V9.14.000.2026.06.07

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 15:46:30 +01:00
parent aa94c53d65
commit 261d770e42
54 changed files with 515 additions and 203 deletions
@@ -1,4 +1,7 @@
 #!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck shell=sh
+
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
@@ -13,7 +16,7 @@

 set -e

-printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999-custom-initramfs.sh] \n\e[0m"
+printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999_ciss_initramfs.sh] \n\e[0m"

 PREREQ=""
 prereqs() { echo "${PREREQ}"; }
@@ -137,6 +140,6 @@ install -m 0444 /etc/dropbear/initramfs/banner "${DESTDIR}/etc/dropbear/banner"
 printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/banner %s/etc/dropbear/banner] \n\e[0m" "${DESTDIR}"


-printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999-custom-initramfs.sh] \n\e[0m"
+printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999_ciss_initramfs.sh] \n\e[0m"

 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -1,4 +1,7 @@
 #!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck shell=sh
+
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
@@ -13,10 +16,11 @@

 set -e

-printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999-custom-prompt.sh] \n\e[0m"
+printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999_ciss_prompt.sh] \n\e[0m"

 PREREQ=""
 prereqs() { echo "${PREREQ}"; }
+# shellcheck disable=SC2249
 case "${1}" in
  prereqs) prereqs; exit 0 ;;
 esac
@@ -34,6 +38,6 @@ export PS1='$( STATUS=$?; \
  fi; ) '
 EOF

-printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999-custom-prompt.sh] \n\e[0m"
+printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999_ciss_prompt.sh] \n\e[0m"

 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -1,4 +1,7 @@
 #!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck shell=sh
+
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
@@ -14,6 +17,7 @@ set -e

 PREREQ=""
 prereqs() { echo "${PREREQ}"; }
+# shellcheck disable=SC2249
 case "${1}" in
  prereqs) prereqs; exit 0 ;;
 esac
@@ -1,4 +1,7 @@
 #!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck shell=sh
+
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
@@ -14,6 +17,7 @@ set -e

 PREREQ=""
 prereqs() { echo "${PREREQ}"; }
+# shellcheck disable=SC2249
 case "${1}" in
  prereqs) prereqs; exit 0 ;;
 esac
@@ -415,8 +415,12 @@ CipherString = ECDHE+AES256-GCM:ECDHE+CHACHA20:ECDHE+ARIA256-GCM:ECDHE+CAMELLIA2
 # TLS 1.3 cipher policy: AES-256 and ChaCha20-Poly1305 only:
 Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

+# ToDo: Update PQC Groups to include P-521 and P-384.
+
 # Prefer strong, widely-supported ECDHE groups (first = most preferred):
-Groups = X448:X25519:P-521:P-384
+Groups = X448:P-521:P-384
+
+SignatureAlgorithms = rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256

 # Operational flags:
 # -SessionTicket   => disable TLS session tickets (TLS 1.2 + 1.3)
@@ -1,15 +1,18 @@
 #!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck shell=sh

 PREREQ="udev"

 prereqs() {
-    echo "${PREREQ}"
+  echo "${PREREQ}"
 }

+# shellcheck disable=SC2249
 case "$1" in
-    prereqs)
-        prereqs
-        exit 0
+  prereqs)
+    prereqs
+    exit 0
    ;;
 esac

@@ -18,31 +21,32 @@ esac


 run_dropbear() {
-    ### CISS.debian.installer
-    ### Remove old flags for dropbear version 2025.88-2.
-    ### Only accepts flags from '/etc/dropbear/dropbear.conf'.
+  ### CISS.debian.installer
+  ### Remove old flags for dropbear version 2025.88-2.
+  ### Only accepts flags from '/etc/dropbear/dropbear.conf'.

-    #local flags="Fs"
-    # shellcheck disable=SC2292
-    [ "${debug}" != y ] || flags="E${flags}" # log to standard error
+  #local flags="Fs"
+  # shellcheck disable=SC2034,SC2154,SC2292
+  [ "${debug}" != y ] || flags="E${flags}" # log to standard error

-    # Always run configure_networking() before dropbear(8); on NFS
-    # mounts this has been done already
+  # Always run configure_networking() before dropbear(8); on NFS
+  # mounts this has been done already

-    # shellcheck disable=SC2292
-    [ "${BOOT}" = nfs ] || configure_networking
+  # shellcheck disable=SC2292
+  [ "${BOOT}" = nfs ] || configure_networking

-    log_begin_msg "Starting dropbear"
-    # Using exec and keeping dropbear in the foreground enables the
-    # init-bottom script to kill the remaining ipconfig processes if
-    # someone unlocks the rootfs from the console while the network is
-    # being configured
-    exec /sbin/dropbear ${DROPBEAR_OPTIONS-}
+  log_begin_msg "Starting dropbear"
+  # Using exec and keeping dropbear in the foreground enables the
+  # init-bottom script to kill the remaining ipconfig processes if
+  # someone unlocks the rootfs from the console while the network is
+  # being configured
+  # shellcheck disable=SC2086
+  exec /sbin/dropbear ${DROPBEAR_OPTIONS-}
 }

 # shellcheck disable=SC2292
 if [ -e /etc/dropbear/dropbear.conf ]; then
-    . /etc/dropbear/dropbear.conf
+  . /etc/dropbear/dropbear.conf
 fi
 . /scripts/functions

@@ -57,3 +61,5 @@ fi

 run_dropbear &
 echo $! >/run/dropbear.pid
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh