V9.14.028.2026.06.18

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
V9.14.026.2026.06.17
2026-06-18 10:49:41 +01:00 · 2026-06-18 06:46:41 +01:00 · 2026-06-17 21:55:52 +01:00 · 2026-06-17 18:44:12 +01:00 · 2026-06-17 17:14:45 +01:00 · 2026-06-17 16:31:47 +01:00
166 changed files with 5367 additions and 825 deletions
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 if [[ ! -d "${VAR_HANDLER_BUILD_DIR}"/config/includes.chroot/etc/dhcp ]]; then

@@ -107,7 +107,7 @@ options edns0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' successfully applied. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -46,11 +46,26 @@ Verify_checksums() {

  LIVE_VERIFY_CHECKSUMS_SIGNATURES="false"

+  _CHECKSUM_LOG_DIR="${LIVE_VERIFY_CHECKSUMS_LOG_DIR:-/run}"
+
  _KEYFILE=""

  _MP=""

+  _MANIFEST_FOUND="false"
+
+  _TOOL_FOUND="false"
+
+  _VERIFICATION_EXECUTED="false"
+
+  _VERIFICATION_SUCCEEDED="false"
+
+  _RETURN_PGP=""
+
+  _RETURN_SHA=""
+
  ### Parse commandline arguments ----------------------------------------------------------------------------------------------
+  # shellcheck disable=SC2154
  for _PARAMETER in ${LIVE_BOOT_CMDLINE}; do

    case "${_PARAMETER}" in
@@ -107,6 +122,14 @@ Verify_checksums() {

  done

+  if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ] && [ -z "${_KEYFILE}" ]; then
+
+    printf "\e[91m[FATAL] No pinned GPG key file found while checksum signature verification is enabled. \n\e[0m"
+    sleep 8
+    panic "No pinned GPG key file found while checksum signature verification is enabled."
+
+  fi
+
  # shellcheck disable=SC2164
  cd "${_MOUNTPOINT}"

@@ -203,10 +226,14 @@ Verify_checksums() {

      if [ -e "${_CHECKSUM}" ]; then

+        _MANIFEST_FOUND="true"
+
        printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "${_CHECKSUM}"

        if [ -e "/usr/bin/${_DIGEST}sum" ]; then

+          _TOOL_FOUND="true"
+
          printf "\e[95m[INFO] Found: [%s] ... \n\e[0m" "/usr/bin/${_DIGEST}sum"

          if [ "${LIVE_VERIFY_CHECKSUMS_SIGNATURES}" = "true" ]; then
@@ -234,18 +261,34 @@ Verify_checksums() {
          fi

          # shellcheck disable=SC2312
-          if grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_TTY}"; then
+          _VERIFICATION_EXECUTED="true"
+          _CHECKSUM_LOG="${_CHECKSUM_LOG_DIR}/ciss-${_DIGEST}sum-check.log"
+          if ! grep -v '^#' "${_CHECKSUM}" | grep -q '[^[:space:]]'; then
+
+            _RETURN_SHA="254"
+            : > "${_CHECKSUM_LOG}"
+            printf "\e[91m[FATAL] Checksum manifest has no checksum entries: [%s] \n\e[0m" "${_CHECKSUM}"
+
+          elif grep -v '^#' "${_CHECKSUM}" | /usr/bin/"${_DIGEST}"sum -c > "${_CHECKSUM_LOG}" 2>&1; then

            _RETURN_SHA="${?}"
+            cat "${_CHECKSUM_LOG}" > "${_TTY}"
            printf "\e[92m[INFO] Found: [%s] successful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"

          else

            _RETURN_SHA="${?}"
+            cat "${_CHECKSUM_LOG}" > "${_TTY}"
            printf "\e[91m[FATAL] Found: [%s] unsuccessful verified: [%s] \n\e[0m" "/usr/bin/${_DIGEST}sum" "${_CHECKSUM}"

          fi

+          if { [ "${_RETURN_PGP}" = "0" ] || [ "${_RETURN_PGP}" = "na" ]; } && [ "${_RETURN_SHA}" = "0" ]; then
+
+            _VERIFICATION_SUCCEEDED="true"
+
+          fi
+
          # Stop after the first verification.
          break 2

@@ -265,6 +308,36 @@ Verify_checksums() {
  log_end_msg
  printf "\n"

+  if [ "${_MANIFEST_FOUND}" != "true" ]; then
+
+    printf "\e[91m[FATAL] No supported checksum manifest found. Checksum verification is fail-closed. \n\e[0m"
+    sleep 8
+    panic "No supported checksum manifest found. Checksum verification is fail-closed."
+
+  fi
+
+  if [ "${_TOOL_FOUND}" != "true" ]; then
+
+    printf "\e[91m[FATAL] Checksum manifest found, but no supported checksum tool is available. Checksum verification is fail-closed. \n\e[0m"
+    sleep 8
+    panic "Checksum manifest found, but no supported checksum tool is available. Checksum verification is fail-closed."
+
+  fi
+
+  if [ "${_VERIFICATION_EXECUTED}" != "true" ]; then
+
+    printf "\e[91m[FATAL] Checksum verification was not executed. Checksum verification is fail-closed. \n\e[0m"
+    sleep 8
+    panic "Checksum verification was not executed. Checksum verification is fail-closed."
+
+  fi
+
+  if [ "${_VERIFICATION_SUCCEEDED}" != "true" ]; then
+
+    printf "\e[91m[FATAL] Checksum verification did not complete successfully. Evaluating fail-closed failure state. \n\e[0m"
+
+  fi
+
  case "${_RETURN_PGP},${_RETURN_SHA}" in

    "0,0")
@@ -304,6 +377,12 @@ Verify_checksums() {
      panic "Verification of checksum file failed."
      ;;

+    *)
+      printf "\e[91m[FATAL] Unknown checksum verification state: [%s,%s]. \n\e[0m" "${_RETURN_PGP:-unset}" "${_RETURN_SHA:-unset}"
+      sleep 8
+      panic "Unknown checksum verification state. Checksum verification is fail-closed."
+      ;;
+
  esac
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -296,7 +296,7 @@ ln -sf /etc/systemd/system/ciss-memwipe.service /etc/systemd/system/multi-user.t

 systemctl enable ciss-memwipe.service

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 mkdir -p /etc/systemd/system/clamav-daemon.service.d
 cat << 'EOF' >| /etc/systemd/system/clamav-daemon.service.d/override.conf
@@ -69,7 +69,7 @@ CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SYS_NICE
 EOF
 chmod 0644 /etc/systemd/system/clamav-freshclam.service.d/override.conf

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
@@ -63,7 +63,7 @@ EOF

 chmod 0644 /etc/network/interfaces

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.004.2026.05.17
+# Version Master V9.14.028.2026.06.18

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.004.2026.05.17
+# Version Master V9.14.028.2026.06.18

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.004.2026.05.17
+# Version Master V9.14.028.2026.06.18

 name: 💙 Generating a PUBLIC Live ISO.

@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V9.14.004.2026.05.17"
+      placeholder: "e.g., Master V9.14.028.2026.06.18"
    validations:
      required: true

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.004.2026.05.17
+# Version Master V9.14.028.2026.06.18

 FROM debian:bookworm

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.004.2026.05.17
+# Version Master V9.14.028.2026.06.18

 name: 🔁 Render README.md to README.html.

@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V9.14.004.2026.05.17
+  version: V9.14.028.2026.06.18
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V9.14.004.2026.05.17
+  version: V9.14.028.2026.06.18
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V9.14.004.2026.05.17
+  version: V9.14.028.2026.06.18
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.004.2026.05.17
+# Version Master V9.14.028.2026.06.18

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.004.2026.05.17
+# Version Master V9.14.028.2026.06.18

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.004.2026.05.17
+# Version Master V9.14.028.2026.06.18

 name: 💙 Generating a PUBLIC Live ISO.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.004.2026.05.17
+# Version Master V9.14.028.2026.06.18

 # Gitea Workflow: Shell-Script Linting
 #
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.004.2026.05.17
+# Version Master V9.14.028.2026.06.18

 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.004.2026.05.17
+# Version Master V9.14.028.2026.06.18

 name: 🔁 Render Graphviz Diagrams.

@@ -16,5 +16,11 @@ target/
 *.log
 *.ps1
 config.mk
+ciss.secureboot/private/*
+!ciss.secureboot/private/README.md
+ciss.secureboot/manifests/*
+!ciss.secureboot/manifests/.gitkeep
+ciss.secureboot/uki/*
+!ciss.secureboot/uki/.gitkeep
 Thumbs.db
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V9.14.004.2026.05.17"
+properties_version="V9.14.028.2026.06.18"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -1,85 +1,124 @@
 # AGENTS.md

-## Repository purpose
+## Purpose

-This repository builds and maintains Debian-based live/installer infrastructure.
-Treat changes as security-sensitive and boot-chain-sensitive.
-Follow `docs/CODING_CONVENTION.md` for coding style and `code_review.md` for reviews.
+This repository builds and maintains the CISS Debian Live Builder for Debian 13 Trixie.
+Treat every change as security-sensitive and boot-chain-sensitive.
+
+Persistent coding details live in `docs/CODING_CONVENTION.md`.
+Review-only instructions live in `code_review.md`.
+
+## Instruction precedence for this repository
+
+Use this order when instructions differ:
+
+1. The current user task prompt defines the immediate objective and task-specific acceptance criteria.
+2. This `AGENTS.md` defines repository-wide constraints and routing guidance.
+3. `docs/CODING_CONVENTION.md` defines detailed coding conventions.
+4. `code_review.md` applies when performing a review or final self-review.
+5. Personal/global Codex instructions apply only where they do not conflict with repository rules.
+
+When in doubt, choose the safer, smaller, more easily reviewable change and explain the uncertainty.

 ## Non-negotiable constraints

- Target distribution: Debian 13 Trixie unless explicitly stated otherwise.
+- Target Debian 13 Trixie unless the task explicitly states otherwise.
 - Do not introduce Ubuntu-specific assumptions.
- Do not invent live-build, initramfs, cryptsetup, systemd, GRUB, or Debian package behavior. Verify against existing files or
-  official documentation.
- Do not add phase-argument gates to live-boot/initramfs scripts. Script execution is controlled by Debian hook placement.
- Preserve encrypted-root / encrypted-SquashFS architecture unless the task explicitly changes it.
- Prefer simple, inspectable Bash over clever abstractions.
+- Do not invent live-build, live-boot, initramfs, cryptsetup, systemd, GRUB, Debian package, or upstream tool behavior.
+- Verify uncertain behavior against existing repository code or authoritative upstream documentation.
+- Do not add phase-argument gates to live-boot or initramfs scripts. Execution phase is controlled by Debian hook placement.
+- Preserve encrypted-root and encrypted-SquashFS architecture unless the task explicitly changes it.
+- Prefer simple, explicit, inspectable Bash over clever abstraction.
+- Do not use `eval`.
+- Do not print secrets, private keys, passphrases, tokens, or sensitive environment values.

-## Repository workflow
+## Repository map
+
+Common areas:
+
+- `ciss_live_builder.sh`, `lib/*.sh`: host-side orchestration and argument handling.
+- `makefile`: local wrapper for composing and executing builder invocations.
+- `config/hooks/live/*.chroot`: live-build chroot hooks.
+- `config/hooks/live/*.binary`: live-build binary-image hooks.
+- `config/includes.chroot/etc/initramfs-tools/hooks/*`: initramfs build hooks.
+- `config/includes.chroot/etc/initramfs-tools/scripts/*`: initramfs boot scripts.
+- `config/includes.chroot/usr/lib/live/boot/*`: live-boot runtime scripts.
+- `scripts/*`: helper scripts or files copied into the generated image.
+- `docs/*`: project documentation and conventions.
+
+## Working method

 Before editing:
- Inspect the relevant scripts, hooks, config files, README files, and existing naming conventions.
- Identify the exact boot/build phase affected by the change.
- Explain the minimal intended change.

-Boot/build phases:
- host-side orchestration: `ciss_live_builder.sh`, `lib/*.sh`, `makefile`
- live-build hooks: `config/hooks/live/*.chroot` and `config/hooks/live/*.binary`
- initramfs hooks/scripts: `config/includes.chroot/etc/initramfs-tools/*`
- live-boot runtime scripts: `config/includes.chroot/usr/lib/live/boot/*`
+1. Inspect the relevant scripts, hooks, configuration files, documentation, tests, and naming conventions.
+2. Identify the affected build or boot phase.
+3. Give a concise implementation plan and list the likely files to touch, unless the change is trivial.
+
+While editing:
+
+- Keep changes minimal and local to the task.
+- Preserve existing architecture, naming style, error handling, formatting, and security posture.
+- Do not perform unrelated cleanup or formatting churn.
+- Reuse existing helper functions for logging, fatal errors, validation, downloads, temporary files, and tool checks where available.
+- Do not introduce new runtime dependencies unless technically necessary and justified.

 After editing:
- Run the most relevant available checks.
- At minimum, run syntax checks for changed shell scripts:
-  - `bash -n <file>`
-  - `shellcheck <file>` if available
- If POSIX shell scripts are changed, run `sh -n <file>` where Bash syntax is not expected.
- If the make wrapper or builder argument composition changes, run `make dry-run`.
- If Python files are introduced or changed:
-  - `ruff check`
-  - `mypy`
-  - `pytest` if tests exist
- If CLI options or user-facing behavior change, update `usage()` and the relevant README/docs.
- If live-build, initramfs, or ISO behavior changes, describe the required Debian Trixie live-build or ISO validation command.

-## Bash conventions
+- Run only the narrowest checks that prove the change.
+- Changed Bash files: run `bash -n <file>` and `shellcheck <file>` if ShellCheck is available.
+- Changed POSIX shell files, if any exist and must remain POSIX: run `sh -n <file>`.
+- Make wrapper or builder argument-composition changes: run the relevant dry-run or help/parser check, usually `make dry-run` if available.
+- Changed Python files: run the repository's relevant Python checks if present.
+- CLI or user-facing behavior changes: update `usage()` and relevant documentation.
+- Live-build, initramfs, or ISO behavior changes: state the required Debian Trixie validation command. Do not run a full live build unless requested or necessary.

- Use explicit error handling.
- Quote expansions.
- Prefer arrays where word splitting matters.
- Avoid `eval`.
+## Bash conventions summary
+
+See `docs/CODING_CONVENTION.md` for detail.
+
+- Use Bash for new and modified project scripts unless an existing Debian interface file explicitly requires POSIX shell.
+- Prefer `set -Ceuo pipefail` where feasible.
+- Use `declare` for variables inside functions.
+- Quote expansions unless word splitting or globbing is explicitly required.
+- Prefer arrays where argument boundaries matter.
+- Use `[[ ... ]]` for Bash conditionals.
+- Use `case` for option dispatch and multi-branch string handling.
 - Avoid parsing `ls`.
+- Prefer `command -v` over `which`.
 - Keep functions small and readable.
- Use English comments.
- Explain security-sensitive fallbacks.
- Fail closed where possible.
+- End functions explicitly with `return 0` where consistent with surrounding code.
+- Code comments must be in English.

-## Python conventions
-
- Use Python 3.14-compatible code unless the project states otherwise.
- Use pathlib.
- Add type hints.
- Keep ruff and mypy compatibility.
- Avoid broad `except Exception` unless justified and logged.
- Prefer explicit models/config objects over unstructured dictionaries for durable interfaces.
-
-## Security review checklist
+## Security-sensitive areas

 Before finalizing a change, check whether it affects:
+
 - boot trust
 - initramfs behavior
+- live-boot runtime behavior
 - cryptsetup/LUKS handling
+- encrypted SquashFS handling
 - key material
 - remote unlock
- TLS/mTLS verification
- signature/hash verification
+- TLS, mTLS, signature, checksum, or provenance verification
+- package sources or remote downloads
 - network exposure
 - file permissions
 - persistence
 - logging of sensitive values

-If affected, document the risk and mitigation in the final response.
+If affected, document the concrete risk and mitigation in the final response.
+
+## Final response
+
+Return a concise implementation report:
+
+- changed files
+- what changed
+- checks run and result
+- real remaining risks or follow-up steps
+
+Do not claim success for checks that were not run.

 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V9.14.004.2026.05.17
+PackageVersion: Master V9.14.028.2026.06.18
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.004.2026.05.17-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.028.2026.06.18-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -12,9 +12,9 @@ include_toc: true
 [![Static Badge](https://badges.coresecret.dev/badge/Shellstyle-Google-white?style=plastic&logo=google&logoColor=white&logoSize=auto&label=Shellstyle&color=%234285F4)](https://google.github.io/styleguide/shellguide.html)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Gitea-1.26.1-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=gitea&color=%23609926)](https://docs.gitea.com/) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/Runner-1.0.3-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=runner&color=%23609926)](https://docs.gitea.com/) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2026.1.1-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
-[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.11-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/Runner-1.0.8-white?style=plastic&logo=gitea&logoColor=white&logoSize=auto&label=runner&color=%23609926)](https://docs.gitea.com/) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/IntelliJ-2026.1.3-white?style=plastic&logo=intellijidea&logoColor=white&logoSize=auto&label=IntelliJ&color=%23000000)](https://www.jetbrains.com/store/?section=personal&billing=yearly) &nbsp;
+[![Static Badge](https://badges.coresecret.dev/badge/keepassxc-2.7.12-white?style=plastic&logo=keepassxc&logoColor=white&logoSize=auto&label=KeePassXC&color=%236CAC4D)](https://keepassxc.org/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/netcup-Netcup-white?style=plastic&logo=netcup&logoColor=white&logoSize=auto&label=powered&color=%23056473)](https://www.netcup.com/de) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/powered-Centurion-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=powered&color=%230F243E)](https://coresecret.eu/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/SocialMedia-@coresecret_eu-white?style=plastic&logo=x&logoColor=white&logoSize=auto&label=SocialMedia&color=%23000000)](https://x.com/coresecret_eu) &nbsp;
@@ -27,7 +27,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.004.2026.05.17<br>
+**Build**: V9.14.028.2026.06.18<br>

 **CISS.debian.live.builder — First of its own.**<br>
 **World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.**
@@ -46,9 +46,10 @@ Beyond a conventional live system, **CISS.debian.live.builder** assembles a **fu
 in a single, deterministic build step: a LUKS2 container backed by `dm-integrity` hosting the SquashFS root filesystem, combined
 with a hardened initramfs chain including a dedicated Dropbear build pipeline for remote LUKS unlock. The resulting ISO ships
 with a hardened kernel configuration, strict sysctl and network tuning, pre-configured SSH hardening and fail2ban, and a
-customised `verify-checksums` path providing both ISO-edge verification and runtime attestation of the live root. All components
-are aligned with the `CISS.debian.installer` baseline, ensuring a unified cryptographic and security posture from first boot to 
-an installed system. For an overview of the entire build process, see:
+customised `verify-checksums` path providing fail-closed mounted-medium verification plus runtime attestation of the exact
+final SquashFS payload bytes selected for the encrypted live root. All components are aligned with the `CISS.debian.installer`
+baseline, ensuring a unified cryptographic and security posture from first boot to an installed system. For an overview of the
+entire build process, see:
 **[MAN_CISS_ISO_BOOT_CHAIN.md](docs/MAN_CISS_ISO_BOOT_CHAIN.md)**

 When built with the ``--dhcp-centurion`` profile, the live system ships with a strict network and resolver policy: 
@@ -60,12 +61,17 @@ and spoofing surfaces.

 Internally, the builder employs a dedicated secret-handling pipeline backed by a tmpfs-only secrets directory
 (`/dev/shm/cdlb_secrets`). Sensitive material such as root passwords, SSH keys, and signing keys never appears on the command
-line, is guarded by strict `0400 root:root` permissions, and any symlink inside the secret path is treated as a hard failure
-that aborts the run. Critical code paths temporarily disable Bash xtrace so that credentials never leak into debug logs, and
-transient secret files are shredded (`shred -fzu`) as soon as they are no longer needed. GNUPG homes used for signing are
-wiped, unencrypted chroot artifacts and includes are removed after `lb build`, and the final artifact is reduced to the
-encrypted SquashFS inside the LUKS2 container. At runtime, LUKS passphrases in the live ISO and installer are transported via
-named pipes inside the initramfs instead of process arguments, further minimizing exposure in process listings.
+line. The secret root must be an existing `root:root` tmpfs or ramfs directory with `0700` permissions and no symlinks or
+special files below it. Filename-only secret arguments are rejected when they contain path separators, traversal names, shell
+metacharacters, or unsafe leading dashes. Critical code paths temporarily disable Bash xtrace so that credentials never leak
+into debug logs; the final exact-value sanitization pass runs only after xtrace has been stopped and its debug file descriptor
+has been closed, then redacts still-known secret values from debug, variable, and error logs as defense in depth. Transient
+secret files are shredded (`shred -fzu`) as soon as they are no longer needed; this is best-effort on SSD/NVMe media, so the
+architecture relies primarily on tmpfs for secret staging. GNUPG homes used for signing are wiped,
+unencrypted chroot artifacts and includes are removed after `lb build`, and cleanup is intentionally destructive only inside
+the exact build directory carrying the `.ciss-live-builder-owned` marker. At runtime, LUKS passphrases in the live ISO and
+installer are transported via named pipes inside the initramfs instead of process arguments, further minimizing exposure in
+process listings.

 Check out more leading world-class services powered by Centurion Intelligence Consulting Agency:
 * [CenturionDNS Resolver](https://eddns.eu/)
@@ -123,7 +129,7 @@ lockstep avoids those mismatches and gives me predictable artifacts across build

 The live ISO acts as a sealed, immutable execution environment. All relevant configuration, all installation logic, and all 
 security decisions are rendered into the image at build time and treated as read-only at runtime. On top of that logical 
- immutability, I now layer cryptographic protection of the live root file system itself. The live image contains a LUKS2 container
+immutability, I now layer cryptographic protection of the live root file system itself. The live image contains a LUKS2 container
 file with dm-integrity that wraps the SquashFS payload. The initramfs knows how to locate this container, unlock it, verify its 
 integrity, and then present the decrypted SquashFS as the root component of an OverlayFS stack. The detailed boot and 
 verification chain is documented separately in **[CISS ISO Boot Chain](docs/MAN_CISS_ISO_BOOT_CHAIN.md)**<br>
@@ -131,7 +137,7 @@ verification chain is documented separately in **[CISS ISO Boot Chain](docs/MAN_
 In compact form, my expectations for the system are:<br>

 * Every bit that matters for boot and provisioning is covered by checksums that I control and that are signed with keys under my solely authoritative HSM.
-* The live root runs out of a LUKS2 dm-integrity container so that a tampered or bit-rotted SquashFS never becomes a trusted root.
+* The live root runs out of a LUKS2 dm-integrity container, and the final SquashFS byte stream copied into the decrypted mapper is verified against a signed rootfs attestation manifest, so a tampered or bit-rotted SquashFS never becomes a trusted root. During boot, `0024-ciss-crypt-squash` copies `/live/filesystem.squashfs.sha512sum.txt[.sig]` from the real ISO medium to `/run/ciss-rootfs-attestation/`; `0042_ciss_post_decrypt_attest` then verifies that cached manifest/signature pair against `/etc/ciss/keys/<FPR>.gpg` and the exact bytes read from `/dev/mapper/crypt_liveiso`.
 * Verification steps are not advisory. Any anomaly causes a hard abort during boot.
 * After the live environment has reached a stable, verified state, it can hand off to ``CISS.debian.installer``. The installer operates from the same image, does not pull random payloads from the internet, and keeps the target system behind a hardened firewall until the entire provisioning process has completed.
 * For unattended, headless scenarios I also support builds where the target system is installed without ever exposing a shell over the console. After installation and reboot, the machine waits for a decryption passphrase via an embedded Dropbear SSH instance in the initramfs, limited to public key authentication and guarded by strict cryptographic policies. In such variants even ``/boot`` can be encrypted, with GRUB taking care of unlocking the boot partition.
@@ -175,7 +181,7 @@ installer toolchain.

 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.

-Example: `V9.14.004.2026.05.17`
+Example: `V9.14.028.2026.06.18`

 `x.y.z` represents major (x), minor (y), and patch (z) version increments.

@@ -237,7 +243,7 @@ deliberate design decision.

 ### 2.1.2. CPU Vulnerability Mitigations

-I build the kernels with the relevant mitigations for Spectre, Meltdown, L1TF, MDS, TAA, Retbleed, and related families activated. 
+I build the kernels with the relevant mitigations for Specter, Meltdown, L1TF, MDS, TAA, Retbleed, and related families activated. 
 The ``mitigations=auto,nosmt`` flag ensures that new mitigations integrated into the mainline kernel become effective as they 
 are added, instead of requiring that I micromanage every single toggle. The residual performance cost is acceptable in the 
 context I am targeting; stale mitigations can be revisited, but missing mitigations will not be.
@@ -365,6 +371,11 @@ For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-cis
 ## 2.9. UFW Hardening

 * **Description**: Defaults to `deny incoming` and (optionally) `deny outgoing`; automatically opens only whitelisted ports.
+* **Primordial SSH exception**: `--primordial-url <https-git-url>`, `--primordial-key <ssh-identity-filename>` and
+  `--primordial-ssh <port>` configure the CDI Primordial overlay clone. `--primordial-ssh` also adds an outgoing-only UFW TCP
+  exception for a bootstrap/recovery SSH port when the live system's UFW outgoing policy is `deny`. It adds no incoming firewall
+  rule and does not replace `--ssh-port`. If the requested port already matches an existing outgoing SSH exception, the current
+  hook still emits the requested labeled rule because this repository has no separate UFW rule deduplication layer.
 * **Rationale**: Implements a default-deny firewall, reducing lateral movement and data exfiltration risks immediately after
  deployment.

@@ -488,10 +499,13 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e
   
 2. Preparation:
   1. Ensure you are root.
-   2. Create the build directory `mkdir /opt/cdlb` and the tmpfs secrets directory `mkdir /dev/shm/cdlb_secrets`.
+   2. Create the build directory `install -d -m 0755 -o root -g root /opt/cdlb` and the tmpfs secrets directory
+      `install -d -m 0700 -o root -g root /dev/shm/cdlb_secrets`.
   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory.
   4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory.
-   5. Make any other changes you need to.
+   5. Keep files below `/dev/shm/cdlb_secrets` as regular, non-symlink files owned by `root:root`; the builder normalizes them
+      to `0400` before use.
+   6. Make any other changes you need to.

 3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):

@@ -500,7 +514,7 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e
   timestamp=$(date -u +%Y-%m-%dT%H:%M:%S%z)
   ./ciss_live_builder.sh \
     --architecture amd64 \
-     --autobuild=6.16.3+deb13-amd64 \
+     --autobuild=7.0.10+deb13-amd64 \
     --build-directory /opt/cdlb \
     --cdi \
     --change-splash hexagon \
@@ -514,15 +528,25 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e
     --reionice-priority 1 2 \
     --renice-priority "-19" \
     --root-password-file /dev/shm/cdlb_secrets/password.txt \
+     --secure-boot-profile debian-shim \
+     --sops-version 3.13.1 \
     --signing_key_fpr=98089A472CCF4601CD51D7C7095D36535296EA14B8DE92198723C4DC606E8F76 \
     --signing_key_pass=signing_key_pass.txt \
     --signing_key=signing_key.asc \
     --ssh-port 4242 \
+     --primordial-key SSH-key-filename-for-Primordial-overlay-clone \
+     --primordial-ssh SSH-port-for-Primordial-overlay-clone \
+     --primordial-url URL-to-Primordial-overlay-clone \
     --ssh-pubkey /dev/shm/cdlb_secrets \
     --sshfp \
     --trixie
   ````

+   `--sops-version` selects the upstream SOPS release installed into the live system. If omitted, the builder uses
+   `VAR_SOPS_VERSION` from `var/global.var.sh`. The SOPS hook verifies the upstream checksums file with Cosign and supports
+   both the newer Sigstore bundle asset, and the legacy-split certificate/signature assets before checking the downloaded
+   SOPS binary with `sha256sum -c --ignore-missing`.
+
 4. Locate your ISO in the `--build-directory`.
 5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel.
 6. Type `sysp` for the final kernel hardening features.
@@ -544,10 +568,13 @@ preview it or run it.

 2. Preparation:
   1. Ensure you are root.
-   2. Create the build directory `mkdir /opt/cdlb` and the tmpfs secrets directory `mkdir /dev/shm/cdlb_secrets`.
+   2. Create the build directory `install -d -m 0755 -o root -g root /opt/cdlb` and the tmpfs secrets directory
+      `install -d -m 0700 -o root -g root /dev/shm/cdlb_secrets`.
   3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory.
   4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory.
-   5. Copy and edit the sample and set your options (no spaces around commas in lists): 
+   5. Keep files below `/dev/shm/cdlb_secrets` as regular, non-symlink files owned by `root:root`; the builder normalizes them
+      to `0400` before use.
+   6. Copy and edit the sample and set your options (no spaces around commas in lists):

    ````bash
    cp config.mk.sample config.mk
@@ -556,10 +583,15 @@ preview it or run it.
    ````bash
    BUILD_DIR=/opt/cdlb
    ROOT_PASSWORD_FILE=/dev/shm/cdlb_secrets/password.txt
+    SECURE_BOOT_PROFILE=debian-shim
+    SOPS_VERSION=3.13.1
    SSH_PORT=4242
    SSH_PUBKEY=/dev/shm/cdlb_secrets

    # Optional
+    PRIMORDIAL_KEY=SSH-key-filename-for-Primordial-overlay-clone
+    PRIMORDIAL_SSH_PORT=SSH-port-for-Primordial-overlay-clone
+    PRIMORDIAL_URL=URL-to-Primordial-overlay-clone
    PROVIDER_NETCUP_IPV6=2001:cdb::1
    # comma-separated; IPv6 in [] is fine
    JUMP_HOSTS=[2001:db8::1],[2001:db8::2]     
@@ -569,7 +601,31 @@ preview it or run it.

 4. Execute the build: ````make live````

-## 5.3. CI/CD Gitea Runner Workflow Example
+## 5.3. Secure Boot Profiles
+
+The default build profile is ``--secure-boot-profile debian-shim``. It keeps the ISO broadly portable: ``lb config`` uses an
+``iso-hybrid`` image with both ``grub-pc`` and ``grub-efi`` bootloaders, and UEFI Secure Boot remains delegated to live-build's
+standard Microsoft-signed Debian shim plus Debian-signed GRUB path.
+
+The custom profile is ``--secure-boot-profile ciss-uki``. It is intended for amd64 systems whose firmware trusts the CISS Secure
+Boot key material through the platform Secure Boot database, or a custom PK/KEK/db model. In this profile a late binary hook
+builds a Unified Kernel Image from the final ``binary/live/vmlinuz-*`` and ``binary/live/initrd.img-*`` artifacts, signs it with
+``ciss.secureboot/private/ciss-efi-image.key`` and ``ciss.secureboot/public/ciss-efi-image.crt``, rebuilds
+``binary/boot/grub/efi.img``, installs the signed UKI as ``EFI/BOOT/BOOTX64.EFI``, and mirrors it into the ISO EFI tree when
+live-build created one.
+
+Required files for ``ciss-uki``:
+
+````text
+ciss.secureboot/private/ciss-efi-image.key
+ciss.secureboot/public/ciss-efi-image.crt
+````
+
+The private directory is ignored by Git. The hooks fail if the CISS EFI image signing key or module signing key appears below
+``binary/``, ``chroot/`` or ``config/includes.*``. Build-time UKI manifests are written below the build directory in
+``ciss.secureboot/manifests`` and can be checked with ``ukify inspect`` and ``sbverify``.
+
+## 5.4. CI/CD Gitea Runner Workflow Example

 1. Clone the repository:

@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.004.2026.05.17<br>
+**Build**: V9.14.028.2026.06.18<br>

 # 2. Repository Structure

 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **9.14**, Build **V9.14.004.2026.05.17** (as of 2025-10-11)
+**Repository State:** Master Version **9.14**, Build **V9.14.028.2026.06.18** (as of 2025-10-11)

 ## 3.1. Top-Level Layout

@@ -0,0 +1,33 @@
+                                          .-=+*###%%###*+=-:.
+                                      :=*%%@@@@@@@@@@@@@@@@@%#*-.
+                                   :+%@@@@%%%%@@@@@@@@%%%%%%@@@@@%*:
+                                 -#@@@%%%%@@@@%#****#%%@@@%%@@%#+=-:.
+                               .#@@%%%%%@@#+:..:::-::::-=#@@%=.
+                              -%@%%%%%%@#: .=*%@@@@@@%#+-.:=
+                             =@%%%%%%%@= .*@@@@%%%%%%%@@@%=
+                            :@%%%%%%%@+ :%@%%%%%%%%%%%%%%@@#%+
+                            #%%%%%%%%%  #@%%%%%%%%%%%%%%%%%@@%.
+                           -@%%%%%%%@#  %%%%%%%%%%%%%%%%%@@@%@*
+                           *%%%%%%%%@%  *@%%%%%%%%%%%%%%%#*#%%@:
+                           *@%%%%%%%%@- :@%%%%%%%%%%%%%%%%-   ..
+                           *%%%%%%%%%%#. +@%%%%%%%%%%%%%%@@*.
+                           -@%%%%%%%%%@-  #%%%%%%%%@@@@@%%%@@%%%+
+                            %%%%%%%%%%:   -@%%%%%@@%**#%@%%%%@%@%
+                            -@%%%%%%@+    :@%%%@@*:     =@%%%%%%:
+                             +@%%%%%@.    +@%%@#:        #@%%%@-
+                              *@%%@@=    :%%@@+          *%%%@#
+                               =@%#-    :%@@#-          :@@%%%-
+                                ..     =@%*-            .+#%@%.
+                                      :+-.                 .=*
+
+  ____ ___ ____ ____      _      _     _               _ _             _           _ _     _
+ / ___|_ _/ ___/ ___|  __| | ___| |__ (_) __ _ _ __   | (_)_   _____  | |__  _   _(_) | __| | ___ _ __
+| |    | |\___ \___ \ / _` |/ _ \ '_ \| |/ _` | '_ \  | | \ \ / / _ \ | '_ \| | | | | |/ _` |/ _ \ '__|
+| |___ | | ___) |__) | (_| |  __/ |_) | | (_| | | | |_| | |\ V /  __/_| |_) | |_| | | | (_| |  __/ |
+ \____|___|____/____(_)__,_|\___|_.__/|_|\__,_|_| |_(_)_|_| \_/ \___(_)_.__/ \__,_|_|_|\__,_|\___|_|
+
+Debian Trixie | Hardened Live ISO Builder | Encrypted Root Path | Verified Boot Chain | LUKS Integrity
+
+Preparing Builder...
+
+Please wait...
@@ -0,0 +1,37 @@
+                              .:-=++***#####***+==-:.
+                        .-=*#%%@@@@@@@@@@@@@@@@@@@@@%%#*=-.
+                    .=*#@@@@@@@%%%%%%%%%%%%%%%%%%%%%@@@@@@@%*=:
+                 :+#@@@@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@%*=.
+              .+#@@@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@#=:
+            :*%@@%%%%%%%%%%%%%%%%@@@@@@@@@@@@@%%%%%%%%%%%%%%%%@@@@%%%*=
+          :*@@%%%%%%%%%%%%%%@@@@@%%#*******#%%@@@@%%%%%%%%%@@%#+-:.
+        .+@@%%%%%%%%%%%%%%@@%#+-.             .-+#%@@%%%%@@#=.
+       -%@%%%%%%%%%%%%%@@%*-.    :-+**####**+-:   .-*%@@@*:
+      +@@%%%%%%%%%%%%%@%+.   :+#%@@@@@@@@@@@@@@%#+:  .+#:
+     *@%%%%%%%%%%%%%%@*.   =#@@@@%%%%%%%%%%%%%%@@@@#-
+    *@%%%%%%%%%%%%%%@-   -%@@%%%%%%%%%%%%%%%%%%%%%%@@#-
+   +@%%%%%%%%%%%%%%@-   +@@%%%%%%%%%%%%%%%%%%%%%%%%%%@@+-*#
+  -@%%%%%%%%%%%%%%@+   +@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@-
+  %%%%%%%%%%%%%%%%%   :@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+ -@%%%%%%%%%%%%%%@*   +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@=
+ #%%%%%%%%%%%%%%%@=   *@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+.%%%%%%%%%%%%%%%%@+   +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@%%%%%%%=
+-@%%%%%%%%%%%%%%%@*   :@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@@@@@.
+=@%%%%%%%%%%%%%%%%%.   #@%%%%%%%%%%%%%%%%%%%%%%%%%%%*..:--==+*-
+=@%%%%%%%%%%%%%%%%@=   :@%%%%%%%%%%%%%%%%%%%%%%%%%%%@#:
+=@%%%%%%%%%%%%%%%%%%.   +@%%%%%%%%%%%%%%%%%%%%%%%%%%%@@+
+:@%%%%%%%%%%%%%%%%%@#    #%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@#::::.
+ %@%%%%%%%%%%%%%%%%%@=   :@%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@@@@@@%#:
+ *%%%%%%%%%%%%%%%%%%-     *@%%%%%%%%%%%%%%%@@@@%%%%%%%%%%%%%%%@@@.
+ :@%%%%%%%%%%%%%%%@-      -@%%%%%%%%%%%%@@@%%%%%@@%%%%%%%%%%%%%%%.
+  *@%%%%%%%%%%%%%@+       .%%%%%%%%%%%@@*=:.   .-*@%%%%%%%%%%%%@=
+  .%%%%%%%%%%%%%%%.       .%%%%%%%%%@@*:          :%%%%%%%%%%%@+
+   =@%%%%%%%%%%%@*        -@%%%%%%%@#:             =@%%%%%%%%@*
+    +@%%%%%%%%%%@.        *@%%%%%@@+               .@%%%%%%%%%.
+     *@%%%%%%%%@+        -@%%%%%@%-                .@%%%%%%%@=
+      +@%%%%%@@*        :%%%%%@@*.                 -@%%%%%%%%
+       =@@@@@#-        :%%%%@@%-                   #%%%%%%%@+
+        :#*+:         :%%%@@%+                    -@@@%%%%%@:
+                     =@@@@#=.                      :+#@@@@%%.
+                   .*%#*=.                            .=*%@%
+                   ::.                                   .-+
@@ -0,0 +1 @@
+
@@ -0,0 +1,26 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.live.builder
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.028.2026.06.18<br>
+
+# 2. CISS Secure Boot Private Material
+
+This directory is intentionally ignored except for this README.
+
+On the air-gapped build host, place the private EFI image signing key here:
+
+* `ciss-efi-image.key`
+
+Do not commit private keys. The custom UKI hooks fail if this key is copied into `binary/`, `chroot/`, or
+`config/includes.*`.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
@@ -0,0 +1,26 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.live.builder
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
+**Master Version**: 9.14<br>
+**Build**: V9.14.028.2026.06.18<br>
+
+# 2. CISS Secure Boot Public Material
+
+Place public CISS Secure Boot certificates here on the air-gapped build host.
+
+Expected file for the `ciss-uki` build profile:
+
+* `ciss-efi-image.crt`
+
+Public CA and module-signing certificates may also live here, for example `ciss-secureboot-ca.crt` and
+`ciss-module-signing.crt`, but they are not copied into the ISO by the current UKI hooks.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
@@ -0,0 +1 @@
+
@@ -41,6 +41,8 @@ declare -grx  VAR_SETUP_PATH="$(cd "$(dirname "${0}")" && pwd)"          # '/roo
 declare -grx  VAR_TMP_SECRET="/dev/shm/cdlb_secrets"                     # Fixed tmpfs path to store securely build artifacts.
 declare -grx  VAR_WORKDIR="$(dirname "${VAR_SETUP_FULL}")"               # '/root/git/CISS.debian.live.builder'

+clear
+
 ### PRELIMINARY CHECKS.
 ### No ash, dash, ksh, sh.
 # shellcheck disable=SC2292
@@ -111,11 +113,16 @@ source_guard "./var/bash.var.sh"
 ### CHECK FOR CONTACT, HELP, VERSION STRING, AND XTRACE DEBUG.
 for arg in "$@"; do case "${arg,,}" in -c|--contact) . ./lib/lib_contact.sh   ; contact; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -h|--help)    . ./lib/lib_usage.sh     ; usage  ; exit 0;; esac; done
+for arg in "$@"; do case "${arg,,}" in -l|--logo)    . ./lib/lib_logo.sh      ; logo   ; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -v|--version) . ./lib/lib_version.sh   ; version; exit 0;; esac; done
 for arg in "$@"; do case "${arg,,}" in -d|--debug)   . ./meta_sources_debug.sh; debugger "${@}";; esac; done

 ### ALL CHECKS DONE. READY TO START THE SCRIPT.
-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
+printf '\033[95m'
+cat bootscreen.txt
+printf '\033[0m\n'
+sleep 4
+printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
 declare -grx VAR_SETUP="true"

 ### SECURING SECRETS ARTIFACTS.
@@ -137,6 +144,7 @@ find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
 [[ "${VAR_SETUP}" == true ]] && {
  source_guard "./lib/lib_arg_parser.sh"
  source_guard "./lib/lib_arg_priority_check.sh"
+  source_guard "./lib/lib_build_dir_safety.sh"
  source_guard "./lib/lib_boot_screen.sh"
  source_guard "./lib/lib_cdi.sh"
  source_guard "./lib/lib_change_splash.sh"
@@ -154,6 +162,7 @@ find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
  source_guard "./lib/lib_clean_screen.sh"
  source_guard "./lib/lib_clean_up.sh"
  source_guard "./lib/lib_copy_integrity.sh"
+  source_guard "./lib/lib_debug_sanitize.sh"
  source_guard "./lib/lib_gnupg.sh"
  source_guard "./lib/lib_hardening_root_pw.sh"
  source_guard "./lib/lib_hardening_ssh_tcp.sh"
@@ -167,6 +176,8 @@ find "${VAR_TMP_SECRET}" -type f -exec chown root:root {} +
  source_guard "./lib/lib_provider_netcup.sh"
  source_guard "./lib/lib_run_analysis.sh"
  source_guard "./lib/lib_sanitizer.sh"
+  source_guard "./lib/lib_secret_validation.sh"
+  source_guard "./lib/lib_secureboot_profile.sh"
  source_guard "./lib/lib_trap_on_err.sh"
  source_guard "./lib/lib_trap_on_exit.sh"
  source_guard "./lib/lib_update_microcode.sh"
@@ -198,8 +209,30 @@ if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen; fi
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nInitialization done ... \nXXX\n15\n" >&3; fi

 ### Updating Status of Dialog Gauge Bar.
-if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nActivate traps ... \nXXX\n50\n" >&3; fi
-### Following the CISS Bash naming and ordering scheme:
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nValidating secrets artifacts ... \nXXX\n20\n" >&3; fi
+validate_secret_root "${VAR_TMP_SECRET}"
+harden_secret_root_files "${VAR_TMP_SECRET}"
+
+### Updating Status of Dialog Gauge Bar.
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nPre-Scan Secure-Boot ... \nXXX\n30\n" >&3; fi
+### PRE-SCAN SECURE BOOT PROFILE FOR BUILD-HOST PACKAGE CHECKS.
+### Formal validation still happens in arg_parser().
+for ((idx=0; idx<${#ARY_PARAM_ARRAY[@]}; idx++)); do
+  case "${ARY_PARAM_ARRAY[idx],,}" in
+    --secure-boot-profile=*)
+      declare -gx VAR_CISS_SECUREBOOT_PROFILE="${ARY_PARAM_ARRAY[idx]#*=}"
+      ;;
+    --secure-boot-profile)
+      if [[ -n "${ARY_PARAM_ARRAY[idx + 1]:-}" ]]; then
+        declare -gx VAR_CISS_SECUREBOOT_PROFILE="${ARY_PARAM_ARRAY[idx + 1]}"
+      fi
+      ;;
+  esac
+done
+unset idx
+
+### Updating Status of Dialog Gauge Bar.
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nTraps active ... \nXXX\n50\n" >&3; fi
 trap 'trap_on_exit "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' EXIT
 trap 'trap_on_err  "$?" "${BASH_SOURCE[0]}" "${LINENO}" "${FUNCNAME[0]:-main}" "${BASH_COMMAND}"' ERR

@@ -210,9 +243,13 @@ declare -ar  ARY_ARG_SANITIZED=("$@")
 declare -grx VAR_ARG_SANITIZED="${ARY_ARG_SANITIZED[*]}"

 ### Updating Status of Dialog Gauge Bar.
-if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nParsing Arguments ... \nXXX\n90\n" >&3; fi
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nParsing Arguments ... \nXXX\n80\n" >&3; fi
 arg_parser "$@"

+### Updating Status of Dialog Gauge Bar.
+if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nValidate secret Arguments ... \nXXX\n95\n" >&3; fi
+validate_selected_secret_inputs
+
 ### Updating Status of Dialog Gauge Bar.
 if ! ${VAR_HANDLER_AUTOBUILD}; then printf "XXX\nFinal checks ... \nXXX\n95\n" >&3; fi
 clean_ip
@@ -248,6 +285,7 @@ init_primordial
 ### Integrate the CISS.debian.live.builder repository into the build directory.
 ### Modifications from this point onwards must be placed under 'VAR_HANDLER_BUILD_DIR'.
 hardening_ultra
+secureboot_profile_apply

 ### CISS.debian.installer 'GRUB' and 'autostart' generator.
 cdi
@@ -1,49 +1,78 @@
 # code_review.md

-Review priorities, in order:
+Use this file for explicit review tasks and final self-review after implementation.
+Do not treat it as a mandate for an unlimited audit unless the user asks for one.
+
+## Review priorities
+
+Review findings in this order:

 1. Correctness
 2. Security regressions
 3. Boot/build reproducibility
 4. Data loss risk
 5. Error handling
-6. Test coverage
+6. Test or validation coverage
 7. Maintainability
 8. Minimality of diff
 9. Style consistency

-Finding classes:
- BLOCKER: proven correctness bug, security regression, build break, boot break, or data loss risk that must be fixed before
-  merge
- RISK: plausible issue or security concern that is not fully proven from the available context
- CLEANUP: maintainability, readability, or consistency improvement that is not required for correctness
- NOTE: observation only; no change requested
+## Finding classes

-Review output format:
- List findings first, ordered by severity.
- Cite file paths and line numbers where possible.
- For each finding, explain the concrete impact, and the smallest reasonable fix.
- Separate observations, inferences, and recommendations.
- After findings, list missing checks or residual risks.
- If there are no findings, say so explicitly and still mention relevant test gaps.
+- `BLOCKER`: proven correctness bug, security regression, build break, boot break, or data loss risk that must be fixed before merge.
+- `RISK`: plausible issue or security concern that is not fully proven from the available context.
+- `CLEANUP`: maintainability, readability, or consistency improvement that is not required for correctness.
+- `NOTE`: observation only; no change requested.

-Do not nitpick formatting if automated tooling exists.
-Do not invent requirements not present in the task, repository, or documentation.
+## Review output format
+
+List findings first, ordered by severity.
+
+For each finding include:
+
+- class
+- file path and line number where possible
+- observation
+- concrete impact
+- smallest reasonable fix
+
+Then include:
+
+- missing checks or validation gaps
+- residual risks
+- concise final recommendation
+
+If there are no findings, say so explicitly and still mention relevant validation gaps.
+
+## Scope control
+
+- Do not nitpick formatting when automated tooling exists.
+- Do not invent requirements not present in the task, repository, or documentation.
+- Do not expand a small implementation task into a broad quality-management audit.
+- Do not request a full live build unless the changed code path affects image generation in a way that cannot be checked narrowly.
+- Prefer a small actionable finding over a broad speculative warning.
+
+## Security-sensitive checklist
+
+Check whether the change affects:

-Security-sensitive review checklist:
 - boot trust
 - initramfs behavior
+- live-boot runtime behavior
 - cryptsetup/LUKS handling
 - encrypted SquashFS handling
 - key material
- remotely unlock
- TLS/mTLS verification
- signature/hash verification
+- remote unlock
+- TLS or mTLS verification
+- signature, checksum, or provenance verification
+- package sources or remote downloads
 - network exposure
 - file permissions
 - persistence
 - logging of sensitive values

+For affected areas, separate observation, inference, and recommendation.
+
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
 <!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
@@ -13,8 +13,16 @@ BUILD_DIR            ?=

 ### Optional Dropbear source override; empty uses VAR_DROPBEAR_VERSION from var/global.var.sh:
 DROPBEAR_VERSION     ?=
+### Optional SOPS release override; empty uses VAR_SOPS_VERSION from var/global.var.sh:
+SOPS_VERSION         ?=
+### Optional Primordial CDI overlay settings; all three values are required for automatic overlay bootstrap:
+PRIMORDIAL_URL       ?=
+PRIMORDIAL_KEY       ?=
+PRIMORDIAL_SSH_PORT  ?=
 PROVIDER_NETCUP_IPV6 ?=
 ROOT_PASSWORD_FILE   ?=
+### Secure Boot profile; debian-shim or ciss-uki:
+SECURE_BOOT_PROFILE  ?= debian-shim
 SSH_PORT             ?=
 SSH_PUBKEY           ?=

@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 # shellcheck disable=SC2155
 declare -gx VAR_DATE="$(date +%F)"
@@ -284,7 +284,7 @@ LLMNR=no
 MulticastDNS=no
 EOF

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 #######################################
 # Get all NIC drivers of the current Host machine.
@@ -345,7 +345,7 @@ chmod 0755 /etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh
 chmod 0755 /etc/initramfs-tools/scripts/init-premount/1000_ciss_fixpath.sh
 chmod 0755 /etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 VAR_DATE="$(date +%F)"

@@ -45,8 +45,10 @@ EOF

 mkdir -p /etc/systemd/system/tmp.mount.d
 cat << EOF >| /etc/systemd/system/tmp.mount.d/override.conf
+# The live ISO runs CISS.debian.installer and must support at least 12 raw plus encrypted LUKS header backups in the installer
+# scratch path.
 [Mount]
-Options=mode=1777,strictatime,nosuid,nodev,noexec,size=1%
+Options=mode=1777,strictatime,nosuid,nodev,noexec,size=2G
 EOF

 mkdir -p /etc/systemd/system/dev-shm.mount.d
@@ -57,7 +59,7 @@ EOF

 systemctl enable ciss-remount-root.service

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 if [[ -f /root/.cdi ]]; then

@@ -48,7 +48,7 @@ EOF

 fi

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -72,7 +72,7 @@ include /etc/logrotate.d
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -30,7 +30,7 @@ EOF

 install -d -m 0755 /var/cache/apparmor

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -20,7 +20,7 @@ export INITRD="No"
 ### Declare Arrays, HashMaps, and Variables.
 declare var_dropbear_env="/root/dropbear.env"
 [[ -r "${var_dropbear_env}" ]] || {
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2
+  printf "\e[91m❌ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2
  exit 43
 }

@@ -28,7 +28,7 @@ declare var_dropbear_env="/root/dropbear.env"
 . "${var_dropbear_env}"
 declare var_dropbear_version="${DROPBEAR_VERSION:?DROPBEAR_VERSION is not set}"
 [[ "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]] || {
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
+  printf "\e[91m❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
  exit 43
 }

@@ -39,7 +39,7 @@ declare var_logfile="/root/.ciss/cdlb/log/0020_dropbear_build.log"
 mkdir -p "/root/build"

 [[ -r "${var_tar}" ]] || {
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Missing Dropbear tarball: [%s] \e[0m\n" "${var_tar}" >&2
+  printf "\e[91m❌ ERROR: Missing Dropbear tarball: [%s] \e[0m\n" "${var_tar}" >&2
  exit 43
 }

@@ -86,7 +86,7 @@ if ! setsid bash -c '
  ' >| "${var_logfile}" 2>&1
 then

-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Dropbear build failed. See [%s] \e[0m\n" "${var_logfile}" >&2
+  printf "\e[91m❌ Dropbear build failed. See [%s] \e[0m\n" "${var_logfile}" >&2
  tail -n 42 "${var_logfile}" >&2 || true
  exit 42

@@ -94,7 +94,7 @@ fi

  rm -rf /root/dropbear

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -20,7 +20,7 @@ export INITRD="No"
 ### Declare Arrays, HashMaps, and Variables.
 declare var_dropbear_env="/root/dropbear.env"
 [[ -r "${var_dropbear_env}" ]] || {
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2
+  printf "\e[91m❌ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2
  exit 43
 }

@@ -28,7 +28,7 @@ declare var_dropbear_env="/root/dropbear.env"
 . "${var_dropbear_env}"
 declare var_dropbear_version="${DROPBEAR_VERSION:?DROPBEAR_VERSION is not set}"
 [[ "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]] || {
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
+  printf "\e[91m❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
  exit 43
 }

@@ -143,7 +143,7 @@ EOF

 systemctl mask dropbear.service dropbear.socket

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -154,7 +154,7 @@ readonly -f write_dropbear_conf

 dropbear_setup

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cat << EOF >> /etc/ssh/ssh_config.d/10-sshfp.conf
 # SPDX-Version: 3.0
@@ -38,7 +38,7 @@ Host git.coresecret.dev
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,13 +11,13 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 if [[ ! -f /root/.pwd ]]; then

-  printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ /root/.pwd NOT found. \e[0m\n"
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Exiting Hook ... \e[0m\n"
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' done. Nothing changed. \e[0m\n" "${0}"
+  printf "\e[92m❌ /root/.pwd NOT found. \e[0m\n"
+  printf "\e[92m❌ Exiting Hook ... \e[0m\n"
+  printf "\e[92m✅ '%s' done. Nothing changed. \e[0m\n" "${0}"
  exit 0

 fi
@@ -39,15 +39,15 @@ unset hashed_pwd safe_hashed_pwd

 if shred -fzu -n 5 /root/.pwd; then

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Password file /root/.pwd: shred -fzu -n 5 >> done. \e[0m\n"
+  printf "\e[92m✅ Password file /root/.pwd: shred -fzu -n 5 >> done. \e[0m\n"

 else

-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Password file /root/.pwd: shred -fzu -n 5 >> NOT successful. \e[0m\n" >&2
+  printf "\e[91m❌ Password file /root/.pwd: shred -fzu -n 5 >> NOT successful. \e[0m\n" >&2

 fi

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cat << 'EOF' >| /etc/default/keyboard
 XKBMODEL="pc105"
@@ -26,7 +26,7 @@ export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"
 dpkg-reconfigure -f noninteractive keyboard-configuration

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -28,7 +28,7 @@ ExecStart=
 ExecStart=/usr/sbin/jitterentropy-rngd --osr=2
 EOF

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 mv /etc/hostname /root/.ciss/cdlb/backup/hostname.bak
 mv /etc/mailname /root/.ciss/cdlb/backup/mailname.bak
@@ -26,7 +26,7 @@ localhost.local

 EOF

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cd /root
 if [[ -f /var/lib/dbus/machine-id ]]; then
@@ -32,7 +32,7 @@ b08dfa6083e7567a1921a715000001fb
 EOF
 chmod 644 /etc/machine-id

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cd /root

@@ -147,7 +147,7 @@ unzip /tmp/nerd/Hack.zip -d /root/.local/share/fonts
 fc-cache -fv
 rm -rf /tmp/nerd

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
 echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | tee /etc/apt/sources.list.d/cisofy-lynis.list
@@ -463,7 +463,7 @@ upload-options=
 #EOF
 EOF_LYNIS

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 mkdir -p /var/log/chrony

@@ -114,7 +114,7 @@ fi

 chronyd -Q -f /etc/chrony/chrony.conf 2>&1

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cd /root/git
 git clone https://github.com/a13xp0p0v/kernel-hardening-checker.git

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 mkdir -p /etc/systemd/system/ssh.service.d

@@ -24,7 +24,7 @@ Wants=network-online.target
 ExecStartPre=/bin/sleep 5
 EOF

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cd /root/git
 git clone --depth 1 -b master https://github.com/major/MySQLTuner-perl.git

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq
 chmod +x /usr/bin/yq

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cd /root/git
 git clone https://github.com/testssl/testssl.sh.git

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -22,7 +22,7 @@ apt-get install -y nodejs
 cd /root/git
 git clone https://github.com/sefinek/UFW-AbuseIPDB-Reporter.git

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cd /root/git
 git clone https://github.com/hardenedlinux/harbian-audit.git

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cd /root/git
 git clone https://github.com/jtesta/ssh-audit.git

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,12 +11,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cd /root/git
 git clone https://github.com/dnsviz/dnsviz.git

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,47 +11,307 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"

-SOPS_VER="v3.13.0"
-ARCH="$(dpkg --print-architecture)"
-case "${ARCH}" in
-  amd64)  SOPS_FILE="sops-${SOPS_VER}.linux.amd64" ;;
-  arm64)  SOPS_FILE="sops-${SOPS_VER}.linux.arm64" ;;
-  *)  echo "Unsupported arch: ${ARCH}" >&2; exit 1 ;;
-esac
+declare SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP="https://github.com/getsops"
+declare SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER="https://token.actions.githubusercontent.com"

-cd /tmp
+#######################################
+# Print a fatal error and abort the hook.
+# Globals:
+#   None
+# Arguments:
+#   1: Message string
+# Returns:
+#   None
+#######################################
+die() {
+  declare message="$1"
+  printf "\e[91m❌ ERROR: %s \e[0m\n" "${message}" >&2
+  exit 43
+}

-curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/${SOPS_FILE}"
-curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.txt"
-curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.pem"
-curl -fsSLO "https://github.com/getsops/sops/releases/download/${SOPS_VER}/sops-${SOPS_VER}.checksums.sig"
+#######################################
+# Require an executable tool.
+# Globals:
+#   None
+# Arguments:
+#   1: Tool name
+# Returns:
+#   0: on success
+#######################################
+require_tool() {
+  declare tool_name="$1"

-cosign verify-blob "sops-${SOPS_VER}.checksums.txt" \
-  --certificate    "sops-${SOPS_VER}.checksums.pem" \
-  --signature      "sops-${SOPS_VER}.checksums.sig" \
-  --certificate-identity-regexp="https://github.com/getsops" \
-  --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
+  command -v "${tool_name}" >/dev/null 2>&1 || die "Required tool not found: ${tool_name}"

-sha256sum -c "sops-${SOPS_VER}.checksums.txt" --ignore-missing
+  return 0
+}

-install -m 0755 "${SOPS_FILE}" /usr/local/bin/sops
-sops --version --check-for-updates >| /root/.ciss/cdlb/log/sops.log
-age --version                      >| /root/.ciss/cdlb/log/age.log
+#######################################
+# Validate and normalize a SOPS semantic version.
+# Globals:
+#   None
+# Arguments:
+#   1: SOPS version string
+# Outputs:
+#   Normalized bare semantic version
+# Returns:
+#   0: on success
+#######################################
+normalize_sops_version() {
+  declare sops_version="${1#v}"

-rm -f "/tmp/${SOPS_FILE}"
-rm -f "/tmp/sops-${SOPS_VER}.checksums.txt"
-rm -f "/tmp/sops-${SOPS_VER}.checksums.pem"
-rm -f "/tmp/sops-${SOPS_VER}.checksums.sig"
+  [[ "${sops_version}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || \
+    die "Invalid SOPS version '${1}'. Expected '<MAJOR>.<MINOR>.<PATCH>' without prerelease metadata."

-chmod 0400 /root/.config/sops/age/keys.txt
+  printf '%s' "${sops_version}"

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+  return 0
+}
+
+#######################################
+# Download a mandatory release asset.
+# Globals:
+#   None
+# Arguments:
+#   1: Asset URL
+#   2: Target filename
+# Returns:
+#   0: on success
+#######################################
+download_required_asset() {
+  declare asset_url="$1"
+  declare target_file="$2"
+
+  if ! curl -fsSLo "${target_file}" "${asset_url}"; then
+    die "Failed to download required SOPS asset '${target_file}' from '${asset_url}'."
+  fi
+
+  [[ -s "${target_file}" ]] || die "Downloaded SOPS asset is empty: ${target_file}"
+
+  return 0
+}
+
+#######################################
+# Download an optional release asset and distinguish absence from download errors.
+# Globals:
+#   None
+# Arguments:
+#   1: Asset URL
+#   2: Target filename
+# Returns:
+#   0: asset was downloaded
+#   1: asset is absent upstream
+#######################################
+download_optional_asset() {
+  declare asset_url="$1"
+  declare target_file="$2"
+  declare http_code=""
+
+  if ! http_code=$(curl -sSLo "${target_file}" -w '%{http_code}' "${asset_url}"); then
+    rm -f -- "${target_file}"
+    die "Failed to query optional SOPS asset '${target_file}' from '${asset_url}'."
+  fi
+
+  case "${http_code}" in
+    200)
+      [[ -s "${target_file}" ]] || die "Optional SOPS asset is empty after HTTP 200: ${target_file}"
+      return 0
+      ;;
+    404)
+      rm -f -- "${target_file}"
+      return 1
+      ;;
+    *)
+      rm -f -- "${target_file}"
+      die "Unexpected HTTP status ${http_code} for optional SOPS asset '${target_file}' from '${asset_url}'."
+      ;;
+  esac
+}
+
+#######################################
+# Verify the SOPS checksums file with Cosign.
+# Globals:
+#   SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP
+#   SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER
+# Arguments:
+#   1: Checksums filename
+#   2: Bundle filename
+#   3: Certificate filename
+#   4: Signature filename
+# Returns:
+#   0: on success
+#######################################
+verify_sops_checksums_signature() {
+  declare checksums_file="$1"
+  declare bundle_file="$2"
+  declare certificate_file="$3"
+  declare signature_file="$4"
+
+  if [[ -f "${bundle_file}" ]]; then
+    printf "\e[95m[INFO] Verifying SOPS checksums with Cosign bundle: %s \e[0m\n" "${bundle_file}"
+    cosign verify-blob "${checksums_file}" \
+      --bundle "${bundle_file}" \
+      --certificate-identity-regexp="${SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP}" \
+      --certificate-oidc-issuer="${SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER}" || \
+      die "SOPS checksum signature verification failed in bundle mode for '${checksums_file}' using '${bundle_file}'."
+    return 0
+  fi
+
+  if [[ -f "${certificate_file}" && -f "${signature_file}" ]]; then
+    printf "\e[95m[INFO] Verifying SOPS checksums with Cosign split certificate/signature: %s %s \e[0m\n" "${certificate_file}" "${signature_file}"
+    cosign verify-blob "${checksums_file}" \
+      --certificate "${certificate_file}" \
+      --signature "${signature_file}" \
+      --certificate-identity-regexp="${SOPS_COSIGN_CERTIFICATE_IDENTITY_REGEXP}" \
+      --certificate-oidc-issuer="${SOPS_COSIGN_CERTIFICATE_OIDC_ISSUER}" || \
+      die "SOPS checksum signature verification failed in legacy split mode for '${checksums_file}' using '${certificate_file}' and '${signature_file}'."
+    return 0
+  fi
+
+  if [[ -f "${certificate_file}" || -f "${signature_file}" ]]; then
+    die "Incomplete legacy SOPS signature layout for '${checksums_file}'. Expected both '${certificate_file}' and '${signature_file}'."
+  fi
+
+  die "No supported SOPS checksum signature layout found for '${checksums_file}'. Expected bundle or split certificate/signature assets."
+}
+
+#######################################
+# Verify the SOPS artifact checksum and ensure the expected artifact was covered.
+# Globals:
+#   None
+# Arguments:
+#   1: Checksums filename
+#   2: Artifact filename
+# Returns:
+#   0: on success
+#######################################
+verify_sops_artifact_checksum() {
+  declare checksums_file="$1"
+  declare artifact_file="$2"
+  declare checksum_output=""
+
+  if ! checksum_output=$(sha256sum -c "${checksums_file}" --ignore-missing 2>&1); then
+    printf '%s\n' "${checksum_output}" >&2
+    die "SOPS artifact checksum verification failed for '${artifact_file}' using '${checksums_file}'."
+  fi
+
+  printf '%s\n' "${checksum_output}"
+
+  if ! grep -Fxq "${artifact_file}: OK" <<< "${checksum_output}" && \
+     ! grep -Fxq "./${artifact_file}: OK" <<< "${checksum_output}"; then
+    die "SOPS checksum verification did not cover expected artifact '${artifact_file}' from '${checksums_file}'."
+  fi
+
+  return 0
+}
+
+#######################################
+# Install SOPS from an upstream GitHub release after signature and checksum verification.
+# Globals:
+#   CISS_SOPS_VERSION
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#######################################
+main() {
+  require_tool curl
+  require_tool cosign
+  require_tool sha256sum
+
+  declare sops_env="/root/sops.env"
+  [[ -r "${sops_env}" ]] || die "Missing SOPS environment file: ${sops_env}"
+
+  # shellcheck disable=SC1090
+  . "${sops_env}"
+
+  declare ciss_sops_version
+  ciss_sops_version=$(normalize_sops_version "${CISS_SOPS_VERSION:?CISS_SOPS_VERSION is not set}")
+
+  declare architecture
+  architecture="$(dpkg --print-architecture)"
+
+  declare sops_tag="v${ciss_sops_version}"
+  declare sops_file=""
+  case "${architecture}" in
+    amd64)
+      sops_file="sops-${sops_tag}.linux.amd64"
+      ;;
+    arm64)
+      sops_file="sops-${sops_tag}.linux.arm64"
+      ;;
+    *)
+      die "Unsupported architecture '${architecture}' for SOPS version '${ciss_sops_version}'. Expected amd64 or arm64."
+      ;;
+  esac
+
+  declare release_base_url="https://github.com/getsops/sops/releases/download/${sops_tag}"
+  declare checksums_file="sops-${sops_tag}.checksums.txt"
+  declare bundle_file="sops-${sops_tag}.checksums.sigstore.json"
+  declare certificate_file="sops-${sops_tag}.checksums.pem"
+  declare signature_file="sops-${sops_tag}.checksums.sig"
+  declare bundle_available="false"
+  declare certificate_available="false"
+  declare signature_available="false"
+
+  cd /tmp
+
+  printf "\e[95m[INFO] Downloading SOPS %s asset: %s \e[0m\n" "${ciss_sops_version}" "${sops_file}"
+  download_required_asset "${release_base_url}/${sops_file}" "${sops_file}"
+  download_required_asset "${release_base_url}/${checksums_file}" "${checksums_file}"
+
+  # shellcheck disable=SC2310
+  if download_optional_asset "${release_base_url}/${bundle_file}" "${bundle_file}"; then
+    bundle_available="true"
+  fi
+
+  if [[ "${bundle_available}" == "false" ]]; then
+    # shellcheck disable=SC2310
+    if download_optional_asset "${release_base_url}/${certificate_file}" "${certificate_file}"; then
+      certificate_available="true"
+    fi
+
+    # shellcheck disable=SC2310
+    if download_optional_asset "${release_base_url}/${signature_file}" "${signature_file}"; then
+      signature_available="true"
+    fi
+
+    if [[ "${certificate_available}" != "${signature_available}" ]]; then
+      die "Incomplete legacy SOPS signature assets for version '${ciss_sops_version}'. Expected both '${certificate_file}' and '${signature_file}'."
+    fi
+  fi
+
+  verify_sops_checksums_signature "${checksums_file}" "${bundle_file}" "${certificate_file}" "${signature_file}"
+  verify_sops_artifact_checksum "${checksums_file}" "${sops_file}"
+
+  install -m 0755 "${sops_file}" /usr/local/bin/sops
+  sops --version >| /root/.ciss/cdlb/log/sops.log
+  age --version  >| /root/.ciss/cdlb/log/age.log
+
+  rm -f -- "/tmp/${sops_file}"
+  rm -f -- "/tmp/${checksums_file}"
+  rm -f -- "/tmp/${bundle_file}"
+  rm -f -- "/tmp/${certificate_file}"
+  rm -f -- "/tmp/${signature_file}"
+
+  if [[ -f /root/.config/sops/age/keys.txt ]]; then
+    chmod 0400 /root/.config/sops/age/keys.txt
+  fi
+
+  printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+  return 0
+}
+
+if [[ "${CISS_SOPS_TEST_MODE:-false}" != "true" ]]; then
+  main "$@"
+  exit 0
+fi

-exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -21,7 +21,7 @@ wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O

 yq --version

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 umask 0077

@@ -31,7 +31,7 @@ apt-get purge -y texinfo
 apt-get autoremove --purge -y
 apt-get autoclean -y

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,10 +11,11 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 declare -r UFW_OUT_POLICY="deny"
 declare -r SSHPORT="SSHPORT_MUST_BE_SET"
+# PRIMORDIAL_SSH_PORT_DECLARATION_MUST_BE_SET

 ufw --force reset

@@ -44,7 +45,8 @@ if [[ ${UFW_OUT_POLICY,,} == "deny"  ]]; then
  ufw allow out  853/tcp comment 'Outgoing DoT'
  ufw allow out  993/tcp comment 'Outgoing IMAPS'
  ufw allow out 4460/tcp comment 'Outgoing NTS'
-  ufw allow out "${SSHPORT}"/tcp comment 'Outgoing SSH (Custom-Port)'
+  ufw allow out "${SSHPORT}"/tcp comment 'Outgoing SSH Custom-Port'
+  # PRIMORDIAL_SSH_RULE_MUST_BE_SET
  ufw allow out   53/udp comment 'Outgoing DNS'
  ufw allow out  123/udp comment 'Outgoing NTP'
  ufw allow out  443/udp comment 'Outgoing QUIC'
@@ -61,7 +63,7 @@ sed -i "/# ok icmp code for FORWARD/i \-A ufw-before-output -p icmp --icmp-type
 sed -i 's/^ENABLED=no/ENABLED=yes/' /etc/ufw/ufw.conf
 ln -sf /lib/systemd/system/ufw.service /etc/systemd/system/multi-user.target.wants/ufw.service

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -26,15 +26,15 @@ fi

 if ln -s /lib/systemd/system/acct.service /etc/systemd/system/multi-user.target.wants/acct.service; then

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'Process Accounting' enabled successful. \e[0m\n"
+  printf "\e[92m✅ 'Process Accounting' enabled successful. \e[0m\n"

 else

-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'Process Accounting' already enabled. \e[0m\n" >&2
+  printf "\e[91m❌ 'Process Accounting' already enabled. \e[0m\n" >&2

 fi

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 mkdir -p /root/.ciss/cdlb/backup/update-motd.d
 cp -af /etc/update-motd.d/* /root/.ciss/cdlb/backup/update-motd.d
@@ -23,7 +23,7 @@ EOF

 chmod 0755 /etc/update-motd.d/10-uname

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 declare -a search_dirs=("/etc/ssl/certs" "/usr/local/share/ca-certificates" "/usr/share/ca-certificates" "/etc/letsencrypt")
 declare backup_dir="/root/.ciss/cdlb/backup/certificates"
@@ -29,7 +29,7 @@ declare -ax expired_certificates=()
 #   None
 #######################################
 create_backup() {
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Backup Certificate: '%s' ... \e[0m\n" "${backup_dir}"
+  printf "\e[95m🧪 Backup Certificate: '%s' ... \e[0m\n" "${backup_dir}"

  mkdir -p "${backup_dir}"
  declare dir=""
@@ -44,7 +44,7 @@ create_backup() {

  done

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Backup Certificate: '%s' done.\e[0m\n" "${backup_dir}"
+  printf "\e[92m✅ Backup Certificate: '%s' done.\e[0m\n" "${backup_dir}"
 }

 #######################################
@@ -104,7 +104,7 @@ delete_expired_from_all_bundles() {

    if [[ -f ${bundle} ]]; then

-      printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Checking Root-CA Bundle: '%s' ...\e[0m\n" "${bundle}"
+      printf "\e[95m🧪 Checking Root-CA Bundle: '%s' ...\e[0m\n" "${bundle}"
      declare tmp_bundle="${bundle}.tmp"
      declare -a block=()
      declare expired=0
@@ -149,7 +149,7 @@ delete_expired_from_all_bundles() {

          else

-            printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅  Certificate deleted: '%s' (Expired: %s)\e[0m\n" "${bundle}" "${enddate}"
+            printf "\e[92m✅  Certificate deleted: '%s' (Expired: %s)\e[0m\n" "${bundle}" "${enddate}"

          fi

@@ -161,29 +161,29 @@ delete_expired_from_all_bundles() {

      mv -f "${tmp_bundle}" "${bundle}"

-      printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Checking Root-CA Bundle: '%s' done. \e[0m\n" "${bundle}"
+      printf "\e[92m✅ Checking Root-CA Bundle: '%s' done. \e[0m\n" "${bundle}"

    fi

  done
 }

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Check certificates in: '%s'.\e[0m\n" "${search_dirs[*]}"
+printf "\e[95m🧪 Check certificates in: '%s'.\e[0m\n" "${search_dirs[*]}"
 create_backup
 delete_expired_from_all_bundles
 check_certificates

 if [[ ${#expired_certificates[@]} -eq 0 ]]; then

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No expired certificates found.\e[0m\n"
+  printf "\e[92m✅ No expired certificates found.\e[0m\n"

 else

-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Expired certificates found:\e[0m\n"
+  printf "\e[95m🧪 Expired certificates found:\e[0m\n"

  for exp_cert in "${expired_certificates[@]}"; do

-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ '%s'. \e[0m\n" "${exp_cert}"
+    printf "\e[92m'%s'. \e[0m\n" "${exp_cert}"

  done

@@ -191,7 +191,7 @@ else

    rm -f "${exp_cert}"

-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Certificate deleted: '%s'.\e[0m\n" "${exp_cert}"
+    printf "\e[92m✅ Certificate deleted: '%s'.\e[0m\n" "${exp_cert}"
    basename=$(basename "${exp_cert}")
    mozilla_entry="mozilla/${basename%.pem}.crt"
    mozilla_entry="${mozilla_entry%.crt}.crt"
@@ -200,19 +200,19 @@ else
    if grep -Fxq "${mozilla_entry}" "${ca_conf}"; then

      sed -i "s|^${mozilla_entry}$|#${mozilla_entry}|" "${ca_conf}"
-      printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Entry in ca-certificates.conf deselected: '#%s'.\e[0m\n" "${mozilla_entry}"
+      printf "\e[92m✅ Entry in ca-certificates.conf deselected: '#%s'.\e[0m\n" "${mozilla_entry}"

    fi

  done

-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache ... \e[0m\n"
+  printf "\e[95m✅ Updating the certificate cache ... \e[0m\n"
  update-ca-certificates --fresh
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Updating the certificate cache done.\e[0m\n"
+  printf "\e[92m✅ Updating the certificate cache done.\e[0m\n"

 fi

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"


 exit 0
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"
 declare _key=""

 cd /etc/ssh
@@ -115,7 +115,7 @@ fi

 /usr/sbin/sshd -t || exit 42

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 mkdir -p /root/.ciss/cdlb/backup/etc/ssl

@@ -439,7 +439,7 @@ SignatureAlgorithms = ecdsa_secp521r1_sha512:ecdsa_secp384r1_sha384:ed448:rsa_ps
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cp -u /etc/security/limits.conf /root/.ciss/cdlb/backup/limits.conf.bak
 chmod 0644 /root/.ciss/cdlb/backup/limits.conf.bak
@@ -82,7 +82,7 @@ KeepFree=0
 EOF
 chmod 0644 /etc/systemd/coredump.conf.d/9999-ciss-coredump-disable.conf

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cd /root

@@ -235,7 +235,7 @@ EOF
 touch /var/log/fail2ban/fail2ban.log
 chmod 0640 /var/log/fail2ban/fail2ban.log

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 ###########################################################################################
 # Remarks: Turn off Energy saving mode and ctrl-alt-del                                   #
@@ -23,7 +23,7 @@ done

 unset target

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -33,7 +33,7 @@ if [[ -d /etc/exim4 ]]; then
  rm -rf /etc/exim4
 fi

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -41,7 +41,7 @@ cp -a /etc/usbguard/usbguard-daemon.conf /root/.ciss/cdlb/backup/usbguard-daemon

 rm -f /tmp/rules.conf

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh

@@ -29,7 +29,7 @@ dpkg --get-selections | grep deinstall >| /tmp/deinstall.log || true
 if [[ -s /tmp/deinstall.log ]]; then

  printf "\n"
-  printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 Packages to purge ... \e[0m\n"
+  printf "\e[95m🧪 Packages to purge ... \e[0m\n"
  sed -i 's!deinstall!!' /tmp/deinstall.log

  while IFS= read -r line; do
@@ -37,16 +37,16 @@ if [[ -s /tmp/deinstall.log ]]; then
    declare trimmed_string
    trimmed_string=$(echo "${line}" | awk '{$1=$1};1')
    echo "y" | apt-get purge "${trimmed_string}"
-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Package '%s' purged. \e[0m\n" "${trimmed_string}"
+    printf "\e[92m✅ Package '%s' purged. \e[0m\n" "${trimmed_string}"

  done < /tmp/deinstall.log

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Packages to purge done. \e[0m\n"
+  printf "\e[92m✅ Packages to purge done. \e[0m\n"

 else

  printf "\n"
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No Packages to purge, proceeding with clean up. \e[0m\n"
+  printf "\e[92m✅ No Packages to purge, proceeding with clean up. \e[0m\n"

 fi

@@ -60,7 +60,7 @@ apt-get autopurge -y

 updatedb

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 chmod 0644 /etc/banner
 chmod 0644 /etc/issue
@@ -26,8 +26,8 @@ fi
 touch /etc/motd
 cat << EOF >| /etc/motd

-      (c) Marc S. Weidner, 2018 - 2025
-      (p) Centurion Press, 2018 - 2025
+      (c) Marc S. Weidner, 2018 - 2026
+      (p) Centurion Press, 2018 - 2026
          Centurion Intelligence Consulting Agency (tm)
          https://coresecret.eu/
          Please consider making a donation:
@@ -109,7 +109,7 @@ find /root -xdev -exec chown -h root:root {} +

 rm -f /etc/tmpfiles.d/legacy.conf

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' successfully applied. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -10,6 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail
+
 #######################################
 # Iterates all '/etc/shadow' entries and sets:
 #   4=min age=0, 5=max age=16384, 6=warn=128, 7=inactive=42, 8=expire=17.09.2102
@@ -92,12 +93,12 @@ update_shadow() {
 # shellcheck disable=SC2034
 readonly -f update_shadow

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 if ! command -v chage &>/dev/null; then

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Info: 'chage' NOT found. Exiting hook ... \e[0m\n"
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+  printf "\e[92m✅ Info: 'chage' NOT found. Exiting hook ... \e[0m\n"
+  printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

  exit 0

@@ -111,8 +112,8 @@ mapfile -t users_to_update < <(

 if [[ ${#users_to_update[@]} -eq 0 ]]; then

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ No enabled-login accounts found in /etc/shadow. Exiting hook ... \e[0m\n"
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+  printf "\e[92m✅ No enabled-login accounts found in /etc/shadow. Exiting hook ... \e[0m\n"
+  printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

  exit 0

@@ -120,7 +121,7 @@ fi

 declare user
 for user in "${users_to_update[@]}"; do
-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ Setting max password age for user '%s' to '%s' days. \e[0m\n" "${user}" "${max_days}"
+  printf "\e[92m✅ Setting max password age for user '%s' to '%s' days. \e[0m\n" "${user}" "${max_days}"
  chage --maxdays "${max_days}" "${user}"
 done

@@ -128,11 +129,11 @@ unset max_days user users_to_update

 awk -F: '$2 !~ /^\$[0-9]/ && length($2)==13 { print $1,$2 }' /etc/shadow

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ All applicable accounts have been updated. \e[0m\n"
+printf "\e[92m✅ All applicable accounts have been updated. \e[0m\n"

 update_shadow

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -23,15 +23,15 @@ sed -i "s/Checksums = H/Checksums = sha512/" /etc/aide/aide.conf

 if aideinit > /dev/null 2>&1; then

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'aideinit' successful. \e[0m\n"
+  printf "\e[92m✅ 'aideinit' successful. \e[0m\n"

 else

-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'aideinit' NOT successful. \e[0m\n" >&2
+  printf "\e[91m❌ 'aideinit' NOT successful. \e[0m\n" >&2

 fi

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -15,7 +15,7 @@

 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 # shellcheck disable=SC2155
 declare -r VAR_DATE="$(date +%F)"
@@ -130,7 +130,7 @@ local_users_only

 EOF

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,11 +11,11 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 sed -i 's#^\(ENABLED=\).*#\1"true"#' /etc/default/sysstat

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -21,7 +21,7 @@ set -Ceuo pipefail
 #######################################
 log() { printf '[auditd-build] %s\n' "${*}" >&2; }

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cd /root

@@ -42,13 +42,13 @@ cat << EOF >| /etc/audit/rules.d/00-base-config.rules

 ## Increase the buffers to survive stress events.
 ## Make this bigger for busy systems.
-b 16384
+-b 262144

 ## Rate Limit. Cap kernel->userspace message rate (0 = unlimited).
 -r 200

 ## This determine how long to wait in burst of events. How long to wait in bursts (us).
--backlog_wait_time 1024
+--backlog_wait_time 16384

 ## Set failure mode to syslog.
 -f 1
@@ -374,7 +374,7 @@ ExecStart=/usr/sbin/augenrules --load

 EOF

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 cd /root

@@ -26,16 +26,16 @@ sed -i "s/CRON_CHECK=never/CRON_CHECK=monthly/" /etc/default/debsums

 if debsums -g > /dev/null 2>&1; then

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'debsums -g' successful. \e[0m\n"
+  printf "\e[92m✅ 'debsums -g' successful. \e[0m\n"

 else

  # Omit false negative error output to stdout and stderr, as no problematic errors occur on startup.
-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ 'debsums -g' NOT successful. \e[0m\n"  > /dev/null 2>&1
+  printf "\e[91m❌ 'debsums -g' NOT successful. \e[0m\n"  > /dev/null 2>&1

 fi

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
@@ -130,7 +130,7 @@ apt-get dist-upgrade -y        # (= apt full-upgrade) allow installs/replacement
 apt-get autoremove --purge -y  # 'autopurge' == 'autoremove --purge'.
 apt-get clean -y               # Stronger than autoclean: removes the entire '.deb'-cache.

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 ### Declare Arrays, HashMaps, and Variables.
 declare -ar ary_logrotate=(
@@ -53,15 +53,15 @@ done

 if ! logrotate -d /etc/logrotate.conf; then

-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'logrotate -d /etc/logrotate.conf' failed. \e[0m\n"
+  printf "\e[91m✅ 'logrotate -d /etc/logrotate.conf' failed. \e[0m\n"

 else

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ 'logrotate -d /etc/logrotate.conf' successful. \e[0m\n"
+  printf "\e[92m✅ 'logrotate -d /etc/logrotate.conf' successful. \e[0m\n"

 fi

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,7 +11,11 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+# Final live-build chroot cleanup hook. Removes transient build artifacts, tightens permissions on CISS root/key material,
+# regenerates initramfs images, prepares systemd-resolved DNS configuration, and forces the live system to boot into
+# multi-user.target by masking common display managers.
+
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 declare var_dm="" var_unit_dir="" var_link="/etc/systemd/system/default.target"

@@ -92,7 +96,7 @@ for var_dm in "${ary_dm_units[@]}"; do

 done

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+# shellcheck disable=SC2154
 # SPDX-Version: 3.0
 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
 # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
@@ -11,9 +12,12 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

-# ToDo: Unify --integrity hmac-sha512 mode for standalone and runner mode.
+# Final live-build binary hook for encrypted root filesystem packaging. It creates and signs a deterministic attestation
+# manifest for the final filesystem.squashfs byte stream, preallocates a LUKS2 container, formats it with the generated build
+# secret, copies the generated filesystem.squashfs into the opened encrypted mapping, then closes the container, shreds the
+# temporary LUKS secret, and removes the plaintext SquashFS from the ISO payload.

-printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+printf "\e[95m🧪 '%s' starting ... \e[0m\n" "${0}"

 __umask=$(umask)
 umask 0077
@@ -36,23 +40,23 @@ preallocate() {

  if fallocate -l "${size}" -- "${file}" 2>/dev/null; then

-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ [fallocate -l %s -- %s] successful. \e[0m\n" "${size}" "${file}"
+    printf "\e[92m✅ [fallocate -l %s -- %s] successful. \e[0m\n" "${size}" "${file}"
    return 0

  else

-    printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ [fallocate -l %s -- %s] NOT successful. \e[0m\n" "${size}" "${file}"
+    printf "\e[91m❌ [fallocate -l %s -- %s] NOT successful. \e[0m\n" "${size}" "${file}"

  fi

  if dd if=/dev/zero of="${file}" bs="${blocksize}" count="${blockcounter}" status=progress conv=fsync; then

-    printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
+    printf "\e[92m✅ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
    return 0

  else

-    printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] NOT successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
+    printf "\e[91m❌ [dd if=/dev/zero of=%s bs=%s count=%s status=progress conv=fsync] NOT successful. \e[0m\n" "${file}" "${blocksize}" "${blockcounter}"
    return 42

  fi
@@ -61,12 +65,163 @@ preallocate() {
 # shellcheck disable=SC2034
 readonly -f preallocate

-declare ROOTFS="${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs"
-declare LUKSFS="${VAR_HANDLER_BUILD_DIR}/binary/live/ciss_rootfs.crypt"
-declare KEYFD=""
+#######################################
+# Validate that the rootfs attestation artifacts exist in the final ISO payload tree.
+# Globals:
+#   None
+# Arguments:
+#   1: Rootfs attestation manifest path
+# Returns:
+#   0: on success
+#   42: on failure
+#######################################
+require_rootfs_attestation_artifacts() {
+  declare manifest="${1}"
+  declare signature="${manifest}.sig"
+  declare artifact=""

+  for artifact in "${manifest}" "${signature}"; do
+
+    if [[ ! -e "${artifact}" ]]; then
+
+      printf "\e[91m❌ Required rootfs attestation artifact missing: [%s]. \e[0m\n" "${artifact}" >&2
+      return 42
+
+    fi
+
+    if [[ -L "${artifact}" || ! -f "${artifact}" ]]; then
+
+      printf "\e[91m❌ Required rootfs attestation artifact is not a regular file: [%s]. \e[0m\n" "${artifact}" >&2
+      return 42
+
+    fi
+
+    if [[ ! -s "${artifact}" ]]; then
+
+      printf "\e[91m❌ Required rootfs attestation artifact is empty: [%s]. \e[0m\n" "${artifact}" >&2
+      return 42
+
+    fi
+
+    if [[ ! -r "${artifact}" ]]; then
+
+      printf "\e[91m❌ Required rootfs attestation artifact is not readable: [%s]. \e[0m\n" "${artifact}" >&2
+      return 42
+
+    fi
+
+  done
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f require_rootfs_attestation_artifacts
+
+#######################################
+# Create and sign the rootfs attestation manifest for the exact SquashFS payload copied into the LUKS mapper.
+# Globals:
+#   VAR_SIGNING_KEY_FPR
+#   VAR_SIGNING_KEY_PASSFILE
+#   VAR_VERIFY_KEYRING
+# Arguments:
+#   1: Final SquashFS payload file
+#   2: Manifest path below binary/live
+# Returns:
+#   0: on success
+#   42: on failure
+#######################################
+create_attestation() {
+  declare rootfs_file="${1}"
+  declare rootfs_attestation="${2}"
+  declare rootfs_hash=""
+  declare rootfs_size=""
+
+  rootfs_size="$(stat -c%s -- "${rootfs_file}")"
+  rootfs_hash="$(LC_ALL=C sha512sum "${rootfs_file}")"
+  rootfs_hash="${rootfs_hash%% *}"
+
+  if printf '%s  %s\n' "${rootfs_hash}" "${rootfs_file}" | LC_ALL=C sha512sum -c --strict --quiet; then
+
+    printf "\e[92m✅ [LC_ALL=C sha512sum -c --strict --quiet of %s] successful. \e[0m\n" "${rootfs_file}"
+
+  else
+
+    printf "\e[91m❌ [LC_ALL=C sha512sum -c --strict --quiet of %s] NOT successful. \e[0m\n" "${rootfs_file}"
+    return 42
+
+  fi
+
+  # The attested boundary is the final SquashFS byte stream before LUKS wrapping. The boot verifier reads exactly this many
+  # bytes from the decrypted mapper and intentionally excludes the LUKS allocation slack after the SquashFS payload.
+  cat << EOF >| "${rootfs_attestation}"
+# CISS.debian.live.builder Master ${VAR_VERSION}
+# Attestation file for filesystem.squashfs Version 1.0.0
+# Boundary : Final filesystem.squashfs byte stream copied into /dev/mapper/crypt_liveiso
+# Bytes    : Final filesystem.squashfs ${rootfs_size}
+${rootfs_hash}  filesystem.squashfs
+EOF
+
+  chmod 0444 "${rootfs_attestation}"
+
+  if gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
+    --detach-sign --output "${rootfs_attestation}.sig" "${rootfs_attestation}"; then
+
+    printf "\e[92m✅ [gpg of %s] successful. \e[0m\n" "${rootfs_attestation}"
+
+  else
+
+    printf "\e[91m❌ [gpg of %s] NOT successful. \e[0m\n" "${rootfs_attestation}"
+    return 42
+
+  fi
+
+  chmod 0444 "${rootfs_attestation}.sig"
+
+  if gpgv --keyring "${VAR_VERIFY_KEYRING}" "${rootfs_attestation}.sig" "${rootfs_attestation}"; then
+
+    printf "\e[92m✅ [gpgv of %s] successful. \e[0m\n" "${rootfs_attestation}.sig"
+
+  else
+
+    printf "\e[91m❌ [gpgv of %s] NOT successful. \e[0m\n" "${rootfs_attestation}.sig"
+    return 42
+
+  fi
+
+  return 0
+}
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f create_attestation
+
+declare    LIVE_PAYLOAD_DIR="${VAR_HANDLER_BUILD_DIR}/binary/live"
+declare    ROOTFS_ATTESTATION_NAME="filesystem.squashfs.sha512sum.txt"
+declare    ROOTFS_ATTESTATION_REL="live/${ROOTFS_ATTESTATION_NAME}"
+declare    LUKSFS="${LIVE_PAYLOAD_DIR}/ciss_rootfs.crypt"
+declare    ROOTFS="${LIVE_PAYLOAD_DIR}/filesystem.squashfs"
+declare    ROOTFS_ATTESTATION="${VAR_HANDLER_BUILD_DIR}/binary/${ROOTFS_ATTESTATION_REL}"
+declare    DM_LAB="crypt_liveiso"
+declare    DEVMAP="/dev/mapper/${DM_LAB}"
+declare    LUKS_KEY_FILE="${VAR_TMP_SECRET}/${VAR_LUKS_KEY:-luks.txt}"
+declare    KEYFD=""
+# Keep Argon2 keyslot memory and parallel costs bounded for later initramfs unlocks on smaller systems.
+declare -i LUKS_PBKDF_MEMORY_KIB=262144
+declare -i LUKS_PBKDF_PARALLEL=1
 # shellcheck disable=SC2155
-declare -i VAR_ROOTFS_SIZE=$(stat -c%s -- "${ROOTFS}")
+declare -i VAR_ROOTFS_SIZE="$(stat -c%s -- "${ROOTFS}")"
+
+### Attestation Boundary
+#   - The attested boundary is the final SquashFS byte stream before LUKS wrapping.
+#   - The boot verifier reads exactly this many bytes from the decrypted mapper and intentionally excludes the LUKS allocation
+#     slack after the SquashFS payload.
+printf "\e[95m🧪 Attestation of filesystem.squashfs ... \e[0m\n"
+
+create_attestation "${ROOTFS}" "${ROOTFS_ATTESTATION}"
+require_rootfs_attestation_artifacts "${ROOTFS_ATTESTATION}"
+
+printf "\e[92m✅ Attestation of filesystem.squashfs successful: ISO paths [/%s] and [/%s.sig]. \e[0m\n" \
+  "${ROOTFS_ATTESTATION_REL}" "${ROOTFS_ATTESTATION_REL}"

 ### Safety margin:
 #   - LUKS2-Header and Metadata
@@ -80,7 +235,7 @@ declare -i VAR_LUKSFS_SIZE=$(( ( (BASE_SIZE + ALIGN_BYTES - 1) / ALIGN_BYTES ) *

 preallocate "${LUKSFS}" "${VAR_LUKSFS_SIZE}"

-exec {KEYFD}<"${VAR_TMP_SECRET}/luks.txt"
+exec {KEYFD}<"${LUKS_KEY_FILE}"

 if [[ "${VAR_CDLB_INSIDE_RUNNER}" == "false" ]]; then

@@ -91,10 +246,12 @@ if [[ "${VAR_CDLB_INSIDE_RUNNER}" == "false" ]]; then
    --iter-time 1000 \
    --key-file "/proc/$$/fd/${KEYFD}" \
    --key-size 512 \
-    --label crypt_liveiso \
+    --label "${DM_LAB}" \
    --luks2-keyslots-size 16777216 \
    --luks2-metadata-size 4194304 \
    --pbkdf argon2id \
+    --pbkdf-memory "${LUKS_PBKDF_MEMORY_KIB}" \
+    --pbkdf-parallel "${LUKS_PBKDF_PARALLEL}" \
    --sector-size 4096 \
    --type luks2 \
    --use-random \
@@ -106,13 +263,16 @@ elif [[ "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then
  cryptsetup luksFormat \
    --batch-mode \
    --cipher aes-xts-plain64 \
+    --integrity hmac-sha512 \
    --iter-time 1000 \
    --key-file "/proc/$$/fd/${KEYFD}" \
    --key-size 512 \
-    --label crypt_liveiso \
+    --label "${DM_LAB}" \
    --luks2-keyslots-size 16777216 \
    --luks2-metadata-size 4194304 \
    --pbkdf argon2id \
+    --pbkdf-memory "${LUKS_PBKDF_MEMORY_KIB}" \
+    --pbkdf-parallel "${LUKS_PBKDF_PARALLEL}" \
    --sector-size 4096 \
    --type luks2 \
    --use-random \
@@ -121,37 +281,39 @@ elif [[ "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then

 fi

-cryptsetup open --key-file "/proc/$$/fd/${KEYFD}" "${LUKSFS}" crypt_liveiso
+cryptsetup open --key-file "/proc/$$/fd/${KEYFD}" "${LUKSFS}" "${DM_LAB}"

 # shellcheck disable=SC2155
-declare -i LUKS_FREE=$(blockdev --getsize64 /dev/mapper/crypt_liveiso)
+declare -i LUKS_FREE=$(blockdev --getsize64 "${DEVMAP}")
 declare -i SQUASH_FS="${VAR_ROOTFS_SIZE}"

 if (( LUKS_FREE >= SQUASH_FS )); then

-  printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ LUKS_FREE '%s' >= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}"
+  printf "\e[92m✅ LUKS_FREE '%s' >= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}"

 else

-  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ LUKS_FREE '%s' <= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}" >&2
+  printf "\e[91m❌ LUKS_FREE '%s' <= SQUASH_FS '%s' \e[0m\n" "${LUKS_FREE}" "${SQUASH_FS}" >&2
  exit 42

 fi

-dd if="${ROOTFS}" of=/dev/mapper/crypt_liveiso bs=8M status=progress conv=fsync
+dd if="${ROOTFS}" of="${DEVMAP}" bs=8M status=progress conv=fsync
 sync
-cryptsetup close crypt_liveiso
+cryptsetup close "${DM_LAB}"

 exec {KEYFD}<&-

-shred -fzu -n 5 -- "${VAR_TMP_SECRET}/luks.txt"
+shred -fzu -n 5 -- "${LUKS_KEY_FILE}"

 rm -f -- "${ROOTFS}"

+require_rootfs_attestation_artifacts "${ROOTFS_ATTESTATION}"
+
 umask "${__umask}"
 __umask=""

-printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+printf "\e[92m✅ '%s' applied successfully. \e[0m\n" "${0}"

 exit 0
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -0,0 +1,396 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2026-06-04; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2026; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+# shellcheck disable=SC2312
+set -Ceuo pipefail
+
+# Final live-build binary hook for the CISS UKI build. When the ciss-uki Secure Boot profile is active, this hook selects the
+# complete kernel/initrd pair, reads the live kernel command line, optionally embeds separate early microcode, creates unsigned
+# and signed Unified Kernel Images with ukify, verifies the signed UKI with 'sbverify', writes a manifest, and refuses private
+# Secure Boot key material in build artifact paths.
+
+#######################################
+# Prints a fatal error message and terminates the hook.
+# Globals:
+#   None
+# Arguments:
+#   1: Error message
+# Returns:
+#   42: always exits with failure
+#######################################
+die() {
+  declare message="${1}"
+  printf "\e[91m❌ %s \e[0m\n" "${message}" >&2
+  exit 42
+}
+
+#######################################
+# Checks whether a required command exists.
+# Globals:
+#   None
+# Arguments:
+#   1: Command name
+# Returns:
+#   0: on success
+#   42: if the command is missing
+#######################################
+require_command() {
+  declare command_name="${1}"
+
+  command -v "${command_name}" >/dev/null 2>&1 || die "Required command not found: '${command_name}'."
+
+  return 0
+}
+
+#######################################
+# Checks whether a required file exists.
+# Globals:
+#   None
+# Arguments:
+#   1: File path
+#   2: Human-readable file description
+# Returns:
+#   0: on success
+#   42: if the file is missing
+#######################################
+require_file() {
+  declare file_path="${1}"
+  declare description="${2}"
+
+  [[ -f "${file_path}" ]] || die "Missing ${description}: '${file_path}'."
+
+  return 0
+}
+
+#######################################
+# Reads the single LB_BOOTAPPEND_LIVE value from a live-build binary configuration file.
+# Globals:
+#   None
+# Arguments:
+#   1: live-build binary configuration file
+#   2: Output variable name for the kernel command line
+# Returns:
+#   0: on success
+#   42: if the file is missing, the entry is ambiguous, or the value is empty
+#######################################
+read_bootappend_live() {
+  declare config_file="${1}"
+  declare output_var="${2}"
+  declare -a matches=()
+  declare value=""
+
+  require_file "${config_file}" "live-build binary configuration"
+
+  mapfile -t matches < <(grep -E '^LB_BOOTAPPEND_LIVE=' "${config_file}" || true)
+
+  if (( ${#matches[@]} != 1 )); then
+    die "Expected exactly one LB_BOOTAPPEND_LIVE entry in '${config_file}', found '${#matches[@]}'."
+  fi
+
+  value="${matches[0]#LB_BOOTAPPEND_LIVE=}"
+  if [[ "${value}" == \"*\" ]]; then
+    value="${value#\"}"
+    value="${value%\"}"
+  fi
+
+  [[ -n "${value}" ]] || die "LB_BOOTAPPEND_LIVE in '${config_file}' is empty."
+
+  printf -v "${output_var}" "%s" "${value}"
+
+  return 0
+}
+
+#######################################
+# Collects kernel and initrd candidates from one artifact directory.
+# Globals:
+#   None
+# Arguments:
+#   1: Artifact directory
+#   2: Output variable name for the selected kernel path
+#   3: Output variable name for the selected initrd path
+# Returns:
+#   0: on success, including when the directory does not exist
+#   42: if more than one kernel or initrd candidate exists
+#######################################
+collect_artifacts_from_dir() {
+  declare artifact_dir="${1}"
+  declare kernel_output_var="${2}"
+  declare initrd_output_var="${3}"
+  declare -a kernels=()
+  declare -a initrds=()
+
+  if [[ ! -d "${artifact_dir}" ]]; then
+    printf -v "${kernel_output_var}" "%s" ""
+    printf -v "${initrd_output_var}" "%s" ""
+    return 0
+  fi
+
+  mapfile -d '' -t kernels < <(find "${artifact_dir}" -maxdepth 1 -type f -name "vmlinuz-*" -print0 | LC_ALL=C sort -z)
+  mapfile -d '' -t initrds < <(find "${artifact_dir}" -maxdepth 1 -type f -name "initrd.img-*" -print0 | LC_ALL=C sort -z)
+
+  if (( ${#kernels[@]} > 1 )); then
+    die "Ambiguous kernel candidates in '${artifact_dir}'. Refusing to select automatically."
+  fi
+
+  if (( ${#initrds[@]} > 1 )); then
+    die "Ambiguous initrd candidates in '${artifact_dir}'. Refusing to select automatically."
+  fi
+
+  printf -v "${kernel_output_var}" "%s" "${kernels[0]:-}"
+  printf -v "${initrd_output_var}" "%s" "${initrds[0]:-}"
+
+  return 0
+}
+
+#######################################
+# Selects the kernel/initrd pair used to build the UKI.
+# Globals:
+#   None
+# Arguments:
+#   1: Output variable name for the selected kernel path
+#   2: Output variable name for the selected initrd path
+# Returns:
+#   0: on success
+#   42: if no complete pair exists, the final pair is incomplete, or candidates are ambiguous
+#######################################
+select_kernel_initrd_pair() {
+  declare kernel_output_var="$1"
+  declare initrd_output_var="$2"
+  declare binary_kernel=""
+  declare binary_initrd=""
+  declare fallback_kernel=""
+  declare fallback_initrd=""
+
+  collect_artifacts_from_dir "binary/live" binary_kernel binary_initrd
+
+  if [[ -n "${binary_kernel}" && -n "${binary_initrd}" ]]; then
+    printf "\e[92m✅ Using final binary/live kernel and initrd artifacts. \e[0m\n"
+    printf -v "${kernel_output_var}" "%s" "${binary_kernel}"
+    printf -v "${initrd_output_var}" "%s" "${binary_initrd}"
+    return 0
+  fi
+
+  if [[ -n "${binary_kernel}" || -n "${binary_initrd}" ]]; then
+    die "Incomplete binary/live kernel/initrd pair. Refusing to mix final and fallback artifacts."
+  fi
+
+  printf "\e[93m❌ No complete binary/live kernel/initrd pair found; checking chroot/boot fallback. \e[0m\n"
+  collect_artifacts_from_dir "chroot/boot" fallback_kernel fallback_initrd
+
+  if [[ -n "${fallback_kernel}" && -n "${fallback_initrd}" ]]; then
+    printf "\e[93m❌ Using chroot/boot fallback artifacts because binary/live has no complete pair. \e[0m\n"
+    printf -v "${kernel_output_var}" "%s" "${fallback_kernel}"
+    printf -v "${initrd_output_var}" "%s" "${fallback_initrd}"
+    return 0
+  fi
+
+  die "No complete kernel/initrd pair found in binary/live or chroot/boot."
+}
+
+#######################################
+# Finds an optional separate early microcode cpio next to the selected initrd.
+# Globals:
+#   None
+# Arguments:
+#   1: Artifact directory
+#   2: Output variable name for the selected microcode cpio path
+# Returns:
+#   0: on success, including when no separate microcode cpio exists
+#   42: if more than one separate microcode cpio candidate exists
+#######################################
+collect_optional_microcode() {
+  declare artifact_dir="${1}"
+  declare output_var="${2}"
+  declare -a microcode_candidates=()
+
+  mapfile -d '' -t microcode_candidates < <(
+    find "${artifact_dir}" -maxdepth 1 -type f \( -name "*microcode*.cpio" -o -name "*ucode*.cpio" \) -print0 | LC_ALL=C sort -z
+  )
+
+  if (( ${#microcode_candidates[@]} > 1 )); then
+    die "Ambiguous separate early microcode cpio candidates in '${artifact_dir}'. Refusing to select automatically."
+  fi
+
+  printf -v "${output_var}" "%s" "${microcode_candidates[0]:-}"
+
+  return 0
+}
+
+#######################################
+# Refuses private Secure Boot key material in generated artifact paths.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#   42: if a private Secure Boot key is found below a guarded path
+#######################################
+guard_private_key_leaks() {
+  declare -a guard_roots=(binary chroot config/includes.binary config/includes.chroot config/includes.installer)
+  declare guard_root=""
+  declare private_file=""
+
+  for guard_root in "${guard_roots[@]}"; do
+
+    if [[ ! -d "${guard_root}" ]]; then
+      continue
+    fi
+
+    while IFS= read -r -d '' private_file; do
+      die "Refusing private Secure Boot key inside build artifact path: '${private_file}'."
+    done < <(find "${guard_root}" -xdev -type f \( -name "ciss-efi-image.key" -o -name "ciss-module-signing.key" \) -print0)
+
+  done
+
+  return 0
+}
+
+#######################################
+# Builds unsigned and signed CISS UKIs for the ciss-uki Secure Boot profile.
+# Globals:
+#   PWD
+#   VAR_CISS_SECUREBOOT_DIR
+#   VAR_CISS_SECUREBOOT_EFI_CERT
+#   VAR_CISS_SECUREBOOT_EFI_KEY
+#   VAR_CISS_SECUREBOOT_PROFILE
+#   VAR_HANDLER_BUILD_DIR
+#   VAR_WORKDIR
+# Arguments:
+#   None
+# Returns:
+#   0: on success or when the active Secure Boot profile does not require a CISS UKI
+#   42: on validation, artifact selection, UKI build, signing, or verification failure
+#######################################
+main() {
+  declare profile="${VAR_CISS_SECUREBOOT_PROFILE:-debian-shim}"
+  declare build_dir="${VAR_HANDLER_BUILD_DIR:-${PWD}}"
+  declare secureboot_dir="${VAR_CISS_SECUREBOOT_DIR:-${VAR_WORKDIR:-${build_dir}}/ciss.secureboot}"
+  declare secureboot_key="${VAR_CISS_SECUREBOOT_EFI_KEY:-${secureboot_dir}/private/ciss-efi-image.key}"
+  declare secureboot_cert="${VAR_CISS_SECUREBOOT_EFI_CERT:-${secureboot_dir}/public/ciss-efi-image.crt}"
+  declare stub="/usr/lib/systemd/boot/efi/linuxx64.efi.stub"
+  declare os_release="chroot/usr/lib/os-release"
+  declare kernel_path=""
+  declare initrd_path=""
+  declare kernel_base=""
+  declare initrd_base=""
+  declare kernel_version=""
+  declare initrd_version=""
+  declare cmdline=""
+  declare microcode_initrd=""
+  declare output_root=""
+  declare uki_dir=""
+  declare manifest_dir=""
+  declare unsigned_uki=""
+  declare signed_uki=""
+  declare manifest=""
+  declare -a ukify_args=()
+
+  if [[ "${profile}" != "ciss-uki" ]]; then
+    printf "\e[92m✅ Secure Boot profile '%s'; skipping CISS UKI build. \e[0m\n" "${profile}"
+    return 0
+  fi
+
+  printf "\e[95m🧪 Building CISS Secure Boot UKI ... \e[0m\n"
+
+  cd "${build_dir}"
+
+  require_command ukify
+  require_command sbverify
+  require_command sha512sum
+  require_file "${stub}" "systemd EFI stub"
+  require_file "${secureboot_key}" "CISS EFI image signing key"
+  require_file "${secureboot_cert}" "CISS EFI image signing certificate"
+  require_file "${os_release}" "target os-release metadata"
+  guard_private_key_leaks
+
+  select_kernel_initrd_pair kernel_path initrd_path
+
+  kernel_base="${kernel_path##*/}"
+  initrd_base="${initrd_path##*/}"
+  kernel_version="${kernel_base#vmlinuz-}"
+  initrd_version="${initrd_base#initrd.img-}"
+
+  [[ -n "${kernel_version}" && "${kernel_base}" != "${kernel_version}" ]] || die "Kernel artifact name does not match vmlinuz-<version>: '${kernel_path}'."
+  [[ -n "${initrd_version}" && "${initrd_base}" != "${initrd_version}" ]] || die "Initrd artifact name does not match initrd.img-<version>: '${initrd_path}'."
+
+  if [[ "${kernel_version}" != "${initrd_version}" ]]; then
+    die "Kernel/initrd version mismatch: kernel='${kernel_version}', initrd='${initrd_version}'."
+  fi
+
+  read_bootappend_live "config/binary" cmdline
+  collect_optional_microcode "${initrd_path%/*}" microcode_initrd
+
+  output_root="${build_dir}/ciss.secureboot"
+  uki_dir="${output_root}/uki"
+  manifest_dir="${output_root}/manifests"
+  unsigned_uki="${uki_dir}/CISS-LIVE-${kernel_version}.unsigned.efi"
+  signed_uki="${uki_dir}/CISS-LIVE-${kernel_version}.signed.efi"
+  manifest="${manifest_dir}/CISS-LIVE-${kernel_version}.uki-build.txt"
+
+  install -d -m 0755 "${uki_dir}" "${manifest_dir}"
+  rm -f -- "${unsigned_uki}" "${signed_uki}" "${manifest}"
+
+  ukify_args=(
+    build
+    --stub="${stub}"
+    --linux="${kernel_path}"
+    --cmdline="${cmdline}"
+    --os-release="@${os_release}"
+    --uname="${kernel_version}"
+  )
+
+  if [[ -n "${microcode_initrd}" ]]; then
+    printf "\e[92m✅ Embedding separate early microcode cpio before normal initrd: '%s'. \e[0m\n" "${microcode_initrd}"
+    ukify_args+=(--initrd="${microcode_initrd}")
+  else
+    printf "\e[92m✅ No separate early microcode cpio found; using normal initrd only. \e[0m\n"
+  fi
+
+  ukify_args+=(--initrd="${initrd_path}")
+
+  printf "\e[95m🧪 Creating unsigned UKI: '%s'. \e[0m\n" "${unsigned_uki}"
+  ukify "${ukify_args[@]}" --output="${unsigned_uki}"
+
+  printf "\e[95m🧪 Creating signed UKI: '%s'. \e[0m\n" "${signed_uki}"
+  ukify "${ukify_args[@]}" \
+    --secureboot-private-key="${secureboot_key}" \
+    --secureboot-certificate="${secureboot_cert}" \
+    --output="${signed_uki}"
+
+  require_file "${unsigned_uki}" "unsigned CISS UKI"
+  require_file "${signed_uki}" "signed CISS UKI"
+
+  {
+    printf "CISS Secure Boot UKI build manifest\n"
+    printf "Kernel: %s\n" "${kernel_path}"
+    printf "Initrd: %s\n" "${initrd_path}"
+    printf "Microcode initrd: %s\n" "${microcode_initrd:-none}"
+    printf "Uname: %s\n" "${kernel_version}"
+    printf "OS release: %s\n" "${os_release}"
+    printf "Command line: %s\n" "${cmdline}"
+    printf "\nSHA512:\n"
+    sha512sum "${unsigned_uki}" "${signed_uki}"
+    printf "\nukify inspect:\n"
+    ukify inspect "${signed_uki}"
+    printf "\nsbverify:\n"
+    sbverify --cert "${secureboot_cert}" "${signed_uki}"
+  } >| "${manifest}" 2>&1
+
+  printf "\e[92m✅ UKI inspection and signature verification written to '%s'. \e[0m\n" "${manifest}"
+  printf "\e[92m✅ CISS Secure Boot UKI build completed. \e[0m\n"
+
+  return 0
+}
+
+main "$@"
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -0,0 +1,347 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2026-06-04; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2026; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+# shellcheck disable=SC2312
+set -Ceuo pipefail
+
+# Final live-build binary hook for CISS UKI installation. When the ciss-uki Secure Boot profile is active, this hook selects
+# the single signed CISS UKI, rebuilds the FAT EFI boot image with it as EFI/BOOT/BOOTX64.EFI, verifies the installed copy,
+# mirrors it into the ISO EFI tree when available, writes an installation manifest, and refuses private Secure Boot key
+# material in build artifact paths.
+
+declare TMP_DIR=""
+
+#######################################
+# Removes the temporary EFI image work directory if it is inside the expected Secure Boot output tree.
+# Globals:
+#   PWD
+#   TMP_DIR
+#   VAR_HANDLER_BUILD_DIR
+# Arguments:
+#   None
+# Returns:
+#   0: on success or when no temporary directory exists
+#   42: if the temporary directory is outside the expected cleanup root
+#   non-zero: if removal of the expected temporary directory fails under strict mode
+#######################################
+cleanup() {
+  declare build_dir="${VAR_HANDLER_BUILD_DIR:-${PWD}}"
+
+  if [[ -n "${TMP_DIR}" && -d "${TMP_DIR}" ]]; then
+    case "${TMP_DIR}" in
+      "${build_dir}/ciss.secureboot/"*)
+        rm -rf -- "${TMP_DIR}"
+        ;;
+      *)
+        printf "\e[91m❌ Refusing to clean unexpected temporary path: '%s'. \e[0m\n" "${TMP_DIR}" >&2
+        return 42
+        ;;
+    esac
+  fi
+
+  return 0
+}
+
+#######################################
+# Prints a fatal error message and terminates the hook.
+# Globals:
+#   None
+# Arguments:
+#   1: Error message
+# Returns:
+#   42: always exits with failure
+#######################################
+die() {
+  declare message="$1"
+  printf "\e[91m❌ %s \e[0m\n" "${message}" >&2
+  exit 42
+}
+
+#######################################
+# Checks whether a required command exists.
+# Globals:
+#   None
+# Arguments:
+#   1: Command name
+# Returns:
+#   0: on success
+#   42: if the command is missing
+#######################################
+require_command() {
+  declare command_name="$1"
+
+  command -v "${command_name}" >/dev/null 2>&1 || die "Required command not found: '${command_name}'."
+
+  return 0
+}
+
+#######################################
+# Checks whether a required file exists.
+# Globals:
+#   None
+# Arguments:
+#   1: File path
+#   2: Human-readable file description
+# Returns:
+#   0: on success
+#   42: if the file is missing
+#######################################
+require_file() {
+  declare file_path="$1"
+  declare description="$2"
+
+  [[ -f "${file_path}" ]] || die "Missing ${description}: '${file_path}'."
+
+  return 0
+}
+
+#######################################
+# Selects the single signed CISS UKI generated by the CISS UKI build hook.
+# Globals:
+#   None
+# Arguments:
+#   1: CISS UKI output directory
+#   2: Output variable name for the selected signed UKI path
+# Returns:
+#   0: on success
+#   42: if the UKI directory is missing or does not contain exactly one signed UKI
+#######################################
+select_signed_uki() {
+  declare uki_dir="$1"
+  declare output_var="$2"
+  declare -a signed_ukis=()
+
+  [[ -d "${uki_dir}" ]] || die "Missing CISS UKI output directory: '${uki_dir}'."
+
+  mapfile -d '' -t signed_ukis < <(find "${uki_dir}" -maxdepth 1 -type f -name "CISS-LIVE-*.signed.efi" -print0 | LC_ALL=C sort -z)
+
+  if (( ${#signed_ukis[@]} != 1 )); then
+    die "Expected exactly one signed CISS UKI in '${uki_dir}', found '${#signed_ukis[@]}'."
+  fi
+
+  printf -v "${output_var}" "%s" "${signed_ukis[0]}"
+
+  return 0
+}
+
+#######################################
+# Refuses private Secure Boot key material in generated artifact paths.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#   42: if a private Secure Boot key is found below a guarded path
+#######################################
+guard_private_key_leaks() {
+  declare -a guard_roots=(binary chroot config/includes.binary config/includes.chroot config/includes.installer)
+  declare guard_root=""
+  declare private_file=""
+
+  for guard_root in "${guard_roots[@]}"; do
+
+    if [[ ! -d "${guard_root}" ]]; then
+      continue
+    fi
+
+    while IFS= read -r -d '' private_file; do
+      die "Refusing private Secure Boot key inside build artifact path: '${private_file}'."
+    done < <(find "${guard_root}" -xdev -type f \( -name "ciss-efi-image.key" -o -name "ciss-module-signing.key" \) -print0)
+
+  done
+
+  return 0
+}
+
+#######################################
+# Mirrors the signed UKI into the ISO EFI tree as the removable-media bootloader when that tree exists.
+# Globals:
+#   None
+# Arguments:
+#   1: Signed UKI path
+#   2: Output variable name for the ISO EFI tree BOOTX64 path, or an empty value when no tree exists
+# Returns:
+#   0: on success, including when no ISO EFI tree exists
+#   non-zero: if directory creation or file installation fails under strict mode
+#######################################
+install_iso_tree_bootx64() {
+  declare signed_uki="$1"
+  declare output_var="$2"
+  declare iso_tree_bootx64=""
+
+  if [[ -d "binary/EFI/boot" ]]; then
+    iso_tree_bootx64="binary/EFI/boot/bootx64.efi"
+  elif [[ -d "binary/EFI/BOOT" ]]; then
+    iso_tree_bootx64="binary/EFI/BOOT/BOOTX64.EFI"
+  elif [[ -d "binary/EFI" ]]; then
+    install -d -m 0755 "binary/EFI/BOOT"
+    iso_tree_bootx64="binary/EFI/BOOT/BOOTX64.EFI"
+  fi
+
+  if [[ -n "${iso_tree_bootx64}" ]]; then
+    install -m 0644 "${signed_uki}" "${iso_tree_bootx64}"
+    printf "\e[92m✅ Mirrored signed UKI into ISO EFI tree: '%s'. \e[0m\n" "${iso_tree_bootx64}"
+  else
+    printf "\e[93m❌ No binary/EFI tree found; only EFI boot image was updated. \e[0m\n"
+  fi
+
+  printf -v "${output_var}" "%s" "${iso_tree_bootx64}"
+
+  return 0
+}
+
+#######################################
+# Installs the signed CISS UKI into the EFI boot image for the ciss-uki Secure Boot profile.
+# Globals:
+#   PWD
+#   SOURCE_DATE_EPOCH
+#   TMP_DIR
+#   VAR_CISS_SECUREBOOT_DIR
+#   VAR_CISS_SECUREBOOT_EFI_CERT
+#   VAR_CISS_SECUREBOOT_PROFILE
+#   VAR_HANDLER_BUILD_DIR
+#   VAR_WORKDIR
+# Arguments:
+#   None
+# Returns:
+#   0: on success or when the active Secure Boot profile does not require CISS UKI installation
+#   42: on explicit validation, comparison, or signature verification failure
+#   non-zero: if an external tool, installation command, or manifest write fails under strict mode
+#######################################
+main() {
+  declare profile="${VAR_CISS_SECUREBOOT_PROFILE:-debian-shim}"
+  declare build_dir="${VAR_HANDLER_BUILD_DIR:-${PWD}}"
+  declare secureboot_dir="${VAR_CISS_SECUREBOOT_DIR:-${VAR_WORKDIR:-${build_dir}}/ciss.secureboot}"
+  declare secureboot_cert="${VAR_CISS_SECUREBOOT_EFI_CERT:-${secureboot_dir}/public/ciss-efi-image.crt}"
+  declare output_root=""
+  declare uki_dir=""
+  declare manifest_dir=""
+  declare signed_uki=""
+  declare efi_img="binary/boot/grub/efi.img"
+  declare uki_name=""
+  declare kernel_version=""
+  declare manifest=""
+  declare tmp_img=""
+  declare extracted_uki=""
+  declare iso_tree_bootx64=""
+  declare uki_size=""
+  declare -i uki_kib=0
+  declare -i blocks=0
+  declare source_epoch="${SOURCE_DATE_EPOCH:-0}"
+  declare volid=""
+
+  if [[ "${profile}" != "ciss-uki" ]]; then
+    printf "\e[92m✅ Secure Boot profile '%s'; skipping CISS UKI EFI installation. \e[0m\n" "${profile}"
+    return 0
+  fi
+
+  printf "\e[95m🧪 Installing CISS signed UKI into EFI boot image ... \e[0m\n"
+
+  cd "${build_dir}"
+
+  require_command cmp
+  require_command mcopy
+  require_command mdir
+  require_command mkfs.msdos
+  require_command sbverify
+  require_command sha512sum
+  require_command stat
+  require_command ukify
+  require_file "${secureboot_cert}" "CISS EFI image signing certificate"
+  require_file "${efi_img}" "live-build EFI boot image"
+  guard_private_key_leaks
+
+  output_root="${build_dir}/ciss.secureboot"
+  uki_dir="${output_root}/uki"
+  manifest_dir="${output_root}/manifests"
+  select_signed_uki "${uki_dir}" signed_uki
+
+  uki_name="${signed_uki##*/}"
+  kernel_version="${uki_name#CISS-LIVE-}"
+  kernel_version="${kernel_version%.signed.efi}"
+  [[ -n "${kernel_version}" && "${kernel_version}" != "${uki_name}" ]] || die "Signed UKI name does not match CISS-LIVE-<version>.signed.efi: '${signed_uki}'."
+
+  install -d -m 0755 "${manifest_dir}"
+  TMP_DIR="$(mktemp -d -p "${output_root}" "efi-img.XXXXXXXX")"
+  tmp_img="${TMP_DIR}/efi.img"
+  extracted_uki="${TMP_DIR}/BOOTX64.EFI"
+  manifest="${manifest_dir}/CISS-LIVE-${kernel_version}.efi-install.txt"
+  rm -f -- "${manifest}"
+
+  uki_size="$(stat -c %s -- "${signed_uki}")"
+  uki_kib=$(( (uki_size + 1023) / 1024 ))
+  blocks=$(( (uki_kib + 8192 + 31) / 32 * 32 ))
+  if (( blocks < 32768 )); then
+    blocks=32768
+  fi
+
+  if [[ ! "${source_epoch}" =~ ^[0-9]+$ ]]; then
+    source_epoch="0"
+  fi
+  printf -v volid "%08x" "$((source_epoch % 4294967296))"
+
+  printf "\e[95m🧪 Rebuilding EFI boot image with signed UKI as EFI/BOOT/BOOTX64.EFI. \e[0m\n"
+  mkfs.msdos -C "${tmp_img}" "${blocks}" -i "${volid}" >/dev/null
+  mmd -i "${tmp_img}" "::EFI"
+  mmd -i "${tmp_img}" "::EFI/BOOT"
+  mcopy -m -o -i "${tmp_img}" "${signed_uki}" "::EFI/BOOT/BOOTX64.EFI"
+  mcopy -o -i "${tmp_img}" "::EFI/BOOT/BOOTX64.EFI" "${extracted_uki}"
+
+  cmp -s "${signed_uki}" "${extracted_uki}" || die "Extracted BOOTX64.EFI differs from signed UKI before EFI image installation."
+  sbverify --cert "${secureboot_cert}" "${extracted_uki}" >/dev/null
+
+  install -m 0644 "${tmp_img}" "${efi_img}"
+
+  rm -f -- "${extracted_uki}"
+  mcopy -o -i "${efi_img}" "::EFI/BOOT/BOOTX64.EFI" "${extracted_uki}"
+  cmp -s "${signed_uki}" "${extracted_uki}" || die "Installed EFI/BOOT/BOOTX64.EFI differs from signed UKI."
+  sbverify --cert "${secureboot_cert}" "${extracted_uki}" >/dev/null
+
+  install_iso_tree_bootx64 "${signed_uki}" iso_tree_bootx64
+  if [[ -n "${iso_tree_bootx64}" ]]; then
+    cmp -s "${signed_uki}" "${iso_tree_bootx64}" || die "ISO EFI tree BOOTX64.EFI differs from signed UKI."
+    sbverify --cert "${secureboot_cert}" "${iso_tree_bootx64}" >/dev/null
+  fi
+
+  guard_private_key_leaks
+
+  {
+    printf "CISS Secure Boot EFI image installation manifest\n"
+    printf "EFI image: %s\n" "${efi_img}"
+    printf "Installed path: EFI/BOOT/BOOTX64.EFI\n"
+    printf "ISO EFI tree mirror: %s\n" "${iso_tree_bootx64:-none}"
+    printf "Signed UKI: %s\n" "${signed_uki}"
+    printf "FAT image blocks KiB: %s\n" "${blocks}"
+    printf "FAT volume id: %s\n" "${volid}"
+    printf "\nSHA512:\n"
+    sha512sum "${efi_img}" "${signed_uki}" "${extracted_uki}"
+    if [[ -n "${iso_tree_bootx64}" ]]; then
+      sha512sum "${iso_tree_bootx64}"
+    fi
+    printf "\nEFI directory:\n"
+    mdir -i "${efi_img}" "::EFI/BOOT"
+    printf "\nukify inspect installed BOOTX64.EFI:\n"
+    ukify inspect "${extracted_uki}"
+    printf "\nsbverify installed BOOTX64.EFI:\n"
+    sbverify --cert "${secureboot_cert}" "${extracted_uki}"
+  } >| "${manifest}" 2>&1
+
+  printf "\e[92m✅ EFI image installation verification written to '%s'. \e[0m\n" "${manifest}"
+  printf "\e[92m✅ CISS signed UKI installed as EFI/BOOT/BOOTX64.EFI. \e[0m\n"
+
+  return 0
+}
+
+main "$@"
+cleanup
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -39,7 +39,7 @@ install -d -m 0755  "${DESTDIR}/usr/sbin"


 ### Include binaries -----------------------------------------------------------------------------------------------------------
-for bin in bash blkid busybox dd dmsetup gpgv losetup lsblk mkpasswd mountpoint sha384sum sha512sum sort stty timeout tr tree udevadm whois; do
+for bin in awk bash blkid busybox dd dmsetup gawk gpgv losetup lsblk mkpasswd mountpoint sha384sum sha512sum sort stty timeout tr tree udevadm whois; do

  path="$(command -v "${bin}" 2>/dev/null || true)"

@@ -123,7 +123,6 @@ if [ -d "${src_dir}" ]; then

 fi

-
 ### Install Dropbear configuration ---------------------------------------------------------------------------------------------
 install -m 0444 /etc/dropbear/initramfs/dropbear.conf "${DESTDIR}/etc/dropbear/dropbear.conf"
 printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/dropbear.conf %s/etc/dropbear/dropbear.conf] \n\e[0m" "${DESTDIR}"
@@ -146,6 +145,13 @@ printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/ba
 install -m 0444 /etc/banner "${DESTDIR}/etc/dropbear/banner"
 printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/banner %s/etc/dropbear/banner] \n\e[0m" "${DESTDIR}"

+### Ensure live-boot runtime scripts in the initramfs are executable -----------------------------------------------------------
+if [ -d "${DESTDIR}/usr/lib/live/boot" ]; then
+
+  find "${DESTDIR}/usr/lib/live/boot" -type f -exec chmod +x -- {} +
+  printf "\e[92mSuccessfully executed: [find %s/usr/lib/live/boot -type f -exec chmod +x -- {} +] \n\e[0m" "${DESTDIR}"
+
+fi
 ### EOS

 printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh] \n\e[0m"
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.004.2026.05.17
+# Version Master V9.14.028.2026.06.18

 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.004.2026.05.17
+# Version Master V9.14.028.2026.06.18

 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -11,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.004.2026.05.17
+# Version Master V9.14.028.2026.06.18

 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-declare -gr VERSION="Master V9.14.004.2026.05.17"
+declare -gr VERSION="Master V9.14.028.2026.06.18"

 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh

 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V9.14.004.2026.05.17 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V9.14.028.2026.06.18 at: 10:18:37.9542
@@ -25,8 +25,8 @@ cat << 'EOF'
 EOF

 echo ""
-echo -e "\e[97m      (c) Marc S. Weidner, 2018 - 2025 \e[0m"
-echo -e "\e[97m      (p) Centurion Press, 2018 - 2025 \e[0m"
+echo -e "\e[97m      (c) Marc S. Weidner, 2018 - 2026 \e[0m"
+echo -e "\e[97m      (p) Centurion Press, 2018 - 2026 \e[0m"
 echo -e "\e[97m          Centurion Intelligence Consulting Agency (tm) \e[0m"
 echo -e "\e[97m          https://coresecret.eu/ \e[0m"
 echo -e "\e[95m          Please consider making a donation: \e[0m"
@@ -14,8 +14,10 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Purpose: Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
-# Phase  : premount (executed by live-boot inside the initramfs).
+# Module summary:
+# - Reserve a dedicated /run/live/overlay tmpfs with a configurable size limit.
+# - Mount it with restrictive flags and permissions before OverlayFS uses it.
+# - Prepare the upper and work directories required by the later live-boot overlay setup.

 _SAVED_SET_OPTS="$(set +o)"

@@ -14,13 +14,171 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Purpose: Open /live/ciss_rootfs.crypt (LUKS) for final processing in '9990-overlay.sh'
-# Phase  : premount (executed by live-boot inside the initramfs)
+# Module summary:
+# - Read CISS boot parameters for the encrypted root path and live ISO label.
+# - Mount the live medium read-only and locate the encrypted SquashFS container.
+# - Attach the encrypted container through a read-only loop device.
+# - Accept a LUKS passphrase from the local console or remotely unlock FIFO.
+# - Open the decrypted root mapper and expose the handoff state for later live-boot overlay processing.

 _SAVED_SET_OPTS="$(set +o)"

 set -eu

+#######################################
+# Ensure the minimal device nodes required by this early boot script exist.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: Always. Device-node setup is best-effort only
+#######################################
+ensure_minimal_dev_nodes() {
+  mknod_cmd=""
+  busybox_cmd=""
+
+  [ -d /dev ] || mkdir -p /dev || return 0
+
+  if [ -c /dev/null ] && [ -c /dev/console ]; then
+
+    return 0
+
+  fi
+
+  mknod_cmd="$(command -v mknod 2>&- || printf '')"
+  if [ -z "${mknod_cmd}" ]; then
+
+    busybox_cmd="$(command -v busybox 2>&- || printf '')"
+
+  fi
+
+  if [ ! -c /dev/null ]; then
+
+    rm -f /dev/null || true
+    if [ -n "${mknod_cmd}" ]; then
+
+      "${mknod_cmd}" -m 666 /dev/null c 1 3 || true
+
+    elif [ -n "${busybox_cmd}" ]; then
+
+      "${busybox_cmd}" mknod -m 666 /dev/null c 1 3 || true
+
+    fi
+
+  fi
+
+  if [ ! -c /dev/console ]; then
+
+    rm -f /dev/console || true
+    if [ -n "${mknod_cmd}" ]; then
+
+      "${mknod_cmd}" -m 600 /dev/console c 5 1 || true
+
+    elif [ -n "${busybox_cmd}" ]; then
+
+      "${busybox_cmd}" mknod -m 600 /dev/console c 5 1 || true
+
+    fi
+
+  fi
+
+  return 0
+}
+
+#######################################
+# Console logging helper that does not assume /dev/console is always present.
+# Globals:
+#   None
+# Arguments:
+#   1: printf format
+#   *: printf arguments
+# Returns:
+#   0: always, logging failure is not fatal
+#######################################
+console_printf() {
+  console_format="$1"
+  shift
+
+  if [ -c /dev/console ]; then
+
+    # shellcheck disable=SC2059
+    printf "${console_format}" "$@" > /dev/console || :
+
+  elif [ -e /proc/1/fd/1 ]; then
+
+    # shellcheck disable=SC2059
+    printf "${console_format}" "$@" > /proc/1/fd/1 || :
+
+  fi
+
+  return 0
+}
+
+#######################################
+# Clear the current console line without making cleanup fatal.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: Always. Console cleanup failure is not fatal.
+#######################################
+console_clear_line() {
+  console_printf '\r\033[K'
+
+  return 0
+}
+
+#######################################
+# Wait for an explicit local-console unlock activation.
+# Globals:
+#   None
+# Arguments:
+#   None
+# Returns:
+#   0: local console activation was requested
+#   1: console unavailable or activation read failed
+#######################################
+wait_for_local_unlock_activation() {
+  LOCAL_UNLOCK_SAVED_STTY=""
+  LOCAL_UNLOCK_READ_STATUS=0
+
+  ensure_minimal_dev_nodes
+
+  [ -c /dev/console ] || return 1
+  exec 9<>/dev/console || return 1
+
+  LOCAL_UNLOCK_SAVED_STTY=$(stty -g <&9 2>&- || printf '')
+  trap 'if [ -n "${LOCAL_UNLOCK_SAVED_STTY}" ]; then stty "${LOCAL_UNLOCK_SAVED_STTY}" <&9 2>&- || :; fi; printf "\r\033[K" >&9 2>&- || :; exec 9>&-; exit 143' TERM INT HUP
+
+  if [ -n "${LOCAL_UNLOCK_SAVED_STTY}" ]; then
+
+    stty -echo <&9 2>&- || :
+
+  fi
+
+  printf '\e[93m[INFO] CISS LUKS decryption : Press Enter for local unlock: \n\e[0m' >&9 || :
+  IFS= read -r _ <&9
+  LOCAL_UNLOCK_READ_STATUS="$?"
+
+  if [ -n "${LOCAL_UNLOCK_SAVED_STTY}" ]; then
+
+    stty "${LOCAL_UNLOCK_SAVED_STTY}" <&9 2>&- || :
+
+  fi
+
+  printf '\r\033[K' >&9 || :
+  exec 9>&-
+  trap - TERM INT HUP
+
+  [ "${LOCAL_UNLOCK_READ_STATUS}" -eq 0 ] || return 1
+
+  return 0
+}
+
+ensure_minimal_dev_nodes
+
 printf "\e[95m[INFO] Starting             : [/usr/lib/live/boot/0024-ciss-crypt-squash] \n\e[0m"

 #######################################
@@ -37,11 +195,21 @@ ask_pass_console() {
  PASSPHRASE=""
  SAVED_STTY=""

+  ensure_minimal_dev_nodes
+
+  [ -c /dev/console ] || return 1
+  exec 8<>/dev/console || return 1
+
  ### Save current console settings.
-  SAVED_STTY=$(stty -g </dev/console 2>/dev/null || printf '')
+  SAVED_STTY=$(stty -g <&8 2>&- || printf '')

  ### Non-canonical mode, no echo, 1 byte at a time.
-  stty -echo -icanon time 0 min 1 </dev/console 2>/dev/null || return 1
+  if ! stty -echo -icanon time 0 min 1 <&8 2>&-; then
+
+    exec 8>&-
+    return 1
+
+  fi

  cr=$(printf '\r')
  bs=$(printf '\b')
@@ -50,11 +218,11 @@ ask_pass_console() {
  while :; do

    ### Read exactly one byte from the console.
-    c=$(dd bs=1 count=1 2>/dev/null </dev/console)
+    c=$(dd bs=1 count=1 2>&- <&8)

    if [ -z "${c}" ]; then

-      printf '\n' > /dev/console
+      printf '\n' >&8
      break

    fi
@@ -66,7 +234,7 @@ ask_pass_console() {

      "${cr}")
      ### Enter: finish input.
-        printf '\n' > /dev/console
+        printf '\n' >&8
        break
        ;;

@@ -75,7 +243,7 @@ ask_pass_console() {
        if [ -n "${PASSPHRASE}" ]; then

          PASSPHRASE=${PASSPHRASE%?}
-          printf '\b \b' > /dev/console
+          printf '\b \b' >&8

        fi
        ;;
@@ -83,14 +251,20 @@ ask_pass_console() {
      *)
      ### Normal character: append and mask output.
        PASSPHRASE="${PASSPHRASE}${c}"
-        printf '*' > /dev/console
+        printf '*' >&8
        ;;

    esac

  done

-  [ -n "${SAVED_STTY}" ] && stty "${SAVED_STTY}" </dev/console 2>/dev/null || :
+  if [ -n "${SAVED_STTY}" ]; then
+
+    stty "${SAVED_STTY}" <&8 2>&- || :
+
+  fi
+
+  exec 8>&-

  printf '%s' "${PASSPHRASE}"

@@ -121,12 +295,16 @@ export CDLB_MAPPER_NAME="crypt_liveiso"
 export CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
 export CDLB_MNT_MEDIUM="/run/live/medium"
 export CDLB_MNT_ROOTFS="/run/live/rootfs"
+export CDLB_ROOTFS_ATTEST_NAME="filesystem.squashfs.sha512sum.txt"
+export CDLB_ROOTFS_ATTEST_CACHE_DIR="/run/ciss-rootfs-attestation"
+export CDLB_ROOTFS_ATTEST_MANIFEST="${CDLB_ROOTFS_ATTEST_CACHE_DIR}/${CDLB_ROOTFS_ATTEST_NAME}"
+export CDLB_ROOTFS_ATTEST_SIGNATURE="${CDLB_ROOTFS_ATTEST_MANIFEST}.sig"
 export CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}"
 _PARAMETER=""
 _dev=""

 ### Read the kernel cmdline once. ----------------------------------------------------------------------------------------------
-CMDLINE="$(cat /proc/cmdline 2>/dev/null || printf '')"
+CMDLINE="$(cat /proc/cmdline 2>&- || printf '')"

 for _PARAMETER in ${CMDLINE}; do

@@ -149,8 +327,8 @@ if ! mountpoint -q "${CDLB_MNT_MEDIUM}"; then

  if [ -n "${CDLB_ISO_LABEL}" ] && [ -e "/dev/disk/by-label/${CDLB_ISO_LABEL}" ]; then

-    mount -r -t iso9660 "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>/dev/null \
-      || mount -r -t udf "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>/dev/null \
+    mount -r -t iso9660 "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>&- \
+      || mount -r -t udf "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>&- \
      || log "could not mount label=${CDLB_ISO_LABEL} (iso9660/udf)"

  fi
@@ -166,13 +344,13 @@ if ! mountpoint -q "${CDLB_MNT_MEDIUM}"; then
    [ -b "${_dev}" ] || continue

    ### Try ISO9660 first, then UDF; only unmount on failure.
-    if mount -r -t iso9660 "${_dev}" "${CDLB_MNT_MEDIUM}" 2>/dev/null || mount -r -t udf   "${_dev}" "${CDLB_MNT_MEDIUM}" 2>/dev/null; then
+    if mount -r -t iso9660 "${_dev}" "${CDLB_MNT_MEDIUM}" 2>&- || mount -r -t udf   "${_dev}" "${CDLB_MNT_MEDIUM}" 2>&-; then

-      mountpoint -q "${CDLB_MNT_MEDIUM}" 2>/dev/null && break
+      mountpoint -q "${CDLB_MNT_MEDIUM}" 2>&- && break

    else

-      umount "${CDLB_MNT_MEDIUM}" 2>/dev/null || true
+      umount "${CDLB_MNT_MEDIUM}" 2>&- || true

    fi

@@ -203,6 +381,66 @@ fi

 printf "\e[92m[INFO] CISS LUKS FS         : [%s%s] \n\e[0m" "${CDLB_MNT_MEDIUM}" "${CDLB_LUKS_FS}"

+### Preserve rootfs attestation evidence before live-boot may replace or unmount the medium view. -----------------------------
+CDLB_ROOTFS_ATTEST_SOURCE="${CDLB_MNT_MEDIUM}/live/${CDLB_ROOTFS_ATTEST_NAME}"
+CDLB_ROOTFS_ATTEST_SOURCE_SIG="${CDLB_ROOTFS_ATTEST_SOURCE}.sig"
+
+if [ ! -f "${CDLB_ROOTFS_ATTEST_SOURCE}" ] || [ ! -f "${CDLB_ROOTFS_ATTEST_SOURCE_SIG}" ]; then
+
+  printf "\e[91m[FATAL] Boot failure        : Rootfs attestation artifacts not found on live medium: [%s] [%s] \n\e[0m" \
+    "${CDLB_ROOTFS_ATTEST_SOURCE}" "${CDLB_ROOTFS_ATTEST_SOURCE_SIG}"
+  sleep 8
+  log   "[FATAL] Boot failure        : Rootfs attestation artifacts not found on live medium: [${CDLB_ROOTFS_ATTEST_SOURCE}] [${CDLB_ROOTFS_ATTEST_SOURCE_SIG}]"
+  panic "[FATAL] Boot failure        : Rootfs attestation artifacts not found on live medium: [${CDLB_ROOTFS_ATTEST_SOURCE}] [${CDLB_ROOTFS_ATTEST_SOURCE_SIG}]"
+
+fi
+
+if ! mkdir -p "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"; then
+
+  printf "\e[91m[FATAL] Boot failure        : Failed to create rootfs attestation cache directory: [%s] \n\e[0m" \
+    "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"
+  sleep 8
+  log   "[FATAL] Boot failure        : Failed to create rootfs attestation cache directory: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
+  panic "[FATAL] Boot failure        : Failed to create rootfs attestation cache directory: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
+
+fi
+
+if ! chmod 0755 "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"; then
+
+  printf "\e[91m[FATAL] Boot failure        : Failed to permission rootfs attestation cache directory: [%s] \n\e[0m" \
+    "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"
+  sleep 8
+  log   "[FATAL] Boot failure        : Failed to permission rootfs attestation cache directory: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
+  panic "[FATAL] Boot failure        : Failed to permission rootfs attestation cache directory: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
+
+fi
+
+if ! cp "${CDLB_ROOTFS_ATTEST_SOURCE}" "${CDLB_ROOTFS_ATTEST_MANIFEST}" || \
+   ! cp "${CDLB_ROOTFS_ATTEST_SOURCE_SIG}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}"; then
+
+  printf "\e[91m[FATAL] Boot failure        : Failed to preserve rootfs attestation artifacts in: [%s] \n\e[0m" \
+    "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"
+  sleep 8
+  log   "[FATAL] Boot failure        : Failed to preserve rootfs attestation artifacts in: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
+  panic "[FATAL] Boot failure        : Failed to preserve rootfs attestation artifacts in: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
+
+fi
+
+if ! chmod 0444 "${CDLB_ROOTFS_ATTEST_MANIFEST}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}"; then
+
+  printf "\e[91m[FATAL] Boot failure        : Failed to make rootfs attestation cache read-only: [%s] \n\e[0m" \
+    "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"
+  sleep 8
+  log   "[FATAL] Boot failure        : Failed to make rootfs attestation cache read-only: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
+  panic "[FATAL] Boot failure        : Failed to make rootfs attestation cache read-only: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
+
+fi
+
+chmod 0555 "${CDLB_ROOTFS_ATTEST_CACHE_DIR}" 2>&- || true
+
+printf "\e[92m[INFO] Rootfs attestation   : Preserved [%s] and [%s] \n\e[0m" \
+  "${CDLB_ROOTFS_ATTEST_MANIFEST}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}"
+
 ### Attach a loop device read-only to the encrypted file. ----------------------------------------------------------------------
 if ! LOOP="$(losetup -f --show -r "${CDLB_MNT_MEDIUM}${CDLB_LUKS_FS}")"; then

@@ -216,24 +454,24 @@ fi
 printf "\e[92m[INFO] Loop device          : [%s] \n\e[0m" "${LOOP}"

 ### Expose the loop device for unlock-wrapper.sh, dropbear forced-command. -----------------------------------------------------
-mkdir -p /run 2>/dev/null || true
+mkdir -p /run 2>&- || true

-echo "${LOOP}" > /run/ciss-loopdev 2>/dev/null || true
+echo "${LOOP}" > /run/ciss-loopdev 2>&- || true

-chmod 0600 /run/ciss-loopdev 2>/dev/null || true
+chmod 0600 /run/ciss-loopdev 2>&- || true

 printf "\e[92m[INFO] Exposed LOOP         : [/run/ciss-loopdev] -> [%s]\n\e[0m" "${LOOP}"

 ### Prepare fifo for passphrase. -----------------------------------------------------------------------------------------------
-mkdir -p /lib/cryptsetup 2>/dev/null || true
+mkdir -p /lib/cryptsetup 2>&- || true

 if [ -p /lib/cryptsetup/passfifo ]; then

-  rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
+  rm -f /lib/cryptsetup/passfifo 2>&- || true

 fi

-if ! mkfifo /lib/cryptsetup/passfifo 2>/dev/null; then
+if ! mkfifo /lib/cryptsetup/passfifo 2>&-; then

  printf "\e[92m[WARN] Boot failure         : Failed to create [/lib/cryptsetup/passfifo] \n\e[0m"
  sleep 60
@@ -242,7 +480,7 @@ if ! mkfifo /lib/cryptsetup/passfifo 2>/dev/null; then

 fi

-chmod 0600 /lib/cryptsetup/passfifo 2>/dev/null || true
+chmod 0600 /lib/cryptsetup/passfifo 2>&- || true

 ### Background broker: read FIFO, try cryptsetup per line. ---------------------------------------------------------------------
 (
@@ -267,18 +505,29 @@ chmod 0600 /lib/cryptsetup/passfifo 2>/dev/null || true

    [ -n "${PASS}" ] || continue

-    printf "\e[93m[INFO] CISS LUKS decryption : LUKS mapper [%s] trying to unlock via cryptsetup ... \n\e[0m" "${CDLB_MAPPER_DEV}" >/dev/console 2>/dev/null || true
+    console_printf "\e[93m[INFO] CISS LUKS decryption : LUKS mapper [%s] trying to unlock via cryptsetup ... \n\e[0m" "${CDLB_MAPPER_DEV}"

    KEYLEN=${#PASS}

+    if [ -c /dev/console ]; then
+
      printf '%s' "${PASS}" | cryptsetup open --tries 1 \
        --type luks \
        --keyfile-size="${KEYLEN}" \
        --readonly "${LOOP}" "${CDLB_MAPPER_NAME}" --key-file - 2>/dev/console

+    else
+
+      printf '%s' "${PASS}" | cryptsetup open --tries 1 \
+        --type luks \
+        --keyfile-size="${KEYLEN}" \
+        --readonly "${LOOP}" "${CDLB_MAPPER_NAME}" --key-file - 2>&-
+
+    fi
+
    if [ -b "${CDLB_MAPPER_DEV}" ]; then

-      printf "\e[92m[INFO] CISS LUKS decryption : LUKS mapper [%s] successfully opened. \n\e[0m" "${CDLB_MAPPER_DEV}" >/dev/console 2>/dev/null || true
+      console_printf "\e[92m[INFO] CISS LUKS decryption : LUKS mapper [%s] successfully opened. \n\e[0m" "${CDLB_MAPPER_DEV}"
      break

    fi
@@ -305,12 +554,15 @@ PID_BROKER="$!"

    if [ "${PASS_SENT}" -eq 0 ]; then

-      printf '\e[93m[INFO] Enter LUKS passphrase: \n\e[0m' > /dev/console
+      # shellcheck disable=SC2310
+      wait_for_local_unlock_activation || continue
+
+      console_printf '\e[93m[INFO] Enter LUKS passphrase: \n\e[0m'

      # shellcheck disable=SC2310
      PASS="$(ask_pass_console)" || continue

-      printf '%s\n' "${PASS}" >| /lib/cryptsetup/passfifo 2>/dev/null || :
+      printf '%s\n' "${PASS}" >| /lib/cryptsetup/passfifo 2>&- || :

      PASS_SENT=1
      WAIT_LOOP=0
@@ -321,7 +573,7 @@ PID_BROKER="$!"

      if [ "${WAIT_LOOP}" -ge 160 ]; then

-        printf '\e[91m[WARN] Please try again     : \n\e[0m' > /dev/console
+        console_printf '\e[91m[WARN] Please try again     : \n\e[0m'

        PASS_SENT=0
        WAIT_LOOP=0
@@ -365,12 +617,13 @@ if [ ! -b "${CDLB_MAPPER_DEV}" ]; then

  printf "\e[91m[WARN] CISS LUKS decryption : Timeout LUKS mapper [%s] not present after %s seconds. \n\e[0m" "${CDLB_MAPPER_DEV}" "${CDLB_REMOTE_WAIT_SECS}"

-  kill "${PID_PROMPT}" 2>/dev/null || true
-  kill "${PID_BROKER}" 2>/dev/null || true
-  wait "${PID_PROMPT}" 2>/dev/null || true
-  wait "${PID_BROKER}" 2>/dev/null || true
+  kill "${PID_PROMPT}" 2>&- || true
+  kill "${PID_BROKER}" 2>&- || true
+  wait "${PID_PROMPT}" 2>&- || true
+  wait "${PID_BROKER}" 2>&- || true
+  console_clear_line

-  rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
+  rm -f /lib/cryptsetup/passfifo 2>&- || true

  sleep 60

@@ -379,12 +632,13 @@ if [ ! -b "${CDLB_MAPPER_DEV}" ]; then

 fi

-kill "${PID_PROMPT}" 2>/dev/null || true
-kill "${PID_BROKER}" 2>/dev/null || true
-wait "${PID_PROMPT}" 2>/dev/null || true
-wait "${PID_BROKER}" 2>/dev/null || true
+kill "${PID_PROMPT}" 2>&- || true
+kill "${PID_BROKER}" 2>&- || true
+wait "${PID_PROMPT}" 2>&- || true
+wait "${PID_BROKER}" 2>&- || true
+console_clear_line

-rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
+rm -f /lib/cryptsetup/passfifo 2>&- || true

 printf "\e[92m[INFO] CISS LUKS decryption : [%s] is now present.\n\e[0m" "${CDLB_MAPPER_DEV}"

@@ -397,9 +651,13 @@ export CDLB_MAPPER_NAME=${CDLB_MAPPER_NAME}
 export CDLB_MAPPER_DEV=${CDLB_MAPPER_DEV}
 export CDLB_MNT_MEDIUM=${CDLB_MNT_MEDIUM}
 export CDLB_MNT_ROOTFS=${CDLB_MNT_ROOTFS}
+export CDLB_ROOTFS_ATTEST_NAME=${CDLB_ROOTFS_ATTEST_NAME}
+export CDLB_ROOTFS_ATTEST_CACHE_DIR=${CDLB_ROOTFS_ATTEST_CACHE_DIR}
+export CDLB_ROOTFS_ATTEST_MANIFEST=${CDLB_ROOTFS_ATTEST_MANIFEST}
+export CDLB_ROOTFS_ATTEST_SIGNATURE=${CDLB_ROOTFS_ATTEST_SIGNATURE}
 export CDLB_REMOTE_WAIT_SECS=${CDLB_REMOTE_WAIT_SECS}
 EOF
-chmod 0444 /run/ciss-rootdev 2>/dev/null || true
+chmod 0444 /run/ciss-rootdev 2>&- || true

 ### Override '9990-main.sh' behavior to ensure 'Verify_checksums()' functions properly. ----------------------------------------
 if [ ! -e /conf/param.conf ]; then
@@ -409,20 +667,28 @@ if [ ! -e /conf/param.conf ]; then

 fi

-if ! grep -q '^PLAIN_ROOT=' /conf/param.conf 2>/dev/null; then
+if ! grep -q '^PLAIN_ROOT=' /conf/param.conf 2>&-; then

  printf 'PLAIN_ROOT=1\n' >> /conf/param.conf

 fi

-if ! grep -q '^livefs_root=' /conf/param.conf 2>/dev/null; then
+if ! grep -q '^livefs_root=' /conf/param.conf 2>&-; then

  printf 'livefs_root=%s\n' "/run/live/medium" >> /conf/param.conf

 fi

 printf "\e[92m[INFO] CISS LUKS decryption : Final state [/conf/param.conf] \n\e[0m"
-cat /conf/param.conf >/dev/console 2>&1 || :
+if [ -c /dev/console ]; then
+
+  cat /conf/param.conf >/dev/console 2>&1 || :
+
+elif [ -e /proc/1/fd/1 ]; then
+
+  cat /conf/param.conf >/proc/1/fd/1 2>&1 || :
+
+fi

 log "Decrypted root device exposed at [/run/ciss-rootdev] -> [${CDLB_MAPPER_DEV}]"
 printf "\e[92m[INFO] CISS LUKS decryption : Decrypted root device exposed at: [/run/ciss-rootdev] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}"
@@ -14,8 +14,11 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Purpose: Enforce early sysctls before services start.
-# Phase  : premount (executed by live-boot inside the initramfs).
+# Module summary:
+# - Runs during live-boot premount while the system is still inside the initramfs.
+# - Applies early kernel hardening before the real root and regular services are active.
+# - Restricts ptrace, unprivileged BPF, core dumps, kexec, unsafe link handling, regular-file protections, and kernel pointer
+#   exposure where supported.

 _SAVED_SET_OPTS="$(set +o)"

--- a/Show More
+++ b/Show More
Author	SHA256	Message	Date
msw	a8454eeadf	V9.14.028.2026.06.18 🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Has been cancelled Details 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details 💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled Details 🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-18 10:49:41 +01:00
msw	f31ac3503f	V9.14.026.2026.06.17 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-18 06:46:41 +01:00
msw	0f28dad6c2	V9.14.026.2026.06.17 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-17 21:55:52 +01:00
msw	784c088c0e	V9.14.026.2026.06.17 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-17 18:44:12 +01:00
msw	1d130a7027	V9.14.026.2026.06.17 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-17 17:14:45 +01:00
msw	7fb6ca2cd2	V9.14.026.2026.06.17 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-17 16:31:47 +01:00
msw	009f92aea1	V9.14.026.2026.06.17 🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Has been cancelled Details 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details 💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled Details 🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-17 15:49:17 +01:00
msw	e11b6285ca	V9.14.026.2026.06.12 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-12 06:26:46 +01:00
msw	b59bca727e	V9.14.026.2026.06.12 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-12 05:30:51 +01:00
msw	7bb871e3f7	V9.14.026.2026.06.12 Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-12 05:24:03 +01:00
msw	4633ff5ea7	V9.14.026.2026.06.12 🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Has been cancelled Details 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details 💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled Details 🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-12 04:52:18 +01:00
msw	bd5c7729a2	V9.14.024.2026.06.11 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-11 21:15:37 +01:00
msw	666111df0e	V9.14.024.2026.06.11 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-11 20:39:50 +01:00
msw	5cc2110ecb	V9.14.024.2026.06.11 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-11 20:14:31 +01:00
msw	f6ca83fb26	V9.14.024.2026.06.11 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-11 18:54:19 +01:00
msw	ab827e9c05	V9.14.024.2026.06.11 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-11 18:13:13 +01:00
msw	b81b9bf836	V9.14.024.2026.06.11 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-11 17:29:59 +01:00
msw	487d2b3ba8	V9.14.024.2026.06.11 🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Has been cancelled Details 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details 💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled Details 🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-11 17:12:23 +01:00
msw	97596fbcba	V9.14.024.2026.06.11 Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-11 17:11:22 +01:00
msw	9ef535554a	V9.14.022.2026.06.10 🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Has been cancelled Details 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details 💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled Details 🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-10 18:57:46 +01:00
msw	800cd175fc	V9.14.022.2026.06.10 Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-10 17:57:31 +01:00
msw	ae87d7ac54	V9.14.020.2026.06.08 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-09 18:11:15 +01:00
msw	0b1bfe2978	V9.14.020.2026.06.08 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-09 18:07:45 +01:00
msw	314c1178c3	V9.14.020.2026.06.08 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-09 18:04:02 +01:00
msw	9179031a80	V9.14.020.2026.06.08 🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Has been cancelled Details 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details 💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled Details 🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-09 16:41:50 +01:00
msw	7956e5861d	V9.14.018.2026.06.07 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-07 20:02:23 +01:00
msw	8c37efcff6	V9.14.018.2026.06.07 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-07 19:58:06 +01:00
msw	a53d52bf38	V9.14.018.2026.06.07 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-07 17:06:05 +01:00
msw	250f1700cf	V9.14.018.2026.06.07 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-07 15:43:24 +01:00
msw	574411d9b0	V9.14.018.2026.06.07 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-07 15:23:19 +01:00
msw	a469dbf595	V9.14.018.2026.06.07 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-07 11:44:48 +01:00
msw	a37a16d86e	V9.14.018.2026.06.07 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-07 11:42:19 +01:00
msw	421589285f	V9.14.018.2026.06.07 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-07 10:59:37 +01:00
msw	0a091fb9a6	V9.14.018.2026.06.07 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-07 10:54:44 +01:00
msw	3fc5003676	V9.14.018.2026.06.07 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-07 09:11:26 +01:00
msw	9cdcc0a9ec	V9.14.018.2026.06.07 🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Has been cancelled Details 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details 💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled Details 🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-07 07:24:22 +01:00
msw	8b6731f1be	V9.14.016.2026.06.06 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-06 18:37:43 +01:00
msw	fa1a31ef64	V9.14.016.2026.06.06 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-06 15:40:02 +01:00
msw	e42fdff89b	V9.14.016.2026.06.06 🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Has been cancelled Details 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details 💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled Details 🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-06 14:39:12 +01:00
msw	83f6f8488c	V9.14.008.2026.06.04 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-04 20:14:02 +01:00
msw	ec3aca7fc8	V9.14.008.2026.06.04 🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Has been cancelled Details 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details 💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled Details 🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-04 18:19:09 +01:00