V8.13.408.2025.11.13
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m26s

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-13 06:59:51 +01:00
parent a6d005e066
commit 4826801aff


@@ -48,10 +48,10 @@ participant K as Kernel
participant I as initramfs + live-boot participant I as initramfs + live-boot
participant D as Dropbear (optional) participant D as Dropbear (optional)
participant C30 as CISS 0030 (early verify) participant C30 as CISS 0030 (early verify)
participant C25 as CISS 0025 (unlock) participant C22 as CISS 0024 (unlock)
participant LUKS as LUKS2 + dm-integrity participant LUKS as LUKS2 + dm-integrity
participant RS as RootFS (SquashFS/Overlay) participant RS as RootFS (SquashFS/Overlay)
participant C45 as CISS 0045 (late verify) participant C42 as CISS 0042 (late attestation)
FW->>GRUB: Load kernel + initramfs FW->>GRUB: Load kernel + initramfs
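Review bot: The new unlock participant is declared with the alias `C22` (`participant C22 as CISS 0024 (unlock)`), but the messages in the following hunk address it as `C24` (`I->>C24`, `C24->>LUKS`). Mermaid creates participants implicitly on first mention, so the diagram would show an unused "CISS 0024 (unlock)" lane plus a separate bare `C24` lane. Change the alias to `C24`. The commit message is only a version string, so the renumbering of the hooks (0025 to 0024, 0045 to 0042) and the relabel from "late verify" to "late attestation" should also be stated there or in the changelog.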
@@ -68,24 +68,24 @@ C30-x I: Abort boot
end end
I->>C25: Run 0025: LUKS open (dm-crypt + integrity), mount SquashFS I->>C24: Run 0024: LUKS open (dm-crypt + integrity), mount SquashFS
C25->>LUKS: Unlock (Argon2id PBKDF → XTS + HMAC) C24->>LUKS: Unlock (Argon2id PBKDF → XTS + HMAC)
I->>RS: Assemble overlay, switch_root I->>RS: Assemble overlay, switch_root
I->>C45: Run 0045: Verify root FS (gpgv, FPR pin) + dmsetup health I->>C42: Run 0042: Verify root FS (gpgv, FPR pin) + dmsetup health
alt 0045 OK alt 0042 OK
C45-->>I: Verified C42-->>I: Verified
else 0045 FAIL else 0045 FAIL
C45-x I: Abort boot C42-x I: Abort boot
end end
``` ```
# 6. LUKS/dm-integrity Layering # 6. LUKS/dm-integrity Layering
```mermaid ```mermaid
graph TD graph TD
A[Plain device (rootfs.crypt)] --> B[dm-integrity<br/>HMAC-SHA-512, 4 KiB] A[Plain device (rootfs.crypt)] --> B[dm-integrity\nHMAC-SHA-512, 4 KiB]
B --> C[dm-crypt<br/>AES-XTS-512] B --> C[dm-crypt\nAES-XTS-512]
C --> D[Mapped device /dev/mapper/crypt_liveiso] C --> D[Mapped device /dev/mapper/crypt_liveiso]
D --> E[SquashFS mount /run/live/rootfs] D --> E[SquashFS mount /run/live/rootfs]
``` ```
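Review bot: The `else 0045 FAIL` branch is identical on both sides, while its matching `alt` line becomes `alt 0042 OK` and the participant becomes `C42`; rename it to `else 0042 FAIL` so the failure path of the late check carries the same hook number as the success path. In the section 6 diagram, the labels switch from `<br/>` to `\n` for the line break: confirm in the renderer that serves this file that `\n` still produces a two-line node label rather than literal text, since the HMAC-SHA-512 / 4 KiB and AES-XTS-512 parameters are the part a reader checks against `dmsetup table`.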
@@ -189,13 +189,13 @@ dmsetup table --showkeys CHILD # expect integrity hmac sha512 4096
# 13. Diagram: Trust Chain & Verification Paths # 13. Diagram: Trust Chain & Verification Paths
```mermaid ```mermaid
flowchart TD graph TD
A[Build time<br/>pin EXP_FPR + embed ISO key] --> B[ISO artifacts<br/>sha512sum.txt + .sig] A[Build time\npin EXP_FPR + embed ISO key] --> B[ISO artifacts\nsha512sum.txt + .sig]
B --> C[Boot early (0030)<br/>gpgv verify + FPR pin] B --> C[Boot early (0030)\ngpgv verify + FPR pin]
C -->|OK| D[LUKS open (0025)] C -->|OK| D[LUKS open (0025)]
D --> E[Mount RootFS] D --> E[Mount RootFS]
E --> F[Boot late (0045)<br/>gpgv verify + FPR pin (root key)] E --> F[Boot late (0045)\ngpgv verify + FPR pin (root key)]
F --> G[dmsetup health<br/>crypt(XTS) over integrity(HMAC-SHA-512)] F --> G[dmsetup health\ncrypt(XTS) over integrity(HMAC-SHA-512)]
C -- FAIL --> X[Abort] C -- FAIL --> X[Abort]
F -- FAIL --> X F -- FAIL --> X
G -- FAIL --> X G -- FAIL --> X
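Review bot: The trust-chain diagram still reads `LUKS open (0025)` and `Boot late (0045)` on the new side, although the sequence diagram in this same commit renames those hooks to 0024 and 0042. Update both labels here, otherwise the two diagrams in one document disagree about which script performs the unlock and the late gpgv/FPR-pin verification. The switch from `flowchart TD` to `graph TD` together with the `\n` labels looks like a rendering workaround; if so, say which renderer required it in the commit message.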