V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

docs/graphviz/ciss.debian.installer.bootflow.dot

@@ -0,0 +1,37 @@
+// SPDX-Version: 3.0
+// SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+// SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+// SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+// SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+// SPDX-FileType: SOURCE
+// SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+// SPDX-Comment: This file is part of the CISS.debian.installer.secure framework.
+// SPDX-PackageName: CISS.debian.installer
+// SPDX-Security-Contact: security@coresecret.eu
+
+digraph CISS_debian_installer_bootflow {
+  rankdir=LR;
+  node [shape=box, style=filled, fillcolor=lightgray, fontname="Helvetica"];
+
+  Initramfs [label="initramfs boot", fillcolor=lightblue];
+  Crypttab [label="/etc/crypttab", fillcolor=lightblue];
+  CryptrootScript [label="local-top/cryptroot", fillcolor=lightblue];
+  Cryptsetup [label="cryptsetup luksOpen", fillcolor=orange];
+  Keyscript [label="keyscript (e.g. nuke_aware.sh)", fillcolor=yellow];
+  Askpass [label="askpass (console/GUI/Dropbear)", fillcolor=white];
+  NukeCheck [label="if password matches NUKE_HASH → nuke()", fillcolor=red, fontcolor=white];
+  PASSPHRASEOut [label="printf '%s' \"$PASSPHRASE\" + exit 0", fillcolor=green];
+  Decryption [label="LUKS device unlocked", fillcolor=darkgreen, fontcolor=white];
+  RootFS [label="mount /dev/mapper/cryptroot → /", fillcolor=lightblue];
+
+  Initramfs -> Crypttab;
+  Crypttab -> CryptrootScript;
+  CryptrootScript -> Cryptsetup;
+  Cryptsetup -> Keyscript;
+  Keyscript -> Askpass;
+  Askpass -> NukeCheck;
+  NukeCheck -> PASSPHRASEOut [label="if no match"];
+  PASSPHRASEOut -> Cryptsetup [label="stdin"];
+  Cryptsetup -> Decryption;
+  Decryption -> RootFS;
+}