diff --git a/docs/MAN_CISS_ISO_BOOT_CHAIN.md b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
index a78ddba..573cb4d 100644
--- a/docs/MAN_CISS_ISO_BOOT_CHAIN.md
+++ b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
@@ -48,10 +48,10 @@ participant K as Kernel
participant I as initramfs + live-boot
participant D as Dropbear (optional)
participant C30 as CISS 0030 (early verify)
-participant C25 as CISS 0025 (unlock)
+participant C22 as CISS 0024 (unlock)
participant LUKS as LUKS2 + dm-integrity
participant RS as RootFS (SquashFS/Overlay)
-participant C45 as CISS 0045 (late verify)
+participant C42 as CISS 0042 (late attestation)
FW->>GRUB: Load kernel + initramfs
@@ -68,24 +68,24 @@ C30-x I: Abort boot
end
-I->>C25: Run 0025: LUKS open (dm-crypt + integrity), mount SquashFS
-C25->>LUKS: Unlock (Argon2id PBKDF → XTS + HMAC)
+I->>C24: Run 0024: LUKS open (dm-crypt + integrity), mount SquashFS
+C24->>LUKS: Unlock (Argon2id PBKDF → XTS + HMAC)
I->>RS: Assemble overlay, switch_root
-I->>C45: Run 0045: Verify root FS (gpgv, FPR pin) + dmsetup health
-alt 0045 OK
-C45-->>I: Verified
+I->>C42: Run 0042: Verify root FS (gpgv, FPR pin) + dmsetup health
+alt 0042 OK
+C42-->>I: Verified
else 0045 FAIL
-C45-x I: Abort boot
+C42-x I: Abort boot
end
```
# 6. LUKS/dm-integrity Layering
```mermaid
graph TD
-A[Plain device (rootfs.crypt)] --> B[dm-integrity
HMAC-SHA-512, 4 KiB]
-B --> C[dm-crypt
AES-XTS-512]
+A[Plain device (rootfs.crypt)] --> B[dm-integrity\nHMAC-SHA-512, 4 KiB]
+B --> C[dm-crypt\nAES-XTS-512]
C --> D[Mapped device /dev/mapper/crypt_liveiso]
D --> E[SquashFS mount /run/live/rootfs]
```
@@ -189,13 +189,13 @@ dmsetup table --showkeys CHILD # expect integrity hmac sha512 4096
# 13. Diagram: Trust Chain & Verification Paths
```mermaid
-flowchart TD
-A[Build time
pin EXP_FPR + embed ISO key] --> B[ISO artifacts
sha512sum.txt + .sig]
-B --> C[Boot early (0030)
gpgv verify + FPR pin]
+graph TD
+A[Build time\npin EXP_FPR + embed ISO key] --> B[ISO artifacts\nsha512sum.txt + .sig]
+B --> C[Boot early (0030)\ngpgv verify + FPR pin]
C -->|OK| D[LUKS open (0025)]
D --> E[Mount RootFS]
-E --> F[Boot late (0045)
gpgv verify + FPR pin (root key)]
-F --> G[dmsetup health
crypt(XTS) over integrity(HMAC-SHA-512)]
+E --> F[Boot late (0045)\ngpgv verify + FPR pin (root key)]
+F --> G[dmsetup health\ncrypt(XTS) over integrity(HMAC-SHA-512)]
C -- FAIL --> X[Abort]
F -- FAIL --> X
G -- FAIL --> X