V8.13.432.2025.11.18
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m5s

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-18 13:46:46 +00:00
parent b19f356304
commit 163887e0f4


@@ -42,39 +42,73 @@ include_toc: true
```mermaid
sequenceDiagram
autonumber
participant FW as UEFI/BIOS
participant GRUB as GRUB
participant K as Kernel
participant I as initramfs + live-boot
participant D as Dropbear (optional)
participant C30 as CISS 0030 (early verify)
participant C22 as CISS 0024 (unlock)
participant LUKS as LUKS2 + dm-integrity
participant RS as RootFS (SquashFS/Overlay)
participant C42 as CISS 0042 (late attestation)
FW->>GRUB: Load kernel + initramfs
GRUB->>K: Boot kernel
K->>I: Pivot to initramfs (live-boot phases)
I->>D: (optional) Start Dropbear (remote unlock)
I->>C30: Run 0030: Verify ISO edge (gpgv, FPR pin)
alt 0030 OK
C30-->>I: Verified
else 0030 FAIL
C30-x I: Abort boot
box lightgrey Trusted Manufacturer
participant 0000 as Power On
participant 0010 as POST
participant 0020 as UEFI Initialisation
end
I->>C24: Run 0024: LUKS open (dm-crypt + integrity), mount SquashFS
C24->>LUKS: Unlock (Argon2id PBKDF → XTS + HMAC)
I->>RS: Assemble overlay, switch_root
I->>C42: Run 0042: Verify root FS (gpgv, FPR pin) + dmsetup health
alt 0042 OK
C42-->>I: Verified
else 0045 FAIL
C42-x I: Abort boot
box lightblue Trusted Secure Boot
participant 0030 as Secure Boot Initialisation
participant 0040 as bootx64.efi
participant 0050 as grubx64.efi
end
box lightgreen Trusted CISS.debian.live.builder
participant 0060 as initrd.img
participant 0070 as Kernel Entry Point
participant 0080 as Kernel Decompress
participant 0090 as /init
participant 0100 as Dropbear Remote Unlock
participant 0110 as live-boot mounts ISO FS
participant 0122 as 0022-ciss
participant 0124 as 0024-ciss
participant LUKS as LUKS2 & dm-integrity
participant ROOT as RootFS (SquashFS/Overlay)
participant 0126 as 0026-ciss
participant 0130 as 0030-ciss
participant 0142 as 0042-ciss
participant 9000 as switch_root
participant 9010 as /sbin/init
participant 9020 as Target Units
participant 9030 as Login
end
0000->>0010: CPU reset 0xFFFFFFF0, POST
0010->>0020: UEFI DXE Phase enumerates devices
0020->>0030: Secure Boot (if enabled): db, dbx, KEK, PK loaded from NVRAM
0030->>0040: Loading \EFI\BOOT\BOOTX64.EFI
0040->>0050: Loading \EFI\BOOT\GRUBX64.EFI
0050->>0060: Loading initrd.img
0060->>0070: Transfer Controle to Kernel Entry Point
0070->>0080: Decompress Kernel
0080->>0090: /init Phase
0090->>0100: Starting CISS.hardened dropbear
0100->>9000: Living CISS.hardened dropbear
0100->>0110: Executing live-boot, mounting ISO FS
0110->>0122: Executing 0022-ciss: Hardening tmpfs for OverlayFS upper/work
0122->>0124: Executing 0024-ciss: LUKS open (dm-crypt & integrity)
0124->>LUKS: Unlocking [Argon2id PBKDF → XTS + HMAC-SHA512]
LUKS->>ROOT: Assemble RootFS OverlayFS
ROOT->>0126: Executing 0026-ciss: Hardening early sysctls
0126->>0130: Executing 0030-ciss: Verify ISO edge (gpgv, FPR pin)
alt 0130 SUCCESSFUL
0130->>0060: Verified authenticity and integrity of ISO edge
else 0130 FAIL
0130-x 0060: CISS boot process stopped
end
0130->>0142: Executing 0042-ciss: RootFS attestation, dmsetup health checking
alt 0142 SUCCESSFUL
0142->>0060: Verified confidentiality, authenticity and integrity of opened LUKS2 RootFS
else 0142 FAIL
0142-x 0060: CISS boot process stopped
end
0142->>9000: Switching root
9000->>9010: Starting /sbin/init -> systemd
9010->>9020: Starting Target Units
9020->>9030: Waiting for Login
```
# 6. LUKS/dm-integrity Layering
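
Review bot: In the two new `alt` blocks, the follow-on arrows `0130->>0142: Executing 0042-ciss: ...` and `0142->>9000: Switching root` sit after `end`, so the rendered diagram reads as if the boot continues to 0042-ciss and `switch_root` even when the FAIL branch has just shown "CISS boot process stopped". Move each follow-on arrow into its SUCCESSFUL branch, or nest the second `alt` inside the first, so the fail-closed behaviour is visible in the diagram itself. The same concern applies to `0100->>9000: Living CISS.hardened dropbear`, which draws an edge from Dropbear straight to `switch_root` ahead of 0030-ciss and 0042-ciss; if this is meant to show the Dropbear session ending at `switch_root`, place it next to `0142->>9000` and word it as "Leaving". The new sequence also runs 0030-ciss (gpgv verification of the ISO edge) only after `0124->>LUKS: Unlocking`, whereas the replaced diagram verified before unlocking; if that order is intentional, a sentence in the surrounding text should say why the passphrase may be entered before the ISO is authenticated. Minor: "Transfer Controle" should be "Transfer Control", and the box title "Trusted Secure Boot" does not match the "(if enabled)" qualifier on `0020->>0030`.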