V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.preseed/preseed.yaml

@@ -762,7 +762,7 @@ ssh:
 user:
   mfa:
     info: "totp:v1"
-    salt: "CISS:CDI:OTP"          # + (Server_FQDN/Username)
+    salt: "CISS:CDI:OTP"       # + (Server_FQDN/Username)
   ##############################################################################################################################
   # root – Superuser account (normally disabled for direct login)
   ##############################################################################################################################

func/cdi_1000_helper/1081_helper_grub.sh

@@ -124,30 +124,19 @@ grub_finalize_string() {
 
   mkdir -p "${TARGET}/etc/default/grub.d"
 
-  cat << EOF >| "${var_file}"
+  insert_header   "${var_file}"
-# SPDX-Version: 3.0
+  insert_comments "${var_file}"
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+  cat << EOF >>   "${var_file}"
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
 ### Options in "GRUB_CMDLINE_LINUX" are always effective.
 ### Options in "GRUB_CMDLINE_LINUX_DEFAULT" are effective ONLY during normal boot (NOT during recovery mode).
 
 EOF
 
-  insert_comments "${TARGET}/etc/default/grub.d/99-ciss-cmdline.cfg"
-
   umask 0022
   {
-    printf "GRUB_CMDLINE_LINUX='%s'\n" "${var_linux}"
+    printf 'GRUB_CMDLINE_LINUX="%s"\n' "${var_linux}"
     printf "\n"
-    printf "GRUB_CMDLINE_LINUX_DEFAULT='%s'\n" "${var_linux_default}"
+    printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "${var_linux_default}"
     printf "\n"
     printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh\n"
   } >> "${var_file}"

func/cdi_4200_boot/4230_installation_grub.sh

@@ -118,14 +118,11 @@ EOF
     if [[ "${grub_background_enable}" == "true" ]]; then
 
       var_background=$(basename "${grub_background_path}")
-      #install -m 0640 -o root -g root "${VAR_SETUP_PATH}${grub_background_path}" "${TARGET}/etc/default/grub.d/${var_background}"
       mkdir -p "${TARGET}/boot/grub"
-      #install -m 0640 -o root -g root "${VAR_SETUP_PATH}${grub_background_path}" "${TARGET}/etc/default/grub.d/${var_background}"
       install -m 0640 -o root -g root "${VAR_SETUP_PATH}${grub_background_path}" "${TARGET}/boot/grub/${var_background}"
 
       cat << EOF >> "${TARGET}/etc/default/grub"
 # Enable boot menu background.
-#GRUB_BACKGROUND="/etc/default/grub.d/${var_background}"
 GRUB_BACKGROUND="/boot/grub/${var_background}"
 
 # The resolution used on graphical terminal

func/cdi_4200_boot/4250_update_grub_bootparameter.sh

@@ -31,7 +31,7 @@ guard_sourcing
 #######################################
 update_grub_bootparameter() {
   ### Declare Arrays, HashMaps, and Variables.
-  declare     var_nuke_string="" var_param="" var_label=""
+  declare     var_nuke_string="" var_param="" var_label="" var_nuke_esc=""
 
   grub_extract_current_string
 
@@ -59,9 +59,14 @@ update_grub_bootparameter() {
   fi
 
   if [[ "${VAR_NUKE}" == "true" ]]; then
-    var_nuke_string="nuke=${VAR_NUKE_HASH}"
+    ### 1) Escape every '$' so GRUB won't expand it.
-    # shellcheck disable=SC2034
+    var_nuke_esc="${VAR_NUKE_HASH//$/\\$}"
-    VV_GRUB_CMDLINE_LINUX="${VV_GRUB_CMDLINE_LINUX} ${var_nuke_string}"
+
+    ### 2) Wrap the value in single quotes, so the dollar signs survive GRUB parsing.
+    var_nuke_string="nuke='${var_nuke_esc}'"
+
+    ### 3) Append to accumulating cmdline variable. Space-prefix ensures clean concatenation.
+    VV_GRUB_CMDLINE_LINUX+=" ${var_nuke_string}"
   fi
 
   grub_finalize_string