V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/partitioning/3200_partitioning.sh

@@ -0,0 +1,112 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Function that generates each partition on each device according to the chosen recipe string.
+# Globals:
+#   HMP_PATH_PARTUUID
+#   VAR_RECIPE_STRING
+#   VAR_RECIPE_TABLE
+#   VAR_SETUP_PART
+# Arguments:
+#   None
+# Returns:
+#   ERR_PARTITIONTBL
+#   ERR_PART_CREATE
+#   ERR_PART_READ
+#   ERR_TABLE_CREATE
+#   ERR_TABLE_DELETE
+#   0: on success
+#######################################
+partitioning() {
+  ### Declare Arrays and Variables.
+  declare -Agx HMP_PATH_PARTUUID
+  declare var_dev var_part var_end_arg var_begin var_end var_fs var_boot var_pri var_uuid var_mount_path
+  declare -a ary_devs ary_parts
+
+  ### Iterate over all devices in the recipe.
+  readarray -t ary_devs < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}")
+  for var_dev in "${ary_devs[@]}"; do
+
+    ### All current data for the respective device will be deleted.
+    if ! blkdiscard "/dev/${var_dev}"; then
+      do_log "fatal" "false" "Partition table deletion '/dev/${var_dev}' failed."
+      return "${ERR_TABLE_DELETE}"
+    fi
+
+    do_log "info" "false" "Partition table of '/dev/${var_dev}' discarded."
+
+    case "${VAR_RECIPE_TABLE,,}" in
+
+      gpt|mbr)
+        if ! parted -s "/dev/${var_dev}" mklabel "${VAR_RECIPE_TABLE,,}"; then
+          do_log "fatal" "false" "Partition table creation '/dev/${var_dev}' failed."
+          return "${ERR_TABLE_CREATE}"
+        fi
+        do_log "info" "false" "Partition table '${VAR_RECIPE_TABLE}' of '/dev/${var_dev}' generated."
+        ;;
+      *)
+        do_log "fatal" "false" "No valid partition table chosen. String was '${VAR_RECIPE_TABLE}'."
+        return "${ERR_PARTITIONTBL}"
+        ;;
+
+    esac
+
+    ### Iterate over all partitions for this device.
+    readarray -t ary_parts < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}")
+    for var_part in "${ary_parts[@]}"; do
+
+      ### Extract parameters from YAML.
+      var_begin=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.begin"           "${VAR_SETUP_PART}")
+      var_end=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.end"               "${VAR_SETUP_PART}")
+      var_fs=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.version" "${VAR_SETUP_PART}")
+      var_boot=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.bootable"         "${VAR_SETUP_PART}")
+      var_pri=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.primary"           "${VAR_SETUP_PART}")
+      var_mount_path=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.path" "${VAR_SETUP_PART}")
+
+      ### Generate partition.
+      if [[ "${var_end}" == "-1" ]]; then
+        var_end_arg="100%"
+      else
+        var_end_arg="${var_end}"
+      fi
+
+      if ! parted -s "/dev/${var_dev}" mkpart "${var_pri}" "${var_fs}" "${var_begin}" "${var_end_arg}"; then
+        do_log "fatal" "false" "Partition creation '/dev/${var_dev}${var_part}' failed."
+        return "${ERR_PART_CREATE}"
+      fi
+
+      do_log "info" "false" "Partition generated: '${var_part}' | on device '/dev/${var_dev}' | begin: '${var_begin}' | end: '${var_end_arg}'."
+
+      ### Set the bootable flag if necessary.
+      if [[ "${var_boot,,}" == "true" ]]; then
+        parted -s "/dev/${var_dev}" set "${var_part}" boot on
+        do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' marked as bootable."
+      fi
+
+      ### Store UUID of the partition.
+      var_uuid=$(blkid -s UUID -o value "/dev/${var_dev}${var_part}")
+      if [[ -z "${var_uuid}" ]]; then
+        do_log "fatal" "false" "WARNING: could not read UUID for '/dev/${var_dev}${var_part}'."
+        return "${ERR_PART_READ}"
+      else
+        HMP_PATH_PARTUUID["UUID_${var_mount_path}"]="${var_uuid}"
+      fi
+
+    done
+
+  done
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/partitioning/3220_partition_encryption.sh

@@ -0,0 +1,156 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Function to encrypt the respective partition on each device according to the chosen recipe string.
+# Globals:
+#   DIR_BAK
+#   DIR_CNF
+#   HMP_EPHEMERAL_DEV
+#   HMP_EPHEMERAL_ENCLABEL
+#   HMP_EPHEMERAL_FS_LABEL
+#   HMP_PATH_ENCLABEL
+#   HMP_PATH_LUKSUUID
+#   VAR_CRYPT_ROOT
+#   VAR_RECIPE_STRING
+#   VAR_SETUP_PART
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+partition_encryption() {
+  ### Declare Arrays and Variables.
+  declare -Agx HMP_EPHEMERAL_DEV HMP_EPHEMERAL_ENCLABEL HMP_EPHEMERAL_FS_LABEL HMP_PATH_LUKSUUID HMP_PATH_ENCLABEL
+  declare var_dev var_part \
+    var_encryption_enable var_encryption_ephemeral var_encryption_integrity var_encryption_cipher \
+    var_encryption_hash var_encryption_iter var_encryption_key var_encryption_label var_encryption_meta \
+    var_encryption_pbkdf var_encryption_rng var_filesystem_label var_mount_path var_uuid
+  declare -a ary_devs=() ary_parts=() ary_luks_opts=()
+
+  ### Iterate over all devices in the recipe.
+  readarray -t ary_devs < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}")
+  for var_dev in "${ary_devs[@]}"; do
+
+    ### Iterate over all partitions for this device.
+    readarray -t ary_parts < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}")
+    for var_part in "${ary_parts[@]}"; do
+
+      ### Extract parameters from YAML.
+      var_encryption_enable=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.enable"       "${VAR_SETUP_PART}")
+      var_encryption_ephemeral=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.ephemeral" "${VAR_SETUP_PART}")
+      var_encryption_integrity=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.integrity" "${VAR_SETUP_PART}")
+      var_encryption_cipher=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.cipher"       "${VAR_SETUP_PART}")
+      var_encryption_hash=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.hash"           "${VAR_SETUP_PART}")
+      var_encryption_iter=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.itertime"       "${VAR_SETUP_PART}")
+      var_encryption_key=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.key"             "${VAR_SETUP_PART}")
+      var_encryption_label=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.label"         "${VAR_SETUP_PART}")
+      var_encryption_meta=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.metadatasize"   "${VAR_SETUP_PART}")
+      var_encryption_pbkdf=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.pbkdf"         "${VAR_SETUP_PART}")
+      var_encryption_rng=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.rng"             "${VAR_SETUP_PART}")
+      var_filesystem_label=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.label"         "${VAR_SETUP_PART}")
+      var_mount_path=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.path"                     "${VAR_SETUP_PART}")
+
+      if [[ "${var_encryption_enable,,}" != "true" ]]; then
+        continue
+      fi
+
+      if [[ "${var_mount_path,,}" == "/boot" ]]; then
+        ary_luks_opts=( "--key-file=${DIR_CNF}/password_luks_boot.txt" )
+      else
+        ary_luks_opts=( "--key-file=${DIR_CNF}/password_luks_common.txt" )
+      fi
+
+      ary_luks_opts+=(
+        "--type luks2"
+        "--cipher ${var_encryption_cipher}"
+        "--hash ${var_encryption_hash}"
+        "--iter-time ${var_encryption_iter}"
+        "--key-size ${var_encryption_key}"
+        "--label ${var_encryption_label}"
+        "--luks2-metadata-size ${var_encryption_meta}"
+        "--pbkdf ${var_encryption_pbkdf}"
+        "--${var_encryption_rng}"
+        "--batch-mode --verbose"
+      )
+
+      [[ "${var_encryption_integrity,,}" == "true" ]] && ary_luks_opts+=( "--integrity hmac-sha512" )
+
+      if [[ "${var_encryption_ephemeral,,}" == "true" ]]; then
+
+        case "${var_mount_path}" in
+
+          SWAP|/tmp)
+
+            mkfs.ext4 -L "${var_filesystem_label}" "/dev/${var_dev}${var_part}" 1M
+            do_log "info" "true" "Ephemeral: '${var_mount_path}' prepared on: '/dev/${var_dev}${var_part}'."
+
+            HMP_EPHEMERAL_DEV["${var_mount_path}"]="/dev/${var_dev}${var_part}"
+            HMP_EPHEMERAL_ENCLABEL["${var_mount_path}"]="${var_encryption_label}"
+            HMP_EPHEMERAL_FS_LABEL["${var_mount_path}"]="${var_filesystem_label}"
+            do_log "info" "true" "Stored in HashMap [HMP_EPHEMERAL_DEV]     : '${var_mount_path}' -> '${HMP_EPHEMERAL_DEV["${var_mount_path}"]}'"
+            do_log "info" "true" "Stored in HashMap [HMP_EPHEMERAL_ENCLABEL]: '${var_mount_path}' -> '${HMP_EPHEMERAL_ENCLABEL["${var_mount_path}"]}'"
+            continue
+            ;;
+
+          *)
+            do_log "error" "true" "Invalid mount path: '${var_mount_path}' for partition: '/dev/${var_dev}${var_part}'."
+            continue
+            ;;
+
+        esac
+
+      fi
+
+      cryptsetup luksFormat "${ary_luks_opts[@]}" "/dev/${var_dev}${var_part}"
+
+      if [[ "${var_encryption_integrity,,}" == "true" ]]; then
+
+        do_log "info" "true" "Partition: '/dev/${var_dev}${var_part}' dm-integrity encrypted."
+
+      else
+
+        do_log "info" "true" "Partition: '/dev/${var_dev}${var_part}' encrypted."
+
+      fi
+
+      cryptsetup luksHeaderBackup --header-backup-file="${DIR_BAK}/luks_header_${var_dev}${var_part}.bak" "/dev/${var_dev}${var_part}"
+      do_log "info" "true" "Partition: '/dev/${var_dev}${var_part}' LUKS Header saved: '${DIR_BAK}/luks_header_${var_dev}${var_part}.bak'."
+
+      ### Opening encrypted container.
+      if [[ "${var_mount_path,,}" == "/boot" ]]; then
+        cryptsetup luksOpen "/dev/${var_dev}${var_part}" \
+          --key-file="${DIR_CNF}/password_luks_boot.txt" \
+          "${var_encryption_label}"
+      else
+        cryptsetup luksOpen "/dev/${var_dev}${var_part}" \
+          --key-file="${DIR_CNF}/password_luks_common.txt" \
+          "${var_encryption_label}"
+      fi
+      do_log "info" "true" "Partition: '/dev/${var_dev}${var_part}' opened as '/dev/mapper/${var_encryption_label}'."
+
+      ### Store UUID of the LUKS container.
+      var_uuid=$(blkid -s UUID -o value "/dev/mapper/${var_encryption_label}")
+      # shellcheck disable=SC2155
+      [[ "${var_mount_path}" == "/" ]] && declare -grx VAR_CRYPT_ROOT="${var_uuid}"
+      [[ "${var_mount_path}" == "/recovery" ]] && declare -grx VAR_CRYPT_RECOVERY="${var_uuid}"
+      HMP_PATH_LUKSUUID["UUID_${var_mount_path}"]="${var_uuid}"
+      HMP_PATH_ENCLABEL["LABEL_${var_mount_path}"]="${var_encryption_label}"
+
+    done
+
+  done
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/partitioning/3240_partition_formatting.sh

@@ -0,0 +1,113 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Function to format the respective partition on each device according to the recipe string chosen.
+# Globals:
+#   DIR_LOG
+#   HMP_PATH_FSUUID
+#   VAR_RECIPE_STRING
+#   VAR_SETUP_PART
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+partition_formatting() {
+  ### Declare Arrays and Variables.
+  declare -Agx HMP_PATH_FSUUID
+  declare var_dev var_part \
+    var_encryption_enable var_encryption_label var_fs_btrfs_checksum var_fs_btrfs_compress var_fs_btrfs_dedup \
+    var_fs_format var_fs_label var_fs_options var_fs_version var_mount_path var_node var_fs_uuid
+  declare -a ary_devs ary_parts ary_opts ary_fmt_opts
+
+  ### Iterate over all devices in the recipe.
+  readarray -t ary_devs < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}")
+  for var_dev in "${ary_devs[@]}"; do
+
+    ### Iterate over all partitions for this device.
+    readarray -t ary_parts < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}")
+    for var_part in "${ary_parts[@]}"; do
+
+      ### Extract parameters from YAML.
+      var_encryption_enable=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.enable"         "${VAR_SETUP_PART}")
+      var_encryption_label=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.label"           "${VAR_SETUP_PART}")
+      var_fs_btrfs_checksum=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.btrfs.checksum" "${VAR_SETUP_PART}")
+      var_fs_btrfs_compress=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.btrfs.compress" "${VAR_SETUP_PART}")
+      var_fs_btrfs_dedup=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.btrfs.dedup"       "${VAR_SETUP_PART}")
+      var_fs_format=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.format"                 "${VAR_SETUP_PART}")
+      var_fs_label=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.label"                   "${VAR_SETUP_PART}")
+      var_fs_options=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.options"               "${VAR_SETUP_PART}")
+      var_fs_version=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.version"               "${VAR_SETUP_PART}")
+      var_mount_path=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.path"                       "${VAR_SETUP_PART}")
+
+      [[ "${var_fs_format,,}" != "true" ]] && continue
+
+      ### Preparation of Ephemeral 'SWAP' and '/tmp' as per https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption#UUID_and_LABEL
+      case "${var_mount_path,,}" in
+        swap|/tmp)
+            mkfs.ext4 -L "${var_fs_label}" "/dev/${var_dev}${var_part}" 1M
+          do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' ephemeral encryption prepared for: '${var_mount_path}'."
+          continue
+          ;;
+      esac
+
+      if [[ "${var_encryption_enable,,}" == "true" ]]; then
+        var_node="/dev/mapper/${var_encryption_label}"
+      else
+        var_node="/dev/${var_dev}${var_part}"
+      fi
+
+      case "${var_fs_version,,}" in
+
+        btrfs)
+          ary_opts=( -L "${var_fs_label}" -f --csum "${var_fs_btrfs_checksum}" -O compress="${var_fs_btrfs_compress}" )
+          [[ "${var_fs_btrfs_dedup,,}" == "true" ]] && ary_opts+=( -m dup )
+          mkfs.btrfs "${ary_opts[@]}" "${var_node}"
+          do_log "info" "false" "Partition: '${var_node}' formatted: btrfs."
+          echo "Partition: '${var_node}':" >> "${DIR_LOG}/btrfs.log"
+          btrfs filesystem show "${var_node}" >> "${DIR_LOG}/btrfs.log"
+          var_fs_uuid=$(blkid -s UUID -o value "${var_node}")
+          HMP_PATH_FSUUID["UUID_${var_mount_path}"]="${var_fs_uuid}"
+          ;;
+
+        ext4)
+          read -r -a ary_fmt_opts <<< "${var_fs_options}"
+          mkfs.ext4 -L "${var_fs_label}" "${ary_fmt_opts[@]}" "${var_node}"
+          do_log "info" "false" "Partition: '${var_node}' formatted: ext4."
+          echo "Partition: '${var_node}':" >> "${DIR_LOG}/ext4.log"
+          tune2fs -l "${var_node}" >> "${DIR_LOG}/ext4.log"
+          var_fs_uuid=$(blkid -s UUID -o value "${var_node}")
+          HMP_PATH_FSUUID["UUID_${var_mount_path}"]="${var_fs_uuid}"
+          ;;
+
+        fat32)
+          mkfs.fat -F 32 -n "${var_fs_label}" "${var_node}"
+          do_log "info" "false" "Partition: '${var_node}' formatted: FAT32."
+          var_fs_uuid=$(blkid -s UUID -o value "${var_node}")
+          HMP_PATH_FSUUID["UUID_${var_mount_path}"]="${var_fs_uuid}"
+          ;;
+
+        *)
+          do_log "error" "false" "Unsupported filesystem format: '${var_fs_version}'."
+          ;;
+
+      esac
+
+    done
+
+  done
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/partitioning/3260_setup_filesystem.sh

@@ -0,0 +1,75 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Function to prepare the filesystem to mount each partition on the respective path.
+# Globals:
+#   HMP_MOUNTPATH_DEV
+#   VAR_RECIPE_STRING
+#   VAR_SETUP_PART
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+setup_filesystem() {
+  ### Declare Arrays and Variables.
+  declare -Ag HMP_MOUNTPATH_DEV
+  declare var_dev var_part var_encryption_enable var_encryption_label var_mount_enable var_mount_path var_node
+  declare -a ary_devs ary_parts
+
+  ### Iterate over all devices in the recipe.
+  readarray -t ary_devs < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}")
+  for var_dev in "${ary_devs[@]}"; do
+
+    ### Iterate over all partitions for this device.
+    readarray -t ary_parts < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}")
+    for var_part in "${ary_parts[@]}"; do
+
+      ### Extract parameters from YAML.
+      var_encryption_enable=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.enable" "${VAR_SETUP_PART}")
+      var_encryption_label=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.label"   "${VAR_SETUP_PART}")
+      var_mount_enable=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.enable"           "${VAR_SETUP_PART}")
+      var_mount_path=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.path"               "${VAR_SETUP_PART}")
+
+      [[ -z "${var_mount_path}" ]] && continue
+
+      [[ "${var_mount_enable,,}" != "true" ]] && continue
+
+      [[ "${var_mount_path,,}" == "swap" || "${var_mount_path,,}" == "/tmp" ]] && continue
+
+      if [[ "${var_encryption_enable}" == "true" ]]; then
+
+        var_node="/dev/mapper/${var_encryption_label}"
+
+      elif [[ "${var_encryption_enable}" == "false" ]]; then
+
+        var_node="/dev/${var_dev}${var_part}"
+
+      else
+
+        do_log "error" "false" "Invalid value for encryption_enable: '${var_encryption_enable}', should be true or false."
+        continue
+
+      fi
+
+      HMP_MOUNTPATH_DEV["${var_mount_path}"]="${var_node}"
+      do_log "info" "false" "Saved in HashMap HMP_MOUNTPATH_DEV: '${var_mount_path}' -> '${HMP_MOUNTPATH_DEV["${var_mount_path}"]}'"
+
+    done
+
+  done
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/partitioning/3280_mount_partition.sh

@@ -0,0 +1,240 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Validates var_mount_path to be processed.
+# Arguments:
+#   1 var_mount_path
+# Returns:
+#   0: Skip mounting
+#   1: Process mount
+#######################################
+skip_path() {
+  declare -a ary_skip=( "/" "/boot" "/boot/efi" "/recovery" )
+  declare p
+  for p in "${ary_skip[@]}"; do [[ "$1" == "$p" ]] && return 0; done
+  return 1
+}
+
+#######################################
+# Function to create the mount path and mount the respective device on it.
+# Globals:
+#   ERR_MOUNTING_DEV
+#   TARGET
+# Arguments:
+#   1: MOUNT_PATH
+#   2: MOUNT_DEVICE
+#   3: MOUNT_OPTIONS
+#######################################
+mount_with_dir() {
+  declare var_mount_path="$1" var_mount_device="$2" var_mount_options="$3"
+
+  [[ "${var_mount_path}" != "/" ]] && mkdir -p "${TARGET}${var_mount_path}"
+
+  ### Build the command in an array to keep word boundaries intact
+  declare -a ary_cmd=(mount)
+  [[ -n "${var_mount_options}" ]] && ary_cmd+=("-o" "${var_mount_options}")
+  ary_cmd+=("${var_mount_device}" "${TARGET}${var_mount_path}")
+
+  safe_exec "${ary_cmd[@]}" "${ERR_MOUNTING_DEV}" || return
+  do_log "info" "false" "Mounted: '${var_mount_device}' on: '${TARGET}${var_mount_path}' (Options='${var_mount_options}')."
+}
+
+#######################################
+# Device Path Resolver
+# Arguments:
+#   1: Device
+#   2: Partition
+#   3: Boolean Encryption
+#   4: Encryption Label
+#######################################
+resolve_device() {
+  declare local_var_dev="$1" local_var_partition="$2" local_var_enc_boolean="$3" local_var_enc_label="$4"
+  if [[ "${local_var_enc_boolean,,}" == true ]]; then
+    printf '/dev/mapper/%s' "${local_var_enc_label}"
+  else
+    printf '/dev/%s%s' "${local_var_dev}" "${local_var_partition}"
+  fi
+}
+
+#######################################
+# Validates btrfs compression algo and level.
+# Arguments:
+#   1 var_fs_btrfs_compress
+#   2 var_fs_btrfs_level
+# Returns:
+#   0: Valid combination.
+#   1: Invalid combination.
+#######################################
+validate_btrfs_compression() {
+  declare var_algo="$1" var_level="$2"
+  case "${var_algo}:${var_level}" in
+    zstd:|zstd:[0-9]|zstd:1[0-9]|zstd:2[0-2]|lzo:) return 0 ;;
+    *) do_log "error" "false" "Invalid btrfs compression '${var_algo}:${var_level}'"; return "${ERR_BTRFS_OPTION}" ;;
+  esac
+}
+
+#######################################
+# Function for mounting all partitions for debootstrap, including the generation of btrfs subvolumes.
+# Globals:
+#   HMP_MOUNTPATH_DEV
+#   TARGET
+#   VAR_RECIPE_STRING
+#   VAR_SAFE_MNT_BASE
+#   VAR_SETUP_PART
+# Arguments:
+#   None
+# Returns:
+#   ERR_BTRFS_INITPH
+#   ERR_BTRFS_OPTION
+#   ERR_BTRFS_SUBVOL
+#   ERR_MOUNTING_DEV
+#   ERR_MOUNTING_ROOT
+#   0: on success
+#######################################
+mount_partition() {
+  ### Mount "/"-filesystem
+  declare -r var_mount_path_root="/"
+
+  if [[ -n ${HMP_MOUNTPATH_DEV[$var_mount_path_root]} ]]; then
+
+    mount_with_dir "${var_mount_path_root}" "${HMP_MOUNTPATH_DEV[$var_mount_path_root]}" || return "${ERR_MOUNTING_DEV}"
+
+  else
+
+    do_log "error" "false" "Root-filesystem '${var_mount_path_root}' not found in Hashmap."
+    return "${ERR_MOUNTING_ROOT}"
+
+  fi
+
+  ### Ensure order of "/boot" and "/boot/efi"
+  declare var_path
+
+  for var_path in "/boot" "/boot/efi"; do
+
+    if [[ -n ${HMP_MOUNTPATH_DEV[${var_path}]} ]]; then
+
+      mount_with_dir "${var_path}" "${HMP_MOUNTPATH_DEV[${var_path}]}" || return "${ERR_MOUNTING_DEV}"
+
+    else
+
+      do_log "info" "false" "Entry '${var_path}' not found in Hashmap."
+
+    fi
+
+  done
+
+  declare var_dev var_part \
+    var_fs_btrfs_compress var_fs_btrfs_level var_fs_btrfs_subvolume var_fs_btrfs_snapshot \
+    var_encryption_enable var_encryption_label \
+    var_fs_label var_fs_options var_fs_version var_mount_path var_mount_options var_mount_optsnap
+  declare -a ary_devs ary_parts
+
+  ### Iterate over all devices in the recipe.
+  readarray -t ary_devs < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev | keys | .[]" "${VAR_SETUP_PART}")
+  for var_dev in "${ary_devs[@]}"; do
+
+    ### Iterate over all partitions for this device.
+    readarray -t ary_parts < <(yq e -r ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev} | keys | .[]" "${VAR_SETUP_PART}")
+    for var_part in "${ary_parts[@]}"; do
+
+      ### Extract parameters from YAML.
+      var_fs_btrfs_compress=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.btrfs.compress"   "${VAR_SETUP_PART}")
+      var_fs_btrfs_level=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.btrfs.level"         "${VAR_SETUP_PART}")
+      var_fs_btrfs_subvolume=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.btrfs.subvolume" "${VAR_SETUP_PART}")
+      var_fs_btrfs_snapshot=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.btrfs.snapshot"   "${VAR_SETUP_PART}")
+      var_encryption_enable=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.enable"           "${VAR_SETUP_PART}")
+      var_encryption_label=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.encryption.label"             "${VAR_SETUP_PART}")
+      var_fs_label=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.label"                     "${VAR_SETUP_PART}")
+      var_fs_options=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.options"                 "${VAR_SETUP_PART}")
+      var_fs_version=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.filesystem.version"                 "${VAR_SETUP_PART}")
+      var_mount_path=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.path"                         "${VAR_SETUP_PART}")
+      var_mount_options=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.options"                   "${VAR_SETUP_PART}")
+      var_mount_optsnap=$(yq_val ".recipe.${VAR_RECIPE_STRING}.dev.${var_dev}.${var_part}.mount.optsnap"                   "${VAR_SETUP_PART}")
+
+      ### Skip already mounted paths ("/", "/boot", "/boot/efi") and skip ("/recovery")
+      skip_path "${var_mount_path}" && continue
+
+      if [[ "${var_mount_path}" == "SWAP" ]]; then
+
+        cryptsetup open --type plain --key-file /dev/random \
+          --offset 2048 --cipher aes-xts-plain64 --key-size 512 \
+          --sector-size 4096 "/dev/disk/by-label/${var_fs_label}" "${var_encryption_label}"
+        mkswap "/dev/mapper/${var_encryption_label}"
+        swapon "/dev/mapper/${var_encryption_label}"
+        do_log "info" "false" "Mounted: '${var_mount_path}' on: '/dev/mapper/${var_encryption_label}'."
+        continue
+
+      elif [[ "${var_mount_path}" == "/tmp" ]]; then
+
+        cryptsetup open --type plain --key-file /dev/random \
+          --offset 2048 --cipher aes-xts-plain64 --key-size 512 \
+          --sector-size 4096 "/dev/disk/by-label/${var_fs_label}" "${var_encryption_label}"
+        mkdir -p "${TARGET}/tmp"
+        mkfs.ext4 "/dev/mapper/${var_encryption_label}"
+
+        ### Build the command in an array to keep word boundaries intact
+        declare -a ary_cmd2=(mount)
+        [[ -n "${var_mount_options}" ]] && ary_cmd2+=("-o" "${var_mount_options}")
+        ary_cmd2+=("/dev/mapper/${var_encryption_label}" "${TARGET}${var_mount_path}")
+
+        safe_exec "${ary_cmd2[@]}" "${ERR_MOUNTING_DEV}" || return "${ERR_MOUNTING_DEV}"
+        do_log "info" "false" "Mounted: '${var_mount_path}' on: '/dev/mapper/${var_encryption_label}'."
+        continue
+
+      fi
+
+      declare var_resolved_dev
+      var_resolved_dev=$(resolve_device "${var_dev}" "${var_part}" "${var_encryption_enable}" "${var_encryption_label}")
+
+      if [[ "${var_fs_version,,}" == btrfs ]]; then
+
+        ### Mount toplevel (subvolid=0) *without* extra options
+        declare -a ary_cmd_mount=(mount -o "subvolid=0" "${var_resolved_dev}" "${VAR_SAFE_MNT_BASE}")
+        safe_exec "${ary_cmd_mount[@]}" "${ERR_BTRFS_INITPH}" || return "${ERR_BTRFS_INITPH}"
+
+        btrfs subvolume create "${VAR_SAFE_MNT_BASE}"/"${var_fs_btrfs_subvolume}"
+
+        if [[ -n "${var_fs_btrfs_snapshot}" ]]; then
+          btrfs subvolume create "${VAR_SAFE_MNT_BASE}"/"${var_fs_btrfs_snapshot}" || return "${ERR_BTRFS_SUBVOL}"
+        fi
+
+        umount "${VAR_SAFE_MNT_BASE}"
+
+      fi
+
+      case "${var_fs_version,,}:${var_encryption_enable,,}" in
+        btrfs:*)
+          validate_btrfs_compression "${var_fs_btrfs_compress}" "${var_fs_btrfs_level}" || return "${ERR_BTRFS_OPTION}"
+          declare var_btrfs_compression_options="compress=${var_fs_btrfs_compress}:${var_fs_btrfs_level}"
+          [[ -n "${var_mount_options}" ]] && var_btrfs_compression_options+=",${var_mount_options}"
+          mount_with_dir "${var_mount_path}" "${var_resolved_dev}" "${var_btrfs_compression_options}" || return "${ERR_MOUNTING_DEV}"
+          if [[ -n "${var_fs_btrfs_snapshot}" ]]; then
+            mkdir -p "${TARGET}${var_mount_path}/.snapshots"
+            mount -o "${var_mount_optsnap}" "${var_resolved_dev}" "${TARGET}${var_mount_path}/.snapshots"
+          fi
+          ;;
+        ext4:*)
+          mount_with_dir "${var_mount_path}" "${var_resolved_dev}" "${var_mount_options}" || return "${ERR_MOUNTING_DEV}"
+          ;;
+        *) do_log "error" "false" "Unsupported fs/encryption combination."
+           return "${ERR_MOUNTING_DEV}" ;;
+      esac
+
+    done
+
+  done
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/partitioning/3290_uuid_logger.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Logger for all generated partition, LUKS container and file system UUIDs.
+# Globals:
+#   HMP_PATH_ENCLABEL
+#   HMP_PATH_FSUUID
+#   HMP_PATH_PARTUUID
+#   LOG_UID
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+uuid_logger() {
+  declare var_key var_mountpoint var_uuid
+  printf 'UUID Partition:\n' >> "${LOG_UID}"
+  for var_key in "${!HMP_PATH_PARTUUID[@]}"; do
+    # Remove Prefix "UUID_"
+    var_mountpoint="${var_key#UUID_}"
+    var_uuid="${HMP_PATH_PARTUUID[${var_key}]}"
+    # Left-aligned field width 63; "UUID=" starts directly after column 64.
+    printf '%-63sUUID=%s\n' "${var_mountpoint}:" "${var_uuid}" >> "${LOG_UID}"
+  done
+
+  printf '\n' >> "${LOG_UID}"
+  printf 'UUID LUKS Container:\n' >> "${LOG_UID}"
+  for var_key in "${!HMP_PATH_ENCLABEL[@]}"; do
+    var_mountpoint="${HMP_PATH_ENCLABEL[${var_key}]}"
+    var_uuid="${HMP_PATH_PARTUUID[${var_key}]}"
+    # Left-aligned field width 63; "UUID=" starts directly after column 64.
+    printf '%-63sUUID=%s\n' "${var_mountpoint}:" "${var_uuid}" >> "${LOG_UID}"
+  done
+
+  printf '\n' >> "${LOG_UID}"
+  printf 'UUID Filesystem:\n' >> "${LOG_UID}"
+  for var_key in "${!HMP_PATH_FSUUID[@]}"; do
+    # Remove Prefix "UUID_"
+    var_mountpoint="${var_key#UUID_}"
+    var_uuid="${HMP_PATH_FSUUID[${var_key}]}"
+    # Left-aligned field width 63; "UUID=" starts directly after column 64.
+    printf '%-63sUUID=%s\n' "${var_mountpoint}:" "${var_uuid}" >> "${LOG_UID}"
+  done
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh