V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-08-03 17:10:34 +02:00
parent a022769093
commit 525e7db19f
38 changed files with 288 additions and 182 deletions
--- a/func/cdi_4300_network/4300_installation_network.sh
+++ b/func/cdi_4300_network/4300_installation_network.sh
@@ -0,0 +1,276 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Setup network.
+# Globals:
+#   DIR_BAK
+#   TARGET
+#   VAR_FINAL_FQDN
+#   VAR_FINAL_IPV4
+#   VAR_FINAL_IPV4_GW
+#   VAR_FINAL_IPV4_SUBNET
+#   VAR_FINAL_IPV6
+#   VAR_FINAL_NIC
+#   VAR_LINK_IPV6
+#   network_autoconfig_enable
+#   network_choose_interface_auto
+#   network_choose_interface_static
+#   network_hostname
+#   network_static_ipv4address
+#   network_static_ipv4gateway
+#   network_static_ipv4nameserver_0
+#   network_static_ipv4nameserver_1
+#   network_static_ipv4nameserver_2
+#   network_static_ipv4nameserver_fallback_0
+#   network_static_ipv4nameserver_fallback_1
+#   network_static_ipv4netmask
+#   network_static_ipv6address
+#   network_static_ipv6gateway
+#   network_static_ipv6nameserver_0
+#   network_static_ipv6nameserver_1
+#   network_static_ipv6nameserver_2
+#   network_static_ipv6nameserver_fallback_0
+#   network_static_ipv6nameserver_fallback_1
+#   network_static_ipv6netmask
+# Arguments:
+#  None
+# Returns:
+#   0: on success
+#######################################
+installation_network() {
+  do_in_target "${TARGET}" apt-get install -y isc-dhcp-client ifupdown
+  mkdir -p "${TARGET}/etc/network/interfaces/interfaces.d"
+
+  declare var_auto_nic="" var_auto_ipv4_ccidr="" var_auto_ipv4_subnet="" var_auto_ipv4="" var_auto_ipv4_gw="" \
+    var_auto_ipv6_ccidr="" var_auto_ipv6="" var_auto_ipv6_gw="" var_link_ipv4="" var_link_ipv6="" var_auto_fqdn="" ns=""
+  declare -a ary_ipv4_ns=() ary_ipv6_ns=()
+
+
+  ### Create network configuration file header.
+  if [[ -f "${TARGET}/etc/network/interfaces" ]]; then
+    mkdir -p "${DIR_BAK}/etc/network"
+    mv "${TARGET}/etc/network/interfaces" "${DIR_BAK}/etc/network/interfaces.bak"
+    do_log "info" "file_only" "4130() Existing '${TARGET}/etc/network/interfaces' moved."
+  fi
+
+  cat << EOF >| "${TARGET}/etc/network/interfaces"
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# This file describes the network interfaces available on your system
+# and how to activate them. For more information, see interfaces(5).
+
+source /etc/network/interfaces.d/*
+
+# The loopback network interface
+auto lo
+iface lo inet loopback
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+  chmod 0644 "${TARGET}/etc/network/interfaces"
+  do_log "info" "file_only" "4130() Header '${TARGET}/etc/network/interfaces' created."
+
+  ### Configure network interfaces based on 'preseed.yaml' and create network configuration files for IPv4.
+  if [[ "${network_autoconfig_enable,,}" == "true" && "${network_choose_interface_auto,,}" == "true" ]]; then
+
+    ### Reminder ###
+    # auto:
+    # For servers or systems with static interfaces that should always be available (e.g., eth0 on a server).
+    # For configurations where the interface should be active regardless of the cable status.
+    # allow-hotplug:
+    # For systems with dynamic or removable network devices (e.g., laptops or USB adapters).
+    # To avoid boot delays when interfaces are unavailable.
+
+    cat << EOF >| "${TARGET}/etc/network/interfaces/interfaces.d/10-ipv4-dhcp"
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# The primary network interface IPv4
+auto ${var_auto_nic}
+iface ${var_auto_nic} inet dhcp
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+    chmod 0644 "${TARGET}/etc/network/interfaces/interfaces.d/10-ipv4-dhcp"
+    do_log "info" "file_only" "4130() IPv4 on the primary NIC: '${var_auto_nic}' configured with DHCP."
+
+  elif [[ "${network_autoconfig_enable,,}" == "true" && "${network_choose_interface_auto,,}" == "false" ]]; then
+
+    cat << EOF >| "${TARGET}/etc/network/interfaces/interfaces.d/10-ipv4-dhcp"
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# The primary network interface IPv4
+auto ${network_choose_interface_static}
+iface ${network_choose_interface_static} inet dhcp
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+    chmod 0644 "${TARGET}/etc/network/interfaces/interfaces.d/10-ipv4-dhcp"
+    do_log "info" "file_only" "4130() IPv4 on the primary NIC: '${network_choose_interface_static}' configured with DHCP."
+
+  fi
+
+  if [[ "${network_autoconfig_enable,,}" == "false" ]]; then
+
+    cat << EOF >| "${TARGET}/etc/network/interfaces/interfaces.d/10-ipv4-static"
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# The primary network interface IPv4
+auto ${network_choose_interface_static}
+iface ${network_choose_interface_static} inet static
+    address ${network_static_ipv4address}
+    netmask ${network_static_ipv4netmask}
+    gateway ${network_static_ipv4gateway}
+    dns-nameservers ${ary_ipv4_ns[*]}
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+    chmod 0644  "${TARGET}/etc/network/interfaces/interfaces.d/10-ipv4-static"
+    do_log "info" "file_only" "4130() IPv4 on the primary NIC: '${network_choose_interface_static}' configured statically."
+
+  fi
+
+  ### Configure network interfaces based on 'preseed.yaml' and create network configuration files for IPv6.
+  if [[ "${network_autoconfig_enable,,}" == "true" && "${var_link_ipv6,,}" == "true" ]]; then
+
+    cat << EOF >| "${TARGET}/etc/network/interfaces/interfaces.d/10-ipv6-dhcp"
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# The primary network interface IPv6
+auto ${var_auto_nic}
+iface ${var_auto_nic} inet6 dhcp
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+    chmod 0644 "${TARGET}/etc/network/interfaces/interfaces.d/10-ipv6-dhcp"
+    do_log "info" "file_only" "4130() IPv6 on the primary NIC: '${var_auto_nic}' configured with DHCP."
+
+  fi
+
+  if [[ "${network_autoconfig_enable,,}" == "false" && -n "${network_static_ipv6address}" ]]; then
+
+    cat << EOF >| "${TARGET}/etc/network/interfaces/interfaces.d/10-ipv6-static"
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# The primary network interface IPv6
+auto ${network_choose_interface_static}
+iface ${network_choose_interface_static} inet6 static
+    address ${network_static_ipv6address}/${network_static_ipv6netmask}
+    gateway ${network_static_ipv6gateway}
+    dns-nameservers ${ary_ipv6_ns[*]}
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+    chmod 0644 "${TARGET}/etc/network/interfaces/interfaces.d/10-ipv6-static"
+    do_log "info" "file_only" "4130() IPv6 on the primary NIC: '${network_choose_interface_static}' configured statically."
+
+  fi
+
+  ### Ensure Internet Systems Consortium DHCP Client is not overwriting the static nameserver settings.
+  if [[ -f "${TARGET}/etc/dhcp/dhclient.conf" ]]; then
+    mkdir -p "${DIR_BAK}/etc/dhcp"
+    cp "${TARGET}/etc/dhcp/dhclient.conf" "${DIR_BAK}/etc/dhcp/dhclient.conf.bak"
+    do_log "info" "file_only" "4130() Existing '${TARGET}/etc/dhcp/dhclient.conf' saved."
+  fi
+
+  if [[ "${network_autoconfig_enable,,}" == "true" && -n "${network_static_ipv4nameserver_0}" ]]; then
+
+    cat << EOF >> "${TARGET}/etc/dhcp/dhclient.conf"
+
+# Custom dhclient config to override DHCP DNS
+EOF
+    declare var_supersede; var_supersede=$(printf "%s, " "${ary_ipv4_ns[@]}")
+    var_supersede="${var_supersede%, }"
+    echo "supersede domain-name-servers ${var_supersede};" >> "${TARGET}/etc/dhcp/dhclient.conf"
+
+    do_log "info" "file_only" "4130() DHCP client configuration for IPv4: '${TARGET}/etc/dhcp/dhclient.conf' configured."
+
+  fi
+
+  if [[ "${network_autoconfig_enable,,}" == "false" && -n "${network_static_ipv6nameserver_0}" ]]; then
+
+    declare var_supersede_ipv6; var_supersede_ipv6=$(printf "%s, " "${ary_ipv6_ns[@]}")
+    var_supersede_ipv6="${var_supersede_ipv6%, }"
+    echo "supersede domain-name-servers ${var_supersede_ipv6};" >> "${TARGET}/etc/dhcp/dhclient.conf"
+
+    do_log "info" "file_only" "4130() DHCP client configuration for IPv6: '${TARGET}/etc/dhcp/dhclient.conf' configured."
+
+  fi
+
+  if [[ "${network_autoconfig_enable,,}" == "true" && -n "${network_static_ipv4nameserver_0}" ]]; then
+
+    cat << EOF >> "${TARGET}/etc/dhcp/dhclient.conf"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+  fi
+
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4300_network/4310_dropbear_build.sh
+++ b/func/cdi_4300_network/4310_dropbear_build.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Build Ultra Hardened dropbear-2025.88 from sources.
+# Globals:
+#   DIR_TMP
+#   ERR_PATH_NOT_VALID
+#   VAR_SETUP_PATH
+# Arguments:
+#   None
+# Returns:
+#   ERR_PATH_NOT_VALID
+#   0: on success
+#######################################
+dropbear_build() {
+  declare var_dropbear_version="2025.88"
+  declare var_tar="${VAR_SETUP_PATH}/upgrades/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
+  declare var_build_dir="${DIR_TMP}/build/dropbear-${var_dropbear_version}"
+
+  mkdir -p "${DIR_TMP}/build"
+  cp "${var_tar}" "${DIR_TMP}/build"
+  tar xjf "${DIR_TMP}/build/dropbear-${var_dropbear_version}.tar.bz2" -C "${DIR_TMP}/build" || return "${ERR_PATH_NOT_VALID}"
+  cp "${VAR_SETUP_PATH}/upgrades/dropbear/localoptions.h" "${var_build_dir}"
+  cd "${var_build_dir}" || return "${ERR_PATH_NOT_VALID}"
+
+  # Flag Purpose
+  #  -fPIE:               Generate position-independent executable code
+  #  -pie:                Link the executable as PIE (so that ASLR works)
+  #  -static:             Fully statically linked against musl
+  #  -s:                  Strip unnecessary symbols directly during linking
+  #  -Wl,-z,relro,-z,now: Enables full RELRO (symbol resolution at program startup)
+
+  CC=musl-gcc \
+  CFLAGS="-Os -fPIE -Wno-undef -fstack-protector-strong -D_FORTIFY_SOURCE=2" \
+  LDFLAGS="-static -pie -s -Wl,-z,relro,-z,now" \
+  ./configure \
+    --enable-static \
+    --enable-openpty \
+    --disable-pam \
+    --disable-zlib
+
+  # shellcheck disable=2312
+  make -j"$(nproc)"
+
+  do_log "info" "file_only" "Ultra Hardened dropbear-2025.88 build successfully from sources."
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4300_network/4311_dropbear_initramfs.sh
+++ b/func/cdi_4300_network/4311_dropbear_initramfs.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Install Dropbear Initramfs and replace the binaries with the previous Ultra Hardened build.
+# Globals:
+#   DIR_TMP
+#   TARGET
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+dropbear_initramfs() {
+  declare var_file
+  do_in_target "${TARGET}" apt-get install -y dropbear-initramfs
+  do_in_target "${TARGET}" apt-mark hold -y dropbear dropbear-initramfs
+
+  mv "${TARGET}/usr/sbin/dropbear" "${TARGET}/usr/sbin/dropbear.2022.83"
+  install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/dropbear" "${TARGET}/usr/sbin/"
+
+  for var_file in dbclient dropbearconvert dropbearkey; do
+    mv "${TARGET}/usr/bin/${var_file}" "${TARGET}/usr/bin/${var_file}.2022.83"
+    install -D -m 0755 -o root -g root "${DIR_TMP}/build/dropbear-2025.88/${var_file}" "${TARGET}/usr/bin/"
+  done
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4300_network/4312_dropbear_setup.sh
+++ b/func/cdi_4300_network/4312_dropbear_setup.sh
@@ -0,0 +1,259 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+# TODO: Implement this update:
+# if [[ "${VAR_NUKE,,}" == "true" && "${var_key,,}" == "/" ]]; then
+#  #write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs,keyscript=/lib/cryptsetup/scripts/unlock_wrapper.sh"
+#  write_crypttab "${var_encryption_label}" "UUID=${var_luks_uuid}" "none" "luks,discard,initramfs"
+#  continue
+#fi
+
+#######################################
+# Setup Dropbear Initramfs Environment.
+# Globals:
+#   HMP_PATH_ENCLABEL
+#   TARGET
+#   VAR_CRYPT_ROOT
+#   VAR_FINAL_FQDN
+#   VAR_FINAL_IPV4
+#   VAR_FINAL_IPV4_GW
+#   VAR_FINAL_IPV4_SUBNET
+#   VAR_FINAL_NIC
+#   VAR_GRUB_CMDLINE_LINUX
+#   VAR_SETUP_PATH
+#   dropbear_dhcp
+#   dropbear_firewall
+#   dropbear_port
+#   network_static_ipv4nameserver_0
+#   network_static_ipv4nameserver_1
+#   ssh_allow_ipv4_0
+#   user_root_ssh_pubkeys_0
+#   user_root_ssh_pubkeys_1
+#   user_root_ssh_pubkeys_2
+#   user_root_ssh_pubkeys_3
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+dropbear_setup() {
+  ### Prepare strong dropbear host keys
+  rm -f "${TARGET}"/etc/dropbear/initramfs/dropbear*key
+
+  do_in_target "${TARGET}" /usr/bin/dropbearkey -t rsa -s 4096 -f /etc/dropbear/initramfs/dropbear_rsa_host_key
+  do_in_target "${TARGET}" /usr/bin/dropbearkey -t ed25519 -f /etc/dropbear/initramfs/dropbear_ed25519_host_key
+
+  chmod 0600 "${TARGET}"/etc/dropbear/initramfs/dropbear*key
+  chown root:root "${TARGET}"/etc/dropbear/initramfs/dropbear*key
+
+  ### Prepare dropbear authorized_keys
+  touch "${TARGET}/etc/dropbear/initramfs/authorized_keys" && chmod 0600 "${TARGET}/etc/dropbear/initramfs/authorized_keys"
+  printf "%s\n" "${user_root_sshpubkey}" > "${TARGET}/etc/dropbear/initramfs/authorized_keys"
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/etc/banner" "${TARGET}/etc/dropbear/initramfs/"
+
+  ### Check for initramfs "IP"-variable: static or dynamic configuration vai dhcp.
+  if [[ "${dropbear_dhcp,,}" != "true" ]]; then
+    declare network_static_ipv4ntpserver_0="192.53.103.108"
+    ### "IP=<HOST IP>::<GATEWAY IP>:<SUBNET MASK>:<FQDN>:<NIC>:none:<DNS 0 IP>:<DNS 1 IP>:<NTP IP>"
+    printf "IP=%s::%s:%s:%s:%s:none:%s:%s:%s\n" \
+      "${VAR_FINAL_IPV4}" \
+      "${VAR_FINAL_IPV4_GW}" \
+      "${VAR_FINAL_IPV4_SUBNET}" \
+      "${VAR_FINAL_FQDN}" \
+      "${VAR_FINAL_NIC}" \
+      "${network_static_ipv4nameserver_0:-135.181.207.105}" \
+      "${network_static_ipv4nameserver_1:-89.58.62.53}" \
+      "${network_static_ipv4ntpserver_0:-192.53.103.104}" \
+      >| "${TARGET}/etc/initramfs-tools/conf.d/ip"
+  else
+    ### "IP=:::::<NIC>:dhcp"
+    printf "IP=:::::%s:dhcp\n" "${VAR_FINAL_NIC}" >| "${TARGET}/etc/initramfs-tools/conf.d/ip"
+  fi
+
+  ### Generate dropbear configuration file
+  write_dropbear_conf
+
+  ### Prepare Grub Bootparameter for LUKS decryption of '/root' and '/recovery'.
+  # Options in "GRUB_CMDLINE_LINUX" are always effective.
+  # Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
+  grub_extract_current_string
+  declare var_label="${HMP_PATH_ENCLABEL["LABEL_/"]}"
+  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} cryptdevice=${VAR_CRYPT_ROOT}:cryptroot root=/dev/mapper/${var_label}"
+  grub_finalize_string
+
+  ### Install the script to be called by 'update-initramfs' for updating 'PATH'-variable inside initramfs.
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/scripts/init-top/fixpath.sh" \
+    "${TARGET}/includes/initramfs-tools/scripts/init-top/"
+
+  ### Install the script to be called by 'update-initramfs' for customizing dropbear inside initramfs.
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/hooks/custom-initramfs.sh" \
+    "${TARGET}/includes/initramfs-tools/hooks/"
+
+  ### Install the script to be called by 'update-initramfs' for customizing prompt inside initramfs environment.
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/hooks/custom-prompt.sh" \
+    "${TARGET}/includes/initramfs-tools/hooks/"
+
+  ### Install the script to be called inside initramfs environment for unlocking LUKS and NUKE Devices.
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock_wrapper.sh" \
+    "${TARGET}/includes/initramfs-tools/files/"
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock_wrapper.sh" \
+    "${TARGET}/usr/lib/cryptsetup/scripts/"
+
+  # TODO: Update preseed.yaml for pgp signing key AND / OR implementation of presigned unlock-wrapper.sh
+  ### Install the script to be called inside Host environment for signing 'unlock_wrapper.sh'-script.
+  install -D -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock_wrapper_signer.sh" \
+    "${TARGET}/includes/initramfs-tools/files/"
+
+  ### Install the script to be called by 'update-initramfs' for installing the necessary modules to load into initramfs environment.
+  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/modules" \
+    "${TARGET}/includes/initramfs-tools/"
+
+  declare var_modules; var_modules=$(grep_nic_driver_modules)
+
+  cat << EOF >> "${TARGET}/includes/initramfs-tools/modules"
+### Custom NIC driver
+${var_modules}
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+  ### Install the script to be called inside initramfs environment for preparing dropbear execution.
+  do_in_target "${TARGET}" mv /usr/share/initramfs-tools/scripts/init-premount/dropbear /usr/share/initramfs-tools/scripts/init-premount/dropbear.2022.83
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/usr/share/initramfs-tools/scripts/init-premount/dropbear" \
+    "${TARGET}/includes/usr/share/initramfs-tools/scripts/init-premount/"
+
+  ### Install the variable file to be called inside initramfs environment for setting up dropbear firewall.
+  install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/dropbear_fw.cnf" \
+    "${TARGET}/includes/initramfs-tools/files/dropbear_fw.conf"
+
+  ### Install the firewall script to be called inside initramfs environment for setting up dropbear firewall.
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/dropbear_fw.sh" \
+    "${TARGET}/includes/initramfs-tools/files/"
+
+  if [[ "${dropbear_firewall,,}" == "true" && -n "${ssh_allow_ipv4_0}" ]]; then
+
+    sed -i 's/^DROPBEAR_FIREWALL_ENABLED=0$/DROPBEAR_FIREWALL_ENABLED=1/' "${TARGET}/includes/initramfs-tools/files/dropbear_fw.cnf"
+    sed -i '/^# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh$/d' "${TARGET}/includes/initramfs-tools/files/dropbear_fw.cnf"
+
+    cat << EOF >> "${TARGET}/includes/initramfs-tools/files/dropbear_fw.cnf"
+DROPBEAR_PORT=${dropbear_port}
+DROPBEAR_JUMP_SERVER_IP=${ssh_allow_ipv4_0}
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+  fi
+
+  ### Finally, deploy all changes done via 'update-grub' and 'update-initramfs'.
+  do_in_target "${TARGET}" update-grub
+  do_in_target "${TARGET}" update-initramfs -u -v -k all
+
+  return 0
+}
+
+#######################################
+# Write '/etc/dropbear/initramfs/dropbear.conf'.
+# Globals:
+#   TARGET
+#   ssh_port
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+write_dropbear_conf() {
+  [[ -z "${dropbear_port:-}" ]] && dropbear_port="2222"
+
+  cat << EOF >| "${TARGET}/etc/dropbear/initramfs/dropbear.conf"
+#
+# Configuration options for the dropbear-initramfs boot scripts.
+# Variable assignment follow shell semantics and escaping/quoting rules.
+# You must run update-initramfs(8) to effect changes to this file (like
+# for other files in the '/etc/dropbear/initramfs' directory).
+
+#
+# Command line options to pass to dropbear(8)
+# Dropbear options for 2025+:
+# -b: Display the contents of bannerfile before user login
+# -E: Log to stderr
+# -I: Idle timeout in seconds
+# -K: Keepalive interval in seconds
+# -p: Specify port (and optionally address)
+# -w: Disable root login (SHOULD NOT be implemented for initramfs)
+DROPBEAR_OPTIONS="-b /etc/dropbear/banner -c /usr/local/bin/unlock_wrapper.sh -E -I 300 -K 60 -p ${dropbear_port}"
+
+#
+# On local (non-NFS) mounts, interfaces matching this pattern are
+# brought down before exiting the ramdisk to avoid dirty network
+# configuration in the normal kernel.
+# The special value 'none' keeps all interfaces up and preserves routing
+# tables and addresses.
+#
+#IFDOWN="*"
+
+#
+# On local (non-NFS) mounts, the network stack and dropbear are started
+# asynchronously at init-premount stage.  This value specifies the
+# maximum number of seconds to wait (while the network/dropbear are
+# being configured) at init-bottom stage before terminating dropbear and
+# bringing the network down.
+# If the timeout is too short, and if the boot process is not blocking
+# on user input supplied via SSHd (ie no remote unlocking), then the
+# initrd might pivot to init(1) too early, thereby causing a race
+# condition between network configuration from initramfs vs from the
+# normal system.
+#
+#DROPBEAR_SHUTDOWN_TIMEOUT=60
+EOF
+
+  do_log "info" "file_only" "Written: '${TARGET}/etc/dropbear/initramfs/dropbear.conf'."
+  return 0
+}
+
+#######################################
+# Collect NIC driver modules for initramfs installation.
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+grep_nic_driver_modules() {
+  ### Collect all ethernet driver names and sort them uniquely.
+  declare -a _mods
+  declare var_nic_module var_nic_modules
+  # shellcheck disable=SC2312
+  readarray -t _mods < <(
+    lspci -k \
+      | grep -A2 -i ethernet \
+      | grep 'Kernel driver in use' \
+      | awk '{print $5}' \
+      | sort -u
+  )
+
+  ### If only one entry remains, save it in 'var_nic_module', otherwise save all modules in 'var_nic_modules'.
+  if [[ "${#_mods[@]}" -eq 1 ]]; then
+    var_nic_module="${_mods[0]}"
+  else
+    var_nic_modules="${_mods[*]}"
+  fi
+
+  if [[ -n "${var_nic_module}" ]]; then
+    echo "${var_nic_module}"
+  else
+    echo "${var_nic_modules}"
+  fi
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh