// SPDX-Version: 3.0 // SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; // SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git // SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency // SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; // SPDX-FileType: SOURCE // SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 // SPDX-Comment: This file is part of the CISS.debian.installer.secure framework. // SPDX-PackageName: CISS.debian.installer // SPDX-Security-Contact: security@coresecret.eu digraph CISS_debian_installer_bootflow { rankdir=LR; node [shape=box, style=filled, fillcolor=lightgray, fontname="Helvetica"]; Initramfs [label="initramfs boot", fillcolor=lightblue]; Crypttab [label="/etc/crypttab", fillcolor=lightblue]; CryptrootScript [label="local-top/cryptroot", fillcolor=lightblue]; Cryptsetup [label="cryptsetup luksOpen", fillcolor=orange]; Keyscript [label="keyscript (e.g. nuke_aware.sh)", fillcolor=yellow]; Askpass [label="askpass (console/GUI/Dropbear)", fillcolor=white]; NukeCheck [label="if password matches NUKE_HASH → nuke()", fillcolor=red, fontcolor=white]; PASSPHRASEOut [label="printf '%s' \"$PASSPHRASE\" + exit 0", fillcolor=green]; Decryption [label="LUKS device unlocked", fillcolor=darkgreen, fontcolor=white]; RootFS [label="mount /dev/mapper/cryptroot → /", fillcolor=lightblue]; Initramfs -> Crypttab; Crypttab -> CryptrootScript; CryptrootScript -> Cryptsetup; Cryptsetup -> Keyscript; Keyscript -> Askpass; Askpass -> NukeCheck; NukeCheck -> PASSPHRASEOut [label="if no match"]; PASSPHRASEOut -> Cryptsetup [label="stdin"]; Cryptsetup -> Decryption; Decryption -> RootFS; }