#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
# Sourcing guard, defined outside this file — presumably refuses to proceed when this
# module is executed directly instead of being sourced by the framework; confirm in the
# core module that defines it.
guard_sourcing
#######################################
# Notes Textbox.
# Writes the framework notes into "${VAR_NOTES}" and displays them in a
# scrollable dialog textbox; afterwards echoes the tail of "${VAR_DIALOG}".
# Globals:
#   VAR_NOTES        (written) - path of the file the notes are rendered into
#   VAR_VERSION      (read)    - build string shown in the notes
#   VAR_DIALOG       (read)    - file whose last 64 lines are printed at the end
#   VAR_IN_DIALOG_WR (written) - "text" while the textbox is on screen,
#                                "false" once it has been dismissed
# Arguments:
#   None
# Outputs:
#   dialog UI on the terminal; last 64 lines of "${VAR_DIALOG}" to stdout
# Returns:
#   0
#######################################
dialog_notes() {
  local -a dialog_opts

  clear

  # '>|' overrides 'set -C' (noclobber) so an existing notes file is rewritten.
  # NOTE(review): assumes "${VAR_NOTES}" is a private, framework-created path — confirm.
  cat << EOF >| "${VAR_NOTES}"
CISS.debian.installer
Build: ${VAR_VERSION}

Press 'EXIT' to return to the CISS.debian.installer.

CISS.debian.installer [CDI] - Hardened & Deterministic Debian Installation Framework

The CISS.debian.installer is a custom, security-focused installation framework built from scratch,
with profound modifications aimed at deterministic behaviour, cryptographic integrity, and minimal
attack surface throughout the entire installation process.

Unlike the stock Debian Installer, which prioritizes broad compatibility and modularity, CDI places
emphasis on strict reproducibility, fine-grained control, and maximal hardening even during early
bootstrapping. Every installation is driven by a pre-seeded, YAML-based configuration model,
eliminating interactive ambiguity and reducing the risk of misconfiguration.

Key features include:

- Full-Disk Encryption (FDE) by default, including encrypted [/boot], using LUKS2 with Argon2id KDF,
optional two-factor unlocking, and dm-integrity support.
- Dropbear SSH integration in the initramfs, enabling remote unlocking of encrypted volumes over a
secured channel with full key-based authentication and hardened SSHD configuration.
- Secure Boot integration using user-managed Platform Keys (PK/KEK/DB) and signed GRUB/kernel
binaries without relying on Microsofts root certificates.
- Modular architecture with trap-based error handling, differential runtime tracing, and strict Bash
safety flags [set -Ceuo pipefail] enforced across all sourced modules.
- Btrfs-native RAID1/RAID6 layout support with post-install volume extensions, snapshot orchestration,
and separate ephemeral volumes for [/tmp] and [SWAP].

All components are validated using static analysis and runtime verification. A deterministic runtime
model ensures that the system state post-install is both reproducible and audit-ready.

CDI avoids [LVM] to reduce architectural complexity, instead relying on dm-crypt, GPT partitioning,
and direct volume mapping. Secure Boot compliant GRUB installation, including fallback paths under
default [/EFI/BOOT/].

With a rigorous security baseline, hardened defaults, and strict validation checkpoints, the new
CISS.debian.installer is designed for high-assurance environments, air-gapped deployments, and
scenarios where control, auditability, and long-term reproducibility are paramount.
EOF

  # Flag that a textbox is on screen; presumably consulted by the framework's
  # error trap to restore the terminal — confirm against the trap handler.
  declare -gx VAR_IN_DIALOG_WR="text"

  dialog_opts=(
    --no-collapse
    --ascii-lines
    --clear
    --backtitle "CISS.debian.installer"
    --title "Important Notes"
    --scrollbar
    --textbox "${VAR_NOTES}" 32 128
  )
  dialog "${dialog_opts[@]}"
  clear

  declare -gx VAR_IN_DIALOG_WR="false"

  # Show the most recent 64 lines of the dialog file; '--' protects against a
  # path that starts with '-'.
  tail -n 64 -- "${VAR_DIALOG}"

  return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh