V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
2025-08-06 19:23:16 +02:00
parent b7a8e7174b
commit 03c63b8b87
25 changed files with 449 additions and 221 deletions


@@ -23,13 +23,13 @@ installer:
# APT settings
################################################################################################################################
apt:
contrib: true # Optionally install contrib software.
contrib: true # Optionally, install contrib software.
deb_sources: true # Optionally includes deb-src entries for source repositories.
default_list: true # By default, source repositories are listed in '/etc/apt/sources.list'. This MUST be "true".
full_upgrade: true # Whether to upgrade packages after debootstrap.
install_recommends: true # Configure APT to not install recommended packages by default.
non_free: true # Optionally install non-free software.
non_free_firmware: true # Optionally install non-free firmware. MUST be "true" for microcode updates.
non_free: true # Optionally, install non-free software.
non_free_firmware: true # Optionally, install non-free firmware. MUST be "true" for microcode updates.
sec: "security.debian.org" # Debian Security Updates Archive.
##############################################################################################################################
@@ -77,7 +77,7 @@ apt:
################################################################################################################################
# Basic settings
################################################################################################################################
architecture: "amd64" # MUST be one of "amd64", "intel64" or "arm64".
architecture: "amd64" # MUST be one of "amd64" or "arm64".
debootstrap: # Provide a mirror for downloading the Debian packages for debootstrap.
# Specify the packages to be included in the debootstrapping process. Include a comma-separated
# list of official Debian packages.
@@ -249,7 +249,7 @@ grub_parameter:
# attacks (SMoTHER, MDS, L1TF, TAA, Snoop-assisted).
# Why is 'mitigations=auto,nosmt' better than setting everything manually?
# Automatically adjusted: Depending on CPU family, stepping, microcode.
# Consistency guaranteed: No contradictions between flags possible
# Consistency guaranteed: No contradictions between flags are possible
# (e.g., spec_store_bypass_disable=on vs. nospec_store_bypass_disable=off).
# Future-proof: Even new features (e.g., bhi=flush or srbds) are automatically activated without having to know about them.
##############################################################################################################################
@@ -282,7 +282,7 @@ grub_parameter:
##############################################################################################################################
# If mitigations=auto,nosmt is set, see before, then these flags should not be set individually because they are redundant.
# Enable mitigations for the MDS vulnerability through clearing buffer cache and disabling SMT.
# Enable mitigations for the MDS vulnerability through clearing the buffer cache and disabling SMT.
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
##############################################################################################################################
#- "mds=full,nosmt"
@@ -328,7 +328,7 @@ grub_parameter:
# Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with Return Instructions) vulnerability and disable
# SMT. If 'mitigations=auto,nosmt' is set, the kernel already activates all retbleed-relevant mitigations, provided the CPU
# is affected; 'retbleed=auto,nosmt' explicitly overrides the internal assessment and forces full protection. If maximum
# hardening is required, and one does not want to rely on "auto-detection" then it is recommended to additionally set
# hardening is required, and one does not want to rely on "auto-detection", then it is recommended to additionally set
# 'retbleed=auto,nosmt' otherwise, 'mitigations=auto,nosmt' is sufficient.
# https://www.suse.com/support/kb/doc/?id=000020693
##############################################################################################################################
@@ -353,8 +353,8 @@ grub_parameter:
- "rodata=on"
##############################################################################################################################
# Kernel Electric-Fence (KFENCE) is a low-overhead sampling-based memory safety error detector. KFENCE detects heap
# out-of-bounds access, use-after-free, and invalid-free errors. KFENCE is designed to be enabled in production kernels, and
# Kernel Electric-Fence (KFENCE) is a low-overhead sampling-based memory safety error detector. KFENCE detects a heap of
# out-of-bounds access, use-after-free, and invalid-free errors. KFENCE is designed to be enabled in production kernels and
# has near zero performance overhead. Compared to KASAN, KFENCE trades performance for precision. The main motivation behind
# KFENCE design is that with enough total uptime, KFENCE will detect bugs in code paths not typically exercised by
# non-production test workloads. One way to quickly achieve a large enough total uptime is when the tool is deployed across a
@@ -431,7 +431,7 @@ grub:
# GRUB can configure your platform's NVRAM variables so that it boots into Debian automatically
# when powered on. However, you may prefer to disable this behavior and avoid changes to your
# boot configuration. For example, if your NVRAM variables have been set up such that your
# system contacts a PXE server on every boot, this would preserve that behavior.
# the system contacts a PXE server on every boot, this would preserve that behavior.
################################################################################################################################
# Locale settings set language, country, locale, keyboard map and timezone
@@ -597,9 +597,8 @@ software:
# cryptsetup
# cryptsetup-initramfs
##############################################################################################################################
### Installed by 4230_update_grub.sh
### Installed by 4230_installation_grub.sh
##############################################################################################################################
# grub2
# grub2-common
# grub-efi-amd64 || grub-efi-arm64 || grub-efi-ia32
##############################################################################################################################
@@ -772,8 +771,8 @@ user:
description: "Root user with full system access and administrative privileges."
sudo: false # Whether the user can escalate to root using sudo.
system: true # Whether this is a low-UID system user (e.g., for automation).
restricted: false # If true, user is limited in scope (e.g., no login, no file access, --no-create-home)
shell: true # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.
restricted: false # If true, the user is limited in scope (e.g., no login, no file access, --no-create-home)
shell: true # MUST be "true" if the shell is not '/usr/sbin/nologin' or '/bin/false'.
##############################################################################################################################
# Primary administrative user with full sudo access
@@ -802,8 +801,8 @@ user:
description: "Primary admin user with full sudo access and interactive login."
sudo: true # Whether the user can escalate to root using sudo.
system: false # Whether this is a low-UID system user (e.g., for automation).
restricted: false # If true, user is limited in scope (e.g., no login, no file access, --no-create-home)
shell: true # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.
restricted: false # If true, the user is limited in scope (e.g., no login, no file access, --no-create-home)
shell: true # MUST be "true" if the shell is not '/usr/sbin/nologin' or '/bin/false'.
##############################################################################################################################
# ansible System user for automation, no interactive shell
@@ -832,7 +831,7 @@ user:
description: "Automation user without interactive shell and no sudo."
sudo: true # Whether the user can escalate to root using sudo.
system: true # Whether this is a low-UID system user (e.g., for automation).
restricted: false # If true, user is limited in scope (e.g., no login, no file access, --no-create-home)
shell: false # MUST be "true" if shell is not '/usr/sbin/nologin' or '/bin/false'.
restricted: false # If true, the user is limited in scope (e.g., no login, no file access, --no-create-home)
shell: false # MUST be "true" if the shell is not '/usr/sbin/nologin' or '/bin/false'.
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
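Review bot: The reworded KFENCE comment changes the meaning: "KFENCE detects a heap of out-of-bounds access, use-after-free, and invalid-free errors" reads as if it detected a large quantity of errors, whereas the original "detects heap out-of-bounds access, use-after-free, and invalid-free errors" correctly lists the three heap error classes; keep `# ... KFENCE detects heap` on that line and apply only the comma fix on the following one. Since the hunks also rewrite the comments of the `ansible` stanza, it is worth settling the contradiction there between `sudo: true` and the description "Automation user without interactive shell and no sudo" — an automation account with unrestricted sudo should be an explicit decision rather than a leftover. The architecture comment now lists only "amd64" or "arm64", but the microcode script header in this same commit still advertises intel64; the two should agree.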


@@ -13,12 +13,10 @@
### Contributions so far see ./docs/CREDITS.md
# TODO: Implement Clang Build Chain and Secure Boot PK CISS.ROOT.CA Signing Workflow
# TODO: Copy Grub Boot Loader to default path via manuel cp. Refactor 4230_update_grub.sh
# TODO: Update preseed.yaml for pgp signing key OR implementation of presigned unlock-wrapper.sh
# TODO: Implement Console Login Deactivation and 2fa as advertised in preseed.yaml Refactor 4500_installation_accounts.sh
# TODO: Check Packages for installation. Refactor preseed.yaml, 4130_installation_toolset.sh, 4700_setup_packages.sh
# TODO: What do we need for CISS environment?
# TODO: Any changes to the NTPSec Servers?
# TODO: Hardening Scripts Integration
# TODO: SSH 2fa integration
# TODO: Recovery Partition Integration
@@ -28,6 +26,8 @@
# TODO: Integrate CISS.debian.installer calling arguments and preseed.yaml into CISS.debian.live.builder build chain?
# TODO: Reboot function for Autoinstall
# TODO: 0105_arg_nuke_converter.sh - implement HashRounds as argument
# TODO: Implement loop_pass() for other passwords 0105_arg_nuke_converter.sh
# TODO: Implement / Integrate IP, Port validation CDI_1200
### WHY BASH?
# Ease of installation. No compiling or installing gems, CPAN modules, pip packages, etc. Simple to use and read. Clear syntax
@@ -143,11 +143,10 @@ fi
color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: PREPARING DIRECTORIES AND FILES ..."
gen_dir_files
# TODO: Reactivate
### CHECKING REQUIRED PACKAGES.
#color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: 0030_check_pkgs.sh ..."
#check_pkgs
color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: CHECKING REQUIRED PACKAGES ..."
check_pkgs
color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: CHECKING GIT VARIABLES ..."
check_git
### ADVISORY LOCK.
@@ -177,10 +176,10 @@ trap 'trap_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${B
trap 'trap_int' INT TERM
### INTERACTIVE MODE NOTES AND KERNEL SELECTION.
# TODO: Update /lib/cdi_0110_interactive/0115_check_provider.sh & sourcing
check_kernel
#if ! "${VAR_AUTO_INSTALL}"; then check_provider; fi
#if ! "${VAR_AUTO_INSTALL}"; then check_kernel; fi
dialog_kernel
dialog_notes
#if ! "${VAR_AUTO_INSTALL}"; then dialog_kernel; fi
#if ! "${VAR_AUTO_INSTALL}"; then dialog_notes; fi
### Dialog Output for Initialization START.
color_echo "${GRE}" "CISS.DEBIAN.INSTALLER PREPARATION: CHECK DIALOG WRAPPER ..."
@@ -200,12 +199,10 @@ arg_parser "$@"
echo "MAIN PROGRAM SEQUENCE: 0103_arg_priority_check.sh ..."
arg_priority_check
# TODO: Implement loop_pass() for other passwords.
### HASHING PASSWORDS.
echo "MAIN PROGRAM SEQUENCE: 0105_arg_nuke_converter.sh ..."
nuke_passphrase
# TODO: Implement / Integrate IP, Port validation
### CDI_1200
### CDI_1250
@@ -273,10 +270,10 @@ echo "MAIN PROGRAM SEQUENCE: 4210_generate_crypttab.sh ..."
generate_crypttab
echo "MAIN PROGRAM SEQUENCE: 4220_installation_cryptsetup.sh ..."
installation_cryptsetup
echo "MAIN PROGRAM SEQUENCE: 4230_update_grub.sh ..."
update_grub # TODO: Checks ongoing
echo "MAIN PROGRAM SEQUENCE: 4230_installation_grub.sh ..."
installation_grub
echo "MAIN PROGRAM SEQUENCE: 4240_update_grub_password.sh ..."
update_grub_password
update_grub_password # TODO: Checks ongoing
echo "MAIN PROGRAM SEQUENCE: 4250_update_grub_bootparameter.sh ..."
update_grub_bootparameter
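Review bot: `check_kernel`, `dialog_kernel` and `dialog_notes` are now invoked unconditionally while the commented-out lines directly beneath them show the earlier intent of skipping them when `VAR_AUTO_INSTALL` is true; as written, an unattended installation will stop at an interactive dialog. If check_kernel is meant to always run but the dialogs are interactive-only, keep `if ! "${VAR_AUTO_INSTALL}"; then dialog_kernel; dialog_notes; fi` and delete the commented variants instead of leaving both forms side by side. The sequence now calls `installation_grub`, matching the rename in the 4230 script, but that function still declares its log as `4230_update_grub.log` and its internal flag as `var_update_grub_required`, which will mislead anyone grepping logs after the rename.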


@@ -77,17 +77,6 @@ yaml_parser() {
s/^(.*)=([^'\''"]+)/\1='\''\2'\''/ # wrap value in single quotes
' "${VAR_PRESEED}"
# ### Delete the respective 'key:value'-variables in the global variable set.
# sed -i '/^grub_parameter_[0-9]\+=/d' "${VAR_PRESEED}"
# sed -i '/^locale_locale_[0-9]\+=/d' "${VAR_PRESEED}"
# sed -i '/^ntp_server_[0-9]\+=/d' "${VAR_PRESEED}"
# sed -i '/^software_[0-9]\+=/d' "${VAR_PRESEED}"
# ### Substitute all key= by key=""
# sed -i -E 's/^(.*)=\s*$/\1=""/' "${VAR_PRESEED}"
# ### Wrap each key=value by '' e.g., key='value'
# sed -i -E "s/^(.*)=([^'\"]+)$/\1='\2'/" "${VAR_PRESEED}"
# shellcheck disable=SC1090
. "${VAR_PRESEED}"


@@ -15,15 +15,21 @@ guard_sourcing
#######################################
# Reading and extracting variables from "${PRESEED}".
# Globals:
# BASH_REMATCH
# HMP_RECIPE_DEV_PARTITIONS
# VAR_ARCHITECTURE
# VAR_CODENAME
# VAR_NEED_RUN_IN_TARGET
# VAR_NUKE
# VAR_PRESEED
# VAR_RECIPE_FIRMWARE
# VAR_RECIPE_HIGHEST_DEVICE
# VAR_RECIPE_STRING
# VAR_RECIPE_TABLE
# VAR_RECOVERY
# architecture
# distribution
# needrun
# Arguments:
# None
# Returns:
@@ -44,11 +50,11 @@ yaml_reader() {
### Read "${var_if}" line by line.
while IFS= read -r var_line; do
### Check, if line matches the search pattern.
### Check if the line matches the search pattern.
if [[ "${var_line}" =~ ^recipe_([^_]+)_active=\'true\' ]]; then
var_middle_part="${BASH_REMATCH[1]}"
VAR_RECIPE_STRING="${var_middle_part}"
VAR_RECIPE_STRING="${var_middle_part,,}"
break
fi
@@ -144,30 +150,30 @@ END { print max }
### Extract chosen firmware.
recipe_firmware_var="recipe_${VAR_RECIPE_STRING}_control_firmware"
VAR_RECIPE_FIRMWARE="${!recipe_firmware_var}"
VAR_RECIPE_FIRMWARE="${!recipe_firmware_var,,}"
### Extract the chosen Nuke mechanism.
recipe_nuke_var="recipe_${VAR_RECIPE_STRING}_control_nuke"
# shellcheck disable=SC2034
VAR_NUKE="${!recipe_nuke_var}"
VAR_NUKE="${!recipe_nuke_var,,}"
### Extract chosen partition table.
recipe_table_var="recipe_${VAR_RECIPE_STRING}_control_table"
VAR_RECIPE_TABLE="${!recipe_table_var}"
VAR_RECIPE_TABLE="${!recipe_table_var,,}"
if [[ "${VAR_RECIPE_TABLE,,}" == "gpt" && "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then
if [[ "${VAR_RECIPE_TABLE}" == "gpt" && "${VAR_RECIPE_FIRMWARE}" == "uefi" ]]; then
do_log "info" "file_only" "1251() Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > ESP 'EF00' necessary."
elif [[ "${VAR_RECIPE_TABLE,,}" == "gpt" && "${VAR_RECIPE_FIRMWARE,,}" == "bios" ]]; then
elif [[ "${VAR_RECIPE_TABLE}" == "gpt" && "${VAR_RECIPE_FIRMWARE}" == "bios" ]]; then
do_log "info" "file_only" "1251() Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > BIOS Boot Partition 'EF02' necessary."
elif [[ "${VAR_RECIPE_TABLE,,}" == "msdos" && "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then
elif [[ "${VAR_RECIPE_TABLE}" == "msdos" && "${VAR_RECIPE_FIRMWARE}" == "uefi" ]]; then
do_log "warn" "file_only" "1251() Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > ESP on MBR needs partition type '0xEF'."
elif [[ "${VAR_RECIPE_TABLE,,}" == "msdos" && "${VAR_RECIPE_FIRMWARE,,}" == "bios" ]]; then
elif [[ "${VAR_RECIPE_TABLE}" == "msdos" && "${VAR_RECIPE_FIRMWARE}" == "bios" ]]; then
do_log "info" "file_only" "1251() Partition table: '${VAR_RECIPE_TABLE}' and firmware: '${VAR_RECIPE_FIRMWARE}' > No special firmware partition necessary."
@@ -176,7 +182,7 @@ END { print max }
### Extract the chosen Recovery mechanism.
recipe_recovery_var="recipe_${VAR_RECIPE_STRING}_control_recovery"
# shellcheck disable=SC2034
VAR_RECOVERY="${!recipe_recovery_var}"
VAR_RECOVERY="${!recipe_recovery_var,,}"
return 0
}
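Review bot: Lowercasing the recipe name with `VAR_RECIPE_STRING="${var_middle_part,,}"` changes the name used by the indirect lookups `recipe_${VAR_RECIPE_STRING}_control_firmware`, `_control_nuke`, `_control_table` and `_control_recovery`; the match pattern `recipe_([^_]+)_active` accepts uppercase letters, so a recipe key written with capitals in the preseed would make every derived variable expand to an empty string and none of the table/firmware branches below would match. Either keep the raw match for the lookup and lowercase only the looked-up values, e.g. `VAR_RECIPE_STRING="${var_middle_part}"` with the `,,` kept on `VAR_RECIPE_FIRMWARE`, `VAR_NUKE`, `VAR_RECIPE_TABLE` and `VAR_RECOVERY` as this hunk already does, or document in the Globals header that yaml_parser guarantees lowercase keys. Dropping the `,,` from the comparisons is only safe while every writer of these globals goes through this function; a one-line comment such as `### Values are normalized to lowercase above; compare without ,, here.` would make that contract explicit.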


@@ -14,8 +14,10 @@ guard_sourcing
#######################################
# Update generated sources.
# Every 'apt-get install' command is invoked by adding 'export INITRD=No'
# to suppress the 'update-initramfs'-Kernel-Hooks according to the initramfs-tools manpage:
# https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
# Globals:
# DIR_LOG
# TARGET
# apt_updates_policy
# Arguments:
@@ -35,11 +37,11 @@ update_sources() {
do_log "info" "file_only" "4110() Sources lists: updated successfully."
### Update unattended, security or no unattended updates at all.
### Update unattended, security, or no unattended updates at all.
if [[ "${apt_updates_policy,,}" == "unattended" ]]; then
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
export INITRD=No apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
do_log "info" "file_only" "4110() The update policy was set at installation time to: '${apt_updates_policy}'."
@@ -47,7 +49,7 @@ update_sources() {
elif [[ "${apt_updates_policy,,}" == "security" ]]; then
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
export INITRD=No apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"


@@ -14,9 +14,12 @@ guard_sourcing
#######################################
# Installation of the specified kernel.
# Every 'apt-get install' command is invoked by adding 'export INITRD=No'
# to suppress the 'update-initramfs'-Kernel-Hooks according to the initramfs-tools manpage:
# https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
# Globals:
# DIR_LOG
# TARGET
# VAR_KERNEL
# image
# Arguments:
# None
@@ -32,7 +35,7 @@ installation_kernel() {
if [[ -n "${VAR_KERNEL}" ]]; then
do_in_target_script "${TARGET}" '
apt-get install -y -o DPkg::Options::="--no-triggers" --no-install-recommends --no-install-suggests '"${VAR_KERNEL}"' initramfs-tools 2>&1 | tee -a '"${var_logfile}"'
export INITRD=No apt-get install -y --no-install-recommends --no-install-suggests '"${VAR_KERNEL}"' initramfs-tools 2>&1 | tee -a '"${var_logfile}"'
echo ExitCode: $? >> '"${var_logfile}"'
'
@@ -43,7 +46,7 @@ installation_kernel() {
else
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-recommends --no-install-suggests ${image} 2>&1 | tee -a ${var_logfile}
export INITRD=No apt-get install -y --no-install-recommends --no-install-suggests ${image} initramfs-tools 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"


@@ -14,8 +14,10 @@ guard_sourcing
#######################################
# Check and set up the minimum required tools for the next installation steps.
# Every 'apt-get install' command is invoked by adding 'export INITRD=No'
# to suppress the 'update-initramfs'-Kernel-Hooks according to the initramfs-tools manpage:
# https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
# Globals:
# DIR_LOG
# TARGET
# Arguments:
# None
@@ -118,7 +120,7 @@ installation_toolset() {
do_log "debug" "file_only" "4130() [ary_unique_pkgs]='${ary_unique_pkgs[*]}'."
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-recommends --no-install-suggests ${ary_unique_pkgs[*]} 2>&1 | tee -a ${var_logfile}
export INITRD=No apt-get install -y --no-install-recommends --no-install-suggests ${ary_unique_pkgs[*]} 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"


@@ -14,8 +14,10 @@ guard_sourcing
#######################################
# Ensure systemd is in place.
# Every 'apt-get install' command is invoked by adding 'export INITRD=No'
# to suppress the 'update-initramfs'-Kernel-Hooks according to the initramfs-tools manpage:
# https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
# Globals:
# DIR_LOG
# TARGET
# Arguments:
# None
@@ -32,8 +34,7 @@ installation_systemd() {
do_log "info" "file_only" "4131() 'systemctl' NOT found, installing 'systemd' and dependencies."
do_in_target_script "${TARGET}" "
apt-get update 2>&1 | tee -a ${var_logfile}
apt-get install -y --no-install-recommends --no-install-suggests systemd systemd-sysv dbus 2>&1 | tee -a ${var_logfile}
export INITRD=No apt-get install -y --no-install-recommends --no-install-suggests systemd systemd-sysv dbus 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"


@@ -14,6 +14,9 @@ guard_sourcing
#######################################
# Install microcode updates depending on architecture (amd64, arm64, intel64) and environment (Baremetal, VM).
# Every 'apt-get install' command is invoked by adding 'export INITRD=No'
# to suppress the 'update-initramfs'-Kernel-Hooks according to the initramfs-tools manpage:
# https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
# Globals:
# TARGET
# Arguments:
@@ -52,14 +55,14 @@ installation_microcode() {
if ! do_in_target_script "${TARGET}" "dpkg -s ${var_microcode_pkgs} >/dev/null 2>&1"; then
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-recommends --no-install-suggests ${var_microcode_pkgs} 2>&1 | tee -a ${var_logfile}
export INITRD=No apt-get install -y --no-install-recommends --no-install-suggests ${var_microcode_pkgs} 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
else
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-recommends --no-install-suggests --only-upgrade ${var_microcode_pkgs} 2>&1 | tee -a ${var_logfile}
export INITRD=No apt-get install -y --no-install-recommends --no-install-suggests --only-upgrade ${var_microcode_pkgs} 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"


@@ -14,6 +14,9 @@ guard_sourcing
#######################################
# Setup chrony NTPSec client.
# Every 'apt-get install' command is invoked by adding 'export INITRD=No'
# to suppress the 'update-initramfs'-Kernel-Hooks according to the initramfs-tools manpage:
# https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
# Globals:
# ARY_NTPSRVR
# DIR_BAK
@@ -44,7 +47,7 @@ installation_chrony() {
mkdir -p "${TARGET}/var/log/chrony"
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-recommends --no-install-suggests chrony 2>&1 | tee -a ${var_logfile}
export INITRD=No apt-get install -y --no-install-recommends --no-install-suggests chrony 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
@@ -58,6 +61,9 @@ installation_chrony() {
mv "${TARGET}/etc/chrony/chrony.conf" "${DIR_BAK}/etc/chrony/chrony.conf.bak"
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/chrony/chrony.cnf" "${TARGET}/etc/chrony/chrony.conf"
insert_chrony_comments "${TARGET}/etc/chrony/chrony.conf"
cat "${var_of}" >> "${TARGET}/etc/chrony/chrony.conf"
do_log "debug" "file_only" "4150() Executing: [do_in_target_script ${TARGET} chronyd -Q -f /etc/chrony/chrony.conf]."
@@ -72,4 +78,27 @@ installation_chrony() {
return 0
}
#######################################
# Helper to insert the Metadata field into '/etc/chrony/chrony.conf'.
# Globals:
# VAR_ARCHITECTURE
# VAR_CODENAME
# VAR_VERSION
# Arguments:
# 1: /etc/chrony/chrony.conf
# Returns:
# 0: on success
#######################################
insert_chrony_comments() {
declare file="${1}"
sed -i '/^# SPDX-Security-Contact: security@coresecret\.eu$/a\
# /etc/chrony/conf.d : Generated by CISS.debian.installer '"${VAR_VERSION}"'\
\
# Architecture : '"${VAR_ARCHITECTURE}"'\
\
# Distribution : '"${VAR_CODENAME}"'
' "${file}"
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
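Review bot: `insert_chrony_comments` splices `VAR_VERSION`, `VAR_ARCHITECTURE` and `VAR_CODENAME` unescaped into the sed script, so a value containing `/`, `\` or a newline breaks the `a\` text or the address; the function also silently does nothing when the anchor line `# SPDX-Security-Contact: security@coresecret\.eu$` is absent from the shipped chrony.cnf, yet still returns 0 as documented. Checking the anchor first, e.g. `grep -q '^# SPDX-Security-Contact: security@coresecret\.eu$' "${file}" || do_log "warn" "file_only" "4150() Metadata anchor not found in ${file}."`, would make the miss visible in the log. The inserted header text says `/etc/chrony/conf.d` although the argument documented and passed is `/etc/chrony/chrony.conf`; the comment should name the file it is actually written into.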


@@ -14,6 +14,9 @@ guard_sourcing
#######################################
# Installation of 'cryptsetup' and 'cryptsetup-initramfs' after '/etc/crypttab' generation.
# Every 'apt-get install' command is invoked by adding 'export INITRD=No'
# to suppress the 'update-initramfs'-Kernel-Hooks according to the initramfs-tools manpage:
# https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
# Globals:
# TARGET
# Arguments:
@@ -28,7 +31,7 @@ installation_cryptsetup() {
touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}"
do_in_target_script "${TARGET}" '
apt-get install -y -o DPkg::Options::="--no-triggers" --no-install-recommends --no-install-suggests cryptsetup cryptsetup-initramfs 2>&1 | tee -a '"${var_logfile}"'
export INITRD=No apt-get install -y --no-install-recommends --no-install-suggests cryptsetup cryptsetup-initramfs 2>&1 | tee -a '"${var_logfile}"'
echo ExitCode: $? >> '"${var_logfile}"'
'


@@ -26,6 +26,9 @@ guard_sourcing
#######################################
# Installation and setup of the GRUB2 (backported) version.
# The backported version MUST be installed for LUKS2 '/boot' encryption.
# Every 'apt-get install' command is invoked by adding 'export INITRD=No'
# to suppress the 'update-initramfs'-Kernel-Hooks according to the initramfs-tools manpage:
# https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
# Globals:
# TARGET
# VAR_ARCHITECTURE
@@ -44,7 +47,7 @@ guard_sourcing
# ERR_GRUB_BACKGROUND
# ERR_GRUB_EFI_FORCE
#######################################
update_grub() {
installation_grub() {
### Declare Arrays, HashMaps, and Variables.
declare -g var_update_grub_required="false" grub_update_nvram=${grub_update_nvram:-false}
declare -r var_logfile="/root/.ciss/cdi/log/4230_update_grub.log"
@@ -52,53 +55,51 @@ update_grub() {
touch "${TARGET}${var_logfile}" && chmod 0600 "${TARGET}${var_logfile}"
do_log "debug" "file_only" "4230() Detected firmware: '${VAR_RECIPE_FIRMWARE}', architecture: '${VAR_ARCHITECTURE}'"
get_grub_modinfo_path
if [[ "${grub_skip,,}" != "true" ]]; then
ensure_lowercase "grub_skip"
ensure_lowercase "grub_latest"
ensure_lowercase "grub_background_enable"
ensure_lowercase "grub_prober"
ensure_lowercase "grub_update_nvram"
ensure_lowercase "grub_force_efi"
do_log "debug" "file_only" "4230() Preseeded firmware: '${VAR_RECIPE_FIRMWARE}', architecture: '${VAR_ARCHITECTURE}'"
if [[ "${grub_skip}" != "true" ]]; then
### Install GRUB2 package
if [[ "${grub_latest,,}" == "true" ]]; then
if [[ "${grub_latest}" == "true" ]]; then
### Install the GRUB2 backported version from the Bookworm backports repository.
if [[ "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then
if [[ "${VAR_RECIPE_FIRMWARE}" == "uefi" ]]; then
case "${VAR_ARCHITECTURE,,}" in
case "${VAR_ARCHITECTURE}" in
amd64)
do_log "debug" "file_only" "4230() Installing GRUB package variant: grub-efi-amd64"
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-recommends -t bookworm-backports grub2-common grub-efi-amd64 grub-efi-amd64-bin 2>&1 | tee -a ${var_logfile}
export INITRD=No apt-get install -y --no-install-recommends -t bookworm-backports grub2-common grub-efi-amd64 grub-efi-amd64-bin 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
;;
arm64)
do_log "debug" "file_only" "4230() Installing GRUB package variant: grub-efi-arm64"
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-recommends -t bookworm-backports grub2-common grub-efi-arm64 grub-efi-arm64-bin 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
;;
i386)
do_log "debug" "file_only" "4230() Installing GRUB package variant: grub-efi-ia32"
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-recommends -t bookworm-backports grub2-common grub-efi-ia32 grub-efi-ia32-bin 2>&1 | tee -a ${var_logfile}
export INITRD=No apt-get install -y --no-install-recommends -t bookworm-backports grub2-common grub-efi-arm64 grub-efi-arm64-bin 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
;;
*)
do_log "emergency" "file_only" "4230() Unsupported UEFI architecture: ${VAR_ARCHITECTURE}"; return "${ERR_GRUB_ARCHITECTURE}"
do_log "emergency" "file_only" "4230() Unsupported architecture: ${VAR_ARCHITECTURE}"; return "${ERR_GRUB_ARCHITECTURE}"
;;
esac
else
do_log "debug" "file_only" "4230() Installing GRUB package variant: grub-pc-bin"
do_in_target_script "${TARGET}" "
apt-get install -y --no-install-recommends -t bookworm-backports grub2-common grub-pc grub-pc-bin 2>&1 | tee -a ${var_logfile}
export INITRD=No apt-get install -y --no-install-recommends -t bookworm-backports grub2-common grub-pc grub-pc-bin 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
@@ -107,18 +108,17 @@ update_grub() {
else
### Install the GRUB2 stable version.
if [[ "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then
if [[ "${VAR_RECIPE_FIRMWARE}" == "uefi" ]]; then
case "${VAR_ARCHITECTURE,,}" in
amd64) do_in_target "${TARGET}" apt-get install -y --no-install-recommends grub2 grub2-common grub-efi-amd64 grub-efi-amd64-bin ;;
arm64) do_in_target "${TARGET}" apt-get install -y --no-install-recommends grub2 grub2-common grub-efi-arm64 grub-efi-arm64-bin ;;
i386) do_in_target "${TARGET}" apt-get install -y --no-install-recommends grub2 grub2-common grub-efi-ia32 grub-efi-ia32-bin ;;
*) do_log "emergency" "file_only" "4230() Unsupported UEFI architecture: ${VAR_ARCHITECTURE}"; return "${ERR_GRUB_ARCHITECTURE}" ;;
case "${VAR_ARCHITECTURE}" in
amd64) do_in_target "${TARGET}" export INITRD=No apt-get install -y --no-install-recommends grub2-common grub-efi-amd64 grub-efi-amd64-bin ;;
arm64) do_in_target "${TARGET}" export INITRD=No apt-get install -y --no-install-recommends grub2-common grub-efi-arm64 grub-efi-arm64-bin ;;
*) do_log "emergency" "file_only" "4230() Unsupported architecture: ${VAR_ARCHITECTURE}"; return "${ERR_GRUB_ARCHITECTURE}" ;;
esac
else
do_in_target "${TARGET}" apt-get install -y --no-install-recommends grub2 grub2-common grub-pc grub-pc-bin
do_in_target "${TARGET}" export INITRD=No apt-get install -y --no-install-recommends grub2 grub2-common grub-pc grub-pc-bin
fi
@@ -135,7 +135,7 @@ EOF
var_update_grub_required="true"
### Install a boot menu background.
if [[ "${grub_background_enable,,}" == "true" ]]; then
if [[ "${grub_background_enable}" == "true" ]]; then
var_background=$(basename "${grub_background_path}")
install -m 0640 -o root -g root "${VAR_SETUP_PATH}${grub_background_path}" "${TARGET}/etc/default/grub.d/${var_background}"
@@ -157,9 +157,9 @@ EOF
fi
### Change the GRUB OS detection configuration accordingly.
if [[ "${grub_prober,,}" == "true" ]]; then
if [[ "${grub_prober}" == "true" ]]; then
do_in_target "${TARGET}" apt-get install -y --no-install-recommends os-prober
do_in_target "${TARGET}" export INITRD=No apt-get install -y --no-install-recommends os-prober
cat << EOF >> "${TARGET}/etc/default/grub"
# If your computer has multiple operating systems installed, then you
@@ -173,7 +173,7 @@ EOF
var_update_grub_required="true"
elif [[ "${grub_prober,,}" == "false" ]]; then
elif [[ "${grub_prober}" == "false" ]]; then
cat << EOF >> "${TARGET}/etc/default/grub"
# If your computer has multiple operating systems installed, then you
@@ -192,15 +192,16 @@ EOF
else
do_log "info" "file_only" "4230() GRUB2 setup skipped."
return 0
fi
### Install grub on the specific device.
if [[ "${VAR_RECIPE_FIRMWARE,,}" == "uefi" ]]; then
if [[ "${VAR_RECIPE_FIRMWARE}" == "uefi" ]]; then
install_grub_uefi
elif [[ "${VAR_RECIPE_FIRMWARE,,}" == "bios" ]]; then
elif [[ "${VAR_RECIPE_FIRMWARE}" == "bios" ]]; then
install_grub_bios
@@ -222,6 +223,7 @@ EOF
# Installs GRUB to BIOS in BIOS mode.
# Globals:
# TARGET
# VAR_MODINFO_PATH
# grub_bootdev
# var_update_grub_required
# Arguments:
@@ -235,6 +237,11 @@ install_grub_bios() {
declare -a ary_bios_arg=()
declare var_bios_mod=""
if ! [[ -x "${TARGET}${VAR_MODINFO_PATH}" ]]; then
do_log "emergency" "file_only" "4230() Missing: [${VAR_MODINFO_PATH}]."
return "${ERR_GRUB_INSTALL}"
fi
### Cryptographic modules.
var_bios_mod+="cryptodisk gcry_rijndael gcry_sha256 gcry_sha512 gcry_whirlpool gcry_serpent gcry_twofish luks luks2 "
### Filesystem modules.
@@ -248,7 +255,7 @@ install_grub_bios() {
ary_bios_arg+=( --target=i386-pc --boot-directory=/boot "--modules=${var_bios_mod}" )
do_in_target "${TARGET}" grub-install "${ary_bios_arg[@]}" "${grub_bootdev}" || return "${ERR_GRUB_INSTALL}"
do_in_target "${TARGET}" export INITRD=No grub-install "${ary_bios_arg[@]}" "${grub_bootdev}" || return "${ERR_GRUB_INSTALL}"
do_log "info" "file_only" "4230() Installed: GRUB on Device: '${grub_bootdev}' [BIOS]."
var_update_grub_required="true"
@@ -259,6 +266,7 @@ install_grub_bios() {
# Installs GRUB to ESP in UEFI mode.
# Globals:
# TARGET
# VAR_MODINFO_PATH
# grub_bootdev
# grub_force_efi
# grub_update_nvram
@@ -272,16 +280,10 @@ install_grub_bios() {
install_grub_uefi() {
### Declare Arrays, HashMaps, and Variables.
declare -a ary_uefi_arg=()
declare var_uefi_mod="" var_modinfo_path=""
declare var_uefi_mod=""
case "${VAR_ARCHITECTURE,,}" in
amd64) var_modinfo_path="/usr/lib/grub/x86_64-efi/modinfo.sh" ;;
arm64) var_modinfo_path="/usr/lib/grub/arm64-efi/modinfo.sh" ;;
i386) var_modinfo_path="/usr/lib/grub/i386-efi/modinfo.sh" ;;
esac
if ! [[ -x "${TARGET}${var_modinfo_path}" ]]; then
do_log "emergency" "file_only" "4230() Missing: [${var_modinfo_path}]."
if ! [[ -x "${TARGET}${VAR_MODINFO_PATH}" ]]; then
do_log "emergency" "file_only" "4230() Missing: [${VAR_MODINFO_PATH}]."
return "${ERR_GRUB_INSTALL}"
fi
@@ -298,13 +300,13 @@ install_grub_uefi() {
ary_uefi_arg+=( --target=x86_64-efi --boot-directory=/boot --efi-directory=/boot/efi --bootloader-id=debian "--modules=${var_uefi_mod}" )
[[ "${grub_update_nvram,,}" == "false" ]] && ary_uefi_arg+=( --no-nvram )
[[ "${grub_update_nvram}" == "false" ]] && ary_uefi_arg+=( --no-nvram )
do_in_target "${TARGET}" grub-install "${ary_uefi_arg[@]}" "${grub_bootdev}" || return "${ERR_GRUB_INSTALL}"
do_in_target "${TARGET}" export INITRD=No grub-install "${ary_uefi_arg[@]}" "${grub_bootdev}" || return "${ERR_GRUB_INSTALL}"
do_log "info" "file_only" "4230() Installed: GRUB on Device: '${grub_bootdev}' [UEFI]."
var_update_grub_required="true"
if [[ "${grub_force_efi,,}" == "true" ]]; then
if [[ "${grub_force_efi}" == "true" ]]; then
mkdir -p "${TARGET}/boot/efi/EFI/BOOT"
cp "${TARGET}/boot/efi/EFI/debian/grubx64.efi" "${TARGET}/boot/efi/EFI/BOOT/BOOTX64.EFI"
@@ -314,4 +316,43 @@ install_grub_uefi() {
return 0
}
#######################################
# Get the path of the required Grub modules.
# Globals:
# VAR_ARCHITECTURE
# VAR_MODINFO_PATH
# VAR_RECIPE_FIRMWARE
# Arguments:
# None
# Returns:
# 0: on success
#######################################
get_grub_modinfo_path() {
### Declare Arrays, HashMaps, and Variables.
delcare -gx VAR_MODINFO_PATH=""
case "${VAR_RECIPE_FIRMWARE}" in
uefi)
case "${VAR_ARCHITECTURE}" in
amd64) VAR_MODINFO_PATH="/usr/lib/grub/x86_64-efi/modinfo.sh" ;;
arm64) VAR_MODINFO_PATH="/usr/lib/grub/arm64-efi/modinfo.sh" ;;
i386) VAR_MODINFO_PATH="/usr/lib/grub/i386-efi/modinfo.sh" ;;
*) ;;
esac
;;
bios)
VAR_MODINFO_PATH="/usr/lib/grub/i386-pc/modinfo.sh"
;;
esac
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh


@@ -16,9 +16,7 @@ guard_sourcing
# Append the GRUB superuser block to '/etc/grub.d/40_custom'.
# Globals:
# DIR_CNF
# ERR_READ_GRUB_FILE
# TARGET
# VAR_DEBUG_TRACE
# Arguments:
# None
# Returns:
@@ -29,13 +27,14 @@ update_grub_password() {
declare var_username="superadmin" var_password="" var_password_file="${DIR_CNF}/password_grub.txt" \
var_of="${TARGET}/etc/grub.d/40_custom" var_grub_entry=""
# TODO: Reactivate XTRACE Password Truncation
### No tracing for security reasons
[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
#[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
if [[ ! -f "${var_password_file}" ]] || ! IFS= read -r var_password < "${var_password_file}"; then
return "${ERR_READ_GRUB_FILE}"
fi
### Turn on tracing again
[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
#[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
var_grub_entry=$(generate_grub_password_pbkdf2 "${var_username}" "${var_password}")
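Review bot: With VAR_DEBUG_TRACE enabled, the GRUB password now reaches the xtrace output in clear text: the `set +x` guard is commented out, and even before this change the `set -x` re-enable came before `var_grub_entry=$(generate_grub_password_pbkdf2 "${var_username}" "${var_password}")`, which xtrace prints with the password expanded. Keep the guard and move the re-enable below that call: `var_grub_entry=$(generate_grub_password_pbkdf2 "${var_username}" "${var_password}")`, then `unset var_password`, then `[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x`. The Globals header drops ERR_READ_GRUB_FILE although the function still returns it when the password file is missing or unreadable; keep that entry, and VAR_DEBUG_TRACE once the guard is restored. update_grub_password's body continues past the hunk.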


@@ -13,14 +13,120 @@
guard_sourcing
#######################################
# Ensures the value of the provided VAR is always lowercase.
# Use: ensure_lowercase VAR
# Converts the value of a passed variable to lowercase.
# Example:
# ensure_lowercase "VAR"
# Arguments:
# 1: VARIABLE name only
# Returns:
# 0: on success
# ERR_UNBOUND_VARIABLE
#######################################
ensure_lowercase() {
declare -r name="${1}"
declare -r name="$1"
if ! declare -p "${name}" &>/dev/null; then
do_log "emergency" "file_only" "0008() Unbound variable: [${name}]."
return "${ERR_UNBOUND_VARIABLE}"
fi
declare -n ref="${name}"
ref="${ref,,}"
return 0
}
#######################################
# Converts the value of a passed variable to uppercase.
# Example:
# ensure_uppercase "VAR"
# Arguments:
# 1: VARIABLE name only
# Returns:
# 0: on success
# ERR_UNBOUND_VARIABLE
#######################################
ensure_uppercase() {
declare -r name="$1"
if ! declare -p "${name}" &>/dev/null; then
do_log "emergency" "file_only" "0008() Unbound variable: [${name}]."
return "${ERR_UNBOUND_VARIABLE}"
fi
declare -n ref="${name}"
ref="${ref^^}"
return 0
}
#######################################
# Removes leading and trailing spaces in the value.
# Example:
# ensure_trimmed "VAR"
# Arguments:
# 1: VARIABLE name only
# Returns:
# 0: on success
# ERR_UNBOUND_VARIABLE
#######################################
ensure_trimmed() {
declare -r name="$1"
if ! declare -p "${name}" &>/dev/null; then
do_log "emergency" "file_only" "0008() Unbound variable: [${name}]."
return "${ERR_UNBOUND_VARIABLE}"
fi
declare -n ref="${name}"
ref="${ref#"${ref%%[![:space:]]*}"}"
ref="${ref%"${ref##*[![:space:]]}"}"
return 0
}
#######################################
# Resets the value of the variable to a default value if it is empty or contains only whitespace.
# Example:
# reset_to_default "VAR" "fallback"
# Arguments:
# 1: VARIABLE name only
# 2: Fallback value
# Returns:
# 0: on success
# ERR_UNBOUND_VARIABLE
#######################################
reset_to_default() {
declare -r name="$1"
declare -r fallback="$2"
if ! declare -p "${name}" &>/dev/null; then
do_log "emergency" "file_only" "0008() Unbound variable: [${name}]."
return "${ERR_UNBOUND_VARIABLE}"
fi
declare -n ref="${name}"
declare trimmed="${ref#"${ref%%[![:space:]]*}"}"
trimmed="${trimmed%"${trimmed##*[![:space:]]}"}"
if [[ -z "${trimmed}" ]]; then
ref="${fallback}"
fi
return 0
}
#######################################
# Checks whether the content of a variable matches a specific regex.
# Example:
# assert_match "FOO" '^[a-z0-9_-]+$'
# Arguments:
# 1: VARIABLE name only
# 2: Regex in 'single quotes'
# Returns:
# 0: on success
# ERR_UNBOUND_VARIABLE
# ERR_VAR_REGEX_CHK
#######################################
assert_match() {
declare -r name="$1"
declare -r pattern="$2"
if ! declare -p "${name}" &>/dev/null; then
do_log "emergency" "file_only" "0008() Unbound variable: [${name}]."
return "${ERR_UNBOUND_VARIABLE}"
fi
declare -n ref="${name}"
if ! [[ "${ref}" =~ ${pattern} ]]; then
do_log "emergency" "file_only" "0008() Variable: [${name}] not matching Regex: [${pattern}]: [${ref}]."
return "${ERR_VAR_REGEX_CHK}"
fi
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
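Review bot: assert_match writes the failing value verbatim into the log file (`... Regex: [${pattern}]: [${ref}]`), so if it is ever applied to a variable holding a passphrase or password (the argument parser has passphrase modules at 0104) the secret ends up in the log; drop `: [${ref}]` from the message, or log only `${#ref}`. ensure_trimmed's header says it removes "spaces" while the parameter expansions strip every `[:space:]` character, tabs and newlines included; say `# Removes leading and trailing whitespace from the value.`. All five helpers bind `declare -n ref="${name}"` after `declare -r name`, so a caller passing the literal name `ref` or `name` gets a circular or read-only nameref error — harmless as long as names only come from project code, but worth a line in the header.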


@@ -228,6 +228,7 @@ trap_err() {
case "${VAR_IN_DIALOG_WR}" in
box ) dialog_box_cleaner ;;
gauge ) dialog_gauge_cleaner ;;
text ) dialog_text_cleaner ;;
esac
calculate_runtime


@@ -152,6 +152,7 @@ trap_exit_non_zero() {
case "${VAR_IN_DIALOG_WR}" in
box ) dialog_box_cleaner ;;
gauge ) dialog_gauge_cleaner ;;
text ) dialog_text_cleaner ;;
esac
calculate_runtime


@@ -26,6 +26,7 @@ restart_dialog() {
case "$1" in
box ) dialog_box ;;
gauge ) dialog_gauge ;;
text ) dialog_kernel ;;
* ) ;;
esac
}
@@ -48,6 +49,7 @@ trap_int() {
case "${VAR_IN_DIALOG_WR}" in
box ) dialog_box_cleaner; declare var_helper_dialog="box" ;;
gauge ) dialog_gauge_cleaner; declare var_helper_dialog="gauge" ;;
text ) dialog_text_cleaner; declare var_helper_dialog="text" ;;
* ) declare var_helper_dialog="false" ;;
esac
@@ -62,6 +64,9 @@ trap_int() {
elif [[ "${var_helper_dialog}" == "gauge" ]]; then
restart_dialog "${var_helper_dialog}"
return 0
elif [[ "${var_helper_dialog}" == "text" ]]; then
restart_dialog "${var_helper_dialog}"
return 0
else
restart_dialog "${var_helper_dialog}"
return 0
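Review bot: `text ) dialog_kernel ;;` in restart_dialog assumes the only text dialog is the kernel selector, but the new dialog_notes also sets `VAR_IN_DIALOG_WR="text"`, so an interrupt while the notes box is open restarts the kernel selector instead of the notes. Either give each text dialog its own marker (e.g. `VAR_IN_DIALOG_WR="notes"` with a matching arm `notes ) dialog_notes ;;` in restart_dialog and in the cleaner case) or store the active dialog's function name in a variable that restart_dialog invokes. The added `text` branch in trap_int duplicates the box, gauge and else branches, all of which run `restart_dialog "${var_helper_dialog}"; return 0`; a single call after the case would read more clearly. Both restart_dialog and trap_int begin outside the hunk.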


@@ -68,6 +68,7 @@ arg_parser() {
--renice-priority)
if [[ -n ${2-} && ${2} =~ ^-?[0-9]+$ && ${2} -ge -19 && ${2} -le 19 ]]; then
# shellcheck disable=SC2034
VAR_PRIORITY="${2}"
shift 2
else
@@ -80,6 +81,7 @@ arg_parser() {
arg_mismatch "--reionice-priority no values provided."
else
if [[ "${2}" =~ ^[1-3]$ ]]; then
# shellcheck disable=SC2034
VAR_REIONICE_CLASS="${2}"
if [[ -z "${3-}" ]]; then
:


@@ -15,16 +15,19 @@ guard_sourcing
#######################################
# Kernel Image Selector.
# Globals:
# VAR_DIALOG
# VAR_KERNEL
# VAR_KERNEL_SRT
# VAR_KERNEL_TMP
# VAR_NOTES
# VAR_VERSION
# Arguments:
# None
# Returns:
# 0: on success
# 42: On sorting Error.
#######################################
check_kernel() {
dialog_kernel() {
declare -i counter=1 rc=0
declare first_string="" line="" name="" options="" var_cpu_vendor="" var_system_architecture=""
@@ -33,17 +36,18 @@ check_kernel() {
var_system_architecture="$(dpkg --print-architecture)"
cat << EOF >| "${VAR_NOTES}"
CISS.debian.installer
Build: ${VAR_VERSION}
Press 'EXIT' to go back to the menu [Select the Kernel for the CISS.debian.installer].
Press 'EXIT' to return to the menu: "Select the Kernel for the target system".
Kernel available
Kernel available :
This section lists available Debian kernel variants. Each type addresses specific requirements such as
hardware support, virtualization, real-time processing, or Secure Boot compatibility.
hardware support, virtualization, real-time processing, or Secure-Boot compatibility.
*+bpo* : Debian Backported Kernel
Backported kernels from Debian testing or unstable, offering newer features, improved hardware
support, and updated driversespecially useful on modern systems or special-purpose hardware.
support, and updated drivers, especially useful on modern systems or special-purpose hardware.
*cloud* : Special lightweight images for KVM
Cloud-optimized kernels tailored for virtualized environments (e.g., KVM, OpenStack). These images
@@ -57,9 +61,9 @@ management (e.g., using your own PK/KEK/DB or MOK with shim) and will not boot o
Real-time variant with full preemption enabled. Designed for workloads needing deterministic latency
such as robotics, industrial control, scientific instrumentation, or low-latency audio processing.
Note:
All kernel packages **not** marked as *unsigned* are **Microsoft-signed** and should work out of the
box with Secure Boot enabled, assuming the UEFI firmware trusts Microsofts root keys.
Note :
All kernel packages NOT marked as *unsigned* are **Microsoft-signed** and should work out of the
box with Secure-Boot enabled, assuming the UEFI firmware trusts Microsofts root keys.
EOF
case "${var_system_architecture}" in
@@ -75,13 +79,13 @@ EOF
;;
*)
do_log "info" "file_only" "4140() Unknown Architecture: '${var_system_architecture}' and / or unsupported CPU vendor: '${var_cpu_vendor}', skipping."
do_log "info" "file_only" "0110() Unknown Architecture: '${var_system_architecture}' and / or unsupported CPU vendor: '${var_cpu_vendor}', skipping."
;;
esac
sort --output="${VAR_KERNEL_SRT}" "${VAR_KERNEL_TMP}" || {
printf "❌ Error 0110_check_kernel.sh Line 52 sort failed\n" >&2
printf "❌ Error 0110_check_kernel.sh Line 84 sort failed\n" >&2
# shellcheck disable=SC2162
read -p $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
return 42
@@ -95,6 +99,9 @@ EOF
done < "${VAR_KERNEL_SRT}"
while true; do
declare -gx VAR_IN_DIALOG_WR="text"
# shellcheck disable=SC2034
if VAR_KERNEL=$(dialog \
--no-collapse \
@@ -102,8 +109,8 @@ EOF
--clear \
--help-button --help-label "Info" \
--backtitle "CISS.debian.installer" \
--title "Select the Kernel for the CISS.debian.installer" \
--radiolist "Kernel available \n *+bpo* : Debian Backported Kernel \n *cloud* : Special lightweight images for KVM \n *unsigned* : Unsigned Kernel \n *preempt_rt* : Special Kernel for real-time-computing \n Not unsigned marked are MS signed Kernel for Secure Boot \n" 0 0 "${options[@]}" 3>&1 1>&2 2>&3 3>&-)
--title "Select the Kernel for the target system." \
--radiolist "Kernel available: \n" 0 0 "${options[@]}" 3>&1 1>&2 2>&3 3>&-)
then
@@ -129,7 +136,7 @@ EOF
--ascii-lines \
--clear \
--backtitle "CISS.debian.installer" \
--title "Select the Kernel for the CISS.debian.installer" \
--title "Select the Kernel for the target system." \
--scrollbar \
--textbox "${VAR_NOTES}" 32 128
clear
@@ -140,8 +147,10 @@ EOF
fi
done
declare -gx VAR_IN_DIALOG_WR="false"
# shellcheck disable=SC2312
cat "${VAR_DIALOG}" | tail -n 30
cat "${VAR_DIALOG}" | tail -n 64
return 0
}
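Review bot: The sort failure message `printf "❌ Error 0110_check_kernel.sh Line 84 sort failed\n" >&2` still names the old file (the module is now sourced as 0110_dialog_kernel.sh) and hard-codes a line number this very commit had to bump from 52 to 84; use `printf '❌ Error %s Line %s sort failed\n' "${BASH_SOURCE[0]##*/}" "${LINENO}" >&2` so it stays correct. That path also returns the bare `42` rather than one of the project's ERR_* constants and blocks on an interactive `read -p`, which is inconsistent with the do_log/return-code handling used elsewhere in the function. The header's Globals list now names VAR_DIALOG and VAR_VERSION; VAR_IN_DIALOG_WR is also written here (`declare -gx VAR_IN_DIALOG_WR="text"` and `"false"`) and should be listed too.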


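--- a/lib/cdi_0110_interactive/0115_check_provider.sh
+++ /dev/null
@@ -1,69 +0,0 @@
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-# TODO: Update this module
-guard_sourcing
-#######################################
-# Notes Textbox
-# Arguments:
-# None
-#######################################
-check_provider() {
-clear
-cat << 'EOF' >| "${VAR_NOTES}"
-Build: Master V8.00.000.2025.06.17
-Press 'EXIT' to continue with CISS.debian.installer.
-When you provision ISO images using the Netcup provider, you MUST always supply a globally unique identifier
-for each image via the --control argument. If you omit this flag or reuse an existing identifier, Netcup's
-backend will automatically locate and mount the oldest ISO carrying that same name. In practice, this means
-you might believe you're booting a freshly uploaded image, but in fact, the system silently reattaches an
-earlier one-leading to confusing failures and wasted troubleshooting time.
-A separate but related issue emerges when booting certain Debian "cloud" kernel images-specifically those
-matching the patterns *.+bpo-cloud-amd64 or *.+bpo-cloud-arm64-on a Netcup G11 instance or on a Hetzner VM.
-After the initramfs is loaded, the console output often becomes garbled or completely unreadable. This is not
-due to a kernel panic, but rather to a mismatch between the framebuffer mode expected by the initramfs and the
-one actually provided by the virtual hardware. Common workarounds, like editing the boot entry (e) and appending
-- 'nomodeset', or
-- 'vga=0x318',
-do not resolve the issue because they address legacy VGA modes rather than the EFI framebuffer parameters used
-in modern cloud images.
-To mitigate this, you can:
-- Use a plain Debian kernel (e.g., linux-image-amd64) instead of the bpo-cloud variants, which are optimized
-for cloud-init but presume a different console setup.
-- Explicitly set an EFI-compatible framebuffer by adding something like 'video=efifb:mode=auto' to the kernel
-command line. This aligns the initramfs console driver with the actual firmware framebuffer.
-- Build a custom initramfs that includes the correct video modules or switches back to a serial console. For
-example, adding 'console=ttyS0,115200' can force all early messages to the serial port bypassing the
-graphical framebuffer entirely.
-EOF
-dialog --no-collapse \
---ascii-lines \
---clear \
---backtitle "CISS.debian.installer" \
---title "Important Notes" \
---scrollbar \
---textbox "${VAR_NOTES}" 32 128
-clear
-}
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh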


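--- /dev/null
+++ b/lib/cdi_0110_interactive/0115_dialog_notes.sh
@@ -0,0 +1,81 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+guard_sourcing
+#######################################
+# Notes Textbox.
+# Arguments:
+# None
+#######################################
+dialog_notes() {
+clear
+cat << EOF >| "${VAR_NOTES}"
+CISS.debian.installer
+Build: ${VAR_VERSION}
+Press 'EXIT' to return to the CISS.debian.installer.
+CISS.debian.installer [CDI] - Hardened & Deterministic Debian Installation Framework
+The CISS.debian.installer is a custom, security-focused installation framework built from scratch,
+with profound modifications aimed at deterministic behaviour, cryptographic integrity, and minimal
+attack surface throughout the entire installation process.
+Unlike the stock Debian Installer, which prioritizes broad compatibility and modularity, CDI places
+emphasis on strict reproducibility, fine-grained control, and maximal hardening even during early
+bootstrapping. Every installation is driven by a pre-seeded, YAML-based configuration model,
+eliminating interactive ambiguity and reducing the risk of misconfiguration.
+Key features include:
+- Full-Disk Encryption (FDE) by default, including encrypted [/boot], using LUKS2 with Argon2id KDF,
+optional two-factor unlocking, and dm-integrity support.
+- Dropbear SSH integration in the initramfs, enabling remote unlocking of encrypted volumes over a
+secured channel with full key-based authentication and hardened SSHD configuration.
+- Secure Boot integration using user-managed Platform Keys (PK/KEK/DB) and signed GRUB/kernel
+binaries without relying on Microsofts root certificates.
+- Modular architecture with trap-based error handling, differential runtime tracing, and strict Bash
+safety flags [set -Ceuo pipefail] enforced across all sourced modules.
+- Btrfs-native RAID1/RAID6 layout support with post-install volume extensions, snapshot orchestration,
+and separate ephemeral volumes for [/tmp] and [SWAP].
+All components are validated using static analysis and runtime verification. A deterministic runtime
+model ensures that the system state post-install is both reproducible and audit-ready.
+CDI avoids [LVM] to reduce architectural complexity, instead relying on dm-crypt, GPT partitioning,
+and direct volume mapping. Secure Boot compliant GRUB installation, including fallback paths under
+default [/EFI/BOOT/].
+With a rigorous security baseline, hardened defaults, and strict validation checkpoints, the new
+CISS.debian.installer is designed for high-assurance environments, air-gapped deployments, and
+scenarios where control, auditability, and long-term reproducibility are paramount.
+EOF
+declare -gx VAR_IN_DIALOG_WR="text"
+dialog --no-collapse \
+--ascii-lines \
+--clear \
+--backtitle "CISS.debian.installer" \
+--title "Important Notes" \
+--scrollbar \
+--textbox "${VAR_NOTES}" 32 128
+clear
+declare -gx VAR_IN_DIALOG_WR="false"
+# shellcheck disable=SC2312
+cat "${VAR_DIALOG}" | tail -n 64
+return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh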
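Review bot: dialog_notes has no Globals entry in its header although it reads VAR_NOTES, VAR_VERSION and VAR_DIALOG and writes VAR_IN_DIALOG_WR; add the same block dialog_kernel carries, `# Globals:` followed by `#   VAR_DIALOG`, `#   VAR_IN_DIALOG_WR`, `#   VAR_NOTES`, `#   VAR_VERSION`. `dialog --textbox` returns a non-zero status when the box is left with ESC rather than EXIT; if `set -e` is in force in this module, as the notes text itself claims (`set -Ceuo pipefail`), that keystroke drops into the error trap instead of returning to the caller, so either append `|| true` to the dialog call or check `$?` explicitly. The heredoc is deliberately unquoted so `${VAR_VERSION}` expands, but that also means any future `$` or backtick in the notes prose will be expanded; a comment saying so above `cat << EOF` would save the next editor a surprise.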


@@ -108,8 +108,10 @@ dialog_box() {
#######################################
# Dialog Program Box Cleaner.
# Globals:
# FD_SAVE_OUT
# PID_DIALOG_BOX
# PIPE_DIALOG_BOX
# VAR_IN_DIALOG_WR
# Arguments:
# None
#######################################
@@ -131,8 +133,10 @@ dialog_box_cleaner() {
#######################################
# Dialog Gauge Bar Cleaner.
# Globals:
# FD_GAUGE
# PID_DIALOG_GAUGE
# PIPE_DIALOG_GAUGE
# VAR_IN_DIALOG_WR
# Arguments:
# None
#######################################
@@ -150,4 +154,17 @@ dialog_gauge_cleaner() {
clean_screen
sleep 1
}
#######################################
# Dialog Gauge Bar Cleaner.
# Globals:
# VAR_IN_DIALOG_WR
# Arguments:
# None
#######################################
dialog_text_cleaner() {
declare -gx VAR_IN_DIALOG_WR="false"
clean_screen
sleep 1
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
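Review bot: The header above dialog_text_cleaner reads `# Dialog Gauge Bar Cleaner.`, copied from the gauge function; change it to `# Dialog Text Box Cleaner.`. Unlike dialog_box_cleaner and dialog_gauge_cleaner, whose headers list PID/PIPE/FD globals, this one only resets VAR_IN_DIALOG_WR and clears the screen, which appears to be because the textbox callers run dialog in the foreground rather than behind a FIFO; a one-line comment stating that there is no background process or pipe to tear down would explain the asymmetry to the next reader.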


@@ -62,7 +62,7 @@ source_guard "./func/cdi_4100_base/4150_installation_chrony.sh"
source_guard "./func/cdi_4200_boot/4200_generate_fstab.sh"
source_guard "./func/cdi_4200_boot/4210_generate_crypttab.sh"
source_guard "./func/cdi_4200_boot/4220_installation_cryptsetup.sh"
source_guard "./func/cdi_4200_boot/4230_update_grub.sh"
source_guard "./func/cdi_4200_boot/4230_installation_grub.sh"
source_guard "./func/cdi_4200_boot/4240_update_grub_password.sh"
source_guard "./func/cdi_4200_boot/4250_update_grub_bootparameter.sh"


@@ -42,8 +42,8 @@ source_guard "./lib/cdi_0100_arg/0103_arg_priority_check.sh"
source_guard "./lib/cdi_0100_arg/0104_arg_passphrase_modules.sh"
source_guard "./lib/cdi_0100_arg/0105_arg_nuke_converter.sh"
source_guard "./lib/cdi_0110_interactive/0110_check_kernel.sh"
#source_guard "./lib/cdi_0110_interactive/0115_check_provider.sh"
source_guard "./lib/cdi_0110_interactive/0110_dialog_kernel.sh"
source_guard "./lib/cdi_0110_interactive/0115_dialog_notes.sh"
source_guard "./lib/cdi_0200_dialog/0200_dialog_helper.sh"


@@ -51,6 +51,7 @@ declare -girx ERR_READ_NUKE_FILE=222 # Error reading the Luks Nuke password f
declare -girx ERR_READ_GRUB_FILE=221 # Error reading the Grub password file.
declare -girx ERR_READ_PASS_FILE=220 # Error reading the password file.
declare -girx ERR_GENERATE_SALT=219 # Error generating salt.
declare -girx ERR_VAR_REGEX_CHK=218 # Error checking VAR against REGEX.
### Definition of error trap vars.
declare -gx ERRCODE="" # = $? = $1 = ERRCODE