V8.13.408.2025.11.13

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-13 06:26:44 +01:00
parent a362db3d78
commit 5f370c2cdb
83 changed files with 1422 additions and 877 deletions
--- a/docs/AUDIT_DNSSEC.md
+++ b/docs/AUDIT_DNSSEC.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>

 # 2. DNSSEC Status

--- a/docs/AUDIT_HAVEGED.md
+++ b/docs/AUDIT_HAVEGED.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>

 # 2. Haveged Audit on Netcup RS 2000 G11

--- a/docs/AUDIT_LYNIS.md
+++ b/docs/AUDIT_LYNIS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>

 # 2. Lynis Audit:

--- a/docs/AUDIT_SSH.md
+++ b/docs/AUDIT_SSH.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>

 # 2. SSH Audit by ssh-audit.com

@@ -18,18 +18,22 @@ include_toc: true

 ````text
 # general
-(gen) banner: SSH-2.0-OpenSSH_9.2p1
-(gen) software: OpenSSH 9.2p1
+(gen) banner: SSH-2.0-OpenSSH_10.0p2
+(gen) software: OpenSSH 10.0p2
 (gen) compatibility: OpenSSH 9.9+, Dropbear SSH 2020.79+
 (gen) compression: disabled

 # key exchange algorithms
+(kex) mlkem768x25519-sha256               -- [info] available since OpenSSH 9.9
+                                          `- [info] hybrid key exchange based on post-quantum resistant algorithm and proven conventional X25519 algorithm
 (kex) sntrup761x25519-sha512@openssh.com  -- [info] available since OpenSSH 8.5
                                          `- [info] default key exchange from OpenSSH 9.0 to 9.8
                                          `- [info] hybrid key exchange based on post-quantum resistant algorithm and proven conventional X25519 algorithm
 (kex) sntrup761x25519-sha512              -- [info] available since OpenSSH 9.9
                                          `- [info] default key exchange since OpenSSH 9.9
                                          `- [info] hybrid key exchange based on post-quantum resistant algorithm and proven conventional X25519 algorithm
+(kex) ext-info-s                          -- [info] available since OpenSSH 9.6
+                                          `- [info] pseudo-algorithm that denotes the peer supports RFC8308 extensions
 (kex) kex-strict-s-v00@openssh.com        -- [info] pseudo-algorithm that denotes the peer supports a stricter key exchange method as a counter-measure to the Terrapin attack (CVE-2023-48795)

 # host-key algorithms
@@ -39,16 +43,10 @@ include_toc: true

 # encryption algorithms (ciphers)
 (enc) aes256-gcm@openssh.com              -- [info] available since OpenSSH 6.2
-(enc) aes256-ctr                          -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52

 # message authentication code algorithms
 (mac) hmac-sha2-512-etm@openssh.com       -- [info] available since OpenSSH 6.2
 (mac) hmac-sha2-256-etm@openssh.com       -- [info] available since OpenSSH 6.2
-
-# algorithm recommendations (for OpenSSH 9.2)
-(rec) +aes128-ctr                         -- enc algorithm to append
-(rec) +aes128-gcm@openssh.com             -- enc algorithm to append
-(rec) +aes192-ctr                         -- enc algorithm to append
 ````

 ---
--- a/docs/AUDIT_TLS.md
+++ b/docs/AUDIT_TLS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>

 # 2. TLS Audit:
 ````text
--- a/docs/BOOTPARAMS.md
+++ b/docs/BOOTPARAMS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>

 # 2. Hardened Kernel Boot Parameters

--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -8,10 +8,33 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>

 # 2. Changelog

+## V8.13.408.2025.11.13
+* **Added**: [0002_hardening_overlay_tmpfs.chroot](../config/hooks/live/0002_hardening_overlay_tmpfs.chroot) + Remount overlay root with ``nosuid,nodev``.
+* **Added**: [0100_ciss_mem_wipe.chroot](../config/hooks/live/0100_ciss_mem_wipe.chroot) + adding Tails-like memory wiping.
+* **Added**: [0022-ciss-overlay-tmpfs.sh](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh) + Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
+* **Added**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash) + Open ``/live/ciss_rootfs.crypt`` (LUKS) and present its SquashFS as ``/run/live/rootfs``.
+* **Added**: [0026-ciss-early-sysctl.sh](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl.sh) + Enforce early sysctls before services start.
+* **Added**: [0042-ciss-post-decrypt-attest](../config/includes.chroot/usr/lib/live/boot/0042-ciss-post-decrypt-attest) + Late rootfs attestation and dmsetup health checking.
+* **Added**: [MAN_CISS_ISO_BOOT_CHAIN.md](MAN_CISS_ISO_BOOT_CHAIN.md)
+* **Added**: [lib_ciss_signatures.sh](../lib/lib_ciss_signatures.sh) + integrated dynamic GPG FPR injection.
+* **Bugfixes**: [0021_dropbear_initramfs.chroot](../config/hooks/live/0021_dropbear_initramfs.chroot) + mv original files to a safe backup location.
+* **Changed**: [9999_zzzz.chroot](../config/hooks/live/9999_zzzz.chroot) + securing ``/.ciss``, removing ``.keep``.
+* **Changed**: [unlock_wrapper.sh](../config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh) + integrated dynamic GPG FPR injection.
+* **Changed**: [9999_ciss_debian_live_builder.sh](../config/includes.chroot/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh) + ``dmsetup``.
+* **Changed**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) + integrated dynamic GPG FPR injection.
+* **Changed**: [lib_arg_parser.sh](../lib/lib_arg_parser.sh) + ``--signing_ca=*``.
+* **Changed**: [lib_check_secrets.sh](../lib/lib_check_secrets.sh) + updated shopt handling.
+* **Changed**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) + integrates and generates sha512sum and GPG signatures on CISS specific LIVE boot artifacts.
+* **Changed**: [lib_gnupg.sh](../lib/lib_gnupg.sh) + integration of optional import of offline GPG CA public keys.
+* **Changed**: [lib_primordial.sh](../lib/lib_primordial.sh) + Updates for CISS and PhysNet primordial-workflow™.
+* **Changed**: [lib_usage.sh](../lib/lib_usage.sh) + ``--signing_ca=*``.
+* **Changed**: [binary_checksums.sh](../scripts/usr/lib/live/build/binary_checksums.sh) + ``! -path './live/filesystem.squashfs'``
+* **Changed**: [9999_cdi_starter.sh](../scripts/usr/local/sbin/9999_cdi_starter.sh) + increased verbosity.
+
 ## V8.13.404.2025.11.10
 * **Added**: [0020_dropbear_build.chroot](../config/hooks/live/0020_dropbear_build.chroot)
 * **Added**: [0021_dropbear_initramfs.chroot](../config/hooks/live/0021_dropbear_initramfs.chroot)
@@ -22,14 +45,14 @@ include_toc: true
 * **Added**: [0000_ciss_fixpath.sh](../config/includes.chroot/etc/initramfs-tools/scripts/init-top/0000_ciss_fixpath.sh)
 * **Added**: [dropbear](../config/includes.chroot/usr/share/initramfs-tools/scripts/init-premount/dropbear)
 * **Added**: [MAN_SSH_Host_Key_Policy.md](MAN_SSH_Host_Key_Policy.md)
-* **Added**: [zzzz_luks_squash.hook.binary](../config/hooks/live/zzzz_luks_squash.hook.binary) + Preparing squashfs LUKS encryption
+* **Added**: [zzzz_luks_squash.hook.binary](../config/hooks/live/zzzz_ciss_crypt_squash.hook.binary) + Preparing squashfs LUKS encryption
 * **Bugfixes**: [generate_PRIVATE_trixie_0.yaml](../.gitea/workflows/generate_PRIVATE_trixie_0.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
 * **Bugfixes**: [generate_PRIVATE_trixie_1.yaml](../.gitea/workflows/generate_PRIVATE_trixie_1.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
 * **Bugfixes**: [generate_PUBLIC_iso.yaml](../.gitea/workflows/generate_PUBLIC_iso.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
 * **Bugfixes**: [linter_char_scripts.yaml](../.gitea/workflows/linter_char_scripts.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
 * **Bugfixes**: [render-dnssec-status.yaml](../.gitea/workflows/render-dnssec-status.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
 * **Bugfixes**: [render-dot-to-png.yaml](../.gitea/workflows/render-dot-to-png.yaml) + updated: Preparing SSH Setup, SSH Deploy Key, Known Hosts, .config.
-* **Bugfixes**: [0030-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-verify-checksums)
+* **Bugfixes**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums)
 * **Changed**: [localoptions.h](../upgrades/dropbear/localoptions.h)
 * **Changed**: [.shellcheckrc](../.shellcheckrc)
 * **Changed**: [9940_hardening_memory.dump.chroot](../config/hooks/live/9940_hardening_memory.dump.chroot) + added: 9999-ciss-coredump-disable.conf
@@ -38,7 +61,7 @@ include_toc: true
 * **Updated**: [AUDIT_LYNIS.md](AUDIT_LYNIS.md) + updated: Lynis Version 3.1.6

 ## V8.13.400.2025.11.08
-* **Bugfixes**: [0030-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-verify-checksums) - GPG key handling
+* **Bugfixes**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) - GPG key handling
 * **Changed**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) - Unified naming scheme
 * **Changed**: [lib_gnupg.sh](../lib/lib_gnupg.sh) - Unified naming scheme
 * **Changed**: [binary_checksums.sh](../scripts/usr/lib/live/build/binary_checksums.sh) - Unified naming scheme, added verbosity output
@@ -55,16 +78,17 @@ include_toc: true
 * **Bugfixes**: [lib_gnupg.sh](../lib/lib_gnupg.sh) + modified passphrase handling

 ## V8.13.384.2025.11.06
+* **Global**: Debian bookworm support deprecated.
 * **Global**: Changed ``shred -vfzu -n 5`` to ``shred -fzu -n 5``.
 * **Global**: Live-hooks: ``apt-get`` commands safeguarded by ``export DEBIAN_FRONTEND="noninteractive" INITRD="No"``.
 * **Added**: [marc_s_weidner_msw+deploy@coresecet.dev_0x2CCF4601_public.asc](../.pubkey/marc_s_weidner_msw%2Bdeploy%40coresecet.dev_0x2CCF4601_public.asc)
 * **Added**: [0870_bashdb.chroot](../config/hooks/live/0870_bashdb.chroot) bashdb debugger https://github.com/Trepan-Debuggers/bashdb.git
-* **Added**: [0030-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-verify-checksums) Unified handling via includes.chroot.
+* **Added**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) Unified handling via includes.chroot.
 * **Added**: [lib_ciss_upgrades_boot.sh](../lib/lib_ciss_upgrades_boot.sh) Updates for CISS and PhysNet primordial-workflow™.
 * **Added**: [lib_ciss_upgrades_build.sh](../lib/lib_ciss_upgrades_build.sh) Updates for CISS and PhysNet primordial-workflow™.
 * **Added**: [lib_gnupg.sh](../lib/lib_gnupg.sh) Updates for CISS and PhysNet primordial-workflow™.
 * **Added**: [lib_primordial.sh](../lib/lib_primordial.sh) Updates for CISS and PhysNet primordial-workflow™.
-* **Added**: [0030-verify-checksums](../scripts/usr/lib/live/boot/0030-verify-checksums) Unified handling via includes.chroot.
+* **Added**: [0030-ciss-verify-checksums](../scripts/usr/lib/live/boot/0030-ciss-verify-checksums) Unified handling via includes.chroot.
 * **Bugfixes**: [linter_char_scripts.yaml](../.gitea/workflows/linter_char_scripts.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-linter_char_scripts.yaml}"
 * **Bugfixes**: [render-dnssec-status.yaml](../.gitea/workflows/render-dnssec-status.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dnssec-status.yaml}"
 * **Bugfixes**: [render-dot-to-png.yaml](../.gitea/workflows/render-dot-to-png.yaml) - WORKFLOW_ID="${GITHUB_WORKFLOW:-render-dot-to-png.yaml}"
@@ -100,9 +124,6 @@ include_toc: true
 * **Changed**: [early.var.sh](../var/early.var.sh) Unified variable declaration.
 * **Changed**: [global.var.sh](../var/global.var.sh) Unified variable declaration.
 * **Changed**: [ciss_live_builder.sh](../ciss_live_builder.sh) Updated program workflow for deterministic environment creation.
-* **Removed**: [0002_verify_checksums.chroot](../.archive/0002_verify_checksums.chroot) Unified handling via includes.chroot.
-* **Removed**: [9998_sources_list_bookworm.chroot](../.archive/9998_sources_list_bookworm.chroot) Debian bookworm support deprecated.
-* **Removed**: [lib_lb_config_write.sh](../.archive/lib_lb_config_write.sh) Debian bookworm support deprecated.
 * **Updated**: [icon.lib](../.archive/icon.lib) + Emojis

 ## V8.13.298.2025.10.30
@@ -222,7 +243,6 @@ include_toc: true
 * **Updated**: [lib_trap_on_exit.sh](../lib/lib_trap_on_exit.sh)
 * **Updated**: [9999-cdi-starter](../scripts/usr/local/sbin/9999_cdi_starter.sh)
 * **Updated**: [9980_usb_guard.chroot](../config/hooks/live/9980_usb_guard.chroot)
-* **Updated**: [9998_sources_list_bookworm.chroot](../.archive/9998_sources_list_bookworm.chroot)
 * **Updated**: [9998_sources_list_trixie.chroot](../config/hooks/live/9998_sources_list_trixie.chroot)
 * **Updated**: [9999_interfaces_update.chroot](../config/hooks/live/9999_interfaces_update.chroot)
 * **Updated**: [lib_cdi.sh](../lib/lib_cdi.sh) Unified Kernel bootparameter.
@@ -241,7 +261,7 @@ include_toc: true
 * **Updated**: Debian 13 LIVE ISO workflows to use Kernel: ``6.12.48+deb13-amd64``

 ## V8.13.008.2025.08.22
-* **Removed**: [0003_install_backports.chroot](../.archive/0003_install_backports.chroot)
+* **Removed**: [0003_install_backports.chroot]

 ## V8.13.004.2025.08.21
 * **Added**: [makefile](../makefile)
--- a/docs/CNET.md
+++ b/docs/CNET.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>

 # 2. Centurion Net - Developer Branch Overview

--- a/docs/CODING_CONVENTION.md
+++ b/docs/CODING_CONVENTION.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>

 # 2. Coding Style

--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>

 # 2. Contributing / participating

--- a/docs/CREDITS.md
+++ b/docs/CREDITS.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>

 # 2. Credits

--- a/docs/DL_PUB_ISO.md
+++ b/docs/DL_PUB_ISO.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>

 # 2. Download the latest PUBLIC CISS.debian.live.ISO

--- a/docs/DOCUMENTATION.md
+++ b/docs/DOCUMENTATION.md
@@ -8,14 +8,14 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>

 # 2.1. Usage
 ````text
                        CDLB(1)                        CISS.debian.live.builder                        CDLB(1)

 CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V8.13.404.2025.11.10
+Master V8.13.408.2025.11.13
 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.

 (c) Marc S. Weidner, 2018 - 2025
@@ -111,10 +111,11 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
    MUST be placed in:
    </dev/shm/cdlb_secrets/password.txt>

-  --signing_key=* and --signing_key_fpr=*; if desired then additionally --signing_key_pass=*
+  --signing_key=* and --signing_key_fpr=*. Optional: --signing_key_pass=* --signing_ca=*
    The GPG private keyring that should be used for signing artifacts such as checksum hashes and scripts is
    specified via '--signing_key=*'. If the keyring is protected, then provide the passphrase in its own file.
    Specify the fingerprint of the key to use via '--signing_key_fpr=*'.
+    Optionally import an offline GPG CA signing public key via: '--signing_ca=*'.
    Change '*' to your desired files / fingerprint. Files MUST be placed in:
    </dev/shm/cdlb_secrets>

@@ -145,7 +146,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 💷 Please consider donating to my work at:
 🌐 https://coresecret.eu/spenden/

-                        V8.13.404.2025.11.10                        2025-11-06                         CDLB(1)
+                        V8.13.408.2025.11.13                        2025-11-06                         CDLB(1)
 ````

 # 3. Booting
--- a/docs/MAN_CISS_ISO_BOOT_CHAIN.md
+++ b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
@@ -0,0 +1,185 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.live.builder
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
+**Master Version**: 8.13<br>
+**Build**: V8.13.408.2025.11.13<br>
+
+# 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation)
+
+**Status:** 2025-11-12
+**Audience:** CICA CISO, CISS staff, technically proficient administrators
+**Summary:** The CISS.debian Live-ISO establishes a two-stage verification chain without Microsoft-db: an early ISO-edge check (signature and FPR pin) *before* LUKS unlock, and a late root-FS attestation *after* unlock, reinforced by `dm-crypt (AES-XTS)` and `dm-integrity (HMAC-SHA-512)`.
+
+# 3. Overview
+
+* **Trust anchor:** Pinned fingerprint (FPR) of the signing key embedded at build time in initramfs hooks.
+* **Integrity & authenticity verification:**
+
+  1. **Early:** Verify `sha512sum.txt` at the ISO edge using `gpgv` and FPR pin.
+  2. **Late:** Verify an attestation hash list inside the decrypted root FS using `gpgv` and FPR pin.
+* **Storage-level AEAD (functional):** `dm-crypt` (AES-XTS-512) and `dm-integrity` (HMAC-SHA-512, 4 KiB).
+* **Remotely unlock:** Hardened Dropbear (modern primitives only), no passwords, no agent/forwarding.
+
+# 4. Primitives & Parameters (concise)
+
+| Component    | Primitive / Parameter                                     | Purpose                                               |
+|--------------|-----------------------------------------------------------|-------------------------------------------------------|
+| LUKS2        | `aes-xts-plain64`, `--key-size 512`, `--sector-size 4096` | Confidentiality (2×256-bit XTS)                       |
+| dm-integrity | `hmac-sha512` (keyed), journal                            | Adversary-resistant per-sector integrity/authenticity |
+| PBKDF        | `argon2id`, `--iter-time 1000` ms                         | Key derivation, hardware-agnostic                     |
+| Signatures   | Ed25519, RSA-4096 (FPR pinned)                            | Public verifiability, non-repudiation                 |
+| Verification | `gpgv --no-default-keyring`                               | No agent dependency in initramfs                      |
+| Hash lists   | `sha512sum` format                                        | Deterministic content verification                    |
+| Dropbear     | Modern KEX/AEAD (per `localoptions.h`)                    | Minimal attack surface, remote unlock                 |
+
+# 5. End-to-End Boot Flow
+```mermaid
+sequenceDiagram
+  autonumber
+  participant FW as UEFI/BIOS
+  participant GRUB as GRUB
+  participant K as Kernel
+  participant I as initramfs + live-boot
+  participant D as Dropbear (optional)
+  participant C25 as CISS 0025 (live-premount)
+  participant C30 as CISS 0030 (live-bottom, early)
+  participant LUKS as LUKS2 + dm-integrity
+  participant RS as RootFS (SquashFS/Overlay)
+  participant C45 as CISS 0045 (live-bottom, late)
+
+  FW->>GRUB: Load kernel + initramfs
+  GRUB->>K: Boot kernel
+  K->>I: Pivot to initramfs (live-boot phases)
+  I->>D: (optional) Start Dropbear (remote unlock)
+  I->>C25: Run 0025: LUKS open (dm-crypt+integrity), mount SquashFS
+  C25->>LUKS: Unlock (Argon2id PBKDF → XTS + HMAC)
+  I->>C30: Run 0030: Verify ISO edge (gpgv, FPR pin, optional self-hash)
+  C30-->>I: OK → continue; FAIL → abort
+  I->>RS: Assemble overlay, switch_root
+  I->>C45: Run 0045: Verify root fs (gpgv, FPR pin) + dmsetup health
+  C45-->>I: OK → handoff to userspace; FAIL → abort
+```
+
+# 6. LUKS/dm-integrity Layering
+```mermaid
+graph TD
+  A[Plain device (rootfs.crypt)] --> B[dm-integrity<br/>HMAC-SHA-512, 4 KiB]
+  B --> C[dm-crypt<br/>AES-XTS-512]
+  C --> D[Mapped device /dev/mapper/crypt_liveiso]
+  D --> E[SquashFS mount /run/live/rootfs]
+```
+
+**Note:** Encrypt-then-MAC at the block layer (functionally AEAD-equivalent). Any manipulation ⇒ hard I/O error.
+
+# 7. Build-Time Core Step (LUKS)
+```sh
+cryptsetup luksFormat \
+  --batch-mode \
+  --cipher aes-xts-plain64 \
+  --integrity hmac-sha512 \
+  --iter-time 1000 \
+  --key-file "/proc/$$/fd/${KEYFD}" \
+  --key-size 512 \
+  --label crypt_liveiso \
+  --luks2-keyslots-size 16777216 \
+  --luks2-metadata-size 4194304 \
+  --pbkdf argon2id \
+  --sector-size 4096 \
+  --type luks2 \
+  --use-random \
+  --verbose \
+  "${LUKSFS}"
+```
+
+**Signing keys:** Ed25519 and RSA-4096; **FPR pinned at build time** in hooks. Signing keys are **additionally** signed by an offline GPG Root-CA (out-of-band trust chain).
+
+# 8. Early ISO-Edge Verification (CISS modified hook 0030, live-bottom)
+
+**Goal:** Before consuming any medium content, verify:
+
+1. **Detached signature of `sha512sum.txt`** using `gpgv` against the embedded public key.
+2. **FPR pinning:** Parse `VALIDSIG` and require exact match with the build-time pinned FPR.
+3. **Optional:** *Script self-IA* – hash the executed hook and compare against the signed list (drift/bitrot detector).
+
+**Core call (initramfs):**
+
+```sh
+/usr/bin/gpgv --no-default-keyring --keyring "$KEYFILE" --status-fd 1 --verify sha512sum.txt.sig sha512sum.txt
+# parse [GNUPG:] VALIDSIG ... <FPR> ...
+```
+
+# 9. Late Root-FS Attestation and dmsetup Health (CISS hook 0045, live-bottom)
+
+**Goal:** After LUKS unlock, validate the **decrypted** contents and the **actual** mapping topology.
+
+* **Attestation files:** `/.ciss/attest/rootfs.sha512[.sig]`
+* **Key source:** `/etc/ciss/keys/*.gpg` (accepted only if FPR == build-pin)
+* **Health check:** `dmsetup table --showkeys` → top `crypt` (AES-XTS), child `integrity` (HMAC-SHA-512, 4096 B)
+
+**Core calls (initramfs):**
+
+```sh
+# 1) Signature and FPR pin (no agent)
+/usr/bin/gpgv --no-default-keyring --keyring "$KEYFILE" --status-fd 1 --verify "$SIG" "$DATA"
+
+# 2) Optional: Content hash verification
+( cd "$ROOTMP" && /usr/bin/sha512sum -c --strict --quiet "$DATA" )
+
+# 3) dmsetup health
+dmsetup table --showkeys /dev/mapper/crypt_liveiso
+dmsetup table --showkeys CHILD  # expect integrity hmac sha512 4096
+```
+
+# 9. Failure Policy (fail-closed, deterministic)
+
+* **Abort** on: missing `VALIDSIG`, FPR mismatch, missing key/signature, or a deviating `dmsetup` topology.
+
+# 10. Dropbear (Hardened Remotely Unlock)
+
+```text
+• Public-key auth only, no passwords
+• Modern KEX/AEAD (e.g., curve25519, sntrup761x25519-sha512, mlkem768x25519-sha256; AES-GCM)
+• No agent/X11/TCP forwarding, no SFTP
+• Strict timeouts/keep-alives, restricted cipher/KEX set
+• Port 42137 (per CISS convention)
+```
+
+*Concrete selection compiled via your `localoptions.h` at ISO build time.*
+
+# 11. Integration Points & Paths
+
+* **Hooks (build view):** `/usr/lib/live/boot/0025-...`, `/usr/lib/live/boot/0030-...`, `/usr/lib/live/boot/0045-...`
+* **Hooks (boot view):** `/scripts/live-premount/0025-...`, `/scripts/live-bottom/0030-...`, `/scripts/live-bottom/0045-...`
+* **Key files:**
+  * ISO edge (for 0030): embedded public key blob (project-specific name)
+  * Root FS (for 0045): `/etc/ciss/keys/*.gpg`
+* **Mounts (typical):** `/run/live/rootfs`, `/run/live/overlay`
+
+# 12. Diagram: Trust Chain & Verification Paths
+
+```mermaid
+flowchart TD
+  A[Build time<br/>pin EXP_FPR + embed ISO key] --> B[ISO artifacts<br/>sha512sum.txt + .sig]
+  B --> C[Boot early (0030)<br/>gpgv verify + FPR pin]
+  C -->|OK| D[LUKS open (0025)]
+  D --> E[Mount RootFS]
+  E --> F[Boot late (0045)<br/>gpgv verify + FPR pin (root key)]
+  F --> G[dmsetup health<br/>crypt(XTS) over integrity(HMAC-SHA512)]
+  C -- FAIL --> X[Abort]
+  F -- FAIL --> X
+  G -- FAIL --> X
+```
+
+# 13. Closing Remark
+
+This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection against medium tampering, bitrot and active attacks **both before and after decryption**. The dual verification phases plus `dmsetup` health make the state transparent and deterministic.
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
--- a/docs/MAN_SSH_Host_Key_Policy.md
+++ b/docs/MAN_SSH_Host_Key_Policy.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>

 # 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer

--- a/docs/REFERENCES.md
+++ b/docs/REFERENCES.md
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 8.13<br>
-**Build**: V8.13.404.2025.11.10<br>
+**Build**: V8.13.408.2025.11.13<br>

 # 2. Resources