V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-08-08 15:00:58 +02:00
parent 267a417c07
commit acbab0d983
17 changed files with 190 additions and 263 deletions
--- a/func/cdi_1000_helper/1081_helper_grub.sh
+++ b/func/cdi_1000_helper/1081_helper_grub.sh
@@ -19,28 +19,6 @@ guard_sourcing
 # Helper module to extract the current GRUB CMDLINE strings.
 # Globals:
 #   TARGET
-#   VAR_GRUB_CMDLINE_LINUX
-#   VAR_GRUB_CMDLINE_LINUX_DEFAULT
-#   VAR_ORIG_GRUB_CMDLINE_LINUX
-#   VAR_ORIG_GRUB_CMDLINE_LINUX_DEFAULT
-# Arguments:
-#   None
-#######################################
-old_grub_extract_current_string() {
-  # shellcheck disable=SC2155
-  declare -gx VAR_ORIG_GRUB_CMDLINE_LINUX=$(grep -E 'GRUB_CMDLINE_LINUX=' "${TARGET}/etc/default/grub")
-  # shellcheck disable=SC2155
-  declare -gx VAR_ORIG_GRUB_CMDLINE_LINUX_DEFAULT=$(grep -E 'GRUB_CMDLINE_LINUX_DEFAULT=' "${TARGET}/etc/default/grub")
-  # shellcheck disable=SC2155
-  declare -gx VAR_GRUB_CMDLINE_LINUX=$(grep -E 'GRUB_CMDLINE_LINUX=' "${TARGET}/etc/default/grub" | sed 's/.$//')
-  # shellcheck disable=SC2155
-  declare -gx VAR_GRUB_CMDLINE_LINUX_DEFAULT=$(grep -E 'GRUB_CMDLINE_LINUX_DEFAULT=' "${TARGET}/etc/default/grub" | sed 's/.$//')
-}
-
-#######################################
-# description
-# Globals:
-#   TARGET
 #   VAR_ORIG_GRUB_CMDLINE_LINUX
 #   VAR_ORIG_GRUB_CMDLINE_LINUX_DEFAULT
 #   VK_GRUB_CMDLINE_LINUX
@@ -49,6 +27,8 @@ old_grub_extract_current_string() {
 #   VV_GRUB_CMDLINE_LINUX_DEFAULT
 # Arguments:
 #   None
+# Returns:
+#   0: on success
 #######################################
 grub_extract_current_string() {
  ### Declare Arrays, HashMaps, and Variables.
@@ -61,31 +41,19 @@ grub_extract_current_string() {
  VAR_ORIG_GRUB_CMDLINE_LINUX=$(grep -E '^GRUB_CMDLINE_LINUX=' "${TARGET}/etc/default/grub")
  VAR_ORIG_GRUB_CMDLINE_LINUX_DEFAULT=$(grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' "${TARGET}/etc/default/grub")

-  # TODO REMOVE DEBUG LOGGER
-  do_log "debug" "file_only" "1081() Value of VAR_ORIG_GRUB_CMDLINE_LINUX: [${VAR_ORIG_GRUB_CMDLINE_LINUX}]."
-  do_log "debug" "file_only" "1081() Value of VAR_ORIG_GRUB_CMDLINE_LINUX_DEFAULT: [${VAR_ORIG_GRUB_CMDLINE_LINUX_DEFAULT}]."
-  # TODO REMOVE DEBUG LOGGER
+  do_log "debug" "file_only" "1081() VAR_ORIG_GRUB_CMDLINE_LINUX: [${VAR_ORIG_GRUB_CMDLINE_LINUX}]."
+  do_log "debug" "file_only" "1081() VAR_ORIG_GRUB_CMDLINE_LINUX_DEFAULT: [${VAR_ORIG_GRUB_CMDLINE_LINUX_DEFAULT}]."

  ### Keys (fixed prefixes).
  VK_GRUB_CMDLINE_LINUX='GRUB_CMDLINE_LINUX='
  VK_GRUB_CMDLINE_LINUX_DEFAULT='GRUB_CMDLINE_LINUX_DEFAULT='

-  # TODO REMOVE DEBUG LOGGER
-  do_log "debug" "file_only" "1081() Value of VK_GRUB_CMDLINE_LINUX: [${VK_GRUB_CMDLINE_LINUX}]."
-  do_log "debug" "file_only" "1081() Value of VK_GRUB_CMDLINE_LINUX_DEFAULT: [${VK_GRUB_CMDLINE_LINUX_DEFAULT}]."
-  # TODO REMOVE DEBUG LOGGER
-
  ### Raw values (with quotes if necessary).
  # shellcheck disable=SC2295
  vv_raw_lin="${VAR_ORIG_GRUB_CMDLINE_LINUX#${VK_GRUB_CMDLINE_LINUX}}"
  # shellcheck disable=SC2295
  vv_raw_lin_def="${VAR_ORIG_GRUB_CMDLINE_LINUX_DEFAULT#${VK_GRUB_CMDLINE_LINUX_DEFAULT}}"

-  # TODO REMOVE DEBUG LOGGER
-  do_log "debug" "file_only" "1081() Value of vv_raw_lin: [${vv_raw_lin}]."
-  do_log "debug" "file_only" "1081() Value of vv_raw_lin_def: [${vv_raw_lin_def}]."
-  # TODO REMOVE DEBUG LOGGER
-
  ### Remove outer quotes symmetrically.
  if [[ -n ${vv_raw_lin} ]]; then

@@ -124,10 +92,15 @@ grub_extract_current_string() {
  VV_GRUB_CMDLINE_LINUX="${vv_raw_lin}"
  # shellcheck disable=SC2034
  VV_GRUB_CMDLINE_LINUX_DEFAULT="${vv_raw_lin_def}"
+
+  do_log "debug" "file_only" "1081() VV_GRUB_CMDLINE_LINUX: [${VV_GRUB_CMDLINE_LINUX}]."
+  do_log "debug" "file_only" "1081() VV_GRUB_CMDLINE_LINUX_DEFAULT: [${VV_GRUB_CMDLINE_LINUX_DEFAULT}]."
+
+  return 0
 }

 #######################################
-# description
+# Helper module to finish the modified GRUB CMDLINE strings.
 # Globals:
 #   TARGET
 #   VAR_GRUB_CMDLINE_LINUX
@@ -137,91 +110,50 @@ grub_extract_current_string() {
 #   VV_GRUB_CMDLINE_LINUX
 #   VV_GRUB_CMDLINE_LINUX_DEFAULT
 # Arguments:
-#  None
+#   None
+# Returns:
+#   0: on success
 #######################################
 grub_finalize_string() {
  ### Declare Arrays, HashMaps, and Variables.
-  declare -a  ary_out=()
-  declare     var_file="${TARGET}/etc/default/grub"
-  declare     var_new_lin="${VK_GRUB_CMDLINE_LINUX}'${VV_GRUB_CMDLINE_LINUX}'"
-  declare     var_new_lin_def="${VK_GRUB_CMDLINE_LINUX_DEFAULT}'${VV_GRUB_CMDLINE_LINUX_DEFAULT}'"
-  declare -i  var_found_lin=0 var_found_lin_def=0 var_line=0
+  declare     var_file="${TARGET}/etc/default/grub.d/99-ciss-cmdline.cfg"
+  declare     var_linux="${VV_GRUB_CMDLINE_LINUX//\'/\'\"\'\"\'}"
+  declare     var_linux_default="${VV_GRUB_CMDLINE_LINUX_DEFAULT//\'/\'\"\'\"\'}"
+  declare -gx VAR_GRUB_CMDLINE_LINUX="${VK_GRUB_CMDLINE_LINUX}'${VV_GRUB_CMDLINE_LINUX}'"
+  declare -gx VAR_GRUB_CMDLINE_LINUX_DEFAULT="${VK_GRUB_CMDLINE_LINUX_DEFAULT}'${VV_GRUB_CMDLINE_LINUX_DEFAULT}'"

-  # TODO REMOVE DEBUG LOGGER
-  do_log "debug" "file_only" "1081() var_new_lin [${var_new_lin}]."
-  do_log "debug" "file_only" "1081() var_new_lin [${var_new_lin_def}]."
-  do_log "debug" "file_only" "1081() Before [mapfile -t ary_lines < ${var_file}]."
-  # TODO REMOVE DEBUG LOGGER
+  mkdir -p "${TARGET}/etc/default/grub.d"

-  ### Read file line by line; robust against missing a final newline.
-  while IFS= read -r var_line || [[ -n "${var_line}" ]]; do
+  cat << EOF >| "${var_file}"
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu

-    case "${var_line}" in
+### Options in "GRUB_CMDLINE_LINUX" are always effective.
+### Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).

-      "${VK_GRUB_CMDLINE_LINUX}"*)
+EOF

-        ary_out+=("${var_new_lin}")
-        var_found_lin=1
-        ;;
+  insert_comments "${TARGET}/etc/default/grub.d/99-ciss-cmdline.cfg"

-      "${VK_GRUB_CMDLINE_LINUX_DEFAULT}"*)
-
-        ary_out+=("${var_new_lin_def}")
-        var_found_lin_def=1
-        ;;
-
-      *)
-        ary_out+=("${var_line}")
-        ;;
-
-    esac
-
-  done < "${var_file}"
-
-  ### If Key is missing in the file, add it at the end (robust against minimal templates).
-  (( var_found_lin == 0 ))      && ary_out+=( "${var_new_lin}" )
-  (( var_found_lin_def == 0 ))  && ary_out+=( "${var_new_lin_def}" )
-
-  ### Write back (without sed/awk, only built-ins).
+  umask 0022
  {
-    for var_line in "${ary_out[@]}"; do
-      printf '%s\n' "${var_line}"
-    done
-  } >| "${var_file}"
+    printf "GRUB_CMDLINE_LINUX='%s'\n" "${var_linux}"
+    printf "GRUB_CMDLINE_LINUX_DEFAULT='%s'\n" "${var_linux_default}"
+    printf "\n"
+    printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh\n"
+  } >> "${var_file}"

-  ### For subsequent use, export the complete lines as well.
-  declare -gx VAR_GRUB_CMDLINE_LINUX="${var_new_lin}"
-  declare -gx VAR_GRUB_CMDLINE_LINUX_DEFAULT="${var_new_lin_def}"
+  do_log "debug" "file_only" "1081() [${VAR_GRUB_CMDLINE_LINUX}]."
+  do_log "debug" "file_only" "1081() [${VAR_GRUB_CMDLINE_LINUX_DEFAULT}]."

-  # TODO REMOVE DEBUG LOGGER
-  do_log "debug" "file_only" "1081() VAR_GRUB_CMDLINE_LINUX [${VAR_GRUB_CMDLINE_LINUX}]."
-  do_log "debug" "file_only" "1081() VAR_GRUB_CMDLINE_LINUX_DEFAULT [${VAR_GRUB_CMDLINE_LINUX_DEFAULT}]."
-  # TODO REMOVE DEBUG LOGGER
-}
-
-
-#######################################
-# Helper module to finish the modified GRUB CMDLINE strings.
-# Globals:
-#   TARGET
-#   VAR_GRUB_CMDLINE_LINUX
-#   VAR_GRUB_CMDLINE_LINUX_DEFAULT
-#   VAR_H
-#   VAR_ORIG_GRUB_CMDLINE_LINUX
-#   VAR_ORIG_GRUB_CMDLINE_LINUX_DEFAULT
-# Arguments:
-#   None
-#######################################
-old_grub_finalize_string() {
-  declare var_grub_cmdline_linux="" var_grub_cmdline_linux_default=""
-
-  var_grub_cmdline_linux="${VAR_GRUB_CMDLINE_LINUX}${VAR_H}"
-  var_grub_cmdline_linux_default="${VAR_GRUB_CMDLINE_LINUX_DEFAULT}${VAR_H}"
-
-  VAR_GRUB_CMDLINE_LINUX=$(printf '%s' "${var_grub_cmdline_linux}" | sed -e 's/[\/&\$]/\\&/g' )
-  VAR_GRUB_CMDLINE_LINUX_DEFAULT=$(printf '%s' "${var_grub_cmdline_linux_default}" | sed -e 's/[\/&\$]/\\&/g' )
-
-  sed -i "s|${VAR_ORIG_GRUB_CMDLINE_LINUX}|${VAR_GRUB_CMDLINE_LINUX}|" "${TARGET}/etc/default/grub"
-  sed -i "s|${VAR_ORIG_GRUB_CMDLINE_LINUX_DEFAULT}|${VAR_GRUB_CMDLINE_LINUX_DEFAULT}|" "${TARGET}/etc/default/grub"
+  return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_1000_helper/1082_helper_modules.sh
+++ b/func/cdi_1000_helper/1082_helper_modules.sh
@@ -70,6 +70,29 @@ grep_nic_driver_modules() {
  return 0
 }

+#######################################
+# Wrapper to insert the metadata field into the specified file.
+# Globals:
+#   VAR_ARCHITECTURE
+#   VAR_CODENAME
+#   VAR_VERSION
+# Arguments:
+#   1: /path/to/file
+# Returns:
+#   0: on success
+#######################################
+insert_comments() {
+  declare file="${1}"
+  sed -i '/^# SPDX-Security-Contact: security@coresecret\.eu$/a\
+\
+# Static file system information: '"${file}"'\
+# Generated by CISS.debian.installer '"${VAR_VERSION}"'\
+# Architecture: '"${VAR_ARCHITECTURE}"'\
+# Distribution: '"${VAR_CODENAME}"'
+' "${file}"
+  return 0
+}
+
 #######################################
 # Helper module for update, full dist-upgrade, autoclean, autopurge and autoremove.
 # Arguments:
--- a/func/cdi_4000_debootstrap/4035_setup_resolv.sh
+++ b/func/cdi_4000_debootstrap/4035_setup_resolv.sh
@@ -57,11 +57,10 @@ setup_resolv() {
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-# /etc/resolv.conf                             : Generated by CISS.debian.installer ${VAR_VERSION}
-# Architecture                                 : ${VAR_ARCHITECTURE}
-# Distribution                                 : ${VAR_CODENAME}
-
-# Static file system information '/etc/resolv.conf '.
+# Static file system information: /etc/resolv.conf
+# Generated by CISS.debian.installer ${VAR_VERSION}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}

 ### Custom DNS IPv4 configuration
 EOF
--- a/func/cdi_4100_base/4100_generate_sources.sh
+++ b/func/cdi_4100_base/4100_generate_sources.sh
@@ -94,9 +94,10 @@ generate_sources() {
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-# /etc/apt/sources.list                        : Generated by CISS.debian.installer ${VAR_VERSION}
-# Architecture                                 : ${VAR_ARCHITECTURE}
-# Distribution                                 : ${VAR_CODENAME}
+# Static file system information: /etc/apt/sources.list
+# Generated by CISS.debian.installer ${VAR_VERSION}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}

 #------------------------------------------------------------------------------------------------------------------------------#
 #                                                     OFFICIAL DEBIAN REPOS                                                    #
--- a/func/cdi_4100_base/4121_installation_initramfs.sh
+++ b/func/cdi_4100_base/4121_installation_initramfs.sh
@@ -34,7 +34,7 @@ installation_initramfs() {
  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/initramfs-tools/modules" \
    "${TARGET}/etc/initramfs-tools/"

-  insert_initramfs_comments "${TARGET}/etc/initramfs-tools/modules"
+  insert_comments "${TARGET}/etc/initramfs-tools/modules"

  var_modules=$(grep_nic_driver_modules)

@@ -62,12 +62,13 @@ EOF
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-# /etc/initramfs-tools/conf.d/driver-policy    : Generated by CISS.debian.installer ${VAR_VERSION}
-# Architecture                                 : ${VAR_ARCHITECTURE}
-# Distribution                                 : ${VAR_CODENAME}
+# Static file system information: /etc/initramfs-tools/conf.d/driver-policy
+# Generated by CISS.debian.installer ${VAR_VERSION}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}

 # Driver inclusion policy selected during installation.
-# Note: this setting overrides the value set in the file '/etc/initramfs-tools/initramfs.conf'.
+# Note: This setting overrides the value set in the file '/etc/initramfs-tools/initramfs.conf'.

 MODULES=dep

@@ -76,26 +77,4 @@ EOF

  guard_dir && return 0
 }
-
-#######################################
-# Helper to insert the Metadata field into '/etc/initramfs-tools/modules'.
-# Globals:
-#   VAR_ARCHITECTURE
-#   VAR_CODENAME
-#   VAR_VERSION
-# Arguments:
-#   1: /etc/initramfs-tools/modules
-# Returns:
-#   0: on success
-#######################################
-insert_initramfs_comments() {
-  declare file="${1}"
-  sed -i '/^# SPDX-Security-Contact: security@coresecret\.eu$/a\
-\
-# /etc/initramfs-tools/modules                 : Generated by CISS.debian.installer '"${VAR_VERSION}"'\
-# Architecture                                 : '"${VAR_ARCHITECTURE}"'\
-# Distribution                                 : '"${VAR_CODENAME}"'
-' "${file}"
-  return 0
-}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4100_base/4150_installation_chrony.sh
+++ b/func/cdi_4100_base/4150_installation_chrony.sh
@@ -64,7 +64,7 @@ installation_chrony() {

  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/chrony/chrony.cnf" "${TARGET}/etc/chrony/chrony.conf"

-  insert_chrony_comments "${TARGET}/etc/chrony/chrony.conf"
+  insert_comments "${TARGET}/etc/chrony/chrony.conf"

  cat "${var_of}" >> "${TARGET}/etc/chrony/chrony.conf"

@@ -80,26 +80,4 @@ installation_chrony() {

  guard_dir && return 0
 }
-
-#######################################
-# Helper to insert the Metadata field into '/etc/chrony/chrony.conf'.
-# Globals:
-#   VAR_ARCHITECTURE
-#   VAR_CODENAME
-#   VAR_VERSION
-# Arguments:
-#   1: /etc/chrony/chrony.conf
-# Returns:
-#   0: on success
-#######################################
-insert_chrony_comments() {
-  declare file="${1}"
-  sed -i '/^# SPDX-Security-Contact: security@coresecret\.eu$/a\
-\
-# /etc/chrony/conf.d                           : Generated by CISS.debian.installer '"${VAR_VERSION}"'\
-# Architecture                                 : '"${VAR_ARCHITECTURE}"'\
-# Distribution                                 : '"${VAR_CODENAME}"'
-' "${file}"
-  return 0
-}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4200_boot/4200_generate_fstab.sh
+++ b/func/cdi_4200_boot/4200_generate_fstab.sh
@@ -78,12 +78,11 @@ generate_fstab() {
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-# /etc/fstab                                   : Generated by CISS.debian.installer ${VAR_VERSION}
-# Architecture                                 : ${VAR_ARCHITECTURE}
-# Distribution                                 : ${VAR_CODENAME}
+# Static file system information: /etc/fstab
+# Generated by CISS.debian.installer ${VAR_VERSION}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}

-# Static file system information '/etc/fstab'.
-#
 # Use 'blkid' to print the universally unique identifier for a device; this may be used with [UUID=] as a more robust way to
 # name devices that work even if disks are added and removed. See fstab(5).
 #
--- a/func/cdi_4200_boot/4210_generate_crypttab.sh
+++ b/func/cdi_4200_boot/4210_generate_crypttab.sh
@@ -71,12 +71,11 @@ generate_crypttab() {
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-# /etc/crypttab                                : Generated by CISS.debian.installer ${VAR_VERSION}
-# Architecture                                 : ${VAR_ARCHITECTURE}
-# Distribution                                 : ${VAR_CODENAME}
+# Static file system information: /etc/crypttab
+# Generated by CISS.debian.installer ${VAR_VERSION}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}

-# Static file system information: '/etc/crypttab'.
-#
 # Basic rule: 'discard' / 'nodiscard' are normally only set in '/etc/crypttab' when LUKS/dm-crypt is in use. Options like
 # 'discard=async' or similar are typically only set in '/etc/fstab' (at the file system level). The crypttab determines whether
 # the underlying encrypted device (LUKS/dm-crypt) passes TRIM commands to the physical drive or not. The '/etc/fstab' determines
--- a/func/cdi_4200_boot/4250_update_grub_bootparameter.sh
+++ b/func/cdi_4200_boot/4250_update_grub_bootparameter.sh
@@ -35,13 +35,6 @@ update_grub_bootparameter() {

  grub_extract_current_string

-  # TODO REMOVE DEBUG LOGGER
-  # shellcheck disable=SC2153
-  do_log "debug" "file_only" "4250() Value of GRUB_CMDLINE_LINUX: [${VV_GRUB_CMDLINE_LINUX}]."
-  # shellcheck disable=SC2153
-  do_log "debug" "file_only" "4250() Value of GRUB_CMDLINE_LINUX_DEFAULT: [${VV_GRUB_CMDLINE_LINUX_DEFAULT}]."
-  # TODO REMOVE DEBUG LOGGER
-
  # shellcheck disable=SC2034
  for var_param in "${ARY_BOOTPARAM[@]}"; do

@@ -59,43 +52,19 @@ update_grub_bootparameter() {

  done

-  # TODO REMOVE DEBUG LOGGER
-  do_log "debug" "file_only" "4250() Value of VV_GRUB_CMDLINE_LINUX_DEFAULT: [${VV_GRUB_CMDLINE_LINUX_DEFAULT}]."
-  # TODO REMOVE DEBUG LOGGER
-

  if [[ "${VAR_DROPBEAR}" == "true" ]]; then
    var_label="${HMP_PATH_ENCLABEL["/"]}"
    VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX:+${VV_GRUB_CMDLINE_LINUX} }cryptdevice=${VAR_CRYPT_ROOT}:cryptroot root=/dev/mapper/${var_label}"
-    # TODO REMOVE DEBUG LOGGER
-    do_log "debug" "file_only" "4250() Value of VV_GRUB_CMDLINE_LINUX: [${VV_GRUB_CMDLINE_LINUX}]."
-    # TODO REMOVE DEBUG LOGGER
  fi

  if [[ "${VAR_NUKE}" == "true" ]]; then
    var_nuke_string="nuke=${VAR_NUKE_HASH}"
    # shellcheck disable=SC2034
    VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX} ${var_nuke_string}"
-    # TODO REMOVE DEBUG LOGGER
-    do_log "debug" "file_only" "4250() Value of VV_GRUB_CMDLINE_LINUX: [${VV_GRUB_CMDLINE_LINUX}]."
-    # TODO REMOVE DEBUG LOGGER
  fi

-  # TODO REMOVE DEBUG LOGGER
-  do_log "debug" "file_only" "4250() Calling [grub_finalize_string]."
-  # TODO REMOVE DEBUG LOGGER
  grub_finalize_string
-  # TODO REMOVE DEBUG LOGGER
-  do_log "debug" "file_only" "4250() Back from [grub_finalize_string]."
-  # TODO REMOVE DEBUG LOGGER
-
-  # TODO REMOVE DEBUG LOGGER
-  # shellcheck disable=SC2153
-  do_log "debug" "file_only" "4250() GRUB_CMDLINE_LINUX: [${VAR_GRUB_CMDLINE_LINUX}]."
-  # shellcheck disable=SC2153
-  do_log "debug" "file_only" "4250() GRUB_CMDLINE_LINUX_DEFAULT: [${VAR_GRUB_CMDLINE_LINUX_DEFAULT}]."
-  sleep 5
-  # TODO REMOVE DEBUG LOGGER

  do_in_target "${TARGET}" update-grub

--- a/func/cdi_4300_network/4300_installation_network.sh
+++ b/func/cdi_4300_network/4300_installation_network.sh
@@ -65,9 +65,10 @@ installation_network() {
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-# /etc/network/interfaces                      : Generated by CISS.debian.installer ${VAR_VERSION}
-# Architecture                                 : ${VAR_ARCHITECTURE}
-# Distribution                                 : ${VAR_CODENAME}
+# Static file system information: /etc/network/interfaces
+# Generated by CISS.debian.installer ${VAR_VERSION}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}

 # This file describes the network interfaces available on your system
 # and how to activate them. For more information, see interfaces(5).
@@ -106,9 +107,10 @@ EOF
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-# /etc/network/interfaces.d/10-ipv4-dhcp       : Generated by CISS.debian.installer ${VAR_VERSION}
-# Architecture                                 : ${VAR_ARCHITECTURE}
-# Distribution                                 : ${VAR_CODENAME}
+# Static file system information: /etc/network/interfaces.d/10-ipv4-dhcp
+# Generated by CISS.debian.installer ${VAR_VERSION}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}

 # The primary network interface IPv4
 auto ${VAR_FINAL_NIC}
@@ -133,9 +135,10 @@ EOF
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-# /etc/network/interfaces.d/10-ipv4-dhcp       : Generated by CISS.debian.installer ${VAR_VERSION}
-# Architecture                                 : ${VAR_ARCHITECTURE}
-# Distribution                                 : ${VAR_CODENAME}
+# Static file system information: /etc/network/interfaces.d/10-ipv4-dhcp
+# Generated by CISS.debian.installer ${VAR_VERSION}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}

 # The primary network interface IPv4
 auto ${VAR_FINAL_NIC}
@@ -163,9 +166,10 @@ EOF
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-# /etc/network/interfaces.d/10-ipv4-static     : Generated by CISS.debian.installer ${VAR_VERSION}
-# Architecture                                 : ${VAR_ARCHITECTURE}
-# Distribution                                 : ${VAR_CODENAME}
+# Static file system information: /etc/network/interfaces.d/10-ipv4-static
+# Generated by CISS.debian.installer ${VAR_VERSION}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}

 # The primary network interface IPv4
 auto ${VAR_FINAL_NIC}
@@ -197,9 +201,10 @@ EOF
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-# /etc/network/interfaces.d/10-ipv6-dhcp       : Generated by CISS.debian.installer ${VAR_VERSION}
-# Architecture                                 : ${VAR_ARCHITECTURE}
-# Distribution                                 : ${VAR_CODENAME}
+# Static file system information: /etc/network/interfaces.d/10-ipv6-dhcp
+# Generated by CISS.debian.installer ${VAR_VERSION}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}

 # The primary network interface IPv6
 auto ${VAR_FINAL_NIC}
@@ -227,9 +232,10 @@ EOF
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-# /etc/network/interfaces.d/10-ipv6-static     : Generated by CISS.debian.installer ${VAR_VERSION}
-# Architecture                                 : ${VAR_ARCHITECTURE}
-# Distribution                                 : ${VAR_CODENAME}
+# Static file system information: /etc/network/interfaces.d/10-ipv6-static
+# Generated by CISS.debian.installer ${VAR_VERSION}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}

 # The primary network interface IPv6
 auto ${VAR_FINAL_NIC}
--- a/func/cdi_4300_network/4312_dropbear_setup.sh
+++ b/func/cdi_4300_network/4312_dropbear_setup.sh
@@ -152,11 +152,10 @@ write_dropbear_conf() {
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu

-# /etc/dropbear/dropbear.conf  : Generated by CISS.debian.installer ${VAR_VERSION}
-# Architecture                 : ${VAR_ARCHITECTURE}
-# Distribution                 : ${VAR_CODENAME}
-
-# Static file system information: '/etc/dropbear/initramfs/dropbear.conf'.
+# Static file system information: /etc/dropbear/dropbear.conf
+# Generated by CISS.debian.installer ${VAR_VERSION}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}

 # Configuration options for the dropbear-initramfs boot scripts.
 # Variable assignment follow shell semantics and escaping/quoting rules.
--- a/func/cdi_4400_hardening/4400_kernel_modules.sh
+++ b/func/cdi_4400_hardening/4400_kernel_modules.sh
@@ -25,20 +25,41 @@ kernel_modules() {
  ### Entropy collection improvements
  mkdir -p "${TARGET}/usr/lib/modules-load.d"
  cat << EOF >| "${TARGET}/usr/lib/modules-load.d/30_security-misc.conf"
-## The jitterentropy_rng kernel module provides a reliable and hardware-independent source of cryptographic entropy by measuring
-## minute variations in CPU execution timing (jitter). These microsecond-level differences are unpredictable and rooted in
-## physical randomness, making them suitable for high-quality entropy generation. Unlike other RNG methods that rely on hardware
-## features like TPMs or Intel's RDRAND, which may not be available or trusted, jitterentropy_rng works across all platforms,
-## including virtual machines and air-gapped systems. It is compliant with NIST SP 800-90B and BSI TR-02102-4, ensuring secure
-## entropy even during early boot stages, such as in initramfs or before full userland is available. It is the most secure,
-## standards-compliant, and universally applicable entropy source for hardened Linux environments.
-## https://www.whonix.org/wiki/Dev/Entropy
-## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972
-## https://forums.whonix.org/t/jitterentropy-rngd/7204
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Static file system information: /usr/lib/modules-load.d/30_security-misc.conf
+# Generated by CISS.debian.installer ${VAR_VERSION}
+# Architecture: ${VAR_ARCHITECTURE}
+# Distribution: ${VAR_CODENAME}
+
+# The jitterentropy_rng kernel module provides a reliable and hardware-independent source of cryptographic entropy by measuring
+# minute variations in CPU execution timing (jitter). These microsecond-level differences are unpredictable and rooted in
+# physical randomness, making them suitable for high-quality entropy generation. Unlike other RNG methods that rely on hardware
+# features like TPMs or Intel's RDRAND, which may not be available or trusted, jitterentropy_rng works across all platforms,
+# including virtual machines and air-gapped systems. It is compliant with NIST SP 800-90B and BSI TR-02102-4, ensuring secure
+# entropy even during early boot stages, such as in initramfs or before full userland is available. It is the most secure,
+# standards-compliant, and universally applicable entropy source for hardened Linux environments.
+# https://www.whonix.org/wiki/Dev/Entropy
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972
+# https://forums.whonix.org/t/jitterentropy-rngd/7204
+
 jitterentropy_rng
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
  chmod 0644 "${TARGET}/usr/lib/modules-load.d/30_security-misc.conf"
+
  do_log "info" "file_only" "4400() Installed: '/usr/lib/modules-load.d/30_security-misc.conf'."
+
  guard_dir && return 0
 }

@@ -55,7 +76,11 @@ EOF
 kernel_modprobe() {
 install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/modprobe.d/0000_ciss_debian_installer.cnf" \
    "${TARGET}/etc/modprobe.d/0000_ciss_debian_installer.conf"
+
+  insert_comments "${TARGET}/etc/modprobe.d/0000_ciss_debian_installer.conf"
+
  do_log "info" "file_only" "4400() Installed: '/etc/modprobe.d/0000_ciss_debian_installer.conf'."
+
  guard_dir && return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4400_hardening/4410_kernel_sysctl.sh
+++ b/func/cdi_4400_hardening/4410_kernel_sysctl.sh
@@ -25,7 +25,11 @@ guard_sourcing
 kernel_sysctl() {
  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/sysctl.d/99_local.hardened" \
    "${TARGET}/etc/sysctl.d/99_local.hardened"
+
+  insert_comments "${TARGET}/etc/sysctl.d/99_local.hardened"
+
  do_log "info" "file_only" "4410() Installed: '/etc/sysctl.d/99_local.hardened'."
+
  guard_dir && return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/func/cdi_4400_hardening/4420_installation_ssh.sh
+++ b/func/cdi_4400_hardening/4420_installation_ssh.sh
@@ -34,13 +34,13 @@ installation_ssh() {
  ### Declare Arrays, HashMaps, and Variables.
  declare -a ary_user=()
  declare -i i=0
-  declare    var_auth="" var_name=""
+  declare    var_auth="" var_name="" var_ca=""

  do_in_target "${TARGET}" apt-get install -y --no-install-recommends --no-install-suggests ssh

  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/banner" "${TARGET}/etc/"
  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/motd" "${TARGET}/etc/"
-  do_log "info" "file_only" "4420() Installed SSH banner and motd to '${TARGET}/etc/'."
+  do_log "info" "file_only" "4420() Installed SSH '/etc/banner' and '/etc/motd'."

  ### Only process those for which both *_name and *_authentication_access_ssh are set.
  for ((i = 0; i <= VAR_USER_MAX; i++)); do
@@ -59,39 +59,56 @@ installation_ssh() {
  #shellcheck disable=SC2312
  do_in_target "${TARGET}" ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"

-  mkdir -p "${DIR_BAK}/etc/ssh"
-  cp "${TARGET}/etc/ssh/sshd_config" "${DIR_BAK}/etc/ssh/sshd_config.bak"
-  chmod 0644 "${DIR_BAK}/etc/ssh/sshd_config.bak"
-  cp "${TARGET}/etc/ssh/ssh_config" "${DIR_BAK}/etc/ssh/ssh_config.bak"
-  chmod 0644 "${DIR_BAK}/etc/ssh/ssh_config.bak"
-
+  mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/ssh"
+  cp "${TARGET}/etc/ssh/sshd_config" "${TARGET}/root/.ciss/cdi/backup/etc/ssh/sshd_config.bak"
+  cp "${TARGET}/etc/ssh/ssh_config" "${TARGET}/root/.ciss/cdi/backup/etc/ssh/ssh_config.bak"
  rm -f "${TARGET}/etc/ssh/sshd_config"

  install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/ssh/sshd_config" "${TARGET}/etc/ssh/sshd_config"
  chmod 0600 "${TARGET}/etc/ssh/ssh_config"

+  insert_comments "${TARGET}/etc/ssh/sshd_config"
+
  # shellcheck disable=SC2153
-  sed -i -E "s|^\s*ListenAddress\s+.*$|$(printf '%-30s%s' 'ListenAddress' "${VAR_FINAL_IPV4}")|" "${TARGET}/etc/ssh/sshd_config"
+  #sed -i -E "s|^\s*ListenAddress\s+.*$|$(printf '%-29s%s' 'ListenAddress' "${VAR_FINAL_IPV4}")|" "${TARGET}/etc/ssh/sshd_config"
+  sed -i -E "s|^[[:space:]]*ListenAddress[[:space:]]+.*$|$(printf '%-29s%s' 'ListenAddress' "${VAR_FINAL_IPV4}")|" "${TARGET}/etc/ssh/sshd_config"

  if [[ -n "${VAR_FINAL_IPV6}" ]]; then
-    sed -i -E "s|^\s*ListenAddress\s+::.*$|$(printf '%-30s%s' 'ListenAddress' "${VAR_FINAL_IPV6}")|" "${TARGET}/etc/ssh/sshd_config"
+    #sed -i -E "s|^\s*ListenAddress\s+::.*$|$(printf '%-29s%s' 'ListenAddress' "${VAR_FINAL_IPV6}")|" "${TARGET}/etc/ssh/sshd_config"
+    sed -i -E "s|^[[:space:]]*ListenAddress[[:space:]]+::.*$|$(printf '%-29s%s' 'ListenAddress' "${VAR_FINAL_IPV6}")|" "${TARGET}/etc/ssh/sshd_config"
  else
-    sed -i "/^\s*ListenAddress\s*::/d" "${TARGET}/etc/ssh/sshd_config"
+    #sed -i "/^\s*ListenAddress\s*::/d" "${TARGET}/etc/ssh/sshd_config"
+    sed -i "/^[[:space:]]*ListenAddress[[:space:]]*::/d" "${TARGET}/etc/ssh/sshd_config"
  fi

-  sed -i -E "s|^\s*Port\s+.*$|$(printf '%-30s%s' 'Port' "${ssh_port}")|" "${TARGET}/etc/ssh/sshd_config"
+  #sed -i -E "s|^\s*Port\s+.*$|$(printf '%-29s%s' 'Port' "${ssh_port}")|" "${TARGET}/etc/ssh/sshd_config"
+  sed -i -E "s|^[[:space:]]*Port[[:space:]]+.*$|$(printf '%-29s%s' 'Port' "${ssh_port}")|" "${TARGET}/etc/ssh/sshd_config"

  if (( ${#ary_user[@]} > 0 )); then
-    sed -i -E "s|^\s*AllowUsers\s+.*$|$(printf '%-30s%s' 'AllowUsers' "root ${ary_user[*]}")|" "${TARGET}/etc/ssh/sshd_config"
+    sed -i -E "s|^\s*AllowUsers\s+.*$|$(printf '%-29s%s' 'AllowUsers' "root ${ary_user[*]}")|" "${TARGET}/etc/ssh/sshd_config"
  fi

  if [[ -n "${ssh_root_ca}" ]]; then
+    var_ca="${ssh_root_ca##*/}"
    install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}${ssh_root_ca}" "${TARGET}/etc/ssh/"
-     sed -i -E "s|^\s*TrustedUserCAKeys\s+.*$|$(printf '%-30s%s' 'TrustedUserCAKeys' "/etc/ssh/${ssh_root_ca}")|" "${TARGET}/etc/ssh/sshd_config"
+    sed -i -E "s|^\s*TrustedUserCAKeys\s+.*$|$(printf '%-29s%s' 'TrustedUserCAKeys' "/etc/ssh/${var_ca}")|" "${TARGET}/etc/ssh/sshd_config"
  fi

-  do_in_target_script "${TARGET}" "sshd -T >| /root/.ciss/cdi/log/sshd_config.log"
-  do_in_target_script "${TARGET}" "ssh-keygen -r ${VAR_FINAL_FQDN}. >| /root/.ciss/cdi/log/ssh.log"
+  ### Preparing the test environment in chroot.
+  do_in_target "${TARGET}" install -d -o root -g root -m 0755 /run/sshd
+
+  ### Syntax test (hard).
+  if ! do_in_target_script "${TARGET}" "sshd -t -f /etc/ssh/sshd_config"; then
+    do_log "emergency" "file_only" "4420() [sshd -t -f /etc/ssh/sshd_config] failed."
+    return "${ERR_CONF_VALIDATION}"
+  fi
+
+  ### Effective configuration (soft, purely informative).
+  if ! do_in_target_script "${TARGET}" "sshd -T -f /etc/ssh/sshd_config >| /root/.ciss/cdi/log/sshd_config.log"; then
+    do_log "warn" "file_only" "4420() [sshd -T -f /etc/ssh/sshd_config] failed. Likely env. Continuing."
+  fi
+
+  do_in_target_script "${TARGET}" "ssh-keygen -r ${VAR_FINAL_FQDN}. >| /root/.ciss/cdi/log/SSHFP.log"

  ###########################################################################################
  # The file /etc/profile.d/idle-users.sh is created to set two read-only                   #