V9.14.022.2026.06.10: Document rootfs attestation boundary

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

.archive/0010_dhcp_supersede.sh

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 if [[ ! -d "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp ]]; then
 
@@ -107,7 +107,7 @@ options edns0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' successfully applied. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.archive/0100_ciss_mem_wipe.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -296,7 +296,7 @@ ln -sf /etc/systemd/system/ciss-memwipe.service /etc/systemd/system/multi-user.t
 
 systemctl enable ciss-memwipe.service
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.archive/9985_clamav.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 mkdir -p /etc/systemd/system/clamav-daemon.service.d
 cat << 'EOF' >| /etc/systemd/system/clamav-daemon.service.d/override.conf
@@ -69,7 +69,7 @@ CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SYS_NICE
 EOF
 chmod 0644 /etc/systemd/system/clamav-freshclam.service.d/override.conf
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.archive/9999_interfaces_update.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
@@ -63,7 +63,7 @@ EOF
 
 chmod 0644 /etc/network/interfaces
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

.archive/generate_PRIVATE_trixie_0.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.27
+# Version Master V9.14.022.2026.06.10
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 

.archive/generate_PRIVATE_trixie_1.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.27
+# Version Master V9.14.022.2026.06.10
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 

.archive/generate_PUBLIC_iso.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.27
+# Version Master V9.14.022.2026.06.10
 
 name: 💙 Generating a PUBLIC Live ISO.
 

.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml

@@ -25,7 +25,7 @@ body:
     attributes:
       label: "Version"
       description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V8.13.512.2025.11.27"
+      placeholder: "e.g., Master V9.14.022.2026.06.10"
     validations:
       required: true
 

.gitea/TODO/dockerfile

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.27
+# Version Master V9.14.022.2026.06.10
 
 FROM debian:bookworm
 

.gitea/TODO/render-md-to-html.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.27
+# Version Master V9.14.022.2026.06.10
 
 name: 🔁 Render README.md to README.html.
 

.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.512.2025.11.27
+  version: V9.14.022.2026.06.10
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.512.2025.11.27
+  version: V8.13.768.2025.12.06
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_PUBLIC.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.512.2025.11.27
+  version: V9.14.022.2026.06.10
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/trigger/t_generate_dns.yaml

@@ -11,5 +11,5 @@
 
 build:
   counter: 1023
-  version: V8.13.512.2025.11.27
+  version: V9.14.022.2026.06.10
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml

.gitea/workflows/generate_PRIVATE_trixie_0.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.27
+# Version Master V9.14.022.2026.06.10
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 
@@ -65,6 +65,7 @@ jobs:
             bash \
             bat \
             ca-certificates \
+            cryptsetup \
             curl \
             debootstrap \
             git \
@@ -183,6 +184,7 @@ jobs:
           install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
           install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt
           install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_ca.asc
           install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc
           install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt
 
@@ -196,6 +198,7 @@ jobs:
           echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}"            >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
           echo "${{ secrets.CISS_PHYS_AGE }}"                     >| /dev/shm/cdlb_secrets/keys.txt
           echo "${{ secrets.CISS_PHYS_LUKS }}"                    >| /dev/shm/cdlb_secrets/luks.txt
+          echo "${{ secrets.PGP_CISS_CA_PUBLIC_KEY }}"            >| /dev/shm/cdlb_secrets/signing_ca.asc
           echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}"       >| /dev/shm/cdlb_secrets/signing_key.asc
           echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}"  >| /dev/shm/cdlb_secrets/signing_key_pass.txt
 
@@ -204,20 +207,22 @@ jobs:
           set -euo pipefail
           chmod 0700 ciss_live_builder.sh
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'.
+          chmod 0400 /dev/shm/cdlb_secrets/*
           ./ciss_live_builder.sh \
             --architecture amd64 \
-            --autobuild=6.16.3+deb13-amd64 \
+            --autobuild=6.17.8+deb13-amd64 \
             --build-directory /opt/cdlb \
             --cdi \
+            --change-splash hexagon \
             --control "${timestamp}" \
-            --debug \
             --dhcp-centurion \
             --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS }} \
             --key_age=keys.txt \
             --key_luks=luks.txt \
             --provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
             --root-password-file /dev/shm/cdlb_secrets/password.txt \
+            --signing_ca=signing_ca.asc \
             --signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }} \
             --signing_key_pass=signing_key_pass.txt \
             --signing_key=signing_key.asc \
@@ -227,7 +232,6 @@ jobs:
             --trixie
 
       - name: 📥 Checking Centurion Cloud for existing LIVE ISOs.
-        shell: bash
         env:
           NC_BASE: "https://cloud.e2ee.li"
           SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
@@ -237,11 +241,8 @@ jobs:
           SHARE_SUBDIR=""
 
           echo "📥 Get directory listing via PROPFIND ..."
-          curl -s \
-          --user "${SHARE_TOKEN}:${SHARE_PASS}" \
-          -X PROPFIND \
-          -H "Depth: 1" \
-          "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
+
+          curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X PROPFIND -H "Depth: 1" "${NC_BASE}/public.php/webdav/${SHARE_SUBDIR}" \
           -o propfind_public.xml
 
           echo "📥 Filter .iso files from the PROPFIND response ..."
@@ -249,46 +250,65 @@ jobs:
           grep -oP '(?<=<d:href>)[^<]+\.iso(?=</d:href>)' propfind_public.xml >| public_iso_list.txt || true
 
           if [[ -f public_iso_list.txt && -s public_iso_list.txt ]]; then
+
             echo "💡 Old ISO files found and deleted :"
+
             while IFS= read -r href; do
+
               FILE_URL="${NC_BASE}${href}"
               echo "  Delete: ${FILE_URL}"
-              if curl -s \
-                --user "${SHARE_TOKEN}:${SHARE_PASS}" \
-                  -X DELETE "${FILE_URL}"; then
+
+              if curl -s --user "${SHARE_TOKEN}:${SHARE_PASS}" -X DELETE "${FILE_URL}"; then
+
                 echo "    ✅ Successfully deleted: $(basename "${href}")"
+
               else
+
                 echo "    ❌ Error: $(basename "${href}") could not be deleted"
+
               fi
+
             done < public_iso_list.txt
+
           else
+
             echo "💡 No old ISO files found to delete."
+
           fi
 
       - name: ⬆️ Upload the ISO file to the Centurion Cloud (cloud.e2ee.li) via WebDAV.
-        shell: bash
         env:
           NC_BASE: "https://cloud.e2ee.li"
           SHARE_TOKEN: "${{ secrets.CENTURION_CLOUD_UL_USER }}"
           SHARE_PASS: "${{ secrets.CENTURION_CLOUD_UL_PASSWD }}"
         run: |
           set -euo pipefail
+
           if [[ $(ls /opt/cdlb/*.iso 2>/dev/null | wc -l) -ne 1 ]]; then
+
             echo "❌ There must be exactly one .iso file in the directory!"
             exit 1
+
           else
+
             VAR_ISO_FILE_PATH=$(ls /opt/cdlb/*.iso)
             VAR_ISO_FILE_NAME=$(basename "${VAR_ISO_FILE_PATH}")
             echo "✅ ISO file found: ${VAR_ISO_FILE_NAME}"
+
           fi
 
           AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
+
           if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
           --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
+
             echo "✅ New ISO successfully uploaded."
+
           else
+
             echo "❌ Uploading the new ISO failed."
             exit 1
+
           fi
 
       - name: 🔑 Generating a sha512 Hash of ISO, signing with the 'CI PGP DEPLOY ONLY' key, generate a success message file.

.gitea/workflows/generate_PRIVATE_trixie_1.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.27
+# Version Master V9.14.022.2026.06.10
 
 name: 🔐 Generating a Private Live ISO TRIXIE.
 
@@ -65,6 +65,7 @@ jobs:
             bash \
             bat \
             ca-certificates \
+            cryptsetup \
             curl \
             debootstrap \
             git \
@@ -183,6 +184,7 @@ jobs:
           install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
           install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt
           install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_ca.asc
           install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc
           install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt
 
@@ -196,6 +198,7 @@ jobs:
           echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}"            >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
           echo "${{ secrets.CISS_PHYS_AGE }}"                     >| /dev/shm/cdlb_secrets/keys.txt
           echo "${{ secrets.CISS_PHYS_LUKS }}"                    >| /dev/shm/cdlb_secrets/luks.txt
+          echo "${{ secrets.PGP_CISS_CA_PUBLIC_KEY }}"            >| /dev/shm/cdlb_secrets/signing_ca.asc
           echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}"       >| /dev/shm/cdlb_secrets/signing_key.asc
           echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}"  >| /dev/shm/cdlb_secrets/signing_key_pass.txt
 
@@ -204,17 +207,20 @@ jobs:
           set -euo pipefail
           chmod 0700 ciss_live_builder.sh
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'.
+          chmod 0400 /dev/shm/cdlb_secrets/*
           ./ciss_live_builder.sh \
             --architecture amd64 \
-            --autobuild=6.16.3+deb13-amd64 \
+            --autobuild=6.17.8+deb13-amd64 \
             --build-directory /opt/cdlb \
             --cdi \
+            --change-splash hexagon \
             --control "${timestamp}" \
             --jump-host ${{ secrets.CISS_DLB_JUMP_HOSTS_1 }} \
             --key_age=keys.txt \
             --key_luks=luks.txt \
             --root-password-file /dev/shm/cdlb_secrets/password.txt \
+            --signing_ca=signing_ca.asc \
             --signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }} \
             --signing_key_pass=signing_key_pass.txt \
             --signing_key=signing_key.asc \
@@ -291,7 +297,7 @@ jobs:
 
           AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
 
-          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}"
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
           --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
 
             echo "✅ New ISO successfully uploaded."

.gitea/workflows/generate_PUBLIC_iso.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.27
+# Version Master V9.14.022.2026.06.10
 
 name: 💙 Generating a PUBLIC Live ISO.
 
@@ -65,6 +65,7 @@ jobs:
             bash \
             bat \
             ca-certificates \
+            cryptsetup \
             curl \
             debootstrap \
             git \
@@ -183,14 +184,14 @@ jobs:
           set -euo pipefail
           chmod 0700 ciss_live_builder.sh
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'.
+          chmod 0400 /dev/shm/cdlb_secrets/*
           ./ciss_live_builder.sh \
             --architecture amd64 \
-            --autobuild=6.16.3+deb13-amd64 \
+            --autobuild=6.17.8+deb13-amd64 \
             --build-directory /opt/cdlb \
-            --cdi \
+            --change-splash hexagon \
             --control "${timestamp}" \
-            --debug \
             --root-password-file /dev/shm/cdlb_secrets/password.txt \
             --ssh-port 42137 \
             --ssh-pubkey /dev/shm/cdlb_secrets \
@@ -264,7 +265,7 @@ jobs:
 
           AUTH="${SHARE_TOKEN}:${SHARE_PASS}"
 
-          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}"
+          if curl --retry 2 "${NC_BASE}"/public.php/webdav/"${VAR_ISO_FILE_NAME}" \
           --upload-file "${VAR_ISO_FILE_PATH}" --user "${AUTH}" > /dev/null 2>&1; then
 
             echo "✅ New ISO successfully uploaded."

.gitea/workflows/linter_char_scripts.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.27
+# Version Master V9.14.022.2026.06.10
 
 # Gitea Workflow: Shell-Script Linting
 #

.gitea/workflows/render-dnssec-status.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.27
+# Version Master V9.14.022.2026.06.10
 
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
 

.gitea/workflows/render-dot-to-png.yaml

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-# Version Master V8.13.512.2025.11.27
+# Version Master V9.14.022.2026.06.10
 
 name: 🔁 Render Graphviz Diagrams.
 

.gitignore

@@ -16,5 +16,11 @@ target/
 *.log
 *.ps1
 config.mk
+ciss.secureboot/private/*
+!ciss.secureboot/private/README.md
+ciss.secureboot/manifests/*
+!ciss.secureboot/manifests/.gitkeep
+ciss.secureboot/uki/*
+!ciss.secureboot/uki/.gitkeep
 Thumbs.db
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

.version.properties

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V8.13.512.2025.11.27"
+properties_version="V9.14.022.2026.06.10"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf

AGENTS.md

@@ -0,0 +1,125 @@
+# AGENTS.md
+
+## Purpose
+
+This repository builds and maintains the CISS Debian Live Builder for Debian 13 Trixie.
+Treat every change as security-sensitive and boot-chain-sensitive.
+
+Persistent coding details live in `docs/CODING_CONVENTION.md`.
+Review-only instructions live in `code_review.md`.
+
+## Instruction precedence for this repository
+
+Use this order when instructions differ:
+
+1. The current user task prompt defines the immediate objective and task-specific acceptance criteria.
+2. This `AGENTS.md` defines repository-wide constraints and routing guidance.
+3. `docs/CODING_CONVENTION.md` defines detailed coding conventions.
+4. `code_review.md` applies when performing a review or final self-review.
+5. Personal/global Codex instructions apply only where they do not conflict with repository rules.
+
+When in doubt, choose the safer, smaller, more easily reviewable change and explain the uncertainty.
+
+## Non-negotiable constraints
+
+- Target Debian 13 Trixie unless the task explicitly states otherwise.
+- Do not introduce Ubuntu-specific assumptions.
+- Do not invent live-build, live-boot, initramfs, cryptsetup, systemd, GRUB, Debian package, or upstream tool behavior.
+- Verify uncertain behavior against existing repository code or authoritative upstream documentation.
+- Do not add phase-argument gates to live-boot or initramfs scripts. Execution phase is controlled by Debian hook placement.
+- Preserve encrypted-root and encrypted-SquashFS architecture unless the task explicitly changes it.
+- Prefer simple, explicit, inspectable Bash over clever abstraction.
+- Do not use `eval`.
+- Do not print secrets, private keys, passphrases, tokens, or sensitive environment values.
+
+## Repository map
+
+Common areas:
+
+- `ciss_live_builder.sh`, `lib/*.sh`: host-side orchestration and argument handling.
+- `makefile`: local wrapper for composing and executing builder invocations.
+- `config/hooks/live/*.chroot`: live-build chroot hooks.
+- `config/hooks/live/*.binary`: live-build binary-image hooks.
+- `config/includes.chroot/etc/initramfs-tools/hooks/*`: initramfs build hooks.
+- `config/includes.chroot/etc/initramfs-tools/scripts/*`: initramfs boot scripts.
+- `config/includes.chroot/usr/lib/live/boot/*`: live-boot runtime scripts.
+- `scripts/*`: helper scripts or files copied into the generated image.
+- `docs/*`: project documentation and conventions.
+
+## Working method
+
+Before editing:
+
+1. Inspect the relevant scripts, hooks, configuration files, documentation, tests, and naming conventions.
+2. Identify the affected build or boot phase.
+3. Give a concise implementation plan and list the likely files to touch, unless the change is trivial.
+
+While editing:
+
+- Keep changes minimal and local to the task.
+- Preserve existing architecture, naming style, error handling, formatting, and security posture.
+- Do not perform unrelated cleanup or formatting churn.
+- Reuse existing helper functions for logging, fatal errors, validation, downloads, temporary files, and tool checks where available.
+- Do not introduce new runtime dependencies unless technically necessary and justified.
+
+After editing:
+
+- Run only the narrowest checks that prove the change.
+- Changed Bash files: run `bash -n <file>` and `shellcheck <file>` if ShellCheck is available.
+- Changed POSIX shell files, if any exist and must remain POSIX: run `sh -n <file>`.
+- Make wrapper or builder argument-composition changes: run the relevant dry-run or help/parser check, usually `make dry-run` if available.
+- Changed Python files: run the repository's relevant Python checks if present.
+- CLI or user-facing behavior changes: update `usage()` and relevant documentation.
+- Live-build, initramfs, or ISO behavior changes: state the required Debian Trixie validation command. Do not run a full live build unless requested or necessary.
+
+## Bash conventions summary
+
+See `docs/CODING_CONVENTION.md` for detail.
+
+- Use Bash for new and modified project scripts unless an existing Debian interface file explicitly requires POSIX shell.
+- Prefer `set -Ceuo pipefail` where feasible.
+- Use `declare` for variables inside functions.
+- Quote expansions unless word splitting or globbing is explicitly required.
+- Prefer arrays where argument boundaries matter.
+- Use `[[ ... ]]` for Bash conditionals.
+- Use `case` for option dispatch and multi-branch string handling.
+- Avoid parsing `ls`.
+- Prefer `command -v` over `which`.
+- Keep functions small and readable.
+- End functions explicitly with `return 0` where consistent with surrounding code.
+- Code comments must be in English.
+
+## Security-sensitive areas
+
+Before finalizing a change, check whether it affects:
+
+- boot trust
+- initramfs behavior
+- live-boot runtime behavior
+- cryptsetup/LUKS handling
+- encrypted SquashFS handling
+- key material
+- remote unlock
+- TLS, mTLS, signature, checksum, or provenance verification
+- package sources or remote downloads
+- network exposure
+- file permissions
+- persistence
+- logging of sensitive values
+
+If affected, document the concrete risk and mitigation in the final response.
+
+## Final response
+
+Return a concise implementation report:
+
+- changed files
+- what changed
+- checks run and result
+- real remaining risks or follow-up steps
+
+Do not claim success for checks that were not run.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

CISS.debian.live.builder.spdx

@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V8.13.512.2025.11.27
+PackageVersion: Master V9.14.022.2026.06.10
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder

LINTER_RESULTS.txt

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-11-27; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-12-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-11-27T23:55:26Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-12-06T04:39:51Z"
 
 ✅ The last linter check was successful. ✅
 

LIVE_ISO_TRIXIE_0.private

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-11-08; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-12-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-11-08T19:46:24Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-12-06T03:44:29Z"
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_11_08T18_57_19Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_12_06T02_53_28Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  11065e6ed8f99b533352ad86bd5b4cc9b407652e79a34718da6aad46a5f603738553fde6fbcceaa3128bfbbfa4c1674c05552232d4620ea250bc029545600718
+  2bf967b902455fe1f4d3ba1cb0b3c5983c6812181ae95b10ce837c0aaae084207bf15c22add2709c21c45f4262db2a2f787b2c93f3a1c507289c020e70314707
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaQ+eEAAKCRA85KY4hzOw
-IcJaAP9FYAzawGRXQqt5mEL3SQy4cSDkc5/r/KDhy+ABdVNMvAEA1ReKZ7qXrESP
-rgP2MsHaXHVBWGJUvFyMf6dUpbjEnA8=
-=SkUY
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaTOmnQAKCRA85KY4hzOw
+IcItAQDvE6vEkbslGR5BLMVV+DKi2GDnIzIMVs7zROiPsKb3BgEA1Koqx7ccc+H2
+MmNv12w674dS2xmTZHOViYePe2KWLw0=
+=I8w2
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

LIVE_ISO_TRIXIE_1.private

@@ -1,5 +1,5 @@
 # SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-29; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-CreationInfo: 2025-12-06; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
 # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
 # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
@@ -9,19 +9,19 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-This file was automatically generated by the DEPLOY BOT on: "2025-10-29T21:52:45Z"
+This file was automatically generated by the DEPLOY BOT on: "2025-12-06T04:35:36Z"
 
 CISS.debian.live.builder ISO :
-  "ciss-debian-live-2025_10_29T20_59_34Z-amd64.hybrid.iso"
+  "ciss-debian-live-2025_12_06T03_45_41Z-amd64.hybrid.iso"
 CISS.debian.live.builder ISO sha512 :
-  c2b295aa3bd7ccfbe6c83aa27aeeace796251ad93ebfbf999bc6b1ae7c3c881efeeeda5e9235c5f5b7ad022ee465bc61e04c46906c6a7ca79214866ae62e160d
+  fe9481d92cf61554da92ff883a58d9aaa2ae5fe86d9c3dd634a1c3a79e1b6ca5e08693d4f9b0870077fc0bf2f840a3e678d9c9dc44f9b8dae5d474a6d39e16b2
 CISS.debian.live.builder ISO sha512 sign :
   -----BEGIN PGP SIGNATURE-----
 
-iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaQKMrQAKCRA85KY4hzOw
-ISgMAQDy82Yr4/F3cI/ZzLQJyoFSY2qgPl8d84eJZFhhTFpD3AEAmMBws55fQAzz
-Q9DBRAvRYgMDLmqsog+m3FEH7cXtDAg=
-=o+0d
+iHUEABYKAB0WIQSqYnPMNKGz69afyHA85KY4hzOwIQUCaTOymAAKCRA85KY4hzOw
+Ic1iAQDVxT891Nv+LHzQs3vL31/1wqeOjiGmZbEJR8XvBoRe4wEAjdmvUpEXyb1Y
+qhaFcxWDrRgiVKaitGkbNo2w6yICdgY=
+=TQPs
 -----END PGP SIGNATURE-----
 
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=text

README.md

@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.512.2025.11.27-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.022.2026.06.10-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
  
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)  
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)  
@@ -11,10 +11,10 @@ include_toc: true
 [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh)  
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
  
-[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.25.1-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)  
-[![Static Badge](https://badges.coresecret.dev/badge/Runner-0.2.13-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=runner&color=%23609926)](https://docs.gitea.com/)  
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.4-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)  
-[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/)  
+[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.26.1-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/)  
+[![Static Badge](https://badges.coresecret.dev/badge/Runner-1.0.8-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=runner&color=%23609926)](https://docs.gitea.com/)  
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2026.1.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly)  
+[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.12-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/)  
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de)  
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/)  
 [![Static Badge](https://badges.coresecret.dev/badge/SocialMedia-@coresecret_eu-white?style=plastic&logo=x&logoColor=white&logoSize=auto&label=SocialMedia&color=%23000000)](https://x.com/coresecret_eu)  
@@ -26,27 +26,68 @@ include_toc: true
 
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.27<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.022.2026.06.10<br>
 
-This shell wrapper automates the creation of a Debian Bookworm live ISO hardened according to the latest best practices in server
-and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for
-cloud deployment or unattended installations via the forthcoming `CISS.debian.installer`. Additionally, automated CI workflows 
-based on Gitea Actions are provided, enabling reproducible ISO generation. A generic ISO is automatically built upon significant
+**CISS.debian.live.builder — First of its own.**<br>
+**World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.**
+
+Developed and maintained as a one-man, security-driven engineering effort since 2024, **CISS.debian.live.builder** is designed 
+to serve as a reference implementation for hardened, image-based Debian deployments.
+
+This shell wrapper automates the creation of a Debian Trixie live ISO hardened according to the latest best practices in server
+and service security. It integrates into your build pipeline to deliver an isolated, robust environment suitable for cloud
+deployment or unattended installations via the forthcoming `CISS.debian.installer`. Additionally, automated CI workflows based
+on Gitea Actions are provided, enabling reproducible ISO generation. A generic ISO is automatically built upon significant
 changes and made publicly available for download. The latest generic ISO is available at:
 **[PUBLIC CISS.debian.live.ISO](/docs/DL_PUB_ISO.md)**
 
-Check out more:
-* [CenturionNet Services](https://coresecret.eu/cnet/) 
+Beyond a conventional live system, **CISS.debian.live.builder** assembles a **fully encrypted, integrity-protected live medium**
+in a single, deterministic build step: a LUKS2 container backed by `dm-integrity` hosting the SquashFS root filesystem, combined
+with a hardened initramfs chain including a dedicated Dropbear build pipeline for remote LUKS unlock. The resulting ISO ships 
+with a hardened kernel configuration, strict sysctl and network tuning, pre-configured SSH hardening and fail2ban, and a 
+customised `verify-checksums` path providing both ISO-edge verification and runtime attestation of the live root. All components
+are aligned with the `CISS.debian.installer` baseline, ensuring a unified cryptographic and security posture from first boot to 
+an installed system. For an overview of the entire build process, see:
+**[MAN_CISS_ISO_BOOT_CHAIN.md](docs/MAN_CISS_ISO_BOOT_CHAIN.md)**
+
+When built with the ``--dhcp-centurion`` profile, the live system ships with a strict network and resolver policy: 
+``systemd-networkd`` and ``systemd-resolved`` are pre-configured to use ``DNS-over-TLS (DoT)`` exclusively against the 
+**CenturionDNS** resolver infrastructure; plain DNS is not used and connectivity failures are treated as hard errors. DNSSEC 
+validation is enforced in a fail-closed manner: zones with invalid or broken signatures result in ``SERVFAIL`` and are not 
+silently downgraded. Multicast name resolution via ``mDNS`` and ``LLMNR`` is disabled globally to avoid unintended name leakage
+and spoofing surfaces.
+
+Internally, the builder employs a dedicated secret-handling pipeline backed by a tmpfs-only secrets directory
+(`/dev/shm/cdlb_secrets`). Sensitive material such as root passwords, SSH keys, and signing keys never appears on the command
+line, is guarded by strict `0400 root:root` permissions, and any symlink inside the secret path is treated as a hard failure
+that aborts the run. Critical code paths temporarily disable Bash xtrace so that credentials never leak into debug logs, and
+transient secret files are shredded (`shred -fzu`) as soon as they are no longer needed. GNUPG homes used for signing are
+wiped, unencrypted chroot artifacts and includes are removed after `lb build`, and the final artifact is reduced to the
+encrypted SquashFS inside the LUKS2 container. At runtime, LUKS passphrases in the live ISO and installer are transported via
+named pipes inside the initramfs instead of process arguments, further minimizing exposure in process listings.
+
+Check out more leading world-class services powered by Centurion Intelligence Consulting Agency:
 * [CenturionDNS Resolver](https://eddns.eu/)
 * [CenturionDNS Blocklist](https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt) 
-* [CenturionNet Status](https://uptime.coresecret.eu/) 
 * [CenturionMeet](https://talk.e2ee.li/)
+* [CenturionNet Services](https://coresecret.eu/cnet/)
+* [CenturionNet Status](https://uptime.coresecret.eu/) 
+
+**Contact the author:**
 * [Contact the author](https://coresecret.eu/contact/)
 
+**Legal Disclaimer:**
+* This project is not affiliated with, authorized, maintained, sponsored, or endorsed by the [Debian Project](https://www.debian.org/) 
+* [Licensing & Compliance](#6-licensing--compliance)
+* [Disclaimer](#7-disclaimer)
+* [Centurion Imprint & Legal Notice](https://coresecret.eu/imprint/)
+* [Centurion Privacy Policy](https://coresecret.eu/privacy/)
+
 ## 1.1. Preliminary Remarks
 
 ### 1.1.1. HSM
+
 Please note that all my signing keys are stored in an HSM and that the signing environment is air-gapped. The next step is to 
 move to a room-gapped environment. ^^
 
@@ -58,57 +99,48 @@ add_header Expect-CT                 "max-age=86400, enforce"
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 ````
 
-* Additionally, the entire zone is dual-signed with **DNSSEC**. See the current **DNSSEC** status at: **[DNSSEC Audit Report](/docs/AUDIT_DNSSEC.md)**
-* A comprehensive TLS audit of the **`git.coresecret.dev`** Gitea server is also available. See: **[TLS Audit Report](/docs/AUDIT_TLS.md)**
-* The infrastructure of the **`CISS.debian.live.builder`** building system is visualized here. See: **[Centurion Net](/docs/CNET.md)**
+* The zones behind this project are dual-signed with **DNSSEC**. The current validation state is documented in the **[DNSSEC Audit Report](/docs/AUDIT_DNSSEC.md)**
+* The TLS surface of **``git.coresecret.dev``** is independently audited, and the findings are held in the **[TLS Audit Report](/docs/AUDIT_TLS.md)**
+* The topology of the underlying **`CISS.debian.live.builder`** building infrastructure is described in **[Centurion Net](/docs/CNET.md)**
 
 ### 1.1.3. Gitea Action Runner Hardening
 
-The CI runners operate on a dedicated host system located in a completely separate Autonomous System (AS). This host is solely 
-dedicated to providing CI runners and does not perform any other tasks. Each runner is hermetically isolated from others using 
-non-privileged, shell-less user accounts with no direct login capability. Additionally, each runner executes within its own 
-separate directory tree, employs `DynamicUser` features, and adheres to strict systemd hardening policies (achieving a ``systemd-analyze security`` 
-rating of **``2.6``**). Docker containers used by runners do not run in privileged mode. Security is further enhanced through the use 
-of both UFW software firewalls and dedicated hardware firewall appliances.
+The CI runners live on a host in a separate autonomous system, and that host has exactly one purpose: run Gitea Actions runners. 
+Each runner receives its own service account without a login shell, is bound to a separate directory tree, and inherits a 
+hardened systemd unit with ``DynamicUser``, reduced capabilities, and restrictive sandboxing. A ``systemd-analyze security`` score 
+of around **``2.6``** is the baseline, not an aspiration. Traffic from those runners traverses both a software firewall (UFW) 
+and dedicated hardware firewall appliances. Docker, where used, runs unprivileged.
 
 ## 1.2. Match Host and Target Versions
 
-Build, for example, a Debian Trixie live image only on a Debian Trixie host. The build toolchain and boot artifacts are 
-release-specific: ``live-build``, ``live-boot``, ``live-config``, ``debootstrap``, ``kernel/initramfs`` tools, ``mksquashfs``, 
-``GRUB/ISOLINUX``, and even ``dpkg/apt`` often change defaults and formats between releases (e.g., compression modes, SquashFS 
-options, hook ordering, systemd/udev behavior). Building on a different host release commonly yields non-reproducible or even 
-unbootable ISOs (missing modules/firmware, ABI mismatches, divergent paths). Keeping host and target on the same version ensures
-reproducible builds, matching dependencies, and compatible boot artifacts.
+I always build a Debian Trixie live image on a Debian Trixie host. The toolchain and all boot components that matter to 
+reproducibility are release-specific: ``live-build``, ``live-boot``, ``live-config``, ``debootstrap``, ``mksquashfs``, ``grub``, 
+the ``kernel``, ``initramfs`` tooling, and even ``dpkg`` and ``apt`` defaults evolve from one release to the next. Mixing 
+generations produces fragile or outright broken ISOs, sometimes subtly, sometimes catastrophically. Keeping host and target in 
+lockstep avoids those mismatches and gives me predictable artifacts across builds.
 
-## 1.3. Immutable Source-of-Truth System
+## 1.3. Immutable Source-of-Truth System and Encrypted Live Root
 
-This live ISO establishes a secure, fully deterministic, integrity self-verifying boot environment based entirely on static
-source-code definitions. All configurations, system components, and installation routines are embedded during build time and 
-locked for runtime immutability. This ensures that the live environment functions as a trusted **Source of Truth** — not only 
-for boot-time operations, but for deploying entire systems in a secure and reproducible way.<br>
+The live ISO acts as a sealed, immutable execution environment. All relevant configuration, all installation logic, and all 
+security decisions are rendered into the image at build time and treated as read-only at runtime. On top of that logical 
+ immutability, I now layer cryptographic protection of the live root file system itself. The live image contains a LUKS2 container
+file with dm-integrity that wraps the SquashFS payload. The initramfs knows how to locate this container, unlock it, verify its 
+integrity, and then present the decrypted SquashFS as the root component of an OverlayFS stack. The detailed boot and 
+verification chain is documented separately in **[CISS ISO Boot Chain](docs/MAN_CISS_ISO_BOOT_CHAIN.md)**<br>
 
-Once booted, the environment optionally launches a fully scripted installer, via the forthcoming `CISS.debian.installer`,
-yet to deploy, that provisions the target system (the hardware the DVD is running on). The installer pulls no external 
-dependencies besides of the necessary Debian debootstrap and Debian Packages and never exposes the target system in a not 
-secure manner to the internet during installation. It operates strictly from within the verified image content, providing fully 
-secured provisioning. Combined with checksum verification, **activated by default**, at boot and strict firewall defaults, this 
-architecture guarantees that what is executed has not been tampered with and corresponds exactly to the intended source definition.<br>
+In compact form, my expectations for the system are:<br>
 
-An even more secure deployment variant — an unattended and headless version — can be built without any active network interface
-or shell-access, also via the forthcoming `CISS.debian.installer`. Such a version performs all verification steps autonomously, 
-provisions the target device from embedded source artifacts, and reboots into a fully encrypted system image. The system then 
-awaits the decryption passphrase input via an embedded Dropbear SSH server (SSH PubKey only) in the initramfs, exposing no ports
-without cryptographic hardened access, while also the `/boot` partition could be encrypted via the built-in support of 
-`grub2 (2.12-9)`.<br>
+* Every bit that matters for boot and provisioning is covered by checksums that I control and that are signed with keys under my solely authoritative HSM.
+* The live root runs out of a LUKS2 dm-integrity container so that a tampered or bit-rotted SquashFS never becomes a trusted root.
+* Verification steps are not advisory. Any anomaly causes a hard abort during boot.
+* After the live environment has reached a stable, verified state, it can hand off to ``CISS.debian.installer``. The installer operates from the same image, does not pull random payloads from the internet, and keeps the target system behind a hardened firewall until the entire provisioning process has completed.
+* For unattended, headless scenarios I also support builds where the target system is installed without ever exposing a shell over the console. After installation and reboot, the machine waits for a decryption passphrase via an embedded Dropbear SSH instance in the initramfs, limited to public key authentication and guarded by strict cryptographic policies. In such variants even ``/boot`` can be encrypted, with GRUB taking care of unlocking the boot partition.
 
-This approach provides a fully reproducible, audit-friendly, and tamper-resistant provisioning workflow rooted entirely in 
-source-defined infrastructure logic.<br>
+These combinations give me a provisioning chain that is auditable, reproducible, and robust against both casual and targeted tampering.<br>
 
-After build and configuration, the following audit reports can be generated:
+Once the system is up, I can trigger a set of audits from within the live environment:
 
-* **Haveged Audit Report**: Validates entropy daemon health and confirms `/dev/random` seeding performance.
-  Type `chkhvg` at the prompt. See example report: **[Haveged Audit Report](/docs/AUDIT_HAVEGED.md)**
-* **Lynis Audit Report**: Outputs a detailed security score and recommendations, confirming a 91%+ hardening baseline.
+* **Lynis Audit Report**: Outputs a detailed security score and recommendations, confirming a 93%+ hardening baseline.
   Type `lsadt` at the prompt. See example report: **[Lynis Audit Report](/docs/AUDIT_LYNIS.md)**
 * **SSH Audit Report**: Verifies SSH daemon configuration against the latest best-practice cipher, KEX, and MAC recommendations.
   Type `ssh-audit <IP>:<PORT>`. See example report: **[SSH Audit Report](/docs/AUDIT_SSH.md)**
@@ -117,42 +149,33 @@ After build and configuration, the following audit reports can be generated:
 
 ![CISS.debian.live.builder](/docs/screenshots/CISS.debian.live.builder_preview.jpeg)
 
-## 1.5. Caution. Significant information for those considering using D-I.
-
+## 1.5. Caution. Debian Installer and Security Context
 **The Debian Installer (d-i) will ALWAYS boot a new system.**<br>
 
-Regardless of whether you start it:
-* via the boot menu of your Live ISO (grub, isolinux) like **CISS.debian.live.builder**,
-* via kexec in the running system,
-* via the debian-installer-launcher package,
-* or even via a graphical installer shortcut.
+The classical Debian Installer (d-i) always boots its own kernel and its own initramfs. That effect is independent of the way it
+is launched: 
 
-The following happens in all cases:
-* The installer kernel (/install/vmlinuz) + initrd.gz are started.
-* The existing live system is exited.
-* The memory is overwritten.
-* All running processes - e.g., firewall, hardened SSH access, etc. pp. - cease to exist.
+* from a GRUB entry on the live medium, 
+* from within a running live session via a graphical shortcut, 
+* through kexec, 
+* or via helper packages such as debian-installer-launcher.
 
-The Debian Installer loads:
-* its own kernel,
-* its own initramfs,
-* its own minimal root filesystem (BusyBox + udeb packages),
-* no SSH access (unless explicitly enabled via preseed)
-* no firewall, AppArmor, logging, etc. pp.,
-* it disables all running network services, even if you were previously in the live system.
+In all of these cases the running live system is discarded. The memory contents of the hardened live environment vanish, the 
+firewall disappears, the hardened SSH daemon is terminated, and the hardened kernel is replaced by the installer kernel. The 
+installer brings its own minimal root file system, usually BusyBox plus a limited set of udeb packages, and it does not 
+implement my firewall, my AppArmor profiles, my logging configuration, or my remote access policies, unless I explicitly 
+reintroduce those elements via preseed.
 
-This means function status of the **CISS.2025.debian.live.builder** ISO after d-i start:
-* ufw, iptables, nftables ✘ disabled, not loaded,
-* sshd with hardening ✘ stopped (processes gone),
-* the running kernel ✘ replaced,
-* Logging (rsyslog, journald) ✘ not active,
-* preseed control over the network is possible (but without any protection).
+In that phase the security properties are therefore those of d-i, not those of CISS.debian.live.builder. This is not a defect in
+Debian, it is a property of how any installer that boots its own kernel behaves. It is important to keep this distinction in 
+mind when deciding whether a workflow must stay inside the hardened live context or may trade that environment for the standard 
+installer toolchain.
 
 ## 1.6. Versioning Schema
 
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
 
-Example: `V8.13.512.2025.11.27`
+Example: `V9.14.022.2026.06.10`
 
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
 
@@ -168,74 +191,76 @@ and only when, they appear in all capitals, as shown here.
 
 # 2. Features & Rationale
 
-Below is a breakdown of each hardening component, with a summary of why each is critical to your security posture.
+Below I walk through the major hardening components, with a focus on why I implemented them the way I did and how they interact.
+I treat this builder as a reference implementation for my own infrastructure; **it is not a toy**.
 
 ## 2.1. Kernel Hardening
 
-### 2.1.1. Boot Parameters
+### 2.1.1. Unified Hardened Boot Parameters
 
-* **Description**: Customizes kernel command-line flags to disable unused features and enable mitigations.
-* **Key Parameters**:
-  * `audit_backlog_limit=8192`: Ensures the audit subsystem can queue up to 8192 events to avoid dropped logs under heavy loads.
-  * `audit=1`: Enables kernel auditing from boot to record system calls and security events.
-  * `cfi=kcfi`: Activates kernel control-flow integrity using kCFI to protect against control-flow hijacking.
-  * `debugfs=off`: Disables debugfs to prevent non-privileged access to kernel internals.
-  * `efi=disable_early_pci_dma`: Stops early PCI DMA under EFI to mitigate DMA-based attacks during boot.
-  * `efi_no_storage_paranoia`: Disables extra EFI storage checks to streamline boot without compromising expected storage integrity.
-  * `hardened_usercopy=1`: Enables stringent checks on copy operations between user and kernel space to prevent buffer overflows.
-  * `ia32_emulation=0`: Turns off 32-bit compatibility modes to reduce attack surface on 64-bit hosts.
-  * `init_on_alloc=1`: Zeroes memory on allocation to prevent leakage of previous data.
-  * `init_on_free=1`: Initializes memory on free to catch use-after-free bugs.
-  * `iommu=force`: Enforces IOMMU for all devices to isolate DMA-capable hardware.
-  * `kfence.sample_interval=100`: Configures the kernel fence memory safety tool to sample every 100 allocations.
-  * `kvm.nx_huge_pages=force`: Enforces non-executable huge pages in KVM to mitigate code injection.
-  * `l1d_flush=on`: Flushes L1 data cache on context switch to mitigate L1D vulnerabilities.
-  * `lockdown=confidentiality`: Puts the kernel in confidentiality lockdown to restrict direct hardware access.
-  * `loglevel=0`: Suppresses non-critical kernel messages to reduce information leakage.
-  * `mce=0`: Disables machine check exceptions to prevent side-channel data leaks from hardware error reporting.
-  * `mitigations=auto,nosmt`: Enables all automatic CPU mitigations and disables SMT to reduce side-channel risks.
-  * `mmio_stale_data=full,nosmt`: Ensures stale MMIO data is fully flushed and disables SMT for added protection.
-  * `oops=panic`: Forces a kernel oops to trigger a panic, preventing the system from running in an inconsistent state.
-  * `page_alloc.shuffle=1`: Randomizes physical page allocation to hinder memory layout prediction attacks.
-  * `page_poison=1`: Fills freed pages with a poison pattern to detect use-after-free.
-  * `panic=-1`: Disables automatic reboot on panic to preserve the system state for forensic analysis.
-  * `pti=on`: Enables page table isolation to mitigate Meltdown attacks.
-  * `random.trust_bootloader=off`: Prevents trusting entropy provided by the bootloader.
-  * `random.trust_cpu=off`: Disables trusting CPU-provided randomness, enforcing external entropy sources.
-  * `randomize_kstack_offset=on`: Randomizes the kernel stack offset on each syscall entry to harden against stack probing.
-  * `randomize_va_space=2`: Enables full address space layout randomization (ASLR) for user space.
-  * `retbleed=auto,nosmt`: Enables automatic RETBLEED mitigations and disables SMT for better side-channel resistance.
-  * `rodata=on`: Marks kernel read-only data sections to prevent runtime modification.
-  * `tsx=off`: Disables Intel TSX extensions to eliminate related speculative execution vulnerabilities.
-  * `vdso32=0`: Disables 32-bit vDSO to prevent unintended cross-mode calls.
-  * `vsyscall=none`: Disables legacy vsyscall support to close a potential attack vector.
-* **Rationale**: Ensures early activation of protections, reducing exposure to CPU vulnerabilities before the system fully boots.
+Both the ``CISS.debian.live.builder`` LIVE ISO and the ``CISS.debian.installer`` rely on the same kernel command line. I consider
+a diverging kernel baseline between installer and live system operationally dangerous, because it leads to two distinct sets of 
+expectations about mitigations and attack surface. The boot parameters I apply are:
+
+````bash
+apparmor=1 security=apparmor audit_backlog_limit=262144 audit=1 debugfs=off \
+efi=disable_early_pci_dma hardened_usercopy=1 ia32_emulation=0 \
+init_on_alloc=1 init_on_free=1 \
+iommu.passthrough=0 iommu.strict=1 iommu=force \
+kfence.sample_interval=100 kvm.nx_huge_pages=force \
+l1d_flush=on lockdown=integrity loglevel=0 \
+mitigations=auto,nosmt mmio_stale_data=full,force nosmt=force \
+oops=panic page_alloc.shuffle=1 page_poison=1 panic=0 pti=on \
+random.trust_bootloader=off random.trust_cpu=off randomize_kstack_offset=on \
+retbleed=auto,nosmt rodata=on slab_nomerge vdso32=0 vsyscall=none
+````
+
+The parameters fall into several categories.
+
+* The AppArmor-related flags ``apparmor=1``, ``security=apparmor`` guarantee that AppArmor is not an afterthought but an integral part of the security architecture from the first instruction. I do not accept a boot sequence that comes up without LSM enforcement and then attempts to enable it later.
+* The audit subsystem is configured to be always on ``audit=1`` and to tolerate heavy bursts without dropping events ``audit_backlog_limit=262144``. I treat the audit trail as an evidentiary artifact; truncation because of backlog limits is not acceptable in that model.
+* The debug surface of the kernel is reduced aggressively. ``debugfs=off`` avoids a traditional footgun that exposes kernel internals in a way that is friendly to attackers and rarely necessary in production.
+* Memory is hardened on several levels at allocation time and at free time. ``init_on_alloc=1`` and ``init_on_free=1`` provide deterministic zeroing, ``page_poison=1`` fills freed pages with a poison pattern, and ``page_alloc.shuffle=1`` shuffles the allocator so that a process can no longer rely on stable physical patterns. Together these measures raise the cost of use-after-free exploitation and other memory corruption attacks.
+* The IOMMU is not optional. I force it on ``iommu=force``, disable passthrough, and require strict behavior ``iommu.strict=``1. Any environment that contains devices capable of DMA must have a correctly configured IOMMU, otherwise the trust model for the CPU and for the memory hierarchy collapses as soon as a hostile device is introduced.
+* ``kfence.sample_interval=100`` activates KFENCE with a sampling interval that is still usable in production but sensitive enough to catch a meaningful subset of memory safety bugs under real workloads.
+* Virtualization-specific knobs include ``kvm.nx_huge_pages=force``, to keep huge pages non-executable, and ``l1d_flush=on`` so that context switches flush the L1 data cache where needed.
+* ``lockdown=integrity`` places the kernel into lockdown mode with an emphasis on integrity. In this project I consider the integrity of the system more critical than the ability to introspect a running kernel from userspace.
+* Speculative execution and microarchitectural issues are covered by ``mitigations=auto,nosmt``,`` mmio_stale_data=full,force``, and ``retbleed=auto,nosmt``. I combine the automatic mitigation set provided by the kernel with a forced Single Thread mode where it is required because simultaneous multithreading is simply not worth the residual risk profile in many server contexts.
+* ``nosmt=force`` acts as a guardrail here. It prevents a misconfiguration from quietly re-enabling SMT while the system operator assumes it is disabled.
+* Fault handling is configured through ``oops=panic`` and ``panic=0``. An oops triggers a panic so that I do not continue to run a kernel in an undefined state. At the same time I instruct the system not to reboot automatically on panic, to preserve the state for post-mortem analysis rather than cutting the ground away under a debugging session.
+* ``pti=on``, ``rodata=on``, and ``slab_nomerge`` are classical hardening parameters that I still consider essential. Page-table isolation, read-only data segments, and prohibiting slab merging collectively prevent a wide range of exploits, especially under pressure from speculative execution attacks.
+* To avoid brittle side assumptions, I remove legacy or obsolete interfaces: ``vdso32=0`` and ``vsyscall=none`` shut down the remaining vestiges of 32-bit vDSO and vsyscall support on 64-bit systems. ``ia32_emulation=0`` it again narrows the attack surface by disabling full 32-bit compatibility on 64-bit kernels.
+* Finally, I do not trust entropy claims either from the bootloader or the CPU itself. I opt out of both with ``random.trust_bootloader=off`` and ``random.trust_cpu=off`` and rely on my own entropy strategy described later.
+
+All of these parameters are applied in exactly the same way for the live ISO and for the installer environment. That is a 
+deliberate design decision.
 
 ### 2.1.2. CPU Vulnerability Mitigations
 
-* **Description**: Enables all known kernel-level mitigations (Spectre, Meltdown, MDS, L1TF, etc.).
-* **Rationale**: Prevents side-channel attacks that exploit speculative execution, which remain a high-risk vector in
-  multi-tenant cloud environments.
+I build the kernels with the relevant mitigations for Specter, Meltdown, L1TF, MDS, TAA, Retbleed, and related families activated. 
+The ``mitigations=auto,nosmt`` flag ensures that new mitigations integrated into the mainline kernel become effective as they 
+are added, instead of requiring that I micromanage every single toggle. The residual performance cost is acceptable in the 
+context I am targeting; stale mitigations can be revisited, but missing mitigations will not be.
 
 ### 2.1.3. Kernel Self-Protection
 
-* **Description**: Activates `CONFIG_DEBUG_RODATA`, `CONFIG_STRICT_MODULE_RWX`, and other self-protections.
-* **Rationale**: Hardens kernel memory regions against unauthorized writings and enforces stricter module loading policies.
+I enable the standard set of self-protection options, such as strict module page permissions, read-only data enforcement, and 
+restrictions around kprobes and BPF. The builder is not a kernel configuration tool, but it carries the expectation that the 
+kernels it runs with are compiled according to this hardening profile. I treat deviations from that profile as unsupported.
 
 ### 2.1.4. Local Kernel Hardening
 
-* **Description**: The wrapper `sysp()`provides a function to apply and audit local kernel hardening rules from `/etc/sysctl.d/99_local.hardened`:
+The wrapper `sysp()`provides a function to apply and audit local kernel hardening rules from `/etc/sysctl.d/90-ciss-local.hardened`:
 ````bash
-###########################################################################################
-# Globals: Wrapper for loading CISS.2025 hardened Kernel Parameters
+#######################################
+# Wrapper for loading CISS hardened Kernel Parameters.
 # Arguments:
-#  none
-###########################################################################################
-# shellcheck disable=SC2317
+#   None
+#######################################
 sysp() {
-  sysctl -p /etc/sysctl.d/99_local.hardened
-  # sleep 1
-  sysctl -a | grep -E 'kernel|vm|net' > /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
+  sysctl -p /etc/sysctl.d/90-ciss-local.hardened
+  # shellcheck disable=SC2312
+  sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
 }
 ````
 * **Key measures loaded by this file include:**
@@ -251,16 +276,36 @@ Once applied, some hardening settings cannot be undone via `sysctl` without a re
 until the next boot. Automatic enforcement at startup is therefore omitted by design—run `sysp()` manually and plan a reboot to 
 apply or revert these controls.
 
+In case you provide the ``--cdi`` option to the installer, the ``sysp()`` function is automatically applied at the boot process via:
+[9999_cdi_starter.sh](scripts/usr/local/sbin/9999_cdi_starter.sh).
+
+For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-ciss-local.hardened.md)**
+
 ## 2.2. Module Blacklisting
 
 * **Description**: Disables and blacklists non-essential or insecure kernel modules.
 * **Rationale**: Minimizes attack surface by preventing loads of drivers or modules not required by the live environment.
 
+For further details see: **[30-ciss-hardening.conf.md](docs/documentation/30-ciss-hardening.conf.md)**
+
 ## 2.3. Network Hardening
 
-* **Description**: Applies `sysctl` settings (e.g., `net.ipv4.conf.all.rp_filter=1`, `arp_ignore`, `arp_announce`) to restrict
-  inbound/outbound traffic behaviors.
-* **Rationale**: Mitigates ARP spoofing, IP spoofing, and reduces the risk of man-in-the-middle on internal networks.
+At the kernel level classical ``sysctl`` settings are applied that defend against spoofing and sloppy network behavior. Reverse path 
+filtering is enabled, ARP handling is pinned down, and loose binding of addresses is discouraged. Where appropriate, IPv6 
+receives the same level of attention as IPv4. The network stack is switched firmly to ``systemd-networkd`` and ``systemd-resolved``. 
+The hook [0000_basic_chroot_setup.chroot](config/hooks/live/0000_basic_chroot_setup.chroot) removes ``ifupdown``, wires up 
+``systemd-networkd`` and ``systemd-resolved`` via explicit WantedBy symlinks, and ensures that the stub resolver at ``127.0.0.53``
+is the canonical ``resolv.conf`` target. The same hook writes dedicated configuration snippets:
+
+``/etc/systemd/resolved.conf.d/10-ciss-dnssec.conf`` enforces opportunistic ``DNS-over-TLS`` and full ``DNSSEC`` validation 
+while disabling ``LLMNR`` and ``MulticastDNS``.
+
+This converges the system on a single, hardened DNS resolution path and avoids the common situation where multiple name 
+resolution mechanisms step on each other. Where desired, this resolution chain can be plugged into **CenturionDNS**, a resolver
+infrastructure that I control and that enforces DNSSEC validation, QNAME minimisation, and a curated blocklist. For sensitive 
+deployments, this stack is used as the default.
+
+For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-ciss-local.hardened.md)**
 
 ## 2.4. Core Dump & Kernel Hardening
 
@@ -320,6 +365,11 @@ apply or revert these controls.
 ## 2.9. UFW Hardening
 
 * **Description**: Defaults to `deny incoming` and (optionally) `deny outgoing`; automatically opens only whitelisted ports.
+* **Primordial SSH exception**: `--primordial-url <https-git-url>`, `--primordial-key <ssh-identity-filename>` and
+  `--primordial-ssh <port>` configure the CDI Primordial overlay clone. `--primordial-ssh` also adds an outgoing-only UFW TCP
+  exception for a bootstrap/recovery SSH port when the live system's UFW outgoing policy is `deny`. It adds no incoming firewall
+  rule and does not replace `--ssh-port`. If the requested port already matches an existing outgoing SSH exception, the current
+  hook still emits the requested labelled rule because this repository has no separate UFW rule deduplication layer.
 * **Rationale**: Implements a default-deny firewall, reducing lateral movement and data exfiltration risks immediately after
   deployment.
 
@@ -424,9 +474,12 @@ predictable script behavior.
 
 # 4. Prerequisites
 
-* **Host**: Debian Trixie with `live-build` and ``debootstrap`` packages installed.
-* **Privileges**: Root or sudo access to execute `ciss_live_builder.sh` and related scripts.
-* **Network**: Outbound access to Debian repositories and PTB NTPsec pool.
+To use **``CISS.debian.live.builder``** as intended, the following baseline is expected:<br>
+
+* The build host runs Debian 13 Trixie, fully updated. Building a Trixie image on an older or newer release is technically possible but explicitly not supported.
+* The host has the standard live-build stack installed ``live-build``, ``live-boot``, ``live-config``, ``debootstrap`` and the cryptographic tooling required for ``LUKS2``, ``dm-integrity``, ``cryptsetup``, ``gpg``.
+* Disk space must be sufficient to hold the chroot, the temporary build artifacts, and the final ISO with encrypted root. For comfortable work I assume around 30–40 gigabytes of free space.
+* The user running the builder has root privileges and understands that the script is capable of creating, mounting, and manipulating block devices.
 
 # 5. Installation & Usage
 
@@ -466,15 +519,25 @@ predictable script behavior.
      --reionice-priority 1 2 \
      --renice-priority "-19" \
      --root-password-file /dev/shm/cdlb_secrets/password.txt \
+     --secure-boot-profile debian-shim \
+     --sops-version 3.13.1 \
      --signing_key_fpr=98089A472CCF4601CD51D7C7095D36535296EA14B8DE92198723C4DC606E8F76 \
      --signing_key_pass=signing_key_pass.txt \
      --signing_key=signing_key.asc \
      --ssh-port 4242 \
+     --primordial-url https://git.coresecret.dev/ahz/PhysNet.primordial.git \
+     --primordial-key id--git.coresecret.dev--PhysNet.primordial_deploy--ed25519--newton--2025-10 \
+     --primordial-ssh 42842 \
      --ssh-pubkey /dev/shm/cdlb_secrets \
      --sshfp \
      --trixie
    ````
 
+   `--sops-version` selects the upstream SOPS release installed into the live system. If omitted, the builder uses
+   `VAR_SOPS_VERSION` from `var/global.var.sh`. The SOPS hook verifies the upstream checksums file with Cosign and supports
+   both the newer Sigstore bundle asset, and the legacy-split certificate/signature assets before checking the downloaded
+   SOPS binary with `sha256sum -c --ignore-missing`.
+
 4. Locate your ISO in the `--build-directory`.
 5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel.
 6. Type `sysp` for the final kernel hardening features.
@@ -508,10 +571,15 @@ preview it or run it.
     ````bash
     BUILD_DIR=/opt/cdlb
     ROOT_PASSWORD_FILE=/dev/shm/cdlb_secrets/password.txt
+    SECURE_BOOT_PROFILE=debian-shim
+    SOPS_VERSION=3.13.1
     SSH_PORT=4242
     SSH_PUBKEY=/dev/shm/cdlb_secrets
 
     # Optional
+    PRIMORDIAL_URL=https://git.coresecret.dev/ahz/PhysNet.primordial.git
+    PRIMORDIAL_KEY=id--git.coresecret.dev--PhysNet.primordial_deploy--ed25519--newton--2025-10
+    PRIMORDIAL_SSH_PORT=42842
     PROVIDER_NETCUP_IPV6=2001:cdb::1
     # comma-separated; IPv6 in [] is fine
     JUMP_HOSTS=[2001:db8::1],[2001:db8::2]     
@@ -521,7 +589,31 @@ preview it or run it.
 
 4. Execute the build: ````make live````
 
-## 5.3. CI/CD Gitea Runner Workflow Example
+## 5.3. Secure Boot Profiles
+
+The default build profile is ``--secure-boot-profile debian-shim``. It keeps the ISO broadly portable: ``lb config`` uses an
+``iso-hybrid`` image with both ``grub-pc`` and ``grub-efi`` bootloaders, and UEFI Secure Boot remains delegated to live-build's
+standard Microsoft-signed Debian shim plus Debian-signed GRUB path.
+
+The custom profile is ``--secure-boot-profile ciss-uki``. It is intended for amd64 systems whose firmware trusts the CISS Secure
+Boot key material through the platform Secure Boot database, or a custom PK/KEK/db model. In this profile a late binary hook
+builds a Unified Kernel Image from the final ``binary/live/vmlinuz-*`` and ``binary/live/initrd.img-*`` artifacts, signs it with
+``ciss.secureboot/private/ciss-efi-image.key`` and ``ciss.secureboot/public/ciss-efi-image.crt``, rebuilds
+``binary/boot/grub/efi.img``, installs the signed UKI as ``EFI/BOOT/BOOTX64.EFI``, and mirrors it into the ISO EFI tree when
+live-build created one.
+
+Required files for ``ciss-uki``:
+
+````text
+ciss.secureboot/private/ciss-efi-image.key
+ciss.secureboot/public/ciss-efi-image.crt
+````
+
+The private directory is ignored by Git. The hooks fail if the CISS EFI image signing key or module signing key appears below
+``binary/``, ``chroot/`` or ``config/includes.*``. Build-time UKI manifests are written below the build directory in
+``ciss.secureboot/manifests`` and can be checked with ``ukify inspect`` and ``sbverify``.
+
+## 5.4. CI/CD Gitea Runner Workflow Example
 
 1. Clone the repository:
 
@@ -589,13 +681,22 @@ preview it or run it.
 
 # 6. Licensing & Compliance
 
-This repository is fully SPDX-compliant. All source files include appropriate SPDX license identifiers and headers to ensure
-clear and unambiguous licensing. You can verify compliance by reviewing the top of each file, which follows the SPDX
-standard for license expressions and metadata.
+Unless stated otherwise in individual files via SPDX headers, this project is licensed under the European Union Public License (EUPL 1.2).
+That license is OSI-approved and compatible with internal use in both public sector and private environments. Several files carry
+dual or multi-license statements, for example **``LicenseRef-CNCL-1.1``** and / or **``LicenseRef-CCLA-1.1``**, where I offer a 
+non-commercial license for community use and a commercial license for professional integration. The SPDX headers in each file 
+are authoritative. If you plan to integrate **``CISS.debian.live.builder``** into a commercial product or a managed service 
+offering, you should treat these license markers as binding and reach out for a proper agreement where required.
 
 # 7. Disclaimer
 
-This README is provided "as-is" without any warranty. Review your organization's policies before deploying to production.
+This repository is designed for well-experienced administrators and security professionals who are comfortable with low-level 
+Linux tooling, cryptography, and automation. It can and will create, format, and encrypt devices. It is entirely possible to 
+destroy data if you use it carelessly. I publish this work in good faith and with a strong focus on correctness and robustness. 
+Nevertheless, there is no warranty of any kind. You are responsible for understanding what you are doing, for validating your 
+own threat model, and for ensuring that this tool fits your regulatory and operational environment. If you treat the builder, and 
+the resulting images with the same discipline with which they were created, you will obtain a hardened, reproducible, and 
+auditable base for serious systems. If you treat them casually, they will not save you from yourself.
 
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**

REPOSITORY.md

@@ -7,16 +7,16 @@ include_toc: true
 
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
-**Master Version**: 8.13<br>
-**Build**: V8.13.512.2025.11.27<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.022.2026.06.10<br>
 
-# 2.1. Repository Structure
+# 2. Repository Structure
 
 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **8.13**, Build **V8.13.512.2025.11.27** (as of 2025-10-11)
+**Repository State:** Master Version **9.14**, Build **V9.14.022.2026.06.10** (as of 2025-10-11)
 
-## 2.2. Top-Level Layout
+## 3.1. Top-Level Layout
 
 ````text
 CISS.debian.live.builder/
@@ -59,15 +59,15 @@ CISS.debian.live.builder/
 
 > **Note:** The ISO marker files (`LIVE_ISO.*`) are produced by CI workflows for convenient retrieval of generated images.
 
-## 2.3. Directory Semantics
+## 3.2. Directory Semantics
 
-### 2.3.1. `.gitea/` — CI/CD Orchestration
+### 3.2.1. `.gitea/` — CI/CD Orchestration
 - **`workflows/`**: Declarative Gitea Actions to lint shell scripts, render Graphviz/DNSSEC status, and generate **PUBLIC**/**PRIVATE (TRIXIE)** ISOs reproducibly.
 - **`trigger/`**: Manual/auxiliary trigger manifests (`t_generate_PUBLIC.yaml`, `t_generate_PRIVATE_trixie_{0,1}.yaml`, `t_generate_dns.yaml`) to drive pipeline variants.
 - **`ISSUE_TEMPLATE/`**: Issue and pull request templates to standardize change management.
 - **`properties/`** and **`TODO/`**: Auxiliary config fragments (JSON/Lua) and maintenance utilities (e.g., `render-md-to-html.yaml`).
 
-### 2.3.2. `config/` — Live-Build Configuration
+### 3.2.2. `config/` — Live-Build Configuration
 - **`bootloaders/`**: Boot assets for GRUB in EFI and PC modes, incl. a branded splash image.
 - **`hooks/live/`**: **Ordered** `*.chroot` hooks implementing system configuration and hardening during image creation; the numeric prefixes dictate execution (e.g., `0000_basic_chroot_setup.chroot`, `0810_chrony_setup.chroot`, `0900_ufw_setup.chroot`, `9930_hardening_ssh.chroot`, `9950_hardening_fail2ban.chroot`).
 - **`includes.binary/boot/grub/`**: Static GRUB configuration embedded in the binary image (`config.cfg`).
@@ -77,40 +77,40 @@ CISS.debian.live.builder/
   - `root/` (administrator dotfiles and keys).
 - **`package-lists/`**: Architecture-specific and common package manifests (`amd64`, `arm64`, `common`) used by `live-build`.
 
-### 2.3.3. `docs/` — Documentation Corpus
+### 3.2.3. `docs/` — Documentation Corpus
 Audit reports (DNSSEC, Lynis, SSH, TLS, Haveged), **BOOTPARAMS**, **CHANGELOG**, **CODING_CONVENTION**, **CONTRIBUTING**, **REFERENCES**; plus `SECURITY/`, `LICENSES/`, architecture diagrams under `graphviz/`, and illustrative `screenshots/`.
 
-### 2.3.4. `lib/` — Shell Library Modules
+### 3.2.4. `lib/` — Shell Library Modules
 Composable, single-purpose modules used by the wrapper and CI steps (argument parsing and validation, kernel/CPU mitigation checks, provider support, `lb config/build` scaffolding, usage/version banners, sanitization and traps, SSH/root-password hardening, ultra-hardening profile, etc.).
 
-### 2.3.5. `scripts/` — Operational Helpers
+### 3.2.5. `scripts/` — Operational Helpers
 Ancillary scripts for DHCP supersedes, resolver bootstrapping, and live-boot verification; targeted paths such as `scripts/etc/network/` and `scripts/live-boot/` encapsulate deploy-time adjustments and integrity checks.
 
-### 2.3.6. `var/` — Variables & Defaults
+### 3.2.6. `var/` — Variables & Defaults
 Layered variable sets (`early.var.sh`, `global.var.sh`, `bash.var.sh`, `color.var.sh`) providing early-boot defaults, global tuning, and TTY/UI niceties.
 
-## 2.4. Key Files
+## 3.3. Key Files
 
 - **`ciss_live_builder.sh`** — Primary entrypoint; orchestrates argument parsing, environment preparation, `lb config`/`lb build` execution and post-processing.
 - **`makefile`** & **`config.mk.sample`** — Make-based convenience wrapper and a sample configuration surface.
 - **`README.md`, `SECURITY.md`, `LICENSE`, `CISS.debian.live.builder.spdx`** — Project overview, security policy, licensing, and SPDX manifest for compliance.
 - **ISO markers**: `LIVE_ISO.public`, `LIVE_ISO_TRIXIE_{0,1}.private` reflect CI pipeline outputs.
 
-## 2.5. Conventions & Build Logic
+## 3.4. Conventions & Build Logic
 
 - **Hook Ordering**: Numeric prefixes (`0000_…` → `99xx_…`) strictly determine execution sequencing within `config/hooks/live/`. Early hooks establish base state (initramfs modules, checksums), mid-range hooks integrate security services (AppArmor, Chrony/NTPsec, Lynis, UFW, Fail2Ban, SSH auditing), late hooks enforce hardening and cleanup (SSH tightening, memory-dump policies, service disablement).
 - **Binary vs. Chroot Includes**: Assets under `includes.binary/` affect the ISO’s bootloader stage; `includes.chroot/` become part of the runtime filesystem.
 - **Architecture Scoping**: Package lists are split into `*amd64*`, `*arm64*`, and `*common*` to keep images minimal and deterministic.
 - **CI/CD**: Reproducible ISO builds are executed via Gitea workflows; dedicated `trigger/` manifests parameterize public vs. private images and auxiliary rendering jobs (e.g., DNSSEC status, Graphviz diagrams).
 
-## 2.6. Cross-References (Documentation)
+## 3.5. Cross-References (Documentation)
 
 - **Boot Parameters**: see `docs/BOOTPARAMS.md`.
 - **Audits**: `docs/AUDIT_*.md` (DNSSEC, Lynis, SSH, TLS, Haveged).
 - **Coding & Contribution**: `docs/CODING_CONVENTION.md`, `docs/CONTRIBUTING.md`.
 - **Change Log & References**: `docs/CHANGELOG.md`, `docs/REFERENCES.md`.
 
-## 2.7. Licensing & Compliance
+## 3.6. Licensing & Compliance
 
 The repository is **SPDX-compliant**; source files carry SPDX identifiers. See `CISS.debian.live.builder.spdx` and `LICENSE` for details.
 

bootscreen.txt

@@ -0,0 +1,33 @@
+                                          .-=+*###%%###*+=-:.
+                                      :=*%%@@@@@@@@@@@@@@@@@%#*-.
+                                   :+%@@@@%%%%@@@@@@@@%%%%%%@@@@@%*:
+                                 -#@@@%%%%@@@@%#****#%%@@@%%@@%#+=-:.
+                               .#@@%%%%%@@#+:..:::-::::-=#@@%=.
+                              -%@%%%%%%@#: .=*%@@@@@@%#+-.:=
+                             =@%%%%%%%@= .*@@@@%%%%%%%@@@%=
+                            :@%%%%%%%@+ :%@%%%%%%%%%%%%%%@@#%+
+                            #%%%%%%%%%  #@%%%%%%%%%%%%%%%%%@@%.
+                           -@%%%%%%%@#  %%%%%%%%%%%%%%%%%@@@%@*
+                           *%%%%%%%%@%  *@%%%%%%%%%%%%%%%#*#%%@:
+                           *@%%%%%%%%@- :@%%%%%%%%%%%%%%%%-   ..
+                           *%%%%%%%%%%#. +@%%%%%%%%%%%%%%@@*.
+                           -@%%%%%%%%%@-  #%%%%%%%%@@@@@%%%@@%%%+
+                            %%%%%%%%%%:   -@%%%%%@@%**#%@%%%%@%@%
+                            -@%%%%%%@+    :@%%%@@*:     =@%%%%%%:
+                             +@%%%%%@.    +@%%@#:        #@%%%@-
+                              *@%%@@=    :%%@@+          *%%%@#
+                               =@%#-    :%@@#-          :@@%%%-
+                                ..     =@%*-            .+#%@%.
+                                      :+-.                 .=*
+
+  ____ ___ ____ ____      _      _     _               _ _             _           _ _     _
+ / ___|_ _/ ___/ ___|  __| | ___| |__ (_) __ _ _ __   | (_)_   _____  | |__  _   _(_) | __| | ___ _ __
+| |    | |\___ \___ \ / _` |/ _ \ '_ \| |/ _` | '_ \  | | \ \ / / _ \ | '_ \| | | | | |/ _` |/ _ \ '__|
+| |___ | | ___) |__) | (_| |  __/ |_) | | (_| | | | |_| | |\ V /  __/_| |_) | |_| | | | (_| |  __/ |
+ \____|___|____/____(_)__,_|\___|_.__/|_|\__,_|_| |_(_)_|_| \_/ \___(_)_.__/ \__,_|_|_|\__,_|\___|_|
+
+Debian Trixie | Hardened Live ISO Builder | Encrypted Root Path | Verified Boot Chain | LUKS Integrity
+
+Preparing Builder...
+
+Please wait...

centurion.txt

@@ -0,0 +1,37 @@
+                              .:-=++***#####***+==-:.
+                        .-=*#%%@@@@@@@@@@@@@@@@@@@@@%%#*=-.
+                    .=*#@@@@@@@%%%%%%%%%%%%%%%%%%%%%@@@@@@@%*=:
+                 :+#@@@@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@%*=.
+              .+#@@@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@#=:
+            :*%@@%%%%%%%%%%%%%%%%@@@@@@@@@@@@@%%%%%%%%%%%%%%%%@@@@%%%*=
+          :*@@%%%%%%%%%%%%%%@@@@@%%#*******#%%@@@@%%%%%%%%%@@%#+-:.
+        .+@@%%%%%%%%%%%%%%@@%#+-.             .-+#%@@%%%%@@#=.
+       -%@%%%%%%%%%%%%%@@%*-.    :-+**####**+-:   .-*%@@@*:
+      +@@%%%%%%%%%%%%%@%+.   :+#%@@@@@@@@@@@@@@%#+:  .+#:
+     *@%%%%%%%%%%%%%%@*.   =#@@@@%%%%%%%%%%%%%%@@@@#-
+    *@%%%%%%%%%%%%%%@-   -%@@%%%%%%%%%%%%%%%%%%%%%%@@#-
+   +@%%%%%%%%%%%%%%@-   +@@%%%%%%%%%%%%%%%%%%%%%%%%%%@@+-*#
+  -@%%%%%%%%%%%%%%@+   +@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@-
+  %%%%%%%%%%%%%%%%%   :@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ -@%%%%%%%%%%%%%%@*   +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@=
+ #%%%%%%%%%%%%%%%@=   *@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+.%%%%%%%%%%%%%%%%@+   +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@%%%%%%%=
+-@%%%%%%%%%%%%%%%@*   :@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@@@@@.
+=@%%%%%%%%%%%%%%%%%.   #@%%%%%%%%%%%%%%%%%%%%%%%%%%%*..:--==+*-
+=@%%%%%%%%%%%%%%%%@=   :@%%%%%%%%%%%%%%%%%%%%%%%%%%%@#:
+=@%%%%%%%%%%%%%%%%%%.   +@%%%%%%%%%%%%%%%%%%%%%%%%%%%@@+
+:@%%%%%%%%%%%%%%%%%@#    #%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@#::::.
+ %@%%%%%%%%%%%%%%%%%@=   :@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@@@%#:
+ *%%%%%%%%%%%%%%%%%%-     *@%%%%%%%%%%%%%%%@@@@%%%%%%%%%%%%%%%@@@.
+ :@%%%%%%%%%%%%%%%@-      -@%%%%%%%%%%%%@@@%%%%%@@%%%%%%%%%%%%%%%.
+  *@%%%%%%%%%%%%%@+       .%%%%%%%%%%%@@*=:.   .-*@%%%%%%%%%%%%@=
+  .%%%%%%%%%%%%%%%.       .%%%%%%%%%@@*:          :%%%%%%%%%%%@+
+   =@%%%%%%%%%%%@*        -@%%%%%%%@#:             =@%%%%%%%%@*
+    +@%%%%%%%%%%@.        *@%%%%%@@+               .@%%%%%%%%%.
+     *@%%%%%%%%@+        -@%%%%%@%-                .@%%%%%%%@=
+      +@%%%%%@@*        :%%%%%@@*.                 -@%%%%%%%%
+       =@@@@@#-        :%%%%@@%-                   #%%%%%%%@+
+        :#*+:         :%%%@@%+                    -@@@%%%%%@:
+                     =@@@@#=.                      :+#@@@@%%.
+                   .*%#*=.                            .=*%@%
+                   ::.                                   .-+

ciss.secureboot/manifests/.gitkeep

@@ -0,0 +1 @@
+

ciss.secureboot/private/README.md

@@ -0,0 +1,26 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.live.builder
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.022.2026.06.10<br>
+
+# 2. CISS Secure Boot Private Material
+
+This directory is intentionally ignored except for this README.
+
+On the air-gapped build host, place the private EFI image signing key here:
+
+* `ciss-efi-image.key`
+
+Do not commit private keys. The custom UKI hooks fail if this key is copied into `binary/`, `chroot/`, or
+`config/includes.*`.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

ciss.secureboot/public/README.md

@@ -0,0 +1,26 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.live.builder
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.022.2026.06.10<br>
+
+# 2. CISS Secure Boot Public Material
+
+Place public CISS Secure Boot certificates here on the air-gapped build host.
+
+Expected file for the `ciss-uki` build profile:
+
+* `ciss-efi-image.crt`
+
+Public CA and module-signing certificates may also live here, for example `ciss-secureboot-ca.crt` and
+`ciss-module-signing.crt`, but they are not copied into the ISO by the current UKI hooks.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

ciss.secureboot/uki/.gitkeep

@@ -0,0 +1 @@
+

ciss_live_builder.sh

@@ -15,7 +15,7 @@
 ### WHY BASH?
 # Ease of installation. No compiling or installing gems, CPAN modules, pip packages, etc. Simple to use and read. Clear syntax
 # and straightforward output interpretation. Built-in power. Pattern matching, line processing, and regular expression support
-# are available natively, no external binaries required. Cross-platform consistency. '/bin/bash' is the default shell on most
+# are available natively; no external binaries are required. Cross-platform consistency. '/bin/bash' is the default shell on most
 # Linux distributions, ensuring scripts run unmodified across systems. macOS compatibility. Since macOS Catalina (10.15), the
 # default login shell has been zsh, but bash remains available at '/bin/bash'. Windows support. You can use bash via WSL, MSYS2,
 # or Cygwin on Windows systems.
@@ -111,11 +111,17 @@ source_guard "./var/bash.var.sh"
 ### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG.
 for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh   ; contact; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh     ; usage  ; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -l|--logo)    . ./lib/lib_logo.sh      ; logo   ; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh   ; version; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -d|--debug)   . ./meta_sources_debug.sh; debugger "${@}";; esac; done
 
 ### ALL CHECKS DONE. READY TO START THE SCRIPT.
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+clear
+printf '\033[95m'
+cat bootscreen.txt
+printf '\033[0m\n'
+sleep 4
+printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
 declare -grx VAR_SETUP="true"
 
 ### SECURING SECRETS ARTIFACTS.
@@ -167,12 +173,29 @@ find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
   source_guard "./lib/lib_provider_netcup.sh"
   source_guard "./lib/lib_run_analysis.sh"
   source_guard "./lib/lib_sanitizer.sh"
+  source_guard "./lib/lib_secureboot_profile.sh"
   source_guard "./lib/lib_trap_on_err.sh"
   source_guard "./lib/lib_trap_on_exit.sh"
   source_guard "./lib/lib_update_microcode.sh"
   source_guard "./lib/lib_usage.sh"
 }
 
+### PRE-SCAN SECURE BOOT PROFILE FOR BUILD-HOST PACKAGE CHECKS.
+### Formal validation still happens in arg_parser().
+for ((idx=0; idx<${#ARY_PARAM_ARRAY[@]}; idx++)); do
+  case "${ARY_PARAM_ARRAY[idx],,}" in
+    --secure-boot-profile=*)
+      declare -gx VAR_CISS_SECUREBOOT_PROFILE="${ARY_PARAM_ARRAY[idx]#*=}"
+      ;;
+    --secure-boot-profile)
+      if [[ -n "${ARY_PARAM_ARRAY[idx + 1]:-}" ]]; then
+        declare -gx VAR_CISS_SECUREBOOT_PROFILE="${ARY_PARAM_ARRAY[idx + 1]}"
+      fi
+      ;;
+  esac
+done
+unset idx
+
 ### CHECKING REQUIRED PACKAGES.
 check_pkgs
 
@@ -199,6 +222,7 @@ if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n
 
 ### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
+
 ### Following the CISS Bash naming and ordering scheme:
 trap 'trap_on_exit "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' EXIT
 trap 'trap_on_err  "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
@@ -248,6 +272,7 @@ init_primordial
 ### Integrate the CISS.debian.live.builder repository into the build directory.
 ### Modifications from this point onwards must be placed under 'VAR_HANDLER_BUILD_DIR'.
 hardening_ultra
+secureboot_profile_apply
 
 ### CISS.debian.installer 'GRUB' and 'autostart' generator.
 cdi

code_review.md

@@ -0,0 +1,78 @@
+# code_review.md
+
+Use this file for explicit review tasks and final self-review after implementation.
+Do not treat it as a mandate for an unlimited audit unless the user asks for one.
+
+## Review priorities
+
+Review findings in this order:
+
+1. Correctness
+2. Security regressions
+3. Boot/build reproducibility
+4. Data loss risk
+5. Error handling
+6. Test or validation coverage
+7. Maintainability
+8. Minimality of diff
+9. Style consistency
+
+## Finding classes
+
+- `BLOCKER`: proven correctness bug, security regression, build break, boot break, or data loss risk that must be fixed before merge.
+- `RISK`: plausible issue or security concern that is not fully proven from the available context.
+- `CLEANUP`: maintainability, readability, or consistency improvement that is not required for correctness.
+- `NOTE`: observation only; no change requested.
+
+## Review output format
+
+List findings first, ordered by severity.
+
+For each finding include:
+
+- class
+- file path and line number where possible
+- observation
+- concrete impact
+- smallest reasonable fix
+
+Then include:
+
+- missing checks or validation gaps
+- residual risks
+- concise final recommendation
+
+If there are no findings, say so explicitly and still mention relevant validation gaps.
+
+## Scope control
+
+- Do not nitpick formatting when automated tooling exists.
+- Do not invent requirements not present in the task, repository, or documentation.
+- Do not expand a small implementation task into a broad quality-management audit.
+- Do not request a full live build unless the changed code path affects image generation in a way that cannot be checked narrowly.
+- Prefer a small actionable finding over a broad speculative warning.
+
+## Security-sensitive checklist
+
+Check whether the change affects:
+
+- boot trust
+- initramfs behavior
+- live-boot runtime behavior
+- cryptsetup/LUKS handling
+- encrypted SquashFS handling
+- key material
+- remote unlock
+- TLS or mTLS verification
+- signature, checksum, or provenance verification
+- package sources or remote downloads
+- network exposure
+- file permissions
+- persistence
+- logging of sensitive values
+
+For affected areas, separate observation, inference, and recommendation.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->

config.mk.sample

@@ -10,8 +10,19 @@
 # SPDX-Security-Contact: security@coresecret.eu
 
 BUILD_DIR            ?=
+
+### Optional Dropbear source override; empty uses VAR_DROPBEAR_VERSION from var/global.var.sh:
+DROPBEAR_VERSION     ?=
+### Optional SOPS release override; empty uses VAR_SOPS_VERSION from var/global.var.sh:
+SOPS_VERSION         ?=
+### Optional Primordial CDI overlay settings; all three values are required for automatic overlay bootstrap:
+PRIMORDIAL_URL       ?=
+PRIMORDIAL_KEY       ?=
+PRIMORDIAL_SSH_PORT  ?=
 PROVIDER_NETCUP_IPV6 ?=
 ROOT_PASSWORD_FILE   ?=
+### Secure Boot profile; debian-shim or ciss-uki:
+SECURE_BOOT_PROFILE  ?= debian-shim
 SSH_PORT             ?=
 SSH_PUBKEY           ?=
 

config/hooks/live/0000_basic_chroot_setup.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 # shellcheck disable=SC2155
 declare -gx VAR_DATE="$(date +%F)"
@@ -236,14 +236,55 @@ rm -f /etc/cron.daily/apt-show-versions || true
 [[ -e /usr/lib/live/boot/0030-verify-checksums ]] && rm -f /usr/lib/live/boot/0030-verify-checksums
 
 ### Ensure proper 0755 rights for CISS initramfs scripts  ----------------------------------------------------------------------
-[[ -x /etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh ]] \
-  && chmod 0755 /etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh
-[[ -x /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh ]] \
+find /usr/lib/live/boot -type f -exec chmod 0755 {} +
+
+[[ -e /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh ]] \
   && chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
-[[ -x /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh ]] \
+
+[[ -e /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh ]] \
   && chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+### Ensure proper systemd directories exist ------------------------------------------------------------------------------------
+mkdir -p /etc/systemd/resolved.conf.d
+mkdir -p /etc/systemd/system
+mkdir -p /etc/systemd/system/multi-user.target.wants
+mkdir -p /etc/systemd/system/sockets.target.wants
+
+### Enable clean systemd-networkd stack ----------------------------------------------------------------------------------------
+apt-get -y purge ifupdown || true
+
+ln -sf /lib/systemd/system/systemd-networkd.service /etc/systemd/system/multi-user.target.wants/systemd-networkd.service
+
+ln -sf /lib/systemd/system/systemd-resolved.service /etc/systemd/system/multi-user.target.wants/systemd-resolved.service
+
+ln -sf /lib/systemd/system/systemd-resolved.socket  /etc/systemd/system/sockets.target.wants/systemd-resolved.socket
+
+cat << EOF >| /etc/systemd/system/ciss-fix-resolvconf.service
+[Unit]
+Description=Force systemd-resolved stub resolv.conf
+After=network-online.target
+Before=apt-daily.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/rm -f /etc/resolv.conf
+ExecStart=/usr/bin/ln -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+ln -sf /etc/systemd/system/ciss-fix-resolvconf.service /etc/systemd/system/multi-user.target.wants/ciss-fix-resolvconf.service
+
+cat << EOF >| /etc/systemd/resolved.conf.d/10-ciss-dnssec.conf
+[Resolve]
+DNSOverTLS=opportunistic
+DNSSEC=yes
+LLMNR=no
+MulticastDNS=no
+EOF
+
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0001_initramfs_modules.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 #######################################
 # Get all NIC drivers of the current Host machine.
@@ -345,7 +345,7 @@ chmod 0755 /etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
 chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
 chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0002_hardening_overlay_tmpfs.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 VAR_DATE="$(date +%F)"
 
@@ -45,8 +45,10 @@ EOF
 
 mkdir -p /etc/systemd/system/tmp.mount.d
 cat << EOF >| /etc/systemd/system/tmp.mount.d/override.conf
+# The live ISO runs CISS.debian.installer and must support at least 12 raw plus encrypted LUKS header backups in the installer
+# scratch path.
 [Mount]
-Options=mode=1777,strictatime,nosuid,nodev,noexec,size=1%
+Options=mode=1777,strictatime,nosuid,nodev,noexec,size=2G
 EOF
 
 mkdir -p /etc/systemd/system/dev-shm.mount.d
@@ -57,7 +59,7 @@ EOF
 
 systemctl enable ciss-remount-root.service
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0003_cdi_autostart.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 if [[ -f /root/.cdi ]]; then
 
@@ -48,7 +48,7 @@ EOF
 
 fi
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0007_update_logrotate.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -72,7 +72,7 @@ include /etc/logrotate.d
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0010_install_apparmor.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -30,7 +30,7 @@ EOF
 
 install -d -m 0755 /var/cache/apparmor
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0020_dropbear_build.chroot

@@ -11,21 +11,40 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 
 ### Declare Arrays, HashMaps, and Variables.
-declare var_dropbear_version="2025.88"
+declare var_dropbear_env="/root/dropbear.env"
+[[ -r "${var_dropbear_env}" ]] || {
+  printf "\e[91m❌ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2
+  exit 43
+}
+
+# shellcheck disable=SC1090
+. "${var_dropbear_env}"
+declare var_dropbear_version="${DROPBEAR_VERSION:?DROPBEAR_VERSION is not set}"
+[[ "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]] || {
+  printf "\e[91m❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
+  exit 43
+}
+
 declare var_tar="/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
 declare var_build_dir="/root/build/dropbear-${var_dropbear_version}"
 declare var_logfile="/root/.ciss/cdlb/log/0020_dropbear_build.log"
 
 mkdir -p "/root/build"
+
+[[ -r "${var_tar}" ]] || {
+  printf "\e[91m❌ ERROR: Missing Dropbear tarball: [%s] \e[0m\n" "${var_tar}" >&2
+  exit 43
+}
+
 cp "${var_tar}" "/root/build"
-tar xjf "/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2" -C "/root/build"
+tar xjf "${var_tar}" -C "/root/build"
 cp "/root/dropbear/localoptions.h" "${var_build_dir}"
 cd "${var_build_dir}"
 
@@ -67,7 +86,7 @@ if ! setsid bash -c '
   ' >| "${var_logfile}" 2>&1
 then
 
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Dropbear build failed. See [%s] \e[0m\n" "${var_logfile}" >&2
+  printf "\e[91m❌ Dropbear build failed. See [%s] \e[0m\n" "${var_logfile}" >&2
   tail -n 42 "${var_logfile}" >&2 || true
   exit 42
 
@@ -75,7 +94,7 @@ fi
 
   rm -rf /root/dropbear
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0021_dropbear_initramfs.chroot

@@ -11,15 +11,30 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
-
-### Declare Arrays, HashMaps, and Variables.
-declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 
+### Declare Arrays, HashMaps, and Variables.
+declare var_dropbear_env="/root/dropbear.env"
+[[ -r "${var_dropbear_env}" ]] || {
+  printf "\e[91m❌ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2
+  exit 43
+}
+
+# shellcheck disable=SC1090
+. "${var_dropbear_env}"
+declare var_dropbear_version="${DROPBEAR_VERSION:?DROPBEAR_VERSION is not set}"
+[[ "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]] || {
+  printf "\e[91m❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
+  exit 43
+}
+
+declare var_dropbear_build_dir="/root/build/dropbear-${var_dropbear_version}"
+declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"
+
 apt-get install -y --no-install-recommends --no-install-suggests cryptsetup-initramfs dropbear-initramfs dropbear-bin 2>&1 | tee -a "${var_logfile}"
 apt-get purge -y dropbear 2>&1 | tee -a "${var_logfile}" || true
 apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a "${var_logfile}"
@@ -32,16 +47,18 @@ rm -f /root/dropbear.file
 
 mkdir -p /root/.ciss/cdlb/backup/usr/sbin
 mv /usr/sbin/dropbear /root/.ciss/cdlb/backup/usr/sbin/dropbear.trixie
-install -m 0755 -o root -g root /root/build/dropbear-2025.88/dropbear /usr/sbin/
+install -m 0755 -o root -g root "${var_dropbear_build_dir}/dropbear" /usr/sbin/
 
 mkdir -p /root/.ciss/cdlb/backup/usr/bin
 for var_file in dbclient dropbearconvert dropbearkey; do
 
   mv "/usr/bin/${var_file}" "/root/.ciss/cdlb/backup/usr/bin/${var_file}.trixie"
-  install -m 0755 -o root -g root "/root/build/dropbear-2025.88/${var_file}" /usr/bin/
+  install -m 0755 -o root -g root "${var_dropbear_build_dir}/${var_file}" /usr/bin/
 
 done
 
+rm -f "${var_dropbear_env}"
+
 mkdir -p /etc/initramfs-tools/scripts/init-bottom
 
 cat << 'EOF' >| /etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill
@@ -126,7 +143,7 @@ EOF
 
 systemctl mask dropbear.service dropbear.socket
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0022_dropbear_setup.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -154,7 +154,7 @@ readonly -f write_dropbear_conf
 
 dropbear_setup
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0040_ssh_config_setup.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 cat << EOF >> /etc/ssh/ssh_config.d/10-sshfp.conf
 # SPDX-Version: 3.0
@@ -38,7 +38,7 @@ Host git.coresecret.dev
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0050_activate_root.chroot

@@ -11,13 +11,13 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 if [[ ! -f /root/.pwd ]]; then
 
-  printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ /root/.pwd NOT found. \e[0m\n"
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Exiting Hook ... \e[0m\n"
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' done. Nothing changed. \e[0m\n" "${0}"
+  printf "\e[92m❌ /root/.pwd NOT found. \e[0m\n"
+  printf "\e[92m❌ Exiting Hook ... \e[0m\n"
+  printf "\e[92m✅ '%s' done. Nothing changed. \e[0m\n" "${0}"
   exit 0
 
 fi
@@ -39,15 +39,15 @@ unset hashed_pwd safe_hashed_pwd
 
 if shred -fzu -n 5 /root/.pwd; then
 
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: shred -fzu -n 5 >> done. \e[0m\n"
+  printf "\e[92m✅ Password file /root/.pwd: shred -fzu -n 5 >> done. \e[0m\n"
 
 else
 
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: shred -fzu -n 5 >> NOT successful. \e[0m\n" >&2
+  printf "\e[91m❌ Password file /root/.pwd: shred -fzu -n 5 >> NOT successful. \e[0m\n" >&2
 
 fi
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0080_keyboard_layout.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 cat << 'EOF' >| /etc/default/keyboard
 XKBMODEL="pc105"
@@ -26,7 +26,7 @@ export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 dpkg-reconfigure -f noninteractive keyboard-configuration
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0090_jitterentropy.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -28,7 +28,7 @@ ExecStart=
 ExecStart=/usr/sbin/jitterentropy-rngd --osr=2
 EOF
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0120_set_hostname.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 mv /etc/hostname /root/.ciss/cdlb/backup/hostname.bak
 mv /etc/mailname /root/.ciss/cdlb/backup/mailname.bak
@@ -26,7 +26,7 @@ localhost.local
 
 EOF
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0130_machineid.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 cd /root
 if [[ -f /var/lib/dbus/machine-id ]]; then
@@ -32,7 +32,7 @@ b08dfa6083e7567a1921a715000001fb
 EOF
 chmod 644 /etc/machine-id
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0400_eza_install.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 cd /root
 
@@ -147,7 +147,7 @@ unzip /tmp/nerd/Hack.zip -d /root/.local/share/fonts
 fc-cache -fv
 rm -rf /tmp/nerd
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0800_lynis_setup.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
 echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list
@@ -463,7 +463,7 @@ upload-options=
 #EOF
 EOF_LYNIS
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0810_chrony_setup.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 mkdir -p /var/log/chrony
 
@@ -114,7 +114,7 @@ fi
 
 chronyd -Q -f /etc/chrony/chrony.conf 2>&1
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0820_kernel_hardening_checker.chroot

@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 cd /root/git
 git clone https://github.com/a13xp0p0v/kernel-hardening-checker.git
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0822_ssh_restart_hook.chroot

@@ -11,39 +11,20 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
-cd /root
-declare target_script="/etc/cron.d/restart-ssh"
+mkdir -p /etc/systemd/system/ssh.service.d
 
-cat << 'EOF' >| "${target_script}"
-@reboot root /usr/local/bin/restart-ssh.sh
+cat << EOF >| /etc/systemd/system/ssh.service.d/10-ciss-network.conf
+[Unit]
+After=network-online.target ufw.service fail2ban.service
+Wants=network-online.target
+
+[Service]
+ExecStartPre=/bin/sleep 5
 EOF
 
-chmod 0444 "${target_script}"
-
-cat << 'EOF' >| /usr/local/bin/restart-ssh.sh
-#!/bin/bash
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-# Script to restart SSH at boot
-systemctl stop ssh
-sleep 5
-systemctl start ssh
-EOF
-
-chmod +x /usr/local/bin/restart-ssh.sh
-
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0825_my_sqltuner_perl.chroot

@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 cd /root/git
 git clone --depth 1 -b master https://github.com/major/MySQLTuner-perl.git
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0830_download_yq.chroot

@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
 chmod +x /usr/bin/yq
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0835_testssl.sh.chroot

@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 cd /root/git
 git clone https://github.com/testssl/testssl.sh.git
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0840_ufw_abuse_ipdb_reporter.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -22,7 +22,7 @@ apt-get install -y nodejs
 cd /root/git
 git clone https://github.com/sefinek/UFW-AbuseIPDB-Reporter.git
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0845_harbian_audit.chroot

@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 cd /root/git
 git clone https://github.com/hardenedlinux/harbian-audit.git
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0850_ssh_audit.chroot

@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 cd /root/git
 git clone https://github.com/jtesta/ssh-audit.git
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0855_dnsviz.chroot

@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 cd /root/git
 git clone https://github.com/dnsviz/dnsviz.git
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0860_sops.chroot

@@ -11,47 +11,307 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 
-SOPS_VER="v3.11.0"
-ARCH="$(dpkg --print-architecture)"
-case "${ARCH}" in
-  amd64)  SOPS_FILE="sops-${SOPS_VER}.linux.amd64" ;;
-  arm64)  SOPS_FILE="sops-${SOPS_VER}.linux.arm64" ;;
-  *)  echo "Unsupported arch: ${ARCH}" >&2; exit 1 ;;
-esac
+declare SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP="https://github.com/getsops"
+declare SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER="https://token.actions.githubusercontent.com"
 
-cd /tmp
+#######################################
+# Print a fatal error and abort the hook.
+# Globals:
+#   None
+# Arguments:
+#   1: Message string
+# Returns:
+#   None
+#######################################
+die() {
+  declare message="$1"
+  printf "\e[91m❌ ERROR: %s \e[0m\n" "${message}" >&2
+  exit 43
+}
 
-curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/${SOPS_FILE}"
-curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.txt"
-curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.pem"
-curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.sig"
+#######################################
+# Require an executable tool.
+# Globals:
+#   None
+# Arguments:
+#   1: Tool name
+# Returns:
+#   0: on success
+#######################################
+require_tool() {
+  declare tool_name="$1"
 
-cosign verify-blob "sops-${SOPS_VER}.checksums.txt" \
-  --certificate    "sops-${SOPS_VER}.checksums.pem" \
-  --signature      "sops-${SOPS_VER}.checksums.sig" \
-  --certificate-identity-regexp="https://github.com/getsops" \
-  --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
+  command -v "${tool_name}" >/dev/null 2>&1 || die "Required tool not found: ${tool_name}"
 
-sha256sum -c "sops-${SOPS_VER}.checksums.txt" --ignore-missing
+  return 0
+}
 
-install -m 0755 "${SOPS_FILE}" /usr/local/bin/sops
-sops --version --check-for-updates >| /root/.ciss/cdlb/log/sops.log
-age --version                      >| /root/.ciss/cdlb/log/age.log
+#######################################
+# Validate and normalize a SOPS semantic version.
+# Globals:
+#   None
+# Arguments:
+#   1: SOPS version string
+# Outputs:
+#   Normalized bare semantic version
+# Returns:
+#   0: on success
+#######################################
+normalize_sops_version() {
+  declare sops_version="${1#v}"
 
-rm -f "/tmp/${SOPS_FILE}"
-rm -f "/tmp/sops-${SOPS_VER}.checksums.txt"
-rm -f "/tmp/sops-${SOPS_VER}.checksums.pem"
-rm -f "/tmp/sops-${SOPS_VER}.checksums.sig"
+  [[ "${sops_version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || \
+    die "Invalid SOPS version '${1}'. Expected '<MAJOR>.<MINOR>.<PATCH>' without prerelease metadata."
 
-chmod 0400 /root/.config/sops/age/keys.txt
+  printf '%s' "${sops_version}"
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+  return 0
+}
+
+#######################################
+# Download a mandatory release asset.
+# Globals:
+#   None
+# Arguments:
+#   1: Asset URL
+#   2: Target filename
+# Returns:
+#   0: on success
+#######################################
+download_required_asset() {
+  declare asset_url="$1"
+  declare target_file="$2"
+
+  if ! curl -fsSLo "${target_file}" "${asset_url}"; then
+    die "Failed to download required SOPS asset '${target_file}' from '${asset_url}'."
+  fi
+
+  [[ -s "${target_file}" ]] || die "Downloaded SOPS asset is empty: ${target_file}"
+
+  return 0
+}
+
+#######################################
+# Download an optional release asset and distinguish absence from download errors.
+# Globals:
+#   None
+# Arguments:
+#   1: Asset URL
+#   2: Target filename
+# Returns:
+#   0: asset was downloaded
+#   1: asset is absent upstream
+#######################################
+download_optional_asset() {
+  declare asset_url="$1"
+  declare target_file="$2"
+  declare http_code=""
+
+  if ! http_code=$(curl -sSLo "${target_file}" -w '%{http_code}' "${asset_url}"); then
+    rm -f -- "${target_file}"
+    die "Failed to query optional SOPS asset '${target_file}' from '${asset_url}'."
+  fi
+
+  case "${http_code}" in
+    200)
+      [[ -s "${target_file}" ]] || die "Optional SOPS asset is empty after HTTP 200: ${target_file}"
+      return 0
+      ;;
+    404)
+      rm -f -- "${target_file}"
+      return 1
+      ;;
+    *)
+      rm -f -- "${target_file}"
+      die "Unexpected HTTP status ${http_code} for optional SOPS asset '${target_file}' from '${asset_url}'."
+      ;;
+  esac
+}
+
+#######################################
+# Verify the SOPS checksums file with Cosign.
+# Globals:
+#   SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP
+#   SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER
+# Arguments:
+#   1: Checksums filename
+#   2: Bundle filename
+#   3: Certificate filename
+#   4: Signature filename
+# Returns:
+#   0: on success
+#######################################
+verify_sops_checksums_signature() {
+  declare checksums_file="$1"
+  declare bundle_file="$2"
+  declare certificate_file="$3"
+  declare signature_file="$4"
+
+  if [[ -f "${bundle_file}" ]]; then
+    printf "\e[95m[INFO] Verifying SOPS checksums with Cosign bundle: %s \e[0m\n" "${bundle_file}"
+    cosign verify-blob "${checksums_file}" \
+      --bundle "${bundle_file}" \
+      --certificate-identity-regexp="${SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP}" \
+      --certificate-oidc-issuer="${SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER}" || \
+      die "SOPS checksum signature verification failed in bundle mode for '${checksums_file}' using '${bundle_file}'."
+    return 0
+  fi
+
+  if [[ -f "${certificate_file}" && -f "${signature_file}" ]]; then
+    printf "\e[95m[INFO] Verifying SOPS checksums with Cosign split certificate/signature: %s %s \e[0m\n" "${certificate_file}" "${signature_file}"
+    cosign verify-blob "${checksums_file}" \
+      --certificate "${certificate_file}" \
+      --signature "${signature_file}" \
+      --certificate-identity-regexp="${SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP}" \
+      --certificate-oidc-issuer="${SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER}" || \
+      die "SOPS checksum signature verification failed in legacy split mode for '${checksums_file}' using '${certificate_file}' and '${signature_file}'."
+    return 0
+  fi
+
+  if [[ -f "${certificate_file}" || -f "${signature_file}" ]]; then
+    die "Incomplete legacy SOPS signature layout for '${checksums_file}'. Expected both '${certificate_file}' and '${signature_file}'."
+  fi
+
+  die "No supported SOPS checksum signature layout found for '${checksums_file}'. Expected bundle or split certificate/signature assets."
+}
+
+#######################################
+# Verify the SOPS artifact checksum and ensure the expected artifact was covered.
+# Globals:
+#   None
+# Arguments:
+#   1: Checksums filename
+#   2: Artifact filename
+# Returns:
+#   0: on success
+#######################################
+verify_sops_artifact_checksum() {
+  declare checksums_file="$1"
+  declare artifact_file="$2"
+  declare checksum_output=""
+
+  if ! checksum_output=$(sha256sum -c "${checksums_file}" --ignore-missing 2>&1); then
+    printf '%s\n' "${checksum_output}" >&2
+    die "SOPS artifact checksum verification failed for '${artifact_file}' using '${checksums_file}'."
+  fi
+
+  printf '%s\n' "${checksum_output}"
+
+  if ! grep -Fxq "${artifact_file}: OK" <<< "${checksum_output}" && \
+     ! grep -Fxq "./${artifact_file}: OK" <<< "${checksum_output}"; then
+    die "SOPS checksum verification did not cover expected artifact '${artifact_file}' from '${checksums_file}'."
+  fi
+
+  return 0
+}
+
+#######################################
+# Install SOPS from an upstream GitHub release after signature and checksum verification.
+# Globals:
+#   CISS_SOPS_VERSION
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+main() {
+  require_tool curl
+  require_tool cosign
+  require_tool sha256sum
+
+  declare sops_env="/root/sops.env"
+  [[ -r "${sops_env}" ]] || die "Missing SOPS environment file: ${sops_env}"
+
+  # shellcheck disable=SC1090
+  . "${sops_env}"
+
+  declare ciss_sops_version
+  ciss_sops_version=$(normalize_sops_version "${CISS_SOPS_VERSION:?CISS_SOPS_VERSION is not set}")
+
+  declare architecture
+  architecture="$(dpkg --print-architecture)"
+
+  declare sops_tag="v${ciss_sops_version}"
+  declare sops_file=""
+  case "${architecture}" in
+    amd64)
+      sops_file="sops-${sops_tag}.linux.amd64"
+      ;;
+    arm64)
+      sops_file="sops-${sops_tag}.linux.arm64"
+      ;;
+    *)
+      die "Unsupported architecture '${architecture}' for SOPS version '${ciss_sops_version}'. Expected amd64 or arm64."
+      ;;
+  esac
+
+  declare release_base_url="https://github.com/getsops/sops/releases/download/${sops_tag}"
+  declare checksums_file="sops-${sops_tag}.checksums.txt"
+  declare bundle_file="sops-${sops_tag}.checksums.sigstore.json"
+  declare certificate_file="sops-${sops_tag}.checksums.pem"
+  declare signature_file="sops-${sops_tag}.checksums.sig"
+  declare bundle_available="false"
+  declare certificate_available="false"
+  declare signature_available="false"
+
+  cd /tmp
+
+  printf "\e[95m[INFO] Downloading SOPS %s asset: %s \e[0m\n" "${ciss_sops_version}" "${sops_file}"
+  download_required_asset "${release_base_url}/${sops_file}" "${sops_file}"
+  download_required_asset "${release_base_url}/${checksums_file}" "${checksums_file}"
+
+  # shellcheck disable=SC2310
+  if download_optional_asset "${release_base_url}/${bundle_file}" "${bundle_file}"; then
+    bundle_available="true"
+  fi
+
+  if [[ "${bundle_available}" == "false" ]]; then
+    # shellcheck disable=SC2310
+    if download_optional_asset "${release_base_url}/${certificate_file}" "${certificate_file}"; then
+      certificate_available="true"
+    fi
+
+    # shellcheck disable=SC2310
+    if download_optional_asset "${release_base_url}/${signature_file}" "${signature_file}"; then
+      signature_available="true"
+    fi
+
+    if [[ "${certificate_available}" != "${signature_available}" ]]; then
+      die "Incomplete legacy SOPS signature assets for version '${ciss_sops_version}'. Expected both '${certificate_file}' and '${signature_file}'."
+    fi
+  fi
+
+  verify_sops_checksums_signature "${checksums_file}" "${bundle_file}" "${certificate_file}" "${signature_file}"
+  verify_sops_artifact_checksum "${checksums_file}" "${sops_file}"
+
+  install -m 0755 "${sops_file}" /usr/local/bin/sops
+  sops --version >| /root/.ciss/cdlb/log/sops.log
+  age --version  >| /root/.ciss/cdlb/log/age.log
+
+  rm -f -- "/tmp/${sops_file}"
+  rm -f -- "/tmp/${checksums_file}"
+  rm -f -- "/tmp/${bundle_file}"
+  rm -f -- "/tmp/${certificate_file}"
+  rm -f -- "/tmp/${signature_file}"
+
+  if [[ -f /root/.config/sops/age/keys.txt ]]; then
+    chmod 0400 /root/.config/sops/age/keys.txt
+  fi
+
+  printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+  return 0
+}
+
+if [[ "${CISS_SOPS_TEST_MODE:-false}" != "true" ]]; then
+  main "$@"
+  exit 0
+fi
 
-exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0865_yq.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -21,7 +21,7 @@ wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O
 
 yq --version
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0870_bashdb.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 umask 0077
 
@@ -31,7 +31,7 @@ apt-get purge -y texinfo
 apt-get autoremove --purge -y
 apt-get autoclean -y
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/0900_ufw_setup.chroot

@@ -11,10 +11,11 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 declare -r UFW_OUT_POLICY="deny"
 declare -r SSHPORT="SSHPORT_MUST_BE_SET"
+# PRIMORDIAL_SSH_PORT_DECLARATION_MUST_BE_SET
 
 ufw --force reset
 
@@ -41,9 +42,11 @@ if [[ ${UFW_OUT_POLICY,,} == "deny"  ]]; then
   ufw allow out  443/tcp comment 'Outgoing HTTPS'
   ufw allow out  465/tcp comment 'Outgoing SMTPS'
   ufw allow out  587/tcp comment 'Outgoing SMTPS'
+  ufw allow out  853/tcp comment 'Outgoing DoT'
   ufw allow out  993/tcp comment 'Outgoing IMAPS'
   ufw allow out 4460/tcp comment 'Outgoing NTS'
-  ufw allow out "${SSHPORT}"/tcp comment 'Outgoing SSH (Custom-Port)'
+  ufw allow out "${SSHPORT}"/tcp comment 'Outgoing SSH Custom-Port'
+  # PRIMORDIAL_SSH_RULE_MUST_BE_SET
   ufw allow out   53/udp comment 'Outgoing DNS'
   ufw allow out  123/udp comment 'Outgoing NTP'
   ufw allow out  443/udp comment 'Outgoing QUIC'
@@ -60,7 +63,7 @@ sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type
 sed -i 's/^ENABLED=no/ENABLED=yes/' /etc/ufw/ufw.conf
 ln -sf /lib/systemd/system/ufw.service /etc/systemd/system/multi-user.target.wants/ufw.service
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9900_process_accounting.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -26,15 +26,15 @@ fi
 
 if ln -s /lib/systemd/system/acct.service /etc/systemd/system/multi-user.target.wants/acct.service; then
 
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'Process Accounting' enabled successful. \e[0m\n"
+  printf "\e[92m✅ 'Process Accounting' enabled successful. \e[0m\n"
 
 else
 
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'Process Accounting' already enabled. \e[0m\n" >&2
+  printf "\e[91m❌ 'Process Accounting' already enabled. \e[0m\n" >&2
 
 fi
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9910_motd.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 mkdir -p /root/.ciss/cdlb/backup/update-motd.d
 cp -af /etc/update-motd.d/* /root/.ciss/cdlb/backup/update-motd.d
@@ -23,7 +23,7 @@ EOF
 
 chmod 0755 /etc/update-motd.d/10-uname
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9920_deleting_invalid_x509.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 declare -a search_dirs=("/etc/ssl/certs" "/usr/local/share/ca-certificates" "/usr/share/ca-certificates" "/etc/letsencrypt")
 declare backup_dir="/root/.ciss/cdlb/backup/certificates"
@@ -29,7 +29,7 @@ declare -ax expired_certificates=()
 #   None
 #######################################
 create_backup() {
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Backup Certificate: '%s' ... \e[0m\n" "${backup_dir}"
+  printf "\e[95m🧪 Backup Certificate: '%s' ... \e[0m\n" "${backup_dir}"
 
   mkdir -p "${backup_dir}"
   declare dir=""
@@ -44,7 +44,7 @@ create_backup() {
 
   done
 
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Backup Certificate: '%s' done.\e[0m\n" "${backup_dir}"
+  printf "\e[92m✅ Backup Certificate: '%s' done.\e[0m\n" "${backup_dir}"
 }
 
 #######################################
@@ -104,7 +104,7 @@ delete_expired_from_all_bundles() {
 
     if [[ -f ${bundle} ]]; then
 
-      printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Checking Root-CA Bundle: '%s' ...\e[0m\n" "${bundle}"
+      printf "\e[95m🧪 Checking Root-CA Bundle: '%s' ...\e[0m\n" "${bundle}"
       declare tmp_bundle="${bundle}.tmp"
       declare -a block=()
       declare expired=0
@@ -149,7 +149,7 @@ delete_expired_from_all_bundles() {
 
           else
 
-            printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅  Certificate deleted: '%s' (Expired: %s)\e[0m\n" "${bundle}" "${enddate}"
+            printf "\e[92m✅  Certificate deleted: '%s' (Expired: %s)\e[0m\n" "${bundle}" "${enddate}"
 
           fi
 
@@ -161,29 +161,29 @@ delete_expired_from_all_bundles() {
 
       mv -f "${tmp_bundle}" "${bundle}"
 
-      printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Checking Root-CA Bundle: '%s' done. \e[0m\n" "${bundle}"
+      printf "\e[92m✅ Checking Root-CA Bundle: '%s' done. \e[0m\n" "${bundle}"
 
     fi
 
   done
 }
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Check certificates in: '%s'.\e[0m\n" "${search_dirs[*]}"
+printf "\e[95m🧪 Check certificates in: '%s'.\e[0m\n" "${search_dirs[*]}"
 create_backup
 delete_expired_from_all_bundles
 check_certificates
 
 if [[ ${#expired_certificates[@]} -eq 0 ]]; then
 
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No expired certificates found.\e[0m\n"
+  printf "\e[92m✅ No expired certificates found.\e[0m\n"
 
 else
 
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Expired certificates found:\e[0m\n"
+  printf "\e[95m🧪 Expired certificates found:\e[0m\n"
 
   for exp_cert in "${expired_certificates[@]}"; do
 
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ '%s'. \e[0m\n" "${exp_cert}"
+    printf "\e[92m'%s'. \e[0m\n" "${exp_cert}"
 
   done
 
@@ -191,7 +191,7 @@ else
 
     rm -f "${exp_cert}"
 
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Certificate deleted: '%s'.\e[0m\n" "${exp_cert}"
+    printf "\e[92m✅ Certificate deleted: '%s'.\e[0m\n" "${exp_cert}"
     basename=$(basename "${exp_cert}")
     mozilla_entry="mozilla/${basename%.pem}.crt"
     mozilla_entry="${mozilla_entry%.crt}.crt"
@@ -200,19 +200,19 @@ else
     if grep -Fxq "${mozilla_entry}" "${ca_conf}"; then
 
       sed -i "s|^${mozilla_entry}$|#${mozilla_entry}|" "${ca_conf}"
-      printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Entry in ca-certificates.conf deselected: '#%s'.\e[0m\n" "${mozilla_entry}"
+      printf "\e[92m✅ Entry in ca-certificates.conf deselected: '#%s'.\e[0m\n" "${mozilla_entry}"
 
     fi
 
   done
 
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache ... \e[0m\n"
+  printf "\e[95m✅ Updating the certificate cache ... \e[0m\n"
   update-ca-certificates --fresh
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache done.\e[0m\n"
+  printf "\e[92m✅ Updating the certificate cache done.\e[0m\n"
 
 fi
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 
 exit 0

config/hooks/live/9930_hardening_ssh.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 declare _key=""
 
 cd /etc/ssh
@@ -44,8 +44,11 @@ chmod 0600 /etc/ssh/ssh_host_*_key
 chown root:root /etc/ssh/ssh_host_*_key
 chmod 0644 /etc/ssh/ssh_host_*_key.pub
 chown root:root /etc/ssh/ssh_host_*_key.pub
-chmod 0440 /etc/ssh/*sha256sum.txt
-chown root:root /etc/ssh/*sha256sum.txt
+
+if compgen -G "/etc/ssh/*sha256sum.txt" > /dev/null; then
+  chmod 0440 /etc/ssh/*sha256sum.txt
+  chown root:root /etc/ssh/*sha256sum.txt
+fi
 
 awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
 rm -rf /etc/ssh/moduli
@@ -112,7 +115,7 @@ fi
 
 /usr/sbin/sshd -t || exit 42
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9935_hardening_ssl.chroot

@@ -0,0 +1,445 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-12-03; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
+
+mkdir -p /root/.ciss/cdlb/backup/etc/ssl
+
+mv /etc/ssl/openssl.cnf /root/.ciss/cdlb/backup/etc/ssl/openssl.cnf.bak
+
+cat << 'EOF' >| /etc/ssl/openssl.cnf
+#
+# OpenSSL example configuration file.
+# See doc/man5/config.pod for more information.
+#
+# This is mostly being used for generation of certificate requests,
+# but may be used for autoloading of providers
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+openssl_conf = default_conf
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+
+# Use this to automatically load providers.
+openssl_conf = openssl_init
+
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
+# Extra OBJECT IDENTIFIER information:
+# oid_file       = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+# We can add new OIDs in here for use by 'ca,' 'req,' and 'ts.'
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+# For FIPS
+# Optionally include a file that is generated by the OpenSSL fipsinstall
+# application. This file contains configuration data required by the OpenSSL
+# fips provider. It contains a named section e.g., [fips_sect] which is
+# referenced from the [provider_sect] below.
+# Refer to the OpenSSL security policy for more information.
+# .include fipsmodule.cnf
+
+[openssl_init]
+providers = provider_sect
+
+# List of providers to load
+[provider_sect]
+default = default_sect
+# The fips section name should match the section name inside the
+# included fipsmodule.cnf.
+# fips = fips_sect
+
+# If no providers are activated explicitly, the default one is activated implicitly.
+# See man 7 OSSL_PROVIDER-default for more details.
+#
+# If you add a section explicitly activating any other provider(s), you most
+# probably need to explicitly activate the default provider, otherwise it
+# becomes unavailable in openssl.  As a consequence, applications depending on
+# OpenSSL may not work correctly, which could lead to significant system
+# problems including inability to remotely access the system.
+[default_sect]
+# activate = 1
+
+
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir		= ./demoCA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of several certs with the same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+
+certificate	= $dir/cacert.pem 	# The CA certificate
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+private_key	= $dir/private/cakey.pem # The private key
+
+x509_extensions	= usr_cert		# The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use it with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= default		# use public key default MD
+preserve	= no			# keep passed DN ordering
+
+# A few different ways of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that.
+policy		= policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+
+####################################################################
+[ req ]
+default_bits		= 4096
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extensions to add to the self-signed cert
+
+# Passwords for private keys if not present, they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName			= Country Name (2-letter code)
+countryName_default		= AU
+countryName_min			= 2
+countryName_max			= 2
+
+stateOrProvinceName		= State or Province Name (full name)
+stateOrProvinceName_default	= Some-State
+
+localityName			= Locality Name (e.g., city)
+
+0.organizationName		= Organization Name (e.g., company)
+0.organizationName_default	= Internet Widgits Pty Ltd
+
+# we can do this, but it is unnecessary normally
+#1.organizationName		= Second Organization Name (e.g., company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+
+organizationalUnitName		= Organizational Unit Name (e.g., section)
+#organizationalUnitName_default	=
+
+commonName			= Common Name (e.g., server FQDN or YOUR name)
+commonName_max			= 64
+
+emailAddress			= Email Address
+emailAddress_max		= 64
+
+# SET-ex3			= SET extension number 3
+
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+
+unstructuredName		= An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines, but some CAs do it, and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# PKIX recommendations are harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated, according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However, since it will
+# prevent it being used as a test self-signed certificate, it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object.
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines, but some CAs do it, and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# PKIX recommendations are harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated, according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1	# the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir		= ./demoCA		# TSA root directory
+serial		= $dir/tsaserial	# The current serial number (mandatory)
+crypto_device	= builtin		# OpenSSL engine to use for signing
+signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
+					# (optional)
+certs		= $dir/cacert.pem	# Certificate chain to include in reply
+					# (optional)
+signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest  = sha256			# Signing digest to use. (Optional)
+default_policy	= tsa_policy1		# Policy if request did not specify it
+					# (optional)
+other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
+accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
+clock_precision_digits  = 0	# number of digits after dot. (optional)
+ordering		= yes	# Is ordering defined for timestamps?
+				# (optional, default: no)
+tsa_name		= yes	# Must the TSA name be included in the reply?
+				# (optional, default: no)
+ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
+				# (optional, default: no)
+ess_cert_id_alg		= sha256	# algorithm to compute certificate
+				# identifier (optional, default: sha256)
+
+[insta] # CMP using Insta Demo CA
+# Message transfer
+server = pki.certificate.fi:8700
+# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080
+# tls_use = 0
+path = pkix/
+
+# Server authentication
+recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer
+ignore_keyusage = 1 # quirk needed to accept Insta CA cert not including digitalsignature
+unprotected_errors = 1 # quirk needed to accept negative responses possibly not protected
+extracertsout = insta.extracerts.pem
+
+# Client authentication
+ref = 3078 # user identification
+secret = pass:insta # can be used for both client and server side
+
+# Generic message options
+cmd = ir # default operation, can be overridden on cmd line with, e.g., kur
+
+# Certificate enrollment
+subject = "/CN=openssl-cmp-test"
+newkey = insta.priv.pem
+out_trusted = apps/insta.ca.crt # does not include keyUsage digitalSignature
+certout = insta.cert.pem
+
+[pbm] # Password-based protection for Insta CA
+# Server and client authentication
+ref = $insta::ref # 3078
+secret = $insta::secret # pass:insta
+
+[signature] # Signature-based protection for Insta CA
+# Server authentication
+trusted = $insta::out_trusted # apps/insta.ca.crt
+
+# Client authentication
+secret = # disable the PBM
+key = $insta::newkey # insta.priv.pem
+cert = $insta::certout # insta.cert.pem
+
+[ir]
+cmd = ir
+
+[cr]
+cmd = cr
+
+[kur]
+# Certificate update
+cmd = kur
+oldcert = $insta::certout # insta.cert.pem
+
+[rr]
+# Certificate revocation
+cmd = rr
+oldcert = $insta::certout # insta.cert.pem
+
+##### Added by CISS.debian.live.builder #####
+[default_conf]
+ssl_conf = ssl_sect
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+MinProtocol = TLSv1.2
+MaxProtocol = TLSv1.3
+
+# TLS 1.2: FS only, AEAD only, no AES128, no static RSA negotiation, no DHE negotiation.
+CipherString = ECDHE+AES256-GCM:ECDHE+CHACHA20:!AES128:!kRSA:!DHE:!PSK:!SRP:!aNULL:!eNULL:@SECLEVEL=2
+
+# TLS 1.3: only AES-256-GCM and ChaCha20-Poly1305.
+Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+
+# Preferred ECDHE groups.
+Groups = X448:P-521:P-384
+
+# Flags: Tickets off, servers order, renegotiation off.
+Options = -SessionTicket,ServerPreference,NoRenegotiation
+
+# Permitted signature algorithms.
+SignatureAlgorithms = ecdsa_secp521r1_sha512:ecdsa_secp384r1_sha384:ed448:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9940_hardening_memory.dump.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 cp -u /etc/security/limits.conf /root/.ciss/cdlb/backup/limits.conf.bak
 chmod 0644 /root/.ciss/cdlb/backup/limits.conf.bak
@@ -82,7 +82,7 @@ KeepFree=0
 EOF
 chmod 0644 /etc/systemd/coredump.conf.d/9999-ciss-coredump-disable.conf
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9950_hardening_fail2ban.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 cd /root
 
@@ -235,7 +235,7 @@ EOF
 touch /var/log/fail2ban/fail2ban.log
 chmod 0640 /var/log/fail2ban/fail2ban.log
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9960_disable_services.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 ###########################################################################################
 # Remarks: Turn off Energy saving mode and ctrl-alt-del                                   #
@@ -23,7 +23,7 @@ done
 
 unset target
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9970_remove_exim.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -33,7 +33,7 @@ if [[ -d /etc/exim4 ]]; then
   rm -rf /etc/exim4
 fi
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9980_usb_guard.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -41,7 +41,7 @@ cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/cdlb/backup/usbguard-daemon
 
 rm -f /tmp/rules.conf
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9990_final_purge.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 
@@ -29,7 +29,7 @@ dpkg --get-selections | grep deinstall >| /tmp/deinstall.log || true
 if [[ -s /tmp/deinstall.log ]]; then
 
   printf "\n"
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Packages to purge ... \e[0m\n"
+  printf "\e[95m🧪 Packages to purge ... \e[0m\n"
   sed -i 's!deinstall!!' /tmp/deinstall.log
 
   while IFS= read -r line; do
@@ -37,16 +37,16 @@ if [[ -s /tmp/deinstall.log ]]; then
     declare trimmed_string
     trimmed_string=$(echo "${line}" | awk '{$1=$1};1')
     echo "y" | apt-get purge "${trimmed_string}"
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Package '%s' purged. \e[0m\n" "${trimmed_string}"
+    printf "\e[92m✅ Package '%s' purged. \e[0m\n" "${trimmed_string}"
 
   done < /tmp/deinstall.log
 
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Packages to purge done. \e[0m\n"
+  printf "\e[92m✅ Packages to purge done. \e[0m\n"
 
 else
 
   printf "\n"
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Packages to purge, proceeding with clean up. \e[0m\n"
+  printf "\e[92m✅ No Packages to purge, proceeding with clean up. \e[0m\n"
 
 fi
 
@@ -60,7 +60,7 @@ apt-get autopurge -y
 
 updatedb
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9991_file_permissions.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 chmod 0644 /etc/banner
 chmod 0644 /etc/issue
@@ -26,8 +26,8 @@ fi
 touch /etc/motd
 cat << EOF >| /etc/motd
 
-      (c) Marc S. Weidner, 2018 - 2025
-      (p) Centurion Press, 2018 - 2025
+      (c) Marc S. Weidner, 2018 - 2026
+      (p) Centurion Press, 2018 - 2026
           Centurion Intelligence Consulting Agency (tm)
           https://coresecret.eu/
           Please consider making a donation:
@@ -109,7 +109,7 @@ find /root -xdev -exec chown -h root:root {} +
 
 rm -f /etc/tmpfiles.d/legacy.conf
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9992_password_expiration.chroot

@@ -10,6 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
+
 #######################################
 # Iterates all '/etc/shadow' entries and sets:
 #   4=min age=0, 5=max age=16384, 6=warn=128, 7=inactive=42, 8=expire=17.09.2102
@@ -92,12 +93,12 @@ update_shadow() {
 # shellcheck disable=SC2034
 readonly -f update_shadow
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 if ! command -v chage &>/dev/null; then
 
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Info: 'chage' NOT found. Exiting hook ... \e[0m\n"
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+  printf "\e[92m✅ Info: 'chage' NOT found. Exiting hook ... \e[0m\n"
+  printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
   exit 0
 
@@ -111,8 +112,8 @@ mapfile -t users_to_update < <(
 
 if [[ ${#users_to_update[@]} -eq 0 ]]; then
 
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No enabled-login accounts found in /etc/shadow. Exiting hook ... \e[0m\n"
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+  printf "\e[92m✅ No enabled-login accounts found in /etc/shadow. Exiting hook ... \e[0m\n"
+  printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
   exit 0
 
@@ -120,7 +121,7 @@ fi
 
 declare user
 for user in "${users_to_update[@]}"; do
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Setting max password age for user '%s' to '%s' days. \e[0m\n" "${user}" "${max_days}"
+  printf "\e[92m✅ Setting max password age for user '%s' to '%s' days. \e[0m\n" "${user}" "${max_days}"
   chage --maxdays "${max_days}" "${user}"
 done
 
@@ -128,11 +129,11 @@ unset max_days user users_to_update
 
 awk -F: '$2 !~ /^\$[0-9]/ && length($2)==13 { print $1,$2 }' /etc/shadow
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ All applicable accounts have been updated. \e[0m\n"
+printf "\e[92m✅ All applicable accounts have been updated. \e[0m\n"
 
 update_shadow
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9993_aide.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -23,15 +23,15 @@ sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf
 
 if aideinit > /dev/null 2>&1; then
 
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'aideinit' successful. \e[0m\n"
+  printf "\e[92m✅ 'aideinit' successful. \e[0m\n"
 
 else
 
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'aideinit' NOT successful. \e[0m\n" >&2
+  printf "\e[91m❌ 'aideinit' NOT successful. \e[0m\n" >&2
 
 fi
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9994_password_policy.chroot

@@ -15,7 +15,7 @@
 
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
@@ -130,7 +130,7 @@ local_users_only
 
 EOF
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9995_sysstat.chroot

@@ -11,11 +11,11 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 sed -i 's#^\(ENABLED=\).*#\1"true"#' /etc/default/sysstat
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9996_auditd.chroot

@@ -21,7 +21,7 @@ set -Ceuo pipefail
 #######################################
 log() { printf '[auditd-build] %s\n' "${*}" >&2; }
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 cd /root
 
@@ -42,13 +42,13 @@ cat << EOF >| /etc/audit/rules.d/00-base-config.rules
 
 ## Increase the buffers to survive stress events.
 ## Make this bigger for busy systems.
--b 16384
+-b 262144
 
 ## Rate Limit. Cap kernel->userspace message rate (0 = unlimited).
 -r 200
 
 ## This determine how long to wait in burst of events. How long to wait in bursts (us).
---backlog_wait_time 1024
+--backlog_wait_time 16384
 
 ## Set failure mode to syslog.
 -f 1
@@ -374,7 +374,7 @@ ExecStart=/usr/sbin/augenrules --load
 
 EOF
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9997_debsums.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 cd /root
 
@@ -26,16 +26,16 @@ sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums
 
 if debsums -g > /dev/null 2>&1; then
 
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'debsums -g' successful. \e[0m\n"
+  printf "\e[92m✅ 'debsums -g' successful. \e[0m\n"
 
 else
 
   # Omit false negative error output to stdout and stderr, as no problematic errors occur on startup.
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'debsums -g' NOT successful. \e[0m\n"  > /dev/null 2>&1
+  printf "\e[91m❌ 'debsums -g' NOT successful. \e[0m\n"  > /dev/null 2>&1
 
 fi
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9998_sources_list_trixie.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -130,7 +130,7 @@ apt-get dist-upgrade -y        # (= apt full-upgrade) allow installs/replacement
 apt-get autoremove --purge -y  # 'autopurge' == 'autoremove --purge'.
 apt-get clean -y               # Stronger than autoclean: removes the entire '.deb'-cache.
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9999_yyyy_logrotate.chroot

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 ### Declare Arrays, HashMaps, and Variables.
 declare -ar ary_logrotate=(
@@ -53,15 +53,15 @@ done
 
 if ! logrotate -d /etc/logrotate.conf; then
 
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'logrotate -d /etc/logrotate.conf' failed. \e[0m\n"
+  printf "\e[91m✅ 'logrotate -d /etc/logrotate.conf' failed. \e[0m\n"
 
 else
 
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'logrotate -d /etc/logrotate.conf' successful. \e[0m\n"
+  printf "\e[92m✅ 'logrotate -d /etc/logrotate.conf' successful. \e[0m\n"
 
 fi
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/9999_zzzz.chroot

@@ -11,7 +11,11 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+# Final live-build chroot cleanup hook. Removes transient build artifacts, tightens permissions on CISS root/key material,
+# regenerates initramfs images, prepares systemd-resolved DNS configuration, and forces the live system to boot into
+# multi-user.target by masking common display managers.
+
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 declare var_dm="" var_unit_dir="" var_link="/etc/systemd/system/default.target"
 
@@ -20,7 +24,7 @@ rm -f  /root/ciss_xdg_tmp.sh
 rm -fr /root/build
 find /etc /home /root /usr /var -type f -name '.keep' -print -delete
 
-### Securing '/root/.ciss' ----------------------------------------------------------------------------------------------------------
+### Securing '/root/.ciss' -----------------------------------------------------------------------------------------------------
 find /root/.ciss -type d -exec chmod 0700 {} +
 find /root/.ciss -type f -exec chmod 0440 {} +
 
@@ -30,6 +34,10 @@ find /etc/ciss/keys -type f -exec chmod 0440 {} +
 ### Regenerate the initramfs for the live system kernel ------------------------------------------------------------------------
 update-initramfs -u -k all -v
 
+### Prepare '/etc/resolv.conf' for systemd-networkd ----------------------------------------------------------------------------
+rm -f /etc/resolv.conf
+ln -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
+
 ### Determine the canonical systemd unit dir inside chroot ---------------------------------------------------------------------
 if [[ -d /lib/systemd/system ]]; then
 
@@ -88,7 +96,7 @@ for var_dm in "${ary_dm_units[@]}"; do
 
 done
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/zzzz_ciss_crypt_squash.hook.binary

@@ -9,13 +9,90 @@
 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
+# shellcheck disable=SC2154
 set -Ceuo pipefail
 
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+# Final live-build binary hook for encrypted root filesystem packaging. Preallocate a LUKS2 container, format it with the
+# generated build secret, copy the generated filesystem.squashfs into the opened encrypted mapping, generate and sign a
+# SHA-512 attestation manifest for the complete decrypted mapper, then close the container, shred the temporary LUKS secret,
+# and remove the plaintext SquashFS from the ISO payload.
+
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 
 __umask=$(umask)
 umask 0077
 
+#######################################
+# Prints a fatal error message and terminates the hook.
+# Globals:
+#   None
+# Arguments:
+#   1: Error message
+# Returns:
+#   42: always exits with failure
+#######################################
+die() {
+  declare message="${1}"
+  printf "\e[91m❌ %s \e[0m\n" "${message}" >&2
+  exit 42
+}
+
+#######################################
+# Checks whether a required command exists.
+# Globals:
+#   None
+# Arguments:
+#   1: Command name
+# Returns:
+#   0: on success
+#   42: if the command is missing
+#######################################
+require_command() {
+  declare command_name="${1}"
+
+  command -v "${command_name}" >/dev/null 2>&1 || die "Required command not found: '${command_name}'."
+
+  return 0
+}
+
+#######################################
+# Checks whether a required file exists and is readable.
+# Globals:
+#   None
+# Arguments:
+#   1: File path
+#   2: Human-readable file description
+# Returns:
+#   0: on success
+#   42: if the file is missing or unreadable
+#######################################
+require_file() {
+  declare file_path="${1}"
+  declare description="${2}"
+
+  [[ -f "${file_path}" && -r "${file_path}" ]] || die "Missing or unreadable ${description}: '${file_path}'."
+
+  return 0
+}
+
+#######################################
+# Checks whether a required environment variable is non-empty.
+# Globals:
+#   None
+# Arguments:
+#   1: Variable name
+# Returns:
+#   0: on success
+#   42: if the variable is empty or unset
+#######################################
+require_variable() {
+  declare variable_name="${1}"
+
+  [[ -n "${!variable_name:-}" ]] || die "Required environment variable is empty or unset: '${variable_name}'."
+
+  return 0
+}
+
 #######################################
 # Pre allocates space for LUKS container.
 # Globals:
@@ -34,23 +111,23 @@ preallocate() {
 
   if fallocate -l "${size}" -- "${file}" 2>/dev/null; then
 
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ [fallocate -l %s -- %s] successful. \e[0m\n" "${size}" "${file}"
+    printf "\e[92m✅ [fallocate -l %s -- %s] successful. \e[0m\n" "${size}" "${file}"
     return 0
 
   else
 
-    printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ [fallocate -l %s -- %s] NOT successful. \e[0m\n" "${size}" "${file}"
+    printf "\e[91m❌ [fallocate -l %s -- %s] NOT successful. \e[0m\n" "${size}" "${file}"
 
   fi
 
   if dd if=/dev/zero of="${file}" bs="${blocksize}" count="${blockcounter}" status=progress conv=fsync; then
 
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync ] successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
+    printf "\e[92m✅ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
     return 0
 
   else
 
-    printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync ] NOT successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
+    printf "\e[91m❌ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] NOT successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
     return 42
 
   fi
@@ -61,8 +138,25 @@ readonly -f preallocate
 
 declare ROOTFS="${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs"
 declare LUKSFS="${VAR_HANDLER_BUILD_DIR}/binary/live/ciss_rootfs.crypt"
+declare MAPPER_DEV="/dev/mapper/crypt_liveiso"
+declare ROOTFS_ATTESTATION="${LUKSFS}.decrypted.sha512sum.txt"
+declare ROOTFS_ATTESTATION_SIG="${ROOTFS_ATTESTATION}.sig"
 declare KEYFD=""
 
+require_command gpg
+require_command gpgv
+require_command sha512sum
+require_file "${ROOTFS}" "final SquashFS payload"
+require_variable VAR_SIGNING_KEY_FPR
+require_variable VAR_SIGNING_KEY_PASSFILE
+require_variable VAR_VERIFY_KEYRING
+require_file "${VAR_SIGNING_KEY_PASSFILE}" "GPG signing passphrase file"
+require_file "${VAR_VERIFY_KEYRING}" "GPG verification keyring"
+
+[[ "${VAR_SIGNER:-false}" == "true" ]] || die "Rootfs attestation requires an enabled artifact signer."
+
+rm -f -- "${ROOTFS_ATTESTATION}" "${ROOTFS_ATTESTATION_SIG}"
+
 # shellcheck disable=SC2155
 declare -i VAR_ROOTFS_SIZE=$(stat -c%s -- "${ROOTFS}")
 
@@ -71,8 +165,8 @@ declare -i VAR_ROOTFS_SIZE=$(stat -c%s -- "${ROOTFS}")
 #   - dm-integrity Overhead (Tags and Journal)
 #   - Filesystem-Slack
 declare -i OVERHEAD_FIXED=$((64 * 1024 * 1024))
-declare -i OVERHEAD_PCT=1.6
-declare -i ALIGN_BYTES=$(( 2048 * 1024 ))
+declare -i OVERHEAD_PCT=2
+declare -i ALIGN_BYTES=$(( 4096 * 1024 ))
 declare -i BASE_SIZE=$(( VAR_ROOTFS_SIZE + OVERHEAD_FIXED + (VAR_ROOTFS_SIZE * OVERHEAD_PCT / 100) ))
 declare -i VAR_LUKSFS_SIZE=$(( ( (BASE_SIZE + ALIGN_BYTES - 1) / ALIGN_BYTES ) * ALIGN_BYTES ))
 
@@ -80,7 +174,9 @@ preallocate "${LUKSFS}" "${VAR_LUKSFS_SIZE}"
 
 exec {KEYFD}<"${VAR_TMP_SECRET}/luks.txt"
 
-cryptsetup luksFormat \
+if [[ "${VAR_CDLB_INSIDE_RUNNER}" == "false" ]]; then
+
+  cryptsetup luksFormat \
     --batch-mode \
     --cipher aes-xts-plain64 \
     --integrity hmac-sha512 \
@@ -97,25 +193,59 @@ cryptsetup luksFormat \
     --verbose \
     "${LUKSFS}"
 
+elif [[ "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then
+
+  cryptsetup luksFormat \
+    --batch-mode \
+    --cipher aes-xts-plain64 \
+    --iter-time 1000 \
+    --key-file "/proc/$$/fd/${KEYFD}" \
+    --key-size 512 \
+    --label crypt_liveiso \
+    --luks2-keyslots-size 16777216 \
+    --luks2-metadata-size 4194304 \
+    --pbkdf argon2id \
+    --sector-size 4096 \
+    --type luks2 \
+    --use-random \
+    --verbose \
+    "${LUKSFS}"
+
+fi
+
 cryptsetup open --key-file "/proc/$$/fd/${KEYFD}" "${LUKSFS}" crypt_liveiso
 
 # shellcheck disable=SC2155
-declare -i LUKS_FREE=$(blockdev --getsize64 /dev/mapper/crypt_liveiso)
+declare -i LUKS_FREE=$(blockdev --getsize64 "${MAPPER_DEV}")
 declare -i SQUASH_FS="${VAR_ROOTFS_SIZE}"
 
 if (( LUKS_FREE >= SQUASH_FS )); then
 
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ LUKS_FREE '%s' >= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}"
+  printf "\e[92m✅ LUKS_FREE '%s' >= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}"
 
 else
 
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ LUKS_FREE '%s' <= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}" >&2
+  printf "\e[91m❌ LUKS_FREE '%s' <= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}" >&2
   exit 42
 
 fi
 
-dd if="${ROOTFS}" of=/dev/mapper/crypt_liveiso bs=8M status=progress conv=fsync
+dd if="${ROOTFS}" of="${MAPPER_DEV}" bs=8M status=progress conv=fsync
 sync
+
+# The selected boot root is the complete decrypted mapper. Hashing this exact block payload binds the signed manifest to the
+# bytes later mounted as SquashFS, including the mapper padding after the SquashFS image.
+LC_ALL=C sha512sum "${MAPPER_DEV}" >| "${ROOTFS_ATTESTATION}"
+
+gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
+  --detach-sign --output "${ROOTFS_ATTESTATION_SIG}" "${ROOTFS_ATTESTATION}"
+
+gpgv --keyring "${VAR_VERIFY_KEYRING}" "${ROOTFS_ATTESTATION_SIG}" "${ROOTFS_ATTESTATION}"
+
+(cd / && LC_ALL=C sha512sum -c --strict --quiet "${ROOTFS_ATTESTATION}")
+
+chmod 0444 "${ROOTFS_ATTESTATION}" "${ROOTFS_ATTESTATION_SIG}"
+
 cryptsetup close crypt_liveiso
 
 exec {KEYFD}<&-
@@ -127,7 +257,7 @@ rm -f -- "${ROOTFS}"
 umask "${__umask}"
 __umask=""
 
-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/zzzz_ciss_uki_build.hook.binary

@@ -0,0 +1,396 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2026-06-04; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2026; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+# shellcheck disable=SC2312
+set -Ceuo pipefail
+
+# Final live-build binary hook for the CISS UKI build. When the ciss-uki Secure Boot profile is active, this hook selects the
+# complete kernel/initrd pair, reads the live kernel command line, optionally embeds separate early microcode, creates unsigned
+# and signed Unified Kernel Images with ukify, verifies the signed UKI with 'sbverify', writes a manifest, and refuses private
+# Secure Boot key material in build artifact paths.
+
+#######################################
+# Prints a fatal error message and terminates the hook.
+# Globals:
+#   None
+# Arguments:
+#   1: Error message
+# Returns:
+#   42: always exits with failure
+#######################################
+die() {
+  declare message="${1}"
+  printf "\e[91m❌ %s \e[0m\n" "${message}" >&2
+  exit 42
+}
+
+#######################################
+# Checks whether a required command exists.
+# Globals:
+#   None
+# Arguments:
+#   1: Command name
+# Returns:
+#   0: on success
+#   42: if the command is missing
+#######################################
+require_command() {
+  declare command_name="${1}"
+
+  command -v "${command_name}" >/dev/null 2>&1 || die "Required command not found: '${command_name}'."
+
+  return 0
+}
+
+#######################################
+# Checks whether a required file exists.
+# Globals:
+#   None
+# Arguments:
+#   1: File path
+#   2: Human-readable file description
+# Returns:
+#   0: on success
+#   42: if the file is missing
+#######################################
+require_file() {
+  declare file_path="${1}"
+  declare description="${2}"
+
+  [[ -f "${file_path}" ]] || die "Missing ${description}: '${file_path}'."
+
+  return 0
+}
+
+#######################################
+# Reads the single LB_BOOTAPPEND_LIVE value from a live-build binary configuration file.
+# Globals:
+#   None
+# Arguments:
+#   1: live-build binary configuration file
+#   2: Output variable name for the kernel command line
+# Returns:
+#   0: on success
+#   42: if the file is missing, the entry is ambiguous, or the value is empty
+#######################################
+read_bootappend_live() {
+  declare config_file="${1}"
+  declare output_var="${2}"
+  declare -a matches=()
+  declare value=""
+
+  require_file "${config_file}" "live-build binary configuration"
+
+  mapfile -t matches < <(grep -E '^LB_BOOTAPPEND_LIVE=' "${config_file}" || true)
+
+  if (( ${#matches[@]} != 1 )); then
+    die "Expected exactly one LB_BOOTAPPEND_LIVE entry in '${config_file}', found '${#matches[@]}'."
+  fi
+
+  value="${matches[0]#LB_BOOTAPPEND_LIVE=}"
+  if [[ "${value}" == \"*\" ]]; then
+    value="${value#\"}"
+    value="${value%\"}"
+  fi
+
+  [[ -n "${value}" ]] || die "LB_BOOTAPPEND_LIVE in '${config_file}' is empty."
+
+  printf -v "${output_var}" "%s" "${value}"
+
+  return 0
+}
+
+#######################################
+# Collects kernel and initrd candidates from one artifact directory.
+# Globals:
+#   None
+# Arguments:
+#   1: Artifact directory
+#   2: Output variable name for the selected kernel path
+#   3: Output variable name for the selected initrd path
+# Returns:
+#   0: on success, including when the directory does not exist
+#   42: if more than one kernel or initrd candidate exists
+#######################################
+collect_artifacts_from_dir() {
+  declare artifact_dir="${1}"
+  declare kernel_output_var="${2}"
+  declare initrd_output_var="${3}"
+  declare -a kernels=()
+  declare -a initrds=()
+
+  if [[ ! -d "${artifact_dir}" ]]; then
+    printf -v "${kernel_output_var}" "%s" ""
+    printf -v "${initrd_output_var}" "%s" ""
+    return 0
+  fi
+
+  mapfile -d '' -t kernels < <(find "${artifact_dir}" -maxdepth 1 -type f -name "vmlinuz-*" -print0 | LC_ALL=C sort -z)
+  mapfile -d '' -t initrds < <(find "${artifact_dir}" -maxdepth 1 -type f -name "initrd.img-*" -print0 | LC_ALL=C sort -z)
+
+  if (( ${#kernels[@]} > 1 )); then
+    die "Ambiguous kernel candidates in '${artifact_dir}'. Refusing to select automatically."
+  fi
+
+  if (( ${#initrds[@]} > 1 )); then
+    die "Ambiguous initrd candidates in '${artifact_dir}'. Refusing to select automatically."
+  fi
+
+  printf -v "${kernel_output_var}" "%s" "${kernels[0]:-}"
+  printf -v "${initrd_output_var}" "%s" "${initrds[0]:-}"
+
+  return 0
+}
+
+#######################################
+# Selects the kernel/initrd pair used to build the UKI.
+# Globals:
+#   None
+# Arguments:
+#   1: Output variable name for the selected kernel path
+#   2: Output variable name for the selected initrd path
+# Returns:
+#   0: on success
+#   42: if no complete pair exists, the final pair is incomplete, or candidates are ambiguous
+#######################################
+select_kernel_initrd_pair() {
+  declare kernel_output_var="$1"
+  declare initrd_output_var="$2"
+  declare binary_kernel=""
+  declare binary_initrd=""
+  declare fallback_kernel=""
+  declare fallback_initrd=""
+
+  collect_artifacts_from_dir "binary/live" binary_kernel binary_initrd
+
+  if [[ -n "${binary_kernel}" && -n "${binary_initrd}" ]]; then
+    printf "\e[92m✅ Using final binary/live kernel and initrd artifacts. \e[0m\n"
+    printf -v "${kernel_output_var}" "%s" "${binary_kernel}"
+    printf -v "${initrd_output_var}" "%s" "${binary_initrd}"
+    return 0
+  fi
+
+  if [[ -n "${binary_kernel}" || -n "${binary_initrd}" ]]; then
+    die "Incomplete binary/live kernel/initrd pair. Refusing to mix final and fallback artifacts."
+  fi
+
+  printf "\e[93m❌ No complete binary/live kernel/initrd pair found; checking chroot/boot fallback. \e[0m\n"
+  collect_artifacts_from_dir "chroot/boot" fallback_kernel fallback_initrd
+
+  if [[ -n "${fallback_kernel}" && -n "${fallback_initrd}" ]]; then
+    printf "\e[93m❌ Using chroot/boot fallback artifacts because binary/live has no complete pair. \e[0m\n"
+    printf -v "${kernel_output_var}" "%s" "${fallback_kernel}"
+    printf -v "${initrd_output_var}" "%s" "${fallback_initrd}"
+    return 0
+  fi
+
+  die "No complete kernel/initrd pair found in binary/live or chroot/boot."
+}
+
+#######################################
+# Finds an optional separate early microcode cpio next to the selected initrd.
+# Globals:
+#   None
+# Arguments:
+#   1: Artifact directory
+#   2: Output variable name for the selected microcode cpio path
+# Returns:
+#   0: on success, including when no separate microcode cpio exists
+#   42: if more than one separate microcode cpio candidate exists
+#######################################
+collect_optional_microcode() {
+  declare artifact_dir="${1}"
+  declare output_var="${2}"
+  declare -a microcode_candidates=()
+
+  mapfile -d '' -t microcode_candidates < <(
+    find "${artifact_dir}" -maxdepth 1 -type f \( -name "*microcode*.cpio" -o -name "*ucode*.cpio" \) -print0 | LC_ALL=C sort -z
+  )
+
+  if (( ${#microcode_candidates[@]} > 1 )); then
+    die "Ambiguous separate early microcode cpio candidates in '${artifact_dir}'. Refusing to select automatically."
+  fi
+
+  printf -v "${output_var}" "%s" "${microcode_candidates[0]:-}"
+
+  return 0
+}
+
+#######################################
+# Refuses private Secure Boot key material in generated artifact paths.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#   42: if a private Secure Boot key is found below a guarded path
+#######################################
+guard_private_key_leaks() {
+  declare -a guard_roots=(binary chroot config/includes.binary config/includes.chroot config/includes.installer)
+  declare guard_root=""
+  declare private_file=""
+
+  for guard_root in "${guard_roots[@]}"; do
+
+    if [[ ! -d "${guard_root}" ]]; then
+      continue
+    fi
+
+    while IFS= read -r -d '' private_file; do
+      die "Refusing private Secure Boot key inside build artifact path: '${private_file}'."
+    done < <(find "${guard_root}" -xdev -type f \( -name "ciss-efi-image.key" -o -name "ciss-module-signing.key" \) -print0)
+
+  done
+
+  return 0
+}
+
+#######################################
+# Builds unsigned and signed CISS UKIs for the ciss-uki Secure Boot profile.
+# Globals:
+#   PWD
+#   VAR_CISS_SECUREBOOT_DIR
+#   VAR_CISS_SECUREBOOT_EFI_CERT
+#   VAR_CISS_SECUREBOOT_EFI_KEY
+#   VAR_CISS_SECUREBOOT_PROFILE
+#   VAR_HANDLER_BUILD_DIR
+#   VAR_WORKDIR
+# Arguments:
+#   None
+# Returns:
+#   0: on success or when the active Secure Boot profile does not require a CISS UKI
+#   42: on validation, artifact selection, UKI build, signing, or verification failure
+#######################################
+main() {
+  declare profile="${VAR_CISS_SECUREBOOT_PROFILE:-debian-shim}"
+  declare build_dir="${VAR_HANDLER_BUILD_DIR:-${PWD}}"
+  declare secureboot_dir="${VAR_CISS_SECUREBOOT_DIR:-${VAR_WORKDIR:-${build_dir}}/ciss.secureboot}"
+  declare secureboot_key="${VAR_CISS_SECUREBOOT_EFI_KEY:-${secureboot_dir}/private/ciss-efi-image.key}"
+  declare secureboot_cert="${VAR_CISS_SECUREBOOT_EFI_CERT:-${secureboot_dir}/public/ciss-efi-image.crt}"
+  declare stub="/usr/lib/systemd/boot/efi/linuxx64.efi.stub"
+  declare os_release="chroot/usr/lib/os-release"
+  declare kernel_path=""
+  declare initrd_path=""
+  declare kernel_base=""
+  declare initrd_base=""
+  declare kernel_version=""
+  declare initrd_version=""
+  declare cmdline=""
+  declare microcode_initrd=""
+  declare output_root=""
+  declare uki_dir=""
+  declare manifest_dir=""
+  declare unsigned_uki=""
+  declare signed_uki=""
+  declare manifest=""
+  declare -a ukify_args=()
+
+  if [[ "${profile}" != "ciss-uki" ]]; then
+    printf "\e[92m✅ Secure Boot profile '%s'; skipping CISS UKI build. \e[0m\n" "${profile}"
+    return 0
+  fi
+
+  printf "\e[95m🧪 Building CISS Secure Boot UKI ... \e[0m\n"
+
+  cd "${build_dir}"
+
+  require_command ukify
+  require_command sbverify
+  require_command sha512sum
+  require_file "${stub}" "systemd EFI stub"
+  require_file "${secureboot_key}" "CISS EFI image signing key"
+  require_file "${secureboot_cert}" "CISS EFI image signing certificate"
+  require_file "${os_release}" "target os-release metadata"
+  guard_private_key_leaks
+
+  select_kernel_initrd_pair kernel_path initrd_path
+
+  kernel_base="${kernel_path##*/}"
+  initrd_base="${initrd_path##*/}"
+  kernel_version="${kernel_base#vmlinuz-}"
+  initrd_version="${initrd_base#initrd.img-}"
+
+  [[ -n "${kernel_version}" && "${kernel_base}" != "${kernel_version}" ]] || die "Kernel artifact name does not match vmlinuz-<version>: '${kernel_path}'."
+  [[ -n "${initrd_version}" && "${initrd_base}" != "${initrd_version}" ]] || die "Initrd artifact name does not match initrd.img-<version>: '${initrd_path}'."
+
+  if [[ "${kernel_version}" != "${initrd_version}" ]]; then
+    die "Kernel/initrd version mismatch: kernel='${kernel_version}', initrd='${initrd_version}'."
+  fi
+
+  read_bootappend_live "config/binary" cmdline
+  collect_optional_microcode "${initrd_path%/*}" microcode_initrd
+
+  output_root="${build_dir}/ciss.secureboot"
+  uki_dir="${output_root}/uki"
+  manifest_dir="${output_root}/manifests"
+  unsigned_uki="${uki_dir}/CISS-LIVE-${kernel_version}.unsigned.efi"
+  signed_uki="${uki_dir}/CISS-LIVE-${kernel_version}.signed.efi"
+  manifest="${manifest_dir}/CISS-LIVE-${kernel_version}.uki-build.txt"
+
+  install -d -m 0755 "${uki_dir}" "${manifest_dir}"
+  rm -f -- "${unsigned_uki}" "${signed_uki}" "${manifest}"
+
+  ukify_args=(
+    build
+    --stub="${stub}"
+    --linux="${kernel_path}"
+    --cmdline="${cmdline}"
+    --os-release="@${os_release}"
+    --uname="${kernel_version}"
+  )
+
+  if [[ -n "${microcode_initrd}" ]]; then
+    printf "\e[92m✅ Embedding separate early microcode cpio before normal initrd: '%s'. \e[0m\n" "${microcode_initrd}"
+    ukify_args+=(--initrd="${microcode_initrd}")
+  else
+    printf "\e[92m✅ No separate early microcode cpio found; using normal initrd only. \e[0m\n"
+  fi
+
+  ukify_args+=(--initrd="${initrd_path}")
+
+  printf "\e[95m🧪 Creating unsigned UKI: '%s'. \e[0m\n" "${unsigned_uki}"
+  ukify "${ukify_args[@]}" --output="${unsigned_uki}"
+
+  printf "\e[95m🧪 Creating signed UKI: '%s'. \e[0m\n" "${signed_uki}"
+  ukify "${ukify_args[@]}" \
+    --secureboot-private-key="${secureboot_key}" \
+    --secureboot-certificate="${secureboot_cert}" \
+    --output="${signed_uki}"
+
+  require_file "${unsigned_uki}" "unsigned CISS UKI"
+  require_file "${signed_uki}" "signed CISS UKI"
+
+  {
+    printf "CISS Secure Boot UKI build manifest\n"
+    printf "Kernel: %s\n" "${kernel_path}"
+    printf "Initrd: %s\n" "${initrd_path}"
+    printf "Microcode initrd: %s\n" "${microcode_initrd:-none}"
+    printf "Uname: %s\n" "${kernel_version}"
+    printf "OS release: %s\n" "${os_release}"
+    printf "Command line: %s\n" "${cmdline}"
+    printf "\nSHA512:\n"
+    sha512sum "${unsigned_uki}" "${signed_uki}"
+    printf "\nukify inspect:\n"
+    ukify inspect "${signed_uki}"
+    printf "\nsbverify:\n"
+    sbverify --cert "${secureboot_cert}" "${signed_uki}"
+  } >| "${manifest}" 2>&1
+
+  printf "\e[92m✅ UKI inspection and signature verification written to '%s'. \e[0m\n" "${manifest}"
+  printf "\e[92m✅ CISS Secure Boot UKI build completed. \e[0m\n"
+
+  return 0
+}
+
+main "$@"
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/hooks/live/zzzz_ciss_uki_install.hook.binary

@@ -0,0 +1,347 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2026-06-04; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2026; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+# shellcheck disable=SC2312
+set -Ceuo pipefail
+
+# Final live-build binary hook for CISS UKI installation. When the ciss-uki Secure Boot profile is active, this hook selects
+# the single signed CISS UKI, rebuilds the FAT EFI boot image with it as EFI/BOOT/BOOTX64.EFI, verifies the installed copy,
+# mirrors it into the ISO EFI tree when available, writes an installation manifest, and refuses private Secure Boot key
+# material in build artifact paths.
+
+declare TMP_DIR=""
+
+#######################################
+# Removes the temporary EFI image work directory if it is inside the expected Secure Boot output tree.
+# Globals:
+#   PWD
+#   TMP_DIR
+#   VAR_HANDLER_BUILD_DIR
+# Arguments:
+#   None
+# Returns:
+#   0: on success or when no temporary directory exists
+#   42: if the temporary directory is outside the expected cleanup root
+#   non-zero: if removal of the expected temporary directory fails under strict mode
+#######################################
+cleanup() {
+  declare build_dir="${VAR_HANDLER_BUILD_DIR:-${PWD}}"
+
+  if [[ -n "${TMP_DIR}" && -d "${TMP_DIR}" ]]; then
+    case "${TMP_DIR}" in
+      "${build_dir}/ciss.secureboot/"*)
+        rm -rf -- "${TMP_DIR}"
+        ;;
+      *)
+        printf "\e[91m❌ Refusing to clean unexpected temporary path: '%s'. \e[0m\n" "${TMP_DIR}" >&2
+        return 42
+        ;;
+    esac
+  fi
+
+  return 0
+}
+
+#######################################
+# Prints a fatal error message and terminates the hook.
+# Globals:
+#   None
+# Arguments:
+#   1: Error message
+# Returns:
+#   42: always exits with failure
+#######################################
+die() {
+  declare message="$1"
+  printf "\e[91m❌ %s \e[0m\n" "${message}" >&2
+  exit 42
+}
+
+#######################################
+# Checks whether a required command exists.
+# Globals:
+#   None
+# Arguments:
+#   1: Command name
+# Returns:
+#   0: on success
+#   42: if the command is missing
+#######################################
+require_command() {
+  declare command_name="$1"
+
+  command -v "${command_name}" >/dev/null 2>&1 || die "Required command not found: '${command_name}'."
+
+  return 0
+}
+
+#######################################
+# Checks whether a required file exists.
+# Globals:
+#   None
+# Arguments:
+#   1: File path
+#   2: Human-readable file description
+# Returns:
+#   0: on success
+#   42: if the file is missing
+#######################################
+require_file() {
+  declare file_path="$1"
+  declare description="$2"
+
+  [[ -f "${file_path}" ]] || die "Missing ${description}: '${file_path}'."
+
+  return 0
+}
+
+#######################################
+# Selects the single signed CISS UKI generated by the CISS UKI build hook.
+# Globals:
+#   None
+# Arguments:
+#   1: CISS UKI output directory
+#   2: Output variable name for the selected signed UKI path
+# Returns:
+#   0: on success
+#   42: if the UKI directory is missing or does not contain exactly one signed UKI
+#######################################
+select_signed_uki() {
+  declare uki_dir="$1"
+  declare output_var="$2"
+  declare -a signed_ukis=()
+
+  [[ -d "${uki_dir}" ]] || die "Missing CISS UKI output directory: '${uki_dir}'."
+
+  mapfile -d '' -t signed_ukis < <(find "${uki_dir}" -maxdepth 1 -type f -name "CISS-LIVE-*.signed.efi" -print0 | LC_ALL=C sort -z)
+
+  if (( ${#signed_ukis[@]} != 1 )); then
+    die "Expected exactly one signed CISS UKI in '${uki_dir}', found '${#signed_ukis[@]}'."
+  fi
+
+  printf -v "${output_var}" "%s" "${signed_ukis[0]}"
+
+  return 0
+}
+
+#######################################
+# Refuses private Secure Boot key material in generated artifact paths.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#   42: if a private Secure Boot key is found below a guarded path
+#######################################
+guard_private_key_leaks() {
+  declare -a guard_roots=(binary chroot config/includes.binary config/includes.chroot config/includes.installer)
+  declare guard_root=""
+  declare private_file=""
+
+  for guard_root in "${guard_roots[@]}"; do
+
+    if [[ ! -d "${guard_root}" ]]; then
+      continue
+    fi
+
+    while IFS= read -r -d '' private_file; do
+      die "Refusing private Secure Boot key inside build artifact path: '${private_file}'."
+    done < <(find "${guard_root}" -xdev -type f \( -name "ciss-efi-image.key" -o -name "ciss-module-signing.key" \) -print0)
+
+  done
+
+  return 0
+}
+
+#######################################
+# Mirrors the signed UKI into the ISO EFI tree as the removable-media bootloader when that tree exists.
+# Globals:
+#   None
+# Arguments:
+#   1: Signed UKI path
+#   2: Output variable name for the ISO EFI tree BOOTX64 path, or an empty value when no tree exists
+# Returns:
+#   0: on success, including when no ISO EFI tree exists
+#   non-zero: if directory creation or file installation fails under strict mode
+#######################################
+install_iso_tree_bootx64() {
+  declare signed_uki="$1"
+  declare output_var="$2"
+  declare iso_tree_bootx64=""
+
+  if [[ -d "binary/EFI/boot" ]]; then
+    iso_tree_bootx64="binary/EFI/boot/bootx64.efi"
+  elif [[ -d "binary/EFI/BOOT" ]]; then
+    iso_tree_bootx64="binary/EFI/BOOT/BOOTX64.EFI"
+  elif [[ -d "binary/EFI" ]]; then
+    install -d -m 0755 "binary/EFI/BOOT"
+    iso_tree_bootx64="binary/EFI/BOOT/BOOTX64.EFI"
+  fi
+
+  if [[ -n "${iso_tree_bootx64}" ]]; then
+    install -m 0644 "${signed_uki}" "${iso_tree_bootx64}"
+    printf "\e[92m✅ Mirrored signed UKI into ISO EFI tree: '%s'. \e[0m\n" "${iso_tree_bootx64}"
+  else
+    printf "\e[93m❌ No binary/EFI tree found; only EFI boot image was updated. \e[0m\n"
+  fi
+
+  printf -v "${output_var}" "%s" "${iso_tree_bootx64}"
+
+  return 0
+}
+
+#######################################
+# Installs the signed CISS UKI into the EFI boot image for the ciss-uki Secure Boot profile.
+# Globals:
+#   PWD
+#   SOURCE_DATE_EPOCH
+#   TMP_DIR
+#   VAR_CISS_SECUREBOOT_DIR
+#   VAR_CISS_SECUREBOOT_EFI_CERT
+#   VAR_CISS_SECUREBOOT_PROFILE
+#   VAR_HANDLER_BUILD_DIR
+#   VAR_WORKDIR
+# Arguments:
+#   None
+# Returns:
+#   0: on success or when the active Secure Boot profile does not require CISS UKI installation
+#   42: on explicit validation, comparison, or signature verification failure
+#   non-zero: if an external tool, installation command, or manifest write fails under strict mode
+#######################################
+main() {
+  declare profile="${VAR_CISS_SECUREBOOT_PROFILE:-debian-shim}"
+  declare build_dir="${VAR_HANDLER_BUILD_DIR:-${PWD}}"
+  declare secureboot_dir="${VAR_CISS_SECUREBOOT_DIR:-${VAR_WORKDIR:-${build_dir}}/ciss.secureboot}"
+  declare secureboot_cert="${VAR_CISS_SECUREBOOT_EFI_CERT:-${secureboot_dir}/public/ciss-efi-image.crt}"
+  declare output_root=""
+  declare uki_dir=""
+  declare manifest_dir=""
+  declare signed_uki=""
+  declare efi_img="binary/boot/grub/efi.img"
+  declare uki_name=""
+  declare kernel_version=""
+  declare manifest=""
+  declare tmp_img=""
+  declare extracted_uki=""
+  declare iso_tree_bootx64=""
+  declare uki_size=""
+  declare -i uki_kib=0
+  declare -i blocks=0
+  declare source_epoch="${SOURCE_DATE_EPOCH:-0}"
+  declare volid=""
+
+  if [[ "${profile}" != "ciss-uki" ]]; then
+    printf "\e[92m✅ Secure Boot profile '%s'; skipping CISS UKI EFI installation. \e[0m\n" "${profile}"
+    return 0
+  fi
+
+  printf "\e[95m🧪 Installing CISS signed UKI into EFI boot image ... \e[0m\n"
+
+  cd "${build_dir}"
+
+  require_command cmp
+  require_command mcopy
+  require_command mdir
+  require_command mkfs.msdos
+  require_command sbverify
+  require_command sha512sum
+  require_command stat
+  require_command ukify
+  require_file "${secureboot_cert}" "CISS EFI image signing certificate"
+  require_file "${efi_img}" "live-build EFI boot image"
+  guard_private_key_leaks
+
+  output_root="${build_dir}/ciss.secureboot"
+  uki_dir="${output_root}/uki"
+  manifest_dir="${output_root}/manifests"
+  select_signed_uki "${uki_dir}" signed_uki
+
+  uki_name="${signed_uki##*/}"
+  kernel_version="${uki_name#CISS-LIVE-}"
+  kernel_version="${kernel_version%.signed.efi}"
+  [[ -n "${kernel_version}" && "${kernel_version}" != "${uki_name}" ]] || die "Signed UKI name does not match CISS-LIVE-<version>.signed.efi: '${signed_uki}'."
+
+  install -d -m 0755 "${manifest_dir}"
+  TMP_DIR="$(mktemp -d -p "${output_root}" "efi-img.XXXXXXXX")"
+  tmp_img="${TMP_DIR}/efi.img"
+  extracted_uki="${TMP_DIR}/BOOTX64.EFI"
+  manifest="${manifest_dir}/CISS-LIVE-${kernel_version}.efi-install.txt"
+  rm -f -- "${manifest}"
+
+  uki_size="$(stat -c %s -- "${signed_uki}")"
+  uki_kib=$(( (uki_size + 1023) / 1024 ))
+  blocks=$(( (uki_kib + 8192 + 31) / 32 * 32 ))
+  if (( blocks < 32768 )); then
+    blocks=32768
+  fi
+
+  if [[ ! "${source_epoch}" =~ ^[0-9]+$ ]]; then
+    source_epoch="0"
+  fi
+  printf -v volid "%08x" "$((source_epoch % 4294967296))"
+
+  printf "\e[95m🧪 Rebuilding EFI boot image with signed UKI as EFI/BOOT/BOOTX64.EFI. \e[0m\n"
+  mkfs.msdos -C "${tmp_img}" "${blocks}" -i "${volid}" >/dev/null
+  mmd -i "${tmp_img}" "::EFI"
+  mmd -i "${tmp_img}" "::EFI/BOOT"
+  mcopy -m -o -i "${tmp_img}" "${signed_uki}" "::EFI/BOOT/BOOTX64.EFI"
+  mcopy -o -i "${tmp_img}" "::EFI/BOOT/BOOTX64.EFI" "${extracted_uki}"
+
+  cmp -s "${signed_uki}" "${extracted_uki}" || die "Extracted BOOTX64.EFI differs from signed UKI before EFI image installation."
+  sbverify --cert "${secureboot_cert}" "${extracted_uki}" >/dev/null
+
+  install -m 0644 "${tmp_img}" "${efi_img}"
+
+  rm -f -- "${extracted_uki}"
+  mcopy -o -i "${efi_img}" "::EFI/BOOT/BOOTX64.EFI" "${extracted_uki}"
+  cmp -s "${signed_uki}" "${extracted_uki}" || die "Installed EFI/BOOT/BOOTX64.EFI differs from signed UKI."
+  sbverify --cert "${secureboot_cert}" "${extracted_uki}" >/dev/null
+
+  install_iso_tree_bootx64 "${signed_uki}" iso_tree_bootx64
+  if [[ -n "${iso_tree_bootx64}" ]]; then
+    cmp -s "${signed_uki}" "${iso_tree_bootx64}" || die "ISO EFI tree BOOTX64.EFI differs from signed UKI."
+    sbverify --cert "${secureboot_cert}" "${iso_tree_bootx64}" >/dev/null
+  fi
+
+  guard_private_key_leaks
+
+  {
+    printf "CISS Secure Boot EFI image installation manifest\n"
+    printf "EFI image: %s\n" "${efi_img}"
+    printf "Installed path: EFI/BOOT/BOOTX64.EFI\n"
+    printf "ISO EFI tree mirror: %s\n" "${iso_tree_bootx64:-none}"
+    printf "Signed UKI: %s\n" "${signed_uki}"
+    printf "FAT image blocks KiB: %s\n" "${blocks}"
+    printf "FAT volume id: %s\n" "${volid}"
+    printf "\nSHA512:\n"
+    sha512sum "${efi_img}" "${signed_uki}" "${extracted_uki}"
+    if [[ -n "${iso_tree_bootx64}" ]]; then
+      sha512sum "${iso_tree_bootx64}"
+    fi
+    printf "\nEFI directory:\n"
+    mdir -i "${efi_img}" "::EFI/BOOT"
+    printf "\nukify inspect installed BOOTX64.EFI:\n"
+    ukify inspect "${extracted_uki}"
+    printf "\nsbverify installed BOOTX64.EFI:\n"
+    sbverify --cert "${secureboot_cert}" "${extracted_uki}"
+  } >| "${manifest}" 2>&1
+
+  printf "\e[92m✅ EFI image installation verification written to '%s'. \e[0m\n" "${manifest}"
+  printf "\e[92m✅ CISS signed UKI installed as EFI/BOOT/BOOTX64.EFI. \e[0m\n"
+
+  return 0
+}
+
+main "$@"
+cleanup
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh

@@ -293,7 +293,7 @@ verify_script() {
 
   for item in "${algo[@]}"; do
 
-    hashfile="${dir}/${script}.sha${item}sum.txt"
+    hashfile="${dir}/${script}.${item}sum.txt"
     sigfile="${hashfile}.sig"
     cmd="${item}sum"
 
@@ -341,8 +341,8 @@ readonly -f verify_script
 #######################################
 # Main Program Sequence.
 # Globals:
+#   CDLB_MAPPER_DEV
 #   CURRENTDATE
-#   DEVICES_LUKS
 #   GRE
 #   MAG
 #   NL
@@ -354,6 +354,9 @@ readonly -f verify_script
 main() {
   declare PASS="" COUNTER=0 PASS_SENT=0 WAIT_LOOP=0
 
+  mkdir -p /var/log
+  : >| /var/log/wtmp
+
   exec 1>&2
 
   trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
@@ -382,7 +385,7 @@ main() {
 
     fi
 
-    if [[ "${COUNTER}" -eq 3 ]]; then
+    if [[ "${COUNTER}" -ge 3 && "${PASS_SENT}" -eq 0 ]]; then
 
       secure_unset_pass
       break
@@ -391,6 +394,8 @@ main() {
 
     if [[ "${PASS_SENT}" -eq 0 ]]; then
 
+      COUNTER=$((COUNTER + 1))
+
       # shellcheck disable=SC2310
       read_passphrase || continue
 

config/includes.chroot/etc/initramfs-tools/scripts/init-bottom/0042_ciss_post_decrypt_attest.sh

@@ -1,181 +0,0 @@
-#!/bin/sh
-# bashsupport disable=BP5007
-# shellcheck disable=SC2249
-# shellcheck shell=sh
-
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-11-12; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-# Purpose: Late rootfs attestation and dmsetup health checking.
-# Phase  : bottom (executed by live-boot inside the initramfs).
-
-_SAVED_SET_OPTS="$(set +o)"
-
-set -eu
-
-printf "\e[95m[INFO] Starting             : [/etc/initramfs-tools/scripts/init-bottom/0042-ciss-post-decrypt-attest] \n\e[0m"
-
-### Declare variables ----------------------------------------------------------------------------------------------------------
-
-### Will be replaced at build time:
-export CDLB_EXP_FPR="@EXP_FPR@"
-export CDLB_EXP_CA_FPR="@EXP_CA_FPR@"
-
-### Name of the top-level dm-crypt mapping (e.g., cryptsetup --label): zzzz_ciss_crypt_squash.hook.binary ----------------------
-CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-crypt_liveiso}"
-
-### Attestation file locations inside decrypted rootfs. ------------------------------------------------------------------------
-CDLB_ATTEST_FPR_SHA="${CDLB_ATTEST_FPR_SHA:-/root/.ciss/attest/${CDLB_EXP_FPR}.sha512sum.txt}"
-CDLB_ATTEST_FPR_SIG="${CDLB_ATTEST_FPR_SIG:-/root/.ciss/attest/${CDLB_EXP_FPR}.sha512sum.txt.sig}"
-CDLB_KEY_DIR="${CDLB_KEY_DIR:-/etc/ciss/keys}"
-
-### Declare functions ----------------------------------------------------------------------------------------------------------
-
-#######################################
-# Helper for colored text output on stdout.
-# Globals:
-#   None
-# Arguments:
-#   *: String to print
-#######################################
-log_in() { printf '\e[95m[INFO]  %s \n\e[0m' "$*"; }
-
-#######################################
-# Helper for colored text output on stdout.
-# Globals:
-#   None
-# Arguments:
-#   *: String to print
-#######################################
-log_ok() { printf '\e[92m[INFO]  %s \n\e[0m' "$*"; }
-
-#######################################
-# Helper for colored text output on stdout.
-# Globals:
-#   None
-# Arguments:
-#   *: String to print
-#######################################
-log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }
-
-### Locate decrypted rootfs mount ----------------------------------------------------------------------------------------------
-_mp=""
-ROOTMP=""
-
-for _mp in /run/live/rootfs /run/live/rootfs.squashfs /run/live/overlay /root ; do
-
-  if [ -d "${_mp}" ] && [ -e "${_mp}/etc" ]; then ROOTMP="${_mp}"; break; fi
-
-done
-
-if [ -z "${ROOTMP}" ]; then
-
-  log_er "No decrypted rootfs mount found."
-  sleep 8
-  panic "[FATAL] No decrypted rootfs mount found."
-
-fi
-
-log_ok "Decrypted rootfs at: [${ROOTMP}]"
-
-HASH_FILE="${ROOTMP}${CDLB_ATTEST_FPR_SHA}"
-SIGN_FILE="${ROOTMP}${CDLB_ATTEST_FPR_SIG}"
-KEYFILE="${ROOTMP}${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg"
-
-[ -s "${KEYFILE}" ]   || { log_er "No public key found under: [${ROOTMP}${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"; exit 42; }
-[ -s "${HASH_FILE}" ] || { log_er "Attestation data missing: [${HASH_FILE}]"; exit 42; }
-[ -s "${SIGN_FILE}" ] || { log_er "Attestation signature missing: [${SIGN_FILE}]"; exit 42; }
-
-log_in "Verifying rootfs attestation with 'gpgv' and inside LUKS encrypted rootfs pinned GPG FPR."
-_STATUS="$(gpgv --no-default-keyring --keyring "${KEYFILE}" --status-fd 1 --verify "${SIGN_FILE}" "${HASH_FILE}" 2>/dev/null)"
-_CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"
-
-### Compare against pinned and expected fingerprint. ---------------------------------------------------------------------------
-if [ "${_CDLB_SIG_FILE_FPR}" = "${CDLB_EXP_FPR}" ]; then
-
-  log_ok "Signature FPR valid: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
-
-else
-
-  log_er "Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]"
-  sleep 8
-  panic "[FATAL] Signature FPR mismatch: got: [${_CDLB_SIG_FILE_FPR}] expected: [${CDLB_EXP_FPR}]."
-
-fi
-
-### 'dmsetup' health check -----------------------------------------------------------------------------------------------------
-MAP_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
-if [ -e "${MAP_DEV}" ]; then
-
-  log_in "Checking dmsetup table for ${MAP_DEV}"
-
-  TOP_LINE="$(/usr/sbin/dmsetup table --showkeys "${MAP_DEV}" 2>/dev/null | awk 'NR==1{print; exit}')"
-  if printf '%s\n' "${TOP_LINE}" | grep -q ' crypt '; then
-
-    log_ok "Top layer is 'crypt'."
-
-  else
-
-    log_er "Top layer is NOT 'crypt'."
-    sleep 8
-    panic "[FATAL] Top layer is NOT 'crypt'."
-
-  fi
-
-  if printf '%s\n' "${TOP_LINE}" | grep -Eq ' xts|aes-xts'; then
-
-    log_ok "Cipher looks like AES-XTS."
-
-  else
-
-    log_er "Cipher does not look like AES-XTS."
-    sleep 8
-    panic "[FATAL] Cipher does not look like AES-XTS."
-
-  fi
-
-### Extract child device token (the second last field is 'device', the last is 'offset.') --------------------------------------
-CHILD_TOK="$(printf '%s\n' "${TOP_LINE}" | awk '{print $(NF-1)}')"
-CHILD_NAME="${CHILD_TOK}"
-
-case "${CHILD_TOK}" in
-
-  *:* )
-    if [ -e "/sys/dev/block/${CHILD_TOK}/dm/name" ]; then
-      CHILD_NAME="$(cat "/sys/dev/block/${CHILD_TOK}/dm/name" 2>/dev/null || true)"
-      [ -n "${CHILD_NAME}" ] || CHILD_NAME="${CHILD_TOK}"
-    fi
-    ;;
-
-  /dev/* )
-    CHILD_NAME="$(basename -- "${CHILD_TOK}")"
-    ;;
-
-esac
-
-#### Child layer must be 'integrity' with hmac and sha512 and 4096-byte sectors (best-effort greps). ---------------------------
-log_in "Checking underlying integrity target: ${CHILD_NAME}"
-
-CHILD_TAB="$(/usr/sbin/dmsetup table --showkeys "${CHILD_NAME}" 2>/dev/null || true)"
-printf '%s\n' "${CHILD_TAB}" | grep -q ' integrity ' || { log_er "Underlying layer is not 'integrity'"; }
-printf '%s\n' "${CHILD_TAB}" | grep -qi 'hmac'       || { log_er "Integrity target not using keyed MAC (hmac)"; }
-printf '%s\n' "${CHILD_TAB}" | grep -qi 'sha512'     || { log_er "Integrity algo not sha512"; }
-printf '%s\n' "${CHILD_TAB}" | grep -Eq '\b4096\b'   || { log_er "Expected 4096-byte sector size not found"; }
-
-log_ok "dm-crypt and dm-integrity(HMAC-SHA512, 4096B) chain looks healthy."
-
-fi
-
-eval "${_SAVED_SET_OPTS}"
-
-printf "\e[92m[INFO] Successfully applied : [/etc/initramfs-tools/scripts/init-bottom/0042-ciss-post-decrypt-attest] \n\e[0m"
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

config/includes.chroot/etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh

@@ -22,6 +22,9 @@ case "${1}" in
   prereqs) prereqs; exit 0 ;;
 esac
 
+mkdir -p /var/log
+: >| /var/log/wtmp
+
 mkdir -p /run/ciss
 printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_premount_early.log
 

config/includes.chroot/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh

@@ -22,6 +22,9 @@ case "${1}" in
   prereqs) prereqs; exit 0 ;;
 esac
 
+mkdir -p /var/log
+: >| /var/log/wtmp
+
 mkdir -p /run/ciss
 printf '%s\n' "${PATH}" >| /run/ciss/fixpath_init_top_early.log
 

config/includes.chroot/etc/modprobe.d/30-ciss-hardening.conf

@@ -94,9 +94,11 @@ blacklist gfs2
 # The vivid driver is only useful for testing purposes and has been the cause of privilege escalation vulnerabilities, so it should be disabled.
 install vivid /bin/true
 
-##### Disable access to USB #####
-install usb_storage /bin/true
+##### Disable access to USB and UAS #####
+install usb-storage /bin/true
+install uas /bin/true
 blacklist usb-storage
+blacklist uas
 
 ##### Disable access to IEEE1394 #####
 install firewire-core /bin/true

config/includes.chroot/etc/resolv.conf

@@ -1,16 +0,0 @@
-# bashsupport disable=BP5007
-
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-11-26; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.live.builder
-# SPDX-Security-Contact: security@coresecret.eu
-
-ln -s /run/systemd/resolve/stub-resolv.conf /run/systemd/resolve/stub-resolv.conf
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf