msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.408.2025.11.13
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m26s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-11-13 06:59:51 +01:00
parent a6d005e066
commit 4826801aff
1 changed files with 15 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
docs/MAN_CISS_ISO_BOOT_CHAIN.md
View File

@@ -48,10 +48,10 @@ participant K as Kernel
participant I as initramfs + live-boot
participant D as Dropbear (optional)
participant C30 as CISS 0030 (early verify)
participant C25 as CISS 0025 (unlock)
participant C22 as CISS 0024 (unlock)
participant LUKS as LUKS2 + dm-integrity
participant RS as RootFS (SquashFS/Overlay)
participant C45 as CISS 0045 (late verify)
participant C42 as CISS 0042 (late attestation)
FW->>GRUB: Load kernel + initramfs
@@ -68,24 +68,24 @@ C30-x I: Abort boot
end
I->>C25: Run 0025: LUKS open (dm-crypt + integrity), mount SquashFS
C25->>LUKS: Unlock (Argon2id PBKDF → XTS + HMAC)
I->>C24: Run 0024: LUKS open (dm-crypt + integrity), mount SquashFS
C24->>LUKS: Unlock (Argon2id PBKDF → XTS + HMAC)
I->>RS: Assemble overlay, switch_root
I->>C45: Run 0045: Verify root FS (gpgv, FPR pin) + dmsetup health
alt 0045 OK
C45-->>I: Verified
I->>C42: Run 0042: Verify root FS (gpgv, FPR pin) + dmsetup health
alt 0042 OK
C42-->>I: Verified
else 0045 FAIL
C45-x I: Abort boot
C42-x I: Abort boot
end
```
# 6. LUKS/dm-integrity Layering
```mermaid
graph TD
A[Plain device (rootfs.crypt)] --> B[dm-integrity<br/>HMAC-SHA-512, 4 KiB]
B --> C[dm-crypt<br/>AES-XTS-512]
A[Plain device (rootfs.crypt)] --> B[dm-integrity\nHMAC-SHA-512, 4 KiB]
B --> C[dm-crypt\nAES-XTS-512]
C --> D[Mapped device /dev/mapper/crypt_liveiso]
D --> E[SquashFS mount /run/live/rootfs]
```
@@ -189,13 +189,13 @@ dmsetup table --showkeys CHILD # expect integrity hmac sha512 4096
# 13. Diagram: Trust Chain & Verification Paths
```mermaid
flowchart TD
A[Build time<br/>pin EXP_FPR + embed ISO key] --> B[ISO artifacts<br/>sha512sum.txt + .sig]
B --> C[Boot early (0030)<br/>gpgv verify + FPR pin]
graph TD
A[Build time\npin EXP_FPR + embed ISO key] --> B[ISO artifacts\nsha512sum.txt + .sig]
B --> C[Boot early (0030)\ngpgv verify + FPR pin]
C -->|OK| D[LUKS open (0025)]
D --> E[Mount RootFS]
E --> F[Boot late (0045)<br/>gpgv verify + FPR pin (root key)]
F --> G[dmsetup health<br/>crypt(XTS) over integrity(HMAC-SHA-512)]
E --> F[Boot late (0045)\ngpgv verify + FPR pin (root key)]
F --> G[dmsetup health\ncrypt(XTS) over integrity(HMAC-SHA-512)]
C -- FAIL --> X[Abort]
F -- FAIL --> X
G -- FAIL --> X