V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

ciss_debian_installer.sh

@@ -28,15 +28,35 @@
 
 ### PRELIMINARY CHECKS
 [ -z "${BASH_VERSINFO[0]}" ] && {
-  . ./var/errors.var.sh; printf "\e[91m❌ Please make sure you are using 'bash'! Bye... \e[0m\n" >&2; exit "${ERR_UNSUPPORTED_BASH}"; }
+  . ./meta_loader_early.sh
+  printf "%s❌ Please make sure you are using 'bash'! Bye... %s%s" "${C_RED}" "${C_RES}" "${NL}" >&2
+  exit "${ERR_UNSUPPORTED_BASH}"
+  }
+
 [[ ${EUID} -ne 0 ]] && {
-  . ./var/errors.var.sh; printf "\e[91m❌ Please make sure you are 'root'! Bye... \e[0m\n" >&2; exit "${ERR_USER_IS_NOT_ROOT}"; }
+  . ./meta_loader_early.sh
+  printf "%s❌ Please make sure you are 'root'! Bye... %s%s" "${C_RED}" "${C_RES}" "${NL}" >&2
+  exit "${ERR_USER_IS_NOT_ROOT}"
+  }
+
 [[ $(kill -l | grep -c SIG) -eq 0 ]] && {
-  . ./var/errors.var.sh; printf "\e[91m❌ Please make sure you are calling the script without leading 'sh'! Bye... \e[0m\n" >&2; exit "${ERR_UNSUPPORTED_BASH}"; }
+  . ./meta_loader_early.sh
+  printf "%s❌ Please make sure you are calling the script without leading 'sh'! Bye... %s%s" "${C_RED}" "${C_RES}" "${NL}" >&2
+  exit "${ERR_UNSUPPORTED_BASH}"
+  }
+
 [[ ${BASH_VERSINFO[0]} -lt 5 ]] && {
-  . ./var/errors.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSUPPORTED_BASH}"; }
+  . ./meta_loader_early.sh
+  printf "%s❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... %s%s" "${C_RED}" "${BASH_VERSION}" "${C_RES}" "${NL}" >&2
+  exit "${ERR_UNSUPPORTED_BASH}"
+  }
+
 [[ ${BASH_VERSINFO[0]} -le 5 ]] && [[ ${BASH_VERSINFO[1]} -le 1 ]] && {
-  . ./var/errors.var.sh; printf "\e[91m❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... \e[0m\n" "${BASH_VERSION}" >&2; exit "${ERR_UNSUPPORTED_BASH}"; }
+  . ./meta_loader_early.sh
+  printf "%s❌ Minimum requirement is bash 5.1. You are using '%s'! Bye... %s%s" "${C_RED}" "${BASH_VERSION}" "${C_RES}" "${NL}" >&2
+  exit "${ERR_UNSUPPORTED_BASH}"
+  }
+
 [[ ${#} -eq 0 ]] && {
   . ./lib/0000_usage.sh; usage >&2; exit 1; }
 
@@ -67,17 +87,17 @@ pre_scan_debug "$@"
 
 ### ADVISORY LOCK
 exec 127>/var/lock/ciss_debian_installer.lock || {
-  printf "\e[91m❌ Cannot open lockfile for writing! Bye... \e[0m\n" >&2
+  printf "%s❌ Cannot open lockfile for writing! Bye... %s%s" "${C_RED}" "${C_RES}" "${NL}" >&2
   exit "${ERR_FLOCK_PROTECTED}"
 }
 
 if ! flock -x -n 127; then
-  printf "\e[91m❌ Another instance is running! Bye...\e[0m\n" >&2
+  printf "%s❌ Another instance is running! Bye...%s%s" "${C_RED}" "${C_RES}" "${NL}" >&2
   exit "${ERR_FLOCK_COLLISION}"
 fi
 
 ### SOURCING
-[[ "${VAR_SETUP}" == true ]] && {
+[[ "${VAR_SETUP}" == "true" ]] && {
   ### SOURCING BASH OPTIONS
   . ./var/bash.var.sh
   ### SOURCING FUNCTIONS
@@ -99,7 +119,7 @@ gen_dir_files
 
 
 ### Dialog Output for Initialization
-if ! $VAR_AUTO_INSTALL; then . ./lib/0200_dialog_helper.sh && dialog_gauge; fi
+if ! "${VAR_AUTO_INSTALL}"; then . ./lib/0200_dialog_helper.sh && dialog_gauge; fi
 
 
 

func/1250_yaml_parser.sh

@@ -13,8 +13,9 @@
 guard_sourcing
 
 #######################################
-# Parsing './.preseed/preseed.yaml'.
+# Parsing './.preseed/preseed.yaml' and './.preseed/partitioning.yaml'.
 # Globals:
+#   ARY_BOOTPARAM
 #   ARY_NTPSRVR
 #   ARY_PACKAGES
 #   DIR_CNF
@@ -30,7 +31,7 @@ yaml_parser() {
 
   yq -o=shell "${DIR_TMP}/combined.yaml" >| "${VAR_PRESEED}"
 
-  declare -agx ARY_BOOTPARAM ARY_NTPSRVR ARY_PACKAGES
+  declare -agx ARY_BOOTPARAM=() ARY_NTPSRVR=() ARY_PACKAGES=()
   declare var_key var_value
 
   while IFS='=' read -r var_key var_value; do

func/3220_partition_encryption.sh

@@ -121,19 +121,6 @@ partition_encryption() {
 
       fi
 
-      if [[ "${var_encryption_nuke,,}" == "true" ]]; then
-
-        cryptsetup luksAddKey \
-          --key-file="${DIR_CNF}/password.txt" \
-          --new-keyfile="${DIR_CNF}/password_nuke.txt" \
-          --new-key-slot 31 \
-          --batch-mode --verbose \
-          "/dev/${var_dev}${var_part}"
-
-          do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' 'Nuke-Key' added."
-
-      fi
-
       cryptsetup luksHeaderBackup --header-backup-file="${DIR_BAK}/luks_header_${var_dev}${var_part}.bak" "/dev/${var_dev}${var_part}"
       do_log "info" "false" "Partition: '/dev/${var_dev}${var_part}' LUKS Header saved: '${DIR_BAK}/luks_header_${var_dev}${var_part}.bak'."
 

func/4130_setup_network.sh

@@ -58,16 +58,16 @@ setup_network() {
   declare -a ary_ipv4_ns ary_ipv6_ns
 
   ary_ipv4_ns+=("${network_static_ipv4nameserver_0}")
-  [[ -n "${network_static_ipv4nameserver_1}" ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_1}")
-  [[ -n "${network_static_ipv4nameserver_2}" ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_2}")
-  [[ -n "${network_static_ipv4nameserver_fallback_0}" ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_fallback_0}")
-  [[ -n "${network_static_ipv4nameserver_fallback_1}" ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_fallback_1}")
+  [[ -v "${network_static_ipv4nameserver_1}" ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_1}")
+  [[ -v "${network_static_ipv4nameserver_2}" ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_2}")
+  [[ -v "${network_static_ipv4nameserver_fallback_0}" ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_fallback_0}")
+  [[ -v "${network_static_ipv4nameserver_fallback_1}" ]] && ary_ipv4_ns+=("${network_static_ipv4nameserver_fallback_1}")
 
   ary_ipv6_ns+=("${network_static_ipv6nameserver_0}")
-  [[ -n "${network_static_ipv6nameserver_1}" ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_1}")
-  [[ -n "${network_static_ipv6nameserver_2}" ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_2}")
-  [[ -n "${network_static_ipv6nameserver_fallback_0}" ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_fallback_0}")
-  [[ -n "${network_static_ipv6nameserver_fallback_1}" ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_fallback_1}")
+  [[ -v "${network_static_ipv6nameserver_1}" ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_1}")
+  [[ -v "${network_static_ipv6nameserver_2}" ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_2}")
+  [[ -v "${network_static_ipv6nameserver_fallback_0}" ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_fallback_0}")
+  [[ -v "${network_static_ipv6nameserver_fallback_1}" ]] && ary_ipv6_ns+=("${network_static_ipv6nameserver_fallback_1}")
 
   ### Check current network connection and configure variables
   var_auto_nic=$(ip -o link show | awk -F': ' '/state UP/ && $2!="lo" {print $2; exit}')

func/4195_setup_dropbear.sh

@@ -53,9 +53,9 @@ setup_dropbear() {
   ### Prepare dropbear authorized_keys
   declare -a ary_user=()
   ary_user+=("${user_root_ssh_pubkeys_0}")
-  [[ -n "${user_root_ssh_pubkeys_1}" ]] && ary_user+=("${user_root_ssh_pubkeys_1}")
-  [[ -n "${user_root_ssh_pubkeys_2}" ]] && ary_user+=("${user_root_ssh_pubkeys_2}")
-  [[ -n "${user_root_ssh_pubkeys_3}" ]] && ary_user+=("${user_root_ssh_pubkeys_3}")
+  [[ -v "${user_root_ssh_pubkeys_1}" ]] && ary_user+=("${user_root_ssh_pubkeys_1}")
+  [[ -v "${user_root_ssh_pubkeys_2}" ]] && ary_user+=("${user_root_ssh_pubkeys_2}")
+  [[ -v "${user_root_ssh_pubkeys_3}" ]] && ary_user+=("${user_root_ssh_pubkeys_3}")
 
   touch "${TARGET}/etc/dropbear/initramfs/authorized_keys" && chmod 0600 "${TARGET}/etc/dropbear/initramfs/authorized_keys"
   printf "%s\n" "${ary_user[@]}" > "${TARGET}/etc/dropbear/initramfs/authorized_keys"
@@ -151,7 +151,6 @@ EOF
 
   fi
 
-
   ### Finally, deploy all changes done via 'update-grub' and 'update-initramfs'.
   do_in_target "${TARGET}" update-grub
   do_in_target "${TARGET}" update-initramfs -u -v -k all

includes/initramfs-tools/files/unlock_wrapper.sh

@@ -1,12 +1,12 @@
 #!/bin/bash
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.hardened.installer framework.
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 # SPDX-Comment: unlock_wrapper.sh to be executed after dropbear SSH login as forced command

includes/initramfs-tools/files/unlock_wrapper_advanced.sh

@@ -0,0 +1,395 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+# SPDX-Comment: unlock_wrapper_advanced.sh to be executed as '/etc/crypttab' keyscript and as dropbear SSH forced command.
+
+set -Ceuo pipefail
+
+### Variable declaration
+declare -ir MAX_RETRIES=2
+# shellcheck disable=SC2155
+declare -r CURRENTDATE=$(date +"%F %T")
+# shellcheck disable=SC2155
+declare -r IFS=$(printf ' \n\t')
+declare -r GRN='\e[0;92m'
+declare -r MAG='\e[0;95m'
+declare -r RED='\e[0;91m'
+declare -r RES='\e[0m'
+declare -r NL='\n'
+
+#######################################
+# Generates informative shell prompt.
+# Globals:
+#   PS1
+# Arguments:
+#   None
+#######################################
+prompt_string() {
+  declare -gx PS1="\
+\[\033[1;91m\]\d\[\033[0m\]|\[\033[1;91m\]\u\[\033[0m\]@\
+\[\033[1;95m\]\h\[\033[0m\]:\
+\[\033[1;96m\]\w\[\033[0m\]/>>\
+\$(if [[ \$? -eq 0 ]]; then \
+  # Show exit status in green if zero
+  echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
+else \
+  # Show exit status in red otherwise
+  echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
+fi)\
+|~\$ "
+}
+
+#######################################
+# Die helper: print and exit hard.
+# Globals:
+#   NC
+#   RED
+# Arguments:
+#   1: Message string to print.
+#######################################
+die() {
+  printf "%s✘ %s%s\n" "${RED}" "$1" "${RES}" >&2
+  power_off 3
+}
+
+#######################################
+# Unified power-off routine.
+# Arguments:
+#   1: Sleep time before power-off in seconds.
+#######################################
+power_off() {
+  declare -r wait="${1:-0}"
+  sleep "${wait}"
+  sync
+  echo 1 >| /proc/sys/kernel/sysrq
+  echo o >| /proc/sysrq-trigger
+  # The System powers off immediately; no further code is executed.
+}
+
+#######################################
+# Trap function to be called on 'ERR'.
+# Arguments:
+#   1: ${?}
+#   2: ${BASH_SOURCE[0]}
+#   3: ${LINENO}
+#   4: ${FUNCNAME[0]:-main}
+#   5: ${BASH_COMMAND}
+#######################################
+trap_on_err() {
+  declare -r errcode="$1"
+  declare -r errscrt="$2"
+  declare -r errline="$3"
+  declare -r errfunc="$4"
+  declare -r errcmmd="$5"
+  trap - ERR INT TERM
+  stty echo
+  print_scr_err "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}"
+  power_off 16
+}
+
+#######################################
+# Security Trap on 'INT' and 'TERM' to provide a deterministic way to not circumvent the Nuke Routine.
+# Globals:
+#   NL
+#   RED
+#   RES
+# Arguments:
+#   None
+#######################################
+trap_on_term() {
+  trap - ERR INT TERM
+  stty echo
+  printf "%s" "${NL}"
+  printf "%s✘ System caught a 'SIGINT'. System Power Off in 3 seconds. %s%s" "${RED}" "${RES}" "${NL}" >&2
+  power_off 3
+}
+
+#######################################
+# Print Error Message for Trap on 'ERR' on Terminal.
+# Globals:
+#   NL
+#   RED
+#   RES
+# Arguments:
+#   1: ${?}
+#   2: ${BASH_SOURCE[0]}
+#   3: ${LINENO}
+#   4: ${FUNCNAME[0]:-main}
+#   5: ${BASH_COMMAND}
+#######################################
+print_scr_err() {
+  declare -r scr_err_errcode="$1"
+  declare -r scr_err_errscrt="$2"
+  declare -r scr_err_errline="$3"
+  declare -r scr_err_errfunc="$4"
+  declare -r scr_err_errcmmd="$5"
+  printf "%s" "${NL}"
+  printf "%s✘ System caught an 'ERROR'. System Power Off in 15 seconds. %s%s" "${RED}" "${RES}" "${NL}" >&2
+  printf "%s" "${NL}"
+  printf "%s✘ Error               : %s %s%s" "${RED}" "${scr_err_errcode}" "${RES}" "${NL}" >&2
+  printf "%s✘ Line                : %s %s%s" "${RED}" "${scr_err_errline}" "${RES}" "${NL}" >&2
+  printf "%s✘ Script              : %s %s%s" "${RED}" "${scr_err_errscrt}" "${RES}" "${NL}" >&2
+  printf "%s✘ Function            : %s %s%s" "${RED}" "${scr_err_errfunc}" "${RES}" "${NL}" >&2
+  printf "%s✘ Command             : %s %s%s" "${RED}" "${scr_err_errcmmd}" "${RES}" "${NL}" >&2
+  printf "%s" "${NL}"
+}
+
+#######################################
+# Print Error Message for '0'-Exit-Code Trap on 'ERR' on Terminal.
+# Arguments:
+#   none
+#######################################
+print_scr_scc() {
+  printf "%s✅ Script exited successfully. Proceeding with booting. %s%s" "${GRN}" "${RES}" "${NL}"
+}
+
+#######################################
+# Gather information of all LUKS Devices available on the system.
+# Arguments:
+#   None
+#######################################
+gather_luks_devices() {
+  declare prev=() curr=() tries=0
+
+  while ((tries < 10)); do
+    mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | sort)
+
+    if cmp <(printf '%s\n' "${curr[@]}") <(printf '%s\n' "${prev[@]}") >/dev/null; then
+      break
+    fi
+
+    prev=("${curr[@]}")
+    tries=$((tries + 1))
+    sleep 1
+  done
+
+  printf '%s\n' "${curr[@]}"
+}
+
+#######################################
+# Extract the 'nuke='-parameter from '/proc/cmdline'.
+# Globals:
+#   VAR_NUKE_HASH
+# Returns:
+#   0: if nuke= was found and extracted.
+#   1: if not found.
+#######################################
+extract_nuke_hash() {
+  declare ARG="" CMDLINE=""
+  ### Read /proc/cmdline into a single line safely
+  read -r CMDLINE < /proc/cmdline
+  for ARG in ${CMDLINE}; do
+    case "${ARG}" in
+      nuke=*) declare -gr VAR_NUKE_HASH="${ARG#nuke=}"; return 0 ;;
+    esac
+  done
+  ### Not found
+  return 1
+}
+
+
+
+#######################################
+# Read passphrase interactively.
+# Arguments:
+#  None
+#######################################
+passphrase_ask() {
+  declare -g PASSPHRASE=""
+  printf "\n"
+  stty -echo
+  printf "\e[0;95m🔐 Enter passphrase for decryption: \e[0m\n"
+  read -r PASSPHRASE
+  stty echo
+  printf "\n"
+}
+
+#######################################
+# Test the entered passphrase against the dedicated Nuke Keyslot #31.
+# Arguments:
+#   $1: DEVICE
+#   $2: PASSWD
+#######################################
+passphrase_test() {
+  declare -r DEVICE="$1"
+  declare -r PASPHR="$2"
+  printf '%s' "${PASPHR}" | cryptsetup open --batch-mode --test-passphrase --key-slot 31 "${DEVICE}" > /dev/null 2>&1
+}
+
+#######################################
+# Check the integrity and authenticity of this script itself.
+# Arguments:
+#   $0: Script Name
+#######################################
+verify_coresecret() {
+  ### Directory of this script
+  # shellcheck disable=SC2155
+  declare dir="$(dirname "$(readlink -f "${0}")")"
+  # shellcheck disable=SC2155
+  declare script="$(basename "${0}")"
+  declare algo
+
+  for algo in sha512 sha384; do
+    # shellcheck disable=SC2155
+    declare hashfile="${dir}/${script}.${algo}"
+    # shellcheck disable=SC2155
+    declare sigfile="${hashfile}.sig"
+    # shellcheck disable=SC2155
+    declare cmd="${algo}sum"
+
+    printf "\e[0;95m🔏 Verifying signature of: [%s] \e[0m\n" "${hashfile}"
+    gpgv --keyring /etc/keys/pubring.gpg "${sigfile}" "${hashfile}" || {
+      printf "\e[0;91m✘ Signature verification failed for: [%s] \e[0m\n" "${hashfile}" >&2
+      printf "\e[0;91m✘ System Power Off in 3 seconds. \e[0m\n" >&2
+      sync
+      sleep 3
+      set +C
+      echo 1 > /proc/sys/kernel/sysrq
+      echo o > /proc/sysrq-trigger
+    }
+    printf "\e[0;92m🔏 Verifying signature of: [%s] successful. \e[0m\n" "${hashfile}"
+
+    printf "\e[0;95m🔢 Recomputing Hash: [%s] \e[0m\n" "${algo}"
+    # shellcheck disable=SC2155
+    declare computed=$($cmd "${dir}/${script}" | awk '{print $1}')
+    # shellcheck disable=SC2155
+    declare expected=$(cat "${hashfile}")
+
+    if [[ ${computed} != "${expected}" ]]; then
+      printf "\e[0;91m✘ Hash mismatch for: [%s] \e[0m\n" "${algo}" >&2
+      printf "\e[0;91m✘ System Power Off in 3 seconds. \e[0m\n" >&2
+      sync
+      sleep 3
+      set +C
+      echo 1 > /proc/sys/kernel/sysrq
+      echo o > /proc/sysrq-trigger
+    fi
+    printf "\e[0;92m🔢 Recomputing Hash: [%s] successful. \e[0m\n" "${algo}"
+  done
+
+  printf "\e[0;92m🔏 All signatures and hashes verified successfully. Proceeding. \e[0m\n"
+}
+
+### Main Programm
+trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
+trap 'trap_on_term' INT TERM
+
+printf "\e[0;91mCoresecret Connection established.\e[0m\n"
+printf "\e[0;91mStarting Time: %s\e[0m\n" "${CURRENTDATE}"
+printf "\n"
+
+verify_coresecret
+
+### Read newline-separated output into an array
+mapfile -t DEVICES_LUKS < <(gather_luks_devices)
+mapfile -t DEVICES_NUKE < <(gather_nuke_devices)
+
+### Debug output: list each element with its index
+#for idx in "${!DEVICES_LUKS[@]}"; do
+#  printf 'Luks[%d]: %s\n' "${idx}" "${DEVICES_LUKS[${idx}]}"
+#done
+
+### Debug output: list each element with its index
+#for idx in "${!DEVICES_NUKE[@]}"; do
+#  printf 'Nuke[%d]: %s\n' "${idx}" "${DEVICES_NUKE[${idx}]}"
+#done
+
+### # If there are no LUKS devices at all, drop to bash
+[[ -n ${DEVICES_LUKS[*]} ]] || {
+  printf "\e[0;92m✘ No LUKS Devices found. Dropping to bash ... \e[0m\n"
+  prompt_string
+  exec /bin/bash -i
+}
+
+### If there are LUKS devices but no Nuke devices, try unlocking flow
+if [[ -n ${DEVICES_LUKS[*]} ]] && [[ -z ${DEVICES_NUKE[*]} ]]; then
+  ### Attempt interactive unlock with cryptroot-unlock
+  if cryptroot-unlock; then
+
+    exit 0
+
+  else
+
+    printf "\n"
+    printf "\e[0;91m✘ Unsuccessful command 'cryptroot-unlock'. \e[0m\n"
+    printf "\e[0;92m✘ No LUKS operations performed. Dropping to bash ... \e[0m\n"
+    printf "\e[0;92m✘ To unlock 'root' partition, and maybe others like 'swap', run 'cryptroot-unlock'. \e[0m\n"
+    prompt_string
+    exec /bin/bash -i
+
+  fi
+
+elif [[ -n ${DEVICES_LUKS[*]} ]] && [[ -n ${DEVICES_NUKE[*]} ]]; then
+
+  declare -i attempt=1
+  declare NUKED=false
+  declare TEST_DEV="${DEVICES_NUKE[0]}"
+
+  while ((attempt <= MAX_RETRIES)); do
+
+    printf "\e[0;95m🔐Attempt %s/%s: \e[0m\n" "${attempt}" "${MAX_RETRIES}"
+
+    passphrase_ask
+    declare -g PASSWD="${PASSPHRASE}"
+
+    if passphrase_test "${TEST_DEV}" "${PASSWD}"; then
+
+      for dev in "${DEVICES_NUKE[@]}"; do
+        cryptsetup erase --batch-mode "${dev}" > /dev/null 2>&1
+        printf "%s:\e[0;95m✘ LUKS Device Header malfunction. \e[0m\n" "${dev}"
+      done
+
+      declare -r NUKED=true
+      unset PASSWD
+      break
+
+    else
+
+      declare code="$?"
+
+      case "${code}" in
+        1) printf "\e[0;91m✘ No usable key slot is available. \e[0m\n" ;;
+        2) printf "\e[0;91m✘ No key available with this passphrase. \e[0m\n" ;;
+        3) printf "\e[0;93m✘ Out of memory. \e[0m\n" ;;
+        *) printf "\e[0;91m✘ Unexpected Return Code. \e[0m\n" ;;
+      esac
+
+    fi
+
+    attempt=$((attempt + 1))
+
+  done
+
+  if [[ ${NUKED} == true ]]; then
+    stty echo
+    sleep 3
+    sync
+    set +C
+    echo 1 > /proc/sys/kernel/sysrq
+    echo o > /proc/sysrq-trigger
+  fi
+
+  if cryptroot-unlock; then
+
+    exit 0
+
+  else
+
+    printf "\e[0;91m✘ Unsuccessful command 'cryptroot-unlock'. \e[0m\n"
+    printf "\e[0;92m✘ No LUKS operations performed. Dropping to bash ... \e[0m\n"
+    printf "\e[0;92m✘ To unlock 'root' partition, and maybe others like 'swap', run 'cryptroot-unlock'. \e[0m\n"
+    prompt_string
+    exec /bin/bash -i
+
+  fi
+
+fi
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/initramfs-tools/hooks/custom-initramfs.sh

@@ -21,10 +21,11 @@ esac
 . /usr/share/initramfs-tools/hook-functions
 
 ### Ensure directory structure in initramfs
-mkdir -p "${DESTDIR}/etc/dropbear/initramfs"
-mkdir -p "${DESTDIR}/usr/local/bin" "${DESTDIR}/etc/keys"
-mkdir -p "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
+mkdir -p "${DESTDIR}/etc/dropbear"
+mkdir -p "${DESTDIR}/etc/keys"
+mkdir -p "${DESTDIR}/usr/local/bin"
 mkdir -p "${DESTDIR}/etc/initramfs-tools/conf.d"
+mkdir -p "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
 
 ### Include Bash
 copy_exec /usr/bin/bash /usr/bin
@@ -36,6 +37,9 @@ copy_exec /usr/bin/busybox /bin
 ### Include lsblk (block device info tool)
 copy_exec /usr/bin/lsblk /usr/bin
 
+### Include mkpasswd
+copy_exec /usr/bin/mkpasswd /usr/bin
+
 ### Include udevadm (udev management tool)
 copy_exec /usr/bin/udevadm /usr/bin
 
@@ -46,6 +50,9 @@ copy_exec /usr/bin/sha384sum /usr/bin
 ### Include Signature-Verifier
 copy_exec /usr/bin/gpgv /usr/bin
 
+### Include Whois
+copy_exec /usr/bin/whois /usr/bin
+
 ### Link busybox applets for compatibility
 for dir in bin usr/bin; do
   ln -sf busybox "${DESTDIR}/${dir}/cat"
@@ -56,7 +63,7 @@ done
 install -m 0444 /etc/initramfs-tools/files/dropbear_fw.cnf "${DESTDIR}/etc/initramfs-tools/conf.d/dropbear_fw.cnf"
 
 ### Install Dropbear configuration
-install -m 0444 /etc/dropbear/initramfs/dropbear.conf "${DESTDIR}/etc/dropbear/initramfs/dropbear.conf"
+install -m 0444 /etc/dropbear/initramfs/dropbear.conf "${DESTDIR}/etc/dropbear/dropbear.conf"
 
 ### Install Dropbear Cryptroot Unlock Wrapper
 install -m 0555 /etc/initramfs-tools/files/unlock-wrapper.sh "${DESTDIR}/usr/local/bin/unlock-wrapper.sh"

lib/0060_trap_err.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Print Error Message for Trap on 'ERR' in '${ERROR_LOG}'.
 # Globals:
@@ -24,6 +26,7 @@
 #   LOG_ERROR
 #   LOG_TRACE
 #   LOG_VAR
+#   NL
 #   SECONDS
 #   VAR_ARG_SANITIZED
 #   VAR_DEBUG_TRACE
@@ -36,32 +39,32 @@
 #######################################
 print_file_err() {
   {
-    printf "❌ CISS.debian.installer Script failed. \n"
-    printf "❌ GIT Commit          : %s \n" "${VAR_GIT_HEAD}"
-    printf "❌ Version             : %s \n" "${VAR_VERSION}"
-    printf "❌ Hostsystem          : %s \n" "${VAR_SYSTEM}"
-    printf "❌ Error               : %s \n" "${ERRCODE}"
-    printf "❌ Line                : %s \n" "${ERRLINE}"
-    printf "❌ Script              : %s \n" "${ERRSCRT}"
-    printf "❌ Function            : %s \n" "${ERRFUNC}"
-    printf "❌ Command             : %s \n" "${ERRCMMD}"
-    printf "❌ Script PID          : %s \n" "${$}"
-    printf "❌ Script Runtime      : %s \n" "${SECONDS}"
-    printf "❌ Arguments Counter   : %s \n" "${ARGUMENTS_COUNT}"
-    printf "❌ Arguments Original  : %s \n" "${ARG_STR_ORG_INPUT}"
-    printf "❌ Arguments Sanitized : %s \n" "${VAR_ARG_SANITIZED}"
+    printf "❌ CISS.debian.installer Script failed. %s" "${NL}"
+    printf "❌ GIT Commit          : %s %s" "${VAR_GIT_HEAD}" "${NL}"
+    printf "❌ Version             : %s %s" "${VAR_VERSION}" "${NL}"
+    printf "❌ Hostsystem          : %s %s" "${VAR_SYSTEM}" "${NL}"
+    printf "❌ Error               : %s %s" "${ERRCODE}" "${NL}"
+    printf "❌ Line                : %s %s" "${ERRLINE}" "${NL}"
+    printf "❌ Script              : %s %s" "${ERRSCRT}" "${NL}"
+    printf "❌ Function            : %s %s" "${ERRFUNC}" "${NL}"
+    printf "❌ Command             : %s %s" "${ERRCMMD}" "${NL}"
+    printf "❌ Script PID          : %s %s" "${$}" "${NL}"
+    printf "❌ Script Runtime      : %s %s" "${SECONDS}" "${NL}"
+    printf "❌ Arguments Counter   : %s %s" "${ARGUMENTS_COUNT}" "${NL}"
+    printf "❌ Arguments Original  : %s %s" "${ARG_STR_ORG_INPUT}" "${NL}"
+    printf "❌ Arguments Sanitized : %s %s" "${VAR_ARG_SANITIZED}" "${NL}"
     if [[ "${VAR_DEBUG_TRACE}" || "${VAR_DEBUG_TRAP}" ]]; then
-      printf "❌ Vars Dump saved at  : %s \n" "${LOG_VAR}"
+      printf "❌ Vars Dump saved at  : %s %s" "${LOG_VAR}" "${NL}"
     fi
     if "${VAR_DEBUG_TRAP}"; then
-      printf "❌ DEBUG Log saved at  : %s \n" "${LOG_DEBUG}"
-      printf "❌                   cat %s \n" "${LOG_DEBUG}"
+      printf "❌ DEBUG Log saved at  : %s %s" "${LOG_DEBUG}" "${NL}"
+      printf "❌                   cat %s %s" "${LOG_DEBUG}" "${NL}"
     fi
     if "${VAR_DEBUG_TRACE}"; then
-      printf "❌ TRACE Log saved at  : %s \n" "${LOG_TRACE}"
-      printf "❌                   cat %s \n" "${LOG_TRACE}"
+      printf "❌ TRACE Log saved at  : %s %s" "${LOG_TRACE}" "${NL}"
+      printf "❌                   cat %s %s" "${LOG_TRACE}" "${NL}"
     fi
-    printf "\n"
+    printf "%s" "${NL}"
   } >> "${LOG_ERROR}"
 }
 
@@ -70,6 +73,8 @@ print_file_err() {
 # Globals:
 #   ARGUMENTS_COUNT
 #   ARG_STR_ORG_INPUT
+#   C_RED
+#   C_RES
 #   ERRCMMD
 #   ERRCODE
 #   ERRFUNC
@@ -79,6 +84,7 @@ print_file_err() {
 #   LOG_ERROR
 #   LOG_TRACE
 #   LOG_VAR
+#   NL
 #   SECONDS
 #   VAR_ARG_SANITIZED
 #   VAR_DEBUG_TRACE
@@ -90,34 +96,34 @@ print_file_err() {
 #  None
 #######################################
 print_scr_err() {
-  printf "\e[91m❌ CISS.debian.installer Script failed. \e[0m\n" >&2
-  printf "\e[91m❌ GIT Commit          : %s \e[0m\n" "${VAR_GIT_HEAD}" >&2
-  printf "\e[91m❌ Version             : %s \e[0m\n" "${VAR_VERSION}" >&2
-  printf "\e[91m❌ Hostsystem          : %s \e[0m\n" "${VAR_SYSTEM}" >&2
-  printf "\e[91m❌ Error               : %s \e[0m\n" "${ERRCODE}" >&2
-  printf "\e[91m❌ Line                : %s \e[0m\n" "${ERRLINE}" >&2
-  printf "\e[91m❌ Script              : %s \e[0m\n" "${ERRSCRT}" >&2
-  printf "\e[91m❌ Function            : %s \e[0m\n" "${ERRFUNC}" >&2
-  printf "\e[91m❌ Command             : %s \e[0m\n" "${ERRCMMD}" >&2
-  printf "\e[91m❌ Script PID          : %s \e[0m\n" "${$}" >&2
-  printf "\e[91m❌ Script Runtime      : %s \e[0m\n" "${SECONDS}" >&2
-  printf "\e[91m❌ Arguments Counter   : %s \e[0m\n" "${ARGUMENTS_COUNT}" >&2
-  printf "\e[91m❌ Arguments Original  : %s \e[0m\n" "${ARG_STR_ORG_INPUT}" >&2
-  printf "\e[91m❌ Arguments Sanitized : %s \e[0m\n" "${VAR_ARG_SANITIZED}" >&2
-  printf "\e[91m❌ Error Log saved at  : %s \e[0m\n" "${LOG_ERROR}" >&2
-  printf "\e[91m❌                   cat %s \e[0m\n" "${LOG_ERROR}" >&2
+  printf "%s❌ CISS.debian.installer Script failed. %s%s" "${C_RED}" "${C_RES}" "${NL}" >&2
+  printf "%s❌ GIT Commit          : %s %s%s" "${C_RED}" "${VAR_GIT_HEAD}" "${C_RES}" "${NL}" >&2
+  printf "%s❌ Version             : %s %s%s" "${C_RED}" "${VAR_VERSION}" "${C_RES}" "${NL}" >&2
+  printf "%s❌ Hostsystem          : %s %s%s" "${C_RED}" "${VAR_SYSTEM}" "${C_RES}" "${NL}" >&2
+  printf "%s❌ Error               : %s %s%s" "${C_RED}" "${ERRCODE}" "${C_RES}" "${NL}" >&2
+  printf "%s❌ Line                : %s %s%s" "${C_RED}" "${ERRLINE}" "${C_RES}" "${NL}" >&2
+  printf "%s❌ Script              : %s %s%s" "${C_RED}" "${ERRSCRT}" "${C_RES}" "${NL}" >&2
+  printf "%s❌ Function            : %s %s%s" "${C_RED}" "${ERRFUNC}" "${C_RES}" "${NL}" >&2
+  printf "%s❌ Command             : %s %s%s" "${C_RED}" "${ERRCMMD}" "${C_RES}" "${NL}" >&2
+  printf "%s❌ Script PID          : %s %s%s" "${C_RED}" "${$}" "${C_RES}" "${NL}" >&2
+  printf "%s❌ Script Runtime      : %s %s%s" "${C_RED}" "${SECONDS}" "${C_RES}" "${NL}" >&2
+  printf "%s❌ Arguments Counter   : %s %s%s" "${C_RED}" "${ARGUMENTS_COUNT}" "${C_RES}" "${NL}" >&2
+  printf "%s❌ Arguments Original  : %s %s%s" "${C_RED}" "${ARG_STR_ORG_INPUT}" "${C_RES}" "${NL}" >&2
+  printf "%s❌ Arguments Sanitized : %s %s%s" "${C_RED}" "${VAR_ARG_SANITIZED}" "${C_RES}" "${NL}" >&2
+  printf "%s❌ Error Log saved at  : %s %s%s" "${C_RED}" "${LOG_ERROR}" "${C_RES}" "${NL}" >&2
+  printf "%s❌                   cat %s %s%s" "${C_RED}" "${LOG_ERROR}" "${C_RES}" "${NL}" >&2
   if [[ "${VAR_DEBUG_TRACE}" || "${VAR_DEBUG_TRAP}" ]]; then
-    printf "\e[91m❌ Vars Dump saved at  : %s \e[0m\n" "${LOG_VAR}" >&2
+    printf "%s❌ Vars Dump saved at  : %s %s%s" "${C_RED}" "${LOG_VAR}" "${C_RES}" "${NL}" >&2
   fi
   if "${VAR_DEBUG_TRAP}"; then
-    printf "\e[91m❌ Debug Log saved at  : %s \e[0m\n" "${LOG_DEBUG}" >&2
-    printf "\e[91m❌                   cat %s \e[0m\n" "${LOG_DEBUG}" >&2
+    printf "%s❌ Debug Log saved at  : %s %s%s" "${C_RED}" "${LOG_DEBUG}" "${C_RES}" "${NL}" >&2
+    printf "%s❌                   cat %s %s%s" "${C_RED}" "${LOG_DEBUG}" "${C_RES}" "${NL}" >&2
   fi
   if "${VAR_DEBUG_TRACE}"; then
-    printf "\e[91m❌ Debug Log saved at  : %s \e[0m\n" "${LOG_TRACE}" >&2
-    printf "\e[91m❌                   cat %s \e[0m\n" "${LOG_TRACE}" >&2
+    printf "%s❌ Debug Log saved at  : %s %s%s" "${C_RED}" "${LOG_TRACE}" "${C_RES}" "${NL}" >&2
+    printf "%s❌                   cat %s %s%s" "${C_RED}" "${LOG_TRACE}" "${C_RES}" "${NL}" >&2
   fi
-  printf "\n"
+  printf "%s" "${NL}"
 }
 
 #######################################

lib/0100_arg_mismatch.sh

@@ -10,14 +10,19 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Wrapper for mismatched Arguments.
 # Globals:
+#   C_RED
+#   C_RES
 #   ERR_ARG_MISMATCH
+#   NL
 #   VAR_AUTO_INSTALL
 #   VAR_IN_DIALOG_WR
 # Arguments:
-#   $1: Error message to be printed.
+#   1: Message to be printed.
 #######################################
 arg_mismatch() {
   ### Call cleaner if and only if not in auto-install mode.
@@ -29,7 +34,7 @@ arg_mismatch() {
         ;;
     esac
   fi
-  printf "\e[91m❌ Error: %s\e[0m\n" "${1}" >&2
+  printf "%s❌ Error: '%s'. %s%s" "${C_RED}" "${1}" "${C_RES}" "${NL}" >&2
   read -pr $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
   exit "${ERR_ARG_MISMATCH}"
 }

lib/0101_arg_sanitizer.sh

@@ -10,10 +10,12 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Argument Check Wrapper.
 # Arguments:
-#   $1: "$@" of ./setup.sh
+#   1: "$@" of ./setup.sh
 #######################################
 arg_check() {
   declare a
@@ -27,10 +29,14 @@ arg_check() {
 #######################################
 # Function to sanitize a single argument
 # Globals:
+#   C_RED
+#   C_RES
 #   ERR_UNSAFE_CHARACTER
 #   LOG_ERROR
+#   NL
+#   VAR_IN_DIALOG_WR
 # Arguments:
-#   $1: Argument to check
+#   1: Argument to be sanitized.
 #######################################
 sanitize_arg() {
   declare input="${1}"
@@ -40,18 +46,18 @@ sanitize_arg() {
     disallowed_ctrl=$(printf '%s' "${input}" | sed -n 's/[^[:cntrl:]]//gp' | sed $'s/./&\\n/g' \
       | while read -r c; do printf "%02X " "'$c"; done)
     {
-      printf "❌ Control character   : '%s'. \n" "${disallowed_ctrl}"
-      printf "❌         in argument : '%s'. \n" "${input}"
-      printf "❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \n"
-      printf "\n"
+      printf "❌ Control character   : '%s'. %s" "${disallowed_ctrl}" "${NL}"
+      printf "❌         in argument : '%s'. %s" "${input}" "${NL}"
+      printf "❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' %s" "${NL}"
+      printf "%s" "${NL}"
     } >> "${LOG_ERROR}"
     case "${VAR_IN_DIALOG_WR}" in
       box   ) dialog_box_cleaner   ;;
       gauge ) dialog_gauge_cleaner ;;
     esac
-    printf "\e[91m❌ Control character   : '%s'. \e[0m\n" "${disallowed_ctrl}" >&2
-    printf "\e[91m❌         in argument : '%s'. \e[0m\n" "${input}" >&2
-    printf "\e[91m❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \e[0m\n" >&2
+    printf "%s❌ Control character   : '%s'. %s%s" "${C_RED}" "${disallowed_ctrl}" "${C_RES}" "${NL}" >&2
+    printf "%s❌         in argument : '%s'. %s%s" "${C_RED}" "${input}" "${C_RES}" "${NL}" >&2
+    printf "%s❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' %s%s" "${C_RED}" "${C_RES}" "${NL}" >&2
     # shellcheck disable=SC2162
     read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
     exit "${ERR_UNSAFE_CHARACTER}"
@@ -64,18 +70,18 @@ sanitize_arg() {
   disallowed=$(printf '%s' "${input}" | tr -d "${allowed}")
   if [[ -n ${disallowed} ]]; then
     {
-      printf "❌ Invalid character   : '%s'. \n" "${disallowed//?/& }"
-      printf "❌         in argument : '%s'. \n" "${input}"
-      printf "❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \n"
-      printf "\n"
+      printf "❌ Invalid character   : '%s'. %s" "${disallowed//?/& }" "${NL}"
+      printf "❌         in argument : '%s'. %s" "${input}" "${NL}"
+      printf "❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' %s" "${NL}"
+      printf "%s" "${NL}"
     } >> "${LOG_ERROR}"
     case "${VAR_IN_DIALOG_WR}" in
       box   ) dialog_box_cleaner   ;;
       gauge ) dialog_gauge_cleaner ;;
     esac
-    printf "\e[91m❌ Invalid character   : '%s'. \e[0m\n" "${disallowed//?/& }" >&2
-    printf "\e[91m❌         in argument : '%s'. \e[0m\n" "${input}" >&2
-    printf "\e[91m❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' \e[0m\n" >&2
+    printf "%s❌ Invalid character   : '%s'. %s%s" "${C_RED}" "${disallowed//?/& }" "${C_RES}" "${NL}" >&2
+    printf "%s❌         in argument : '%s'. %s%s" "${C_RED}" "${input}" "${C_RES}" "${NL}" >&2
+    printf "%s❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' %s%s" "${C_RED}" "${C_RES}" "${NL}" >&2
     # shellcheck disable=SC2162
     read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
     exit "${ERR_UNSAFE_CHARACTER}"
@@ -83,5 +89,4 @@ sanitize_arg() {
     printf '%s' "${input}"
   fi
 }
-
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/0102_arg_parser.sh

@@ -10,9 +10,12 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Argument Parser
 # Globals:
+#   DEFAULT_LOG_LEVEL
 #   VAR_AUTO_INSTALL
 #   VAR_IN_DIALOG_WR
 #   VAR_PRIORITY

lib/0103_arg_priority_check.sh

@@ -10,9 +10,14 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
+guard_sourcing
+
 #######################################
 # Check and setup Script Priorities
 # Globals:
+#   C_GRE
+#   C_RES
+#   NL
 #   VAR_PRIORITY
 #   VAR_REIONICE_CLASS
 #   VAR_REIONICE_PRIORITY
@@ -25,14 +30,14 @@ arg_priority_check() {
   if [[ -n ${VAR_PRIORITY} ]]; then
     renice "${VAR_PRIORITY}" -p "$$"
     var=$(ps -o ni= -p $$) > /dev/null 2>&1
-    printf "\e[92m✅ New renice value: %s\e[0m\n" "${var}"
+    printf "%s✅ New renice value: '%s'. %s%s" "${C_GRE}" "${var}" "${C_RES}" "${NL}"
   fi
 
   # Check if ionice PRIORITY is set and adjust ionice priority.
   if [[ -n ${VAR_REIONICE_CLASS} ]]; then
     ionice -c"${VAR_REIONICE_CLASS:-2}" -n"${VAR_REIONICE_PRIORITY:-4}" -p "$$"
     var=$(ionice -p $$) > /dev/null 2>&1
-    printf "\e[92m✅ New ionice value: %s\e[0m\n" "${var}"
+    printf "%s✅ New ionice value: '%s'. %s%s" "${C_GRE}" "${var}" "${C_RES}" "${NL}"
   fi
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/0104_arg_nuke_converter.sh

@@ -0,0 +1,111 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+
+          declare pw_file="${2}"
+          if [[ -z "${pw_file}" ]]; then
+            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            printf "%s❌ Error: --root-password-file missing password file path argument.%s%s" "${C_RED}" "${C_RES}" "${NL}" >&2
+            # shellcheck disable=SC2162
+            read -p  $'%s✅ Press \'ENTER\' to exit the script ... %s' ${C_GRE}" "${C_RES}"
+            exit "${ERR_MISS_PWD_P}"
+          fi
+
+          if [[ ! -f "${pw_file}" ]]; then
+            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            printf "%s❌ Error: --root-password-file password file '%s' does not exist.%s%s" "${pw_file}" >&2
+            # shellcheck disable=SC2162
+            read -p  $'%s✅ Press \'ENTER\' to exit the script ... %s'
+            exit "${ERR_MISS_PWD_F}"
+          fi
+
+          declare owner
+          owner=$(stat -c '%U:%G' "${pw_file}")
+          if [[ "${owner}" != "root:root" ]]; then
+            chown root:root "${pw_file}" || {
+              if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+              printf "%s❌ Error: --root-password-file failed to set owner root:root on '%s'.%s%s" "${pw_file}" >&2
+              # shellcheck disable=SC2162
+              read -p  $'%s✅ Press \'ENTER\' to exit the script ... %s'
+              exit "${ERR_OWNS_PWD_F}"
+            }
+          fi
+
+          declare perms
+          perms=$(stat -c '%a' "${pw_file}")
+          if [[ "${perms}" -ne 400 ]]; then
+            chmod 400 "${pw_file}" || {
+              if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+              printf "%s❌ Error: --root-password-file failed to set permissions 0400 on '%s'.%s%s" "${pw_file}" >&2
+              # shellcheck disable=SC2162
+              read -p  $'%s✅ Press \'ENTER\' to exit the script ... %s'
+              exit "${ERR_RGHT_PWD_F}"
+            }
+          fi
+
+          declare plaintext_pw
+          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
+          if ! IFS= read -r plaintext_pw < "${pw_file}"; then
+            :
+          fi
+          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
+
+          declare pw_length
+          pw_length=${#plaintext_pw}
+          if (( pw_length < 20 || pw_length > 64 )); then
+            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            printf "%s❌ Error: --root-password-file password MUST be between 20 and 64 characters (got %d).%s%s" "${pw_length}" >&2
+            # shellcheck disable=SC2162
+            read -p  $'%s✅ Press \'ENTER\' to exit the script ... %s'
+            exit "${ERR_PASS_LENGH}"
+          fi
+
+          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
+          if [[ "${plaintext_pw}" == *\"* ]]; then
+            [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
+            if ! $VAR_HANDLER_AUTOBUILD; then boot_screen_cleaner; fi
+            printf "%s❌ Error: --root-password-file password MUST NOT contain double quotes (\").%s%s" >&2
+            # shellcheck disable=SC2162
+            read -p  $'%s✅ Press \'ENTER\' to exit the script ... %s'
+            exit "${ERR_PASS_PLICY}"
+          fi
+          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
+
+          declare salt
+          set +o pipefail
+          while :; do
+            salt=$(tr -dc 'A-Za-z0-9' </dev/random | head -c 16)
+            [[ ${#salt} -eq 16 ]] && break
+          done
+          set -o pipefail
+
+          declare hash_temp
+          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x # No tracing for security reasons
+          hash_temp=$(mkpasswd --method=sha-512 --salt="${salt}" --rounds=8388608 "${plaintext_pw}")
+          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x # Turn on tracing again
+
+          declare -g VAR_HASHED_PWD="${hash_temp}"
+          unset hash_temp plaintext_pw
+
+          sync
+          if shred -vfzu -n 5 "${pw_file}" > /dev/null 2>&1; then
+            printf "%s✅ Password file '%s': shred -vfzu -n 5 >> done. %s%s" "${pw_file}" > /dev/null 2>&1
+          else
+            printf "%s❌ Password file '%s': shred -vfzu -n 5 >> NOT successful. %s%s" "${pw_file}" > /dev/null 2>&1
+          fi
+          sync
+
+
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

meta_loader_early.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+. ./var/colors.var.sh
+. ./var/errors.var.sh
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

var/colors.var.sh

@@ -19,5 +19,6 @@ declare -grx C_MAG='\e[95m' # Super gay magenta.
 declare -grx C_CYA='\e[96m' # Lovely cyan.
 declare -grx C_WHI='\e[97m' # Fantastic color mix.
 declare -grx C_RES='\e[0m'  # Forget everything.
+declare -grx NL='\n'        # Print a crystal clear new line.
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh