V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.archive/func/4195_setup_dropbear.sh

@@ -10,270 +10,28 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-lsinitramfs /boot/initrd.img-"$(uname -r)" | grep -E 'bin/(bash|sha|reboot|sync|sleep|sh)'
+### Remarks
+# lsinitramfs /boot/initrd.img-"$(uname -r)" | grep -E 'bin/(bash|sha|reboot|sync|sleep|sh)'
+# readelf -h /bin/busybox | grep Type
+# command="/usr/local/bin/unlock_wrapper.sh",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-ed25519 ...
+# /usr/share/initramfs-tools/scripts/init-premount
+# /dev/sdaN: UUID="468ad656-0e2f-4fff-9501-c691bab9f553" TYPE="crypto_LUKS" PARTLABEL="crypt_system" PARTUUID="78c0f711-f84f-425e-9455-a46430f40794"
+# GRUB_CMDLINE_LINUX="cryptdevice=UUID=468ad656-0e2f-4fff-9501-c691bab9f553:cryptroot root=/dev/mapper/vg_system-root"
+# declare var_nic_module; var_nic_module=$(lspci -k | grep -A2 -i ethernet | grep 'Kernel driver in use' | awk '{print $5}')
+# echo "${var_nic_module}"
 
+### Nuke Hints
+# /usr/share/cryptsetup/initramfs/bin/cryptroot-unlock
+# Before (Default)
+# ASKPASS=/lib/cryptsetup/askpass
+# After
+# ASKPASS=/lib/cryptsetup/askpass.cryptsetup
 
-# TODO Important insert cryptdevice=UUID=881366ae-61ee-4ee0-893c-0def27c78c9e:cryptroot root=/dev/mapper/vg00-root
-# TODO Important insert GRUB_CMDLINE_LINUX_DEFAULT="net.ifnames=0 biosdevname=0 ip=152.53.66.126::152.53.64.1:255.255.252.0:soc:ens3:none"
+# apt-get cryptsetup-nuke-password
+# dpkg-reconfigure cryptsetup-nuke-password
 
-
-
-
-command="/usr/local/bin/coresecret.sh",no-agent-forwarding,no-port-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICp+6S+qM87lLWUtvTGBV/GFNvYyvZ992X4/AcuraKwm 2025_run.coresecret.dev_root
-
-/usr/share/initramfs-tools/scripts/init-premount
-***
-run.coresecret.dev
-/dev/sda5: UUID="468ad656-0e2f-4fff-9501-c691bab9f553" TYPE="crypto_LUKS" PARTLABEL="crypt_system" PARTUUID="78c0f711-f84f-425e-9455-a46430f40794"
-echo "IP=65.21.249.232::172.31.1.1:255.255.255.255:run.coresecret.dev:enp1s0:none:135.181.207.105:89.58.62.53:192.53.103.108" >| /etc/initramfs-tools/conf.d/ip
-GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=468ad656-0e2f-4fff-9501-c691bab9f553:cryptroot root=/dev/mapper/vg_system-root"
-***
-
-/usr/share/cryptsetup/initramfs/bin/cryptroot-unlock
-# Vorher (Standard)
-ASKPASS=/lib/cryptsetup/askpass
-
-# Danach
-ASKPASS=/lib/cryptsetup/askpass.cryptsetup
-
-apt-get cryptsetup-nuke-password
-dpkg-reconfigure cryptsetup-nuke-password
-
-debconf-set-selections << END
-cryptsetup-nuke-password cryptsetup-nuke-password/password string Th3Pa$$w0rd
-cryptsetup-nuke-password cryptsetup-nuke-password/password-again string Th3Pa$$w0rd
-END
-sudo dpkg-reconfigure -f noninteractive cryptsetup-nuke-password
-
-apt-get install -y busybox cryptsetup-initramfs dropbear-initramfs initramfs-tools
-rm -f /etc/dropbear/initramfs/dropbear*key
-dropbearkey -t rsa -s 4096 -f /etc/dropbear/initramfs/dropbear_rsa_host_key
-dropbearkey -t ed25519 -f /etc/dropbear/initramfs/dropbear_ed25519_host_key
-chmod 600 /etc/dropbear/initramfs/dropbear*key
-chown root:root /etc/dropbear/initramfs/dropbear*key
-cp -af ~/.ssh/authorized_keys /etc/dropbear/initramfs
-echo "IP=152.53.110.40::152.53.108.1:255.255.252.0:git.coresecret.dev:ens3:none:135.181.207.105:89.58.62.53:192.53.103.108" >| /etc/initramfs-tools/conf.d/ip
-sed -i 's|#DROPBEAR_OPTIONS=""|DROPBEAR_OPTIONS="-p 37768 -s -j -k -I 300 -c coresecret.sh"|g' /etc/dropbear/initramfs/dropbear.conf
-
-GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=881366ae-61ee-4ee0-893c-0def27c78c9e:cryptroot root=/dev/mapper/vg00-root"
-update-initramfs -u -v -k all
-
-NIC_MODULE=$(lspci -k | grep -A2 -i ethernet | grep 'Kernel driver in use' | awk '{print $5}')
-echo "$NIC_MODULE"
-
-grep_nic_driver_modules() {
-  # Alle Treibernamen sammeln und unique sortieren
-  readarray -t _mods < <(
-    lspci -k \
-      | grep -A2 -i ethernet \
-      | grep 'Kernel driver in use' \
-      | awk '{print $5}' \
-      | sort -u
-  )
-
-  # Wenn nur ein Eintrag übrig bleibt, in NIC_MODULE speichern,
-  # sonst alternativ alle Module in NIC_MODULES
-  if [ "${#_mods[@]}" -eq 1 ]; then
-    NIC_MODULE="${_mods[0]}"
-  else
-    NIC_MODULES="${_mods[*]}"
-  fi
-
-  # Ausgabe zur Kontrolle
-  if [ -n "$NIC_MODULE" ]; then
-    echo "Einzelnes Modul: $NIC_MODULE"
-  else
-    echo "Mehrere Module: $NIC_MODULES"
-  fi
-}
-
-###########################################################################################
-# Installation of the specified kernel incl. dropbear SSH, LUKS Nuke.
-# Globals:
-#   MODULE_ERR
-#   MODULE_TXT
-#   TARGET
-#   kernel
-# Arguments:
-#   None
-###########################################################################################
-3_7_7_functions_installation_kernel() {
-  declare -g -x MODULE_ERR="3_7_7_functions_installation_kernel"
-  declare -g -x MODULE_TXT="Install kernel: '${kernel}'"
-  do_show_header "${MODULE_TXT}"
-
-  # Installing the chosen Kernel Image according to preseed.yaml
-  do_in_target "${TARGET}" apt-get install -y "${kernel}"
-
-  if [[ ${accounts_dropbear_ssh,,} == "true" ]]; then
-
-    do_in_target "${TARGET}" apt-get install -y busybox cryptsetup-initramfs dropbear-initramfs initramfs-tools
-
-     echo "DROPBEAR_OPTIONS=\"-p ${accounts_ssh_port} -s -j -k -I 300\"" > "${TARGET}/etc/dropbear/initramfs/dropbear.conf"
-    cat > "${TARGET}/etc/dropbear/initramfs/authorized_keys" << EOF
-command="/bin/security-rescue-shell",no-port-forwarding,no-pty,no-X11-forwarding ${accounts_dropbear_pubkey}
-EOF
-    chmod 0644 "${TARGET}/etc/dropbear/initramfs/dropbear.conf"
-    chown root:root "${TARGET}/etc/dropbear/initramfs/dropbear.conf"
-    chmod 0600 "${TARGET}/etc/dropbear/initramfs/authorized_keys"
-    chown root:root "${TARGET}/etc/dropbear/initramfs/authorized_keys"
-    do_log "info" "true" "Command: 'echo \"DROPBEAR_OPTIONS=\"-p ${accounts_ssh_port} -s -j -k -I 300 -K curve25519-sha256 -c aes256-gcm@openssh.com -m hmac-sha2-256,hmac-sha2-512\" > ${TARGET}/etc/dropbear/initramfs/dropbear.conf' executed in: '${TARGET}'."
-    do_log "info" "true" "Command: 'echo ${accounts_dropbear_pubkey} > ${TARGET}/etc/dropbear/initramfs/authorized_keys' executed in: '${TARGET}'."
-
-    # Network-Pre-Script for initramfs DHCP
-    cat > "${TARGET}/etc/initramfs-tools/scripts/init-premount/dhcp-network" << 'EOF'
-#!/bin/sh
-# ^^ no bash in initramfs environment, only BusyBox
-PREREQ=""
-prereqs() { echo "${PREREQ}"; }
-case $1 in
-  prereqs) prereqs; exit 0 ;;
-esac
-
-# NIC without ":" and VLAN-Suffix
-iface=$(grep -E '^(eth|en)[^:.]*$' /sys/class/net | head -n1)
-[ -n "${iface}" ] || exit 0
-
-# Setup Link and dhclient or udhcpc
-ip link set "${iface}" up
-if command -v dhclient >/dev/null 2>&1; then
-  dhclient "${iface}"
-else
-  udhcpc -i "${iface}"
-fi
-
-exit 0
-EOF
-    chmod +x "${TARGET}/etc/initramfs-tools/scripts/init-premount/dhcp-network"
-    do_log "info" "true" "Generated: '${TARGET}/etc/initramfs-tools/scripts/init-premount/dhcp-network: '${TARGET}'."
-
-    cat > "${TARGET}/etc/initramfs-tools/scripts/init-bottom/dropbear_fw" << EOF
-#!/bin/sh
-# ^^ no bash in initramfs environment, only BusyBox
-if command -v iptables >/dev/null 2>&1; then
-  iptables -F
-  iptables -P INPUT DROP
-  iptables -P OUTPUT ACCEPT
-  iptables -P FORWARD DROP
-  iptables -A INPUT -p tcp --dport "${accounts_ssh_port}" -s "${accounts_bastion_vpn_ipv4}" -j ACCEPT
-  iptables -A INPUT -i lo -j ACCEPT
-fi
-
-if command -v ip6tables >/dev/null 2>&1; then
-  ip6tables -F
-  ip6tables -P INPUT DROP
-  ip6tables -P OUTPUT ACCEPT
-  ip6tables -P FORWARD DROP
-  ip6tables -A INPUT -p tcp --dport "${accounts_ssh_port}" -s "${accounts_bastion_vpn_ipv6}" -j ACCEPT
-  ip6tables -A INPUT -i lo -j ACCEPT
-fi
-EOF
-    chmod +x "${TARGET}/etc/initramfs-tools/scripts/init-bottom/dropbear_fw"
-
-    cat > "${TARGET}/bin/remote-nuke.sh" << EOF
-#!/bin/sh
-# ^^ no bash in initramfs environment, only BusyBox
-# remote-nuke.sh – to be executed at the end of Initramfs
-
-PREREQ="local-bottom"
-prereqs() { echo "${PREREQ}"; }
-case $1 in
-  prereqs) prereqs; exit 0 ;;
-esac
-
-message() {
-  if [ ${#*} -lt 76 ]; then
-    echo "$*" 1>&2
-  else
-    # use busybox's fold(1) and sed(1) at initramfs stage
-    echo "$*" | fold -s | sed '1! s/^/    /' 1>&2
-  fi
-  return 0
-}
-
-. /scripts/functions    # delivers log_* und ASKPASS
-
-# Brief break, to ensure all devices are mapped
-sleep 1
-
-readonly MAX_RETRIES=5
-
-for DEV in /dev/sd*[0-9]; do
-  [ -b "${DEV}" ] || continue
-  DEV_NAME=$(basename "${DEV}" | tr -cs 'a-zA-Z0-9' '_')
-  NUKE_MAP="nuke_${DEV_NAME}"
-  TRY_MAP="try_${DEV_NAME}"
-
-  ASKPASS=/usr/bin/ssh-askpass
-  password="$(${ASKPASS} "Enter LUKS passphrase: ")"
-
-  message "Checking ${DEV} ..."
-  if ! cryptsetup isLuks "${DEV}" 2>/dev/null; then
-    message "${DEV} is not a LUKS-Container – skipped."
-    continue
-  fi
-
-  # Verify, if LUKS Key Slot #31 exists
-  if cryptsetup luksDump "${DEV}" 2>/dev/null | grep -q '^Key Slot 31: *ENABLED'; then
-    has_slot31="yes"
-  else
-    has_slot31="no"
-  fi
-
-  attempt=1
-  while [ ${attempt} -le ${MAX_RETRIES} ]; do
-    message "Attempt '${attempt}/${MAX_RETRIES}' for opening ${DEV} ..."
-
-    if [ "${has_slot31}" = yes ]; then
-      if echo "${password}" | cryptsetup open --test-passphrase --key-slot 31 "${DEV}" "${NUKE_MAP}" 2>/dev/null; then
-        echo YES | cryptsetup erase "${DEV}"
-        message "Slot 31 of ${DEV} exists. Cleaning OK successful."
-        break
-      fi
-    fi
-
-    if echo "$((password))" | cryptsetup open "${DEV}" "crypt_${NAME}" 2>/dev/null; then
-
-      decrypted_any=yes
-      break
-    fi
-    # 2) Normales Entschlüsseln (jeder Slot)
-    echo "$password" | cryptsetup open \
-      --test-passphrase \
-      "$DEV" nuke_tmp 2>/dev/null
-    if [ $? -eq 0 ]; then
-      log_success_msg "Normales Test-Passphrase erfolgreich"
-      cryptsetup erase "$DEV" && \
-        log_success_msg "LUKS-Header von $DEV gelöscht"
-      break
-    else
-      log_warning_msg "Normales Test-Passphrase fehlgeschlagen"
-    fi
-
-    attempt=$((attempt + 1))
-    if [ $attempt -le $MAX_RETRIES ]; then
-      log_begin_msg "Warte 1s vor erneutem Versuch für $DEV…"
-      sleep 1
-    else
-      log_error_msg "Maximale Versuche für $DEV erreicht – überspringe"
-    fi
-  done
-
-  # Aufräumen: falls ein Mapper existiert, schließen
-  if [ -e /dev/mapper/nuke_tmp ]; then
-    cryptsetup close nuke_tmp
-  fi
-done
-
-log_end_msg 0
-exit 0
-EOF
-    chmod +x "${TARGET}/bin/security-rescue-shell"
-
-    # Regenerate Initramfs incl. Dropbear SSH, Scripts and Keys
-    do_in_target "${TARGET}" update-initramfs -u
-  fi
-
-  do_log "info" "true" "Dropbear SSH in initramfs des Targets installiert und konfiguriert (Port: ${accounts_ssh_port}, CA aktiviert, RateLimit & Nuke-Key)."
-  do_show_footer "${MODULE_TXT}"
-}
+#debconf-set-selections << END
+#cryptsetup-nuke-password cryptsetup-nuke-password/password string Th3Pa$$w0rd
+#cryptsetup-nuke-password cryptsetup-nuke-password/password-again string Th3Pa$$w0rd
+#END
+#sudo dpkg-reconfigure -f noninteractive cryptsetup-nuke-password

.preseed/preseed.yaml

@@ -372,13 +372,20 @@ ntp:
 ################################################################################################################################
 user:
   allow_policies: true         # For additional hardening of SSH connections '/etc/hosts.allow'.
-                               # If "allow_policies" = "true", at least one IP MUST be provided:
-  allow_ipv4:
+                               # If "allow_policies" = "true", at least one 'bastion_ipv4' MUST be provided.
+                               # One or multiple Domains could be provided as well 'allow_domain'.
+  bastion_enable: false        # In case 'bastion_ipv4' and 'bastion_ipv6' are SSH Bastion IPs set this to "true".
+                               # If these are Jump Server and / or static VPN-Exit-Nodes, set this to "false".
+  bastion_ipv4:                # Provide Bastion / Jump-Server / static VPN-Exit-Nodes IPv4.
     - 202.61.246.50
-  allow_ipv6:
+  bastion_ipv6:                # Provide Bastion / Jump-Server / static VPN-Exit-Nodes IPv6.
     - 2a03:4000:53:f:abcd:9494:0:2
+  allow_domain:                # Provide Bastion / Jump-Server / static VPN-Exit-Nodes Domains.
+    - vpn00.x448.eu
   dropbear_boot: true          # Dropbear initramfs integration.
   dropbear_dhcp: true          # Whether the '/etc/initramfs-tools/conf.d/ip' file should be configured statically or via DHCP.
+  dropbear_fw: true            # Additional ultra hardening of the dropbear initramfs environment via firewall.
+                               # The "bastion_ipv4" MUST be provided.
   ssh_port: 42137              # SSH Port. In case "dropbear_boot" = "true" the same SSH Port will be used.
   ssh_rootca: "/.preseed/ssh_root_ca.pub"
 

func/4195_setup_dropbear.sh

@@ -15,12 +15,15 @@ guard_sourcing
 #######################################
 # Setup Dropbear Initramfs Environment.
 # Globals:
+#   HMP_PATH_ENCLABEL
 #   TARGET
+#   VAR_CRYPT_ROOT
 #   VAR_FINAL_FQDN
 #   VAR_FINAL_IPV4
 #   VAR_FINAL_IPV4_GW
 #   VAR_FINAL_IPV4_SUBNET
 #   VAR_FINAL_NIC
+#   VAR_GRUB_CMDLINE_LINUX
 #   VAR_SETUP_PATH
 #   network_static_ipv4nameserver_0
 #   network_static_ipv4nameserver_1
@@ -35,6 +38,7 @@ guard_sourcing
 #   0: on success
 #######################################
 setup_dropbear() {
+  ### Prepare strong dropbear host keys
   rm -f "${TARGET}"/etc/dropbear/initramfs/dropbear*key
 
   do_in_target "${TARGET}" /usr/bin/dropbearkey -t rsa -s 4096 -f /etc/dropbear/initramfs/dropbear_rsa_host_key
@@ -43,6 +47,7 @@ setup_dropbear() {
   chmod 0600 "${TARGET}"/etc/dropbear/initramfs/dropbear*key
   chown root:root "${TARGET}"/etc/dropbear/initramfs/dropbear*key
 
+  ### Prepare dropbear authorized_keys
   declare -a ary_user=()
   ary_user+=("${user_root_ssh_pubkeys_0}")
   [[ -n "${user_root_ssh_pubkeys_1}" ]] && ary_user+=("${user_root_ssh_pubkeys_1}")
@@ -53,6 +58,7 @@ setup_dropbear() {
   printf "%s\n" "${ary_user[@]}" > "${TARGET}/etc/dropbear/initramfs/authorized_keys"
   install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/etc/banner" "${TARGET}/etc/dropbear/initramfs/"
 
+  ### Check for initramfs "IP"-variable: static or dynamic configuration vai dhcp.
   if [[ "${user_dropbear_dhcp,,}" != "true" ]]; then
     declare network_static_ipv4ntpserver_0="192.53.103.108"
     ### "IP=<HOST IP>::<GATEWAY IP>:<SUBNET MASK>:<FQDN>:<NIC>:none:<DNS 0 IP>:<DNS 1 IP>:<NTP IP>"
@@ -71,27 +77,83 @@ setup_dropbear() {
     printf "IP=:::::%s:dhcp\n" "${VAR_FINAL_NIC}" >| "${TARGET}/etc/initramfs-tools/conf.d/ip"
   fi
 
+  ### Generate dropbear configuration file
   write_dropbear_conf
 
-  ### Options in "GRUB_CMDLINE_LINUX" are always effective.
-  ### Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
+  ### Prepare Grub Bootparameter for LUKS decryption of '/root' and '/recovery'.
+  # Options in "GRUB_CMDLINE_LINUX" are always effective.
+  # Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
   grub_extract_current_string
   declare var_label="${HMP_PATH_ENCLABEL["LABEL_/"]}"
   VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} cryptdevice=${VAR_CRYPT_ROOT}:cryptroot root=/dev/mapper/${var_label}"
   grub_finalize_string
 
+  ### Install the script to be called by 'update-initramfs' for updating 'PATH'-variable inside initramfs.
   install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/scripts/init-top/fixpath.sh" \
     "${TARGET}/includes/initramfs-tools/scripts/init-top/"
 
+  ### Install the script to be called by 'update-initramfs' for customizing dropbear inside initramfs.
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/hooks/custom-initramfs.sh" \
+    "${TARGET}/includes/initramfs-tools/hooks/"
+
+  ### Install the script to be called by 'update-initramfs' for customizing prompt inside initramfs environment.
   install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/hooks/custom-prompt.sh" \
     "${TARGET}/includes/initramfs-tools/hooks/"
 
-  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/hooks/dropbear.sh" \
-    "${TARGET}/includes/initramfs-tools/hooks/"
-
-  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock-wrapper.sh" \
+  ### Install the script to be called inside initramfs environment for unlocking LUKS and NUKE Devices.
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock_wrapper.sh" \
     "${TARGET}/includes/initramfs-tools/files/"
 
+  ### Install the script to be called inside Host environment for signing 'unlock_wrapper.sh'-script.
+  install -D -m 0700 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/unlock_wrapper_signer.sh" \
+    "${TARGET}/includes/initramfs-tools/files/"
+
+  ### Install the script to be called by 'update-initramfs' for installing the necessary modules to load into initramfs environment.
+  install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/modules" \
+    "${TARGET}/includes/initramfs-tools/"
+
+  declare var_modules; var_modules=$(grep_nic_driver_modules)
+
+  cat << EOF >> "${TARGET}/includes/initramfs-tools/modules"
+### Custom NIC driver
+${var_modules}
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+  ### Install the script to be called inside initramfs environment for preparing dropbear execution.
+  do_in_target "${TARGET}" mv /usr/share/initramfs-tools/scripts/init-premount/dropbear /usr/share/initramfs-tools/scripts/init-premount/dropbear.2022.83
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/usr/share/initramfs-tools/scripts/init-premount/dropbear" \
+    "${TARGET}/includes/usr/share/initramfs-tools/scripts/init-premount/"
+
+  ### Install the variable file to be called inside initramfs environment for setting up dropbear firewall.
+  install -D -m 0600 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/dropbear_fw.cnf" \
+    "${TARGET}/includes/initramfs-tools/files/"
+
+  ### Install the firewall script to be called inside initramfs environment for setting up dropbear firewall.
+  install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/initramfs-tools/files/dropbear_fw.sh" \
+    "${TARGET}/includes/initramfs-tools/files/"
+
+  if [[ "${user_dropbear_fw,,}" == "true" && -n "${user_bastion_ipv4_0}" ]]; then
+
+    sed -i 's/^DROPBEAR_FIREWALL_ENABLED=0$/DROPBEAR_FIREWALL_ENABLED=1/' "${TARGET}/includes/initramfs-tools/files/dropbear_fw.cnf"
+    sed -i '/^# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh$/d' "${TARGET}/includes/initramfs-tools/files/dropbear_fw.cnf"
+
+    cat << EOF >> "${TARGET}/includes/initramfs-tools/files/dropbear_fw.cnf"
+DROPBEAR_PORT=${user_ssh_port}
+DROPBEAR_JUMP_SERVER_IP=${user_bastion_ipv4_0}
+DROPBEAR_BASTION_ENABLE=${user_bastion_enable}
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+EOF
+
+  fi
+
+
+  ### Finally, deploy all changes done via 'update-grub' and 'update-initramfs'.
+  do_in_target "${TARGET}" update-grub
+  do_in_target "${TARGET}" update-initramfs -u -v -k all
+
   return 0
 }
 
@@ -151,4 +213,39 @@ EOF
   do_log "info" "true" "Written: '${TARGET}/etc/dropbear/initramfs/dropbear.conf'."
   return 0
 }
+
+#######################################
+# Collect NIC driver modules for initramfs installation.
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+grep_nic_driver_modules() {
+  ### Collect all ethernet driver names and sort them uniquely.
+  declare -a _mods
+  declare var_nic_module var_nic_modules
+  readarray -t _mods < <(
+    lspci -k \
+      | grep -A2 -i ethernet \
+      | grep 'Kernel driver in use' \
+      | awk '{print $5}' \
+      | sort -u
+  )
+
+  ### If only one entry remains, save it in 'var_nic_module', otherwise save all modules in 'var_nic_modules'.
+  if [[ "${#_mods[@]}" -eq 1 ]]; then
+    var_nic_module="${_mods[0]}"
+  else
+    var_nic_modules="${_mods[*]}"
+  fi
+
+  if [[ -n "$var_nic_module" ]]; then
+    echo "${var_nic_module}"
+  else
+    echo "${var_nic_modules}"
+  fi
+
+  return 0
+}
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/initramfs-tools/files/dropbear_fw.cnf

@@ -0,0 +1,14 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; ZIMNOL, Andre H.; <git.cs@physnet.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+DROPBEAR_FIREWALL_ENABLED=0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/initramfs-tools/files/dropbear_fw.sh

@@ -0,0 +1,81 @@
+#!/bin/sh
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; ZIMNOL, Andre H.; <git.cs@physnet.eu>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Firewall script for Dropbear SSH inside initramfs.
+# This script runs at the "init-bottom" stage of the early boot process.
+#
+# It configures basic iptables rules to restrict SSH access to Dropbear
+# while the system is in the pre-boot phase (before root is decrypted).
+#
+# IPv6 is not supported in initramfs at this stage due to complexity.
+# Only trusted IPv4 addresses are allowed.
+#
+# ┌─────────────────────────────────────────────────────────────┐
+# │ ACCESS LOGIC:                                               │
+# │                                                             │
+# │ - If is_jump_host = true:                                   │
+# │     then allow all IPv4 connections to the Dropbear port    │
+# │                                                             │
+# │ - If is_jump_host = false:                                  │
+# │     then allow only the bastion/jump-server IPv4 address    │
+# └─────────────────────────────────────────────────────────────┘
+
+PREREQ="dropbear"
+
+prereqs() { echo "$PREREQ"; }
+
+case "$1" in
+  prereqs) prereqs; exit 0 ;;
+esac
+
+### Check if the firewall is enabled via the config file.
+DROPBEAR_FW_CONF="/etc/initramfs-tools/conf.d/dropbear_fw.cnf"
+if [ -f "${DROPBEAR_FW_CONF}" ]; then
+  # shellcheck disable=SC1090
+  . "${DROPBEAR_FW_CONF}"
+fi
+
+### Abort if the firewall flag is not set or disabled.
+if [ "${DROPBEAR_FIREWALL_ENABLED}" != "1" ]; then
+  echo "Dropbear firewall disabled by 'dropbear_fw.cnf'."
+  exit 0
+fi
+
+### Ensure iptables is available.
+if command -v iptables >/dev/null 2>&1; then
+
+  ### Reset any existing rules.
+  iptables -F
+  iptables -X
+
+  ### Default policy: block everything unless explicitly allowed.
+  iptables -P INPUT DROP
+  iptables -P FORWARD DROP
+  iptables -P OUTPUT ACCEPT
+
+  ### Allow local loopback.
+  iptables -A INPUT -i lo -j ACCEPT
+
+  ### Access control based on the host role.
+  if [ "${DROPBEAR_BASTION_ENABLE}" = true ]; then
+
+    ### SSH Bastion Host: allow any source IP on the dropbear SSH port.
+    iptables -A INPUT -p tcp --dport "${DROPBEAR_PORT}" -j ACCEPT
+
+  else
+
+    ### Infrastructure host / Jump-Server / VPN-Exit-Node: only allow SSH from the specified IPv4.
+    iptables -A INPUT -p tcp --dport "${DROPBEAR_PORT}" -s "${DROPBEAR_JUMP_SERVER_IP}" -j ACCEPT
+  fi
+
+fi
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/initramfs-tools/files/unlock_wrapper.sh

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 # SPDX-Comment: unlock_wrapper.sh to be executed after dropbear SSH login as forced command
 
-set -C -e -u -o pipefail
+set -Ceuo pipefail
 IFS=$(printf ' \n\t')
 
 # shellcheck disable=SC2155

includes/initramfs-tools/hooks/custom-initramfs.sh

@@ -20,15 +20,19 @@ esac
 
 . /usr/share/initramfs-tools/hook-functions
 
-mkdir -p "${DESTDIR}/bin" "${DESTDIR}/usr/bin" "${DESTDIR}/usr/local/bin" "${DESTDIR}/etc/dropbear/initramfs" "${DESTDIR}/etc/keys"
+# Ensure directory structure in initramfs
+mkdir -p "${DESTDIR}/etc/dropbear/initramfs"
+mkdir -p "${DESTDIR}/usr/local/bin" "${DESTDIR}/etc/keys"
+mkdir -p "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
+mkdir -p "${DESTDIR}/etc/initramfs-tools/conf.d"
+
+### Include Bash
+copy_exec /usr/bin/bash /usr/bin
 
 ### Include Busybox
 copy_exec /usr/bin/busybox /usr/bin
 copy_exec /usr/bin/busybox /bin
 
-### Include Bash
-copy_exec /usr/bin/bash /usr/bin
-
 ### Include lsblk (block device info tool)
 copy_exec /usr/bin/lsblk /usr/bin
 
@@ -42,11 +46,18 @@ copy_exec /usr/bin/sha384sum /usr/bin
 ### Include Signature-Verifier
 copy_exec /usr/bin/gpgv /usr/bin
 
+### Link busybox applets for compatibility
 for dir in bin usr/bin; do
   ln -sf busybox "${DESTDIR}/${dir}/cat"
   ln -sf busybox "${DESTDIR}/${dir}/sleep"
 done
 
+### Install Dropbear firewall configuration
+install -m 0444 /etc/initramfs-tools/files/dropbear_fw.cnf "${DESTDIR}/etc/initramfs-tools/conf.d/dropbear_fw.cnf"
+
+### Install Dropbear configuration
+install -m 0444 /etc/initramfs-tools/files/dropbear.conf "${DESTDIR}/etc/dropbear/dropbear.conf"
+
 install -m 0555 /etc/initramfs-tools/files/unlock-wrapper.sh "${DESTDIR}/usr/local/bin/unlock-wrapper.sh"
 install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha384 "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha384"
 install -m 0444 /etc/initramfs-tools/files/unlock-wrapper.sh.sha512 "${DESTDIR}/usr/local/bin/unlock-wrapper.sh.sha512"

includes/initramfs-tools/modules

@@ -0,0 +1,64 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# List of modules that you want to include in your initramfs.
+# They will be loaded at boot time in the order below.
+#
+# Syntax:  module_name [args ...]
+#
+# You must run update-initramfs(8) to effect this change.
+#
+# Examples:
+#
+# raid1
+# sd_mod
+
+### QEMU Bochs-compatible virtual machine support
+bochs
+
+### Device-mapper core module (required for all dm_* features)
+dm_mod
+
+### Device-mapper integrity target (provides integrity checking)
+dm-integrity
+
+### Device-mapper crypt target (provides disk encryption)
+dm-crypt
+
+### Generic AES block cipher implementation (used by dm-crypt)
+aes_generic
+
+### Generic SHA-256 hashing algorithm (used by various crypto and integrity targets)
+sha256_generic
+
+### Generic SHA-384 hashing algorithm (used by various crypto and integrity targets)
+sha384_generic
+
+### Generic SHA-512 hashing algorithm (used by various crypto and integrity targets)
+sha512_generic
+
+### Generic CRC32C checksum implementation (used by btrfs and other filesystems)
+crc32c_generic
+
+### Main btrfs filesystem module
+btrfs
+
+### Zstandard compression support for btrfs
+zstd_compress
+
+### XOR parity implementation for RAID functionality
+xor
+
+### RAID6 parity generation module
+raid6_pq
+
+### Combined RAID4/5/6 support module
+raid456

includes/initramfs-tools/scripts/init-top/fixpath.sh

@@ -10,6 +10,9 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
-export PATH="/usr/local/bin:/usr/bin:/bin:/sbin:/usr/sbin:$PATH"
+set -e
+
+### Make sure /usr/local/bin is in front of 'PATH'.
+export PATH="/usr/local/bin:${PATH:-/sbin:/usr/sbin:/bin:/usr/bin}"
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

includes/usr/share/initramfs-tools/scripts/init-premount/dropbear

@@ -0,0 +1,50 @@
+#!/bin/sh
+
+PREREQ="udev"
+
+prereqs() {
+    echo "$PREREQ"
+}
+
+case "$1" in
+    prereqs)
+        prereqs
+        exit 0
+    ;;
+esac
+
+[ -x /sbin/dropbear ] || exit 0
+
+
+run_dropbear() {
+    # Remove old flags for dropbear version 2022.83
+    # only accepts flags from /etc/dropbear/dropbear.conf
+    #local flags="Fs"
+    #[ "$debug" != y ] || flags="E$flags" # log to standard error
+
+    # always run configure_networking() before dropbear(8); on NFS
+    # mounts this has been done already
+    [ "$BOOT" = nfs ] || configure_networking
+
+    log_begin_msg "Starting dropbear"
+    # using exec and keeping dropbear in the foreground enables the
+    # init-bottom script to kill the remaining ipconfig processes if
+    # someone unlocks the rootfs from the console while the network is
+    # being configured
+    exec /sbin/dropbear ${DROPBEAR_OPTIONS-}
+}
+
+if [ -e /etc/dropbear/dropbear.conf ]; then
+    . /etc/dropbear/dropbear.conf
+fi
+. /scripts/functions
+
+# On NFS mounts, wait until the network is configured.  On local mounts,
+# configure the network in the background (in run_dropbear()) so someone
+# with console access can enter the passphrase immediately.  (With the
+# default ip=dhcp, configure_networking hangs for 5mins or so when the
+# network is unavailable, for instance.)
+[ "$BOOT" != nfs ] || configure_networking
+
+run_dropbear &
+echo $! >/run/dropbear.pid