V9.14.008.2026.06.04

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

ciss_live_builder.sh

@@ -167,12 +167,29 @@ find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
   source_guard "./lib/lib_provider_netcup.sh"
   source_guard "./lib/lib_run_analysis.sh"
   source_guard "./lib/lib_sanitizer.sh"
+  source_guard "./lib/lib_secureboot_profile.sh"
   source_guard "./lib/lib_trap_on_err.sh"
   source_guard "./lib/lib_trap_on_exit.sh"
   source_guard "./lib/lib_update_microcode.sh"
   source_guard "./lib/lib_usage.sh"
 }
 
+### PRE-SCAN SECURE BOOT PROFILE FOR BUILD-HOST PACKAGE CHECKS.
+### Formal validation still happens in arg_parser().
+for ((idx=0; idx<${#ARY_PARAM_ARRAY[@]}; idx++)); do
+  case "${ARY_PARAM_ARRAY[idx],,}" in
+    --secure-boot-profile=*)
+      declare -gx VAR_CISS_SECUREBOOT_PROFILE="${ARY_PARAM_ARRAY[idx]#*=}"
+      ;;
+    --secure-boot-profile)
+      if [[ -n "${ARY_PARAM_ARRAY[idx + 1]:-}" ]]; then
+        declare -gx VAR_CISS_SECUREBOOT_PROFILE="${ARY_PARAM_ARRAY[idx + 1]}"
+      fi
+      ;;
+  esac
+done
+unset idx
+
 ### CHECKING REQUIRED PACKAGES.
 check_pkgs
 
@@ -248,6 +265,7 @@ init_primordial
 ### Integrate the CISS.debian.live.builder repository into the build directory.
 ### Modifications from this point onwards must be placed under 'VAR_HANDLER_BUILD_DIR'.
 hardening_ultra
+secureboot_profile_apply
 
 ### CISS.debian.installer 'GRUB' and 'autostart' generator.
 cdi