msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.432.2025.11.18
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m5s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-11-18 13:46:46 +00:00
parent b19f356304
commit 163887e0f4
1 changed files with 63 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

92
docs/MAN_CISS_ISO_BOOT_CHAIN.md
View File

@@ -42,39 +42,73 @@ include_toc: true
```mermaid ```mermaid
sequenceDiagram sequenceDiagram
autonumber autonumber
participant FW as UEFI/BIOS
participant GRUB as GRUB
participant K as Kernel
participant I as initramfs + live-boot
participant D as Dropbear (optional)
participant C30 as CISS 0030 (early verify)
participant C22 as CISS 0024 (unlock)
participant LUKS as LUKS2 + dm-integrity
participant RS as RootFS (SquashFS/Overlay)
participant C42 as CISS 0042 (late attestation)
FW->>GRUB: Load kernel + initramfs box lightgrey Trusted Manufacturer
GRUB->>K: Boot kernel participant 0000 as Power On
K->>I: Pivot to initramfs (live-boot phases) participant 0010 as POST
I->>D: (optional) Start Dropbear (remote unlock) participant 0020 as UEFI Initialisation
I->>C30: Run 0030: Verify ISO edge (gpgv, FPR pin)
alt 0030 OK
C30-->>I: Verified
else 0030 FAIL
C30-x I: Abort boot
end end
I->>C24: Run 0024: LUKS open (dm-crypt + integrity), mount SquashFS box lightblue Trusted Secure Boot
C24->>LUKS: Unlock (Argon2id PBKDF → XTS + HMAC) participant 0030 as Secure Boot Initialisation
participant 0040 as bootx64.efi
I->>RS: Assemble overlay, switch_root participant 0050 as grubx64.efi
I->>C42: Run 0042: Verify root FS (gpgv, FPR pin) + dmsetup health
alt 0042 OK
C42-->>I: Verified
else 0045 FAIL
C42-x I: Abort boot
end end
box lightgreen Trusted CISS.debian.live.builder
participant 0060 as initrd.img
participant 0070 as Kernel Entry Point
participant 0080 as Kernel Decompress
participant 0090 as /init
participant 0100 as Dropbear Remote Unlock
participant 0110 as live-boot mounts ISO FS
participant 0122 as 0022-ciss
participant 0124 as 0024-ciss
participant LUKS as LUKS2 & dm-integrity
participant ROOT as RootFS (SquashFS/Overlay)
participant 0126 as 0026-ciss
participant 0130 as 0030-ciss
participant 0142 as 0042-ciss
participant 9000 as switch_root
participant 9010 as /sbin/init
participant 9020 as Target Units
participant 9030 as Login
end
0000->>0010: CPU reset 0xFFFFFFF0, POST
0010->>0020: UEFI DXE Phase enumerates devices
0020->>0030: Secure Boot (if enabled): db, dbx, KEK, PK loaded from NVRAM
0030->>0040: Loading \EFI\BOOT\BOOTX64.EFI
0040->>0050: Loading \EFI\BOOT\GRUBX64.EFI
0050->>0060: Loading initrd.img
0060->>0070: Transfer Controle to Kernel Entry Point
0070->>0080: Decompress Kernel
0080->>0090: /init Phase
0090->>0100: Starting CISS.hardened dropbear
0100->>9000: Living CISS.hardened dropbear
0100->>0110: Executing live-boot, mounting ISO FS
0110->>0122: Executing 0022-ciss: Hardening tmpfs for OverlayFS upper/work
0122->>0124: Executing 0024-ciss: LUKS open (dm-crypt & integrity)
0124->>LUKS: Unlocking [Argon2id PBKDF → XTS + HMAC-SHA512]
LUKS->>ROOT: Assemble RootFS OverlayFS
ROOT->>0126: Executing 0026-ciss: Hardening early sysctls
0126->>0130: Executing 0030-ciss: Verify ISO edge (gpgv, FPR pin)
alt 0130 SUCCESSFUL
0130->>0060: Verified authenticity and integrity of ISO edge
else 0130 FAIL
0130-x 0060: CISS boot process stopped
end
0130->>0142: Executing 0042-ciss: RootFS attestation, dmsetup health checking
alt 0142 SUCCESSFUL
0142->>0060: Verified confidentiality, authenticity and integrity of opened LUKS2 RootFS
else 0142 FAIL
0142-x 0060: CISS boot process stopped
end
0142->>9000: Switching root
9000->>9010: Starting /sbin/init -> systemd
9010->>9020: Starting Target Units
9020->>9030: Waiting for Login
``` ```
# 6. LUKS/dm-integrity Layering # 6. LUKS/dm-integrity Layering