27 Commits

ahz 85ff080b40 V9.14.022.2026.06.11: document and test audit safeguards 2026-06-11 05:08:18 +02:00
ahz 9d3f283297 V9.14.022.2026.06.11: enforce secret and cleanup safeguards 2026-06-11 05:08:01 +02:00
ahz 74897d85b1 V9.14.022.2026.06.11: add path security helpers 2026-06-11 05:07:33 +02:00
msw 9ef535554a V9.14.022.2026.06.10
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-10 18:57:46 +01:00
msw 800cd175fc V9.14.022.2026.06.10
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-10 17:57:31 +01:00
msw ae87d7ac54 V9.14.020.2026.06.08
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-09 18:11:15 +01:00
msw 0b1bfe2978 V9.14.020.2026.06.08
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-09 18:07:45 +01:00
msw 314c1178c3 V9.14.020.2026.06.08
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-09 18:04:02 +01:00
msw 9179031a80 V9.14.020.2026.06.08
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-09 16:41:50 +01:00
msw 7956e5861d V9.14.018.2026.06.07
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 20:02:23 +01:00
msw 8c37efcff6 V9.14.018.2026.06.07
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 19:58:06 +01:00
msw a53d52bf38 V9.14.018.2026.06.07
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 17:06:05 +01:00
msw 250f1700cf V9.14.018.2026.06.07
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 15:43:24 +01:00
msw 574411d9b0 V9.14.018.2026.06.07
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 15:23:19 +01:00
msw a469dbf595 V9.14.018.2026.06.07
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 11:44:48 +01:00
msw a37a16d86e V9.14.018.2026.06.07
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 11:42:19 +01:00
msw 421589285f V9.14.018.2026.06.07
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 10:59:37 +01:00
msw 0a091fb9a6 V9.14.018.2026.06.07
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 10:54:44 +01:00
msw 3fc5003676 V9.14.018.2026.06.07
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 09:11:26 +01:00
msw 9cdcc0a9ec V9.14.018.2026.06.07
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 07:24:22 +01:00
msw 8b6731f1be V9.14.016.2026.06.06
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-06 18:37:43 +01:00
msw fa1a31ef64 V9.14.016.2026.06.06
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-06 15:40:02 +01:00
msw e42fdff89b V9.14.016.2026.06.06
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-06 14:39:12 +01:00
msw 83f6f8488c V9.14.008.2026.06.04
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-04 20:14:02 +01:00
msw ec3aca7fc8 V9.14.008.2026.06.04
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-04 18:19:09 +01:00
msw c80b45417f V9.14.004.2026.05.17
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-05-17 14:28:12 +01:00
msw 6307bc2b7c V9.14.002.2026.05.13
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-05-17 13:34:00 +01:00
173 changed files with 4897 additions and 873 deletions
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
if [[ ! -d "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp ]]; then if [[ ! -d "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp ]]; then
@@ -107,7 +107,7 @@ options edns0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}" printf "\e[92m✅ '%s' successfully applied. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
@@ -296,7 +296,7 @@ ln -sf /etc/systemd/system/ciss-memwipe.service /etc/systemd/system/multi-user.t
systemctl enable ciss-memwipe.service systemctl enable ciss-memwipe.service
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
mkdir -p /etc/systemd/system/clamav-daemon.service.d mkdir -p /etc/systemd/system/clamav-daemon.service.d
cat << 'EOF' >| /etc/systemd/system/clamav-daemon.service.d/override.conf cat << 'EOF' >| /etc/systemd/system/clamav-daemon.service.d/override.conf
@@ -69,7 +69,7 @@ CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SYS_NICE
EOF EOF
chmod 0644 /etc/systemd/system/clamav-freshclam.service.d/override.conf chmod 0644 /etc/systemd/system/clamav-freshclam.service.d/override.conf
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare -r VAR_DATE="$(date +%F)" declare -r VAR_DATE="$(date +%F)"
@@ -63,7 +63,7 @@ EOF
chmod 0644 /etc/network/interfaces chmod 0644 /etc/network/interfaces
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+1 -1
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.768.2025.12.06 # Version Master V9.14.022.2026.06.10
name: 🔐 Generating a Private Live ISO TRIXIE. name: 🔐 Generating a Private Live ISO TRIXIE.
+1 -1
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.768.2025.12.06 # Version Master V9.14.022.2026.06.10
name: 🔐 Generating a Private Live ISO TRIXIE. name: 🔐 Generating a Private Live ISO TRIXIE.
+1 -1
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.768.2025.12.06 # Version Master V9.14.022.2026.06.10
name: 💙 Generating a PUBLIC Live ISO. name: 💙 Generating a PUBLIC Live ISO.
+1 -1
@@ -25,7 +25,7 @@ body:
attributes: attributes:
label: "Version" label: "Version"
description: "Which version are you running? Use `./ciss_live_builder.sh -v`." description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
placeholder: "e.g., Master V8.13.768.2025.12.06" placeholder: "e.g., Master V9.14.022.2026.06.10"
validations: validations:
required: true required: true
+1 -1
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.768.2025.12.06 # Version Master V9.14.022.2026.06.10
FROM debian:bookworm FROM debian:bookworm
+1 -1
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.768.2025.12.06 # Version Master V9.14.022.2026.06.10
name: 🔁 Render README.md to README.html. name: 🔁 Render README.md to README.html.
@@ -11,5 +11,5 @@
build: build:
counter: 1023 counter: 1023
version: V8.13.768.2025.12.06 version: V9.14.022.2026.06.10
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
+1 -1
@@ -11,5 +11,5 @@
build: build:
counter: 1023 counter: 1023
version: V8.13.768.2025.12.06 version: V9.14.022.2026.06.10
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
+1 -1
@@ -11,5 +11,5 @@
build: build:
counter: 1023 counter: 1023
version: V8.13.768.2025.12.06 version: V9.14.022.2026.06.10
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.768.2025.12.06 # Version Master V9.14.022.2026.06.10
name: 🔐 Generating a Private Live ISO TRIXIE. name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.768.2025.12.06 # Version Master V9.14.022.2026.06.10
name: 🔐 Generating a Private Live ISO TRIXIE. name: 🔐 Generating a Private Live ISO TRIXIE.
+1 -1
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.768.2025.12.06 # Version Master V9.14.022.2026.06.10
name: 💙 Generating a PUBLIC Live ISO. name: 💙 Generating a PUBLIC Live ISO.
+1 -1
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.768.2025.12.06 # Version Master V9.14.022.2026.06.10
# Gitea Workflow: Shell-Script Linting # Gitea Workflow: Shell-Script Linting
# #
+1 -1
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.768.2025.12.06 # Version Master V9.14.022.2026.06.10
name: 🛡️ Retrieve DNSSEC status of coresecret.dev. name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
+1 -1
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.768.2025.12.06 # Version Master V9.14.022.2026.06.10
name: 🔁 Render Graphviz Diagrams. name: 🔁 Render Graphviz Diagrams.
+6
@@ -16,5 +16,11 @@ target/
*.log *.log
*.ps1 *.ps1
config.mk config.mk
ciss.secureboot/private/*
!ciss.secureboot/private/README.md
ciss.secureboot/manifests/*
!ciss.secureboot/manifests/.gitkeep
ciss.secureboot/uki/*
!ciss.secureboot/uki/.gitkeep
Thumbs.db Thumbs.db
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
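Review bot: The new `ciss.secureboot/private/*` rule only keeps untracked files out of future commits; anything under that directory that was already tracked, or is staged with `git add -f`, is still committed and remains in history, so the ignore rule by itself is not a control for what is likely signing-key material. A cheap guard that fails the lint workflow when a tracked file other than the README appears there would close that gap, e.g. `git ls-files ciss.secureboot/private | grep -v '^ciss.secureboot/private/README.md$' | grep -q . && { echo 'tracked file under ciss.secureboot/private' >&2; exit 1; }`. The `!.gitkeep` exceptions for `manifests/` and `uki/` read fine as written; presumably those directories are populated at build time, which this hunk does not show.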
+1 -1
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework." properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
properties_SPDX-PackageName="CISS.debian.live.builder" properties_SPDX-PackageName="CISS.debian.live.builder"
properties_SPDX-Security-Contact="security@coresecret.eu" properties_SPDX-Security-Contact="security@coresecret.eu"
properties_version="V8.13.768.2025.12.06" properties_version="V9.14.022.2026.06.10"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+125
@@ -0,0 +1,125 @@
# AGENTS.md
## Purpose
This repository builds and maintains the CISS Debian Live Builder for Debian 13 Trixie.
Treat every change as security-sensitive and boot-chain-sensitive.
Persistent coding details live in `docs/CODING_CONVENTION.md`.
Review-only instructions live in `code_review.md`.
## Instruction precedence for this repository
Use this order when instructions differ:
1. The current user task prompt defines the immediate objective and task-specific acceptance criteria.
2. This `AGENTS.md` defines repository-wide constraints and routing guidance.
3. `docs/CODING_CONVENTION.md` defines detailed coding conventions.
4. `code_review.md` applies when performing a review or final self-review.
5. Personal/global Codex instructions apply only where they do not conflict with repository rules.
When in doubt, choose the safer, smaller, more easily reviewable change and explain the uncertainty.
## Non-negotiable constraints
- Target Debian 13 Trixie unless the task explicitly states otherwise.
- Do not introduce Ubuntu-specific assumptions.
- Do not invent live-build, live-boot, initramfs, cryptsetup, systemd, GRUB, Debian package, or upstream tool behavior.
- Verify uncertain behavior against existing repository code or authoritative upstream documentation.
- Do not add phase-argument gates to live-boot or initramfs scripts. Execution phase is controlled by Debian hook placement.
- Preserve encrypted-root and encrypted-SquashFS architecture unless the task explicitly changes it.
- Prefer simple, explicit, inspectable Bash over clever abstraction.
- Do not use `eval`.
- Do not print secrets, private keys, passphrases, tokens, or sensitive environment values.
## Repository map
Common areas:
- `ciss_live_builder.sh`, `lib/*.sh`: host-side orchestration and argument handling.
- `makefile`: local wrapper for composing and executing builder invocations.
- `config/hooks/live/*.chroot`: live-build chroot hooks.
- `config/hooks/live/*.binary`: live-build binary-image hooks.
- `config/includes.chroot/etc/initramfs-tools/hooks/*`: initramfs build hooks.
- `config/includes.chroot/etc/initramfs-tools/scripts/*`: initramfs boot scripts.
- `config/includes.chroot/usr/lib/live/boot/*`: live-boot runtime scripts.
- `scripts/*`: helper scripts or files copied into the generated image.
- `docs/*`: project documentation and conventions.
## Working method
Before editing:
1. Inspect the relevant scripts, hooks, configuration files, documentation, tests, and naming conventions.
2. Identify the affected build or boot phase.
3. Give a concise implementation plan and list the likely files to touch, unless the change is trivial.
While editing:
- Keep changes minimal and local to the task.
- Preserve existing architecture, naming style, error handling, formatting, and security posture.
- Do not perform unrelated cleanup or formatting churn.
- Reuse existing helper functions for logging, fatal errors, validation, downloads, temporary files, and tool checks where available.
- Do not introduce new runtime dependencies unless technically necessary and justified.
After editing:
- Run only the narrowest checks that prove the change.
- Changed Bash files: run `bash -n <file>` and `shellcheck <file>` if ShellCheck is available.
- Changed POSIX shell files, if any exist and must remain POSIX: run `sh -n <file>`.
- Make wrapper or builder argument-composition changes: run the relevant dry-run or help/parser check, usually `make dry-run` if available.
- Changed Python files: run the repository's relevant Python checks if present.
- CLI or user-facing behavior changes: update `usage()` and relevant documentation.
- Live-build, initramfs, or ISO behavior changes: state the required Debian Trixie validation command. Do not run a full live build unless requested or necessary.
## Bash conventions summary
See `docs/CODING_CONVENTION.md` for detail.
- Use Bash for new and modified project scripts unless an existing Debian interface file explicitly requires POSIX shell.
- Prefer `set -Ceuo pipefail` where feasible.
- Use `declare` for variables inside functions.
- Quote expansions unless word splitting or globbing is explicitly required.
- Prefer arrays where argument boundaries matter.
- Use `[[ ... ]]` for Bash conditionals.
- Use `case` for option dispatch and multi-branch string handling.
- Avoid parsing `ls`.
- Prefer `command -v` over `which`.
- Keep functions small and readable.
- End functions explicitly with `return 0` where consistent with surrounding code.
- Code comments must be in English.
## Security-sensitive areas
Before finalizing a change, check whether it affects:
- boot trust
- initramfs behavior
- live-boot runtime behavior
- cryptsetup/LUKS handling
- encrypted SquashFS handling
- key material
- remote unlock
- TLS, mTLS, signature, checksum, or provenance verification
- package sources or remote downloads
- network exposure
- file permissions
- persistence
- logging of sensitive values
If affected, document the concrete risk and mitigation in the final response.
## Final response
Return a concise implementation report:
- changed files
- what changed
- checks run and result
- real remaining risks or follow-up steps
Do not claim success for checks that were not run.
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
+1 -1
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
Created: 2025-05-07T12:00:00Z Created: 2025-05-07T12:00:00Z
Package: CISS.debian.live.builder Package: CISS.debian.live.builder
PackageName: CISS.debian.live.builder PackageName: CISS.debian.live.builder
PackageVersion: Master V8.13.768.2025.12.06 PackageVersion: Master V9.14.022.2026.06.10
PackageSupplier: Organization: Centurion Intelligence Consulting Agency PackageSupplier: Organization: Centurion Intelligence Consulting Agency
PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
+85 -29
@@ -2,7 +2,7 @@
gitea: none gitea: none
include_toc: true include_toc: true
--- ---
[![Static Badge](https://badges.coresecret.dev/badge/Release-V8.13.768.2025.12.06-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder) [![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.022.2026.06.10-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
&nbsp; &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -11,10 +11,10 @@ include_toc: true
[![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/shellformat-passed-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=shellformat&color=%234285F4)](https://github.com/mvdan/sh) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html) [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
&nbsp; &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.25.1-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.26.1-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Runner-0.2.13-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=runner&color=%23609926)](https://docs.gitea.com/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/Runner-1.0.8-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=runner&color=%23609926)](https://docs.gitea.com/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2025.2.4-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2026.1.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.10-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.12-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/SocialMedia-@coresecret_eu-white?style=plastic&logo=x&logoColor=white&logoSize=auto&label=SocialMedia&color=%23000000)](https://x.com/coresecret_eu) &nbsp; [![Static Badge](https://badges.coresecret.dev/badge/SocialMedia-@coresecret_eu-white?style=plastic&logo=x&logoColor=white&logoSize=auto&label=SocialMedia&color=%23000000)](https://x.com/coresecret_eu) &nbsp;
@@ -26,11 +26,11 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 9.14<br>
**Build**: V8.13.768.2025.12.06<br> **Build**: V9.14.022.2026.06.10<br>
**CISS.debian.live.builder — First of its own.**<br> **CISS.debian.live.builder — First of its own.**<br>
**World-class CIA: Designed, handcrafted and powered by Centurion Intelligence Consulting Agency.** **World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.**
Developed and maintained as a one-man, security-driven engineering effort since 2024, **CISS.debian.live.builder** is designed Developed and maintained as a one-man, security-driven engineering effort since 2024, **CISS.debian.live.builder** is designed
to serve as a reference implementation for hardened, image-based Debian deployments. to serve as a reference implementation for hardened, image-based Debian deployments.
@@ -60,12 +60,15 @@ and spoofing surfaces.
Internally, the builder employs a dedicated secret-handling pipeline backed by a tmpfs-only secrets directory Internally, the builder employs a dedicated secret-handling pipeline backed by a tmpfs-only secrets directory
(`/dev/shm/cdlb_secrets`). Sensitive material such as root passwords, SSH keys, and signing keys never appears on the command (`/dev/shm/cdlb_secrets`). Sensitive material such as root passwords, SSH keys, and signing keys never appears on the command
line, is guarded by strict `0400 root:root` permissions, and any symlink inside the secret path is treated as a hard failure line, is guarded by a `0700 root:root` secret root and single-link regular `0400` or `0600` root-owned files, and any symlink
that aborts the run. Critical code paths temporarily disable Bash xtrace so that credentials never leak into debug logs, and inside the secret path is treated as a hard failure that aborts the run. Filename-only secret arguments reject slashes and
transient secret files are shredded (`shred -fzu`) as soon as they are no longer needed. GNUPG homes used for signing are traversal.
wiped, unencrypted chroot artifacts and includes are removed after `lb build`, and the final artifact is reduced to the Critical code paths temporarily disable Bash xtrace, and a final exact-value debug-log sanitisation pass provides additional
encrypted SquashFS inside the LUKS2 container. At runtime, LUKS passphrases in the live ISO and installer are transported via defence in depth. Transient secret files are shredded (`shred -fzu`) as soon as they are no longer needed, but this is only a
named pipes inside the initramfs instead of process arguments, further minimizing exposure in process listings. best-effort cleanup on SSD, NVMe, copy-on-write, journaled, and virtualised storage. Use tmpfs for secrets and encrypted storage
for build workspaces. Destructive build cleanup is restricted to the exact canonical directory carrying the
`.ciss-live-builder-owned` marker. This private operator workflow still requires strict local path validation; it does not
define public ISO release policy.
Check out more leading world-class services powered by Centurion Intelligence Consulting Agency: Check out more leading world-class services powered by Centurion Intelligence Consulting Agency:
* [CenturionDNS Resolver](https://eddns.eu/) * [CenturionDNS Resolver](https://eddns.eu/)
@@ -175,7 +178,7 @@ installer toolchain.
This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date. This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
Example: `V8.13.768.2025.12.06` Example: `V9.14.022.2026.06.10`
`x.y.z` represents major (x), minor (y), and patch (z) version increments. `x.y.z` represents major (x), minor (y), and patch (z) version increments.
@@ -221,7 +224,7 @@ The parameters fall into several categories.
* The audit subsystem is configured to be always on ``audit=1`` and to tolerate heavy bursts without dropping events ``audit_backlog_limit=262144``. I treat the audit trail as an evidentiary artifact; truncation because of backlog limits is not acceptable in that model. * The audit subsystem is configured to be always on ``audit=1`` and to tolerate heavy bursts without dropping events ``audit_backlog_limit=262144``. I treat the audit trail as an evidentiary artifact; truncation because of backlog limits is not acceptable in that model.
* The debug surface of the kernel is reduced aggressively. ``debugfs=off`` avoids a traditional footgun that exposes kernel internals in a way that is friendly to attackers and rarely necessary in production. * The debug surface of the kernel is reduced aggressively. ``debugfs=off`` avoids a traditional footgun that exposes kernel internals in a way that is friendly to attackers and rarely necessary in production.
* Memory is hardened on several levels at allocation time and at free time. ``init_on_alloc=1`` and ``init_on_free=1`` provide deterministic zeroing, ``page_poison=1`` fills freed pages with a poison pattern, and ``page_alloc.shuffle=1`` shuffles the allocator so that a process can no longer rely on stable physical patterns. Together these measures raise the cost of use-after-free exploitation and other memory corruption attacks. * Memory is hardened on several levels at allocation time and at free time. ``init_on_alloc=1`` and ``init_on_free=1`` provide deterministic zeroing, ``page_poison=1`` fills freed pages with a poison pattern, and ``page_alloc.shuffle=1`` shuffles the allocator so that a process can no longer rely on stable physical patterns. Together these measures raise the cost of use-after-free exploitation and other memory corruption attacks.
* The IOMMU is not optional. I force it on ``iommu=force``, disable passthrough ``iommu.passthrough=0`` and require strict behavior ``iommu.strict=``1. Any environment that contains devices capable of DMA must have a correctly configured IOMMU, otherwise the trust model for the CPU and for the memory hierarchy collapses as soon as a hostile device is introduced. * The IOMMU is not optional. I force it on ``iommu=force``, disable passthrough, and require strict behavior ``iommu.strict=``1. Any environment that contains devices capable of DMA must have a correctly configured IOMMU, otherwise the trust model for the CPU and for the memory hierarchy collapses as soon as a hostile device is introduced.
* ``kfence.sample_interval=100`` activates KFENCE with a sampling interval that is still usable in production but sensitive enough to catch a meaningful subset of memory safety bugs under real workloads. * ``kfence.sample_interval=100`` activates KFENCE with a sampling interval that is still usable in production but sensitive enough to catch a meaningful subset of memory safety bugs under real workloads.
* Virtualization-specific knobs include ``kvm.nx_huge_pages=force``, to keep huge pages non-executable, and ``l1d_flush=on`` so that context switches flush the L1 data cache where needed. * Virtualization-specific knobs include ``kvm.nx_huge_pages=force``, to keep huge pages non-executable, and ``l1d_flush=on`` so that context switches flush the L1 data cache where needed.
* ``lockdown=integrity`` places the kernel into lockdown mode with an emphasis on integrity. In this project I consider the integrity of the system more critical than the ability to introspect a running kernel from userspace. * ``lockdown=integrity`` places the kernel into lockdown mode with an emphasis on integrity. In this project I consider the integrity of the system more critical than the ability to introspect a running kernel from userspace.
@@ -237,7 +240,7 @@ deliberate design decision.
### 2.1.2. CPU Vulnerability Mitigations ### 2.1.2. CPU Vulnerability Mitigations
I build the kernels with the relevant mitigations for Spectre, Meltdown, L1TF, MDS, TAA, Retbleed, and related families activated. I build the kernels with the relevant mitigations for Specter, Meltdown, L1TF, MDS, TAA, Retbleed, and related families activated.
The ``mitigations=auto,nosmt`` flag ensures that new mitigations integrated into the mainline kernel become effective as they The ``mitigations=auto,nosmt`` flag ensures that new mitigations integrated into the mainline kernel become effective as they
are added, instead of requiring that I micromanage every single toggle. The residual performance cost is acceptable in the are added, instead of requiring that I micromanage every single toggle. The residual performance cost is acceptable in the
context I am targeting; stale mitigations can be revisited, but missing mitigations will not be. context I am targeting; stale mitigations can be revisited, but missing mitigations will not be.
@@ -365,6 +368,11 @@ For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-cis
## 2.9. UFW Hardening ## 2.9. UFW Hardening
* **Description**: Defaults to `deny incoming` and (optionally) `deny outgoing`; automatically opens only whitelisted ports. * **Description**: Defaults to `deny incoming` and (optionally) `deny outgoing`; automatically opens only whitelisted ports.
* **Primordial SSH exception**: `--primordial-url <https-git-url>`, `--primordial-key <ssh-identity-filename>` and
`--primordial-ssh <port>` configure the CDI Primordial overlay clone. `--primordial-ssh` also adds an outgoing-only UFW TCP
exception for a bootstrap/recovery SSH port when the live system's UFW outgoing policy is `deny`. It adds no incoming firewall
rule and does not replace `--ssh-port`. If the requested port already matches an existing outgoing SSH exception, the current
hook still emits the requested labelled rule because this repository has no separate UFW rule deduplication layer.
* **Rationale**: Implements a default-deny firewall, reducing lateral movement and data exfiltration risks immediately after * **Rationale**: Implements a default-deny firewall, reducing lateral movement and data exfiltration risks immediately after
deployment. deployment.
@@ -488,10 +496,14 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e
2. Preparation: 2. Preparation:
1. Ensure you are root. 1. Ensure you are root.
2. Create the build directory `mkdir /opt/cdlb` and the tmpfs secrets directory `mkdir /dev/shm/cdlb_secrets`. 2. Create the empty build directory with `install -d -m 0700 -o root -g root /opt/cdlb`.
3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory. 3. Create the tmpfs secret root with `install -d -m 0700 -o root -g root /dev/shm/cdlb_secrets`.
4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory. 4. Place required secret files in the secret root as single-link regular, non-symlink, root-owned files with mode `0400`
5. Make any other changes you need to. or `0600`.
5. Place your desired SSH public key in `/dev/shm/cdlb_secrets/authorized_keys`.
6. Place your desired root password in `/dev/shm/cdlb_secrets/password.txt`.
7. Use filename-only values without slashes, `.` or `..` for `--key_age`, `--key_luks`, and signing-file arguments.
8. Make any other changes you need to.
3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example): 3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):
@@ -514,15 +526,29 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e
--reionice-priority 1 2 \ --reionice-priority 1 2 \
--renice-priority "-19" \ --renice-priority "-19" \
--root-password-file /dev/shm/cdlb_secrets/password.txt \ --root-password-file /dev/shm/cdlb_secrets/password.txt \
--secure-boot-profile debian-shim \
--sops-version 3.13.1 \
--signing_key_fpr=98089A472CCF4601CD51D7C7095D36535296EA14B8DE92198723C4DC606E8F76 \ --signing_key_fpr=98089A472CCF4601CD51D7C7095D36535296EA14B8DE92198723C4DC606E8F76 \
--signing_key_pass=signing_key_pass.txt \ --signing_key_pass=signing_key_pass.txt \
--signing_key=signing_key.asc \ --signing_key=signing_key.asc \
--ssh-port 4242 \ --ssh-port 4242 \
--primordial-url https://git.coresecret.dev/ahz/PhysNet.primordial.git \
--primordial-key id--git.coresecret.dev--PhysNet.primordial_deploy--ed25519--newton--2025-10 \
--primordial-ssh 42842 \
--ssh-pubkey /dev/shm/cdlb_secrets \ --ssh-pubkey /dev/shm/cdlb_secrets \
--sshfp \ --sshfp \
--trixie --trixie
```` ````
`--sops-version` selects the upstream SOPS release installed into the live system. If omitted, the builder uses
`VAR_SOPS_VERSION` from `var/global.var.sh`. The SOPS hook verifies the upstream checksums file with Cosign and supports
both the newer Sigstore bundle asset, and the legacy-split certificate/signature assets before checking the downloaded
SOPS binary with `sha256sum -c --ignore-missing`.
On the first run, the builder creates `.ciss-live-builder-owned` in a new or empty build directory whose canonical parent
already exists. A populated directory without that marker is rejected and is never adopted automatically. Cleanup remains
intentionally destructive inside the exact validated marker-owned directory.
4. Locate your ISO in the `--build-directory`. 4. Locate your ISO in the `--build-directory`.
5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel. 5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel.
6. Type `sysp` for the final kernel hardening features. 6. Type `sysp` for the final kernel hardening features.
@@ -544,7 +570,8 @@ preview it or run it.
2. Preparation: 2. Preparation:
1. Ensure you are root. 1. Ensure you are root.
2. Create the build directory `mkdir /opt/cdlb` and the tmpfs secrets directory `mkdir /dev/shm/cdlb_secrets`. 2. Create the empty build directory and tmpfs secret root with restrictive ownership and permissions:
`install -d -m 0700 -o root -g root /opt/cdlb /dev/shm/cdlb_secrets`.
3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory. 3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory.
4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory. 4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory.
5. Copy and edit the sample and set your options (no spaces around commas in lists): 5. Copy and edit the sample and set your options (no spaces around commas in lists):
@@ -556,10 +583,15 @@ preview it or run it.
````bash ````bash
BUILD_DIR=/opt/cdlb BUILD_DIR=/opt/cdlb
ROOT_PASSWORD_FILE=/dev/shm/cdlb_secrets/password.txt ROOT_PASSWORD_FILE=/dev/shm/cdlb_secrets/password.txt
SECURE_BOOT_PROFILE=debian-shim
SOPS_VERSION=3.13.1
SSH_PORT=4242 SSH_PORT=4242
SSH_PUBKEY=/dev/shm/cdlb_secrets SSH_PUBKEY=/dev/shm/cdlb_secrets
# Optional # Optional
PRIMORDIAL_URL=https://git.coresecret.dev/ahz/PhysNet.primordial.git
PRIMORDIAL_KEY=id--git.coresecret.dev--PhysNet.primordial_deploy--ed25519--newton--2025-10
PRIMORDIAL_SSH_PORT=42842
PROVIDER_NETCUP_IPV6=2001:cdb::1 PROVIDER_NETCUP_IPV6=2001:cdb::1
# comma-separated; IPv6 in [] is fine # comma-separated; IPv6 in [] is fine
JUMP_HOSTS=[2001:db8::1],[2001:db8::2] JUMP_HOSTS=[2001:db8::1],[2001:db8::2]
@@ -569,7 +601,31 @@ preview it or run it.
4. Execute the build: ````make live```` 4. Execute the build: ````make live````
## 5.3. CI/CD Gitea Runner Workflow Example ## 5.3. Secure Boot Profiles
The default build profile is ``--secure-boot-profile debian-shim``. It keeps the ISO broadly portable: ``lb config`` uses an
``iso-hybrid`` image with both ``grub-pc`` and ``grub-efi`` bootloaders, and UEFI Secure Boot remains delegated to live-build's
standard Microsoft-signed Debian shim plus Debian-signed GRUB path.
The custom profile is ``--secure-boot-profile ciss-uki``. It is intended for amd64 systems whose firmware trusts the CISS Secure
Boot key material through the platform Secure Boot database, or a custom PK/KEK/db model. In this profile a late binary hook
builds a Unified Kernel Image from the final ``binary/live/vmlinuz-*`` and ``binary/live/initrd.img-*`` artifacts, signs it with
``ciss.secureboot/private/ciss-efi-image.key`` and ``ciss.secureboot/public/ciss-efi-image.crt``, rebuilds
``binary/boot/grub/efi.img``, installs the signed UKI as ``EFI/BOOT/BOOTX64.EFI``, and mirrors it into the ISO EFI tree when
live-build created one.
Required files for ``ciss-uki``:
````text
ciss.secureboot/private/ciss-efi-image.key
ciss.secureboot/public/ciss-efi-image.crt
````
The private directory is ignored by Git. The hooks fail if the CISS EFI image signing key or module signing key appears below
``binary/``, ``chroot/`` or ``config/includes.*``. Build-time UKI manifests are written below the build directory in
``ciss.secureboot/manifests`` and can be checked with ``ukify inspect`` and ``sbverify``.
## 5.4. CI/CD Gitea Runner Workflow Example
1. Clone the repository: 1. Clone the repository:
@@ -612,10 +668,10 @@ preview it or run it.
#... #...
- name: Preparing the build environment. - name: Preparing the build environment.
run: | run: |
mkdir -p /opt/config install -d -m 0700 -o root -g root /opt/livebuild /dev/shm/cdlb_secrets
mkdir -p /opt/livebuild umask 0077
echo "${{ secrets.CHANGE_ME }}" >| /opt/config/password.txt printf '%s\n' "${{ secrets.CHANGE_ME }}" >| /dev/shm/cdlb_secrets/password.txt
echo "${{ secrets.CHANGE_ME }}" >| /opt/config/authorized_keys printf '%s\n' "${{ secrets.CHANGE_ME }}" >| /dev/shm/cdlb_secrets/authorized_keys
#... #...
- name: Starting CISS.debian.live.builder. This may take a while ... - name: Starting CISS.debian.live.builder. This may take a while ...
run: | run: |
@@ -628,9 +684,9 @@ preview it or run it.
--build-directory /opt/livebuild \ --build-directory /opt/livebuild \
--control "${timestamp}" \ --control "${timestamp}" \
--jump-host "${{ secrets.CHANGE_ME }}" \ --jump-host "${{ secrets.CHANGE_ME }}" \
--root-password-file /opt/config/password.txt \ --root-password-file /dev/shm/cdlb_secrets/password.txt \
--ssh-port CHANGE_ME \ --ssh-port CHANGE_ME \
--ssh-pubkey /opt/config --ssh-pubkey /dev/shm/cdlb_secrets
#... #...
### SKIP OR CHANGE ALL REMAINING STEPS ### SKIP OR CHANGE ALL REMAINING STEPS
``` ```
+3 -3
@@ -7,14 +7,14 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br> **Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br> *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br> **Master Version**: 9.14<br>
**Build**: V8.13.768.2025.12.06<br> **Build**: V9.14.022.2026.06.10<br>
# 2. Repository Structure # 2. Repository Structure
**Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder
**Branch:** `master` **Branch:** `master`
**Repository State:** Master Version **8.13**, Build **V8.13.768.2025.12.06** (as of 2025-10-11) **Repository State:** Master Version **9.14**, Build **V9.14.022.2026.06.10** (as of 2025-10-11)
## 3.1. Top-Level Layout ## 3.1. Top-Level Layout
+33
@@ -0,0 +1,33 @@
.-=+*###%%###*+=-:.
:=*%%@@@@@@@@@@@@@@@@@%#*-.
:+%@@@@%%%%@@@@@@@@%%%%%%@@@@@%*:
-#@@@%%%%@@@@%#****#%%@@@%%@@%#+=-:.
.#@@%%%%%@@#+:..:::-::::-=#@@%=.
-%@%%%%%%@#: .=*%@@@@@@%#+-.:=
=@%%%%%%%@= .*@@@@%%%%%%%@@@%=
:@%%%%%%%@+ :%@%%%%%%%%%%%%%%@@#%+
#%%%%%%%%% #@%%%%%%%%%%%%%%%%%@@%.
-@%%%%%%%@# %%%%%%%%%%%%%%%%%@@@%@*
*%%%%%%%%@% *@%%%%%%%%%%%%%%%#*#%%@:
*@%%%%%%%%@- :@%%%%%%%%%%%%%%%%- ..
*%%%%%%%%%%#. +@%%%%%%%%%%%%%%@@*.
-@%%%%%%%%%@- #%%%%%%%%@@@@@%%%@@%%%+
%%%%%%%%%%: -@%%%%%@@%**#%@%%%%@%@%
-@%%%%%%@+ :@%%%@@*: =@%%%%%%:
+@%%%%%@. +@%%@#: #@%%%@-
*@%%@@= :%%@@+ *%%%@#
=@%#- :%@@#- :@@%%%-
.. =@%*- .+#%@%.
:+-. .=*
____ ___ ____ ____ _ _ _ _ _ _ _ _ _
/ ___|_ _/ ___/ ___| __| | ___| |__ (_) __ _ _ __ | (_)_ _____ | |__ _ _(_) | __| | ___ _ __
| | | |\___ \___ \ / _` |/ _ \ '_ \| |/ _` | '_ \ | | \ \ / / _ \ | '_ \| | | | | |/ _` |/ _ \ '__|
| |___ | | ___) |__) | (_| | __/ |_) | | (_| | | | |_| | |\ V / __/_| |_) | |_| | | | (_| | __/ |
\____|___|____/____(_)__,_|\___|_.__/|_|\__,_|_| |_(_)_|_| \_/ \___(_)_.__/ \__,_|_|_|\__,_|\___|_|
Debian Trixie | Hardened Live ISO Builder | Encrypted Root Path | Verified Boot Chain | LUKS Integrity
Preparing Builder...
Please wait...
+37
@@ -0,0 +1,37 @@
.:-=++***#####***+==-:.
.-=*#%%@@@@@@@@@@@@@@@@@@@@@%%#*=-.
.=*#@@@@@@@%%%%%%%%%%%%%%%%%%%%%@@@@@@@%*=:
:+#@@@@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@%*=.
.+#@@@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@#=:
:*%@@%%%%%%%%%%%%%%%%@@@@@@@@@@@@@%%%%%%%%%%%%%%%%@@@@%%%*=
:*@@%%%%%%%%%%%%%%@@@@@%%#*******#%%@@@@%%%%%%%%%@@%#+-:.
.+@@%%%%%%%%%%%%%%@@%#+-. .-+#%@@%%%%@@#=.
-%@%%%%%%%%%%%%%@@%*-. :-+**####**+-: .-*%@@@*:
+@@%%%%%%%%%%%%%@%+. :+#%@@@@@@@@@@@@@@%#+: .+#:
*@%%%%%%%%%%%%%%@*. =#@@@@%%%%%%%%%%%%%%@@@@#-
*@%%%%%%%%%%%%%%@- -%@@%%%%%%%%%%%%%%%%%%%%%%@@#-
+@%%%%%%%%%%%%%%@- +@@%%%%%%%%%%%%%%%%%%%%%%%%%%@@+-*#
-@%%%%%%%%%%%%%%@+ +@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@-
%%%%%%%%%%%%%%%%% :@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-@%%%%%%%%%%%%%%@* +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@=
#%%%%%%%%%%%%%%%@= *@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
.%%%%%%%%%%%%%%%%@+ +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@%%%%%%%=
-@%%%%%%%%%%%%%%%@* :@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@@@@@.
=@%%%%%%%%%%%%%%%%%. #@%%%%%%%%%%%%%%%%%%%%%%%%%%%*..:--==+*-
=@%%%%%%%%%%%%%%%%@= :@%%%%%%%%%%%%%%%%%%%%%%%%%%%@#:
=@%%%%%%%%%%%%%%%%%%. +@%%%%%%%%%%%%%%%%%%%%%%%%%%%@@+
:@%%%%%%%%%%%%%%%%%@# #%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@#::::.
%@%%%%%%%%%%%%%%%%%@= :@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@@@%#:
*%%%%%%%%%%%%%%%%%%- *@%%%%%%%%%%%%%%%@@@@%%%%%%%%%%%%%%%@@@.
:@%%%%%%%%%%%%%%%@- -@%%%%%%%%%%%%@@@%%%%%@@%%%%%%%%%%%%%%%.
*@%%%%%%%%%%%%%@+ .%%%%%%%%%%%@@*=:. .-*@%%%%%%%%%%%%@=
.%%%%%%%%%%%%%%%. .%%%%%%%%%@@*: :%%%%%%%%%%%@+
=@%%%%%%%%%%%@* -@%%%%%%%@#: =@%%%%%%%%@*
+@%%%%%%%%%%@. *@%%%%%@@+ .@%%%%%%%%%.
*@%%%%%%%%@+ -@%%%%%@%- .@%%%%%%%@=
+@%%%%%@@* :%%%%%@@*. -@%%%%%%%%
=@@@@@#- :%%%%@@%- #%%%%%%%@+
:#*+: :%%%@@%+ -@@@%%%%%@:
=@@@@#=. :+#@@@@%%.
.*%#*=. .=*%@%
::. .-+
+1
@@ -0,0 +1 @@
+26
@@ -0,0 +1,26 @@
---
gitea: none
include_toc: true
---
# 1. CISS.debian.live.builder
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.022.2026.06.10<br>
# 2. CISS Secure Boot Private Material
This directory is intentionally ignored except for this README.
On the air-gapped build host, place the private EFI image signing key here:
* `ciss-efi-image.key`
Do not commit private keys. The custom UKI hooks fail if this key is copied into `binary/`, `chroot/`, or
`config/includes.*`.
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
+26
@@ -0,0 +1,26 @@
---
gitea: none
include_toc: true
---
# 1. CISS.debian.live.builder
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.022.2026.06.10<br>
# 2. CISS Secure Boot Public Material
Place public CISS Secure Boot certificates here on the air-gapped build host.
Expected file for the `ciss-uki` build profile:
* `ciss-efi-image.crt`
Public CA and module-signing certificates may also live here, for example `ciss-secureboot-ca.crt` and
`ciss-module-signing.crt`, but they are not copied into the ISO by the current UKI hooks.
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
+1
@@ -0,0 +1 @@
+45 -18
@@ -15,7 +15,7 @@
### WHY BASH? ### WHY BASH?
# Ease of installation. No compiling or installing gems, CPAN modules, pip packages, etc. Simple to use and read. Clear syntax # Ease of installation. No compiling or installing gems, CPAN modules, pip packages, etc. Simple to use and read. Clear syntax
# and straightforward output interpretation. Built-in power. Pattern matching, line processing, and regular expression support # and straightforward output interpretation. Built-in power. Pattern matching, line processing, and regular expression support
# are available natively, no external binaries required. Cross-platform consistency. '/bin/bash' is the default shell on most # are available natively; no external binaries are required. Cross-platform consistency. '/bin/bash' is the default shell on most
# Linux distributions, ensuring scripts run unmodified across systems. macOS compatibility. Since macOS Catalina (10.15), the # Linux distributions, ensuring scripts run unmodified across systems. macOS compatibility. Since macOS Catalina (10.15), the
# default login shell has been zsh, but bash remains available at '/bin/bash'. Windows support. You can use bash via WSL, MSYS2, # default login shell has been zsh, but bash remains available at '/bin/bash'. Windows support. You can use bash via WSL, MSYS2,
# or Cygwin on Windows systems. # or Cygwin on Windows systems.
@@ -111,29 +111,41 @@ source_guard "./var/bash.var.sh"
### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG. ### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG.
for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh ; contact; exit 0;; esac; done for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh ; contact; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -h|--help) . ./lib/lib_usage.sh ; usage ; exit 0;; esac; done for arg in "$@"; do case "${arg,,}" in -h|--help) . ./lib/lib_usage.sh ; usage ; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -l|--logo) . ./lib/lib_logo.sh ; logo ; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh ; version; exit 0;; esac; done for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh ; version; exit 0;; esac; done
for arg in "$@"; do case "${arg,,}" in -d|--debug) . ./meta_sources_debug.sh; debugger "${@}";; esac; done for arg in "$@"; do case "${arg,,}" in -d|--debug) . ./meta_sources_debug.sh; debugger "${@}";; esac; done
### ALL CHECKS DONE. READY TO START THE SCRIPT. ### ALL CHECKS DONE. READY TO START THE SCRIPT.
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}" clear
printf '\033[95m'
cat bootscreen.txt
printf '\033[0m\n'
sleep 4
printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
declare -grx VAR_SETUP="true" declare -grx VAR_SETUP="true"
### SECURING SECRETS ARTIFACTS.
test ! -L "${VAR_TMP_SECRET}" || {
. ./var/global.var.sh
printf "\e[91m❌ Refusing symlink: '%s'! Bye... \e[0m\n" "${VAR_TMP_SECRET}" >&2
exit "${ERR_SECRETSSYM}"
}
find "${VAR_TMP_SECRET}" -type f -exec chmod 0400 {} +
find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
### SOURCING VARIABLES. ### SOURCING VARIABLES.
[[ "${VAR_SETUP}" == true ]] && { [[ "${VAR_SETUP}" == true ]] && {
source_guard "./var/color.var.sh" source_guard "./var/color.var.sh"
source_guard "./var/global.var.sh" source_guard "./var/global.var.sh"
} }
### SOURCING LIBRARIES. ### SOURCE THE MINIMUM REQUIRED FOR EARLY EXIT CLEANUP COVERAGE.
[[ "${VAR_SETUP}" == true ]] && {
source_guard "./lib/lib_secret_validation.sh"
source_guard "./lib/lib_build_directory.sh"
source_guard "./lib/lib_debug_sanitizer.sh"
source_guard "./lib/lib_clean_up.sh"
source_guard "./lib/lib_trap_on_err.sh"
source_guard "./lib/lib_trap_on_exit.sh"
}
trap 'trap_on_exit "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' EXIT
### Validate the fixed tmpfs secret staging area without modifying operator-provided files.
validate_secret_staging_area
### SOURCING REMAINING LIBRARIES.
[[ "${VAR_SETUP}" == true ]] && { [[ "${VAR_SETUP}" == true ]] && {
source_guard "./lib/lib_arg_parser.sh" source_guard "./lib/lib_arg_parser.sh"
source_guard "./lib/lib_arg_priority_check.sh" source_guard "./lib/lib_arg_priority_check.sh"
@@ -152,7 +164,6 @@ find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
source_guard "./lib/lib_ciss_upgrades_boot.sh" source_guard "./lib/lib_ciss_upgrades_boot.sh"
source_guard "./lib/lib_ciss_upgrades_build.sh" source_guard "./lib/lib_ciss_upgrades_build.sh"
source_guard "./lib/lib_clean_screen.sh" source_guard "./lib/lib_clean_screen.sh"
source_guard "./lib/lib_clean_up.sh"
source_guard "./lib/lib_copy_integrity.sh" source_guard "./lib/lib_copy_integrity.sh"
source_guard "./lib/lib_gnupg.sh" source_guard "./lib/lib_gnupg.sh"
source_guard "./lib/lib_hardening_root_pw.sh" source_guard "./lib/lib_hardening_root_pw.sh"
@@ -167,12 +178,30 @@ find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
source_guard "./lib/lib_provider_netcup.sh" source_guard "./lib/lib_provider_netcup.sh"
source_guard "./lib/lib_run_analysis.sh" source_guard "./lib/lib_run_analysis.sh"
source_guard "./lib/lib_sanitizer.sh" source_guard "./lib/lib_sanitizer.sh"
source_guard "./lib/lib_trap_on_err.sh" source_guard "./lib/lib_secureboot_profile.sh"
source_guard "./lib/lib_trap_on_exit.sh"
source_guard "./lib/lib_update_microcode.sh" source_guard "./lib/lib_update_microcode.sh"
source_guard "./lib/lib_usage.sh" source_guard "./lib/lib_usage.sh"
} }
### Add ERR handling after all remaining libraries are available.
trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
### PRE-SCAN SECURE BOOT PROFILE FOR BUILD-HOST PACKAGE CHECKS.
### Formal validation still happens in arg_parser().
for ((idx=0; idx<${#ARY_PARAM_ARRAY[@]}; idx++)); do
case "${ARY_PARAM_ARRAY[idx],,}" in
--secure-boot-profile=*)
declare -gx VAR_CISS_SECUREBOOT_PROFILE="${ARY_PARAM_ARRAY[idx]#*=}"
;;
--secure-boot-profile)
if [[ -n "${ARY_PARAM_ARRAY[idx + 1]:-}" ]]; then
declare -gx VAR_CISS_SECUREBOOT_PROFILE="${ARY_PARAM_ARRAY[idx + 1]}"
fi
;;
esac
done
unset idx
### CHECKING REQUIRED PACKAGES. ### CHECKING REQUIRED PACKAGES.
check_pkgs check_pkgs
@@ -199,9 +228,6 @@ if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n
### Updating Status of Dialog Gauge Bar. ### Updating Status of Dialog Gauge Bar.
if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
### Following the CISS Bash naming and ordering scheme:
trap 'trap_on_exit "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' EXIT
trap 'trap_on_err "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR
### Updating Status of Dialog Gauge Bar. ### Updating Status of Dialog Gauge Bar.
if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nSanitizing Arguments ... \nXXX\n75\n" >&3; fi
@@ -248,6 +274,7 @@ init_primordial
### Integrate the CISS.debian.live.builder repository into the build directory. ### Integrate the CISS.debian.live.builder repository into the build directory.
### Modifications from this point onwards must be placed under 'VAR_HANDLER_BUILD_DIR'. ### Modifications from this point onwards must be placed under 'VAR_HANDLER_BUILD_DIR'.
hardening_ultra hardening_ultra
secureboot_profile_apply
### CISS.debian.installer 'GRUB' and 'autostart' generator. ### CISS.debian.installer 'GRUB' and 'autostart' generator.
cdi cdi
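Review bot: The `--secure-boot-profile` pre-scan loop (the `for ((idx=0; ...))` block after the ERR trap) exports whatever token follows the option into `VAR_CISS_SECUREBOOT_PROFILE` before `check_pkgs` runs, so an invocation with a missing value such as `--secure-boot-profile --trixie` passes the literal `--trixie` to the build-host package check instead of being reported by `arg_parser()`, which the comment says is where formal validation happens. Restricting the pre-scan to the two documented profile names and leaving the variable unset otherwise keeps the package check from acting on unvalidated input; for the separate-argument branch that is `case "${ARY_PARAM_ARRAY[idx + 1]:-}" in debian-shim|ciss-uki) declare -gx VAR_CISS_SECUREBOOT_PROFILE="${ARY_PARAM_ARRAY[idx + 1]}";; esac`, and the same filter applies to the `=` form. What `check_pkgs` does with an unknown profile is not visible in this hunk, so the impact beyond a misleading early failure is inferred. Separately, the new `clear` / `cat bootscreen.txt` / `sleep 4` banner runs unconditionally, including in non-interactive runner jobs where `clear` writes control sequences into the log; a `[[ -t 1 ]]` guard around those five lines would keep it interactive-only. The script's main body continues outside this hunk.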
+78
@@ -0,0 +1,78 @@
# code_review.md
Use this file for explicit review tasks and final self-review after implementation.
Do not treat it as a mandate for an unlimited audit unless the user asks for one.
## Review priorities
Review findings in this order:
1. Correctness
2. Security regressions
3. Boot/build reproducibility
4. Data loss risk
5. Error handling
6. Test or validation coverage
7. Maintainability
8. Minimality of diff
9. Style consistency
## Finding classes
- `BLOCKER`: proven correctness bug, security regression, build break, boot break, or data loss risk that must be fixed before merge.
- `RISK`: plausible issue or security concern that is not fully proven from the available context.
- `CLEANUP`: maintainability, readability, or consistency improvement that is not required for correctness.
- `NOTE`: observation only; no change requested.
## Review output format
List findings first, ordered by severity.
For each finding include:
- class
- file path and line number where possible
- observation
- concrete impact
- smallest reasonable fix
Then include:
- missing checks or validation gaps
- residual risks
- concise final recommendation
If there are no findings, say so explicitly and still mention relevant validation gaps.
## Scope control
- Do not nitpick formatting when automated tooling exists.
- Do not invent requirements not present in the task, repository, or documentation.
- Do not expand a small implementation task into a broad quality-management audit.
- Do not request a full live build unless the changed code path affects image generation in a way that cannot be checked narrowly.
- Prefer a small actionable finding over a broad speculative warning.
## Security-sensitive checklist
Check whether the change affects:
- boot trust
- initramfs behavior
- live-boot runtime behavior
- cryptsetup/LUKS handling
- encrypted SquashFS handling
- key material
- remote unlock
- TLS or mTLS verification
- signature, checksum, or provenance verification
- package sources or remote downloads
- network exposure
- file permissions
- persistence
- logging of sensitive values
For affected areas, separate observation, inference, and recommendation.
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
+11
@@ -10,8 +10,19 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
BUILD_DIR ?= BUILD_DIR ?=
### Optional Dropbear source override; empty uses VAR_DROPBEAR_VERSION from var/global.var.sh:
DROPBEAR_VERSION ?=
### Optional SOPS release override; empty uses VAR_SOPS_VERSION from var/global.var.sh:
SOPS_VERSION ?=
### Optional Primordial CDI overlay settings; all three values are required for automatic overlay bootstrap:
PRIMORDIAL_URL ?=
PRIMORDIAL_KEY ?=
PRIMORDIAL_SSH_PORT ?=
PROVIDER_NETCUP_IPV6 ?= PROVIDER_NETCUP_IPV6 ?=
ROOT_PASSWORD_FILE ?= ROOT_PASSWORD_FILE ?=
### Secure Boot profile; debian-shim or ciss-uki:
SECURE_BOOT_PROFILE ?= debian-shim
SSH_PORT ?= SSH_PORT ?=
SSH_PUBKEY ?= SSH_PUBKEY ?=
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare -gx VAR_DATE="$(date +%F)" declare -gx VAR_DATE="$(date +%F)"
@@ -284,7 +284,7 @@ LLMNR=no
MulticastDNS=no MulticastDNS=no
EOF EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
####################################### #######################################
# Get all NIC drivers of the current Host machine. # Get all NIC drivers of the current Host machine.
@@ -345,7 +345,7 @@ chmod 0755 /etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
VAR_DATE="$(date +%F)" VAR_DATE="$(date +%F)"
@@ -45,8 +45,10 @@ EOF
mkdir -p /etc/systemd/system/tmp.mount.d mkdir -p /etc/systemd/system/tmp.mount.d
cat << EOF >| /etc/systemd/system/tmp.mount.d/override.conf cat << EOF >| /etc/systemd/system/tmp.mount.d/override.conf
# The live ISO runs CISS.debian.installer and must support at least 12 raw plus encrypted LUKS header backups in the installer
# scratch path.
[Mount] [Mount]
Options=mode=1777,strictatime,nosuid,nodev,noexec,size=1% Options=mode=1777,strictatime,nosuid,nodev,noexec,size=2G
EOF EOF
mkdir -p /etc/systemd/system/dev-shm.mount.d mkdir -p /etc/systemd/system/dev-shm.mount.d
@@ -57,7 +59,7 @@ EOF
systemctl enable ciss-remount-root.service systemctl enable ciss-remount-root.service
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
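Review bot: The new override comment explains why `/tmp` grows to `size=2G` but not what that makes `/tmp` hold: raw LUKS header backups carry the key slots, and tmpfs pages are swappable, so on any host where the live system gains swap those headers can reach unencrypted disk. The limit is also now absolute instead of proportional, so a host with less RAM than expected can be pushed toward OOM by installer scratch files while the squashfs already sits in RAM. I would extend the comment with `# Header backups contain key-slot material: this tmpfs must never be backed by unencrypted swap, and the installer must remove them before exit.` and confirm that the live boot indeed runs without swap. Keeping `noexec,nosuid,nodev` on a world-writable scratch mount is the right call.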
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
if [[ -f /root/.cdi ]]; then if [[ -f /root/.cdi ]]; then
@@ -48,7 +48,7 @@ EOF
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
@@ -72,7 +72,7 @@ include /etc/logrotate.d
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
@@ -30,7 +30,7 @@ EOF
install -d -m 0755 /var/cache/apparmor install -d -m 0755 /var/cache/apparmor
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+24 -5
@@ -11,21 +11,40 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
export INITRD="No" export INITRD="No"
### Declare Arrays, HashMaps, and Variables. ### Declare Arrays, HashMaps, and Variables.
declare var_dropbear_version="2025.88" declare var_dropbear_env="/root/dropbear.env"
[[ -r "${var_dropbear_env}" ]] || {
printf "\e[91m❌ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2
exit 43
}
# shellcheck disable=SC1090
. "${var_dropbear_env}"
declare var_dropbear_version="${DROPBEAR_VERSION:?DROPBEAR_VERSION is not set}"
[[ "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]] || {
printf "\e[91m❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
exit 43
}
declare var_tar="/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2" declare var_tar="/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
declare var_build_dir="/root/build/dropbear-${var_dropbear_version}" declare var_build_dir="/root/build/dropbear-${var_dropbear_version}"
declare var_logfile="/root/.ciss/cdlb/log/0020_dropbear_build.log" declare var_logfile="/root/.ciss/cdlb/log/0020_dropbear_build.log"
mkdir -p "/root/build" mkdir -p "/root/build"
[[ -r "${var_tar}" ]] || {
printf "\e[91m❌ ERROR: Missing Dropbear tarball: [%s] \e[0m\n" "${var_tar}" >&2
exit 43
}
cp "${var_tar}" "/root/build" cp "${var_tar}" "/root/build"
tar xjf "/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2" -C "/root/build" tar xjf "${var_tar}" -C "/root/build"
cp "/root/dropbear/localoptions.h" "${var_build_dir}" cp "/root/dropbear/localoptions.h" "${var_build_dir}"
cd "${var_build_dir}" cd "${var_build_dir}"
@@ -67,7 +86,7 @@ if ! setsid bash -c '
' >| "${var_logfile}" 2>&1 ' >| "${var_logfile}" 2>&1
then then
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Dropbear build failed. See [%s] \e[0m\n" "${var_logfile}" >&2 printf "\e[91m❌ Dropbear build failed. See [%s] \e[0m\n" "${var_logfile}" >&2
tail -n 42 "${var_logfile}" >&2 || true tail -n 42 "${var_logfile}" >&2 || true
exit 42 exit 42
@@ -75,7 +94,7 @@ fi
rm -rf /root/dropbear rm -rf /root/dropbear
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
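Review bot: `. "${var_dropbear_env}"` executes the environment file as shell before the new version regex runs, so the validation only guards the value after arbitrary content in that file has already been sourced as root. Since the script needs a single assignment, read it instead of executing it: `var_dropbear_version="$(sed -n 's/^DROPBEAR_VERSION=//p' "${var_dropbear_env}" | head -n 1)"`, followed by the existing `^[0-9]{4}\.[0-9]+$` check, which then also rejects any quoting the generator might add unless it is stripped first. This hunk checks that the tarball exists but shows no checksum or signature verification of it; if that happens where the tarball is staged into `/root/dropbear`, a one-line comment here pointing to that step would help the next reviewer. The same env-loading block is repeated verbatim in the initramfs script.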
@@ -11,15 +11,30 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
### Declare Arrays, HashMaps, and Variables.
declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
export INITRD="No" export INITRD="No"
### Declare Arrays, HashMaps, and Variables.
declare var_dropbear_env="/root/dropbear.env"
[[ -r "${var_dropbear_env}" ]] || {
printf "\e[91m❌ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2
exit 43
}
# shellcheck disable=SC1090
. "${var_dropbear_env}"
declare var_dropbear_version="${DROPBEAR_VERSION:?DROPBEAR_VERSION is not set}"
[[ "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]] || {
printf "\e[91m❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
exit 43
}
declare var_dropbear_build_dir="/root/build/dropbear-${var_dropbear_version}"
declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"
apt-get install -y --no-install-recommends --no-install-suggests cryptsetup-initramfs dropbear-initramfs dropbear-bin 2>&1 | tee -a "${var_logfile}" apt-get install -y --no-install-recommends --no-install-suggests cryptsetup-initramfs dropbear-initramfs dropbear-bin 2>&1 | tee -a "${var_logfile}"
apt-get purge -y dropbear 2>&1 | tee -a "${var_logfile}" || true apt-get purge -y dropbear 2>&1 | tee -a "${var_logfile}" || true
apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a "${var_logfile}" apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a "${var_logfile}"
@@ -32,16 +47,18 @@ rm -f /root/dropbear.file
mkdir -p /root/.ciss/cdlb/backup/usr/sbin mkdir -p /root/.ciss/cdlb/backup/usr/sbin
mv /usr/sbin/dropbear /root/.ciss/cdlb/backup/usr/sbin/dropbear.trixie mv /usr/sbin/dropbear /root/.ciss/cdlb/backup/usr/sbin/dropbear.trixie
install -m 0755 -o root -g root /root/build/dropbear-2025.88/dropbear /usr/sbin/ install -m 0755 -o root -g root "${var_dropbear_build_dir}/dropbear" /usr/sbin/
mkdir -p /root/.ciss/cdlb/backup/usr/bin mkdir -p /root/.ciss/cdlb/backup/usr/bin
for var_file in dbclient dropbearconvert dropbearkey; do for var_file in dbclient dropbearconvert dropbearkey; do
mv "/usr/bin/${var_file}" "/root/.ciss/cdlb/backup/usr/bin/${var_file}.trixie" mv "/usr/bin/${var_file}" "/root/.ciss/cdlb/backup/usr/bin/${var_file}.trixie"
install -m 0755 -o root -g root "/root/build/dropbear-2025.88/${var_file}" /usr/bin/ install -m 0755 -o root -g root "${var_dropbear_build_dir}/${var_file}" /usr/bin/
done done
rm -f "${var_dropbear_env}"
mkdir -p /etc/initramfs-tools/scripts/init-bottom mkdir -p /etc/initramfs-tools/scripts/init-bottom
cat << 'EOF' >| /etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill cat << 'EOF' >| /etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill
@@ -126,7 +143,7 @@ EOF
systemctl mask dropbear.service dropbear.socket systemctl mask dropbear.service dropbear.socket
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
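Review bot: The Debian `dropbear` binary is moved out of `/usr/sbin` before the script has checked that `${var_dropbear_build_dir}/dropbear` exists; under `set -e` a missing or failed build artifact then aborts after the `mv`, leaving the chroot with no dropbear at all rather than the distro one. A guard before the backup step avoids that: `[[ -x "${var_dropbear_build_dir}/dropbear" ]] || { printf "\e[91m❌ ERROR: Missing Dropbear build: [%s] \e[0m\n" "${var_dropbear_build_dir}" >&2; exit 43; }`. The dbclient/dropbearconvert/dropbearkey loop has the same ordering. The env-loading block at the top of the hunk is a copy of the one in the build script; a shared helper sourced by both would keep the regex and exit code in one place.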
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
@@ -154,7 +154,7 @@ readonly -f write_dropbear_conf
dropbear_setup dropbear_setup
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cat << EOF >> /etc/ssh/ssh_config.d/10-sshfp.conf cat << EOF >> /etc/ssh/ssh_config.d/10-sshfp.conf
# SPDX-Version: 3.0 # SPDX-Version: 3.0
@@ -38,7 +38,7 @@ Host git.coresecret.dev
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+7 -7
@@ -11,13 +11,13 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
if [[ ! -f /root/.pwd ]]; then if [[ ! -f /root/.pwd ]]; then
printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ /root/.pwd NOT found. \e[0m\n" printf "\e[92m❌ /root/.pwd NOT found. \e[0m\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Exiting Hook ... \e[0m\n" printf "\e[92m❌ Exiting Hook ... \e[0m\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' done. Nothing changed. \e[0m\n" "${0}" printf "\e[92m✅ '%s' done. Nothing changed. \e[0m\n" "${0}"
exit 0 exit 0
fi fi
@@ -39,15 +39,15 @@ unset hashed_pwd safe_hashed_pwd
if shred -fzu -n 5 /root/.pwd; then if shred -fzu -n 5 /root/.pwd; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: shred -fzu -n 5 >> done. \e[0m\n" printf "\e[92m✅ Password file /root/.pwd: shred -fzu -n 5 >> done. \e[0m\n"
else else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: shred -fzu -n 5 >> NOT successful. \e[0m\n" >&2 printf "\e[91m❌ Password file /root/.pwd: shred -fzu -n 5 >> NOT successful. \e[0m\n" >&2
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
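Review bot: The recolored `❌ /root/.pwd NOT found.` line now uses `\e[92m`, the same green as the ✅ success lines, and still goes to stdout, so a missing root password file reads as success in the build log; keep it on the warning color and on stderr: `printf "\e[93m❌ /root/.pwd NOT found. \e[0m\n" >&2`. Separately, the shred success message below asserts the password file was overwritten, but shred cannot guarantee an overwrite on copy-on-write or overlay filesystems; if this hook runs inside the live-build chroot, that caveat belongs in a comment such as `# shred is best-effort here: the chroot may sit on a CoW filesystem; rely on the build tree being discarded.` The body of the hook between the two hunks is outside this view.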
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cat << 'EOF' >| /etc/default/keyboard cat << 'EOF' >| /etc/default/keyboard
XKBMODEL="pc105" XKBMODEL="pc105"
@@ -26,7 +26,7 @@ export DEBIAN_FRONTEND="noninteractive"
export INITRD="No" export INITRD="No"
dpkg-reconfigure -f noninteractive keyboard-configuration dpkg-reconfigure -f noninteractive keyboard-configuration
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
@@ -28,7 +28,7 @@ ExecStart=
ExecStart=/usr/sbin/jitterentropy-rngd --osr=2 ExecStart=/usr/sbin/jitterentropy-rngd --osr=2
EOF EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
mv /etc/hostname /root/.ciss/cdlb/backup/hostname.bak mv /etc/hostname /root/.ciss/cdlb/backup/hostname.bak
mv /etc/mailname /root/.ciss/cdlb/backup/mailname.bak mv /etc/mailname /root/.ciss/cdlb/backup/mailname.bak
@@ -26,7 +26,7 @@ localhost.local
EOF EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cd /root cd /root
if [[ -f /var/lib/dbus/machine-id ]]; then if [[ -f /var/lib/dbus/machine-id ]]; then
@@ -32,7 +32,7 @@ b08dfa6083e7567a1921a715000001fb
EOF EOF
chmod 644 /etc/machine-id chmod 644 /etc/machine-id
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cd /root cd /root
@@ -147,7 +147,7 @@ unzip /tmp/nerd/Hack.zip -d /root/.local/share/fonts
fc-cache -fv fc-cache -fv
rm -rf /tmp/nerd rm -rf /tmp/nerd
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list
@@ -463,7 +463,7 @@ upload-options=
#EOF #EOF
EOF_LYNIS EOF_LYNIS
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
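Review bot: The cisofy key is written to `/etc/apt/trusted.gpg.d/`, which apt trusts for every configured source, so the `signed-by=` on the sources line does not actually scope that key to the lynis repository. Storing it under `/etc/apt/keyrings/` and pointing `signed-by` there restores the scoping: `install -d -m 0755 /etc/apt/keyrings`, then `... | gpg --dearmor -o /etc/apt/keyrings/cisofy-software-public.gpg` and `signed-by=/etc/apt/keyrings/cisofy-software-public.gpg` in the sources line. The key itself is currently trusted only on the strength of the TLS connection; comparing its fingerprint (`gpg --show-keys`) against the value CISOfy publishes before installing it would close that gap. The lynis profile written between the two hunks is outside this view.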
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
mkdir -p /var/log/chrony mkdir -p /var/log/chrony
@@ -114,7 +114,7 @@ fi
chronyd -Q -f /etc/chrony/chrony.conf 2>&1 chronyd -Q -f /etc/chrony/chrony.conf 2>&1
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,12 +11,12 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cd /root/git cd /root/git
git clone https://github.com/a13xp0p0v/kernel-hardening-checker.git git clone https://github.com/a13xp0p0v/kernel-hardening-checker.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
mkdir -p /etc/systemd/system/ssh.service.d mkdir -p /etc/systemd/system/ssh.service.d
@@ -24,7 +24,7 @@ Wants=network-online.target
ExecStartPre=/bin/sleep 5 ExecStartPre=/bin/sleep 5
EOF EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,12 +11,12 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cd /root/git cd /root/git
git clone --depth 1 -b master https://github.com/major/MySQLTuner-perl.git git clone --depth 1 -b master https://github.com/major/MySQLTuner-perl.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,12 +11,12 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
chmod +x /usr/bin/yq chmod +x /usr/bin/yq
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
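Review bot: `wget .../releases/latest/download/yq_linux_amd64 -O /usr/bin/yq` installs an unpinned, unverified binary into the image: whatever GitHub serves as "latest" at build time becomes root-executable with no checksum or signature check, which contrasts with the cosign-verified SOPS install elsewhere in this commit. Pin the release tag and verify the download against the checksum file published with that release before `chmod +x`, or at minimum record the resolved version and SHA-256 in the build log so the image is reproducible. The architecture is also hard-coded to amd64 while other hooks derive it from `dpkg --print-architecture`.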
+2 -2
@@ -11,12 +11,12 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cd /root/git cd /root/git
git clone https://github.com/testssl/testssl.sh.git git clone https://github.com/testssl/testssl.sh.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
@@ -22,7 +22,7 @@ apt-get install -y nodejs
cd /root/git cd /root/git
git clone https://github.com/sefinek/UFW-AbuseIPDB-Reporter.git git clone https://github.com/sefinek/UFW-AbuseIPDB-Reporter.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,12 +11,12 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cd /root/git cd /root/git
git clone https://github.com/hardenedlinux/harbian-audit.git git clone https://github.com/hardenedlinux/harbian-audit.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,12 +11,12 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cd /root/git cd /root/git
git clone https://github.com/jtesta/ssh-audit.git git clone https://github.com/jtesta/ssh-audit.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,12 +11,12 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cd /root/git cd /root/git
git clone https://github.com/dnsviz/dnsviz.git git clone https://github.com/dnsviz/dnsviz.git
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+289 -29
@@ -11,47 +11,307 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
export INITRD="No" export INITRD="No"
SOPS_VER="v3.11.0" declare SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP="https://github.com/getsops"
ARCH="$(dpkg --print-architecture)" declare SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER="https://token.actions.githubusercontent.com"
case "${ARCH}" in
amd64) SOPS_FILE="sops-${SOPS_VER}.linux.amd64" ;;
arm64) SOPS_FILE="sops-${SOPS_VER}.linux.arm64" ;;
*) echo "Unsupported arch: ${ARCH}" >&2; exit 1 ;;
esac
cd /tmp #######################################
# Print a fatal error and abort the hook.
# Globals:
# None
# Arguments:
# 1: Message string
# Returns:
# None
#######################################
die() {
declare message="$1"
printf "\e[91m❌ ERROR: %s \e[0m\n" "${message}" >&2
exit 43
}
curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/${SOPS_FILE}" #######################################
curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.txt" # Require an executable tool.
curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.pem" # Globals:
curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.sig" # None
# Arguments:
# 1: Tool name
# Returns:
# 0: on success
#######################################
require_tool() {
declare tool_name="$1"
cosign verify-blob "sops-${SOPS_VER}.checksums.txt" \ command -v "${tool_name}" >/dev/null 2>&1 || die "Required tool not found: ${tool_name}"
--certificate "sops-${SOPS_VER}.checksums.pem" \
--signature "sops-${SOPS_VER}.checksums.sig" \
--certificate-identity-regexp="https://github.com/getsops" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com"
sha256sum -c "sops-${SOPS_VER}.checksums.txt" --ignore-missing return 0
}
install -m 0755 "${SOPS_FILE}" /usr/local/bin/sops #######################################
sops --version --check-for-updates >| /root/.ciss/cdlb/log/sops.log # Validate and normalize a SOPS semantic version.
age --version >| /root/.ciss/cdlb/log/age.log # Globals:
# None
# Arguments:
# 1: SOPS version string
# Outputs:
# Normalized bare semantic version
# Returns:
# 0: on success
#######################################
normalize_sops_version() {
declare sops_version="${1#v}"
rm -f "/tmp/${SOPS_FILE}" [[ "${sops_version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || \
rm -f "/tmp/sops-${SOPS_VER}.checksums.txt" die "Invalid SOPS version '${1}'. Expected '<MAJOR>.<MINOR>.<PATCH>' without prerelease metadata."
rm -f "/tmp/sops-${SOPS_VER}.checksums.pem"
rm -f "/tmp/sops-${SOPS_VER}.checksums.sig"
chmod 0400 /root/.config/sops/age/keys.txt printf '%s' "${sops_version}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" return 0
}
#######################################
# Download a mandatory release asset.
# Globals:
# None
# Arguments:
# 1: Asset URL
# 2: Target filename
# Returns:
# 0: on success
#######################################
download_required_asset() {
declare asset_url="$1"
declare target_file="$2"
if ! curl -fsSLo "${target_file}" "${asset_url}"; then
die "Failed to download required SOPS asset '${target_file}' from '${asset_url}'."
fi
[[ -s "${target_file}" ]] || die "Downloaded SOPS asset is empty: ${target_file}"
return 0
}
#######################################
# Download an optional release asset and distinguish absence from download errors.
# Globals:
# None
# Arguments:
# 1: Asset URL
# 2: Target filename
# Returns:
# 0: asset was downloaded
# 1: asset is absent upstream
#######################################
download_optional_asset() {
declare asset_url="$1"
declare target_file="$2"
declare http_code=""
if ! http_code=$(curl -sSLo "${target_file}" -w '%{http_code}' "${asset_url}"); then
rm -f -- "${target_file}"
die "Failed to query optional SOPS asset '${target_file}' from '${asset_url}'."
fi
case "${http_code}" in
200)
[[ -s "${target_file}" ]] || die "Optional SOPS asset is empty after HTTP 200: ${target_file}"
return 0
;;
404)
rm -f -- "${target_file}"
return 1
;;
*)
rm -f -- "${target_file}"
die "Unexpected HTTP status ${http_code} for optional SOPS asset '${target_file}' from '${asset_url}'."
;;
esac
}
#######################################
# Verify the SOPS checksums file with Cosign.
# Globals:
# SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP
# SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER
# Arguments:
# 1: Checksums filename
# 2: Bundle filename
# 3: Certificate filename
# 4: Signature filename
# Returns:
# 0: on success
#######################################
verify_sops_checksums_signature() {
declare checksums_file="$1"
declare bundle_file="$2"
declare certificate_file="$3"
declare signature_file="$4"
if [[ -f "${bundle_file}" ]]; then
printf "\e[95m[INFO] Verifying SOPS checksums with Cosign bundle: %s \e[0m\n" "${bundle_file}"
cosign verify-blob "${checksums_file}" \
--bundle "${bundle_file}" \
--certificate-identity-regexp="${SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP}" \
--certificate-oidc-issuer="${SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER}" || \
die "SOPS checksum signature verification failed in bundle mode for '${checksums_file}' using '${bundle_file}'."
return 0
fi
if [[ -f "${certificate_file}" && -f "${signature_file}" ]]; then
printf "\e[95m[INFO] Verifying SOPS checksums with Cosign split certificate/signature: %s %s \e[0m\n" "${certificate_file}" "${signature_file}"
cosign verify-blob "${checksums_file}" \
--certificate "${certificate_file}" \
--signature "${signature_file}" \
--certificate-identity-regexp="${SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP}" \
--certificate-oidc-issuer="${SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER}" || \
die "SOPS checksum signature verification failed in legacy split mode for '${checksums_file}' using '${certificate_file}' and '${signature_file}'."
return 0
fi
if [[ -f "${certificate_file}" || -f "${signature_file}" ]]; then
die "Incomplete legacy SOPS signature layout for '${checksums_file}'. Expected both '${certificate_file}' and '${signature_file}'."
fi
die "No supported SOPS checksum signature layout found for '${checksums_file}'. Expected bundle or split certificate/signature assets."
}
#######################################
# Verify the SOPS artifact checksum and ensure the expected artifact was covered.
# Globals:
# None
# Arguments:
# 1: Checksums filename
# 2: Artifact filename
# Returns:
# 0: on success
#######################################
verify_sops_artifact_checksum() {
declare checksums_file="$1"
declare artifact_file="$2"
declare checksum_output=""
if ! checksum_output=$(sha256sum -c "${checksums_file}" --ignore-missing 2>&1); then
printf '%s\n' "${checksum_output}" >&2
die "SOPS artifact checksum verification failed for '${artifact_file}' using '${checksums_file}'."
fi
printf '%s\n' "${checksum_output}"
if ! grep -Fxq "${artifact_file}: OK" <<< "${checksum_output}" && \
! grep -Fxq "./${artifact_file}: OK" <<< "${checksum_output}"; then
die "SOPS checksum verification did not cover expected artifact '${artifact_file}' from '${checksums_file}'."
fi
return 0
}
#######################################
# Install SOPS from an upstream GitHub release after signature and checksum verification.
# Globals:
# CISS_SOPS_VERSION
# Arguments:
# None
# Returns:
# 0: on success
#######################################
main() {
require_tool curl
require_tool cosign
require_tool sha256sum
declare sops_env="/root/sops.env"
[[ -r "${sops_env}" ]] || die "Missing SOPS environment file: ${sops_env}"
# shellcheck disable=SC1090
. "${sops_env}"
declare ciss_sops_version
ciss_sops_version=$(normalize_sops_version "${CISS_SOPS_VERSION:?CISS_SOPS_VERSION is not set}")
declare architecture
architecture="$(dpkg --print-architecture)"
declare sops_tag="v${ciss_sops_version}"
declare sops_file=""
case "${architecture}" in
amd64)
sops_file="sops-${sops_tag}.linux.amd64"
;;
arm64)
sops_file="sops-${sops_tag}.linux.arm64"
;;
*)
die "Unsupported architecture '${architecture}' for SOPS version '${ciss_sops_version}'. Expected amd64 or arm64."
;;
esac
declare release_base_url="https://github.com/getsops/sops/releases/download/${sops_tag}"
declare checksums_file="sops-${sops_tag}.checksums.txt"
declare bundle_file="sops-${sops_tag}.checksums.sigstore.json"
declare certificate_file="sops-${sops_tag}.checksums.pem"
declare signature_file="sops-${sops_tag}.checksums.sig"
declare bundle_available="false"
declare certificate_available="false"
declare signature_available="false"
cd /tmp
printf "\e[95m[INFO] Downloading SOPS %s asset: %s \e[0m\n" "${ciss_sops_version}" "${sops_file}"
download_required_asset "${release_base_url}/${sops_file}" "${sops_file}"
download_required_asset "${release_base_url}/${checksums_file}" "${checksums_file}"
# shellcheck disable=SC2310
if download_optional_asset "${release_base_url}/${bundle_file}" "${bundle_file}"; then
bundle_available="true"
fi
if [[ "${bundle_available}" == "false" ]]; then
# shellcheck disable=SC2310
if download_optional_asset "${release_base_url}/${certificate_file}" "${certificate_file}"; then
certificate_available="true"
fi
# shellcheck disable=SC2310
if download_optional_asset "${release_base_url}/${signature_file}" "${signature_file}"; then
signature_available="true"
fi
if [[ "${certificate_available}" != "${signature_available}" ]]; then
die "Incomplete legacy SOPS signature assets for version '${ciss_sops_version}'. Expected both '${certificate_file}' and '${signature_file}'."
fi
fi
verify_sops_checksums_signature "${checksums_file}" "${bundle_file}" "${certificate_file}" "${signature_file}"
verify_sops_artifact_checksum "${checksums_file}" "${sops_file}"
install -m 0755 "${sops_file}" /usr/local/bin/sops
sops --version >| /root/.ciss/cdlb/log/sops.log
age --version >| /root/.ciss/cdlb/log/age.log
rm -f -- "/tmp/${sops_file}"
rm -f -- "/tmp/${checksums_file}"
rm -f -- "/tmp/${bundle_file}"
rm -f -- "/tmp/${certificate_file}"
rm -f -- "/tmp/${signature_file}"
if [[ -f /root/.config/sops/age/keys.txt ]]; then
chmod 0400 /root/.config/sops/age/keys.txt
fi
printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
return 0
}
if [[ "${CISS_SOPS_TEST_MODE:-false}" != "true" ]]; then
main "$@"
exit 0
fi
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
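Review bot: `declare SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP="https://github.com/getsops"` is an unanchored pattern with an unescaped dot, so both `cosign verify-blob` calls in `verify_sops_checksums_signature` accept any Fulcio identity that merely contains that substring, including other repositories or a differently named organization sharing the prefix; anchor it to the repository at least, `declare SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP='^https://github\.com/getsops/sops/'`, and pin the full release-workflow path if it is known. Separately, if `CISS_SOPS_TEST_MODE=true` is meant to let a harness source this file, the unconditional `exit 0` after the guard terminates the sourcing shell before any function can be exercised (and `set -Ceuo pipefail` has already been applied to it); `return 0 2>/dev/null || exit 0` keeps both modes working. The `rm -f --` lines in `main` only run on the success path, so any `die` after the downloads leaves the assets in /tmp; one `trap "rm -f -- /tmp/${sops_file} /tmp/${checksums_file} /tmp/${bundle_file} /tmp/${certificate_file} /tmp/${signature_file}" EXIT` installed right after `cd /tmp` (double-quoted so main's locals expand at installation) covers every exit. A one-line comment on `normalize_sops_version` noting that its `die` fires inside the `$(...)` in `main` and aborts only through `set -e` on the failed assignment would save the next reader a trace.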
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
@@ -21,7 +21,7 @@ wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O
yq --version yq --version
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
umask 0077 umask 0077
@@ -31,7 +31,7 @@ apt-get purge -y texinfo
apt-get autoremove --purge -y apt-get autoremove --purge -y
apt-get autoclean -y apt-get autoclean -y
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+5 -3
@@ -11,10 +11,11 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
declare -r UFW_OUT_POLICY="deny" declare -r UFW_OUT_POLICY="deny"
declare -r SSHPORT="SSHPORT_MUST_BE_SET" declare -r SSHPORT="SSHPORT_MUST_BE_SET"
# PRIMORDIAL_SSH_PORT_DECLARATION_MUST_BE_SET
ufw --force reset ufw --force reset
@@ -44,7 +45,8 @@ if [[ ${UFW_OUT_POLICY,,} == "deny" ]]; then
ufw allow out 853/tcp comment 'Outgoing DoT' ufw allow out 853/tcp comment 'Outgoing DoT'
ufw allow out 993/tcp comment 'Outgoing IMAPS' ufw allow out 993/tcp comment 'Outgoing IMAPS'
ufw allow out 4460/tcp comment 'Outgoing NTS' ufw allow out 4460/tcp comment 'Outgoing NTS'
ufw allow out "${SSHPORT}"/tcp comment 'Outgoing SSH (Custom-Port)' ufw allow out "${SSHPORT}"/tcp comment 'Outgoing SSH Custom-Port'
# PRIMORDIAL_SSH_RULE_MUST_BE_SET
ufw allow out 53/udp comment 'Outgoing DNS' ufw allow out 53/udp comment 'Outgoing DNS'
ufw allow out 123/udp comment 'Outgoing NTP' ufw allow out 123/udp comment 'Outgoing NTP'
ufw allow out 443/udp comment 'Outgoing QUIC' ufw allow out 443/udp comment 'Outgoing QUIC'
@@ -61,7 +63,7 @@ sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type
sed -i 's/^ENABLED=no/ENABLED=yes/' /etc/ufw/ufw.conf sed -i 's/^ENABLED=no/ENABLED=yes/' /etc/ufw/ufw.conf
ln -sf /lib/systemd/system/ufw.service /etc/systemd/system/multi-user.target.wants/ufw.service ln -sf /lib/systemd/system/ufw.service /etc/systemd/system/multi-user.target.wants/ufw.service
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
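Review bot: The new `# PRIMORDIAL_SSH_PORT_DECLARATION_MUST_BE_SET` and `# PRIMORDIAL_SSH_RULE_MUST_BE_SET` markers, like the existing `SSHPORT="SSHPORT_MUST_BE_SET"`, are presumably substituted by a generator, but nothing in the hook checks that the substitution happened before `ufw --force reset` runs; if it did not, `ufw allow out "${SSHPORT}"/tcp` fails under `set -e` after the reset has already disabled the firewall and before `ENABLED=yes` is written, leaving the host with no ruleset. A guard ahead of the reset closes that fail-open path: `[[ "${SSHPORT}" =~ ^[0-9]+$ ]] || { printf "\e[91m❌ SSHPORT placeholder was not substituted. \e[0m\n" >&2; exit 42; }`. The rest of the rule set lives outside the hunks shown here.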
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
@@ -26,15 +26,15 @@ fi
if ln -s /lib/systemd/system/acct.service /etc/systemd/system/multi-user.target.wants/acct.service; then if ln -s /lib/systemd/system/acct.service /etc/systemd/system/multi-user.target.wants/acct.service; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'Process Accounting' enabled successful. \e[0m\n" printf "\e[92m✅ 'Process Accounting' enabled successful. \e[0m\n"
else else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'Process Accounting' already enabled. \e[0m\n" >&2 printf "\e[91m❌ 'Process Accounting' already enabled. \e[0m\n" >&2
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
mkdir -p /root/.ciss/cdlb/backup/update-motd.d mkdir -p /root/.ciss/cdlb/backup/update-motd.d
cp -af /etc/update-motd.d/* /root/.ciss/cdlb/backup/update-motd.d cp -af /etc/update-motd.d/* /root/.ciss/cdlb/backup/update-motd.d
@@ -23,7 +23,7 @@ EOF
chmod 0755 /etc/update-motd.d/10-uname chmod 0755 /etc/update-motd.d/10-uname
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
declare -a search_dirs=("/etc/ssl/certs" "/usr/local/share/ca-certificates" "/usr/share/ca-certificates" "/etc/letsencrypt") declare -a search_dirs=("/etc/ssl/certs" "/usr/local/share/ca-certificates" "/usr/share/ca-certificates" "/etc/letsencrypt")
declare backup_dir="/root/.ciss/cdlb/backup/certificates" declare backup_dir="/root/.ciss/cdlb/backup/certificates"
@@ -29,7 +29,7 @@ declare -ax expired_certificates=()
# None # None
####################################### #######################################
create_backup() { create_backup() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Backup Certificate: '%s' ... \e[0m\n" "${backup_dir}" printf "\e[95m🧪 Backup Certificate: '%s' ... \e[0m\n" "${backup_dir}"
mkdir -p "${backup_dir}" mkdir -p "${backup_dir}"
declare dir="" declare dir=""
@@ -44,7 +44,7 @@ create_backup() {
done done
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Backup Certificate: '%s' done.\e[0m\n" "${backup_dir}" printf "\e[92m✅ Backup Certificate: '%s' done.\e[0m\n" "${backup_dir}"
} }
####################################### #######################################
@@ -104,7 +104,7 @@ delete_expired_from_all_bundles() {
if [[ -f ${bundle} ]]; then if [[ -f ${bundle} ]]; then
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Checking Root-CA Bundle: '%s' ...\e[0m\n" "${bundle}" printf "\e[95m🧪 Checking Root-CA Bundle: '%s' ...\e[0m\n" "${bundle}"
declare tmp_bundle="${bundle}.tmp" declare tmp_bundle="${bundle}.tmp"
declare -a block=() declare -a block=()
declare expired=0 declare expired=0
@@ -149,7 +149,7 @@ delete_expired_from_all_bundles() {
else else
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Certificate deleted: '%s' (Expired: %s)\e[0m\n" "${bundle}" "${enddate}" printf "\e[92m✅ Certificate deleted: '%s' (Expired: %s)\e[0m\n" "${bundle}" "${enddate}"
fi fi
@@ -161,29 +161,29 @@ delete_expired_from_all_bundles() {
mv -f "${tmp_bundle}" "${bundle}" mv -f "${tmp_bundle}" "${bundle}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Checking Root-CA Bundle: '%s' done. \e[0m\n" "${bundle}" printf "\e[92m✅ Checking Root-CA Bundle: '%s' done. \e[0m\n" "${bundle}"
fi fi
done done
} }
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Check certificates in: '%s'.\e[0m\n" "${search_dirs[*]}" printf "\e[95m🧪 Check certificates in: '%s'.\e[0m\n" "${search_dirs[*]}"
create_backup create_backup
delete_expired_from_all_bundles delete_expired_from_all_bundles
check_certificates check_certificates
if [[ ${#expired_certificates[@]} -eq 0 ]]; then if [[ ${#expired_certificates[@]} -eq 0 ]]; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No expired certificates found.\e[0m\n" printf "\e[92m✅ No expired certificates found.\e[0m\n"
else else
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Expired certificates found:\e[0m\n" printf "\e[95m🧪 Expired certificates found:\e[0m\n"
for exp_cert in "${expired_certificates[@]}"; do for exp_cert in "${expired_certificates[@]}"; do
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ '%s'. \e[0m\n" "${exp_cert}" printf "\e[92m'%s'. \e[0m\n" "${exp_cert}"
done done
@@ -191,7 +191,7 @@ else
rm -f "${exp_cert}" rm -f "${exp_cert}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Certificate deleted: '%s'.\e[0m\n" "${exp_cert}" printf "\e[92m✅ Certificate deleted: '%s'.\e[0m\n" "${exp_cert}"
basename=$(basename "${exp_cert}") basename=$(basename "${exp_cert}")
mozilla_entry="mozilla/${basename%.pem}.crt" mozilla_entry="mozilla/${basename%.pem}.crt"
mozilla_entry="${mozilla_entry%.crt}.crt" mozilla_entry="${mozilla_entry%.crt}.crt"
@@ -200,19 +200,19 @@ else
if grep -Fxq "${mozilla_entry}" "${ca_conf}"; then if grep -Fxq "${mozilla_entry}" "${ca_conf}"; then
sed -i "s|^${mozilla_entry}$|#${mozilla_entry}|" "${ca_conf}" sed -i "s|^${mozilla_entry}$|#${mozilla_entry}|" "${ca_conf}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Entry in ca-certificates.conf deselected: '#%s'.\e[0m\n" "${mozilla_entry}" printf "\e[92m✅ Entry in ca-certificates.conf deselected: '#%s'.\e[0m\n" "${mozilla_entry}"
fi fi
done done
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache ... \e[0m\n" printf "\e[95m✅ Updating the certificate cache ... \e[0m\n"
update-ca-certificates --fresh update-ca-certificates --fresh
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache done.\e[0m\n" printf "\e[92m✅ Updating the certificate cache done.\e[0m\n"
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
declare _key="" declare _key=""
cd /etc/ssh cd /etc/ssh
@@ -115,7 +115,7 @@ fi
/usr/sbin/sshd -t || exit 42 /usr/sbin/sshd -t || exit 42
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+14 -23
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
mkdir -p /root/.ciss/cdlb/backup/etc/ssl mkdir -p /root/.ciss/cdlb/backup/etc/ssl
@@ -122,7 +122,7 @@ x509_extensions = usr_cert # The extensions to add to the cert
name_opt = ca_default # Subject Name options name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution. # Extension copying option: use it with caution.
# copy_extensions = copy # copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
@@ -232,7 +232,7 @@ basicConstraints=CA:FALSE
# This is typical in keyUsage for a client certificate. # This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# PKIX recommendations harmless if included in all certificates. # PKIX recommendations are harmless if included in all certificates.
subjectKeyIdentifier=hash subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer authorityKeyIdentifier=keyid,issuer
@@ -282,7 +282,7 @@ basicConstraints = critical,CA:true
# DER hex encoding of an extension: beware experts only! # DER hex encoding of an extension: beware experts only!
# obj=DER:02:03 # obj=DER:02:03
# Where 'obj' is a standard or added object # Where 'obj' is a standard or added object.
# You can even override a supported extension: # You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF # basicConstraints= critical, DER:30:03:01:01:FF
@@ -305,7 +305,7 @@ basicConstraints=CA:FALSE
# This is typical in keyUsage for a client certificate. # This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# PKIX recommendations harmless if included in all certificates. # PKIX recommendations are harmless if included in all certificates.
subjectKeyIdentifier=hash subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer authorityKeyIdentifier=keyid,issuer
@@ -418,37 +418,28 @@ ssl_conf = ssl_sect
system_default = system_default_sect system_default = system_default_sect
[system_default_sect] [system_default_sect]
# Protocol floor / ceiling:
# - only TLS 1.2 and 1.3.
# - TLS 1.3 is FS by design;
# - TLS 1.2 FS enforced via the cipher list.
MinProtocol = TLSv1.2 MinProtocol = TLSv1.2
MaxProtocol = TLSv1.3 MaxProtocol = TLSv1.3
# TLS 1.2 cipher policy: # TLS 1.2: FS only, AEAD only, no AES128, no static RSA negotiation, no DHE negotiation.
# - Forward secrecy only: ECDHE or DHE (no static RSA kx); CipherString = ECDHE+AES256-GCM:ECDHE+CHACHA20:!AES128:!kRSA:!DHE:!PSK:!SRP:!aNULL:!eNULL:@SECLEVEL=2
# - AES-256 *GCM* only (no DHE (dheatattack), no AES-128, no CBC);
# - Keep distro default SECLEVEL=2 explicitly.
CipherString = ECDHE+AES256-GCM:ECDHE+CHACHA20:ECDHE+ARIA256-GCM:ECDHE+CAMELLIA256-GCM:!kRSA:!PSK:!SRP:!aNULL:!eNULL:@SECLEVEL=2
# TLS 1.3 cipher policy: AES-256 and ChaCha20-Poly1305 only: # TLS 1.3: only AES-256-GCM and ChaCha20-Poly1305.
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
# Prefer strong, widely supported ECDHE groups (first = most preferred): # Preferred ECDHE groups.
Groups = X448:P-521:P-384 Groups = X448:P-521:P-384
SignatureAlgorithms = rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256 # Flags: Tickets off, servers order, renegotiation off.
# Operational flags:
# -SessionTicket : disable TLS session tickets (TLS 1.2 + 1.3)
# ServerPreference: honor server cipher order (TLS 1.2)
# NoRenegotiation : disallow TLS 1.2 renegotiation
Options = -SessionTicket,ServerPreference,NoRenegotiation Options = -SessionTicket,ServerPreference,NoRenegotiation
# Permitted signature algorithms.
SignatureAlgorithms = ecdsa_secp521r1_sha512:ecdsa_secp384r1_sha384:ed448:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
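Review bot: The new `SignatureAlgorithms = ecdsa_secp521r1_sha512:ecdsa_secp384r1_sha384:ed448:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256` omits `ecdsa_secp256r1_sha256` and `ed25519`, and because this is `[system_default_sect]` it applies to every OpenSSL consumer on the host; a peer whose only certificate is P-256 ECDSA then has no permitted CertificateVerify algorithm in TLS 1.3 and the handshake fails, which may be intended but deserves a comment. If interoperability with such peers is needed, appending `ecdsa_secp256r1_sha256` keeps the policy otherwise unchanged; if the exclusion is deliberate, say so next to the line, e.g. `# P-256 and Ed25519 deliberately excluded: only >=384-bit curves are accepted.`. In the new `CipherString`, `!AES128` and `!DHE` are redundant given the positive list is only `ECDHE+AES256-GCM:ECDHE+CHACHA20`; harmless, but the comment "no AES128, no DHE negotiation" would be clearer as "explicit exclusions, already implied by the allow-list". The heredoc that writes this configuration starts outside the hunk.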
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cp -u /etc/security/limits.conf /root/.ciss/cdlb/backup/limits.conf.bak cp -u /etc/security/limits.conf /root/.ciss/cdlb/backup/limits.conf.bak
chmod 0644 /root/.ciss/cdlb/backup/limits.conf.bak chmod 0644 /root/.ciss/cdlb/backup/limits.conf.bak
@@ -82,7 +82,7 @@ KeepFree=0
EOF EOF
chmod 0644 /etc/systemd/coredump.conf.d/9999-ciss-coredump-disable.conf chmod 0644 /etc/systemd/coredump.conf.d/9999-ciss-coredump-disable.conf
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cd /root cd /root
@@ -235,7 +235,7 @@ EOF
touch /var/log/fail2ban/fail2ban.log touch /var/log/fail2ban/fail2ban.log
chmod 0640 /var/log/fail2ban/fail2ban.log chmod 0640 /var/log/fail2ban/fail2ban.log
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
########################################################################################### ###########################################################################################
# Remarks: Turn off Energy saving mode and ctrl-alt-del # # Remarks: Turn off Energy saving mode and ctrl-alt-del #
@@ -23,7 +23,7 @@ done
unset target unset target
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
@@ -33,7 +33,7 @@ if [[ -d /etc/exim4 ]]; then
rm -rf /etc/exim4 rm -rf /etc/exim4
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
@@ -41,7 +41,7 @@ cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/cdlb/backup/usbguard-daemon
rm -f /tmp/rules.conf rm -f /tmp/rules.conf
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+6 -6
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
@@ -29,7 +29,7 @@ dpkg --get-selections | grep deinstall >| /tmp/deinstall.log || true
if [[ -s /tmp/deinstall.log ]]; then if [[ -s /tmp/deinstall.log ]]; then
printf "\n" printf "\n"
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Packages to purge ... \e[0m\n" printf "\e[95m🧪 Packages to purge ... \e[0m\n"
sed -i 's!deinstall!!' /tmp/deinstall.log sed -i 's!deinstall!!' /tmp/deinstall.log
while IFS= read -r line; do while IFS= read -r line; do
@@ -37,16 +37,16 @@ if [[ -s /tmp/deinstall.log ]]; then
declare trimmed_string declare trimmed_string
trimmed_string=$(echo "${line}" | awk '{$1=$1};1') trimmed_string=$(echo "${line}" | awk '{$1=$1};1')
echo "y" | apt-get purge "${trimmed_string}" echo "y" | apt-get purge "${trimmed_string}"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Package '%s' purged. \e[0m\n" "${trimmed_string}" printf "\e[92m✅ Package '%s' purged. \e[0m\n" "${trimmed_string}"
done < /tmp/deinstall.log done < /tmp/deinstall.log
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Packages to purge done. \e[0m\n" printf "\e[92m✅ Packages to purge done. \e[0m\n"
else else
printf "\n" printf "\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Packages to purge, proceeding with clean up. \e[0m\n" printf "\e[92m✅ No Packages to purge, proceeding with clean up. \e[0m\n"
fi fi
@@ -60,7 +60,7 @@ apt-get autopurge -y
updatedb updatedb
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
chmod 0644 /etc/banner chmod 0644 /etc/banner
chmod 0644 /etc/issue chmod 0644 /etc/issue
@@ -26,8 +26,8 @@ fi
touch /etc/motd touch /etc/motd
cat << EOF >| /etc/motd cat << EOF >| /etc/motd
(c) Marc S. Weidner, 2018 - 2025 (c) Marc S. Weidner, 2018 - 2026
(p) Centurion Press, 2018 - 2025 (p) Centurion Press, 2018 - 2026
Centurion Intelligence Consulting Agency (tm) Centurion Intelligence Consulting Agency (tm)
https://coresecret.eu/ https://coresecret.eu/
Please consider making a donation: Please consider making a donation:
@@ -109,7 +109,7 @@ find /root -xdev -exec chown -h root:root {} +
rm -f /etc/tmpfiles.d/legacy.conf rm -f /etc/tmpfiles.d/legacy.conf
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -10,6 +10,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
####################################### #######################################
# Iterates all '/etc/shadow' entries and sets: # Iterates all '/etc/shadow' entries and sets:
# 4=min age=0, 5=max age=16384, 6=warn=128, 7=inactive=42, 8=expire=17.09.2102 # 4=min age=0, 5=max age=16384, 6=warn=128, 7=inactive=42, 8=expire=17.09.2102
@@ -92,12 +93,12 @@ update_shadow() {
# shellcheck disable=SC2034 # shellcheck disable=SC2034
readonly -f update_shadow readonly -f update_shadow
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
if ! command -v chage &>/dev/null; then if ! command -v chage &>/dev/null; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Info: 'chage' NOT found. Exiting hook ... \e[0m\n" printf "\e[92m✅ Info: 'chage' NOT found. Exiting hook ... \e[0m\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
@@ -111,8 +112,8 @@ mapfile -t users_to_update < <(
if [[ ${#users_to_update[@]} -eq 0 ]]; then if [[ ${#users_to_update[@]} -eq 0 ]]; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No enabled-login accounts found in /etc/shadow. Exiting hook ... \e[0m\n" printf "\e[92m✅ No enabled-login accounts found in /etc/shadow. Exiting hook ... \e[0m\n"
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
@@ -120,7 +121,7 @@ fi
declare user declare user
for user in "${users_to_update[@]}"; do for user in "${users_to_update[@]}"; do
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Setting max password age for user '%s' to '%s' days. \e[0m\n" "${user}" "${max_days}" printf "\e[92m✅ Setting max password age for user '%s' to '%s' days. \e[0m\n" "${user}" "${max_days}"
chage --maxdays "${max_days}" "${user}" chage --maxdays "${max_days}" "${user}"
done done
@@ -128,11 +129,11 @@ unset max_days user users_to_update
awk -F: '$2 !~ /^\$[0-9]/ && length($2)==13 { print $1,$2 }' /etc/shadow awk -F: '$2 !~ /^\$[0-9]/ && length($2)==13 { print $1,$2 }' /etc/shadow
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ All applicable accounts have been updated. \e[0m\n" printf "\e[92m✅ All applicable accounts have been updated. \e[0m\n"
update_shadow update_shadow
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+4 -4
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
@@ -23,15 +23,15 @@ sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf
if aideinit > /dev/null 2>&1; then if aideinit > /dev/null 2>&1; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'aideinit' successful. \e[0m\n" printf "\e[92m✅ 'aideinit' successful. \e[0m\n"
else else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'aideinit' NOT successful. \e[0m\n" >&2 printf "\e[91m❌ 'aideinit' NOT successful. \e[0m\n" >&2
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -15,7 +15,7 @@
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare -r VAR_DATE="$(date +%F)" declare -r VAR_DATE="$(date +%F)"
@@ -130,7 +130,7 @@ local_users_only
EOF EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+2 -2
@@ -11,11 +11,11 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
sed -i 's#^\(ENABLED=\).*#\1"true"#' /etc/default/sysstat sed -i 's#^\(ENABLED=\).*#\1"true"#' /etc/default/sysstat
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+4 -4
@@ -21,7 +21,7 @@ set -Ceuo pipefail
####################################### #######################################
log() { printf '[auditd-build] %s\n' "${*}" >&2; } log() { printf '[auditd-build] %s\n' "${*}" >&2; }
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cd /root cd /root
@@ -42,13 +42,13 @@ cat << EOF >| /etc/audit/rules.d/00-base-config.rules
## Increase the buffers to survive stress events. ## Increase the buffers to survive stress events.
## Make this bigger for busy systems. ## Make this bigger for busy systems.
-b 16384 -b 262144
## Rate Limit. Cap kernel->userspace message rate (0 = unlimited). ## Rate Limit. Cap kernel->userspace message rate (0 = unlimited).
-r 200 -r 200
## This determine how long to wait in burst of events. How long to wait in bursts (us). ## This determine how long to wait in burst of events. How long to wait in bursts (us).
--backlog_wait_time 1024 --backlog_wait_time 16384
## Set failure mode to syslog. ## Set failure mode to syslog.
-f 1 -f 1
@@ -374,7 +374,7 @@ ExecStart=/usr/sbin/augenrules --load
EOF EOF
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
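Review bot: The raised `--backlog_wait_time 16384` sits under a comment that still says the unit is microseconds, whereas auditctl(8) bounds this value relative to the kernel default of 60*HZ, i.e. as far as I can tell it is counted in kernel ticks (jiffies), so 16384 is on the order of a minute on an HZ=250 kernel rather than 16 ms. The comment above the rewritten line should state the actual unit and the reason for the new value, e.g. `## Wait time when the backlog is full, in kernel ticks (jiffies, default 60*HZ); raised so bursts block rather than drop.` The sixteen-fold increase of `-b 262144` pins that many queued records in kernel memory under stress with `-f 1` still only logging on failure; a one-line note on the memory cost for low-RAM live systems would help the next maintainer, and the rest of this rules heredoc lies outside the hunk.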
+4 -4
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
cd /root cd /root
@@ -26,16 +26,16 @@ sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums
if debsums -g > /dev/null 2>&1; then if debsums -g > /dev/null 2>&1; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'debsums -g' successful. \e[0m\n" printf "\e[92m✅ 'debsums -g' successful. \e[0m\n"
else else
# Omit false negative error output to stdout and stderr, as no problematic errors occur on startup. # Omit false negative error output to stdout and stderr, as no problematic errors occur on startup.
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'debsums -g' NOT successful. \e[0m\n" > /dev/null 2>&1 printf "\e[91m❌ 'debsums -g' NOT successful. \e[0m\n" > /dev/null 2>&1
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
export DEBIAN_FRONTEND="noninteractive" export DEBIAN_FRONTEND="noninteractive"
@@ -130,7 +130,7 @@ apt-get dist-upgrade -y # (= apt full-upgrade) allow installs/replacement
apt-get autoremove --purge -y # 'autopurge' == 'autoremove --purge'. apt-get autoremove --purge -y # 'autopurge' == 'autoremove --purge'.
apt-get clean -y # Stronger than autoclean: removes the entire '.deb'-cache. apt-get clean -y # Stronger than autoclean: removes the entire '.deb'-cache.
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
+4 -4
@@ -11,7 +11,7 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
### Declare Arrays, HashMaps, and Variables. ### Declare Arrays, HashMaps, and Variables.
declare -ar ary_logrotate=( declare -ar ary_logrotate=(
@@ -53,15 +53,15 @@ done
if ! logrotate -d /etc/logrotate.conf; then if ! logrotate -d /etc/logrotate.conf; then
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'logrotate -d /etc/logrotate.conf' failed. \e[0m\n" printf "\e[91m✅ 'logrotate -d /etc/logrotate.conf' failed. \e[0m\n"
else else
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'logrotate -d /etc/logrotate.conf' successful. \e[0m\n" printf "\e[92m✅ 'logrotate -d /etc/logrotate.conf' successful. \e[0m\n"
fi fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
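Review bot: The rewritten failure line `printf "\e[91m✅ 'logrotate -d /etc/logrotate.conf' failed. \e[0m\n"` still pairs the red colour with the ✅ marker and writes to stdout, unlike the failure lines in the sibling hooks in this commit, which use ❌ and `>&2`. Since the line is touched anyway, make it `printf "\e[91m❌ 'logrotate -d /etc/logrotate.conf' failed. \e[0m\n" >&2`. The hook then still prints "applied successfully" and exits 0 after a failed dry run; if that is intentional, a short comment on the `if` saying the dry-run result is advisory would save the next reader a question.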
+6 -2
@@ -11,7 +11,11 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # Final live-build chroot cleanup hook. Removes transient build artifacts, tightens permissions on CISS root/key material,
# regenerates initramfs images, prepares systemd-resolved DNS configuration, and forces the live system to boot into
# multi-user.target by masking common display managers.
printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
declare var_dm="" var_unit_dir="" var_link="/etc/systemd/system/default.target" declare var_dm="" var_unit_dir="" var_link="/etc/systemd/system/default.target"
@@ -92,7 +96,7 @@ for var_dm in "${ary_dm_units[@]}"; do
done done
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,11 @@
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" # Final live-build binary hook for encrypted root filesystem packaging. Preallocate a LUKS2 container, formats it with the
# generated build secret, copies the generated filesystem.squashfs into the opened encrypted mapping, then closes the container,
# shreds the temporary LUKS secret, and removes the plaintext SquashFS from the ISO payload.
printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
__umask=$(umask) __umask=$(umask)
umask 0077 umask 0077
@@ -34,23 +38,23 @@ preallocate() {
if fallocate -l "${size}" -- "${file}" 2>/dev/null; then if fallocate -l "${size}" -- "${file}" 2>/dev/null; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ [fallocate -l %s -- %s] successful. \e[0m\n" "${size}" "${file}" printf "\e[92m✅ [fallocate -l %s -- %s] successful. \e[0m\n" "${size}" "${file}"
return 0 return 0
else else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ [fallocate -l %s -- %s] NOT successful. \e[0m\n" "${size}" "${file}" printf "\e[91m❌ [fallocate -l %s -- %s] NOT successful. \e[0m\n" "${size}" "${file}"
fi fi
if dd if=/dev/zero of="${file}" bs="${blocksize}" count="${blockcounter}" status=progress conv=fsync; then if dd if=/dev/zero of="${file}" bs="${blocksize}" count="${blockcounter}" status=progress conv=fsync; then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}" printf "\e[92m✅ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
return 0 return 0
else else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] NOT successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}" printf "\e[91m❌ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] NOT successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
return 42 return 42
fi fi
@@ -62,6 +66,49 @@ readonly -f preallocate
declare ROOTFS="${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs" declare ROOTFS="${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs"
declare LUKSFS="${VAR_HANDLER_BUILD_DIR}/binary/live/ciss_rootfs.crypt" declare LUKSFS="${VAR_HANDLER_BUILD_DIR}/binary/live/ciss_rootfs.crypt"
declare KEYFD="" declare KEYFD=""
declare LUKS_KEY_FILE=""
declare LUKS_KEY_FILENAME="${VAR_LUKS_KEY:-luks.txt}"
declare LUKS_KEY_LINK_COUNT=""
declare LUKS_KEY_MODE=""
declare LUKS_KEY_OWNER=""
declare SECRET_ROOT_FS=""
declare SECRET_ROOT_MODE=""
declare SECRET_ROOT_OWNER=""
if [[ -L "${VAR_TMP_SECRET}" || ! -d "${VAR_TMP_SECRET}" ]]; then
printf "\e[91m❌ Unsafe secret root rejected. \e[0m\n" >&2
exit 42
fi
SECRET_ROOT_OWNER="$(stat -c '%u' "${VAR_TMP_SECRET}")"
SECRET_ROOT_MODE="$(stat -c '%a' "${VAR_TMP_SECRET}")"
SECRET_ROOT_FS="$(stat -f -c '%T' "${VAR_TMP_SECRET}")"
if [[ "${SECRET_ROOT_OWNER}" != "${EUID}" || "${SECRET_ROOT_MODE}" != "700" \
|| ( "${SECRET_ROOT_FS}" != "tmpfs" && "${SECRET_ROOT_FS}" != "ramfs" ) ]]; then
printf "\e[91m❌ Unsafe secret-root ownership, permissions, or filesystem rejected. \e[0m\n" >&2
exit 42
fi
if [[ -z "${LUKS_KEY_FILENAME}" || "${LUKS_KEY_FILENAME}" == "." || "${LUKS_KEY_FILENAME}" == ".." \
|| "${LUKS_KEY_FILENAME}" == */* || ! "${LUKS_KEY_FILENAME}" =~ ^[A-Za-z0-9._@%+=:,~-]+$ ]]; then
printf "\e[91m❌ Unsafe LUKS key filename rejected. \e[0m\n" >&2
exit 42
fi
LUKS_KEY_FILE="${VAR_TMP_SECRET}/${LUKS_KEY_FILENAME}"
if [[ -L "${LUKS_KEY_FILE}" || ! -f "${LUKS_KEY_FILE}" ]]; then
printf "\e[91m❌ Unsafe LUKS key file rejected. \e[0m\n" >&2
exit 42
fi
LUKS_KEY_OWNER="$(stat -c '%u' "${LUKS_KEY_FILE}")"
LUKS_KEY_MODE="$(stat -c '%a' "${LUKS_KEY_FILE}")"
LUKS_KEY_LINK_COUNT="$(stat -c '%h' "${LUKS_KEY_FILE}")"
if [[ "${LUKS_KEY_OWNER}" != "${EUID}" || "${LUKS_KEY_LINK_COUNT}" != "1" \
|| ( "${LUKS_KEY_MODE}" != "400" && "${LUKS_KEY_MODE}" != "600" ) ]]; then
printf "\e[91m❌ Unsafe LUKS key ownership, permissions, or link count rejected. \e[0m\n" >&2
exit 42
fi
# shellcheck disable=SC2155 # shellcheck disable=SC2155
declare -i VAR_ROOTFS_SIZE=$(stat -c%s -- "${ROOTFS}") declare -i VAR_ROOTFS_SIZE=$(stat -c%s -- "${ROOTFS}")
@@ -78,7 +125,7 @@ declare -i VAR_LUKSFS_SIZE=$(( ( (BASE_SIZE + ALIGN_BYTES - 1) / ALIGN_BYTES ) *
preallocate "${LUKSFS}" "${VAR_LUKSFS_SIZE}" preallocate "${LUKSFS}" "${VAR_LUKSFS_SIZE}"
exec {KEYFD}<"${VAR_TMP_SECRET}/luks.txt" exec {KEYFD}<"${LUKS_KEY_FILE}"
if [[ "${VAR_CDLB_INSIDE_RUNNER}" == "false" ]]; then if [[ "${VAR_CDLB_INSIDE_RUNNER}" == "false" ]]; then
@@ -127,11 +174,11 @@ declare -i SQUASH_FS="${VAR_ROOTFS_SIZE}"
if (( LUKS_FREE >= SQUASH_FS )); then if (( LUKS_FREE >= SQUASH_FS )); then
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ LUKS_FREE '%s' >= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}" printf "\e[92m✅ LUKS_FREE '%s' >= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}"
else else
printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ LUKS_FREE '%s' <= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}" >&2 printf "\e[91m❌ LUKS_FREE '%s' <= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}" >&2
exit 42 exit 42
fi fi
@@ -142,14 +189,14 @@ cryptsetup close crypt_liveiso
exec {KEYFD}<&- exec {KEYFD}<&-
shred -fzu -n 5 -- "${VAR_TMP_SECRET}/luks.txt" shred -fzu -n 5 -- "${LUKS_KEY_FILE}"
rm -f -- "${ROOTFS}" rm -f -- "${ROOTFS}"
umask "${__umask}" umask "${__umask}"
__umask="" __umask=""
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
exit 0 exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
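Review bot: The new key-file checks (symlink, regular file, owner, mode, link count) are evaluated on the path `${LUKS_KEY_FILE}` and only afterwards does a separate `exec {KEYFD}<"${LUKS_KEY_FILE}"` open it, so the inode that was validated and the inode cryptsetup reads through KEYFD are not bound together; the required EUID-owned 0700 tmpfs/ramfs root narrows this to same-user processes, but it remains a check-then-open race. Record the identity of the inode that passed the checks, `LUKS_KEY_IDENT="$(stat -c '%d:%i' "${LUKS_KEY_FILE}")"`, and right after the exec confirm the descriptor points at it: `[[ "$(stat -L -c '%d:%i' "/proc/self/fd/${KEYFD}")" == "${LUKS_KEY_IDENT}" ]] || { printf "\e[91m❌ LUKS key file changed between validation and open. \e[0m\n" >&2; exit 42; }`. The new header comment should also list the preconditions this hook now enforces on `VAR_TMP_SECRET` (directory, not a symlink, owned by EUID, mode 700, on tmpfs or ramfs) and on `VAR_LUKS_KEY` (plain filename, regular file, single link, mode 400 or 600), and its first verb reads `Preallocate a LUKS2 container, formats it` where `Preallocates` keeps the forms parallel. The code between the check block and the `exec` hunk is not shown in this diff.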
@@ -0,0 +1,396 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2026-06-04; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2026; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# shellcheck disable=SC2312
set -Ceuo pipefail
# Final live-build binary hook for the CISS UKI build. When the ciss-uki Secure Boot profile is active, this hook selects the
# complete kernel/initrd pair, reads the live kernel command line, optionally embeds separate early microcode, creates unsigned
# and signed Unified Kernel Images with ukify, verifies the signed UKI with 'sbverify', writes a manifest, and refuses private
# Secure Boot key material in build artifact paths.
#######################################
# Prints a fatal error message and terminates the hook.
# Globals:
# None
# Arguments:
# 1: Error message
# Returns:
# 42: always exits with failure
#######################################
die() {
declare message="${1}"
printf "\e[91m❌ %s \e[0m\n" "${message}" >&2
exit 42
}
#######################################
# Checks whether a required command exists.
# Globals:
# None
# Arguments:
# 1: Command name
# Returns:
# 0: on success
# 42: if the command is missing
#######################################
require_command() {
declare command_name="${1}"
command -v "${command_name}" >/dev/null 2>&1 || die "Required command not found: '${command_name}'."
return 0
}
#######################################
# Checks whether a required file exists.
# Globals:
# None
# Arguments:
# 1: File path
# 2: Human-readable file description
# Returns:
# 0: on success
# 42: if the file is missing
#######################################
require_file() {
declare file_path="${1}"
declare description="${2}"
[[ -f "${file_path}" ]] || die "Missing ${description}: '${file_path}'."
return 0
}
#######################################
# Reads the single LB_BOOTAPPEND_LIVE value from a live-build binary configuration file.
# Globals:
# None
# Arguments:
# 1: live-build binary configuration file
# 2: Output variable name for the kernel command line
# Returns:
# 0: on success
# 42: if the file is missing, the entry is ambiguous, or the value is empty
#######################################
read_bootappend_live() {
declare config_file="${1}"
declare output_var="${2}"
declare -a matches=()
declare value=""
require_file "${config_file}" "live-build binary configuration"
mapfile -t matches < <(grep -E '^LB_BOOTAPPEND_LIVE=' "${config_file}" || true)
if (( ${#matches[@]} != 1 )); then
die "Expected exactly one LB_BOOTAPPEND_LIVE entry in '${config_file}', found '${#matches[@]}'."
fi
value="${matches[0]#LB_BOOTAPPEND_LIVE=}"
if [[ "${value}" == \"*\" ]]; then
value="${value#\"}"
value="${value%\"}"
fi
[[ -n "${value}" ]] || die "LB_BOOTAPPEND_LIVE in '${config_file}' is empty."
printf -v "${output_var}" "%s" "${value}"
return 0
}
#######################################
# Collects kernel and initrd candidates from one artifact directory.
# Globals:
# None
# Arguments:
# 1: Artifact directory
# 2: Output variable name for the selected kernel path
# 3: Output variable name for the selected initrd path
# Returns:
# 0: on success, including when the directory does not exist
# 42: if more than one kernel or initrd candidate exists
#######################################
collect_artifacts_from_dir() {
declare artifact_dir="${1}"
declare kernel_output_var="${2}"
declare initrd_output_var="${3}"
declare -a kernels=()
declare -a initrds=()
if [[ ! -d "${artifact_dir}" ]]; then
printf -v "${kernel_output_var}" "%s" ""
printf -v "${initrd_output_var}" "%s" ""
return 0
fi
mapfile -d '' -t kernels < <(find "${artifact_dir}" -maxdepth 1 -type f -name "vmlinuz-*" -print0 | LC_ALL=C sort -z)
mapfile -d '' -t initrds < <(find "${artifact_dir}" -maxdepth 1 -type f -name "initrd.img-*" -print0 | LC_ALL=C sort -z)
if (( ${#kernels[@]} > 1 )); then
die "Ambiguous kernel candidates in '${artifact_dir}'. Refusing to select automatically."
fi
if (( ${#initrds[@]} > 1 )); then
die "Ambiguous initrd candidates in '${artifact_dir}'. Refusing to select automatically."
fi
printf -v "${kernel_output_var}" "%s" "${kernels[0]:-}"
printf -v "${initrd_output_var}" "%s" "${initrds[0]:-}"
return 0
}
#######################################
# Selects the kernel/initrd pair used to build the UKI.
# Globals:
# None
# Arguments:
# 1: Output variable name for the selected kernel path
# 2: Output variable name for the selected initrd path
# Returns:
# 0: on success
# 42: if no complete pair exists, the final pair is incomplete, or candidates are ambiguous
#######################################
select_kernel_initrd_pair() {
declare kernel_output_var="$1"
declare initrd_output_var="$2"
declare binary_kernel=""
declare binary_initrd=""
declare fallback_kernel=""
declare fallback_initrd=""
collect_artifacts_from_dir "binary/live" binary_kernel binary_initrd
if [[ -n "${binary_kernel}" && -n "${binary_initrd}" ]]; then
printf "\e[92m✅ Using final binary/live kernel and initrd artifacts. \e[0m\n"
printf -v "${kernel_output_var}" "%s" "${binary_kernel}"
printf -v "${initrd_output_var}" "%s" "${binary_initrd}"
return 0
fi
if [[ -n "${binary_kernel}" || -n "${binary_initrd}" ]]; then
die "Incomplete binary/live kernel/initrd pair. Refusing to mix final and fallback artifacts."
fi
printf "\e[93m❌ No complete binary/live kernel/initrd pair found; checking chroot/boot fallback. \e[0m\n"
collect_artifacts_from_dir "chroot/boot" fallback_kernel fallback_initrd
if [[ -n "${fallback_kernel}" && -n "${fallback_initrd}" ]]; then
printf "\e[93m❌ Using chroot/boot fallback artifacts because binary/live has no complete pair. \e[0m\n"
printf -v "${kernel_output_var}" "%s" "${fallback_kernel}"
printf -v "${initrd_output_var}" "%s" "${fallback_initrd}"
return 0
fi
die "No complete kernel/initrd pair found in binary/live or chroot/boot."
}
#######################################
# Finds an optional separate early microcode cpio next to the selected initrd.
# Globals:
# None
# Arguments:
# 1: Artifact directory
# 2: Output variable name for the selected microcode cpio path
# Returns:
# 0: on success, including when no separate microcode cpio exists
# 42: if more than one separate microcode cpio candidate exists
#######################################
collect_optional_microcode() {
declare artifact_dir="${1}"
declare output_var="${2}"
declare -a microcode_candidates=()
mapfile -d '' -t microcode_candidates < <(
find "${artifact_dir}" -maxdepth 1 -type f \( -name "*microcode*.cpio" -o -name "*ucode*.cpio" \) -print0 | LC_ALL=C sort -z
)
if (( ${#microcode_candidates[@]} > 1 )); then
die "Ambiguous separate early microcode cpio candidates in '${artifact_dir}'. Refusing to select automatically."
fi
printf -v "${output_var}" "%s" "${microcode_candidates[0]:-}"
return 0
}
#######################################
# Refuses private Secure Boot key material in generated artifact paths.
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: on success
# 42: if a private Secure Boot key is found below a guarded path
#######################################
guard_private_key_leaks() {
declare -a guard_roots=(binary chroot config/includes.binary config/includes.chroot config/includes.installer)
declare guard_root=""
declare private_file=""
for guard_root in "${guard_roots[@]}"; do
if [[ ! -d "${guard_root}" ]]; then
continue
fi
while IFS= read -r -d '' private_file; do
die "Refusing private Secure Boot key inside build artifact path: '${private_file}'."
done < <(find "${guard_root}" -xdev -type f \( -name "ciss-efi-image.key" -o -name "ciss-module-signing.key" \) -print0)
done
return 0
}
#######################################
# Builds unsigned and signed CISS UKIs for the ciss-uki Secure Boot profile.
# Globals:
# PWD
# VAR_CISS_SECUREBOOT_DIR
# VAR_CISS_SECUREBOOT_EFI_CERT
# VAR_CISS_SECUREBOOT_EFI_KEY
# VAR_CISS_SECUREBOOT_PROFILE
# VAR_HANDLER_BUILD_DIR
# VAR_WORKDIR
# Arguments:
# None
# Returns:
# 0: on success or when the active Secure Boot profile does not require a CISS UKI
# 42: on validation, artifact selection, UKI build, signing, or verification failure
#######################################
main() {
declare profile="${VAR_CISS_SECUREBOOT_PROFILE:-debian-shim}"
declare build_dir="${VAR_HANDLER_BUILD_DIR:-${PWD}}"
declare secureboot_dir="${VAR_CISS_SECUREBOOT_DIR:-${VAR_WORKDIR:-${build_dir}}/ciss.secureboot}"
declare secureboot_key="${VAR_CISS_SECUREBOOT_EFI_KEY:-${secureboot_dir}/private/ciss-efi-image.key}"
declare secureboot_cert="${VAR_CISS_SECUREBOOT_EFI_CERT:-${secureboot_dir}/public/ciss-efi-image.crt}"
declare stub="/usr/lib/systemd/boot/efi/linuxx64.efi.stub"
declare os_release="chroot/usr/lib/os-release"
declare kernel_path=""
declare initrd_path=""
declare kernel_base=""
declare initrd_base=""
declare kernel_version=""
declare initrd_version=""
declare cmdline=""
declare microcode_initrd=""
declare output_root=""
declare uki_dir=""
declare manifest_dir=""
declare unsigned_uki=""
declare signed_uki=""
declare manifest=""
declare -a ukify_args=()
if [[ "${profile}" != "ciss-uki" ]]; then
printf "\e[92m✅ Secure Boot profile '%s'; skipping CISS UKI build. \e[0m\n" "${profile}"
return 0
fi
printf "\e[95m🧪 Building CISS Secure Boot UKI ... \e[0m\n"
cd "${build_dir}"
require_command ukify
require_command sbverify
require_command sha512sum
require_file "${stub}" "systemd EFI stub"
require_file "${secureboot_key}" "CISS EFI image signing key"
require_file "${secureboot_cert}" "CISS EFI image signing certificate"
require_file "${os_release}" "target os-release metadata"
guard_private_key_leaks
select_kernel_initrd_pair kernel_path initrd_path
kernel_base="${kernel_path##*/}"
initrd_base="${initrd_path##*/}"
kernel_version="${kernel_base#vmlinuz-}"
initrd_version="${initrd_base#initrd.img-}"
[[ -n "${kernel_version}" && "${kernel_base}" != "${kernel_version}" ]] || die "Kernel artifact name does not match vmlinuz-<version>: '${kernel_path}'."
[[ -n "${initrd_version}" && "${initrd_base}" != "${initrd_version}" ]] || die "Initrd artifact name does not match initrd.img-<version>: '${initrd_path}'."
if [[ "${kernel_version}" != "${initrd_version}" ]]; then
die "Kernel/initrd version mismatch: kernel='${kernel_version}', initrd='${initrd_version}'."
fi
read_bootappend_live "config/binary" cmdline
collect_optional_microcode "${initrd_path%/*}" microcode_initrd
output_root="${build_dir}/ciss.secureboot"
uki_dir="${output_root}/uki"
manifest_dir="${output_root}/manifests"
unsigned_uki="${uki_dir}/CISS-LIVE-${kernel_version}.unsigned.efi"
signed_uki="${uki_dir}/CISS-LIVE-${kernel_version}.signed.efi"
manifest="${manifest_dir}/CISS-LIVE-${kernel_version}.uki-build.txt"
install -d -m 0755 "${uki_dir}" "${manifest_dir}"
rm -f -- "${unsigned_uki}" "${signed_uki}" "${manifest}"
ukify_args=(
build
--stub="${stub}"
--linux="${kernel_path}"
--cmdline="${cmdline}"
--os-release="@${os_release}"
--uname="${kernel_version}"
)
if [[ -n "${microcode_initrd}" ]]; then
printf "\e[92m✅ Embedding separate early microcode cpio before normal initrd: '%s'. \e[0m\n" "${microcode_initrd}"
ukify_args+=(--initrd="${microcode_initrd}")
else
printf "\e[92m✅ No separate early microcode cpio found; using normal initrd only. \e[0m\n"
fi
ukify_args+=(--initrd="${initrd_path}")
printf "\e[95m🧪 Creating unsigned UKI: '%s'. \e[0m\n" "${unsigned_uki}"
ukify "${ukify_args[@]}" --output="${unsigned_uki}"
printf "\e[95m🧪 Creating signed UKI: '%s'. \e[0m\n" "${signed_uki}"
ukify "${ukify_args[@]}" \
--secureboot-private-key="${secureboot_key}" \
--secureboot-certificate="${secureboot_cert}" \
--output="${signed_uki}"
require_file "${unsigned_uki}" "unsigned CISS UKI"
require_file "${signed_uki}" "signed CISS UKI"
{
printf "CISS Secure Boot UKI build manifest\n"
printf "Kernel: %s\n" "${kernel_path}"
printf "Initrd: %s\n" "${initrd_path}"
printf "Microcode initrd: %s\n" "${microcode_initrd:-none}"
printf "Uname: %s\n" "${kernel_version}"
printf "OS release: %s\n" "${os_release}"
printf "Command line: %s\n" "${cmdline}"
printf "\nSHA512:\n"
sha512sum "${unsigned_uki}" "${signed_uki}"
printf "\nukify inspect:\n"
ukify inspect "${signed_uki}"
printf "\nsbverify:\n"
sbverify --cert "${secureboot_cert}" "${signed_uki}"
} >| "${manifest}" 2>&1
printf "\e[92m✅ UKI inspection and signature verification written to '%s'. \e[0m\n" "${manifest}"
printf "\e[92m✅ CISS Secure Boot UKI build completed. \e[0m\n"
return 0
}
main "$@"
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
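Review bot: `sbverify --cert "${secureboot_cert}" "${signed_uki}"` runs only inside the manifest brace group with stderr redirected into the file, so under `set -e` a signature verification failure aborts the hook with sbverify's own exit status and a half-written manifest while the reason never reaches the build log. Verify explicitly before writing the manifest and fail through the hook's own path, `sbverify --cert "${secureboot_cert}" "${signed_uki}" || die "Signed UKI '${signed_uki}' failed sbverify against '${secureboot_cert}'."`, and keep the call inside the group purely as a record; `ukify inspect` and `sha512sum` in the same group have the same silent-abort behaviour. Separately, `guard_private_key_leaks` matches only the two canonical filenames, so a key copied under another name is not detected; the function's header comment should say so, e.g. `# Name-based check only: a key copied under a different filename is not detected.`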
@@ -0,0 +1,347 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2026-06-04; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2026; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# shellcheck disable=SC2312
set -Ceuo pipefail
# Final live-build binary hook for CISS UKI installation. When the ciss-uki Secure Boot profile is active, this hook selects
# the single signed CISS UKI, rebuilds the FAT EFI boot image with it as EFI/BOOT/BOOTX64.EFI, verifies the installed copy,
# mirrors it into the ISO EFI tree when available, writes an installation manifest, and refuses private Secure Boot key
# material in build artifact paths.
declare TMP_DIR=""
#######################################
# Removes the temporary EFI image work directory if it is inside the expected Secure Boot output tree.
# Globals:
# PWD
# TMP_DIR
# VAR_HANDLER_BUILD_DIR
# Arguments:
# None
# Returns:
# 0: on success or when no temporary directory exists
# 42: if the temporary directory is outside the expected cleanup root
# non-zero: if removal of the expected temporary directory fails under strict mode
#######################################
cleanup() {
declare build_dir="${VAR_HANDLER_BUILD_DIR:-${PWD}}"
if [[ -n "${TMP_DIR}" && -d "${TMP_DIR}" ]]; then
case "${TMP_DIR}" in
"${build_dir}/ciss.secureboot/"*)
rm -rf -- "${TMP_DIR}"
;;
*)
printf "\e[91m❌ Refusing to clean unexpected temporary path: '%s'. \e[0m\n" "${TMP_DIR}" >&2
return 42
;;
esac
fi
return 0
}
#######################################
# Prints a fatal error message and terminates the hook.
# Globals:
# None
# Arguments:
# 1: Error message
# Returns:
# 42: always exits with failure
#######################################
die() {
declare message="$1"
printf "\e[91m❌ %s \e[0m\n" "${message}" >&2
exit 42
}
#######################################
# Checks whether a required command exists.
# Globals:
# None
# Arguments:
# 1: Command name
# Returns:
# 0: on success
# 42: if the command is missing
#######################################
require_command() {
declare command_name="$1"
command -v "${command_name}" >/dev/null 2>&1 || die "Required command not found: '${command_name}'."
return 0
}
#######################################
# Checks whether a required file exists.
# Globals:
# None
# Arguments:
# 1: File path
# 2: Human-readable file description
# Returns:
# 0: on success
# 42: if the file is missing
#######################################
require_file() {
declare file_path="$1"
declare description="$2"
[[ -f "${file_path}" ]] || die "Missing ${description}: '${file_path}'."
return 0
}
#######################################
# Selects the single signed CISS UKI generated by the CISS UKI build hook.
# Globals:
# None
# Arguments:
# 1: CISS UKI output directory
# 2: Output variable name for the selected signed UKI path
# Returns:
# 0: on success
# 42: if the UKI directory is missing or does not contain exactly one signed UKI
#######################################
select_signed_uki() {
declare uki_dir="$1"
declare output_var="$2"
declare -a signed_ukis=()
[[ -d "${uki_dir}" ]] || die "Missing CISS UKI output directory: '${uki_dir}'."
mapfile -d '' -t signed_ukis < <(find "${uki_dir}" -maxdepth 1 -type f -name "CISS-LIVE-*.signed.efi" -print0 | LC_ALL=C sort -z)
if (( ${#signed_ukis[@]} != 1 )); then
die "Expected exactly one signed CISS UKI in '${uki_dir}', found '${#signed_ukis[@]}'."
fi
printf -v "${output_var}" "%s" "${signed_ukis[0]}"
return 0
}
#######################################
# Refuses private Secure Boot key material in generated artifact paths.
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: on success
# 42: if a private Secure Boot key is found below a guarded path
#######################################
guard_private_key_leaks() {
declare -a guard_roots=(binary chroot config/includes.binary config/includes.chroot config/includes.installer)
declare guard_root=""
declare private_file=""
for guard_root in "${guard_roots[@]}"; do
if [[ ! -d "${guard_root}" ]]; then
continue
fi
while IFS= read -r -d '' private_file; do
die "Refusing private Secure Boot key inside build artifact path: '${private_file}'."
done < <(find "${guard_root}" -xdev -type f \( -name "ciss-efi-image.key" -o -name "ciss-module-signing.key" \) -print0)
done
return 0
}
#######################################
# Mirrors the signed UKI into the ISO EFI tree as the removable-media bootloader when that tree exists.
# Globals:
# None
# Arguments:
# 1: Signed UKI path
# 2: Output variable name for the ISO EFI tree BOOTX64 path, or an empty value when no tree exists
# Returns:
# 0: on success, including when no ISO EFI tree exists
# non-zero: if directory creation or file installation fails under strict mode
#######################################
install_iso_tree_bootx64() {
declare signed_uki="$1"
declare output_var="$2"
declare iso_tree_bootx64=""
if [[ -d "binary/EFI/boot" ]]; then
iso_tree_bootx64="binary/EFI/boot/bootx64.efi"
elif [[ -d "binary/EFI/BOOT" ]]; then
iso_tree_bootx64="binary/EFI/BOOT/BOOTX64.EFI"
elif [[ -d "binary/EFI" ]]; then
install -d -m 0755 "binary/EFI/BOOT"
iso_tree_bootx64="binary/EFI/BOOT/BOOTX64.EFI"
fi
if [[ -n "${iso_tree_bootx64}" ]]; then
install -m 0644 "${signed_uki}" "${iso_tree_bootx64}"
printf "\e[92m✅ Mirrored signed UKI into ISO EFI tree: '%s'. \e[0m\n" "${iso_tree_bootx64}"
else
printf "\e[93m❌ No binary/EFI tree found; only EFI boot image was updated. \e[0m\n"
fi
printf -v "${output_var}" "%s" "${iso_tree_bootx64}"
return 0
}
#######################################
# Installs the signed CISS UKI into the EFI boot image for the ciss-uki Secure Boot profile.
# Globals:
# PWD
# SOURCE_DATE_EPOCH
# TMP_DIR
# VAR_CISS_SECUREBOOT_DIR
# VAR_CISS_SECUREBOOT_EFI_CERT
# VAR_CISS_SECUREBOOT_PROFILE
# VAR_HANDLER_BUILD_DIR
# VAR_WORKDIR
# Arguments:
# None
# Returns:
# 0: on success or when the active Secure Boot profile does not require CISS UKI installation
# 42: on explicit validation, comparison, or signature verification failure
# non-zero: if an external tool, installation command, or manifest write fails under strict mode
#######################################
main() {
declare profile="${VAR_CISS_SECUREBOOT_PROFILE:-debian-shim}"
declare build_dir="${VAR_HANDLER_BUILD_DIR:-${PWD}}"
declare secureboot_dir="${VAR_CISS_SECUREBOOT_DIR:-${VAR_WORKDIR:-${build_dir}}/ciss.secureboot}"
declare secureboot_cert="${VAR_CISS_SECUREBOOT_EFI_CERT:-${secureboot_dir}/public/ciss-efi-image.crt}"
declare output_root=""
declare uki_dir=""
declare manifest_dir=""
declare signed_uki=""
declare efi_img="binary/boot/grub/efi.img"
declare uki_name=""
declare kernel_version=""
declare manifest=""
declare tmp_img=""
declare extracted_uki=""
declare iso_tree_bootx64=""
declare uki_size=""
declare -i uki_kib=0
declare -i blocks=0
declare source_epoch="${SOURCE_DATE_EPOCH:-0}"
declare volid=""
if [[ "${profile}" != "ciss-uki" ]]; then
printf "\e[92m✅ Secure Boot profile '%s'; skipping CISS UKI EFI installation. \e[0m\n" "${profile}"
return 0
fi
printf "\e[95m🧪 Installing CISS signed UKI into EFI boot image ... \e[0m\n"
cd "${build_dir}"
require_command cmp
require_command mcopy
require_command mdir
require_command mkfs.msdos
require_command sbverify
require_command sha512sum
require_command stat
require_command ukify
require_file "${secureboot_cert}" "CISS EFI image signing certificate"
require_file "${efi_img}" "live-build EFI boot image"
guard_private_key_leaks
output_root="${build_dir}/ciss.secureboot"
uki_dir="${output_root}/uki"
manifest_dir="${output_root}/manifests"
select_signed_uki "${uki_dir}" signed_uki
uki_name="${signed_uki##*/}"
kernel_version="${uki_name#CISS-LIVE-}"
kernel_version="${kernel_version%.signed.efi}"
[[ -n "${kernel_version}" && "${kernel_version}" != "${uki_name}" ]] || die "Signed UKI name does not match CISS-LIVE-<version>.signed.efi: '${signed_uki}'."
install -d -m 0755 "${manifest_dir}"
TMP_DIR="$(mktemp -d -p "${output_root}" "efi-img.XXXXXXXX")"
tmp_img="${TMP_DIR}/efi.img"
extracted_uki="${TMP_DIR}/BOOTX64.EFI"
manifest="${manifest_dir}/CISS-LIVE-${kernel_version}.efi-install.txt"
rm -f -- "${manifest}"
uki_size="$(stat -c %s -- "${signed_uki}")"
uki_kib=$(( (uki_size + 1023) / 1024 ))
blocks=$(( (uki_kib + 8192 + 31) / 32 * 32 ))
if (( blocks < 32768 )); then
blocks=32768
fi
if [[ ! "${source_epoch}" =~ ^[0-9]+$ ]]; then
source_epoch="0"
fi
printf -v volid "%08x" "$((source_epoch % 4294967296))"
printf "\e[95m🧪 Rebuilding EFI boot image with signed UKI as EFI/BOOT/BOOTX64.EFI. \e[0m\n"
mkfs.msdos -C "${tmp_img}" "${blocks}" -i "${volid}" >/dev/null
mmd -i "${tmp_img}" "::EFI"
mmd -i "${tmp_img}" "::EFI/BOOT"
mcopy -m -o -i "${tmp_img}" "${signed_uki}" "::EFI/BOOT/BOOTX64.EFI"
mcopy -o -i "${tmp_img}" "::EFI/BOOT/BOOTX64.EFI" "${extracted_uki}"
cmp -s "${signed_uki}" "${extracted_uki}" || die "Extracted BOOTX64.EFI differs from signed UKI before EFI image installation."
sbverify --cert "${secureboot_cert}" "${extracted_uki}" >/dev/null
install -m 0644 "${tmp_img}" "${efi_img}"
rm -f -- "${extracted_uki}"
mcopy -o -i "${efi_img}" "::EFI/BOOT/BOOTX64.EFI" "${extracted_uki}"
cmp -s "${signed_uki}" "${extracted_uki}" || die "Installed EFI/BOOT/BOOTX64.EFI differs from signed UKI."
sbverify --cert "${secureboot_cert}" "${extracted_uki}" >/dev/null
install_iso_tree_bootx64 "${signed_uki}" iso_tree_bootx64
if [[ -n "${iso_tree_bootx64}" ]]; then
cmp -s "${signed_uki}" "${iso_tree_bootx64}" || die "ISO EFI tree BOOTX64.EFI differs from signed UKI."
sbverify --cert "${secureboot_cert}" "${iso_tree_bootx64}" >/dev/null
fi
guard_private_key_leaks
{
printf "CISS Secure Boot EFI image installation manifest\n"
printf "EFI image: %s\n" "${efi_img}"
printf "Installed path: EFI/BOOT/BOOTX64.EFI\n"
printf "ISO EFI tree mirror: %s\n" "${iso_tree_bootx64:-none}"
printf "Signed UKI: %s\n" "${signed_uki}"
printf "FAT image blocks KiB: %s\n" "${blocks}"
printf "FAT volume id: %s\n" "${volid}"
printf "\nSHA512:\n"
sha512sum "${efi_img}" "${signed_uki}" "${extracted_uki}"
if [[ -n "${iso_tree_bootx64}" ]]; then
sha512sum "${iso_tree_bootx64}"
fi
printf "\nEFI directory:\n"
mdir -i "${efi_img}" "::EFI/BOOT"
printf "\nukify inspect installed BOOTX64.EFI:\n"
ukify inspect "${extracted_uki}"
printf "\nsbverify installed BOOTX64.EFI:\n"
sbverify --cert "${secureboot_cert}" "${extracted_uki}"
} >| "${manifest}" 2>&1
printf "\e[92m✅ EFI image installation verification written to '%s'. \e[0m\n" "${manifest}"
printf "\e[92m✅ CISS signed UKI installed as EFI/BOOT/BOOTX64.EFI. \e[0m\n"
return 0
}
main "$@"
cleanup
exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
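Review bot: `cleanup` is only reached on the success path (the bare `cleanup` after `main "$@"`), while `die` exits with 42 and any `set -e` abort bypasses it, so every failed run leaves the `mktemp -d -p "${output_root}" "efi-img.XXXXXXXX"` work directory with a stale `efi.img` and extracted `BOOTX64.EFI` under `ciss.secureboot/`. Register the handler once `TMP_DIR` is declared, `trap cleanup EXIT`, so the path-guarded removal also runs on validation and signature-verification failures; the explicit call before `exit 0` then becomes redundant. Separately, `guard_private_key_leaks` is purely name-based (`ciss-efi-image.key`, `ciss-module-signing.key`), so a renamed or re-exported copy of the signing key inside `binary/` or `chroot/` would pass; a content match over the same roots, e.g. `grep -rlE -- '-----BEGIN .*PRIVATE KEY-----'`, would close that gap at low cost.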
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.768.2025.12.06 # Version Master V9.14.022.2026.06.10
[git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
[git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q== [git.coresecret.dev]:42842 ssh-rsa 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
@@ -9,7 +9,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.768.2025.12.06 # Version Master V9.14.022.2026.06.10
### https://www.ssh-audit.com/ ### https://www.ssh-audit.com/
### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -11,7 +11,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.768.2025.12.06 # Version Master V9.14.022.2026.06.10
### https://docs.kernel.org/ ### https://docs.kernel.org/
### https://github.com/a13xp0p0v/kernel-hardening-checker/ ### https://github.com/a13xp0p0v/kernel-hardening-checker/
@@ -10,7 +10,7 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
declare -gr VERSION="Master V8.13.768.2025.12.06" declare -gr VERSION="Master V9.14.022.2026.06.10"
### VERY EARLY CHECK FOR DEBUGGING ### VERY EARLY CHECK FOR DEBUGGING
if [[ $* == *" --debug "* ]]; then if [[ $* == *" --debug "* ]]; then
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
# Please consider donating to my work at: https://coresecret.eu/spenden/ # Please consider donating to my work at: https://coresecret.eu/spenden/
########################################################################################### ###########################################################################################
# Written by: ./preseed_hash_generator.sh Version: Master V8.13.768.2025.12.06 at: 10:18:37.9542 # Written by: ./preseed_hash_generator.sh Version: Master V9.14.022.2026.06.10 at: 10:18:37.9542
@@ -25,8 +25,8 @@ cat << 'EOF'
EOF EOF
echo "" echo ""
echo -e "\e[97m (c) Marc S. Weidner, 2018 - 2025 \e[0m" echo -e "\e[97m (c) Marc S. Weidner, 2018 - 2026 \e[0m"
echo -e "\e[97m (p) Centurion Press, 2018 - 2025 \e[0m" echo -e "\e[97m (p) Centurion Press, 2018 - 2026 \e[0m"
echo -e "\e[97m Centurion Intelligence Consulting Agency (tm) \e[0m" echo -e "\e[97m Centurion Intelligence Consulting Agency (tm) \e[0m"
echo -e "\e[97m https://coresecret.eu/ \e[0m" echo -e "\e[97m https://coresecret.eu/ \e[0m"
echo -e "\e[95m Please consider making a donation: \e[0m" echo -e "\e[95m Please consider making a donation: \e[0m"
@@ -14,8 +14,10 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Purpose: Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay. # Module summary:
# Phase : premount (executed by live-boot inside the initramfs). # - Reserve a dedicated /run/live/overlay tmpfs with a configurable size limit.
# - Mount it with restrictive flags and permissions before OverlayFS uses it.
# - Prepare the upper and work directories required by the later live-boot overlay setup.
_SAVED_SET_OPTS="$(set +o)" _SAVED_SET_OPTS="$(set +o)"
@@ -14,13 +14,171 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Purpose: Open /live/ciss_rootfs.crypt (LUKS) for final processing in '9990-overlay.sh' # Module summary:
# Phase : premount (executed by live-boot inside the initramfs) # - Read CISS boot parameters for the encrypted root path and live ISO label.
# - Mount the live medium read-only and locate the encrypted SquashFS container.
# - Attach the encrypted container through a read-only loop device.
# - Accept a LUKS passphrase from the local console or remotely unlock FIFO.
# - Open the decrypted root mapper and expose the handoff state for later live-boot overlay processing.
_SAVED_SET_OPTS="$(set +o)" _SAVED_SET_OPTS="$(set +o)"
set -eu set -eu
#######################################
# Ensure the minimal device nodes required by this early boot script exist.
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: Always. Device-node setup is best-effort only
#######################################
ensure_minimal_dev_nodes() {
mknod_cmd=""
busybox_cmd=""
[ -d /dev ] || mkdir -p /dev || return 0
if [ -c /dev/null ] && [ -c /dev/console ]; then
return 0
fi
mknod_cmd="$(command -v mknod 2>&- || printf '')"
if [ -z "${mknod_cmd}" ]; then
busybox_cmd="$(command -v busybox 2>&- || printf '')"
fi
if [ ! -c /dev/null ]; then
rm -f /dev/null || true
if [ -n "${mknod_cmd}" ]; then
"${mknod_cmd}" -m 666 /dev/null c 1 3 || true
elif [ -n "${busybox_cmd}" ]; then
"${busybox_cmd}" mknod -m 666 /dev/null c 1 3 || true
fi
fi
if [ ! -c /dev/console ]; then
rm -f /dev/console || true
if [ -n "${mknod_cmd}" ]; then
"${mknod_cmd}" -m 600 /dev/console c 5 1 || true
elif [ -n "${busybox_cmd}" ]; then
"${busybox_cmd}" mknod -m 600 /dev/console c 5 1 || true
fi
fi
return 0
}
#######################################
# Console logging helper that does not assume /dev/console is always present.
# Globals:
# None
# Arguments:
# 1: printf format
# *: printf arguments
# Returns:
# 0: always, logging failure is not fatal
#######################################
console_printf() {
console_format="$1"
shift
if [ -c /dev/console ]; then
# shellcheck disable=SC2059
printf "${console_format}" "$@" > /dev/console || :
elif [ -e /proc/1/fd/1 ]; then
# shellcheck disable=SC2059
printf "${console_format}" "$@" > /proc/1/fd/1 || :
fi
return 0
}
#######################################
# Clear the current console line without making cleanup fatal.
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: Always. Console cleanup failure is not fatal.
#######################################
console_clear_line() {
console_printf '\r\033[K'
return 0
}
#######################################
# Wait for an explicit local-console unlock activation.
# Globals:
# None
# Arguments:
# None
# Returns:
# 0: local console activation was requested
# 1: console unavailable or activation read failed
#######################################
wait_for_local_unlock_activation() {
LOCAL_UNLOCK_SAVED_STTY=""
LOCAL_UNLOCK_READ_STATUS=0
ensure_minimal_dev_nodes
[ -c /dev/console ] || return 1
exec 9<>/dev/console || return 1
LOCAL_UNLOCK_SAVED_STTY=$(stty -g <&9 2>&- || printf '')
trap 'if [ -n "${LOCAL_UNLOCK_SAVED_STTY}" ]; then stty "${LOCAL_UNLOCK_SAVED_STTY}" <&9 2>&- || :; fi; printf "\r\033[K" >&9 2>&- || :; exec 9>&-; exit 143' TERM INT HUP
if [ -n "${LOCAL_UNLOCK_SAVED_STTY}" ]; then
stty -echo <&9 2>&- || :
fi
printf '\e[93m[INFO] CISS LUKS decryption : Press Enter for local unlock: \n\e[0m' >&9 || :
IFS= read -r _ <&9
LOCAL_UNLOCK_READ_STATUS="$?"
if [ -n "${LOCAL_UNLOCK_SAVED_STTY}" ]; then
stty "${LOCAL_UNLOCK_SAVED_STTY}" <&9 2>&- || :
fi
printf '\r\033[K' >&9 || :
exec 9>&-
trap - TERM INT HUP
[ "${LOCAL_UNLOCK_READ_STATUS}" -eq 0 ] || return 1
return 0
}
ensure_minimal_dev_nodes
printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0024-ciss-crypt-squash] \n\e[0m" printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0024-ciss-crypt-squash] \n\e[0m"
####################################### #######################################
@@ -37,11 +195,21 @@ ask_pass_console() {
PASSPHRASE="" PASSPHRASE=""
SAVED_STTY="" SAVED_STTY=""
ensure_minimal_dev_nodes
[ -c /dev/console ] || return 1
exec 8<>/dev/console || return 1
### Save current console settings. ### Save current console settings.
SAVED_STTY=$(stty -g </dev/console 2>/dev/null || printf '') SAVED_STTY=$(stty -g <&8 2>&- || printf '')
### Non-canonical mode, no echo, 1 byte at a time. ### Non-canonical mode, no echo, 1 byte at a time.
stty -echo -icanon time 0 min 1 </dev/console 2>/dev/null || return 1 if ! stty -echo -icanon time 0 min 1 <&8 2>&-; then
exec 8>&-
return 1
fi
cr=$(printf '\r') cr=$(printf '\r')
bs=$(printf '\b') bs=$(printf '\b')
@@ -50,11 +218,11 @@ ask_pass_console() {
while :; do while :; do
### Read exactly one byte from the console. ### Read exactly one byte from the console.
c=$(dd bs=1 count=1 2>/dev/null </dev/console) c=$(dd bs=1 count=1 2>&- <&8)
if [ -z "${c}" ]; then if [ -z "${c}" ]; then
printf '\n' > /dev/console printf '\n' >&8
break break
fi fi
@@ -66,7 +234,7 @@ ask_pass_console() {
"${cr}") "${cr}")
### Enter: finish input. ### Enter: finish input.
printf '\n' > /dev/console printf '\n' >&8
break break
;; ;;
@@ -75,7 +243,7 @@ ask_pass_console() {
if [ -n "${PASSPHRASE}" ]; then if [ -n "${PASSPHRASE}" ]; then
PASSPHRASE=${PASSPHRASE%?} PASSPHRASE=${PASSPHRASE%?}
printf '\b \b' > /dev/console printf '\b \b' >&8
fi fi
;; ;;
@@ -83,14 +251,20 @@ ask_pass_console() {
*) *)
### Normal character: append and mask output. ### Normal character: append and mask output.
PASSPHRASE="${PASSPHRASE}${c}" PASSPHRASE="${PASSPHRASE}${c}"
printf '*' > /dev/console printf '*' >&8
;; ;;
esac esac
done done
[ -n "${SAVED_STTY}" ] && stty "${SAVED_STTY}" </dev/console 2>/dev/null || : if [ -n "${SAVED_STTY}" ]; then
stty "${SAVED_STTY}" <&8 2>&- || :
fi
exec 8>&-
printf '%s' "${PASSPHRASE}" printf '%s' "${PASSPHRASE}"
@@ -126,7 +300,7 @@ _PARAMETER=""
_dev="" _dev=""
### Read the kernel cmdline once. ---------------------------------------------------------------------------------------------- ### Read the kernel cmdline once. ----------------------------------------------------------------------------------------------
CMDLINE="$(cat /proc/cmdline 2>/dev/null || printf '')" CMDLINE="$(cat /proc/cmdline 2>&- || printf '')"
for _PARAMETER in ${CMDLINE}; do for _PARAMETER in ${CMDLINE}; do
@@ -149,8 +323,8 @@ if ! mountpoint -q "${CDLB_MNT_MEDIUM}"; then
if [ -n "${CDLB_ISO_LABEL}" ] && [ -e "/dev/disk/by-label/${CDLB_ISO_LABEL}" ]; then if [ -n "${CDLB_ISO_LABEL}" ] && [ -e "/dev/disk/by-label/${CDLB_ISO_LABEL}" ]; then
mount -r -t iso9660 "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>/dev/null \ mount -r -t iso9660 "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>&- \
|| mount -r -t udf "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>/dev/null \ || mount -r -t udf "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>&- \
|| log "could not mount label=${CDLB_ISO_LABEL} (iso9660/udf)" || log "could not mount label=${CDLB_ISO_LABEL} (iso9660/udf)"
fi fi
@@ -166,13 +340,13 @@ if ! mountpoint -q "${CDLB_MNT_MEDIUM}"; then
[ -b "${_dev}" ] || continue [ -b "${_dev}" ] || continue
### Try ISO9660 first, then UDF; only unmount on failure. ### Try ISO9660 first, then UDF; only unmount on failure.
if mount -r -t iso9660 "${_dev}" "${CDLB_MNT_MEDIUM}" 2>/dev/null || mount -r -t udf "${_dev}" "${CDLB_MNT_MEDIUM}" 2>/dev/null; then if mount -r -t iso9660 "${_dev}" "${CDLB_MNT_MEDIUM}" 2>&- || mount -r -t udf "${_dev}" "${CDLB_MNT_MEDIUM}" 2>&-; then
mountpoint -q "${CDLB_MNT_MEDIUM}" 2>/dev/null && break mountpoint -q "${CDLB_MNT_MEDIUM}" 2>&- && break
else else
umount "${CDLB_MNT_MEDIUM}" 2>/dev/null || true umount "${CDLB_MNT_MEDIUM}" 2>&- || true
fi fi
@@ -216,24 +390,24 @@ fi
printf "\e[92m[INFO] Loop device : [%s] \n\e[0m" "${LOOP}" printf "\e[92m[INFO] Loop device : [%s] \n\e[0m" "${LOOP}"
### Expose the loop device for unlock-wrapper.sh, dropbear forced-command. ----------------------------------------------------- ### Expose the loop device for unlock-wrapper.sh, dropbear forced-command. -----------------------------------------------------
mkdir -p /run 2>/dev/null || true mkdir -p /run 2>&- || true
echo "${LOOP}" > /run/ciss-loopdev 2>/dev/null || true echo "${LOOP}" > /run/ciss-loopdev 2>&- || true
chmod 0600 /run/ciss-loopdev 2>/dev/null || true chmod 0600 /run/ciss-loopdev 2>&- || true
printf "\e[92m[INFO] Exposed LOOP : [/run/ciss-loopdev] -> [%s]\n\e[0m" "${LOOP}" printf "\e[92m[INFO] Exposed LOOP : [/run/ciss-loopdev] -> [%s]\n\e[0m" "${LOOP}"
### Prepare fifo for passphrase. ----------------------------------------------------------------------------------------------- ### Prepare fifo for passphrase. -----------------------------------------------------------------------------------------------
mkdir -p /lib/cryptsetup 2>/dev/null || true mkdir -p /lib/cryptsetup 2>&- || true
if [ -p /lib/cryptsetup/passfifo ]; then if [ -p /lib/cryptsetup/passfifo ]; then
rm -f /lib/cryptsetup/passfifo 2>/dev/null || true rm -f /lib/cryptsetup/passfifo 2>&- || true
fi fi
if ! mkfifo /lib/cryptsetup/passfifo 2>/dev/null; then if ! mkfifo /lib/cryptsetup/passfifo 2>&-; then
printf "\e[92m[WARN] Boot failure : Failed to create [/lib/cryptsetup/passfifo] \n\e[0m" printf "\e[92m[WARN] Boot failure : Failed to create [/lib/cryptsetup/passfifo] \n\e[0m"
sleep 60 sleep 60
@@ -242,7 +416,7 @@ if ! mkfifo /lib/cryptsetup/passfifo 2>/dev/null; then
fi fi
chmod 0600 /lib/cryptsetup/passfifo 2>/dev/null || true chmod 0600 /lib/cryptsetup/passfifo 2>&- || true
### Background broker: read FIFO, try cryptsetup per line. --------------------------------------------------------------------- ### Background broker: read FIFO, try cryptsetup per line. ---------------------------------------------------------------------
( (
@@ -267,18 +441,29 @@ chmod 0600 /lib/cryptsetup/passfifo 2>/dev/null || true
[ -n "${PASS}" ] || continue [ -n "${PASS}" ] || continue
printf "\e[93m[INFO] CISS LUKS decryption : LUKS mapper [%s] trying to unlock via cryptsetup ... \n\e[0m" "${CDLB_MAPPER_DEV}" >/dev/console 2>/dev/null || true console_printf "\e[93m[INFO] CISS LUKS decryption : LUKS mapper [%s] trying to unlock via cryptsetup ... \n\e[0m" "${CDLB_MAPPER_DEV}"
KEYLEN=${#PASS} KEYLEN=${#PASS}
if [ -c /dev/console ]; then
printf '%s' "${PASS}" | cryptsetup open --tries 1 \ printf '%s' "${PASS}" | cryptsetup open --tries 1 \
--type luks \ --type luks \
--keyfile-size="${KEYLEN}" \ --keyfile-size="${KEYLEN}" \
--readonly "${LOOP}" "${CDLB_MAPPER_NAME}" --key-file - 2>/dev/console --readonly "${LOOP}" "${CDLB_MAPPER_NAME}" --key-file - 2>/dev/console
else
printf '%s' "${PASS}" | cryptsetup open --tries 1 \
--type luks \
--keyfile-size="${KEYLEN}" \
--readonly "${LOOP}" "${CDLB_MAPPER_NAME}" --key-file - 2>&-
fi
if [ -b "${CDLB_MAPPER_DEV}" ]; then if [ -b "${CDLB_MAPPER_DEV}" ]; then
printf "\e[92m[INFO] CISS LUKS decryption : LUKS mapper [%s] successfully opened. \n\e[0m" "${CDLB_MAPPER_DEV}" >/dev/console 2>/dev/null || true console_printf "\e[92m[INFO] CISS LUKS decryption : LUKS mapper [%s] successfully opened. \n\e[0m" "${CDLB_MAPPER_DEV}"
break break
fi fi
@@ -305,12 +490,15 @@ PID_BROKER="$!"
if [ "${PASS_SENT}" -eq 0 ]; then if [ "${PASS_SENT}" -eq 0 ]; then
printf '\e[93m[INFO] Enter LUKS passphrase: \n\e[0m' > /dev/console # shellcheck disable=SC2310
wait_for_local_unlock_activation || continue
console_printf '\e[93m[INFO] Enter LUKS passphrase: \n\e[0m'
# shellcheck disable=SC2310 # shellcheck disable=SC2310
PASS="$(ask_pass_console)" || continue PASS="$(ask_pass_console)" || continue
printf '%s\n' "${PASS}" >| /lib/cryptsetup/passfifo 2>/dev/null || : printf '%s\n' "${PASS}" >| /lib/cryptsetup/passfifo 2>&- || :
PASS_SENT=1 PASS_SENT=1
WAIT_LOOP=0 WAIT_LOOP=0
@@ -321,7 +509,7 @@ PID_BROKER="$!"
if [ "${WAIT_LOOP}" -ge 160 ]; then if [ "${WAIT_LOOP}" -ge 160 ]; then
printf '\e[91m[WARN] Please try again : \n\e[0m' > /dev/console console_printf '\e[91m[WARN] Please try again : \n\e[0m'
PASS_SENT=0 PASS_SENT=0
WAIT_LOOP=0 WAIT_LOOP=0
@@ -365,12 +553,13 @@ if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
printf "\e[91m[WARN] CISS LUKS decryption : Timeout LUKS mapper [%s] not present after %s seconds. \n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_REMOTE_WAIT_SECS}" printf "\e[91m[WARN] CISS LUKS decryption : Timeout LUKS mapper [%s] not present after %s seconds. \n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_REMOTE_WAIT_SECS}"
kill "${PID_PROMPT}" 2>/dev/null || true kill "${PID_PROMPT}" 2>&- || true
kill "${PID_BROKER}" 2>/dev/null || true kill "${PID_BROKER}" 2>&- || true
wait "${PID_PROMPT}" 2>/dev/null || true wait "${PID_PROMPT}" 2>&- || true
wait "${PID_BROKER}" 2>/dev/null || true wait "${PID_BROKER}" 2>&- || true
console_clear_line
rm -f /lib/cryptsetup/passfifo 2>/dev/null || true rm -f /lib/cryptsetup/passfifo 2>&- || true
sleep 60 sleep 60
@@ -379,12 +568,13 @@ if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
fi fi
kill "${PID_PROMPT}" 2>/dev/null || true kill "${PID_PROMPT}" 2>&- || true
kill "${PID_BROKER}" 2>/dev/null || true kill "${PID_BROKER}" 2>&- || true
wait "${PID_PROMPT}" 2>/dev/null || true wait "${PID_PROMPT}" 2>&- || true
wait "${PID_BROKER}" 2>/dev/null || true wait "${PID_BROKER}" 2>&- || true
console_clear_line
rm -f /lib/cryptsetup/passfifo 2>/dev/null || true rm -f /lib/cryptsetup/passfifo 2>&- || true
printf "\e[92m[INFO] CISS LUKS decryption : [%s] is now present.\n\e[0m" "${CDLB_MAPPER_DEV}" printf "\e[92m[INFO] CISS LUKS decryption : [%s] is now present.\n\e[0m" "${CDLB_MAPPER_DEV}"
@@ -399,7 +589,7 @@ export CDLB_MNT_MEDIUM=${CDLB_MNT_MEDIUM}
export CDLB_MNT_ROOTFS=${CDLB_MNT_ROOTFS} export CDLB_MNT_ROOTFS=${CDLB_MNT_ROOTFS}
export CDLB_REMOTE_WAIT_SECS=${CDLB_REMOTE_WAIT_SECS} export CDLB_REMOTE_WAIT_SECS=${CDLB_REMOTE_WAIT_SECS}
EOF EOF
chmod 0444 /run/ciss-rootdev 2>/dev/null || true chmod 0444 /run/ciss-rootdev 2>&- || true
### Override '9990-main.sh' behavior to ensure 'Verify_checksums()' functions properly. ---------------------------------------- ### Override '9990-main.sh' behavior to ensure 'Verify_checksums()' functions properly. ----------------------------------------
if [ ! -e /conf/param.conf ]; then if [ ! -e /conf/param.conf ]; then
@@ -409,20 +599,28 @@ if [ ! -e /conf/param.conf ]; then
fi fi
if ! grep -q '^PLAIN_ROOT=' /conf/param.conf 2>/dev/null; then if ! grep -q '^PLAIN_ROOT=' /conf/param.conf 2>&-; then
printf 'PLAIN_ROOT=1\n' >> /conf/param.conf printf 'PLAIN_ROOT=1\n' >> /conf/param.conf
fi fi
if ! grep -q '^livefs_root=' /conf/param.conf 2>/dev/null; then if ! grep -q '^livefs_root=' /conf/param.conf 2>&-; then
printf 'livefs_root=%s\n' "/run/live/medium" >> /conf/param.conf printf 'livefs_root=%s\n' "/run/live/medium" >> /conf/param.conf
fi fi
printf "\e[92m[INFO] CISS LUKS decryption : Final state [/conf/param.conf] \n\e[0m" printf "\e[92m[INFO] CISS LUKS decryption : Final state [/conf/param.conf] \n\e[0m"
cat /conf/param.conf >/dev/console 2>&1 || : if [ -c /dev/console ]; then
cat /conf/param.conf >/dev/console 2>&1 || :
elif [ -e /proc/1/fd/1 ]; then
cat /conf/param.conf >/proc/1/fd/1 2>&1 || :
fi
log "Decrypted root device exposed at [/run/ciss-rootdev] -> [${CDLB_MAPPER_DEV}]" log "Decrypted root device exposed at [/run/ciss-rootdev] -> [${CDLB_MAPPER_DEV}]"
printf "\e[92m[INFO] CISS LUKS decryption : Decrypted root device exposed at: [/run/ciss-rootdev] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}" printf "\e[92m[INFO] CISS LUKS decryption : Decrypted root device exposed at: [/run/ciss-rootdev] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}"
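Review bot: The blanket change from `2>/dev/null` to `2>&-` closes fd 2 in the child instead of discarding its output, so the next file the child opens is handed descriptor 2 and any later diagnostic write lands in that file or fails with EBADF, which some tools may treat as an error; this matters most for `cryptsetup open ... --key-file - 2>&-` in the broker and for `c=$(dd bs=1 count=1 2>&- <&8)` in `ask_pass_console`, where a changed dd exit status under `set -e` would abort the passphrase read. Since `ensure_minimal_dev_nodes` now runs before any of these calls and recreates `/dev/null` when it is missing, the original redirection is safe again; restore `2>/dev/null` throughout, e.g. `c=$(dd bs=1 count=1 2>/dev/null <&8)`. That also lets the duplicated cryptsetup branches collapse into one invocation with `2>"${CRYPT_ERR}"`, where `CRYPT_ERR` is set to `/dev/console` when it is a character device and `/dev/null` otherwise. Most of the affected hunks sit inside the unlock loop and the broker subshell, whose bodies begin outside the visible hunks.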
@@ -14,8 +14,11 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Purpose: Enforce early sysctls before services start. # Module summary:
# Phase : premount (executed by live-boot inside the initramfs). # - Runs during live-boot premount while the system is still inside the initramfs.
# - Applies early kernel hardening before the real root and regular services are active.
# - Restricts ptrace, unprivileged BPF, core dumps, kexec, unsafe link handling, regular-file protections, and kernel pointer
# exposure where supported.
_SAVED_SET_OPTS="$(set +o)" _SAVED_SET_OPTS="$(set +o)"
@@ -14,6 +14,14 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Module summary:
# This live-boot component implements the verify-checksums mode for the mounted live medium.
# It reads the live-boot command line to decide whether checksum verification is enabled and which digests to accept.
# It locates the pinned CISS GPG key material on the live medium, optionally verifies this script's signed hash,
# optionally verifies signed checksum files, and checks the first matching checksum manifest with the matching digest tool. It
# writes detailed checksum output to the verification TTY. It panics instead of continuing boot when integrity or
# authenticity verification fails.
### Modified Version of the original file: ### Modified Version of the original file:
### https://salsa.debian.org/live-team/live-boot 'components/0030-ciss-verify-checksums' ### https://salsa.debian.org/live-team/live-boot 'components/0030-ciss-verify-checksums'
### If the offered checksum is successfully verified, proceed with booting. Otherwise, panic. ### If the offered checksum is successfully verified, proceed with booting. Otherwise, panic.
@@ -77,6 +85,8 @@ Verify_checksums() {
LIVE_VERIFY_CHECKSUMS_SIGNATURES="false" LIVE_VERIFY_CHECKSUMS_SIGNATURES="false"
_CHECKSUM_LOG=""
_KEYFILE="" _KEYFILE=""
_MP="" _MP=""
@@ -249,7 +259,7 @@ Verify_checksums() {
if /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"; then if /usr/bin/gpgv --keyring "${_KEYFILE}" --status-fd 1 "${_CHECKSUM_SIGNATURE}" "${_CHECKSUM}"; then
_RETURN_PGP="${?}" _RETURN_PGP="${?}"
log_in "Checking signature of: [${_CHECKSUM}] successful." log_ok "Checking signature of: [${_CHECKSUM}] successful."
else else
@@ -265,15 +275,22 @@ Verify_checksums() {
fi fi
# shellcheck disable=SC2312 # shellcheck disable=SC2312
if grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_TTY}"; then _CHECKSUM_LOG="/run/ciss-${_DIGEST}sum-check.log"
if grep -v '^#' "${_CHECKSUM}" | LC_ALL=C /usr/bin/"${_DIGEST}"sum -c > "${_CHECKSUM_LOG}" 2>&1; then
_RETURN_SHA="${?}" _RETURN_SHA="${?}"
cat "${_CHECKSUM_LOG}" > "${_TTY}"
log_ok "Found: [/usr/bin/${_DIGEST}sum] successful verified: [${_CHECKSUM}]" log_ok "Found: [/usr/bin/${_DIGEST}sum] successful verified: [${_CHECKSUM}]"
else else
_RETURN_SHA="${?}" _RETURN_SHA="${?}"
cat "${_CHECKSUM_LOG}" > "${_TTY}"
log_er "Found: [/usr/bin/${_DIGEST}sum] unsuccessful verified: [${_CHECKSUM}]" log_er "Found: [/usr/bin/${_DIGEST}sum] unsuccessful verified: [${_CHECKSUM}]"
log_er "Checksum verification failed. Failed entries:"
if ! grep -E ': FAILED$|FAILED open or read|No such file or directory|WARNING:' "${_CHECKSUM_LOG}" >&2; then
cat "${_CHECKSUM_LOG}" >&2
fi
fi fi
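Review bot: A manifest that contains a malformed line still passes verification, because `sum -c` ignores improperly formatted lines and exits 0 unless `--strict` is given; the `WARNING:` pattern in the failure grep only surfaces that summary in the failing branch, never in the passing one. If the initramfs carries the coreutils tool, `LC_ALL=C /usr/bin/"${_DIGEST}"sum --strict -c > "${_CHECKSUM_LOG}" 2>&1` makes such a manifest fail closed (a busybox implementation may not accept the flag, so confirm which binary the image ships). Note also that `2>&1` redirects only the checksum tool's stderr, so an error from `grep -v '^#'` on an unreadable manifest goes to the script's stderr rather than into `${_CHECKSUM_LOG}` and is not shown on `${_TTY}`. Verify_checksums continues outside the hunk.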
@@ -14,8 +14,13 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# Purpose: Late rootfs attestation and dmsetup health checking. # Module summary:
# Phase : executed by live-boot inside the 9990-main.sh. # - Runs after the encrypted live root filesystem has been decrypted.
# - Requires the pinned public key, attestation hash file, and detached signature to exist as readable, non-empty regular files
# inside the decrypted rootfs.
# - Verifies the attestation signature with gpgv against the pinned key material.
# - Confirms that the signature fingerprint matches the build-time expected rootfs fingerprint and panics on missing, malformed,
# or mismatched evidence.
_SAVED_SET_OPTS="$(set +o)" _SAVED_SET_OPTS="$(set +o)"
@@ -30,7 +35,7 @@ export CDLB_EXP_FPR="@EXP_FPR@"
export CDLB_EXP_CA_FPR="@EXP_CA_FPR@" export CDLB_EXP_CA_FPR="@EXP_CA_FPR@"
### Name of the top-level dm-crypt mapping (e.g., cryptsetup --label): zzzz_ciss_crypt_squash.hook.binary ---------------------- ### Name of the top-level dm-crypt mapping (e.g., cryptsetup --label): zzzz_ciss_crypt_squash.hook.binary ----------------------
CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-crypt_liveiso}" export CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-crypt_liveiso}"
### Attestation file locations inside decrypted rootfs. ------------------------------------------------------------------------ ### Attestation file locations inside decrypted rootfs. ------------------------------------------------------------------------
CDLB_ATTEST_FPR_SHA="${CDLB_ATTEST_FPR_SHA:-/root/root/.ciss/attestation/${CDLB_EXP_FPR}.gpg.sha512sum.txt}" CDLB_ATTEST_FPR_SHA="${CDLB_ATTEST_FPR_SHA:-/root/root/.ciss/attestation/${CDLB_EXP_FPR}.gpg.sha512sum.txt}"
@@ -66,33 +71,83 @@ log_ok() { printf '\e[92m[INFO] %s \n\e[0m' "$*"; }
####################################### #######################################
log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; } log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }
#######################################
# Validate a boot-time attestation input file.
# Globals:
# None
# Arguments:
# 1: Human-readable artifact label
# 2: Absolute artifact path
# Returns:
# 0: on success
#######################################
require_attestation_file() {
artifact_label="${1}"
artifact_path="${2}"
if [ ! -e "${artifact_path}" ]; then
if [ -L "${artifact_path}" ]; then
log_er "0042() : ${artifact_label} is a broken symlink, not a regular file: [${artifact_path}]"
panic "0042() : ${artifact_label} is a broken symlink, not a regular file: [${artifact_path}]"
fi
log_er "0042() : ${artifact_label} missing: [${artifact_path}]"
panic "0042() : ${artifact_label} missing: [${artifact_path}]"
fi
if [ -L "${artifact_path}" ] || [ ! -f "${artifact_path}" ]; then
log_er "0042() : ${artifact_label} is not a regular file: [${artifact_path}]"
panic "0042() : ${artifact_label} is not a regular file: [${artifact_path}]"
fi
if [ ! -s "${artifact_path}" ]; then
log_er "0042() : ${artifact_label} is empty: [${artifact_path}]"
panic "0042() : ${artifact_label} is empty: [${artifact_path}]"
fi
if [ ! -r "${artifact_path}" ]; then
log_er "0042() : ${artifact_label} is not readable: [${artifact_path}]"
panic "0042() : ${artifact_label} is not readable: [${artifact_path}]"
fi
return 0
}
HASH_FILE="${CDLB_ATTEST_FPR_SHA}" HASH_FILE="${CDLB_ATTEST_FPR_SHA}"
SIGN_FILE="${CDLB_ATTEST_FPR_SIG}" SIGN_FILE="${CDLB_ATTEST_FPR_SIG}"
KEYFILE="${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg" KEYFILE="${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg"
if [ -s "${KEYFILE}" ]; then require_attestation_file "Public key" "${KEYFILE}"
require_attestation_file "Attestation data" "${HASH_FILE}"
log_er "0042() : No public key found under: [${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]" require_attestation_file "Attestation signature" "${SIGN_FILE}"
panic "0042() : No public key found under: [${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"
fi
if [ -s "${HASH_FILE}" ]; then
log_er "0042() : Attestation data missing: [${HASH_FILE}]"
panic "0042() : Attestation data missing: [${HASH_FILE}]"
fi
if [ -s "${SIGN_FILE}" ]; then
log_er "0042() : Attestation signature missing: [${SIGN_FILE}]"
panic "0042() : Attestation signature missing: [${SIGN_FILE}]"
fi
log_in "0042() : Verifying rootfs attestation with 'gpgv' and inside LUKS encrypted rootfs pinned GPG FPR." log_in "0042() : Verifying rootfs attestation with 'gpgv' and inside LUKS encrypted rootfs pinned GPG FPR."
_STATUS="$(/usr/bin/gpgv --keyring "${KEYFILE}" --status-fd 1 "${SIGN_FILE}" "${HASH_FILE}")"
if ! _STATUS="$(/usr/bin/gpgv --keyring "${KEYFILE}" --status-fd 1 "${SIGN_FILE}" "${HASH_FILE}" 2>&1)"; then
log_er "0042() : gpgv verification failed for signature: [${SIGN_FILE}]"
if [ -n "${_STATUS}" ]; then
printf '%s\n' "${_STATUS}" >&2
fi
sleep 8
panic "0042() : gpgv verification failed for signature: [${SIGN_FILE}]"
fi
_CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')" _CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"
### Compare against pinned and expected fingerprint. --------------------------------------------------------------------------- ### Compare against pinned and expected fingerprint. ---------------------------------------------------------------------------
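Review bot: `require_attestation_file` still returns 0 after a failed check if `panic` returns, which the initramfs-tools `panic` can do once the operator leaves the rescue shell; the caller then proceeds as though the artifact were valid. End each failure branch with `return 1` after its `panic` call and make the callers fail closed, e.g. `require_attestation_file "Public key" "${KEYFILE}" || exit 1`; the same applies to the gpgv failure block, where execution would otherwise fall through to the VALIDSIG parse with an empty `_STATUS`. Because the keyring, hash file and signature are all read from the same decrypted rootfs, the only independent anchor is the build-time `CDLB_EXP_FPR`, so the comparison that follows should treat an empty `_CDLB_SIG_FILE_FPR` as a mismatch. The helper also leaves `artifact_label`/`artifact_path` as globals; `local artifact_label="${1}" artifact_path="${2}"` is accepted by dash. The fingerprint comparison itself lies outside the hunk.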
