V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.preseed/preseed.yaml

@@ -155,15 +155,15 @@ grub_parameter:
   - "iommu=force"
 
   ##############################################################################################################################
-  # Enables strict enforcement of IOMMU TLB invalidation, so devices will never be able to access stale data contents.                                                             #
+  # Enables strict enforcement of IOMMU TLB invalidation, so devices will never be able to access stale data contents.
   # iommu.passthrough=0
   # Prevents devices from operating in identity-mapped passthrough mode. Without this parameter (or with =1), devices could be
   # passed through without being monitored by the IOMMU in a truly restrictive manner. From a security standpoint,
-  # iommu.passthrough=0 is an important step toward DMA isolation for all devices, especially for untrusted PCI(e) devices.                                                                                #
+  # iommu.passthrough=0 is an important step toward DMA isolation for all devices, especially for untrusted PCI(e) devices.
   # iommu.strict=1
   # Enables Strict Mode for dma-iommu.c (i.e., all DMA transactions are validated synchronously). Without this parameter, the
   # kernel often runs in lazy mode, where mapping caches are used.
-  # Performance vs. security: strict=1= more secure, but potentially slower, especially with many small DMA transfers.                                                          #
+  # Performance vs. security: strict=1= more secure, but potentially slower, especially with many small DMA transfers.
   # https://github.com/torvalds/linux/blob/master/drivers/iommu/Kconfig#L97
   # Page 11 of https://lenovopress.lenovo.com/lp1467.pdf
   ##############################################################################################################################
@@ -171,7 +171,7 @@ grub_parameter:
   - "iommu.strict=1"
 
   ##############################################################################################################################
-  # Disable the busmaster bit on all PCI bridges during very early boot to avoid holes in IOMMU.                                                                                  #
+  # Disable the busmaster bit on all PCI bridges during very early boot to avoid holes in IOMMU.
   # https://mjg59.dreamwidth.org/54433.html
   # https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
   ##############################################################################################################################
@@ -244,7 +244,7 @@ grub_parameter:
   # Automatically adjusted: Depending on CPU family, stepping, microcode.
   # Consistency guaranteed: No contradictions between flags possible
   # (e.g., spec_store_bypass_disable=on vs. nospec_store_bypass_disable=off).
-  # Future-proof: Even new features (e.g., bhi=flush or srbds) are automatically activated without having to know about them.                                            #
+  # Future-proof: Even new features (e.g., bhi=flush or srbds) are automatically activated without having to know about them.
   ##############################################################################################################################
   - "mitigations=auto,nosmt"
 
@@ -268,21 +268,21 @@ grub_parameter:
 
   ##############################################################################################################################
   # If mitigations=auto,nosmt is set, see before, then these flags should not be set individually because they are redundant.
-  # Enable mitigations for the L1TF vulnerability through disabling SMT and L1D flush runtime control.                                                                    #
+  # Enable mitigations for the L1TF vulnerability through disabling SMT and L1D flush runtime control.
   # https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
   ##############################################################################################################################
   #- "l1tf=full,force"
 
   ##############################################################################################################################
   # If mitigations=auto,nosmt is set, see before, then these flags should not be set individually because they are redundant.
-  # Enable mitigations for the MDS vulnerability through clearing buffer cache and disabling SMT.                                                                      #
+  # Enable mitigations for the MDS vulnerability through clearing buffer cache and disabling SMT.
   # https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
   ##############################################################################################################################
   #- "mds=full,nosmt"
 
   ##############################################################################################################################
   # If mitigations=auto,nosmt is set, see before, then these flags should not be set individually because they are redundant.
-  # Patches the TAA vulnerability by disabling TSX and enables mitigations using TSX Async Abort along with disabling SMT.                                                         #
+  # Patches the TAA vulnerability by disabling TSX and enables mitigations using TSX Async Abort along with disabling SMT.
   # https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
   ##############################################################################################################################
   #- "tsx=off"
@@ -295,7 +295,7 @@ grub_parameter:
   - "kvm.nx_huge_pages=force"
 
   ##############################################################################################################################
-  # Force disable SMT as it has caused numerous CPU vulnerabilities. The only full mitigation of cross-HT attacks is disabling.                        #
+  # Force disable SMT as it has caused numerous CPU vulnerabilities. The only full mitigation of cross-HT attacks is disabling.
   # https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
   ##############################################################################################################################
   - "nosmt=force"
@@ -312,7 +312,7 @@ grub_parameter:
   # mmio_stale_data=full       All known measures active
   # mmio_stale_data=full,nosmt Full mitigation + SMT disabling
   # mmio_stale_data=auto       Activated depending on CPU/microcode
-  # mmio_stale_data=full,force Forces mitigation even on CPUs that are supposedly not affected.                                                  #
+  # mmio_stale_data=full,force Forces mitigation even on CPUs that are supposedly not affected.
   # https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
   ##############################################################################################################################
   - "mmio_stale_data=full,force"
@@ -332,7 +332,7 @@ grub_parameter:
   # users (such as root) have limited access to kernel data and debug mechanisms.
   # 'confidentiality': Maximum restriction to ensure the security and integrity of the system. This prevents direct access to
   # hardware and debug interfaces, for example. Useful for highly secure environments as it reduces the attack surface to kernel
-  # data. However, some applications that require debugging or hardware access may have problems.                                                      #
+  # data. However, some applications that require debugging or hardware access may have problems.
   # https://blog.cloudflare.com/de-de/linux-kernel-hardening/
   # https://www.linux-magazine.com/Issues/2020/239/Lockdown-Mode
   ##############################################################################################################################
@@ -341,7 +341,7 @@ grub_parameter:
   ##############################################################################################################################
   # Enables 'Read-Only Data Protection', which implements read-only memory areas for kernel data structures. This protects the
   # kernel from certain types of exploit (e.g., buffer overflows). 'on': Forces the corresponding areas to remain read-only.
-  # https://www.kernel.org/doc/html/v6.10/admin-guide/kernel-parameters.html                #
+  # https://www.kernel.org/doc/html/v6.10/admin-guide/kernel-parameters.html
   ##############################################################################################################################
   - "rodata=on"
 
@@ -382,7 +382,7 @@ grub_parameter:
   ##############################################################################################################################
   # Checks every copy_to_user() / copy_from_user()operation. Prevents kernels from accidentally copying unallocated memory to
   # userspace. Stop exploits that trigger buffer overflows or use-after-free via copy_*_user(), for example. Effect: Detects
-  # heap/SLOB abuse, overwrites. Leads to BUG() & stack trace if suspicious access is detected.                                                                               #
+  # heap/SLOB abuse, overwrites. Leads to BUG() & stack trace if suspicious access is detected.
   ##############################################################################################################################
   - "hardened_usercopy=1"
 

ciss_debian_installer.sh

@@ -62,6 +62,9 @@ for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./meta_loader_cuv.sh; usa
 for arg in "$@"; do case "${arg,,}" in -v|--version) . ./meta_loader_cuv.sh; version; exit 0;; esac; done
 
 ### SOURCING MUST SET EARLY VARIABLES. SOURCING COLOR_ECHO() AND GUARD_SOURCING().
+declare -grx VAR_PARAM_COUNT="$#"
+declare -grx VAR_PARAM_STRNG="$*"
+declare -ag  ARY_PARAM_ARRAY=("$@")
 . ./lib/0010_guard_sourcing.sh
 . ./lib/0010_source_guard.sh
 source_guard "./var/color.var.sh"
@@ -136,7 +139,7 @@ if ! "${VAR_AUTO_INSTALL}"; then . ./lib/0200_dialog_helper.sh && dialog_box; fi
 echo "ARGUMENT CHECKS..."
 arg_check "$@"
 declare -ar ARY_ARG_SANITIZED=("$@")
-declare -grx VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
+declare -gr VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"
 
 ### ARGUMENT PARSING.
 echo "ARGUMENT PARSING..."
@@ -149,7 +152,7 @@ arg_priority_check
 ### HASHING PASSWORDS.
 echo "HASHING PASSWORDS..."
 nuke_passphrase
-# TODO: Implement func() for other passwords.
+# TODO: Implement loop_pass() for other passwords.
 
 ### MAIN PROGRAM SEQUENCE
 echo "MAIN PROGRAM SEQUENCE: yaml_parser()"

func/helper/1250_yaml_parser.sh

@@ -66,6 +66,9 @@ yaml_parser() {
   ### Wrap each key=value by '' e.g., key='value'
   sed -i -E "s/^(.*)=([^'\"]+)$/\1='\2'/" "${VAR_PRESEED}"
 
+  # shellcheck disable=SC1090
+  . "${VAR_PRESEED}"
+
   return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/helper/1251_yaml_reader.sh

@@ -114,7 +114,7 @@ END { print max }
   done < <(grep -E "^recipe_${VAR_RECIPE_STRING}_dev_" "${var_if}")
 
   for var_device in "${!HMP_RECIPE_DEV_PARTITIONS[@]}"; do
-    do_log "info" "file_only" "Highest number of partitions for ${var_device}: ${HMP_RECIPE_DEV_PARTITIONS[${var_device}]}"
+    do_log "info" "file_only" "Highest number of partitions: [${var_device}:${HMP_RECIPE_DEV_PARTITIONS[${var_device}]}]."
   done
 
   ### Extract architecture

includes/initramfs-tools/files/dropbear_fw.sh

@@ -10,6 +10,8 @@
 # SPDX-PackageName: CISS.debian.installer
 # SPDX-Security-Contact: security@coresecret.eu
 
+# shellcheck shell=sh
+
 # Firewall script for Dropbear SSH inside initramfs.
 # This script runs at the "init-bottom" stage of the early boot process.
 #
@@ -21,7 +23,7 @@
 
 PREREQ="dropbear"
 
-prereqs() { echo "$PREREQ"; }
+prereqs() { echo "${PREREQ}"; }
 
 case "$1" in
   prereqs) prereqs; exit 0 ;;

lib/0060_trap_err.sh

@@ -176,6 +176,7 @@ print_stacktrace() {
       printf "%b❌   ↳ %s() at: [%s:%s] %b%b" "${RED}" "${FUNCNAME[i]}" "${BASH_SOURCE[i]}" "${BASH_LINENO[i-1]:-?}" "${RES}" "${NL}"
     fi
   done
+  printf "%b" "${NL}"
 }
 
 #######################################

var/early.var.sh

@@ -14,9 +14,6 @@ guard_sourcing
 
 ### Definition of MUST set early variables.
 
-declare -ag ARY_PARAM_ARRAY=("$@")
-declare -grx VAR_PARAM_COUNT="$#"
-declare -grx VAR_PARAM_STRNG="$*"
 declare -grx VAR_CONTACT="security@coresecret.eu"
 declare -grx VAR_VERSION="Master V8.00.000.2025.06.17"
 # shellcheck disable=SC2155