#!/bin/bash # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.installer # SPDX-Security-Contact: security@coresecret.eu guard_sourcing || return "${ERR_GUARD_SOURCE}" ####################################### # Notes Textbox. # Arguments: # None ####################################### dialog_notes() { clear cat << EOF >| "${VAR_NOTES}" CISS.debian.installer Build: ${VAR_VERSION} Press 'EXIT' to return to the CISS.debian.installer. CISS.debian.installer [CDI] - Hardened & Deterministic Debian Installation Framework The CISS.debian.installer is a custom, security-focused installation framework built from scratch, with profound modifications aimed at deterministic behaviour, cryptographic integrity, and minimal attack surface throughout the entire installation process. Unlike the stock Debian Installer, which prioritizes broad compatibility and modularity, CDI places emphasis on strict reproducibility, fine-grained control, and maximal hardening even during early bootstrapping. Every installation is driven by a pre-seeded, YAML-based configuration model, eliminating interactive ambiguity and reducing the risk of misconfiguration. Key features include: - Full-Disk Encryption (FDE) by default, including encrypted [/boot], using LUKS2 with Argon2id KDF, optional two-factor unlocking, and dm-integrity support. - Dropbear SSH integration in the initramfs, enabling remote unlocking of encrypted volumes over a secured channel with full key-based authentication and hardened SSHD configuration. - Secure Boot integration using user-managed Platform Keys (PK/KEK/DB) and signed GRUB/kernel binaries without relying on Microsofts root certificates. - Modular architecture with trap-based error handling, differential runtime tracing, and strict Bash safety flags [set -Ceuo pipefail] enforced across all sourced modules. - Btrfs-native RAID1/RAID6 layout support with post-install volume extensions, snapshot orchestration, and separate ephemeral volumes for [/tmp] and [SWAP]. All components are validated using static analysis and runtime verification. A deterministic runtime model ensures that the system state post-install is both reproducible and audit-ready. CDI avoids [LVM] to reduce architectural complexity, instead relying on dm-crypt, GPT partitioning, and direct volume mapping. Secure Boot compliant GRUB installation, including fallback paths under default [/EFI/BOOT/]. With a rigorous security baseline, hardened defaults, and strict validation checkpoints, the new CISS.debian.installer is designed for high-assurance environments, air-gapped deployments, and scenarios where control, auditability, and long-term reproducibility are paramount. EOF declare -gx VAR_IN_DIALOG_WR="text" dialog --no-collapse \ --ascii-lines \ --clear \ --backtitle "CISS.debian.installer" \ --title "Important Notes" \ --scrollbar \ --textbox "${VAR_NOTES}" 32 128 clear declare -gx VAR_IN_DIALOG_WR="false" # shellcheck disable=SC2312 cat "${VAR_DIALOG}" | tail -n 64 return 0 } # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh