V8.13.404.2025.11.10

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh

@@ -0,0 +1,490 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+# SPDX-Comment: unlock_wrapper.sh to be executed as 'dropbear-initramfs' SSH forced command.
+
+set -Ceu -o pipefail -o ignoreeof
+shopt -s failglob
+shopt -s lastpipe
+shopt -u nullglob
+umask 0077
+export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"
+
+#######################################
+# Variable declaration
+#######################################
+# shellcheck disable=SC2016
+declare -r REGEX='^\$6\$(rounds=([1-9][0-9]{3,8})\$)?([./A-Za-z0-9]{1,16})\$([./A-Za-z0-9]{86})$'
+# shellcheck disable=SC2155
+declare -r CURRENTDATE=$(date +"%F %T")
+declare -g ERRTRAP='false'
+declare -r GRE='\e[0;92m'
+declare -r MAG='\e[0;95m'
+declare -r RED='\e[0;91m'
+declare -r RES='\e[0m'
+declare -r NL='\n'
+declare -g NUKE_ENABLED='false'
+declare -g NUKE_HASH=''
+declare -g PASSPHRASE=''
+
+#######################################
+# Read passphrase strictly from STDIN (SSH channel), not '/dev/console'.
+# Arguments:
+#   1: Prompt to print on terminal
+#   2: Variable name to capture passphrase
+#######################################
+ask_via_stdin() {
+  declare -r  prompt="$1"
+  declare -r  varname="$2"
+  ### Prompt to STDERR so pipes don't capture it.
+  printf "%s" "${prompt}" >&2
+  ### Silent, canonical read from FD 0 (SSH channel when forced-command).
+  IFS= read -r -s "${varname?}" <&0
+  printf "\n" >&2
+  return 0
+}
+
+#######################################
+# Printed text in color.
+# Arguments:
+#   1: Color code.
+#   *: Text to print.
+#######################################
+color_echo() { declare c="${1}"; shift; declare msg="${*}"; printf "%b%s %b%b" "${c}" "${msg}" "${RES}" "${NL}"; return 0; }
+
+#######################################
+# Die Helper: print and then exit hard.
+# Globals:
+#   NC
+#   RED
+# Arguments:
+#   1: Message string to print.
+#######################################
+die() { printf "%b✘ %s %b%b" "${RED}" "$1" "${RES}" "${NL}" >&2; power_off 3; }
+
+#######################################
+# Drop into the bash environment.
+# Arguments:
+#   None
+#######################################
+drop_bash() { stty echo 2>/dev/null || true; prompt_string; exec /bin/bash -i; }
+
+#######################################
+# Extract the 'nuke=' parameter from '/proc/cmdline'.
+# Globals:
+#   GRE
+#   NUKE_ENABLED
+#   NUKE_HASH
+#   RED
+#   REGEX
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+extract_nuke_hash() {
+  declare     ARG="" CMDLINE=""
+
+  ### Read '/proc/cmdline' into a single line safely.
+  read -r CMDLINE < /proc/cmdline
+
+  for ARG in ${CMDLINE}; do
+
+    case "${ARG,,}" in
+
+      nuke=*)
+        NUKE_HASH="${ARG#*=}"
+        if [[ "${NUKE_HASH}" =~ ${REGEX} ]]; then
+
+          declare -g NUKE_ENABLED="true"
+          color_echo "${GRE}" "✅ System self check: [ok]"
+          return 0
+
+        else
+
+          ### If there is a malformed Grub Bootparameter 'nuke=HASH', drop to bash.
+          color_echo "${RED}" "✘ Nuke Hash Malformat : [${REGEX}] [${NUKE_HASH}]."
+          color_echo "${RED}" "✘ Dropping to bash ...:"
+          drop_bash
+
+        fi
+      ;;
+
+    esac
+
+  done
+
+  color_echo "${GRE}" "✅ No Nuke Hash found."
+
+  return 0
+}
+
+#######################################
+# Gather information of all LUKS Devices available on the system.
+# Arguments:
+#   None
+#######################################
+gather_luks_devices() {
+  declare     prev=() curr=()
+  declare -i  tries=0
+
+  while ((tries < 10)); do
+
+    # shellcheck disable=SC2312
+    mapfile -t curr < <(blkid -t TYPE=crypto_LUKS -o device | /usr/bin/sort -V)
+
+    if [[ "${curr[*]}" == "${prev[*]}" ]]; then
+      break
+    fi
+
+    prev=("${curr[@]}")
+    tries=$((tries + 1))
+    sleep 1
+
+  done
+
+  printf '%s\n' "${curr[@]}"
+
+  return 0
+}
+
+#######################################
+# Erase the LUKS headers on all LUKS devices, then shut down the system.
+# Globals:
+#   DEVICES_LUKS
+#   RED
+# Arguments:
+#   None
+#######################################
+nuke() {
+  declare     dev=""
+
+  for dev in "${DEVICES_LUKS[@]}"; do
+
+    cryptsetup erase --batch-mode "${dev}" || true
+    color_echo "${RED}" "✘ Error: LUKS Device Header malfunction: [${dev}]."
+
+  done
+
+  secure_unset_pass
+
+  color_echo "${RED}" "✘ Error: LUKS Device malfunction. System Power Off in 16 seconds."
+
+  power_off 16
+}
+
+#######################################
+# Unified power-off routine.
+# Arguments:
+#   1: Sleep time before power-off in seconds (Default to 0 seconds).
+#######################################
+power_off() {
+  declare -r  wait="${1:-0}"
+  sleep "${wait}"
+  sync
+  echo 1 >| /proc/sys/kernel/sysrq
+  echo o >| /proc/sysrq-trigger
+  ### The System powers off immediately; no further code is executed.
+}
+
+#######################################
+# Print Error Message for Trap on 'ERR' on Terminal.
+# Globals:
+#   NL
+#   RED
+# Arguments:
+#   1: ${?}
+#   2: ${BASH_SOURCE[0]}
+#   3: ${LINENO}
+#   4: ${FUNCNAME[0]:-main}
+#   5: ${BASH_COMMAND}
+#######################################
+print_scr_err() {
+  declare -r  scr_err_errcode="$1"
+  declare -r  scr_err_errscrt="$2"
+  declare -r  scr_err_errline="$3"
+  declare -r  scr_err_errfunc="$4"
+  declare -r  scr_err_errcmmd="$5"
+
+  printf "%b" "${NL}" >&2
+
+  color_echo "${RED}" "✘ System caught an 'ERROR'. System Power Off in 16 seconds." >&2
+  printf "%b" "${NL}" >&2
+  color_echo "${RED}" "✘ Error               : [${scr_err_errcode}]" >&2
+  color_echo "${RED}" "✘ Line                : [${scr_err_errline}]" >&2
+  color_echo "${RED}" "✘ Script              : [${scr_err_errscrt}]" >&2
+  color_echo "${RED}" "✘ Function            : [${scr_err_errfunc}]" >&2
+  color_echo "${RED}" "✘ Command             : [${scr_err_errcmmd}]" >&2
+  printf "%b" "${NL}" >&2
+
+  return 0
+}
+
+#######################################
+# Print Error Message for '0'-Exit-Code on Terminal.
+# Globals:
+#   GRE
+# Arguments:
+#   None
+#######################################
+print_scr_scc() { color_echo "${GRE}" "✅ Script exited successfully. Proceeding with booting."; sleep 3; }
+
+#######################################
+# Generates an informative shell prompt.
+# Globals:
+#   PS1
+# Arguments:
+#   None
+#######################################
+prompt_string() {
+  declare -gx PS1="\
+\[\033[1;91m\]\d\[\033[0m\]|\[\033[1;91m\]\u\[\033[0m\]@\
+\[\033[1;95m\]\h\[\033[0m\]:\
+\[\033[1;96m\]\w\[\033[0m\]/>>\
+\$(if [[ \$? -eq 0 ]]; then \
+  # Show exit status in green if zero
+  echo -e \"\[\033[1;92m\]\$?\[\033[0m\]\"; \
+else \
+  # Show exit status in red otherwise
+  echo -e \"\[\033[1;91m\]\$?\[\033[0m\]\"; \
+fi)\
+|~\$ "
+}
+
+#######################################
+# Read the passphrase interactively.
+# Globals:
+#   NUKE_ENABLED
+#   NUKE_HASH
+#   PASSPHRASE
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+read_passphrase() {
+  declare -i  ROUNDS=0
+  declare     CAND="" SALT=""
+
+  ### Read from SSH STDIN (or TTY fallback), never via '/lib/cryptsetup/askpass'.
+  ask_via_stdin "Enter passphrase: " PASSPHRASE
+
+  ### NUKE pre-check.
+  if [[ "${NUKE_ENABLED,,}" == "true" ]]; then
+
+    ROUNDS="$(cut -d'$' -f3 <<< "${NUKE_HASH}")"
+    ROUNDS="${ROUNDS#rounds=}"
+    SALT="$(cut -d'$' -f4 <<< "${NUKE_HASH}")"
+    CAND=$(/usr/mkpasswd --method=sha-512 --salt="${SALT}" --rounds="${ROUNDS}" "${PASSPHRASE}")
+
+    ### NUKE final check.
+    if [[ "${CAND}" == "${NUKE_HASH}" ]]; then
+
+      nuke
+
+    fi
+
+  fi
+
+  return 0
+}
+
+#######################################
+# Securely unset the 'PASSPHRASE'-variable.
+# Globals:
+#   PASSPHRASE
+# Arguments:
+#   None
+#######################################
+secure_unset_pass() { unset PASSPHRASE; PASSPHRASE=""; return 0; }
+
+#######################################
+# Trap function to be called on 'ERR'.
+# Arguments:
+#   1: ${?}
+#   2: ${BASH_SOURCE[0]}
+#   3: ${LINENO}
+#   4: ${FUNCNAME[0]:-main}
+#   5: ${BASH_COMMAND}
+#######################################
+trap_on_err() {
+  declare -r  errcode="$1"
+  declare -r  errscrt="$2"
+  declare -r  errline="$3"
+  declare -r  errfunc="$4"
+  declare -r  errcmmd="$5"
+  declare -g  ERRTRAP='true'
+
+  trap - ERR INT TERM
+  stty echo 2>/dev/null || true
+  print_scr_err "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}"
+  power_off 16
+}
+
+#######################################
+# Security Trap on 'EXIT'.
+# Globals:
+#   ERRTRAP
+# Arguments:
+#   None
+#######################################
+trap_on_exit() {
+  trap - ERR EXIT INT TERM
+  [[ "${ERRTRAP,,}" == "false" ]] && print_scr_scc
+}
+
+#######################################
+# Security Trap on 'INT' and 'TERM' to provide a deterministic way to not circumvent the nuke routine.
+# Globals:
+#   NL
+#   RED
+# Arguments:
+#   None
+#######################################
+trap_on_term() {
+  trap - ERR INT TERM
+  stty echo 2>/dev/null || true
+  printf "%b" "${NL}"
+  color_echo "${RED}" "✘ Received termination signal. System Power Off in 3 seconds."
+  power_off 3
+}
+
+#######################################
+# Check the integrity and authenticity of this script itself.
+# Globals:
+#   GRE
+#   MAG
+#   RED
+# Arguments:
+#   0: Script Name
+#######################################
+verify_script() {
+  declare     dir
+  # shellcheck disable=SC2312
+  dir="$(dirname "$(readlink -f "${0}")")"
+  declare     script; script="$(basename "${0}")"
+  declare -a  algo=( "sha512" )
+  declare     cmd="" computed="" expected="" hashfile="" item="" sigfile=""
+
+  for item in "${algo[@]}"; do
+
+    hashfile="${dir}/${script}.${item}"
+    sigfile="${hashfile}.sig"
+    cmd="${item}sum"
+
+    color_echo "${MAG}" "🔏 Verifying signature of: [${hashfile}]"
+
+    if ! gpgv --keyring /etc/keys/unlock_wrapper_pubring.gpg "${sigfile}" "${hashfile}"; then
+
+      color_echo "${RED}" "✘ Signature verification failed for: [${hashfile}]"
+      color_echo "${RED}" "✘ System Power Off in 3 seconds."
+      power_off 3
+
+    else
+
+      color_echo "${GRE}" "🔏 Verifying signature of: [${hashfile}] successful."
+
+    fi
+
+
+    color_echo "${MAG}" "🔢 Recomputing Hash: [${item}]"
+
+    # shellcheck disable=SC2312
+    read -r computed _ < <("${cmd}" "${dir}/${script}")
+    read -r expected < "${hashfile}"
+
+    if [[ "${computed}" != "${expected}" ]]; then
+
+      color_echo "${RED}" "✘ Recomputed hash mismatch for     : [${item}]"
+      color_echo "${RED}" "✘ System Power Off in 3 seconds."
+      power_off 3
+
+    fi
+
+    color_echo "${GRE}" "🔢 Recomputing Hash: [${item}] successful."
+
+  done
+
+  color_echo "${GRE}" "🔏 All signatures and hashes verified successfully. Proceeding."
+  return 0
+}
+
+#######################################
+# Main Program Sequence.
+# Globals:
+#   CURRENTDATE
+#   DEVICES_LUKS
+#   GRE
+#   MAG
+#   NL
+#   PASSPHRASE
+#   RED
+# Arguments:
+#   None
+#######################################
+main() {
+  exec 1>&2
+
+  trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
+  trap 'trap_on_exit' EXIT
+  trap 'trap_on_term' INT TERM
+
+  uname -a
+
+  printf "%b" "${NL}"
+  color_echo "${RED}" "Coresecret Connection established."
+  color_echo "${RED}" "Starting Time: ${CURRENTDATE}"
+
+  printf "%b" "${NL}"
+  color_echo "${MAG}" "Integrity self-check ..."
+  verify_script
+
+  ### Read newline-separated output into an array.
+  printf "%b" "${NL}"
+  color_echo "${MAG}" "Scanning for LUKS devices ..."
+  # shellcheck disable=SC2312
+  mapfile -t DEVICES_LUKS < <(gather_luks_devices)
+
+  ### If there are no LUKS devices at all, drop to bash.
+  if (( ${#DEVICES_LUKS[@]} == 0 )); then
+    printf "%b" "${NL}"
+    color_echo "${RED}" "✘ No LUKS Devices found. Dropping to bash ..."
+    drop_bash
+  fi
+
+  ### Extract the 'nuke='-parameter from '/proc/cmdline'.
+  printf "%b" "${NL}"
+  extract_nuke_hash
+
+  ### Read passphrase interactively.
+  read_passphrase
+
+  if printf "%s" "${PASSPHRASE}" | cryptroot-unlock; then
+
+    secure_unset_pass
+    exit 0
+
+  else
+
+    secure_unset_pass
+
+    printf "%b" "${NL}"
+    color_echo "${RED}" "✘ Unsuccessful command 'cryptroot-unlock'."
+    color_echo "${GRE}" "  No LUKS operations performed. Dropping to bash ..."
+    color_echo "${GRE}" "  To unlock 'root' partition, and maybe others like '/home', run 'cryptroot-unlock'."
+
+    drop_bash
+
+  fi
+}
+
+main "${@}"
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh.sha512

@@ -0,0 +1 @@
+2d90783e0ffba3c6972b3a0d5335cca4a37c03b417f43b62b082a83734d4e4148390ac22509e68d63aaca11baf4fb081747f83347eab08176fb647e5445372f6

config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper_signer.sh

@@ -0,0 +1,78 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+# SPDX-Comment: unlock_wrapper_signer.sh for signing unlock_wrapper.sh
+
+set -Ceuo pipefail
+
+### Paths
+declare -r SCRIPT="/etc/initramfs-tools/files/unlock_wrapper.sh"
+declare -r KEYFILE="/root/.ciss/keys/dummy_0x12345678_SECRET.asc"
+declare -r GNUPGHOME="/root/.ciss/gnupg"
+
+### Output Files
+declare -r HASH384="${SCRIPT}.sha384"
+declare -r HASH512="${SCRIPT}.sha512"
+declare -r SIG384="${HASH384}.sig"
+declare -r SIG512="${HASH512}.sig"
+
+### Ensure GNUPGHOME exists with secure permissions
+mkdir -p "${GNUPGHOME}"
+chmod 0700 "${GNUPGHOME}"
+
+### Import private key only if not already present
+if ! gpg --homedir "${GNUPGHOME}" --list-secret-keys | grep -q "sec"; then
+  printf "\e[0;92m✅ Importing private key ... \e[0m\n"
+  gpg --homedir "${GNUPGHOME}" --import "${KEYFILE}"
+else
+  printf "\e[0;92m✅ Private key already present in keyring. \e[0m\n"
+fi
+
+### Extract fingerprint of the first secret key
+# shellcheck disable=SC2155
+declare -r FPR=$(gpg --homedir "${GNUPGHOME}" --list-secret-keys --with-colons | awk -F: '/^fpr:/ { print $10; exit }')
+
+if [[ -z "${FPR}" ]]; then
+  printf "\e[0;91m✘ Error: Could not extract fingerprint from keyring. \e[0m\n" >&2
+  exit 1
+fi
+
+printf "\e[0;92m✅ Using GPG key fingerprint: [%s] \e[0m\n" "${FPR}"
+
+### Hashing (only the hash value, no filename)
+printf "\e[0;95m🔢 Generating Hashes ... \e[0m\n"
+
+if sha384sum "${SCRIPT}" | awk '{print $1}' >| "${HASH384}"; then
+  printf "\e[0;92m✅ Hash: [%s] of Script: [%s] created. \e[0m\n" "${HASH384}" "${SCRIPT}"
+fi
+
+if sha512sum "${SCRIPT}" | awk '{print $1}' >| "${HASH512}"; then
+  printf "\e[0;92m✅ Hash: [%s] of Script: [%s] created. \e[0m\n" "${HASH512}" "${SCRIPT}"
+fi
+
+printf "\e[0;92m🔢 Generating Hashes done. \e[0m\n"
+
+### Signing Hashes
+printf "\e[0;95m🔑 Signing hashes ... \e[0m\n"
+
+if gpg --homedir "${GNUPGHOME}" --batch --yes --local-user "${FPR}" --output "${SIG384}" --detach-sign "${HASH384}"; then
+  printf "\e[0;92m✅ Hash: [%s] signed: [%s]. \e[0m\n" "${HASH384}" "${SIG384}"
+fi
+
+if gpg --homedir "${GNUPGHOME}" --batch --yes --local-user "${FPR}" --output "${SIG512}" --detach-sign "${HASH512}"; then
+  printf "\e[0;92m✅ Hash: [%s] signed: [%s]. \e[0m\n" "${HASH512}" "${SIG512}"
+fi
+
+printf "\e[0;92m🔑 Signing hashes done.  \e[0m\n"
+
+exit 0
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh

@@ -0,0 +1,42 @@
+#!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck shell=sh
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+set -e
+
+printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh] \n\e[0m"
+
+PREREQ=""
+prereqs() { echo "${PREREQ}"; }
+# shellcheck disable=SC2249
+case "${1}" in
+  prereqs) prereqs; exit 0 ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+mkdir -p "${DESTDIR}/etc"
+
+cat >| "${DESTDIR}/etc/profile" << 'EOF'
+export PS1='$( STATUS=$?; \
+  if [ "${STATUS}" -eq 0 ]; then \
+    printf "\001\e[0;31m\002\u@\H\001\e[0m\002:\001\e[0;95m\002\w\001\e[0m\002>>\001\e[0;92m\002%d\001\e[0m\002|~#> " "${STATUS}"; \
+  else \
+    printf "\001\e[0;31m\002\u@\H\001\e[0m\002:\001\e[0;95m\002\w\001\e[0m\002>>\001\e[0;91m\002%d\001\e[0m\002|~#> " "${STATUS}"; \
+  fi; ) '
+EOF
+
+printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999_ciss_custom_prompt.sh] \n\e[0m"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh

@@ -0,0 +1,155 @@
+#!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck shell=sh
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+set -e
+
+printf "\e[95mStarting: [/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh] \n\e[0m"
+
+PREREQ=""
+prereqs() { echo "${PREREQ}"; }
+# shellcheck disable=SC2249
+case "${1}" in
+  prereqs) prereqs; exit 0 ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+
+
+### Ensure directory structure in initramfs ------------------------------------------------------------------------------------
+install -d -m 0755  "${DESTDIR}/etc/ciss/keys"
+install -d -m 0755  "${DESTDIR}/etc/initramfs-tools/conf.d"
+install -d -m 0755  "${DESTDIR}/etc/initramfs-tools/scripts/init-premount"
+install -d -m 0755  "${DESTDIR}/usr/bin"
+install -d -m 0755  "${DESTDIR}/usr/local/bin"
+install -d -m 0755  "${DESTDIR}/usr/sbin"
+
+
+### Include 'bash' -------------------------------------------------------------------------------------------------------------
+copy_exec /usr/bin/bash /usr/bin/bash
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/bash /usr/bin/bash] \n\e[0m"
+
+
+### Include 'blkid' ------------------------------------------------------------------------------------------------------------
+copy_exec /usr/sbin/blkid /usr/sbin/blkid
+printf "\e[92mSuccessfully executed: [copy_exec /usr/sbin/blkid /usr/sbin/blkid] \n\e[0m"
+
+
+### Include 'busybox' ----------------------------------------------------------------------------------------------------------
+copy_exec /usr/bin/busybox /usr/busybox
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/busybox /usr/busybox] \n\e[0m"
+
+
+### Include GNU coreutils 'sort' (has -V) --------------------------------------------------------------------------------------
+copy_exec /usr/bin/sort /usr/bin/sort
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sort /usr/bin/sort] \n\e[0m"
+
+
+### Include 'gpgv' -------------------------------------------------------------------------------------------------------------
+copy_exec /usr/bin/gpgv /usr/bin/gpgv
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/gpgv /usr/bin/gpgv] \n\e[0m"
+
+
+### Include 'lsblk' ------------------------------------------------------------------------------------------------------------
+copy_exec /usr/bin/lsblk /usr/bin/lsblk
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/lsblk /usr/bin/lsblk] \n\e[0m"
+
+
+### Include 'mkpasswd' ---------------------------------------------------------------------------------------------------------
+copy_exec /usr/bin/mkpasswd /usr/mkpasswd
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/mkpasswd] \n\e[0m"
+copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/mkpasswd /usr/bin/mkpasswd] \n\e[0m"
+
+
+### Include 'udevadm' (udev management tool) -----------------------------------------------------------------------------------
+copy_exec /usr/bin/udevadm /usr/bin/udevadm
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/udevadm /usr/bin/udevadm] \n\e[0m"
+
+
+### Include 'sha384sum' 'sha512sum' --------------------------------------------------------------------------------------------
+copy_exec /usr/bin/sha384sum /usr/bin/sha384sum
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha384sum /usr/bin/sha384sum ] \n\e[0m"
+copy_exec /usr/bin/sha512sum /usr/bin/sha512sum
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/sha512sum /usr/bin/sha512sum] \n\e[0m"
+
+
+### Include 'tree' -------------------------------------------------------------------------------------------------------------
+copy_exec /usr/bin/tree /usr/bin/tree
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/tree /usr/bin/tree] \n\e[0m"
+
+
+### Include 'whois' ------------------------------------------------------------------------------------------------------------
+copy_exec /usr/bin/whois /usr/bin/whois
+printf "\e[92mSuccessfully executed: [copy_exec /usr/bin/whois /usr/bin/whois] \n\e[0m"
+
+
+### Link busybox applets for compatibility -------------------------------------------------------------------------------------
+for dir in bin usr/bin; do
+  ln -sf busybox "${DESTDIR}/${dir}/cat"
+  ln -sf busybox "${DESTDIR}/${dir}/sleep"
+done
+
+
+### Install GPG signing keys ---------------------------------------------------------------------------------------------------
+src_dir="/etc/ciss/keys"
+dst_dir="${DESTDIR}/etc/ciss/keys"
+key=""
+
+if [ -d "${src_dir}" ]; then
+
+    install -d -m 0755 "${dst_dir}"
+
+    for key in "${src_dir}"/*.gpg; do
+
+        [ -e "${key}" ] || continue
+
+        install -m 0444 "${key}" "${dst_dir}/"
+
+        printf '\e[92mSuccessfully executed: [install -m 0444 %s %s]\n\e[0m' "${key}" "${dst_dir}"
+
+    done
+
+fi
+
+### Install Dropbear configuration ---------------------------------------------------------------------------------------------
+install -m 0444 /etc/dropbear/initramfs/dropbear.conf "${DESTDIR}/etc/dropbear/dropbear.conf"
+printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/dropbear.conf %s/etc/dropbear/dropbear.conf] \n\e[0m" "${DESTDIR}"
+
+# TODO: Update the scripts to be usable for upcoming Live ISO encryption
+# TODO: Integrate online signing
+### Install Dropbear 'cryptroot-unlock'-Wrapper --------------------------------------------------------------------------------
+install -m 0555 /etc/initramfs-tools/files/unlock_wrapper.sh "${DESTDIR}/usr/local/bin/unlock_wrapper.sh"
+printf "\e[92mSuccessfully executed: [install -m 0555 /etc/initramfs-tools/files/unlock_wrapper.sh %s/usr/local/bin/unlock_wrapper.sh] \n\e[0m" "${DESTDIR}"
+
+install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512 "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha512"
+printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512 %s/usr/local/bin/unlock_wrapper.sh.sha512] \n\e[0m" "${DESTDIR}"
+
+install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig "${DESTDIR}/usr/local/bin/unlock_wrapper.sh.sha512.sig"
+printf "\e[92mSuccessfully executed: [install -m 0444 /etc/initramfs-tools/files/unlock_wrapper.sh.sha512.sig %s/usr/local/bin/unlock_wrapper.sh.sha512.sig] \n\e[0m" "${DESTDIR}"
+
+# TODO: Refactor with online signing
+### Install Dropbear GPG Signing Keys ------------------------------------------------------------------------------------------
+install -m 0444 /root/.ciss/cdi/keys/unlock_wrapper_pubring.gpg "${DESTDIR}/etc/keys/unlock_wrapper_pubring.gpg"
+printf "\e[92mSuccessfully executed: [install -m 0444 /root/.ciss/cdi/keys/unlock_wrapper_pubring.gpg %s/etc/keys/unlock_wrapper_pubring.gpg] \n\e[0m" "${DESTDIR}"
+
+### Install Dropbear Banner ----------------------------------------------------------------------------------------------------
+install -m 0444 /etc/dropbear/initramfs/banner "${DESTDIR}/etc/dropbear/banner"
+printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/banner %s/etc/dropbear/banner] \n\e[0m" "${DESTDIR}"
+
+### EOS
+
+printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh] \n\e[0m"
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/includes.chroot/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh

@@ -0,0 +1,33 @@
+#!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck shell=sh
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+set -e
+
+PREREQ=""
+prereqs() { echo "${PREREQ}"; }
+# shellcheck disable=SC2249
+case "${1}" in
+  prereqs) prereqs; exit 0 ;;
+esac
+
+mkdir -p /run/ciss
+printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_premount_early.log
+
+### Make sure /usr/local/bin is in front of 'PATH'.
+export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"
+
+printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_premount_late.log
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/includes.chroot/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh

@@ -0,0 +1,33 @@
+#!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck shell=sh
+
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-11-10; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+set -e
+
+PREREQ=""
+prereqs() { echo "${PREREQ}"; }
+# shellcheck disable=SC2249
+case "${1}" in
+  prereqs) prereqs; exit 0 ;;
+esac
+
+mkdir -p /run/ciss
+printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_top_early.log
+
+### Make sure /usr/local/bin is in front of 'PATH'.
+export PATH="/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr"
+
+printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_top_late.log
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/includes.chroot/etc/ssh/ssh_known_hosts

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.400.2025.11.08
+# Version Master V8.13.404.2025.11.10
 
 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==

config/includes.chroot/etc/ssh/sshd_config

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.400.2025.11.08
+# Version Master V8.13.404.2025.11.10
 
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig

config/includes.chroot/etc/sysctl.d/99_local.hardened

@@ -11,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.400.2025.11.08
+# Version Master V8.13.404.2025.11.10
 
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/

config/includes.chroot/preseed/.iso/preseed_hash_generator.sh

@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-declare -gr VERSION="Master V8.13.400.2025.11.08"
+declare -gr VERSION="Master V8.13.404.2025.11.10"
 
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then

config/includes.chroot/preseed/preseed.cfg

@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V8.13.400.2025.11.08 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V8.13.404.2025.11.10 at: 10:18:37.9542

config/includes.chroot/usr/lib/live/boot/0030-verify-checksums

@@ -209,12 +209,12 @@ Verify_checksums() {
           if grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_TTY}"; then
 
             _RETURN_SHA="${?}"
-            printf "\e[92m[INFO] Found: [%s] successful done, for: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"
+            printf "\e[92m[INFO] Found: [%s] successful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"
 
           else
 
             _RETURN_SHA="${?}"
-            printf "\e[91m[FATAL] Found: [%s] failed, for: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"
+            printf "\e[91m[FATAL] Found: [%s] unsuccessful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"
 
           fi
 

config/includes.chroot/usr/share/initramfs-tools/scripts/init-premount/dropbear

@@ -0,0 +1,65 @@
+#!/bin/sh
+# bashsupport disable=BP5007
+# shellcheck shell=sh
+
+PREREQ="udev"
+
+prereqs() {
+    echo "${PREREQ}"
+}
+
+# shellcheck disable=SC2249
+case "$1" in
+    prereqs)
+        prereqs
+        exit 0
+    ;;
+esac
+
+# shellcheck disable=SC2292
+[ -x /sbin/dropbear ] || exit 0
+
+
+run_dropbear() {
+    ### CISS.debian.live.builder
+    ### Remove old flags for dropbear version 2025.88-2.
+    ### Only accepts flags from '/etc/dropbear/dropbear.conf'.
+
+    #local flags="Fs"
+    # shellcheck disable=SC2034,SC2154,SC2292
+    [ "${debug}" != y ] || flags="E${flags}" # log to standard error
+
+    # Always run configure_networking() before dropbear(8); on NFS
+    # mounts this has been done already
+
+    # shellcheck disable=SC2292
+    [ "${BOOT}" = nfs ] || configure_networking
+
+    log_begin_msg "Starting dropbear"
+    # Using exec and keeping dropbear in the foreground enables the
+    # init-bottom script to kill the remaining ipconfig processes if
+    # someone unlocks the rootfs from the console while the network is
+    # being configured
+    # shellcheck disable=SC2086
+    exec /sbin/dropbear ${DROPBEAR_OPTIONS-}
+}
+
+# shellcheck disable=SC2292
+if [ -e /etc/dropbear/dropbear.conf ]; then
+    . /etc/dropbear/dropbear.conf
+fi
+. /scripts/functions
+
+# On NFS mounts, wait until the network is configured.  On local mounts,
+# configure the network in the background (in run_dropbear()) so someone
+# with console access can enter the passphrase immediately.  (With the
+# default ip=dhcp, configure_networking hangs for 5mins or so when the
+# network is unavailable, for instance.)
+
+# shellcheck disable=SC2292
+[ "${BOOT}" != nfs ] || configure_networking
+
+run_dropbear &
+echo $! >/run/dropbear.pid
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh