V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

docs/graphviz/ciss.debian.installer.secure.boot.dot

@@ -0,0 +1,30 @@
+digraph boot_chain {
+  rankdir=LR;
+  node [shape=box style=filled fillcolor="#e3f2fd"];
+
+  UEFI [label="UEFI Firmware\n(SECURE BOOT)", fillcolor="#90caf9"];
+  GRUB [label="grubx64.efi\n(Secure Boot-signed)", fillcolor="#64b5f6"];
+  DecryptBoot [label="GRUB decrypts\n/boot (LUKS2)", fillcolor="#4fc3f7"];
+  GRUBCFG [label="Load grub.cfg\n(from decrypted /boot)"];
+  Kernel [label="Load Kernel:\n/boot/vmlinuz-<ver>"];
+  Initrd [label="Load Initrd:\n/boot/initrd.img-<ver>"];
+  Initramfs [label="initramfs:\nUnlock Root (/)", fillcolor="#81d4fa"];
+  PivotRoot [label="pivot_root/switch_root", fillcolor="#80cbc4"];
+  Systemd [label="systemd (PID 1)", fillcolor="#a5d6a7"];
+  MountRest [label="Decrypt + Mount:\n/home, /usr, /var, etc."];
+  Ephemeral [label="Create ephemeral\nswap & /tmp", fillcolor="#ffe082"];
+  Login [label="User login"];
+
+  UEFI -> GRUB [label="Launch EFI bootloader"];
+  GRUB -> DecryptBoot [label="Prompt for /boot passphrase"];
+  DecryptBoot -> GRUBCFG [label="Parse GRUB config"];
+  GRUBCFG -> Kernel;
+  GRUBCFG -> Initrd;
+  Kernel -> Initramfs [label="initrd is unpacked\nand executed"];
+  Initramfs -> PivotRoot [label="Root unlocked\n(mount /)"];
+  PivotRoot -> Systemd;
+  Systemd -> MountRest;
+  Systemd -> Ephemeral;
+  MountRest -> Login;
+  Ephemeral -> Login;
+}