V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-07-17 22:05:53 +02:00
parent 4ac221fddc
commit ad083796f1
10 changed files with 364 additions and 279 deletions
--- a/.archive/func/4195_setup_dropbear.sh
+++ b/.archive/func/4195_setup_dropbear.sh
@@ -10,270 +10,28 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-lsinitramfs /boot/initrd.img-"$(uname -r)" | grep -E 'bin/(bash|sha|reboot|sync|sleep|sh)'
+### Remarks
 # lsinitramfs /boot/initrd.img-"$(uname -r)" | grep -E 'bin/(bash|sha|reboot|sync|sleep|sh)'
 # readelf -h /bin/busybox | grep Type
 # command="/usr/local/bin/unlock_wrapper.sh",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-ed25519 ...
 # /usr/share/initramfs-tools/scripts/init-premount
 # /dev/sdaN: UUID="468ad656-0e2f-4fff-9501-c691bab9f553" TYPE="crypto_LUKS" PARTLABEL="crypt_system" PARTUUID="78c0f711-f84f-425e-9455-a46430f40794"
 # GRUB_CMDLINE_LINUX="cryptdevice=UUID=468ad656-0e2f-4fff-9501-c691bab9f553:cryptroot root=/dev/mapper/vg_system-root"
 # declare var_nic_module; var_nic_module=$(lspci -k | grep -A2 -i ethernet | grep 'Kernel driver in use' | awk '{print $5}')
 # echo "${var_nic_module}"
 ### Nuke Hints
 # /usr/share/cryptsetup/initramfs/bin/cryptroot-unlock
 # Before (Default)
 # ASKPASS=/lib/cryptsetup/askpass
 # After
 # ASKPASS=/lib/cryptsetup/askpass.cryptsetup
-# TODO Important insert cryptdevice=UUID=881366ae-61ee-4ee0-893c-0def27c78c9e:cryptroot root=/dev/mapper/vg00-root
+# apt-get cryptsetup-nuke-password
-# TODO Important insert GRUB_CMDLINE_LINUX_DEFAULT="net.ifnames=0 biosdevname=0 ip=152.53.66.126::152.53.64.1:255.255.252.0:soc:ens3:none"
+# dpkg-reconfigure cryptsetup-nuke-password
-
+#debconf-set-selections << END
-
+#cryptsetup-nuke-password cryptsetup-nuke-password/password string Th3Pa$$w0rd
-
+#cryptsetup-nuke-password cryptsetup-nuke-password/password-again string Th3Pa$$w0rd
-command="/usr/local/bin/coresecret.sh",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICp+6S+qM87lLWUtvTGBV/GFNvYyvZ992X4/AcuraKwm 2025_run.coresecret.dev_root
+#END
-
+#sudo dpkg-reconfigure -f noninteractive cryptsetup-nuke-password
 /usr/share/initramfs-tools/scripts/init-premount
 ***
 run.coresecret.dev
 /dev/sda5: UUID="468ad656-0e2f-4fff-9501-c691bab9f553" TYPE="crypto_LUKS" PARTLABEL="crypt_system" PARTUUID="78c0f711-f84f-425e-9455-a46430f40794"
 echo "IP=65.21.249.232::172.31.1.1:255.255.255.255:run.coresecret.dev:enp1s0:none:135.181.207.105:89.58.62.53:192.53.103.108" >| /etc/initramfs-tools/conf.d/ip
 GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=468ad656-0e2f-4fff-9501-c691bab9f553:cryptroot root=/dev/mapper/vg_system-root"
 ***
 /usr/share/cryptsetup/initramfs/bin/cryptroot-unlock
 # Vorher (Standard)
 ASKPASS=/lib/cryptsetup/askpass
 # Danach
 ASKPASS=/lib/cryptsetup/askpass.cryptsetup
 apt-get cryptsetup-nuke-password
 dpkg-reconfigure cryptsetup-nuke-password
 debconf-set-selections << END
 cryptsetup-nuke-password cryptsetup-nuke-password/password string Th3Pa$$w0rd
 cryptsetup-nuke-password cryptsetup-nuke-password/password-again string Th3Pa$$w0rd
 END
 sudo dpkg-reconfigure -f noninteractive cryptsetup-nuke-password
 apt-get install -y busybox cryptsetup-initramfs dropbear-initramfs initramfs-tools
 rm -f /etc/dropbear/initramfs/dropbear*key
 dropbearkey -t rsa -s 4096 -f /etc/dropbear/initramfs/dropbear_rsa_host_key
 dropbearkey -t ed25519 -f /etc/dropbear/initramfs/dropbear_ed25519_host_key
 chmod 600 /etc/dropbear/initramfs/dropbear*key
 chown root:root /etc/dropbear/initramfs/dropbear*key
 cp -af ~/.ssh/authorized_keys /etc/dropbear/initramfs
 echo "IP=152.53.110.40::152.53.108.1:255.255.252.0:git.coresecret.dev:ens3:none:135.181.207.105:89.58.62.53:192.53.103.108" >| /etc/initramfs-tools/conf.d/ip
 sed -i 's|#DROPBEAR_OPTIONS=""|DROPBEAR_OPTIONS="-p 37768 -s -j -k -I 300 -c coresecret.sh"|g' /etc/dropbear/initramfs/dropbear.conf
 GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=881366ae-61ee-4ee0-893c-0def27c78c9e:cryptroot root=/dev/mapper/vg00-root"
 update-initramfs -u -v -k all
 NIC_MODULE=$(lspci -k | grep -A2 -i ethernet | grep 'Kernel driver in use' | awk '{print $5}')
 echo "$NIC_MODULE"
 grep_nic_driver_modules() {
  # Alle Treibernamen sammeln und unique sortieren
  readarray -t _mods < <(
    lspci -k \
      | grep -A2 -i ethernet \
      | grep 'Kernel driver in use' \
      | awk '{print $5}' \
      | sort -u
  )
  # Wenn nur ein Eintrag übrig bleibt, in NIC_MODULE speichern,
  # sonst alternativ alle Module in NIC_MODULES
  if [ "${#_mods[@]}" -eq 1 ]; then
    NIC_MODULE="${_mods[0]}"
  else
    NIC_MODULES="${_mods[*]}"
  fi
  # Ausgabe zur Kontrolle
  if [ -n "$NIC_MODULE" ]; then
    echo "Einzelnes Modul: $NIC_MODULE"
  else
    echo "Mehrere Module: $NIC_MODULES"
  fi
 }
 ###########################################################################################
 # Installation of the specified kernel incl. dropbear SSH, LUKS Nuke.
 # Globals:
 #   MODULE_ERR
 #   MODULE_TXT
 #   TARGET
 #   kernel
 # Arguments:
 #   None
 ###########################################################################################
 3_7_7_functions_installation_kernel() {
  declare -g -x MODULE_ERR="3_7_7_functions_installation_kernel"
  declare -g -x MODULE_TXT="Install kernel: '${kernel}'"
  do_show_header "${MODULE_TXT}"
  # Installing the chosen Kernel Image according to preseed.yaml
  do_in_target "${TARGET}" apt-get install -y "${kernel}"
  if [[ ${accounts_dropbear_ssh,,} == "true" ]]; then
    do_in_target "${TARGET}" apt-get install -y busybox cryptsetup-initramfs dropbear-initramfs initramfs-tools
     echo "DROPBEAR_OPTIONS=\"-p ${accounts_ssh_port} -s -j -k -I 300\"" > "${TARGET}/etc/dropbear/initramfs/dropbear.conf"
    cat > "${TARGET}/etc/dropbear/initramfs/authorized_keys" << EOF
 command="/bin/security-rescue-shell",no-port-forwarding,no-pty,no-X11-forwarding ${accounts_dropbear_pubkey}
 EOF
    chmod 0644 "${TARGET}/etc/dropbear/initramfs/dropbear.conf"
    chown root:root "${TARGET}/etc/dropbear/initramfs/dropbear.conf"
    chmod 0600 "${TARGET}/etc/dropbear/initramfs/authorized_keys"
    chown root:root "${TARGET}/etc/dropbear/initramfs/authorized_keys"
    do_log "info" "true" "Command: 'echo \"DROPBEAR_OPTIONS=\"-p ${accounts_ssh_port} -s -j -k -I 300 -K curve25519-sha256 -c aes256-gcm@openssh.com -m hmac-sha2-256,hmac-sha2-512\" > ${TARGET}/etc/dropbear/initramfs/dropbear.conf' executed in: '${TARGET}'."
    do_log "info" "true" "Command: 'echo ${accounts_dropbear_pubkey} > ${TARGET}/etc/dropbear/initramfs/authorized_keys' executed in: '${TARGET}'."
    # Network-Pre-Script for initramfs DHCP
    cat > "${TARGET}/etc/initramfs-tools/scripts/init-premount/dhcp-network" << 'EOF'
 #!/bin/sh
 # ^^ no bash in initramfs environment, only BusyBox
 PREREQ=""
 prereqs() { echo "${PREREQ}"; }
 case $1 in
  prereqs) prereqs; exit 0 ;;
 esac
 # NIC without ":" and VLAN-Suffix
 iface=$(grep -E '^(eth|en)[^:.]*$' /sys/class/net | head -n1)
 [ -n "${iface}" ] || exit 0
 # Setup Link and dhclient or udhcpc
 ip link set "${iface}" up
 if command -v dhclient >/dev/null 2>&1; then
  dhclient "${iface}"
 else
  udhcpc -i "${iface}"
 fi
 exit 0
 EOF
    chmod +x "${TARGET}/etc/initramfs-tools/scripts/init-premount/dhcp-network"
    do_log "info" "true" "Generated: '${TARGET}/etc/initramfs-tools/scripts/init-premount/dhcp-network: '${TARGET}'."
    cat > "${TARGET}/etc/initramfs-tools/scripts/init-bottom/dropbear_fw" << EOF
 #!/bin/sh
 # ^^ no bash in initramfs environment, only BusyBox
 if command -v iptables >/dev/null 2>&1; then
  iptables -F
  iptables -P INPUT DROP
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD DROP
  iptables -A INPUT -p tcp --dport "${accounts_ssh_port}" -s "${accounts_bastion_vpn_ipv4}" -j ACCEPT
  iptables -A INPUT -i lo -j ACCEPT
 fi
 if command -v ip6tables >/dev/null 2>&1; then
  ip6tables -F
  ip6tables -P INPUT DROP
  ip6tables -P OUTPUT ACCEPT
  ip6tables -P FORWARD DROP
  ip6tables -A INPUT -p tcp --dport "${accounts_ssh_port}" -s "${accounts_bastion_vpn_ipv6}" -j ACCEPT
  ip6tables -A INPUT -i lo -j ACCEPT
 fi
 EOF
    chmod +x "${TARGET}/etc/initramfs-tools/scripts/init-bottom/dropbear_fw"
    cat > "${TARGET}/bin/remote-nuke.sh" << EOF
 #!/bin/sh
 # ^^ no bash in initramfs environment, only BusyBox
 # remote-nuke.sh – to be executed at the end of Initramfs
 PREREQ="local-bottom"
 prereqs() { echo "${PREREQ}"; }
 case $1 in
  prereqs) prereqs; exit 0 ;;
 esac
 message() {
  if [ ${#*} -lt 76 ]; then
    echo "$*" 1>&2
  else
    # use busybox's fold(1) and sed(1) at initramfs stage
    echo "$*" | fold -s | sed '1! s/^/    /' 1>&2
  fi
  return 0
 }
 . /scripts/functions    # delivers log_* und ASKPASS
 # Brief break, to ensure all devices are mapped
 sleep 1
 readonly MAX_RETRIES=5
 for DEV in /dev/sd*[0-9]; do
  [ -b "${DEV}" ] || continue
  DEV_NAME=$(basename "${DEV}" | tr -cs 'a-zA-Z0-9' '_')
  NUKE_MAP="nuke_${DEV_NAME}"
  TRY_MAP="try_${DEV_NAME}"
  ASKPASS=/usr/bin/ssh-askpass
  password="$(${ASKPASS} "Enter LUKS passphrase: ")"
  message "Checking ${DEV} ..."
  if ! cryptsetup isLuks "${DEV}" 2>/dev/null; then
    message "${DEV} is not a LUKS-Container – skipped."
    continue
  fi
  # Verify, if LUKS Key Slot #31 exists
  if cryptsetup luksDump "${DEV}" 2>/dev/null | grep -q '^Key Slot 31: *ENABLED'; then
    has_slot31="yes"
  else
    has_slot31="no"
  fi
  attempt=1
  while [ ${attempt} -le ${MAX_RETRIES} ]; do
    message "Attempt '${attempt}/${MAX_RETRIES}' for opening ${DEV} ..."
    if [ "${has_slot31}" = yes ]; then
      if echo "${password}" | cryptsetup open --test-passphrase --key-slot 31 "${DEV}" "${NUKE_MAP}" 2>/dev/null; then
        echo YES | cryptsetup erase "${DEV}"
        message "Slot 31 of ${DEV} exists. Cleaning OK successful."
        break
      fi
    fi
    if echo "$((password))" | cryptsetup open "${DEV}" "crypt_${NAME}" 2>/dev/null; then
      decrypted_any=yes
      break
    fi
    # 2) Normales Entschlüsseln (jeder Slot)
    echo "$password" | cryptsetup open \
      --test-passphrase \
      "$DEV" nuke_tmp 2>/dev/null
    if [ $? -eq 0 ]; then
      log_success_msg "Normales Test-Passphrase erfolgreich"
      cryptsetup erase "$DEV" && \
        log_success_msg "LUKS-Header von $DEV gelöscht"
      break
    else
      log_warning_msg "Normales Test-Passphrase fehlgeschlagen"
    fi
    attempt=$((attempt + 1))
    if [ $attempt -le $MAX_RETRIES ]; then
      log_begin_msg "Warte 1s vor erneutem Versuch für $DEV…"
      sleep 1
    else
      log_error_msg "Maximale Versuche für $DEV erreicht – überspringe"
    fi
  done
  # Aufräumen: falls ein Mapper existiert, schließen
  if [ -e /dev/mapper/nuke_tmp ]; then
    cryptsetup close nuke_tmp
  fi
 done
 log_end_msg 0
 exit 0
 EOF
    chmod +x "${TARGET}/bin/security-rescue-shell"
    # Regenerate Initramfs incl. Dropbear SSH, Scripts and Keys
    do_in_target "${TARGET}" update-initramfs -u
  fi
  do_log "info" "true" "Dropbear SSH in initramfs des Targets installiert und konfiguriert (Port: ${accounts_ssh_port}, CA aktiviert, RateLimit & Nuke-Key)."
  do_show_footer "${MODULE_TXT}"
 }
--- a/.preseed/preseed.yaml
+++ b/.preseed/preseed.yaml
@@ -372,13 +372,20 @@ ntp:
 ################################################################################################################################
 user:
  allow_policies: true         # For additional hardening of SSH connections '/etc/hosts.allow'.
-                               # If "allow_policies" = "true", at least one IP MUST be provided:
+                               # If "allow_policies" = "true", at least one 'bastion_ipv4' MUST be provided.
-  allow_ipv4:
+                               # One or multiple Domains could be provided as well 'allow_domain'.
  bastion_enable: false        # In case 'bastion_ipv4' and 'bastion_ipv6' are SSH Bastion IPs set this to "true".
                               # If these are Jump Server and / or static VPN-Exit-Nodes, set this to "false".
  bastion_ipv4:                # Provide Bastion / Jump-Server / static VPN-Exit-Nodes IPv4.
    - 202.61.246.50
-  allow_ipv6:
+  bastion_ipv6:                # Provide Bastion / Jump-Server / static VPN-Exit-Nodes IPv6.
    - 2a03:4000:53:f:abcd:9494:0:2
  allow_domain:                # Provide Bastion / Jump-Server / static VPN-Exit-Nodes Domains.
    - vpn00.x448.eu
  dropbear_boot: true          # Dropbear initramfs integration.
  dropbear_dhcp: true          # Whether the '/etc/initramfs-tools/conf.d/ip' file should be configured statically or via DHCP.
  dropbear_fw: true            # Additional ultra hardening of the dropbear initramfs environment via firewall.
                               # The "bastion_ipv4" MUST be provided.
  ssh_port: 42137              # SSH Port. In case "dropbear_boot" = "true" the same SSH Port will be used.
  ssh_rootca: "/.preseed/ssh_root_ca.pub"
--- a/func/4195_setup_dropbear.sh
+++ b/func/4195_setup_dropbear.sh
@@ -15,12 +15,15 @@ guard_sourcing
 #######################################
 # Setup Dropbear Initramfs Environment.
 # Globals:
 #   HMP_PATH_ENCLABEL
 #   TARGET
 #   VAR_CRYPT_ROOT
 #   VAR_FINAL_FQDN
 #   VAR_FINAL_IPV4
 #   VAR_FINAL_IPV4_GW
 #   VAR_FINAL_IPV4_SUBNET
 #   VAR_FINAL_NIC
 #   VAR_GRUB_CMDLINE_LINUX
 #   VAR_SETUP_PATH
 #   network_static_ipv4nameserver_0
 #   network_static_ipv4nameserver_1
@@ -35,6 +38,7 @@ guard_sourcing
 #   0: on success
 #######################################
 setup_dropbear() {
  ### Prepare strong dropbear host keys
  rm -f "${TARGET}"/etc/dropbear/initramfs/dropbear*key
  do_in_target "${TARGET}" /usr/bin/dropbearkey -t rsa -s 4096 -f /etc/dropbear/initramfs/dropbear_rsa_host_key
@@ -43,6 +47,7 @@ setup_dropbear() {
  chmod 0600 "${TARGET}"/etc/dropbear/initramfs/dropbear*key
  chown root:root "${TARGET}"/etc/dropbear/initramfs/dropbear*key
  ### Prepare dropbear authorized_keys
  declare -a ary_user=()
  ary_user+=("${user_root_ssh_pubkeys_0}")
  [[ -n "${user_root_ssh_pubkeys_1}" ]] && ary_user+=("${user_root_ssh_pubkeys_1}")
@@ -53,6 +58,7 @@ setup_dropbear() {
  printf "%s\n" "${ary_user[@]}" > "${TARGET}/etc/dropbear/initramfs/authorized_keys"
  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/etc/banner" "${TARGET}/etc/dropbear/initramfs/"
  ### Check for initramfs "IP"-variable: static or dynamic configuration vai dhcp.
  if [[ "${user_dropbear_dhcp,,}" != "true" ]]; then
    declare network_static_ipv4ntpserver_0="192.53.103.108"
    ### "IP=<HOST IP>::<GATEWAY IP>:<SUBNET MASK>:<FQDN>:<NIC>:none:<DNS 0 IP>:<DNS 1 IP>:<NTP IP>"
@@ -71,27 +77,83 @@ setup_dropbear() {
    printf "IP=:::::%s:dhcp\n" "${VAR_FINAL_NIC}" >| "${TARGET}/etc/initramfs-tools/conf.d/ip"
  fi
  ### Generate dropbear configuration file
  write_dropbear_conf
-  ### Options in "GRUB_CMDLINE_LINUX" are always effective.
+  ### Prepare Grub Bootparameter for LUKS decryption of '/root' and '/recovery'.
-  ### Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
+  # Options in "GRUB_CMDLINE_LINUX" are always effective.
  # Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
  grub_extract_current_string
  declare var_label="${HMP_PATH_ENCLABEL["LABEL_/"]}"
  VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} cryptdevice=${VAR_CRYPT_ROOT}:cryptroot root=/dev/mapper/${var_label}"
  grub_finalize_string
  ### Install the script to be called by 'update-initramfs' for updating 'PATH'-variable inside initramfs.
  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/scripts/init-top/fixpath.sh" \
    "${TARGET}/includes/initramfs-tools/scripts/init-top/"
  ### Install the script to be called by 'update-initramfs' for customizing dropbear inside initramfs.
  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/hooks/custom-initramfs.sh" \
    "${TARGET}/includes/initramfs-tools/hooks/"
  ### Install the script to be called by 'update-initramfs' for customizing prompt inside initramfs environment.
  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/hooks/custom-prompt.sh" \
    "${TARGET}/includes/initramfs-tools/hooks/"
-  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/hooks/dropbear.sh" \
+  ### Install the script to be called inside initramfs environment for unlocking LUKS and NUKE Devices.
-    "${TARGET}/includes/initramfs-tools/hooks/"
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock_wrapper.sh" \
  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock-wrapper.sh" \
    "${TARGET}/includes/initramfs-tools/files/"
  ### Install the script to be called inside Host environment for signing 'unlock_wrapper.sh'-script.
  install -D -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock_wrapper_signer.sh" \
    "${TARGET}/includes/initramfs-tools/files/"
  ### Install the script to be called by 'update-initramfs' for installing the necessary modules to load into initramfs environment.
  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/modules" \
    "${TARGET}/includes/initramfs-tools/"
  declare var_modules; var_modules=$(grep_nic_driver_modules)
  cat << EOF >> "${TARGET}/includes/initramfs-tools/modules"
 ### Custom NIC driver
 ${var_modules}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
  ### Install the script to be called inside initramfs environment for preparing dropbear execution.
  do_in_target "${TARGET}" mv /usr/share/initramfs-tools/scripts/init-premount/dropbear /usr/share/initramfs-tools/scripts/init-premount/dropbear.2022.83
  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/usr/share/initramfs-tools/scripts/init-premount/dropbear" \
    "${TARGET}/includes/usr/share/initramfs-tools/scripts/init-premount/"
  ### Install the variable file to be called inside initramfs environment for setting up dropbear firewall.
  install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/dropbear_fw.cnf" \
    "${TARGET}/includes/initramfs-tools/files/"
  ### Install the firewall script to be called inside initramfs environment for setting up dropbear firewall.
  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/dropbear_fw.sh" \
    "${TARGET}/includes/initramfs-tools/files/"
  if [[ "${user_dropbear_fw,,}" == "true" && -n "${user_bastion_ipv4_0}" ]]; then
    sed -i 's/^DROPBEAR_FIREWALL_ENABLED=0$/DROPBEAR_FIREWALL_ENABLED=1/' "${TARGET}/includes/initramfs-tools/files/dropbear_fw.cnf"
    sed -i '/^# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh$/d' "${TARGET}/includes/initramfs-tools/files/dropbear_fw.cnf"
    cat << EOF >> "${TARGET}/includes/initramfs-tools/files/dropbear_fw.cnf"
 DROPBEAR_PORT=${user_ssh_port}
 DROPBEAR_JUMP_SERVER_IP=${user_bastion_ipv4_0}
 DROPBEAR_BASTION_ENABLE=${user_bastion_enable}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
 EOF
  fi
  ### Finally, deploy all changes done via 'update-grub' and 'update-initramfs'.
  do_in_target "${TARGET}" update-grub
  do_in_target "${TARGET}" update-initramfs -u -v -k all
  return 0
 }
@@ -151,4 +213,39 @@ EOF
  do_log "info" "true" "Written: '${TARGET}/etc/dropbear/initramfs/dropbear.conf'."
  return 0
 }
 #######################################
 # Collect NIC driver modules for initramfs installation.
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 grep_nic_driver_modules() {
  ### Collect all ethernet driver names and sort them uniquely.
  declare -a _mods
  declare var_nic_module var_nic_modules
  readarray -t _mods < <(
    lspci -k \
      | grep -A2 -i ethernet \
      | grep 'Kernel driver in use' \
      | awk '{print $5}' \
      | sort -u
  )
  ### If only one entry remains, save it in 'var_nic_module', otherwise save all modules in 'var_nic_modules'.
  if [[ "${#_mods[@]}" -eq 1 ]]; then
    var_nic_module="${_mods[0]}"
  else
    var_nic_modules="${_mods[*]}"
  fi
  if [[ -n "$var_nic_module" ]]; then
    echo "${var_nic_module}"
  else
    echo "${var_nic_modules}"
  fi
  return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/includes/initramfs-tools/files/dropbear_fw.cnf
+++ b/includes/initramfs-tools/files/dropbear_fw.cnf
@@ -0,0 +1,14 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; ZIMNOL, Andre H.; <git.cs@physnet.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 DROPBEAR_FIREWALL_ENABLED=0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/includes/initramfs-tools/files/dropbear_fw.sh
+++ b/includes/initramfs-tools/files/dropbear_fw.sh
@@ -0,0 +1,81 @@
 #!/bin/sh
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; ZIMNOL, Andre H.; <git.cs@physnet.eu>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 # Firewall script for Dropbear SSH inside initramfs.
 # This script runs at the "init-bottom" stage of the early boot process.
 #
 # It configures basic iptables rules to restrict SSH access to Dropbear
 # while the system is in the pre-boot phase (before root is decrypted).
 #
 # IPv6 is not supported in initramfs at this stage due to complexity.
 # Only trusted IPv4 addresses are allowed.
 #
 # ┌─────────────────────────────────────────────────────────────┐
 # │ ACCESS LOGIC:                                               │
 # │                                                             │
 # │ - If is_jump_host = true:                                   │
 # │     then allow all IPv4 connections to the Dropbear port    │
 # │                                                             │
 # │ - If is_jump_host = false:                                  │
 # │     then allow only the bastion/jump-server IPv4 address    │
 # └─────────────────────────────────────────────────────────────┘
 PREREQ="dropbear"
 prereqs() { echo "$PREREQ"; }
 case "$1" in
  prereqs) prereqs; exit 0 ;;
 esac
 ### Check if the firewall is enabled via the config file.
 DROPBEAR_FW_CONF="/etc/initramfs-tools/conf.d/dropbear_fw.cnf"
 if [ -f "${DROPBEAR_FW_CONF}" ]; then
  # shellcheck disable=SC1090
  . "${DROPBEAR_FW_CONF}"
 fi
 ### Abort if the firewall flag is not set or disabled.
 if [ "${DROPBEAR_FIREWALL_ENABLED}" != "1" ]; then
  echo "Dropbear firewall disabled by 'dropbear_fw.cnf'."
  exit 0
 fi
 ### Ensure iptables is available.
 if command -v iptables >/dev/null 2>&1; then
  ### Reset any existing rules.
  iptables -F
  iptables -X
  ### Default policy: block everything unless explicitly allowed.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT
  ### Allow local loopback.
  iptables -A INPUT -i lo -j ACCEPT
  ### Access control based on the host role.
  if [ "${DROPBEAR_BASTION_ENABLE}" = true ]; then
    ### SSH Bastion Host: allow any source IP on the dropbear SSH port.
    iptables -A INPUT -p tcp --dport "${DROPBEAR_PORT}" -j ACCEPT
  else
    ### Infrastructure host / Jump-Server / VPN-Exit-Node: only allow SSH from the specified IPv4.
    iptables -A INPUT -p tcp --dport "${DROPBEAR_PORT}" -s "${DROPBEAR_JUMP_SERVER_IP}" -j ACCEPT
  fi
 fi
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/includes/initramfs-tools/files/unlock_wrapper.sh
+++ b/includes/initramfs-tools/files/unlock_wrapper.sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 # SPDX-Comment: unlock_wrapper.sh to be executed after dropbear SSH login as forced command
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 IFS=$(printf ' \n\t')
 # shellcheck disable=SC2155
--- a/includes/initramfs-tools/hooks/custom-initramfs.sh
+++ b/includes/initramfs-tools/hooks/custom-initramfs.sh
@@ -20,15 +20,19 @@ esac
 . /usr/share/initramfs-tools/hook-functions
-mkdir -p "${DESTDIR}/bin" "${DESTDIR}/usr/bin" "${DESTDIR}/usr/local/bin" "${DESTDIR}/etc/dropbear/initramfs" "${DESTDIR}/etc/keys"
+# Ensure directory structure in initramfs
 mkdir -p "${DESTDIR}/etc/dropbear/initramfs"
 mkdir -p "${DESTDIR}/usr/local/bin" "${DESTDIR}/etc/keys"
 mkdir -p "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
 mkdir -p "${DESTDIR}/etc/initramfs-tools/conf.d"
 ### Include Bash
 copy_exec /usr/bin/bash /usr/bin
 ### Include Busybox
 copy_exec /usr/bin/busybox /usr/bin
 copy_exec /usr/bin/busybox /bin
 ### Include Bash
 copy_exec /usr/bin/bash /usr/bin
 ### Include lsblk (block device info tool)
 copy_exec /usr/bin/lsblk /usr/bin
@@ -42,11 +46,18 @@ copy_exec /usr/bin/sha384sum /usr/bin
 ### Include Signature-Verifier
 copy_exec /usr/bin/gpgv /usr/bin
 ### Link busybox applets for compatibility
 for dir in bin usr/bin; do
  ln -sf busybox "${DESTDIR}/${dir}/cat"
  ln -sf busybox "${DESTDIR}/${dir}/sleep"
 done
 ### Install Dropbear firewall configuration
 install -m 0444 /etc/initramfs-tools/files/dropbear_fw.cnf "${DESTDIR}/etc/initramfs-tools/conf.d/dropbear_fw.cnf"
 ### Install Dropbear configuration
 install -m 0444 /etc/initramfs-tools/files/dropbear.conf "${DESTDIR}/etc/dropbear/dropbear.conf"
 install -m 0555 /etc/initramfs-tools/files/unlock-wrapper.sh "${DESTDIR}/usr/local/bin/unlock-wrapper.sh"
 install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha384 "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha384"
 install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha512 "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha512"
--- a/includes/initramfs-tools/modules
+++ b/includes/initramfs-tools/modules
@@ -0,0 +1,64 @@
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-FileType: SOURCE
 # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 # List of modules that you want to include in your initramfs.
 # They will be loaded at boot time in the order below.
 #
 # Syntax:  module_name [args ...]
 #
 # You must run update-initramfs(8) to effect this change.
 #
 # Examples:
 #
 # raid1
 # sd_mod
 ### QEMU Bochs-compatible virtual machine support
 bochs
 ### Device-mapper core module (required for all dm_* features)
 dm_mod
 ### Device-mapper integrity target (provides integrity checking)
 dm-integrity
 ### Device-mapper crypt target (provides disk encryption)
 dm-crypt
 ### Generic AES block cipher implementation (used by dm-crypt)
 aes_generic
 ### Generic SHA-256 hashing algorithm (used by various crypto and integrity targets)
 sha256_generic
 ### Generic SHA-384 hashing algorithm (used by various crypto and integrity targets)
 sha384_generic
 ### Generic SHA-512 hashing algorithm (used by various crypto and integrity targets)
 sha512_generic
 ### Generic CRC32C checksum implementation (used by btrfs and other filesystems)
 crc32c_generic
 ### Main btrfs filesystem module
 btrfs
 ### Zstandard compression support for btrfs
 zstd_compress
 ### XOR parity implementation for RAID functionality
 xor
 ### RAID6 parity generation module
 raid6_pq
 ### Combined RAID4/5/6 support module
 raid456
--- a/includes/initramfs-tools/scripts/init-top/fixpath.sh
+++ b/includes/initramfs-tools/scripts/init-top/fixpath.sh
@@ -10,6 +10,9 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
-export PATH="/usr/local/bin:/usr/bin:/bin:/sbin:/usr/sbin:$PATH"
+set -e
 ### Make sure /usr/local/bin is in front of 'PATH'.
 export PATH="/usr/local/bin:${PATH:-/sbin:/usr/sbin:/bin:/usr/bin}"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/includes/usr/share/initramfs-tools/scripts/init-premount/dropbear
+++ b/includes/usr/share/initramfs-tools/scripts/init-premount/dropbear
@@ -0,0 +1,50 @@
 #!/bin/sh
 PREREQ="udev"
 prereqs() {
    echo "$PREREQ"
 }
 case "$1" in
    prereqs)
        prereqs
        exit 0
    ;;
 esac
 [ -x /sbin/dropbear ] || exit 0
 run_dropbear() {
    # Remove old flags for dropbear version 2022.83
    # only accepts flags from /etc/dropbear/dropbear.conf
    #local flags="Fs"
    #[ "$debug" != y ] || flags="E$flags" # log to standard error
    # always run configure_networking() before dropbear(8); on NFS
    # mounts this has been done already
    [ "$BOOT" = nfs ] || configure_networking
    log_begin_msg "Starting dropbear"
    # using exec and keeping dropbear in the foreground enables the
    # init-bottom script to kill the remaining ipconfig processes if
    # someone unlocks the rootfs from the console while the network is
    # being configured
    exec /sbin/dropbear ${DROPBEAR_OPTIONS-}
 }
 if [ -e /etc/dropbear/dropbear.conf ]; then
    . /etc/dropbear/dropbear.conf
 fi
 . /scripts/functions
 # On NFS mounts, wait until the network is configured.  On local mounts,
 # configure the network in the background (in run_dropbear()) so someone
 # with console access can enter the passphrase immediately.  (With the
 # default ip=dhcp, configure_networking hangs for 5mins or so when the
 # network is unavailable, for instance.)
 [ "$BOOT" != nfs ] || configure_networking
 run_dropbear &
 echo $! >/run/dropbear.pid