITECTURE
 #   VAR_CODENAME
 #   VAR_VERSION
 # Arguments:
 #   1: /etc/chrony/chrony.conf
 # Returns:
 #   0: on success
 #######################################
 insert_chrony_comments() {
  declare file="${1}"
  sed -i '/^# SPDX-Security-Contact: security@coresecret\.eu$/a\
 # /etc/chrony/conf.d    : Generated by CISS.debian.installer '"${VAR_VERSION}"'\
 \
 # Architecture          : '"${VAR_ARCHITECTURE}"'\
 \
 # Distribution          : '"${VAR_CODENAME}"'
 ' "${file}"
  return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4200_boot/4220_installation_cryptsetup.sh
+++ b/func/cdi_4200_boot/4220_installation_cryptsetup.sh
@@ -14,6 +14,9 @@ guard_sourcing
 #######################################
 # Installation of 'cryptsetup' and 'cryptsetup-initramfs' after '/etc/crypttab' generation.
 # Every 'apt-get install' command is invoked by adding 'export INITRD=No'
 # to suppress the 'update-initramfs'-Kernel-Hooks according to the initramfs-tools manpage:
 # https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
 # Globals:
 #   TARGET
 # Arguments:
@@ -28,7 +31,7 @@ installation_cryptsetup() {
  touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}"
  do_in_target_script "${TARGET}" '
-    apt-get install -y -o DPkg::Options::="--no-triggers" --no-install-recommends --no-install-suggests cryptsetup cryptsetup-initramfs 2>&1 | tee -a '"${var_logfile}"'
+    export INITRD=No apt-get install -y --no-install-recommends --no-install-suggests cryptsetup cryptsetup-initramfs 2>&1 | tee -a '"${var_logfile}"'
    echo ExitCode: $? >> '"${var_logfile}"'
  '
--- a/func/cdi_4200_boot/4230_installation_grub.sh
+++ b/func/cdi_4200_boot/4230_installation_grub.sh
@@ -26,6 +26,9 @@ guard_sourcing
 #######################################
 # Installation and setup of the GRUB2 (backported) version.
 # The backported version MUST be installed for LUKS2 '/boot' encryption.
 # Every 'apt-get install' command is invoked by adding 'export INITRD=No'
 # to suppress the 'update-initramfs'-Kernel-Hooks according to the initramfs-tools manpage:
 # https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
 # Globals:
 #   TARGET
 #   VAR_ARCHITECTURE
@@ -44,7 +47,7 @@ guard_sourcing
 #   ERR_GRUB_BACKGROUND
 #   ERR_GRUB_EFI_FORCE
 #######################################
-update_grub() {
+installation_grub() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -g  var_update_grub_required="false" grub_update_nvram=${grub_update_nvram:-false}
  declare -r  var_logfile="/root/.ciss/cdi/log/4230_update_grub.log"
@@ -52,53 +55,51 @@ update_grub() {
  touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}"
-  do_log "debug" "file_only" "4230() Detected firmware: '${VAR_RECIPE_FIRMWARE}', architecture: '${VAR_ARCHITECTURE}'"
+  get_grub_modinfo_path
-  if [[ "${grub_skip,,}" != "true" ]]; then
+  ensure_lowercase "grub_skip"
  ensure_lowercase "grub_latest"
  ensure_lowercase "grub_background_enable"
  ensure_lowercase "grub_prober"
  ensure_lowercase "grub_update_nvram"
  ensure_lowercase "grub_force_efi"
  do_log "debug" "file_only" "4230() Preseeded firmware: '${VAR_RECIPE_FIRMWARE}', architecture: '${VAR_ARCHITECTURE}'"
  if [[ "${grub_skip}" != "true" ]]; then
    ### Install GRUB2 package
-    if [[ "${grub_latest,,}" == "true" ]]; then
+    if [[ "${grub_latest}" == "true" ]]; then
      ### Install the GRUB2 backported version from the Bookworm backports repository.
-      if [[ "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then
+      if [[ "${VAR_RECIPE_FIRMWARE}" == "uefi" ]]; then
-        case "${VAR_ARCHITECTURE,,}" in
+        case "${VAR_ARCHITECTURE}" in
          amd64)
            do_log "debug" "file_only" "4230() Installing GRUB package variant: grub-efi-amd64"
            do_in_target_script "${TARGET}" "
-              apt-get install -y --no-install-recommends -t bookworm-backports grub2-common grub-efi-amd64 grub-efi-amd64-bin 2>&1 | tee -a ${var_logfile}
+              export INITRD=No apt-get install -y --no-install-recommends -t bookworm-backports grub2-common grub-efi-amd64 grub-efi-amd64-bin 2>&1 | tee -a ${var_logfile}
              echo ExitCode: \$? >> ${var_logfile}
            "
            ;;
          arm64)
            do_log "debug" "file_only" "4230() Installing GRUB package variant: grub-efi-arm64"
            do_in_target_script "${TARGET}" "
-              apt-get install -y --no-install-recommends -t bookworm-backports grub2-common grub-efi-arm64 grub-efi-arm64-bin 2>&1 | tee -a ${var_logfile}
+              export INITRD=No apt-get install -y --no-install-recommends -t bookworm-backports grub2-common grub-efi-arm64 grub-efi-arm64-bin 2>&1 | tee -a ${var_logfile}
              echo ExitCode: \$? >> ${var_logfile}
            "
           ;;
          i386)
            do_log "debug" "file_only" "4230() Installing GRUB package variant: grub-efi-ia32"
            do_in_target_script "${TARGET}" "
              apt-get install -y --no-install-recommends -t bookworm-backports grub2-common grub-efi-ia32 grub-efi-ia32-bin 2>&1 | tee -a ${var_logfile}
              echo ExitCode: \$? >> ${var_logfile}
            "
            ;;
          *)
-            do_log "emergency" "file_only" "4230() Unsupported UEFI architecture: ${VAR_ARCHITECTURE}"; return "${ERR_GRUB_ARCHITECTURE}"
+            do_log "emergency" "file_only" "4230() Unsupported architecture: ${VAR_ARCHITECTURE}"; return "${ERR_GRUB_ARCHITECTURE}"
            ;;
        esac
      else
        do_log "debug" "file_only" "4230() Installing GRUB package variant: grub-pc-bin"
        do_in_target_script "${TARGET}" "
-          apt-get install -y --no-install-recommends -t bookworm-backports grub2-common grub-pc grub-pc-bin 2>&1 | tee -a ${var_logfile}
+          export INITRD=No apt-get install -y --no-install-recommends -t bookworm-backports grub2-common grub-pc grub-pc-bin 2>&1 | tee -a ${var_logfile}
          echo ExitCode: \$? >> ${var_logfile}
        "
@@ -107,18 +108,17 @@ update_grub() {
    else
      ### Install the GRUB2 stable version.
-      if [[ "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then
+      if [[ "${VAR_RECIPE_FIRMWARE}" == "uefi" ]]; then
-        case "${VAR_ARCHITECTURE,,}" in
+        case "${VAR_ARCHITECTURE}" in
-          amd64) do_in_target "${TARGET}" apt-get install -y --no-install-recommends grub2 grub2-common grub-efi-amd64 grub-efi-amd64-bin      ;;
+          amd64) do_in_target "${TARGET}" export INITRD=No apt-get install -y --no-install-recommends grub2-common grub-efi-amd64 grub-efi-amd64-bin       ;;
-          arm64) do_in_target "${TARGET}" apt-get install -y --no-install-recommends grub2 grub2-common grub-efi-arm64 grub-efi-arm64-bin      ;;
+          arm64) do_in_target "${TARGET}" export INITRD=No apt-get install -y --no-install-recommends grub2-common grub-efi-arm64 grub-efi-arm64-bin       ;;
-          i386)  do_in_target "${TARGET}" apt-get install -y --no-install-recommends grub2 grub2-common grub-efi-ia32  grub-efi-ia32-bin       ;;
+          *)     do_log "emergency" "file_only" "4230() Unsupported architecture: ${VAR_ARCHITECTURE}"; return "${ERR_GRUB_ARCHITECTURE}" ;;
          *)     do_log "emergency" "file_only" "4230() Unsupported UEFI architecture: ${VAR_ARCHITECTURE}"; return "${ERR_GRUB_ARCHITECTURE}" ;;
        esac
      else
-        do_in_target "${TARGET}" apt-get install -y --no-install-recommends grub2 grub2-common grub-pc grub-pc-bin
+        do_in_target "${TARGET}" export INITRD=No apt-get install -y --no-install-recommends grub2 grub2-common grub-pc grub-pc-bin
      fi
@@ -135,7 +135,7 @@ EOF
    var_update_grub_required="true"
    ### Install a boot menu background.
-    if [[ "${grub_background_enable,,}" == "true" ]]; then
+    if [[ "${grub_background_enable}" == "true" ]]; then
      var_background=$(basename "${grub_background_path}")
      install -m 0640 -o root -g root "${VAR_SETUP_PATH}${grub_background_path}" "${TARGET}/etc/default/grub.d/${var_background}"
@@ -157,9 +157,9 @@ EOF
    fi
    ### Change the GRUB OS detection configuration accordingly.
-    if [[ "${grub_prober,,}" == "true" ]]; then
+    if [[ "${grub_prober}" == "true" ]]; then
-      do_in_target "${TARGET}" apt-get install -y --no-install-recommends os-prober
+      do_in_target "${TARGET}" export INITRD=No apt-get install -y --no-install-recommends os-prober
      cat << EOF >> "${TARGET}/etc/default/grub"
 # If your computer has multiple operating systems installed, then you
@@ -173,7 +173,7 @@ EOF
      var_update_grub_required="true"
-    elif [[ "${grub_prober,,}" == "false" ]]; then
+    elif [[ "${grub_prober}" == "false" ]]; then
      cat << EOF >> "${TARGET}/etc/default/grub"
 # If your computer has multiple operating systems installed, then you
@@ -192,15 +192,16 @@ EOF
  else
    do_log "info" "file_only" "4230() GRUB2 setup skipped."
    return 0
  fi
  ### Install grub on the specific device.
-  if [[ "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then
+  if [[ "${VAR_RECIPE_FIRMWARE}" == "uefi" ]]; then
    install_grub_uefi
-  elif [[ "${VAR_RECIPE_FIRMWARE,,}" == "bios" ]]; then
+  elif [[ "${VAR_RECIPE_FIRMWARE}" == "bios" ]]; then
    install_grub_bios
@@ -222,6 +223,7 @@ EOF
 # Installs GRUB to BIOS in BIOS mode.
 # Globals:
 #   TARGET
 #   VAR_MODINFO_PATH
 #   grub_bootdev
 #   var_update_grub_required
 # Arguments:
@@ -235,6 +237,11 @@ install_grub_bios() {
  declare -a ary_bios_arg=()
  declare    var_bios_mod=""
  if ! [[ -x "${TARGET}${VAR_MODINFO_PATH}" ]]; then
    do_log "emergency" "file_only" "4230() Missing: [${VAR_MODINFO_PATH}]."
    return "${ERR_GRUB_INSTALL}"
  fi
  ### Cryptographic modules.
  var_bios_mod+="cryptodisk gcry_rijndael gcry_sha256 gcry_sha512 gcry_whirlpool gcry_serpent gcry_twofish luks luks2 "
  ### Filesystem modules.
@@ -248,7 +255,7 @@ install_grub_bios() {
  ary_bios_arg+=( --target=i386-pc --boot-directory=/boot "--modules=${var_bios_mod}" )
-  do_in_target "${TARGET}" grub-install "${ary_bios_arg[@]}" "${grub_bootdev}"  || return "${ERR_GRUB_INSTALL}"
+  do_in_target "${TARGET}" export INITRD=No grub-install "${ary_bios_arg[@]}" "${grub_bootdev}"  || return "${ERR_GRUB_INSTALL}"
  do_log "info" "file_only" "4230() Installed: GRUB on Device: '${grub_bootdev}' [BIOS]."
  var_update_grub_required="true"
@@ -259,6 +266,7 @@ install_grub_bios() {
 # Installs GRUB to ESP in UEFI mode.
 # Globals:
 #   TARGET
 #   VAR_MODINFO_PATH
 #   grub_bootdev
 #   grub_force_efi
 #   grub_update_nvram
@@ -272,16 +280,10 @@ install_grub_bios() {
 install_grub_uefi() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -a ary_uefi_arg=()
-  declare    var_uefi_mod="" var_modinfo_path=""
+  declare    var_uefi_mod=""
-  case "${VAR_ARCHITECTURE,,}" in
+  if ! [[ -x "${TARGET}${VAR_MODINFO_PATH}" ]]; then
-    amd64) var_modinfo_path="/usr/lib/grub/x86_64-efi/modinfo.sh" ;;
+    do_log "emergency" "file_only" "4230() Missing: [${VAR_MODINFO_PATH}]."
    arm64) var_modinfo_path="/usr/lib/grub/arm64-efi/modinfo.sh"  ;;
    i386)  var_modinfo_path="/usr/lib/grub/i386-efi/modinfo.sh"   ;;
  esac
  if ! [[ -x "${TARGET}${var_modinfo_path}" ]]; then
    do_log "emergency" "file_only" "4230() Missing: [${var_modinfo_path}]."
    return "${ERR_GRUB_INSTALL}"
  fi
@@ -298,13 +300,13 @@ install_grub_uefi() {
  ary_uefi_arg+=( --target=x86_64-efi --boot-directory=/boot --efi-directory=/boot/efi --bootloader-id=debian "--modules=${var_uefi_mod}" )
-  [[ "${grub_update_nvram,,}" == "false" ]] && ary_uefi_arg+=( --no-nvram )
+  [[ "${grub_update_nvram}" == "false" ]] && ary_uefi_arg+=( --no-nvram )
-  do_in_target "${TARGET}" grub-install "${ary_uefi_arg[@]}" "${grub_bootdev}" || return "${ERR_GRUB_INSTALL}"
+  do_in_target "${TARGET}" export INITRD=No grub-install "${ary_uefi_arg[@]}" "${grub_bootdev}" || return "${ERR_GRUB_INSTALL}"
  do_log "info" "file_only" "4230() Installed: GRUB on Device: '${grub_bootdev}' [UEFI]."
  var_update_grub_required="true"
-  if [[ "${grub_force_efi,,}" == "true" ]]; then
+  if [[ "${grub_force_efi}" == "true" ]]; then
    mkdir -p "${TARGET}/boot/efi/EFI/BOOT"
    cp "${TARGET}/boot/efi/EFI/debian/grubx64.efi" "${TARGET}/boot/efi/EFI/BOOT/BOOTX64.EFI"
@@ -314,4 +316,43 @@ install_grub_uefi() {
  return 0
 }
 #######################################
 # Get the path of the required Grub modules.
 # Globals:
 #   VAR_ARCHITECTURE
 #   VAR_MODINFO_PATH
 #   VAR_RECIPE_FIRMWARE
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 get_grub_modinfo_path() {
  ### Declare Arrays, HashMaps, and Variables.
  delcare -gx VAR_MODINFO_PATH=""
  case "${VAR_RECIPE_FIRMWARE}" in
    uefi)
      case "${VAR_ARCHITECTURE}" in
        amd64) VAR_MODINFO_PATH="/usr/lib/grub/x86_64-efi/modinfo.sh" ;;
        arm64) VAR_MODINFO_PATH="/usr/lib/grub/arm64-efi/modinfo.sh"  ;;
        i386)  VAR_MODINFO_PATH="/usr/lib/grub/i386-efi/modinfo.sh"   ;;
        *)     ;;
      esac
      ;;
    bios)
      VAR_MODINFO_PATH="/usr/lib/grub/i386-pc/modinfo.sh"
      ;;
  esac
  return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4200_boot/4240_update_grub_password.sh
+++ b/func/cdi_4200_boot/4240_update_grub_password.sh
@@ -16,9 +16,7 @@ guard_sourcing
 # Append the GRUB superuser block to '/etc/grub.d/40_custom'.
 # Globals:
 #   DIR_CNF
 #   ERR_READ_GRUB_FILE
 #   TARGET
 #   VAR_DEBUG_TRACE
 # Arguments:
 #   None
 # Returns:
@@ -29,13 +27,14 @@ update_grub_password() {
  declare var_username="superadmin" var_password="" var_password_file="${DIR_CNF}/password_grub.txt" \
    var_of="${TARGET}/etc/grub.d/40_custom" var_grub_entry=""
  # TODO: Reactivate XTRACE Password Truncation
  ### No tracing for security reasons
-  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
  if [[ ! -f "${var_password_file}" ]] || ! IFS= read -r var_password < "${var_password_file}"; then
    return "${ERR_READ_GRUB_FILE}"
  fi
  ### Turn on tracing again
-  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
+  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
  var_grub_entry=$(generate_grub_password_pbkdf2 "${var_username}" "${var_password}")
--- a/lib/cdi_0005_guard/0008_guard_variable.sh
+++ b/lib/cdi_0005_guard/0008_guard_variable.sh
@@ -13,14 +13,120 @@
 guard_sourcing
 #######################################
-# Ensures the value of the provided VAR is always lowercase.
+# Converts the value of a passed variable to lowercase.
-# Use: ensure_lowercase VAR
+# Example:
 #   ensure_lowercase "VAR"
 # Arguments:
 #   1: VARIABLE name only
 # Returns:
 #   0: on success
 #   ERR_UNBOUND_VARIABLE
 #######################################
 ensure_lowercase() {
-  declare -r name="${1}"
+  declare -r name="$1"
  if ! declare -p "${name}" &>/dev/null; then
    do_log "emergency" "file_only" "0008() Unbound variable: [${name}]."
    return "${ERR_UNBOUND_VARIABLE}"
  fi
  declare -n ref="${name}"
  ref="${ref,,}"
  return 0
 }
 #######################################
 # Converts the value of a passed variable to uppercase.
 # Example:
 #   ensure_uppercase "VAR"
 # Arguments:
 #   1: VARIABLE name only
 # Returns:
 #   0: on success
 #   ERR_UNBOUND_VARIABLE
 #######################################
 ensure_uppercase() {
  declare -r name="$1"
  if ! declare -p "${name}" &>/dev/null; then
    do_log "emergency" "file_only" "0008() Unbound variable: [${name}]."
    return "${ERR_UNBOUND_VARIABLE}"
  fi
  declare -n ref="${name}"
  ref="${ref^^}"
  return 0
 }
 #######################################
 # Removes leading and trailing spaces in the value.
 # Example:
 #   ensure_trimmed "VAR"
 # Arguments:
 #   1: VARIABLE name only
 # Returns:
 #   0: on success
 #   ERR_UNBOUND_VARIABLE
 #######################################
 ensure_trimmed() {
  declare -r name="$1"
  if ! declare -p "${name}" &>/dev/null; then
    do_log "emergency" "file_only" "0008() Unbound variable: [${name}]."
    return "${ERR_UNBOUND_VARIABLE}"
  fi
  declare -n ref="${name}"
  ref="${ref#"${ref%%[![:space:]]*}"}"
  ref="${ref%"${ref##*[![:space:]]}"}"
  return 0
 }
 #######################################
 # Resets the value of the variable to a default value if it is empty or contains only whitespace.
 # Example:
 #   reset_to_default "VAR" "fallback"
 # Arguments:
 #   1: VARIABLE name only
 #   2: Fallback value
 # Returns:
 #   0: on success
 #   ERR_UNBOUND_VARIABLE
 #######################################
 reset_to_default() {
  declare -r name="$1"
  declare -r fallback="$2"
  if ! declare -p "${name}" &>/dev/null; then
    do_log "emergency" "file_only" "0008() Unbound variable: [${name}]."
    return "${ERR_UNBOUND_VARIABLE}"
  fi
  declare -n ref="${name}"
  declare    trimmed="${ref#"${ref%%[![:space:]]*}"}"
  trimmed="${trimmed%"${trimmed##*[![:space:]]}"}"
  if [[ -z "${trimmed}" ]]; then
    ref="${fallback}"
  fi
  return 0
 }
 #######################################
 # Checks whether the content of a variable matches a specific regex.
 # Example:
 #   assert_match "FOO" '^[a-z0-9_-]+$'
 # Arguments:
 #   1: VARIABLE name only
 #   2: Regex in 'single quotes'
 # Returns:
 #   0: on success
 #   ERR_UNBOUND_VARIABLE
 #   ERR_VAR_REGEX_CHK
 #######################################
 assert_match() {
  declare -r name="$1"
  declare -r pattern="$2"
  if ! declare -p "${name}" &>/dev/null; then
    do_log "emergency" "file_only" "0008() Unbound variable: [${name}]."
    return "${ERR_UNBOUND_VARIABLE}"
  fi
  declare -n ref="${name}"
  if ! [[ "${ref}" =~ ${pattern} ]]; then
    do_log "emergency" "file_only" "0008() Variable: [${name}] not matching Regex: [${pattern}]: [${ref}]."
    return "${ERR_VAR_REGEX_CHK}"
  fi
  return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/cdi_0060_traps/0060_trap_err.sh
+++ b/lib/cdi_0060_traps/0060_trap_err.sh
@@ -228,6 +228,7 @@ trap_err() {
  case "${VAR_IN_DIALOG_WR}" in
    box   ) dialog_box_cleaner   ;;
    gauge ) dialog_gauge_cleaner ;;
    text )  dialog_text_cleaner  ;;
  esac
  calculate_runtime
--- a/lib/cdi_0060_traps/0070_trap_exit.sh
+++ b/lib/cdi_0060_traps/0070_trap_exit.sh
@@ -152,6 +152,7 @@ trap_exit_non_zero() {
    case "${VAR_IN_DIALOG_WR}" in
      box   ) dialog_box_cleaner   ;;
      gauge ) dialog_gauge_cleaner ;;
      text )  dialog_text_cleaner  ;;
    esac
    calculate_runtime
--- a/lib/cdi_0060_traps/0080_trap_int.sh
+++ b/lib/cdi_0060_traps/0080_trap_int.sh
@@ -24,8 +24,9 @@ restart_dialog() {
  trap 'trap_int' INT TERM
  trap 'trap_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
  case "$1" in
-    box   ) dialog_box   ;;
+    box   ) dialog_box    ;;
-    gauge ) dialog_gauge ;;
+    gauge ) dialog_gauge  ;;
    text  ) dialog_kernel ;;
    *     ) ;;
  esac
 }
@@ -48,6 +49,7 @@ trap_int() {
  case "${VAR_IN_DIALOG_WR}" in
    box   ) dialog_box_cleaner;   declare var_helper_dialog="box"   ;;
    gauge ) dialog_gauge_cleaner; declare var_helper_dialog="gauge" ;;
    text )  dialog_text_cleaner;  declare var_helper_dialog="text"  ;;
    *     ) declare var_helper_dialog="false" ;;
  esac
@@ -62,6 +64,9 @@ trap_int() {
    elif [[ "${var_helper_dialog}" == "gauge" ]]; then
      restart_dialog "${var_helper_dialog}"
      return 0
    elif [[ "${var_helper_dialog}" == "text" ]]; then
      restart_dialog "${var_helper_dialog}"
      return 0
    else
      restart_dialog "${var_helper_dialog}"
      return 0
--- a/lib/cdi_0100_arg/0102_arg_parser.sh
+++ b/lib/cdi_0100_arg/0102_arg_parser.sh
@@ -68,6 +68,7 @@ arg_parser() {
        --renice-priority)
          if [[ -n ${2-} && ${2} =~ ^-?[0-9]+$ && ${2} -ge -19 && ${2} -le 19 ]]; then
            # shellcheck disable=SC2034
            VAR_PRIORITY="${2}"
            shift 2
          else
@@ -80,6 +81,7 @@ arg_parser() {
            arg_mismatch "--reionice-priority no values provided."
          else
            if [[ "${2}" =~ ^[1-3]$ ]]; then
              # shellcheck disable=SC2034
              VAR_REIONICE_CLASS="${2}"
              if [[ -z "${3-}" ]]; then
                :
--- a/lib/cdi_0110_interactive/0110_dialog_kernel.sh
+++ b/lib/cdi_0110_interactive/0110_dialog_kernel.sh
@@ -15,16 +15,19 @@ guard_sourcing
 #######################################
 # Kernel Image Selector.
 # Globals:
 #   VAR_DIALOG
 #   VAR_KERNEL
 #   VAR_KERNEL_SRT
 #   VAR_KERNEL_TMP
 #   VAR_NOTES
 #   VAR_VERSION
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #   42: On sorting Error.
 #######################################
-check_kernel() {
+dialog_kernel() {
  declare -i counter=1 rc=0
  declare    first_string="" line="" name="" options="" var_cpu_vendor="" var_system_architecture=""
@@ -33,33 +36,34 @@ check_kernel() {
  var_system_architecture="$(dpkg --print-architecture)"
  cat << EOF >| "${VAR_NOTES}"
 CISS.debian.installer
 Build: ${VAR_VERSION}
-Press 'EXIT' to go back to the menu [Select the Kernel for the CISS.debian.installer].
+Press 'EXIT' to return to the menu: "Select the Kernel for the target system".
-Kernel available
+Kernel available :
 This section lists available Debian kernel variants. Each type addresses specific requirements such as
-hardware support, virtualization, real-time processing, or Secure Boot compatibility.
+hardware support, virtualization, real-time processing, or Secure-Boot compatibility.
-*+bpo*       : Debian Backported Kernel
+*+bpo*           : Debian Backported Kernel
 Backported kernels from Debian testing or unstable, offering newer features, improved hardware
-support, and updated drivers—especially useful on modern systems or special-purpose hardware.
+support, and updated drivers, especially useful on modern systems or special-purpose hardware.
-*cloud*      : Special lightweight images for KVM
+*cloud*          : Special lightweight images for KVM
 Cloud-optimized kernels tailored for virtualized environments (e.g., KVM, OpenStack). These images
 are minimal, fast-booting, and reduce unnecessary modules and firmware to save memory and time.
-*unsigned*   : Unsigned Kernel
+*unsigned*       : Unsigned Kernel
 Kernel images without Microsoft Secure Boot signatures. These require custom Secure Boot key
 management (e.g., using your own PK/KEK/DB or MOK with shim) and will not boot on locked-down systems.
-*preempt_rt* : Special Kernel for real-time-computing
+*preempt_rt*     : Special Kernel for real-time-computing
 Real-time variant with full preemption enabled. Designed for workloads needing deterministic latency
 such as robotics, industrial control, scientific instrumentation, or low-latency audio processing.
-Note:
+Note             :
-All kernel packages **not** marked as *unsigned* are **Microsoft-signed** and should work out of the
+All kernel packages NOT marked as *unsigned* are **Microsoft-signed** and should work out of the
-box with Secure Boot enabled, assuming the UEFI firmware trusts Microsoft’s root keys.
+box with Secure-Boot enabled, assuming the UEFI firmware trusts Microsofts root keys.
 EOF
  case "${var_system_architecture}" in
@@ -75,13 +79,13 @@ EOF
      ;;
    *)
-      do_log "info" "file_only" "4140() Unknown Architecture: '${var_system_architecture}' and / or unsupported CPU vendor: '${var_cpu_vendor}', skipping."
+      do_log "info" "file_only" "0110() Unknown Architecture: '${var_system_architecture}' and / or unsupported CPU vendor: '${var_cpu_vendor}', skipping."
      ;;
  esac
  sort --output="${VAR_KERNEL_SRT}" "${VAR_KERNEL_TMP}" || {
-    printf "❌ Error 0110_check_kernel.sh Line 52 sort failed\n" >&2
+    printf "❌ Error 0110_check_kernel.sh Line 84 sort failed\n" >&2
    # shellcheck disable=SC2162
    read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
    return 42
@@ -95,15 +99,18 @@ EOF
  done < "${VAR_KERNEL_SRT}"
  while true; do
-  # shellcheck disable=SC2034
+
    declare -gx VAR_IN_DIALOG_WR="text"
    # shellcheck disable=SC2034
    if VAR_KERNEL=$(dialog \
      --no-collapse \
      --ascii-lines \
      --clear \
      --help-button --help-label "Info" \
      --backtitle "CISS.debian.installer" \
-      --title "Select the Kernel for the CISS.debian.installer" \
+      --title "Select the Kernel for the target system." \
-      --radiolist "Kernel available \n *+bpo*       : Debian Backported Kernel \n *cloud*      : Special lightweight images for KVM \n *unsigned*   : Unsigned Kernel \n *preempt_rt* : Special Kernel for real-time-computing \n Not unsigned marked are MS signed Kernel for Secure Boot \n" 0 0 "${options[@]}" 3>&1 1>&2 2>&3 3>&-)
+      --radiolist "Kernel available: \n" 0 0 "${options[@]}" 3>&1 1>&2 2>&3 3>&-)
    then
@@ -129,7 +136,7 @@ EOF
          --ascii-lines \
          --clear \
          --backtitle "CISS.debian.installer" \
-          --title "Select the Kernel for the CISS.debian.installer" \
+          --title "Select the Kernel for the target system." \
          --scrollbar \
          --textbox "${VAR_NOTES}" 32 128
        clear
@@ -140,8 +147,10 @@ EOF
    fi
  done
  declare -gx VAR_IN_DIALOG_WR="false"
  # shellcheck disable=SC2312
-  cat "${VAR_DIALOG}" | tail -n 30
+  cat "${VAR_DIALOG}" | tail -n 64
  return 0
 }
--- a/lib/cdi_0110_interactive/0115_check_provider.sh
+++ b/lib/cdi_0110_interactive/0115_check_provider.sh
@@ -1,69 +0,0 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 # TODO: Update this module
 guard_sourcing
 #######################################
 # Notes Textbox
 # Arguments:
 #  None
 #######################################
 check_provider() {
  clear
  cat << 'EOF' >| "${VAR_NOTES}"
 Build: Master V8.00.000.2025.06.17
 Press 'EXIT' to continue with CISS.debian.installer.
 When you provision ISO images using the Netcup provider, you MUST always supply a globally unique identifier
 for each image via the --control argument. If you omit this flag or reuse an existing identifier, Netcup's
 backend will automatically locate and mount the oldest ISO carrying that same name. In practice, this means
 you might believe you're booting a freshly uploaded image, but in fact, the system silently reattaches an
 earlier one-leading to confusing failures and wasted troubleshooting time.
 A separate but related issue emerges when booting certain Debian "cloud" kernel images-specifically those
 matching the patterns *.+bpo-cloud-amd64 or *.+bpo-cloud-arm64-on a Netcup G11 instance or on a Hetzner VM.
 After the initramfs is loaded, the console output often becomes garbled or completely unreadable. This is not
 due to a kernel panic, but rather to a mismatch between the framebuffer mode expected by the initramfs and the
 one actually provided by the virtual hardware. Common workarounds, like editing the boot entry (e) and appending
 - 'nomodeset', or
 - 'vga=0x318',
 do not resolve the issue because they address legacy VGA modes rather than the EFI framebuffer parameters used
 in modern cloud images.
 To mitigate this, you can:
 - Use a plain Debian kernel (e.g., linux-image-amd64) instead of the bpo-cloud variants, which are optimized
  for cloud-init but presume a different console setup.
 - Explicitly set an EFI-compatible framebuffer by adding something like 'video=efifb:mode=auto' to the kernel
  command line. This aligns the initramfs console driver with the actual firmware framebuffer.
 - Build a custom initramfs that includes the correct video modules or switches back to a serial console. For
  example, adding 'console=ttyS0,115200' can force all early messages to the serial port bypassing the
  graphical framebuffer entirely.
 EOF
  dialog --no-collapse \
         --ascii-lines \
         --clear \
         --backtitle "CISS.debian.installer" \
         --title "Important Notes" \
         --scrollbar \
         --textbox "${VAR_NOTES}" 32 128
  clear
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/cdi_0110_interactive/0115_dialog_notes.sh
+++ b/lib/cdi_0110_interactive/0115_dialog_notes.sh
@@ -0,0 +1,81 @@
 #!/bin/bash
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 guard_sourcing
 #######################################
 # Notes Textbox.
 # Arguments:
 #   None
 #######################################
 dialog_notes() {
  clear
  cat << EOF >| "${VAR_NOTES}"
 CISS.debian.installer
 Build: ${VAR_VERSION}
 Press 'EXIT' to return to the CISS.debian.installer.
 CISS.debian.installer [CDI] - Hardened & Deterministic Debian Installation Framework
 The CISS.debian.installer is a custom, security-focused installation framework built from scratch,
 with profound modifications aimed at deterministic behaviour, cryptographic integrity, and minimal
 attack surface throughout the entire installation process.
 Unlike the stock Debian Installer, which prioritizes broad compatibility and modularity, CDI places
 emphasis on strict reproducibility, fine-grained control, and maximal hardening even during early
 bootstrapping. Every installation is driven by a pre-seeded, YAML-based configuration model,
 eliminating interactive ambiguity and reducing the risk of misconfiguration.
 Key features include:
 - Full-Disk Encryption (FDE) by default, including encrypted [/boot], using LUKS2 with Argon2id KDF,
  optional two-factor unlocking, and dm-integrity support.
 - Dropbear SSH integration in the initramfs, enabling remote unlocking of encrypted volumes over a
  secured channel with full key-based authentication and hardened SSHD configuration.
 - Secure Boot integration using user-managed Platform Keys (PK/KEK/DB) and signed GRUB/kernel
  binaries without relying on Microsofts root certificates.
 - Modular architecture with trap-based error handling, differential runtime tracing, and strict Bash
  safety flags [set -Ceuo pipefail] enforced across all sourced modules.
 - Btrfs-native RAID1/RAID6 layout support with post-install volume extensions, snapshot orchestration,
  and separate ephemeral volumes for [/tmp] and [SWAP].
 All components are validated using static analysis and runtime verification. A deterministic runtime
 model ensures that the system state post-install is both reproducible and audit-ready.
 CDI avoids [LVM] to reduce architectural complexity, instead relying on dm-crypt, GPT partitioning,
 and direct volume mapping. Secure Boot compliant GRUB installation, including fallback paths under
 default [/EFI/BOOT/].
 With a rigorous security baseline, hardened defaults, and strict validation checkpoints, the new
 CISS.debian.installer is designed for high-assurance environments, air-gapped deployments, and
 scenarios where control, auditability, and long-term reproducibility are paramount.
 EOF
  declare -gx VAR_IN_DIALOG_WR="text"
  dialog --no-collapse \
         --ascii-lines \
         --clear \
         --backtitle "CISS.debian.installer" \
         --title "Important Notes" \
         --scrollbar \
         --textbox "${VAR_NOTES}" 32 128
  clear
  declare -gx VAR_IN_DIALOG_WR="false"
  # shellcheck disable=SC2312
  cat "${VAR_DIALOG}" | tail -n 64
  return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/cdi_0200_dialog/0200_dialog_helper.sh
+++ b/lib/cdi_0200_dialog/0200_dialog_helper.sh
@@ -15,7 +15,7 @@ guard_sourcing
 #######################################
 # Terminal cleaner for Dialog Wrappers.
 # Arguments:
-#  None
+#   None
 #######################################
 clean_screen() {
  tput cnorm > /dev/tty # Cursor visible
@@ -35,7 +35,7 @@ clean_screen() {
 #   PIPE_DIALOG_GAUGE
 #   VAR_IN_DIALOG_WR
 # Arguments:
-#  None
+#   None
 #######################################
 dialog_gauge() {
  clear
@@ -66,7 +66,7 @@ dialog_gauge() {
 #   ROWS_USE
 #   VAR_IN_DIALOG_WR
 # Arguments:
-#  None
+#   None
 #######################################
 dialog_box() {
  ### Save original stdout
@@ -108,10 +108,12 @@ dialog_box() {
 #######################################
 # Dialog Program Box Cleaner.
 # Globals:
 #   FD_SAVE_OUT
 #   PID_DIALOG_BOX
 #   PIPE_DIALOG_BOX
 #   VAR_IN_DIALOG_WR
 # Arguments:
-#  None
+#   None
 #######################################
 dialog_box_cleaner() {
  [[ -n "${FD_SAVE_OUT-}" ]] && exec 1>&"${FD_SAVE_OUT}" 2>&"${FD_SAVE_OUT}"
@@ -131,10 +133,12 @@ dialog_box_cleaner() {
 #######################################
 # Dialog Gauge Bar Cleaner.
 # Globals:
 #   FD_GAUGE
 #   PID_DIALOG_GAUGE
 #   PIPE_DIALOG_GAUGE
 #   VAR_IN_DIALOG_WR
 # Arguments:
-#  None
+#   None
 #######################################
 dialog_gauge_cleaner() {
  if [[ -n "${FD_GAUGE-}" ]]; then
@@ -150,4 +154,17 @@ dialog_gauge_cleaner() {
  clean_screen
  sleep 1
 }
 #######################################
 # Dialog Gauge Bar Cleaner.
 # Globals:
 #   VAR_IN_DIALOG_WR
 # Arguments:
 #   None
 #######################################
 dialog_text_cleaner() {
  declare -gx VAR_IN_DIALOG_WR="false"
  clean_screen
  sleep 1
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/meta_loader_func.sh
+++ b/meta_loader_func.sh
@@ -62,7 +62,7 @@ source_guard "./func/cdi_4100_base/4150_installation_chrony.sh"
 source_guard "./func/cdi_4200_boot/4200_generate_fstab.sh"
 source_guard "./func/cdi_4200_boot/4210_generate_crypttab.sh"
 source_guard "./func/cdi_4200_boot/4220_installation_cryptsetup.sh"
-source_guard "./func/cdi_4200_boot/4230_update_grub.sh"
+source_guard "./func/cdi_4200_boot/4230_installation_grub.sh"
 source_guard "./func/cdi_4200_boot/4240_update_grub_password.sh"
 source_guard "./func/cdi_4200_boot/4250_update_grub_bootparameter.sh"
--- a/meta_loader_lib.sh
+++ b/meta_loader_lib.sh
@@ -42,8 +42,8 @@ source_guard "./lib/cdi_0100_arg/0103_arg_priority_check.sh"
 source_guard "./lib/cdi_0100_arg/0104_arg_passphrase_modules.sh"
 source_guard "./lib/cdi_0100_arg/0105_arg_nuke_converter.sh"
-source_guard "./lib/cdi_0110_interactive/0110_check_kernel.sh"
+source_guard "./lib/cdi_0110_interactive/0110_dialog_kernel.sh"
-#source_guard "./lib/cdi_0110_interactive/0115_check_provider.sh"
+source_guard "./lib/cdi_0110_interactive/0115_dialog_notes.sh"
 source_guard "./lib/cdi_0200_dialog/0200_dialog_helper.sh"
--- a/var/errors.var.sh
+++ b/var/errors.var.sh
@@ -51,6 +51,7 @@ declare -girx ERR_READ_NUKE_FILE=222    # Error reading the Luks Nuke password f
 declare -girx ERR_READ_GRUB_FILE=221    # Error reading the Grub password file.
 declare -girx ERR_READ_PASS_FILE=220    # Error reading the password file.
 declare -girx ERR_GENERATE_SALT=219     # Error generating salt.
 declare -girx ERR_VAR_REGEX_CHK=218     # Error checking VAR against REGEX.
 ### Definition of error trap vars.
 declare -gx ERRCODE=""                  # = $?                   = $1 = ERRCODE