From 4826801aff6616d1a418644916a69dbb73391f65dca702e1d4facdbf90e8328d Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner" <msw@coresecret.dev>
Date: Thu, 13 Nov 2025 06:59:51 +0100
Subject: [PATCH] V8.13.408.2025.11.13

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
---
 docs/MAN_CISS_ISO_BOOT_CHAIN.md | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/docs/MAN_CISS_ISO_BOOT_CHAIN.md b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
index a78ddba..573cb4d 100644
--- a/docs/MAN_CISS_ISO_BOOT_CHAIN.md
+++ b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
@@ -48,10 +48,10 @@ participant K as Kernel
 participant I as initramfs + live-boot
 participant D as Dropbear (optional)
 participant C30 as CISS 0030 (early verify)
-participant C25 as CISS 0025 (unlock)
+participant C22 as CISS 0024 (unlock)
 participant LUKS as LUKS2 + dm-integrity
 participant RS as RootFS (SquashFS/Overlay)
-participant C45 as CISS 0045 (late verify)
+participant C42 as CISS 0042 (late attestation)
 
 
 FW->>GRUB: Load kernel + initramfs
@@ -68,24 +68,24 @@ C30-x I: Abort boot
 end
 
 
-I->>C25: Run 0025: LUKS open (dm-crypt + integrity), mount SquashFS
-C25->>LUKS: Unlock (Argon2id PBKDF → XTS + HMAC)
+I->>C24: Run 0024: LUKS open (dm-crypt + integrity), mount SquashFS
+C24->>LUKS: Unlock (Argon2id PBKDF → XTS + HMAC)
 
 
 I->>RS: Assemble overlay, switch_root
-I->>C45: Run 0045: Verify root FS (gpgv, FPR pin) + dmsetup health
-alt 0045 OK
-C45-->>I: Verified
+I->>C42: Run 0042: Verify root FS (gpgv, FPR pin) + dmsetup health
+alt 0042 OK
+C42-->>I: Verified
 else 0045 FAIL
-C45-x I: Abort boot
+C42-x I: Abort boot
 end
 ```
 
 # 6. LUKS/dm-integrity Layering
 ```mermaid
 graph TD
-A[Plain device (rootfs.crypt)] --> B[dm-integrity<br/>HMAC-SHA-512, 4 KiB]
-B --> C[dm-crypt<br/>AES-XTS-512]
+A[Plain device (rootfs.crypt)] --> B[dm-integrity\nHMAC-SHA-512, 4 KiB]
+B --> C[dm-crypt\nAES-XTS-512]
 C --> D[Mapped device /dev/mapper/crypt_liveiso]
 D --> E[SquashFS mount /run/live/rootfs]
 ```
@@ -189,13 +189,13 @@ dmsetup table --showkeys CHILD  # expect integrity hmac sha512 4096
 # 13. Diagram: Trust Chain & Verification Paths
 
 ```mermaid
-flowchart TD
-A[Build time<br/>pin EXP_FPR + embed ISO key] --> B[ISO artifacts<br/>sha512sum.txt + .sig]
-B --> C[Boot early (0030)<br/>gpgv verify + FPR pin]
+graph TD
+A[Build time\npin EXP_FPR + embed ISO key] --> B[ISO artifacts\nsha512sum.txt + .sig]
+B --> C[Boot early (0030)\ngpgv verify + FPR pin]
 C -->|OK| D[LUKS open (0025)]
 D --> E[Mount RootFS]
-E --> F[Boot late (0045)<br/>gpgv verify + FPR pin (root key)]
-F --> G[dmsetup health<br/>crypt(XTS) over integrity(HMAC-SHA-512)]
+E --> F[Boot late (0045)\ngpgv verify + FPR pin (root key)]
+F --> G[dmsetup health\ncrypt(XTS) over integrity(HMAC-SHA-512)]
 C -- FAIL --> X[Abort]
 F -- FAIL --> X
 G -- FAIL --> X