V8.13.440.2025.11.19

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.archive/0022-ciss-overlay-tmpfs

@@ -0,0 +1,52 @@
+#!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck disable=SC2249
+# shellcheck shell=sh
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Purpose: Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
+# Phase  : premount (executed by live-boot inside the initramfs).
+
+_SAVED_SET_OPTS="$(set +o)"
+
+set -eu
+
+sleep 3
+
+printf "\e[95m[INFO] Starting             : [/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh] \n\e[0m"
+
+### Declare variables ----------------------------------------------------------------------------------------------------------
+OVERLAY_BASE="/run/live/overlay"
+UPPER="${OVERLAY_BASE}/upper"
+WORK="${OVERLAY_BASE}/work"
+
+### Size policy: hard ceiling to mitigate RAM-filling DoS; tune to your ISO profile. -------------------------------------------
+: "${CDLB_OVERLAY_TMPFS_SIZE:=70%}"
+
+### Create a base dir with restrictive perms. ----------------------------------------------------------------------------------
+# shellcheck disable=SC2174
+mkdir -p -m 0700 "${OVERLAY_BASE}"
+
+### Mount dedicated tmpfs with strict flags; 'noexec' here blocks accidental execs from the raw tmpfs path. --------------------
+mount -t tmpfs -o "size=${CDLB_OVERLAY_TMPFS_SIZE},mode=0700,nosuid,nodev,noexec" tmpfs "${OVERLAY_BASE}"
+printf "\e[92m[INFO] Command              : [mount -t tmpfs -o \"size=%s,mode=0700,nosuid,nodev,noexec\" tmpfs %s] \n\e[0m" "${CDLB_OVERLAY_TMPFS_SIZE}" "${OVERLAY_BASE}"
+
+### Prepare upper  /work with tight perms. -------------------------------------------------------------------------------------
+# shellcheck disable=SC2174
+mkdir -p -m 0700 "${UPPER}" "${WORK}"
+
+eval "${_SAVED_SET_OPTS}"
+
+printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh] \n\e[0m"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.archive/0024-ciss-crypt-squash

@@ -43,8 +43,6 @@ ask_pass_console() {
   ### Non-canonical mode, no echo, 1 byte at a time.
   stty -echo -icanon time 0 min 1 </dev/console 2>/dev/null || return 1
 
-  printf '\e[93m[INFO] Enter LUKS passphrase: \n\e[0m' > /dev/console
-
   cr=$(printf '\r')
   bs=$(printf '\b')
   del=$(printf '\177')
@@ -67,13 +65,13 @@ ask_pass_console() {
     case "${c}" in
 
       "${cr}")
-        ### Enter: finish input.
+      ### Enter: finish input.
         printf '\n' > /dev/console
         break
         ;;
 
       "${bs}"|"${del}")
-        ### Backspace, delete: delete one character, if available.
+      ### Backspace, delete: delete one character, if available.
         if [ -n "${PASSPHRASE}" ]; then
 
           PASSPHRASE=${PASSPHRASE%?}
@@ -83,7 +81,7 @@ ask_pass_console() {
         ;;
 
       *)
-        ### Normal character: append and mask output.
+      ### Normal character: append and mask output.
         PASSPHRASE="${PASSPHRASE}${c}"
         printf '*' > /dev/console
         ;;
@@ -120,6 +118,7 @@ export CDLB_ISO_LABEL="CISS.debian.live"
 export CDLB_LUKS_FS="/live/ciss_rootfs.crypt"
 export CDLB_MAPPER_NAME="crypt_liveiso"
 export CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
+export CDLB_LUKS_ROOTFS_MNT="/run/live/ciss-rootfs"
 CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}"
 MNT_MEDIUM="/run/live/medium"
 MNT_ROOTFS="/run/live/rootfs"
@@ -282,6 +281,8 @@ PID_BROKER="$!"
   set +e
 
   PASS=""
+  PASS_SENT=0
+  WAIT_LOOP=0
 
   while :; do
 
@@ -291,12 +292,38 @@ PID_BROKER="$!"
 
     fi
 
-    # shellcheck disable=SC2310
+    if [ "${PASS_SENT}" -eq 0 ]; then
-    PASS="$(ask_pass_console)" || continue
 
-    printf '%s\n' "${PASS}" >| /lib/cryptsetup/passfifo 2>/dev/null || :
+      printf '\e[93m[INFO] Enter LUKS passphrase: \n\e[0m' > /dev/console
+
+      # shellcheck disable=SC2310
+      PASS="$(ask_pass_console)" || continue
+
+      printf '%s\n' "${PASS}" >| /lib/cryptsetup/passfifo 2>/dev/null || :
+
+      PASS_SENT=1
+      WAIT_LOOP=0
+
+    else
+
+      WAIT_LOOP=$((WAIT_LOOP + 1))
+
+      if [ "${WAIT_LOOP}" -ge 160 ]; then
+
+        printf '\e[91m[WARN] Please try again     : \n\e[0m' > /dev/console
+
+        PASS_SENT=0
+        WAIT_LOOP=0
+
+      fi
+
+    fi
+
+    sleep 0.1
 
   done
+
+  return 0
 ) &
 PID_PROMPT="$!"
 
@@ -337,14 +364,57 @@ kill "${PID_PROMPT}" 2>/dev/null || true
 wait "${PID_BROKER}" 2>/dev/null || true
 rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
 
-printf "\e[92m[INFO] LUKS mapper          : [%s] is now present.\n\e[0m" "${CDLB_MAPPER_DEV}"
+printf "\e[92m[INFO] CISS LUKS decryption : [%s] is now present.\n\e[0m" "${CDLB_MAPPER_DEV}"
+
+### Mount the decrypted root device to use as the PLAIN_ROOT artifact in '9990-main.sh'. ---------------------------------------
+if ! mount -t squashfs -o ro "${CDLB_MAPPER_DEV}" "${CDLB_LUKS_ROOTFS_MNT}"; then
+
+  log "Failed to mount SquashFS from [${CDLB_MAPPER_DEV}] on [${CDLB_LUKS_ROOTFS_MNT}]"
+  printf "\e[91m[WARN] CISS LUKS decryption  : SquashFS mount failed: [%s] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_LUKS_ROOTFS_MNT}"
+  exit 42
+
+else
+
+  printf "\e[92m[INFO] CISS LUKS decryption  : Mounted SquashFS: [%s] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_LUKS_ROOTFS_MNT}"
+
+fi
 
 ### Expose the decrypted root device for live-boot overlay. The live-boot components will pick this up in '9990-overlay.sh'. ---
-echo "${CDLB_MAPPER_DEV}" >| /run/ciss-rootdev
+cat << EOF >| /run/ciss-rootdev
+export CDLB_ISO_LABEL=${CDLB_ISO_LABEL}
+export CDLB_LUKS_FS=${CDLB_LUKS_FS}
+export CDLB_MAPPER_NAME=${CDLB_MAPPER_NAME}
+export CDLB_MAPPER_DEV=${CDLB_MAPPER_DEV}
+export CDLB_LUKS_ROOTFS_MNT=${CDLB_LUKS_ROOTFS_MNT}
+MNT_MEDIUM="/run/live/medium"
+MNT_ROOTFS="/run/live/rootfs"
+EOF
+
 chmod 0644 /run/ciss-rootdev 2>/dev/null || true
 export CISS_ROOT_DEV="${CDLB_MAPPER_DEV}"
 export CISS_ROOT_DIR=""
 
+# TODO: Remove Debug
+if [ -e /conf/param.conf ]; then
+  printf "\e[92m[INFO] CISS LUKS decryption : Printing existing [/conf/param.conf] \n\e[0m"
+  cat /conf/param.conf >/dev/console 2>&1 || :
+  {
+    printf '\n'
+    printf 'PLAIN_ROOT=1\n'
+    printf 'ROOT=%s\n' "${MNT_ROOTFS}"
+  } >> /conf/param.conf 2>/dev/null || true
+else
+  printf "\e[92m[INFO] CISS LUKS decryption : Not existing [/conf/param.conf] \n\e[0m"
+  {
+    printf '\n'
+    printf 'PLAIN_ROOT=1\n'
+    printf 'ROOT=%s\n' "${MNT_ROOTFS}"
+  } >| /conf/param.conf 2>/dev/null || true
+fi
+
+printf "\e[92m[INFO] CISS LUKS decryption : Final state [/conf/param.conf] \n\e[0m"
+cat /conf/param.conf >/dev/console 2>&1 || :
+
 log "Decrypted root device exposed at [/run/ciss-rootdev] -> [${CDLB_MAPPER_DEV}]"
 printf "\e[92m[INFO] CISS LUKS decryption : Decrypted root device exposed at: [/run/ciss-rootdev] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}"
 

.archive/0026-ciss-early-sysctl

@@ -0,0 +1,39 @@
+#!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck disable=SC2249
+# shellcheck shell=sh
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Purpose: Enforce early sysctls before services start.
+# Phase  : premount (executed by live-boot inside the initramfs).
+
+_SAVED_SET_OPTS="$(set +o)"
+
+set -eu
+
+printf "\e[95m[INFO] Starting             : [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] \n\e[0m"
+
+echo 2 > /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true
+echo 1 > /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || true
+echo 0 > /proc/sys/fs/suid_dumpable 2>/dev/null || true
+echo 1 > /proc/sys/kernel/kexec_load_disabled 2>/dev/null || true
+echo 1 > /proc/sys/fs/protected_symlinks 2>/dev/null || true
+echo 1 > /proc/sys/fs/protected_hardlinks 2>/dev/null || true
+echo 2 > /proc/sys/fs/protected_regular 2>/dev/null || true
+echo 2 > /proc/sys/kernel/kptr_restrict 2>/dev/null || true
+
+eval "${_SAVED_SET_OPTS}"
+
+printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/0026-ciss-early-sysctl.sh] \n\e[0m"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.archive/0030-ciss-verify-checksums

@@ -0,0 +1,335 @@
+#!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck disable=SC2249
+# shellcheck shell=sh
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Modified Version of the original file:
+### https://salsa.debian.org/live-team/live-boot 'components/0030-ciss-verify-checksums'
+### In case of successful verification of the offered checksum, proceed with booting; otherwise panic.
+
+#######################################
+# Modified checksum-integrity and authenticity-verification-script depending on pinned GPG FPR for boot process verification.
+# Globals:
+#   LIVE_BOOT_CMDLINE
+#   _TTY
+# Arguments:
+#   1: _MOUNTPOINT
+# Returns:
+#   0 : Successful verification
+#######################################
+Verify_checksums() {
+  printf "\e[95m[INFO] Starting             : [/usr/lib/live/boot/0030-ciss-verify-checksums] \n\e[0m"
+
+  ### Declare variables --------------------------------------------------------------------------------------------------------
+
+  ### Will be replaced at build time:
+  export CDLB_EXP_FPR="@EXP_FPR@"
+  export CDLB_EXP_CA_FPR="@EXP_CA_FPR@"
+
+  ### Declare functions --------------------------------------------------------------------------------------------------------
+
+  #######################################
+  # Helper for colored text output on stdout.
+  # Globals:
+  #   None
+  # Arguments:
+  #   *: String to print
+  #######################################
+  log_in() { printf '\e[95m[INFO]  %s \n\e[0m' "$*"; }
+
+
+  #######################################
+  # Helper for colored text output on stdout.
+  # Globals:
+  #   None
+  # Arguments:
+  #   *: String to print
+  #######################################
+  log_ok() { printf '\e[92m[INFO]  %s \n\e[0m' "$*"; }
+
+  #######################################
+  # Helper for colored text output on stdout.
+  # Globals:
+  #   None
+  # Arguments:
+  #   *: String to print
+  #######################################
+  log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }
+
+  _MOUNTPOINT="${1}"
+
+  _PARAMETER=""
+
+  _TTY="/dev/tty8"
+
+  LIVE_VERIFY_CHECKSUMS_DIGESTS="${LIVE_VERIFY_CHECKSUMS_DIGESTS:-sha512 sha384 sha256}"
+
+  LIVE_VERIFY_CHECKSUMS_SIGNATURES="false"
+
+  _KEYFILE=""
+
+  _MP=""
+
+  ### Parse commandline arguments ----------------------------------------------------------------------------------------------
+  for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do
+
+    case "${_PARAMETER}" in
+
+      live-boot.verify-checksums=* | verify-checksums=*)
+
+        LIVE_VERIFY_CHECKSUMS="true"
+        LIVE_VERIFY_CHECKSUMS_DIGESTS="${_PARAMETER#*verify-checksums=}"
+        ;;
+
+      live-boot.verify-checksums | verify-checksums)
+
+        LIVE_VERIFY_CHECKSUMS="true"
+        ;;
+
+      live-boot.verify-checksums-signatures | verify-checksums-signatures)
+
+        LIVE_VERIFY_CHECKSUMS_SIGNATURES="true"
+        ;;
+
+    esac
+
+  done
+
+  ### Check if the function should be skipped ----------------------------------------------------------------------------------
+  case "${LIVE_VERIFY_CHECKSUMS}" in
+
+    true)
+      :
+      ;;
+
+    *)
+      return 0
+      ;;
+
+  esac
+
+  ### Check GPG pubkey file correct path ---------------------------------------------------------------------------------------
+  for _MP in /lib/live/mount/medium /run/live/medium /cdrom /; do
+
+    if [ -e "${_MP}/${CDLB_EXP_FPR}.gpg" ]; then
+
+      _KEYFILE="${_MP}/${CDLB_EXP_FPR}.gpg"
+
+      if [ -e "${_MP}/${CDLB_EXP_CA_FPR}.gpg" ]; then
+
+        _CA_KEYFILE="${_MP}/${CDLB_EXP_CA_FPR}.gpg"
+
+      fi
+
+      break
+
+    fi
+
+  done
+
+  # shellcheck disable=SC2164
+  cd "${_MOUNTPOINT}"
+
+
+  ### CDLB verification of script integrity itself -----------------------------------------------------------------------------
+  if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
+
+    log_begin_msg "Verifying integrity of: [0030-ciss-verify-checksums]"
+    printf "\n"
+
+    _CAND=""
+    CDLB_SCRIPT_SELF=""  CDLB_CMD="" CDLB_COMPUTED="" CDLB_EXPECTED="" CDLB_HASHFILE="" CDLB_SIG_FILE=""
+
+    CDLB_CMD="/usr/bin/sha512sum"
+    CDLB_SHA="sha512"
+
+    for _CAND in /scripts/live-bottom/0030-ciss-verify-checksums /usr/lib/live/boot/0030-ciss-verify-checksums ; do
+
+      [ -e "${_CAND}" ] && { CDLB_SCRIPT_SELF="${_CAND}"; break; }
+
+    done
+
+    CDLB_SCRIPT_FILE="${CDLB_SCRIPT_SELF##*/}"
+    CDLB_SCRIPT_PATH="${CDLB_SCRIPT_SELF%/*}"
+    CDLB_SCRIPT_FULL="${CDLB_SCRIPT_PATH%/}/${CDLB_SCRIPT_FILE}"
+    CDLB_HASHFILE="/etc/ciss/hashes/${CDLB_SCRIPT_FILE}.${CDLB_SHA}sum.txt"
+    CDLB_SIG_FILE="${CDLB_HASHFILE}.sig"
+
+    _STATUS="$(/usr/bin/gpgv --no-default-keyring --keyring "${_KEYFILE}" --status-fd 1 --verify "${CDLB_SIG_FILE}" "${CDLB_SCRIPT_FULL}" 2>/dev/null)"
+
+    _CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"
+
+    ### Compare against pinned and expected fingerprint.
+    if [ "${_CDLB_SIG_FILE_FPR}" = "${CDLB_EXP_FPR}" ]; then
+
+      log_ok "Signature FPR valid: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
+
+    else
+
+      log_er "Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
+      sleep 8
+      panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
+
+    fi
+
+    ### Script self-integrity and authenticity checks --------------------------------------------------------------------------
+    ### Assumption: initramfs itself is not altered.
+    log_in "Verifying signature of: [${CDLB_SIG_FILE}] ..."
+
+    if ! /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${CDLB_SIG_FILE}" "${CDLB_HASHFILE}"; then
+
+      log_er "Verifying signature of: [${CDLB_SIG_FILE}] failed."
+      sleep 8
+      panic  "[FATAL] Verifying signature of: [${CDLB_SIG_FILE}] failed."
+
+    else
+
+      log_ok "Verifying signature of: [${CDLB_SIG_FILE}] successful."
+
+    fi
+
+    log_in "Recomputing hash for: [${CDLB_SHA}] ..."
+
+    CDLB_COMPUTED=$("${CDLB_CMD}" "${CDLB_SCRIPT_FULL}" | { read -r first _ || exit 1; printf '%s\n' "${first}"; })
+    IFS=' ' read -r CDLB_EXPECTED _ < "${CDLB_HASHFILE}"
+
+    if [ "${CDLB_COMPUTED}" != "${CDLB_EXPECTED}" ]; then
+
+      log_er "Recomputing hash for: [${CDLB_SHA}] failed."
+      sleep 8
+      panic  "[FATAL] Recomputing hash for: [${CDLB_SHA}] failed."
+
+    fi
+
+    log_ok "Recomputing hash for: [${CDLB_SHA}] successful."
+    log_ok "Verification of authenticity and integrity of [${CDLB_SCRIPT_FULL}] successfully completed."
+    log_end_msg
+    printf "\n"
+
+  fi
+
+  ### Checksum and checksum signature verification -----------------------------------------------------------------------------
+  log_begin_msg "Verifying checksums"
+  printf "\n"
+  log_in "Verifying checksums ..."
+
+  # shellcheck disable=SC2001
+  for _DIGEST in $(echo "${LIVE_VERIFY_CHECKSUMS_DIGESTS}" | sed -e 's|,| |g'); do
+
+    # shellcheck disable=SC2060
+    _CHECKSUMS="$(echo "${_DIGEST}" | tr [a-z] [A-Z])SUMS ${_DIGEST}sum.txt"
+
+    for _CHECKSUM in ${_CHECKSUMS}; do
+
+      if [ -e "${_CHECKSUM}" ]; then
+
+        log_in "Found: [${_CHECKSUM}] ..."
+
+        if [ -e "/usr/bin/${_DIGEST}sum" ]; then
+
+          log_in "Found: [/usr/bin/${_DIGEST}sum] ..."
+
+          if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
+
+            log_in "Checking signature of: [${_CHECKSUM}] ..."
+
+            _CHECKSUM_SIGNATURE="${_CHECKSUM}.sig"
+
+            if /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"; then
+
+              _RETURN_PGP="${?}"
+              log_in "Checking signature of: [${_CHECKSUM}] successful."
+
+            else
+
+              _RETURN_PGP="${?}"
+              log_er "Checking signature of: [${_CHECKSUM}] failed."
+
+            fi
+
+          else
+
+            _RETURN_PGP="na"
+
+          fi
+
+          # shellcheck disable=SC2312
+          if grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_TTY}"; then
+
+            _RETURN_SHA="${?}"
+            log_ok "Found: [/usr/bin/${_DIGEST}sum] successful verified: [${_CHECKSUM}]"
+
+          else
+
+            _RETURN_SHA="${?}"
+            log_er "Found: [/usr/bin/${_DIGEST}sum] unsuccessful verified: [${_CHECKSUM}]"
+
+          fi
+
+          # Stop after the first verification.
+          break 2
+
+        else
+
+          _RETURN_SHA="255"
+          log_er "NOT Found [/usr/bin/${_DIGEST}sum]."
+
+        fi
+
+      fi
+
+    done
+
+  done
+
+  log_end_msg
+  printf "\n"
+
+  case "${_RETURN_PGP},${_RETURN_SHA}" in
+
+    "0,0")
+      log_ok "Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds."
+      log_success_msg "Verification of [GPG signature] and [sha checksum] file successful; continuing booting in 8 seconds."
+      sleep 8
+      return 0
+      ;;
+
+    "na,0")
+      log_ok "Verification of [sha checksum] file successful; continuing booting in 8 seconds."
+      log_success_msg "Verification of [sha checksum] file successful; continuing booting in 8 seconds."
+      sleep 8
+      return 0
+      ;;
+
+    "0,"*)
+      log_er "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed."
+      sleep 8
+      panic  "Verification of [GPG signature] file successful, while verification of [sha checksum] file failed."
+      ;;
+
+    *",0")
+      log_er "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful."
+      sleep 8
+      panic  "Verification of [GPG signature] file failed, while verification of [sha checksum] file successful."
+      ;;
+
+    "na,"*)
+      log_er "Verification of [sha checksum] file failed."
+      sleep 8
+      panic  "Verification of [sha checksum] file failed."
+      ;;
+
+  esac
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.archive/9990-main.sh

@@ -0,0 +1,259 @@
+#!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck disable=SC2249
+# shellcheck shell=sh
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Modified Version of the original file:
+### https://salsa.debian.org/live-team/live-boot 'components/9990-main.shh'
+### Change behavior to mount already opened ciss_rootfs.crypt (0024-ciss-crypt-squash).
+
+# set -e
+
+printf "\e[95m[INFO] Sourcing             : [/usr/lib/live/boot/9990-main.sh] \n\e[0m"
+
+Live ()
+{
+  printf "\e[95m[INFO] Starting             : [/usr/lib/live/boot/9990-main.sh] \n\e[0m"
+
+  if [ -x /scripts/local-top/cryptroot ]
+  then
+    /scripts/local-top/cryptroot
+  fi
+
+  exec 6>&1
+  exec 7>&2
+  exec > boot.log
+  exec 2>&1
+  tail -f boot.log >&7 &
+  tailpid="${!}"
+
+  # shellcheck disable=SC2034
+  LIVE_BOOT_CMDLINE="${LIVE_BOOT_CMDLINE:-$(cat /proc/cmdline)}"
+  Cmdline_old
+
+  Debug
+
+  Read_only
+
+  Select_eth_device
+
+  if [ -e /conf/param.conf ]
+  then
+    . /conf/param.conf
+  fi
+
+  # Needed here too because some things (*cough* udev *cough*)
+  # change the timeout
+
+  printf "\e[93m[DEBUG] live(): Before do_netmount() pp. \e[0m\n"
+  if [ -n "${NETBOOT}" ] || [ -n "${FETCH}" ] || [ -n "${HTTPFS}" ] || [ -n "${FTPFS}" ]
+  then
+    if do_netmount
+    then
+      printf "\e[93m[DEBUG] live(): [livefs_root=%s] \e[0m\n" "${mountpoint?}"
+      livefs_root="${mountpoint?}"
+    else
+      panic "Unable to find a live file system on the network"
+    fi
+  else
+    if [ -n "${ISCSI_PORTAL}" ]
+    then
+      printf "\e[93m[DEBUG] live(): [do_iscsi && livefs_root=%s] \e[0m\n" "${mountpoint?}"
+      do_iscsi && livefs_root="${mountpoint}"
+    elif [ -n "${PLAIN_ROOT}" ] && [ -n "${ROOT}" ]
+    then
+      # Do a local boot from hd
+      printf "\e[93m[DEBUG] live(): Do a local boot from hd [livefs_root=%s] \e[0m\n" "${ROOT?}"
+      livefs_root=${ROOT}
+    else
+      printf "\e[93m[DEBUG] live(): [Setup_Memdisk] starting ... \e[0m\n"
+      Setup_Memdisk
+      printf "\e[93m[DEBUG] live(): [Setup_Memdisk] finished. \e[0m\n"
+
+      # If the live media location is given via command line and access to it
+      # involves LVM volumes, the corresponding volumes need to be activated.
+      IFS=','
+      # shellcheck disable=SC2116
+      for dev in $(echo "${LIVE_MEDIA}")
+      do
+        printf "\e[93m[DEBUG] live(): [%s] -> dev \e[0m\n" "${dev}"
+        case "${dev}" in
+          /dev/mapper/*)
+            # shellcheck disable=SC2046,SC2312
+            eval $(dmsetup splitname --nameprefixes --noheadings --rows "${dev#/dev/mapper/}")
+            # shellcheck disable=SC2244
+            if [ "${DM_VG_NAME}" ] && [ "${DM_LV_NAME}" ]
+            then
+              lvm lvchange -aay -y --sysinit --ignoreskippedcluster "${DM_VG_NAME}/${DM_LV_NAME}"
+            fi
+            ;;
+          /dev/*/*)
+          # Could be /dev/VG/LV; use lvs to check
+            if lvm lvs -- "${dev}" >/dev/null 2>&1
+            then
+              lvm lvchange -aay -y --sysinit --ignoreskippedcluster "${dev}"
+            fi
+            ;;
+        esac
+      done
+      unset IFS
+
+      # Scan local devices for the image
+      i=0
+      while [ "${i}" -lt 60 ]
+      do
+        # shellcheck disable=SC2086
+        livefs_root=$(find_livefs ${i})
+
+        if [ -n "${livefs_root}" ]
+        then
+          break
+        fi
+
+        sleep 1
+        i=$((i + 1))
+      done
+    fi
+  fi
+
+  printf "\e[93m[DEBUG] live(): [%s] -> livefs_root. \e[0m\n" "${livefs_root}"
+  if [ -z "${livefs_root}" ]
+  then
+    panic "Unable to find a medium containing a live file system"
+  fi
+
+  printf "\e[93m[DEBUG] live(): Before [Verify_checksums %s] \e[0m\n" "${livefs_root}"
+  Verify_checksums "${livefs_root}"
+
+  # shellcheck disable=SC2244
+  if [ "${TORAM}" ]
+  then
+    live_dest="ram"
+  elif [ "${TODISK}" ]
+  then
+    live_dest="${TODISK}"
+  fi
+
+  # shellcheck disable=SC2244
+  if [ "${live_dest}" ]
+  then
+    log_begin_msg "Copying live media to ${live_dest}"
+    copy_live_to "${livefs_root}" "${live_dest}"
+    log_end_msg
+  fi
+
+  # if we do not unmount the ISO, we can't run "fsck /dev/ice" later on
+  # because the mountpoint is left behind in /proc/mounts, so let's get
+  # rid of it when running from RAM
+  # shellcheck disable=SC2244
+  if [ -n "${FROMISO}" ] && [ "${TORAM}" ]
+  then
+    losetup -d /dev/loop0
+
+    if is_mountpoint /run/live/fromiso
+    then
+      umount /run/live/fromiso
+      rmdir --ignore-fail-on-non-empty /run/live/fromiso \
+        >/dev/null 2>&1 || true
+    fi
+  fi
+
+  printf "\e[93m[DBG] Live(): before overlay, live_dest=%s \e[0m\n" "${live_dest:-<none>}"
+  printf "\e[93m[DBG] Live(): MODULETORAMFILE=%s PLAIN_ROOT=%s \e[0m\n" "${MODULETORAMFILE}" "${PLAIN_ROOT}"
+  if [ -n "${MODULETORAMFILE}" ] || [ -n "${PLAIN_ROOT}" ]
+  then
+    printf "\e[93m[DBG] Live(): setup_unionfs livefs_root=%s rootmnt=%s \e[0m\n" "${livefs_root}" "${rootmnt?}"
+    setup_unionfs "${livefs_root}" "${rootmnt?}"
+  else
+    mac="$(get_mac)"
+    mac="$(echo "${mac}" | sed 's/-//g')"
+    printf "\e[93m[DBG] Live(): mount_images_in_directory livefs_root=%s rootmnt=%s mac=%s \e[0m\n" "${livefs_root}" "${rootmnt}" "${mac}"
+    mount_images_in_directory "${livefs_root}" "${rootmnt}" "${mac}"
+  fi
+
+  if [ -n "${ROOT_PID}" ]
+  then
+    echo "${ROOT_PID}" > "${rootmnt}"/lib/live/root.pid
+  fi
+
+  log_end_msg
+
+  # aufs2 in kernel versions around 2.6.33 has a regression:
+  # directories can't be accessed when read for the first time,
+  # causing a failure, for example, when accessing /var/lib/fai
+  # when booting FAI, this simple workaround solves it
+  ls /root/* >/dev/null 2>&1
+
+  # if we do not unmount the ISO, we can't run "fsck /dev/ice" later on
+  # because the mountpoint is left behind in /proc/mounts, so let's get
+  # rid of it when running from RAM
+  # shellcheck disable=SC2244
+  if [ -n "${FINDISO}" ] && [ "${TORAM}" ]
+  then
+    losetup -d /dev/loop0
+
+    if is_mountpoint /run/live/findiso
+    then
+      umount /run/live/findiso
+      rmdir --ignore-fail-on-non-empty /run/live/findiso \
+        >/dev/null 2>&1 || true
+    fi
+  fi
+
+  if [ -f /etc/hostname ] && ! grep -E -q -v '^[[:space:]]*(#|$)' "${rootmnt}/etc/hostname"
+  then
+    log_begin_msg "Copying /etc/hostname to ${rootmnt}/etc/hostname"
+    cp -v /etc/hostname "${rootmnt}/etc/hostname"
+    log_end_msg
+  fi
+
+  if [ -f /etc/hosts ] && ! grep -E -q -v '^[[:space:]]*(#|$|(127.0.0.1|::1|ff02::[12])[[:space:]])' "${rootmnt}/etc/hosts"
+  then
+    log_begin_msg "Copying /etc/hosts to ${rootmnt}/etc/hosts"
+    cp -v /etc/hosts "${rootmnt}/etc/hosts"
+    log_end_msg
+  fi
+
+  if [ -L /root/etc/resolv.conf ] ; then
+    # assume we have resolvconf
+    DNSFILE="${rootmnt}/etc/resolvconf/resolv.conf.d/base"
+  else
+    DNSFILE="${rootmnt}/etc/resolv.conf"
+  fi
+  if [ -f /etc/resolv.conf ] && ! grep -E -q -v '^[[:space:]]*(#|$)' "${DNSFILE}"
+  then
+    log_begin_msg "Copying /etc/resolv.conf to ${DNSFILE}"
+    cp -v /etc/resolv.conf "${DNSFILE}"
+    log_end_msg
+  fi
+
+  if ! [ -d "/lib/live/boot" ]
+  then
+    panic "A wrong rootfs was mounted."
+  fi
+
+  Fstab
+  Netbase
+
+  Swap
+
+  exec 1>&6 6>&-
+  exec 2>&7 7>&-
+  kill "${tailpid}"
+  [ -w "${rootmnt}/var/log/" ] && mkdir -p "${rootmnt}/var/log/live" && ( \
+    cp boot.log "${rootmnt}/var/log/live" 2>/dev/null; \
+    cp fsck.log "${rootmnt}/var/log/live" 2>/dev/null )
+
+  printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/9990-main.sh] ... \n\e[0m"
+}

.archive/9990-overlay.sh

@@ -0,0 +1,499 @@
+#!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck disable=SC2249
+# shellcheck shell=sh
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+### Modified Version of the original file:
+### https://salsa.debian.org/live-team/live-boot 'components/9990-overlay.sh'
+### Change behavior to mount already opened ciss_rootfs.crypt (0024-ciss-crypt-squash).
+
+#set -e
+
+printf "\e[95m[INFO] Sourcing             : [/usr/lib/live/boot/9990-overlay.sh] \n\e[0m"
+
+setup_unionfs ()
+{
+  printf "\e[95m[INFO] Starting             : [/usr/lib/live/boot/9990-overlay.sh] \n\e[0m"
+
+  image_directory="${1}"
+  rootmnt="${2}"
+  addimage_directory="${3}"
+
+  ### CISS hook: allow explicit root override ----------------------------------------------------------------------------------
+  if [ -z "${CISS_ROOT_DEV:-}" ] && [ -r /run/ciss-rootdev ]; then
+
+    CISS_ROOT_DEV=$(cat /run/ciss-rootdev 2>/dev/null || printf '')
+
+  fi
+
+  if [ -n "${CISS_ROOT_DEV:-}" ]; then
+
+    ### Treat the decrypted block device as plain root (e.g., squashfs on LUKS).
+    PLAIN_ROOT=1
+    image_directory="${CISS_ROOT_DEV}"
+
+  elif [ -n "${CISS_ROOT_DIR:-}" ]; then
+
+    ### Alternative: explicitly provided root directory.
+    PLAIN_ROOT=1
+    image_directory="${CISS_ROOT_DIR}"
+
+  fi
+  ### --------------------------------------------------------------------------------------------------------------------------
+
+  # shellcheck disable=SC2086
+  modprobe -q -b ${UNIONTYPE}
+
+  if ! cut -f2 /proc/filesystems | grep -q "^${UNIONTYPE}\$"
+  then
+    panic "${UNIONTYPE} not available."
+  fi
+
+  croot="/run/live/rootfs"
+
+  # Let's just mount the read-only file systems first
+  rootfslist=""
+
+  if [ -z "${PLAIN_ROOT}" ]
+  then
+    # Read image names from ${MODULE}.module if it exists
+    # shellcheck disable=SC2153
+    if [ -e "${image_directory}/filesystem.${MODULE}.module" ]
+    then
+      # shellcheck disable=SC2013,SC2086
+      for IMAGE in $(cat ${image_directory}/filesystem.${MODULE}.module)
+      do
+        image_string="${image_string} ${image_directory}/${IMAGE}"
+      done
+    elif [ -e "${image_directory}/${MODULE}.module" ]
+    then
+      # shellcheck disable=SC2013,SC2086
+      for IMAGE in $(cat ${image_directory}/${MODULE}.module)
+      do
+        image_string="${image_string} ${image_directory}/${IMAGE}"
+      done
+    else
+      # ${MODULE}.module does not exist, create a list of images
+      for FILESYSTEM in squashfs ext2 ext3 ext4 xfs jffs2 dir
+      do
+        for IMAGE in "${image_directory}"/*."${FILESYSTEM}"
+        do
+          if [ -e "${IMAGE}" ]
+          then
+            image_string="${image_string} ${IMAGE}"
+          fi
+        done
+      done
+
+      if [ -n "${addimage_directory}" ] && [ -d "${addimage_directory}" ]
+      then
+        for FILESYSTEM in squashfs ext2 ext3 ext4 xfs jffs2 dir
+        do
+          for IMAGE in "${addimage_directory}"/*."${FILESYSTEM}"
+          do
+            if [ -e "${IMAGE}" ]
+            then
+              image_string="${image_string} ${IMAGE}"
+            fi
+          done
+        done
+      fi
+
+      # Now sort the list
+      # shellcheck disable=SC2086
+      image_string="$(echo ${image_string} | sed -e 's/ /\n/g' | sort )"
+    fi
+
+    # shellcheck disable=SC2086
+    [ -n "${MODULETORAMFILE}" ] && image_string="${image_directory}/$(basename ${MODULETORAMFILE})"
+
+    mkdir -p "${croot}"
+
+    for image in ${image_string}
+    do
+      imagename=$(basename "${image}")
+
+      export image devname
+      maybe_break live-realpremount
+      log_begin_msg "Running /scripts/live-realpremount"
+      run_scripts /scripts/live-realpremount
+      log_end_msg
+
+      if [ -d "${image}" ]
+      then
+        # It is a plain directory: do nothing
+        rootfslist="${image} ${rootfslist}"
+      elif [ -f "${image}" ]
+      then
+        if losetup --help 2>&1 | grep -q -- "-r\b"
+        then
+          backdev=$(get_backing_device "${image}" "-r")
+        else
+          backdev=$(get_backing_device "${image}")
+        fi
+        fstype=$(get_fstype "${backdev}")
+
+        case "${fstype}" in
+          unknown)
+            panic "Unknown file system type on ${backdev} (${image})"
+            ;;
+
+          "")
+            fstype="${imagename##*.}"
+            log_warning_msg "Unknown file system type on ${backdev} (${image}), assuming ${fstype}."
+            ;;
+        esac
+
+        mpoint=$(trim_path "${croot}/${imagename}")
+        rootfslist="${mpoint} ${rootfslist}"
+        mount_options=""
+
+        # Setup dm-verity support if a device has it supported
+        hash_device="${image}.verity"
+        # shellcheck disable=SC2086
+        if [ -f ${hash_device} ]
+        then
+          log_begin_msg "Start parsing dm-verity options for ${image}"
+          backdev_roothash=$(get_backing_device ${hash_device})
+          verity_mount_options="-o verity.hashdevice=${backdev_roothash}"
+          root_hash=$(get_dm_verity_hash ${imagename} ${DM_VERITY_ROOT_HASH})
+          valid_config="true"
+          case $(mount --version) in
+            *verity*)
+              ;;
+            *)
+              valid_config="false"
+              log_warning_msg "mount does not have support for dm-verity. Ignoring mount options"
+              ;;
+          esac
+          if [ -n "${root_hash}" ]
+          then
+            verity_mount_options="${verity_mount_options} -o verity.roothash=${root_hash}"
+            # Check if the root hash is saved on disk
+          elif [ -f "${image}.roothash" ]
+          then
+            verity_mount_options="${verity_mount_options} -o verity.roothashfile=${image}.roothash"
+          else
+            valid_config="false"
+            log_warning_msg "'${image}' has a dm-verity hash table, but no root hash was specified ignoring"
+          fi
+
+          fec="${image}.fec"
+          fec_roots="${image}.fec.roots"
+          if [ -f ${fec} ] && [ -f ${fec_roots} ]
+          then
+            backdev_fec=$(get_backing_device ${fec})
+            roots=$(cat ${fec_roots})
+            verity_mount_options="${verity_mount_options} -o verity.fecdevice=${backdev_fec} -o verity.fecroots=${roots}"
+          fi
+
+          signature="${image}.roothash.p7s"
+          if [ -f "${signature}" ]
+          then
+            verity_mount_options="${verity_mount_options} -o verity.roothashsig=${signature}"
+          elif [ "${DM_VERITY_ENFORCE_ROOT_HASH_SIG}" = "true" ]
+          then
+            panic "dm-verity signature checking was enforced but no signature could be found for ${image}!"
+          fi
+
+
+          if [ -n "${DM_VERITY_ONCORRUPTION}" ]
+          then
+            if is_in_space_sep_list "${DM_VERITY_ONCORRUPTION}" "ignore panic restart"
+            then
+              verity_mount_options="${verity_mount_options} -o verity.oncorruption=${DM_VERITY_ONCORRUPTION}"
+            else
+              log_warning_msg "For dm-verity on corruption '${DM_VERITY_ONCORRUPTION}' was specified, but only ignore, panic or restart are supported!"
+              log_warning_msg "Ignoring setting"
+            fi
+          fi
+          if [ "${valid_config}" = "true" ]
+          then
+            mount_options="${mount_options} ${verity_mount_options}"
+          fi
+          log_end_msg "Finished parsing dm-verity options for ${image}"
+        fi
+
+        mkdir -p "${mpoint}"
+        log_begin_msg "Mounting \"${image}\" on \"${mpoint}\" via \"${backdev}\""
+        # shellcheck disable=SC2086
+        mount -t "${fstype}" -o ro,noatime ${mount_options} "${backdev}" "${mpoint}" || panic "Can not mount ${backdev} (${image}) on ${mpoint}"
+        log_end_msg
+      else
+        log_warning_msg "Could not find image '${image}'. Most likely it is listed in a .module file, perhaps by mistake."
+      fi
+    done
+  else
+    # We have a plain root system
+    mkdir -p "${croot}/filesystem"
+    log_begin_msg "Mounting \"${image_directory}\" on \"${croot}/filesystem\""
+    # shellcheck disable=SC2046,SC2312
+    mount -t $(get_fstype "${image_directory}") -o ro,noatime "${image_directory}" "${croot}/filesystem" || \
+      panic "Can not mount ${image_directory} on ${croot}/filesystem" && \
+      rootfslist="${croot}/filesystem ${rootfslist}"
+    # Probably broken:
+    # shellcheck disable=SC2086,SC2250
+    mount -o bind ${croot}/filesystem $mountpoint
+    log_end_msg
+  fi
+
+  # tmpfs file systems
+  touch /etc/fstab
+  mkdir -p /run/live/overlay
+
+  # Looking for persistence devices or files
+  if [ -n "${PERSISTENCE}" ] && [ -z "${NOPERSISTENCE}" ]
+  then
+
+    if [ -z "${QUICKUSBMODULES}" ]
+    then
+      # Load USB modules
+      # shellcheck disable=SC2012
+      num_block=$(ls -l /sys/block | wc -l)
+      for module in sd_mod uhci-hcd ehci-hcd ohci-hcd usb-storage
+      do
+        # shellcheck disable=SC2086
+        modprobe -q -b ${module}
+      done
+
+      udevadm trigger
+      udevadm settle
+
+      # For some reason, udevsettle does not block in this scenario,
+      # so we sleep for a little while.
+      #
+      # See https://bugs.launchpad.net/ubuntu/+source/casper/+bug/84591
+      # shellcheck disable=SC2034
+      for timeout in 5 4 3 2 1
+      do
+        sleep 1
+
+        # shellcheck disable=SC2012,SC2046,SC2086,SC2312
+        if [ $(ls -l /sys/block | wc -l) -gt ${num_block} ]
+        then
+          break
+        fi
+      done
+    fi
+
+    # shellcheck disable=SC3043
+    local whitelistdev
+    whitelistdev=""
+    if [ -n "${PERSISTENCE_MEDIA}" ]
+    then
+      case "${PERSISTENCE_MEDIA}" in
+        removable)
+          whitelistdev="$(removable_dev)"
+          ;;
+
+        removable-usb)
+          whitelistdev="$(removable_usb_dev)"
+          ;;
+      esac
+      if [ -z "${whitelistdev}" ]
+      then
+        whitelistdev="ignore_all_devices"
+      fi
+    fi
+
+    # shellcheck disable=SC2086
+    if is_in_comma_sep_list overlay ${PERSISTENCE_METHOD}
+    then
+      overlays="${custom_overlay_label}"
+    fi
+
+    # shellcheck disable=SC3043
+    local overlay_devices
+    overlay_devices=""
+    if [ "${whitelistdev}" != "ignore_all_devices" ]
+    then
+      for media in $(find_persistence_media "${overlays}" "${whitelistdev}")
+      do
+        # shellcheck disable=SC2086
+        media="$(echo ${media} | tr ":" " ")"
+
+        for overlay_label in ${custom_overlay_label}
+        do
+          case ${media} in
+            ${overlay_label}=*)
+              device="${media#*=}"
+              overlay_devices="${overlay_devices} ${device}"
+              ;;
+          esac
+        done
+      done
+    fi
+  elif [ -n "${NFS_COW}" ] && [ -z "${NOPERSISTENCE}" ]
+  then
+    # Check if there are any nfs options
+    # shellcheck disable=SC2086
+    if echo ${NFS_COW} | grep -q ','
+    then
+      # shellcheck disable=SC2086
+      nfs_cow_opts="-o nolock,$(echo ${NFS_COW}|cut -d, -f2-)"
+      nfs_cow=$(echo ${NFS_COW}|cut -d, -f1)
+    else
+      nfs_cow_opts="-o nolock"
+      nfs_cow=${NFS_COW}
+    fi
+
+    if [ -n "${PERSISTENCE_READONLY}" ]
+    then
+      nfs_cow_opts="${nfs_cow_opts},nocto,ro"
+    fi
+
+    mac="$(get_mac)"
+    if [ -n "${mac}" ]
+    then
+      # shellcheck disable=SC2086
+      cowdevice=$(echo ${nfs_cow} | sed "s/client_mac_address/${mac}/")
+      cow_fstype="nfs"
+    else
+      panic "unable to determine mac address"
+    fi
+  fi
+
+  if [ -z "${cowdevice}" ]
+  then
+    cowdevice="tmpfs"
+    cow_fstype="tmpfs"
+    cow_mountopt="rw,noatime,mode=755,size=${OVERLAY_SIZE:-50%}"
+  fi
+
+  if [ -n "${PERSISTENCE_READONLY}" ] && [ "${cowdevice}" != "tmpfs" ]
+  then
+    # shellcheck disable=SC2086
+    mount -t tmpfs -o rw,noatime,mode=755,size=${OVERLAY_SIZE:-50%} tmpfs "/run/live/overlay"
+    # shellcheck disable=SC2086
+    root_backing="/run/live/persistence/$(basename ${cowdevice})-root"
+    # shellcheck disable=SC2086
+    mkdir -p ${root_backing}
+  else
+    root_backing="/run/live/overlay"
+  fi
+
+  if [ "${cow_fstype}" = "nfs" ]
+  then
+    log_begin_msg \
+      "Trying nfsmount ${nfs_cow_opts} ${cowdevice} ${root_backing}"
+    # shellcheck disable=SC2086
+    nfsmount ${nfs_cow_opts} ${cowdevice} ${root_backing} || \
+      panic "Can not mount ${cowdevice} (n: ${cow_fstype}) on ${root_backing}"
+  else
+    # shellcheck disable=SC2086
+    mount -t ${cow_fstype} -o ${cow_mountopt} ${cowdevice} ${root_backing} || \
+      panic "Can not mount ${cowdevice} (o: ${cow_fstype}) on ${root_backing}"
+  fi
+
+  # shellcheck disable=SC2086
+  rootfscount=$(echo ${rootfslist} |wc -w)
+
+  rootfs=${rootfslist%% }
+
+  if [ -n "${EXPOSED_ROOT}" ]
+  then
+    # shellcheck disable=SC2086
+    if [ ${rootfscount} -ne 1 ]
+    then
+      panic "only one RO file system supported with exposedroot: ${rootfslist}"
+    fi
+
+    # shellcheck disable=SC2086
+    mount -o bind ${rootfs} ${rootmnt} || \
+      panic "bind mount of ${rootfs} failed"
+
+    if [ -z "${SKIP_UNION_MOUNTS}" ]
+    then
+      cow_dirs='/var/tmp /var/lock /var/run /var/log /var/spool /home /var/lib/live'
+    else
+      cow_dirs=''
+    fi
+  else
+    cow_dirs="/"
+  fi
+
+  for dir in ${cow_dirs}; do
+    unionmountpoint=$(trim_path "${rootmnt}${dir}")
+    # shellcheck disable=SC2086
+    mkdir -p ${unionmountpoint}
+    cow_dir=$(trim_path "/run/live/overlay${dir}")
+    rootfs_dir="${rootfs}${dir}"
+    # shellcheck disable=SC2086
+    mkdir -p ${cow_dir}
+    if [ -n "${PERSISTENCE_READONLY}" ] && [ "${cowdevice}" != "tmpfs" ]
+    then
+      # shellcheck disable=SC2086
+      do_union ${unionmountpoint} ${cow_dir} ${root_backing} ${rootfs_dir}
+    else
+      # shellcheck disable=SC2086
+      do_union ${unionmountpoint} ${cow_dir} ${rootfs_dir}
+    fi || panic "mount ${UNIONTYPE} on ${unionmountpoint} failed with option ${unionmountopts}"
+  done
+
+  # Remove persistence depending on boot parameter
+  Remove_persistence
+
+  # Correct the permissions of /:
+  chmod 0755 "${rootmnt}"
+
+  # Correct the permission of /tmp:
+  if [ -d "${rootmnt}/tmp" ]
+  then
+    chmod 1777 "${rootmnt}"/tmp
+  fi
+
+  # Correct the permission of /var/tmp:
+  if [ -d "${rootmnt}/var/tmp" ]
+  then
+    chmod 1777 "${rootmnt}"/var/tmp
+  fi
+
+  # Adding custom persistence
+  if [ -n "${PERSISTENCE}" ] && [ -z "${NOPERSISTENCE}" ]
+  then
+    # shellcheck disable=SC3043
+    local custom_mounts
+    custom_mounts="/tmp/custom_mounts.list"
+    # shellcheck disable=SC2086
+    rm -f ${custom_mounts}
+
+    # Gather information about custom mounts from devices detected as overlays
+    # shellcheck disable=SC2086
+    get_custom_mounts ${custom_mounts} ${overlay_devices}
+
+    # shellcheck disable=SC2086
+    [ -n "${LIVE_BOOT_DEBUG}" ] && cp ${custom_mounts} "/run/live/persistence"
+
+    # Now we do the actual mounting (and symlinking)
+    # shellcheck disable=SC3043
+    local used_overlays
+    used_overlays=""
+    # shellcheck disable=SC2086
+    used_overlays=$(activate_custom_mounts ${custom_mounts})
+    # shellcheck disable=SC2086
+    rm -f ${custom_mounts}
+
+    # Close unused overlays (e.g., due to missing $persistence_list)
+    for overlay in ${overlay_devices}
+    do
+      # shellcheck disable=SC2086
+      if echo ${used_overlays} | grep -qve "^\(.* \)\?${overlay}\( .*\)\?$"
+      then
+        close_persistence_media ${overlay}
+      fi
+    done
+  fi
+
+  printf "\e[92m[INFO] Successfully applied : [/usr/lib/live/boot/9990-overlay.sh] ... \n\e[0m"
+}

config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash

@@ -116,11 +116,12 @@ log() {
 ### Declare variables. ---------------------------------------------------------------------------------------------------------
 export CDLB_ISO_LABEL="CISS.debian.live"
 export CDLB_LUKS_FS="/live/ciss_rootfs.crypt"
+export CDLB_LUKS_ROOTFS_MNT="/run/live/ciss-rootfs"
 export CDLB_MAPPER_NAME="crypt_liveiso"
 export CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
-CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}"
+export CDLB_MNT_MEDIUM="/run/live/medium"
-MNT_MEDIUM="/run/live/medium"
+export CDLB_MNT_ROOTFS="/run/live/rootfs"
-MNT_ROOTFS="/run/live/rootfs"
+export CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}"
 _PARAMETER=""
 _dev=""
 
@@ -141,22 +142,22 @@ done
 printf "\e[92m[INFO] CDLB_LUKS_FS         : [%s] \n\e[0m" "${CDLB_LUKS_FS}"
 printf "\e[92m[INFO] CDLB_ISO_LABEL       : [%s] \n\e[0m" "${CDLB_ISO_LABEL}"
 
-mkdir -p "${MNT_MEDIUM}" "${MNT_ROOTFS}"
+mkdir -p /conf "${CDLB_MNT_MEDIUM}" "${CDLB_MNT_ROOTFS}"
 
 ### Mount the live medium (ISO) read-only, unless already mounted. -------------------------------------------------------------
-if ! mountpoint -q "${MNT_MEDIUM}"; then
+if ! mountpoint -q "${CDLB_MNT_MEDIUM}"; then
 
   if [ -n "${CDLB_ISO_LABEL}" ] && [ -e "/dev/disk/by-label/${CDLB_ISO_LABEL}" ]; then
 
-    mount -r -t iso9660 "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${MNT_MEDIUM}" 2>/dev/null \
+    mount -r -t iso9660 "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>/dev/null \
-      || mount -r -t udf "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${MNT_MEDIUM}" 2>/dev/null \
+      || mount -r -t udf "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>/dev/null \
       || log "could not mount label=${CDLB_ISO_LABEL} (iso9660/udf)"
 
   fi
 
 fi
 
-if ! mountpoint -q "${MNT_MEDIUM}"; then
+if ! mountpoint -q "${CDLB_MNT_MEDIUM}"; then
 
   ### Fallback scan (covers SR drives and loop-mounted ISOs that udev exposed).
   for _dev in /dev/sr* /dev/cdrom /dev/disk/by-label/*; do
@@ -165,13 +166,13 @@ if ! mountpoint -q "${MNT_MEDIUM}"; then
     [ -b "${_dev}" ] || continue
 
     ### Try ISO9660 first, then UDF; only unmount on failure.
-    if mount -r -t iso9660 "${_dev}" "${MNT_MEDIUM}" 2>/dev/null || mount -r -t udf   "${_dev}" "${MNT_MEDIUM}" 2>/dev/null; then
+    if mount -r -t iso9660 "${_dev}" "${CDLB_MNT_MEDIUM}" 2>/dev/null || mount -r -t udf   "${_dev}" "${CDLB_MNT_MEDIUM}" 2>/dev/null; then
 
-      mountpoint -q "${MNT_MEDIUM}" 2>/dev/null && break
+      mountpoint -q "${CDLB_MNT_MEDIUM}" 2>/dev/null && break
 
     else
 
-      umount "${MNT_MEDIUM}" 2>/dev/null || true
+      umount "${CDLB_MNT_MEDIUM}" 2>/dev/null || true
 
     fi
 
@@ -179,29 +180,38 @@ if ! mountpoint -q "${MNT_MEDIUM}"; then
 
 fi
 
-if ! mountpoint -q "${MNT_MEDIUM}"; then
+if ! mountpoint -q "${CDLB_MNT_MEDIUM}"; then
 
-  log "No live medium mounted, defer to default live-boot path."
   printf "\e[91m[FATAL] Boot failure        : No live medium mounted, defer to default live-boot path. \n\e[0m"
-  exit 42
+  sleep 60
+  log   "[FATAL] Boot failure        : No live medium mounted, defer to default live-boot path."
+  panic "[FATAL] Boot failure        : No live medium mounted, defer to default live-boot path."
 
 fi
 
-printf "\e[92m[INFO] MNT_MEDIUM           : [%s] \n\e[0m" "${MNT_MEDIUM}"
+printf "\e[92m[INFO] MNT_MEDIUM           : [%s] \n\e[0m" "${CDLB_MNT_MEDIUM}"
 
 ### Locate the encrypted root container on the medium. -------------------------------------------------------------------------
-if [ ! -f "${MNT_MEDIUM}${CDLB_LUKS_FS}" ]; then
+if [ ! -f "${CDLB_MNT_MEDIUM}${CDLB_LUKS_FS}" ]; then
 
-  log "Encrypted root not found at: [${MNT_MEDIUM}${CDLB_LUKS_FS}]"
+  printf "\e[91m[FATAL] Boot failure        : Encrypted root not found at: [%s%s] \n\e[0m" "${CDLB_MNT_MEDIUM}" "${CDLB_LUKS_FS}"
-  printf "\e[91m[FATAL] Boot failure        : Encrypted root not found at: [%s%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LUKS_FS}"
+  sleep 60
-  exit 42
+  log   "[FATAL] Boot failure        : Encrypted root not found at: [${CDLB_MNT_MEDIUM}${CDLB_LUKS_FS}]"
+  panic "[FATAL] Boot failure        : Encrypted root not found at: [${CDLB_MNT_MEDIUM}${CDLB_LUKS_FS}]"
 
 fi
 
-printf "\e[92m[INFO] CISS LUKS FS         : [%s%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LUKS_FS}"
+printf "\e[92m[INFO] CISS LUKS FS         : [%s%s] \n\e[0m" "${CDLB_MNT_MEDIUM}" "${CDLB_LUKS_FS}"
 
 ### Attach a loop device read-only to the encrypted file. ----------------------------------------------------------------------
-LOOP="$(losetup -f --show -r "${MNT_MEDIUM}${CDLB_LUKS_FS}")" || { log "losetup failed"; exit 42; }
+if ! LOOP="$(losetup -f --show -r "${CDLB_MNT_MEDIUM}${CDLB_LUKS_FS}")"; then
+
+  printf "\e[91m[FATAL] Boot failure        : losetup failed \n\e[0m"
+  sleep 60
+  log   "[FATAL] Boot failure        : losetup failed "
+  panic "[FATAL] Boot failure        : losetup failed "
+
+fi
 
 printf "\e[92m[INFO] Loop device          : [%s] \n\e[0m" "${LOOP}"
 
@@ -225,8 +235,10 @@ fi
 
 if ! mkfifo /lib/cryptsetup/passfifo 2>/dev/null; then
 
-  printf "\e[92m[WARN] Boot failure         : Failed to create /lib/cryptsetup/passfifo \n\e[0m"
+  printf "\e[92m[WARN] Boot failure         : Failed to create [/lib/cryptsetup/passfifo] \n\e[0m"
-  exit 42
+  sleep 60
+  log   "[WARN] Boot failure         : Failed to create [/lib/cryptsetup/passfifo]"
+  panic "[WARN] Boot failure         : Failed to create [/lib/cryptsetup/passfifo]"
 
 fi
 
@@ -355,7 +367,9 @@ if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
   kill "${PID_PROMPT}" 2>/dev/null || true
   kill "${PID_BROKER}" 2>/dev/null || true
   rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
-  exit 42
+  sleep 60
+  log   "[WARN] CISS LUKS decryption : Timeout LUKS mapper [${CDLB_MAPPER_DEV}] not present after ${CDLB_REMOTE_WAIT_SECS} seconds."
+  panic "[WARN] CISS LUKS decryption : Timeout LUKS mapper [${CDLB_MAPPER_DEV}] not present after ${CDLB_REMOTE_WAIT_SECS} seconds."
 
 fi
 
@@ -365,45 +379,42 @@ rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
 
 printf "\e[92m[INFO] CISS LUKS decryption : [%s] is now present.\n\e[0m" "${CDLB_MAPPER_DEV}"
 
-### Mount the decrypted root device ready to use als PLAIN_ROOT artifact in '9990-main.sh'. ------------------------------------
+### Expose the decrypted root device for live-boot overlay. The live-boot components will pick this up in '9990-overlay.sh'. ---
-if ! mount -r -t squashfs "${CDLB_MAPPER_DEV}" "${MNT_ROOTFS}"; then
+cat << EOF >| /run/ciss-rootdev
+export CDLB_ISO_LABEL=${CDLB_ISO_LABEL}
+export CDLB_LUKS_FS=${CDLB_LUKS_FS}
+export CDLB_LUKS_ROOTFS_MNT=${CDLB_LUKS_ROOTFS_MNT}
+export CDLB_MAPPER_NAME=${CDLB_MAPPER_NAME}
+export CDLB_MAPPER_DEV=${CDLB_MAPPER_DEV}
+export CDLB_MNT_MEDIUM=${CDLB_MNT_MEDIUM}
+export CDLB_MNT_ROOTFS=${CDLB_MNT_ROOTFS}
+export CDLB_REMOTE_WAIT_SECS=${CDLB_REMOTE_WAIT_SECS}
+EOF
+chmod 0444 /run/ciss-rootdev 2>/dev/null || true
 
-  log "Failed to mount SquashFS from [${CDLB_MAPPER_DEV}] on [${MNT_ROOTFS}]"
+### Override '9990-main.sh' behavior to ensure 'Verify_checksums()' functions properly. ----------------------------------------
-  printf "\e[91m[WARN] CISS LUKS decryption  : SquashFS mount failed: [%s] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}" "${MNT_ROOTFS}"
+if [ ! -e /conf/param.conf ]; then
-  exit 42
 
-else
+  printf "\e[92m[INFO] CISS LUKS decryption : Not existing [/conf/param.conf] \n\e[0m"
-
+  : >| /conf/param.conf
-  printf "\e[92m[INFO] CISS LUKS decryption  : Mounted SquashFS: [%s] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}" "${MNT_ROOTFS}"
 
 fi
 
-### Expose the decrypted root device for live-boot overlay. The live-boot components will pick this up in '9990-overlay.sh'. ---
+if ! grep -q '^PLAIN_ROOT=' /conf/param.conf 2>/dev/null; then
-echo "${CDLB_MAPPER_DEV}" >| /run/ciss-rootdev
+
-chmod 0644 /run/ciss-rootdev 2>/dev/null || true
+  printf 'PLAIN_ROOT=1\n' >> /conf/param.conf
-export CISS_ROOT_DEV="${CDLB_MAPPER_DEV}"
+
-export CISS_ROOT_DIR=""
+fi
+
+if ! grep -q '^livefs_root=' /conf/param.conf 2>/dev/null; then
+
+  printf 'livefs_root=%s\n' "/run/live/medium" >> /conf/param.conf
 
-# TODO: Remove Debug
-if [ -e /conf/param.conf ]; then
-  printf "\e[92m[INFO] CISS LUKS decryption : Printing existing [/conf/param.conf] \n\e[0m"
-  cat /conf/param.conf >/dev/console 2>&1 || :
-  {
-    printf '\n'
-    printf 'PLAIN_ROOT=1\n'
-    printf 'ROOT=%s\n' "${MNT_ROOTFS}"
-  } >> /conf/param.conf 2>/dev/null || true
-else
-  printf "\e[92m[INFO] CISS LUKS decryption : Not existing [/conf/param.conf] \n\e[0m"
-  {
-    printf '\n'
-    printf 'PLAIN_ROOT=1\n'
-    printf 'ROOT=%s\n' "${MNT_ROOTFS}"
-  } >| /conf/param.conf 2>/dev/null || true
 fi
 
 printf "\e[92m[INFO] CISS LUKS decryption : Final state [/conf/param.conf] \n\e[0m"
 cat /conf/param.conf >/dev/console 2>&1 || :
+sleep 8
 
 log "Decrypted root device exposed at [/run/ciss-rootdev] -> [${CDLB_MAPPER_DEV}]"
 printf "\e[92m[INFO] CISS LUKS decryption : Decrypted root device exposed at: [/run/ciss-rootdev] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}"
@@ -411,9 +422,10 @@ printf "\e[92m[INFO] CISS LUKS decryption : Decrypted root device exposed at: [/
 ### Final sanity check. --------------------------------------------------------------------------------------------------------
 if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
 
-  log "Failed to unlock encrypted root [${CDLB_LUKS_FS}] via dropbear and console."
   printf "\e[91m[WARN] Failed unlock        : [%s] via dropbear and console. \n\e[0m" "${CDLB_LUKS_FS}"
-  exit 42
+  sleep 60
+  log   "[WARN] Failed unlock        : [${CDLB_LUKS_FS}] via dropbear and console."
+  panic "[WARN] Failed unlock        : [${CDLB_LUKS_FS}] via dropbear and console."
 
 fi
 

config/includes.chroot/usr/lib/live/boot/9990-main.sh

@@ -128,45 +128,53 @@ Live ()
   fi
 
   printf "\e[93m[DEBUG] live(): [%s] -> livefs_root. \e[0m\n" "${livefs_root}"
-  if [ -z "${livefs_root}" ]
+  if [ -z "${livefs_root}" ]; then
-  then
+
-    panic "Unable to find a medium containing a live file system"
+    printf "\e[91m[FATAL] live()              : Unable to find a medium containing a live file system. \e[0m\n"
+    sleep 60
+    log   "[FATAL] live()              : Unable to find a medium containing a live file system."
+    panic "[FATAL] live()              : Unable to find a medium containing a live file system."
+
   fi
 
   printf "\e[93m[DEBUG] live(): Before [Verify_checksums %s] \e[0m\n" "${livefs_root}"
   Verify_checksums "${livefs_root}"
 
   # shellcheck disable=SC2244
-  if [ "${TORAM}" ]
+  if [ "${TORAM}" ]; then
-  then
+
     live_dest="ram"
-  elif [ "${TODISK}" ]
+
-  then
+  elif [ "${TODISK}" ]; then
+
     live_dest="${TODISK}"
+
   fi
 
   # shellcheck disable=SC2244
-  if [ "${live_dest}" ]
+  if [ "${live_dest}" ]; then
-  then
+
     log_begin_msg "Copying live media to ${live_dest}"
     copy_live_to "${livefs_root}" "${live_dest}"
     log_end_msg
+
   fi
 
   # if we do not unmount the ISO, we can't run "fsck /dev/ice" later on
   # because the mountpoint is left behind in /proc/mounts, so let's get
   # rid of it when running from RAM
   # shellcheck disable=SC2244
-  if [ -n "${FROMISO}" ] && [ "${TORAM}" ]
+  if [ -n "${FROMISO}" ] && [ "${TORAM}" ]; then
-  then
+
     losetup -d /dev/loop0
 
-    if is_mountpoint /run/live/fromiso
+    if is_mountpoint /run/live/fromiso; then
-    then
+
       umount /run/live/fromiso
-      rmdir --ignore-fail-on-non-empty /run/live/fromiso \
+      rmdir --ignore-fail-on-non-empty /run/live/fromiso >/dev/null 2>&1 || true
-        >/dev/null 2>&1 || true
+
     fi
+
   fi
 
   printf "\e[93m[DBG] Live(): before overlay, live_dest=%s \e[0m\n" "${live_dest:-<none>}"

config/includes.chroot/usr/lib/live/boot/9990-overlay.sh

@@ -31,25 +31,18 @@ setup_unionfs ()
   addimage_directory="${3}"
 
   ### CISS hook: allow explicit root override ----------------------------------------------------------------------------------
-  #if [ -z "${CISS_ROOT_DEV:-}" ] && [ -r /run/ciss-rootdev ]; then
+  if [ -r /run/ciss-rootdev ]; then
 
-  #  CISS_ROOT_DEV=$(cat /run/ciss-rootdev 2>/dev/null || printf '')
+    . /run/ciss-rootdev
 
-  #fi
+    export PLAIN_ROOT=1
+    export image_directory="${CDLB_MAPPER_DEV}"
 
-  #if [ -n "${CISS_ROOT_DEV:-}" ]; then
+    printf "\e[92m[INFO] setup_unionfs()      : [image_directory=%s]    \n\e[0m" "${image_directory}"
+    printf "\e[92m[INFO] setup_unionfs()      : [rootmnt=%s]            \n\e[0m" "${rootmnt}"
+    printf "\e[92m[INFO] setup_unionfs()      : [addimage_directory=%s] \n\e[0m" "${addimage_directory}"
 
-    ### Treat the decrypted block device as plain root (e.g., squashfs on LUKS).
+  fi
-  #  PLAIN_ROOT=1
-  #  image_directory="${CISS_ROOT_DEV}"
-
-  #elif [ -n "${CISS_ROOT_DIR:-}" ]; then
-
-    ### Alternative: explicitly provided root directory.
-  #  PLAIN_ROOT=1
-  #  image_directory="${CISS_ROOT_DIR}"
-
-  #fi
   ### --------------------------------------------------------------------------------------------------------------------------
 
   # shellcheck disable=SC2086