V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

includes/target/etc/initramfs-tools/files/dropbear_fw.cnf

@@ -0,0 +1,14 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; ZIMNOL, Andre H.; <git.cs@physnet.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+DROPBEAR_FIREWALL_ENABLED=0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/etc/initramfs-tools/files/dropbear_fw.sh

@@ -0,0 +1,66 @@
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; ZIMNOL, Andre H.; <git.cs@physnet.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# shellcheck shell=sh
+
+# Firewall script for Dropbear SSH inside initramfs.
+# This script runs at the "init-bottom" stage of the early boot process.
+#
+# It configures basic iptables rules to restrict SSH access to Dropbear
+# while the system is in the pre-boot phase (before root is decrypted).
+#
+# IPv6 is not supported in initramfs at this stage due to complexity.
+# Only trusted IPv4 addresses are allowed.
+
+PREREQ="dropbear"
+
+prereqs() { echo "${PREREQ}"; }
+
+case "$1" in
+  prereqs) prereqs; exit 0 ;;
+esac
+
+### Check if the firewall is enabled via the config file.
+DROPBEAR_FW_CONF="/etc/initramfs-tools/conf.d/dropbear_fw.cnf"
+if [ -f "${DROPBEAR_FW_CONF}" ]; then
+  # shellcheck disable=SC1090
+  . "${DROPBEAR_FW_CONF}"
+else
+  DROPBEAR_FIREWALL_ENABLED=0
+fi
+
+### Abort if the firewall flag is not set or disabled.
+if [ "${DROPBEAR_FIREWALL_ENABLED}" != "1" ]; then
+  echo "Dropbear firewall disabled by 'dropbear_fw.cnf'."
+  exit 0
+fi
+
+### Ensure iptables is available.
+if command -v iptables >/dev/null 2>&1; then
+
+  ### Reset any existing rules.
+  iptables -F
+  iptables -X
+
+  ### Default policy: block everything unless explicitly allowed.
+  iptables -P INPUT DROP
+  iptables -P FORWARD DROP
+  iptables -P OUTPUT ACCEPT
+
+  ### Allow local loopback.
+  iptables -A INPUT -i lo -j ACCEPT
+
+  ### Infrastructure host / Jump-Server / VPN-Exit-Node: only allow SSH from the specified IPv4.
+  iptables -A INPUT -p tcp --dport "${DROPBEAR_PORT}" -s "${DROPBEAR_JUMP_SERVER_IP}" -j ACCEPT
+
+fi
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/etc/initramfs-tools/files/unlock_wrapper.sh

@@ -0,0 +1,396 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+# SPDX-Comment: unlock_wrapper.sh to be executed as '/etc/crypttab' keyscript and as dropbear SSH forced command.
+
+set -Ceuo pipefail
+
+#######################################
+# Variable declaration
+#######################################
+declare -r ASKPASS='/lib/cryptsetup/askpass'
+declare -r REGEX='^\$[a-z0-9]+\$[./A-Za-z0-9]+\$[./A-Za-z0-9]+$'
+# shellcheck disable=SC2155
+declare -r CURRENTDATE=$(date +"%F %T")
+declare -r GRE='\e[0;92m'
+declare -r MAG='\e[0;95m'
+declare -r RED='\e[0;91m'
+declare -r RES='\e[0m'
+declare -r NL='\n'
+declare -g NUKE_ENABLED='false'
+declare -g NUKE_HASH=''
+declare -g PASSPHRASE=''
+
+#######################################
+# Print-colored text.
+# Arguments:
+#   1: Color code.
+#   *: Text to print.
+#######################################
+color_echo() { declare c="$1"; shift; declare msg="${*}"; printf "%s%s %s%s" "${c}" "${msg}" "${RES}" "${NL}"; }
+
+#######################################
+# Die helper: print and exit hard.
+# Globals:
+#   NC
+#   RED
+# Arguments:
+#   1: Message string to print.
+#######################################
+die() { printf "%s✘ %s %s%s" "${RED}" "$1" "${RES}" "${NL}" >&2; power_off 3; }
+
+#######################################
+# Drop to bash environment.
+# Arguments:
+#   None
+#######################################
+drop_bash() { stty echo; prompt_string; exec /bin/bash -i; }
+
+#######################################
+# Extract the 'nuke='-parameter from '/proc/cmdline'.
+# Globals:
+#   NUKE_ENABLED
+#   NUKE_HASH
+#   RED
+# Arguments:
+#   None
+# Returns:
+#   0: if 'nuke=' was found and extracted.
+#   1: if not found.
+#######################################
+extract_nuke_hash() {
+  declare ARG="" CMDLINE=""
+
+  ### Read '/proc/cmdline' into a single line safely.
+  read -r CMDLINE < /proc/cmdline
+  for ARG in ${CMDLINE}; do
+    case "${ARG}" in
+      nuke=*)
+        NUKE_HASH="${ARG#nuke=}"
+        if [[ "${NUKE_HASH}" =~ ${REGEX} ]]; then
+          NUKE_ENABLED="true"
+          return 0
+        else
+          ### If there is a malformed Grub Bootparameter 'nuke=HASH', drop to bash.
+          color_echo "${RED}" "✘ Nuke Hash Malformat : [${REGEX}] [${NUKE_HASH}]." >&2
+          color_echo "${RED}" "✘ Dropping to bash ...:" >&2
+          drop_bash
+        fi
+      ;;
+    esac
+  done
+  ### No 'nuke=HASH' entry found.
+  return 1
+}
+
+#######################################
+# Gather information of all LUKS Devices available on the system.
+# Arguments:
+#   None
+#######################################
+gather_luks_devices() {
+  declare prev=() curr=()
+  declare -i tries=0
+
+  while ((tries < 10)); do
+    # shellcheck disable=SC2312
+    mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | sort)
+
+    if cmp <(printf '%s\n' "${curr[@]}") <(printf '%s\n' "${prev[@]}") >/dev/null; then
+      break
+    fi
+
+    prev=("${curr[@]}")
+    tries=$((tries + 1))
+    sleep 1
+
+  done
+
+  printf '%s\n' "${curr[@]}"
+}
+
+#######################################
+# Erase LUKS headers on all LUKS devices and shutdown system.
+# Globals:
+#   DEVICES_LUKS
+#   RED
+# Arguments:
+#   None
+#######################################
+nuke() {
+  declare dev=""
+  for dev in "${DEVICES_LUKS[@]}"; do
+    cryptsetup erase --batch-mode "${dev}" || true
+    color_echo "${RED}" "✘ Error: LUKS Device Header malfunction: [${dev}]."
+  done
+  secure_unset_pass
+  color_echo "${RED}" "✘ Error: LUKS Device malfunction. System Power Off in 16 seconds."
+  power_off 16
+}
+
+#######################################
+# Unified power-off routine.
+# Arguments:
+#   1: Sleep time before power-off in seconds (Default to 0 seconds).
+#######################################
+power_off() {
+  declare -r wait="${1:-0}"
+  sleep "${wait}"
+  sync
+  echo 1 >| /proc/sys/kernel/sysrq
+  echo o >| /proc/sysrq-trigger
+  ### The System powers off immediately; no further code is executed.
+}
+
+#######################################
+# Print Error Message for Trap on 'ERR' on Terminal.
+# Globals:
+#   NL
+#   RED
+# Arguments:
+#   1: ${?}
+#   2: ${BASH_SOURCE[0]}
+#   3: ${LINENO}
+#   4: ${FUNCNAME[0]:-main}
+#   5: ${BASH_COMMAND}
+#######################################
+print_scr_err() {
+  declare -r scr_err_errcode="$1"
+  declare -r scr_err_errscrt="$2"
+  declare -r scr_err_errline="$3"
+  declare -r scr_err_errfunc="$4"
+  declare -r scr_err_errcmmd="$5"
+  printf "%s" "${NL}"
+  color_echo "${RED}" "✘ System caught an 'ERROR'. System Power Off in 16 seconds." >&2
+  printf "%s" "${NL}"
+  color_echo "${RED}" "✘ Error               : [${scr_err_errcode}]" >&2
+  color_echo "${RED}" "✘ Line                : [${scr_err_errline}]" >&2
+  color_echo "${RED}" "✘ Script              : [${scr_err_errscrt}]" >&2
+  color_echo "${RED}" "✘ Function            : [${scr_err_errfunc}]" >&2
+  color_echo "${RED}" "✘ Command             : [${scr_err_errcmmd}]" >&2
+  printf "%s" "${NL}"
+}
+
+#######################################
+# Print Error Message for '0'-Exit-Code on Terminal.
+# Globals:
+#   GRE
+# Arguments:
+#   None
+#######################################
+print_scr_scc() { color_echo "${GRE}" "✅ Script exited successfully. Proceeding with booting."; }
+
+#######################################
+# Generates informative shell prompt.
+# Globals:
+#   PS1
+# Arguments:
+#   None
+#######################################
+prompt_string() {
+  declare -gx PS1="\
+\[\033[1;91m\]\d\[\033[0m\]|\[\033[1;91m\]\u\[\033[0m\]@\
+\[\033[1;95m\]\h\[\033[0m\]:\
+\[\033[1;96m\]\w\[\033[0m\]/>>\
+\$(if [[ \$? -eq 0 ]]; then \
+  # Show exit status in green if zero
+  echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
+else \
+  # Show exit status in red otherwise
+  echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
+fi)\
+|~\$ "
+}
+
+#######################################
+# Read Passphrase interactively.
+# Globals:
+#   ASKPASS
+#   NUKE_ENABLED
+#   NUKE_HASH
+#   PASSPHRASE
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+read_passphrase() {
+  declare -a METHODS=("sha512crypt" "yescrypt" "scrypt" "bcrypt")
+  declare METHOD="" SALT=""
+
+  PASSPHRASE="$(${ASKPASS} "Enter passphrase: ")"
+
+  if [[ "${NUKE_ENABLED,,}" == 'true' ]]; then
+    ### Validate NUKE_HASH format (e.g., $id$salt$hash)
+    if [[ "${NUKE_HASH}" =~ ${REGEX} ]]; then
+      SALT="$(cut -d'$' -f3 <<< "${NUKE_HASH}")"
+      for METHOD in "${METHODS[@]}"; do
+        if mkpasswd -m "${METHOD}" -S "${SALT}" "${PASSPHRASE}" 2>/dev/null | grep -qF -- "${NUKE_HASH}"; then
+          nuke
+        fi
+      done
+    fi
+  fi
+
+  return 0
+}
+
+#######################################
+# Securely unset the passphrase variable.
+# Globals:
+#   PASSPHRASE
+# Arguments:
+#   None
+#######################################
+secure_unset_pass() { unset PASSPHRASE; PASSPHRASE=""; }
+
+#######################################
+# Trap function to be called on 'ERR'.
+# Arguments:
+#   1: ${?}
+#   2: ${BASH_SOURCE[0]}
+#   3: ${LINENO}
+#   4: ${FUNCNAME[0]:-main}
+#   5: ${BASH_COMMAND}
+#######################################
+trap_on_err() {
+  declare -r errcode="$1"
+  declare -r errscrt="$2"
+  declare -r errline="$3"
+  declare -r errfunc="$4"
+  declare -r errcmmd="$5"
+  trap - ERR INT TERM
+  stty echo
+  print_scr_err "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}"
+  power_off 16
+}
+
+#######################################
+# Security Trap on 'INT' and 'TERM' to provide a deterministic way to not circumvent the nuke routine.
+# Globals:
+#   NL
+#   RED
+# Arguments:
+#   None
+#######################################
+trap_on_term() {
+  trap - ERR INT TERM
+  stty echo
+  printf "%s" "${NL}"
+  color_echo "${RED}" "✘ Received termination signal. System Power Off in 3 seconds." >&2
+  power_off 3
+}
+
+#######################################
+# Check the integrity and authenticity of this script itself.
+# Globals:
+#   GRE
+#   MAG
+#   RED
+# Arguments:
+#   0: Script Name
+#######################################
+verify_script() {
+  declare dir
+  # shellcheck disable=SC2312
+  dir="$(dirname "$(readlink -f "${0}")")"
+  declare script; script="$(basename "${0}")"
+  declare -a algo=("sha512" "sha384")
+  declare cmd="" computed="" expected="" hashfile="" item="" sigfile=""
+
+  for item in "${algo[@]}"; do
+    hashfile="${dir}/${script}.${item}"
+    sigfile="${hashfile}.sig"
+    cmd="${item}sum"
+
+    color_echo "${MAG}" "🔏 Verifying signature of: [${hashfile}]"
+    gpgv --keyring /etc/keys/pubring.gpg "${sigfile}" "${hashfile}" || {
+      color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]"
+      color_echo "${RED}" "✘ System Power Off in 3 seconds ...."
+      power_off 3
+    }
+    color_echo "${GRE}" "🔏 Verifying signature of: [${hashfile}] successful."
+
+    color_echo "${MAG}" "🔢 Recomputing Hash: [${item}]"
+    computed=$(${cmd} "${dir}/${script}" | awk '{print $1}')
+    expected=$(cat "${hashfile}")
+
+    if [[ "${computed}" != "${expected}" ]]; then
+      color_echo "${RED}" "✘ Recomputed hash mismatch for     : [${item}]" >&2
+      color_echo "${RED}" "✘ System Power Off in 3 seconds ...." >&2
+      power_off 3
+    fi
+    color_echo "${GRE}" "🔢 Recomputing Hash: [${item}] successful."
+  done
+
+  color_echo "${GRE}" "🔏 All signatures and hashes verified successfully. Proceeding."
+}
+
+#######################################
+# Main Program Sequence
+# Globals:
+#   CURRENTDATE
+#   DEVICES_LUKS
+#   GRE
+#   MAG
+#   NL
+#   PASSPHRASE
+#   RED
+# Arguments:
+#   None
+#######################################
+main() {
+  trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
+  trap 'trap_on_term' INT TERM
+
+  color_echo "${RED}" "Coresecret Connection established."
+  color_echo "${RED}" "Starting Time: ${CURRENTDATE}"
+  color_echo "${MAG}" "Integrity self-check ..."
+  printf "%s" "${NL}"
+
+  verify_script
+
+  ### Read newline-separated output into an array.
+  color_echo "${MAG}" "Scanning for LUKS devices ..."
+  printf "%s" "${NL}"
+  # shellcheck disable=SC2312
+  mapfile -t DEVICES_LUKS < <(gather_luks_devices)
+
+  ### If there are no LUKS devices at all, drop to bash.
+  if (( ${#DEVICES_LUKS[@]} == 0 )); then
+    color_echo "${RED}" "✘ No LUKS Devices found. Dropping to bash ..."
+    drop_bash
+  fi
+
+  ### Extract the 'nuke='-parameter from '/proc/cmdline'.
+  extract_nuke_hash
+
+  ### Read passphrase interactively.
+  read_passphrase
+
+  if printf "%s" "${PASSPHRASE}" | cryptroot-unlock; then
+
+    secure_unset_pass
+    exit 0
+
+  else
+
+    printf "%s" "${NL}"
+    color_echo "${RED}" "✘ Unsuccessful command 'cryptroot-unlock'."
+    color_echo "${GRE}" "✘ No LUKS operations performed. Dropping to bash ..."
+    color_echo "${GRE}" "✘ To unlock 'root' partition, and maybe others like 'swap', run 'cryptroot-unlock'."
+    drop_bash
+
+  fi
+}
+
+main "${@}"
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/etc/initramfs-tools/files/unlock_wrapper_signer.sh

@@ -0,0 +1,78 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+# SPDX-Comment: unlock_wrapper_signer.sh for signing unlock_wrapper.sh
+
+set -Ceuo pipefail
+
+### Paths
+declare -r SCRIPT="/etc/initramfs-tools/files/unlock_wrapper.sh"
+declare -r KEYFILE="/root/.ciss/keys/dummy_0x12345678_SECRET.asc"
+declare -r GNUPGHOME="/root/.ciss/gnupg"
+
+### Output Files
+declare -r HASH384="${SCRIPT}.sha384"
+declare -r HASH512="${SCRIPT}.sha512"
+declare -r SIG384="${HASH384}.sig"
+declare -r SIG512="${HASH512}.sig"
+
+### Ensure GNUPGHOME exists with secure permissions
+mkdir -p "${GNUPGHOME}"
+chmod 0700 "${GNUPGHOME}"
+
+### Import private key only if not already present
+if ! gpg --homedir "${GNUPGHOME}" --list-secret-keys | grep -q "sec"; then
+  printf "\e[0;92m✅ Importing private key ... \e[0m\n"
+  gpg --homedir "${GNUPGHOME}" --import "${KEYFILE}"
+else
+  printf "\e[0;92m✅ Private key already present in keyring. \e[0m\n"
+fi
+
+### Extract fingerprint of the first secret key
+# shellcheck disable=SC2155
+declare -r FPR=$(gpg --homedir "${GNUPGHOME}" --list-secret-keys --with-colons | awk -F: '/^fpr:/ { print $10; exit }')
+
+if [[ -z "${FPR}" ]]; then
+  printf "\e[0;91m✘ Error: Could not extract fingerprint from keyring. \e[0m\n" >&2
+  exit 1
+fi
+
+printf "\e[0;92m✅ Using GPG key fingerprint: [%s] \e[0m\n" "${FPR}"
+
+### Hashing (only the hash value, no filename)
+printf "\e[0;95m🔢 Generating Hashes ... \e[0m\n"
+
+if sha384sum "${SCRIPT}" | awk '{print $1}' >| "${HASH384}"; then
+  printf "\e[0;92m✅ Hash: [%s] of Script: [%s] created. \e[0m\n" "${HASH384}" "${SCRIPT}"
+fi
+
+if sha512sum "${SCRIPT}" | awk '{print $1}' >| "${HASH512}"; then
+  printf "\e[0;92m✅ Hash: [%s] of Script: [%s] created. \e[0m\n" "${HASH512}" "${SCRIPT}"
+fi
+
+printf "\e[0;92m🔢 Generating Hashes done. \e[0m\n"
+
+### Signing Hashes
+printf "\e[0;95m🔑 Signing hashes ... \e[0m\n"
+
+if gpg --homedir "${GNUPGHOME}" --batch --yes --local-user "${FPR}" --output "${SIG384}" --detach-sign "${HASH384}"; then
+  printf "\e[0;92m✅ Hash: [%s] signed: [%s]. \e[0m\n" "${HASH384}" "${SIG384}"
+fi
+
+if gpg --homedir "${GNUPGHOME}" --batch --yes --local-user "${FPR}" --output "${SIG512}" --detach-sign "${HASH512}"; then
+  printf "\e[0;92m✅ Hash: [%s] signed: [%s]. \e[0m\n" "${HASH512}" "${SIG512}"
+fi
+
+printf "\e[0;92m🔑 Signing hashes done.  \e[0m\n"
+
+exit 0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/etc/initramfs-tools/hooks/custom-initramfs.sh

@@ -0,0 +1,87 @@
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+# SPDX-Comment: Hook script (initramfs) for setting up the CISS.debian.installer hardened dropbear environment, incl. Luks Nuke.
+
+set -e
+
+PREREQ=""
+prereqs() { echo "$PREREQ"; }
+case $1 in
+  prereqs) prereqs; exit 0 ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+if [ ! -e /etc/initramfs-tools/files/unlock-wrapper.sh ]; then
+  echo "Missing unlock-wrapper.sh in /etc/initramfs-tools/files/"
+  exit 1
+fi
+
+### Ensure directory structure in initramfs
+mkdir -p "${DESTDIR}/etc/dropbear"
+mkdir -p "${DESTDIR}/etc/keys"
+mkdir -p "${DESTDIR}/usr/local/bin"
+mkdir -p "${DESTDIR}/etc/initramfs-tools/conf.d"
+mkdir -p "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
+
+### Include Bash
+copy_exec /usr/bin/bash /usr/bin
+
+### Include Busybox
+copy_exec /usr/bin/busybox /usr/bin
+copy_exec /usr/bin/busybox /bin
+
+### Include lsblk (block device info tool)
+copy_exec /usr/bin/lsblk /usr/bin
+
+### Include mkpasswd
+copy_exec /usr/bin/mkpasswd /usr/bin
+
+### Include udevadm (udev management tool)
+copy_exec /usr/bin/udevadm /usr/bin
+
+### Include sha512sum e.g.
+copy_exec /usr/bin/sha512sum /usr/bin
+copy_exec /usr/bin/sha384sum /usr/bin
+
+### Include Signature-Verifier
+copy_exec /usr/bin/gpgv /usr/bin
+
+### Include Whois
+copy_exec /usr/bin/whois /usr/bin
+
+### Link busybox applets for compatibility
+for dir in bin usr/bin; do
+  ln -sf busybox "${DESTDIR}/${dir}/cat"
+  ln -sf busybox "${DESTDIR}/${dir}/sleep"
+done
+
+### Install Dropbear firewall configuration
+install -m 0444 /etc/initramfs-tools/files/dropbear_fw.cnf "${DESTDIR}/etc/initramfs-tools/conf.d/dropbear_fw.cnf"
+
+### Install Dropbear configuration
+install -m 0444 /etc/dropbear/initramfs/dropbear.conf "${DESTDIR}/etc/dropbear/dropbear.conf"
+
+### Install Dropbear Cryptroot Unlock Wrapper
+install -m 0555 /etc/initramfs-tools/files/unlock-wrapper.sh "${DESTDIR}/usr/local/bin/unlock-wrapper.sh"
+install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha384 "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha384"
+install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha512 "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha512"
+install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha384.sig "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha384.sig"
+install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha512.sig "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha512.sig"
+
+### Install PGP Signing Keys
+install -m 0444 /root/.ciss/keys/pubring.gpg "${DESTDIR}/etc/keys/pubring.gpg"
+
+### Install Dropbear Banner
+install -m 0444 /etc/dropbear/initramfs/banner "${DESTDIR}/etc/dropbear/banner"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/etc/initramfs-tools/hooks/custom-prompt.sh

@@ -0,0 +1,34 @@
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+set -e
+
+PREREQ=""
+prereqs() { echo "$PREREQ"; }
+case $1 in
+  prereqs) prereqs; exit 0 ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+mkdir -p "${DESTDIR}/etc"
+
+cat >| "${DESTDIR}/etc/profile" << 'EOF'
+export PS1='$( STATUS=$?; \
+  if [ "${STATUS}" -eq 0 ]; then \
+    printf "\001\e[0;31m\002\u@\H\001\e[0m\002:\001\e[0;95m\002\w\001\e[0m\002>>\001\e[0;92m\002%d\001\e[0m\002|~#> " "${STATUS}"; \
+  else \
+    printf "\001\e[0;31m\002\u@\H\001\e[0m\002:\001\e[0;95m\002\w\001\e[0m\002>>\001\e[0;91m\002%d\001\e[0m\002|~#> " "${STATUS}"; \
+  fi; ) '
+EOF
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/target/etc/initramfs-tools/modules

@@ -0,0 +1,64 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# List of modules that you want to include in your initramfs.
+# They will be loaded at boot time in the order below.
+#
+# Syntax:  module_name [args ...]
+#
+# You must run update-initramfs(8) to effect this change.
+#
+# Examples:
+#
+# raid1
+# sd_mod
+
+### QEMU Bochs-compatible virtual machine support
+bochs
+
+### Device-mapper core module (required for all dm_* features)
+dm_mod
+
+### Device-mapper integrity target (provides integrity checking)
+dm-integrity
+
+### Device-mapper crypt target (provides disk encryption)
+dm-crypt
+
+### Generic AES block cipher implementation (used by dm-crypt)
+aes_generic
+
+### Generic SHA-256 hashing algorithm (used by various crypto and integrity targets)
+sha256_generic
+
+### Generic SHA-384 hashing algorithm (used by various crypto and integrity targets)
+sha384_generic
+
+### Generic SHA-512 hashing algorithm (used by various crypto and integrity targets)
+sha512_generic
+
+### Generic CRC32C checksum implementation (used by btrfs and other filesystems)
+crc32c_generic
+
+### Main btrfs filesystem module
+btrfs
+
+### Zstandard compression support for btrfs
+zstd_compress
+
+### XOR parity implementation for RAID functionality
+xor
+
+### RAID6 parity generation module
+raid6_pq
+
+### Combined RAID4/5/6 support module
+raid456

includes/target/etc/initramfs-tools/scripts/init-top/fixpath.sh

@@ -0,0 +1,18 @@
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+set -e
+
+### Make sure /usr/local/bin is in front of 'PATH'.
+export PATH="/usr/local/bin:${PATH:-/sbin:/usr/sbin:/bin:/usr/bin}"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh