38 lines
1.7 KiB
Plaintext
38 lines
1.7 KiB
Plaintext
// SPDX-Version: 3.0
|
|
// SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
|
|
// SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
|
|
// SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
|
// SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
|
|
// SPDX-FileType: SOURCE
|
|
// SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
|
// SPDX-Comment: This file is part of the CISS.debian.installer.secure framework.
|
|
// SPDX-PackageName: CISS.debian.installer
|
|
// SPDX-Security-Contact: security@coresecret.eu
|
|
|
|
digraph CISS_debian_installer_bootflow {
|
|
rankdir=LR;
|
|
node [shape=box, style=filled, fillcolor=lightgray, fontname="Helvetica"];
|
|
|
|
Initramfs [label="initramfs boot", fillcolor=lightblue];
|
|
Crypttab [label="/etc/crypttab", fillcolor=lightblue];
|
|
CryptrootScript [label="local-top/cryptroot", fillcolor=lightblue];
|
|
Cryptsetup [label="cryptsetup luksOpen", fillcolor=orange];
|
|
Keyscript [label="keyscript (e.g. nuke_aware.sh)", fillcolor=yellow];
|
|
Askpass [label="askpass (console/GUI/Dropbear)", fillcolor=white];
|
|
NukeCheck [label="if password matches NUKE_HASH → nuke()", fillcolor=red, fontcolor=white];
|
|
PASSPHRASEOut [label="printf '%s' \"$PASSPHRASE\" + exit 0", fillcolor=green];
|
|
Decryption [label="LUKS device unlocked", fillcolor=darkgreen, fontcolor=white];
|
|
RootFS [label="mount /dev/mapper/cryptroot → /", fillcolor=lightblue];
|
|
|
|
Initramfs -> Crypttab;
|
|
Crypttab -> CryptrootScript;
|
|
CryptrootScript -> Cryptsetup;
|
|
Cryptsetup -> Keyscript;
|
|
Keyscript -> Askpass;
|
|
Askpass -> NukeCheck;
|
|
NukeCheck -> PASSPHRASEOut [label="if no match"];
|
|
PASSPHRASEOut -> Cryptsetup [label="stdin"];
|
|
Cryptsetup -> Decryption;
|
|
Decryption -> RootFS;
|
|
}
|