msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.432.2025.11.18
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m5s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-11-18 15:54:48 +00:00
parent 2a59f39435
commit 653f702169
1 changed files with 34 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
docs/MAN_CISS_ISO_BOOT_CHAIN.md
View File

@@ -224,29 +224,42 @@ dmsetup table --showkeys CHILD # expect integrity hmac sha512 4096
```mermaid
flowchart TD
A["ISO build time: embedded and pinned GPG FPR"] e1@--> B["ISO build time: generate sha512sum.txt and .sig"];
B e2@--> C["ISO build time: LUKS2 dm-integrity encryption of filesystem.squashfs in ciss_rootfs.crypt"];
C e3@--> D["ISO boot time: 0024 LUKS2, dm-integrity HMAC-SHA512"];
D e4@-->|SUCCESSFUL| E["ISO boot time: ciss_rootfs.crypt opened"];
E e5@--> F["ISO boot time: mounting RootFS"];
F e6@--> G["ISO boot time: 0030 verification of authenticity and integrity via embedded and pinned GPG of ISO edge"];
G e7@-->|SUCCESSFUL| H["ISO boot time: ISO edge verified"];
H e8@--> I["ISO boot time: 0042 verification of authenticity and integrity via embedded and pinned GPG of RootFS"];
I e9@-->|SUCCESSFUL| J["ISO boot time: ISO RootFS verified"];
J e0@--> K{{"ISO run time: CISS.debian.live.builder ISO running"}};
D -- FAIL --> X{{"Boot process halted"}};
subgraph ISO Build Time
direction TD
A["Embed and pin GPG FPR (into ISO & RootFS as needed)"] e00@--> B["Generate ISO-edge sha512sum.txt and .sig"];
B e01@--> C["Build filesystem.squashfs and wrap it into ciss_rootfs.crypt"];
e00@{ animation: fast }
e01@{ animation: fast }
end
subgraph ISO Boot Time
direction TD
C e02@--> D["0024 LUKS2, dm-integrity HMAC-SHA512"];
D e03@-->|SUCCESSFUL| E["ciss_rootfs.crypt opened"];
E e04@--> F["Mounting RootFS"];
F e05@--> G["0030 verification of authenticity and integrity via embedded and pinned GPG of ISO edge"];
G e06@-->|SUCCESSFUL| H["ISO edge verified"];
H e07@--> I["0042 post-decrypt-attestation of RootFS"];
I e08@-->|SUCCESSFUL| J["RootFS attestation successful"];
e02@{ animation: fast }
e03@{ animation: fast }
e04@{ animation: fast }
e05@{ animation: fast }
e06@{ animation: fast }
e07@{ animation: fast }
e08@{ animation: fast }
end
subgraph ISO Run Time
direction TD
J e09@--> K{{"CISS.debian.live.builder ISO running"}};
X{{"Boot process halted"}};
e09@{ animation: fast }
end
D -- FAIL --> X;
G -- FAIL --> X;
I -- FAIL --> X;
e0@{ animation: fast }
e1@{ animation: fast }
e2@{ animation: fast }
e3@{ animation: fast }
e4@{ animation: fast }
e5@{ animation: fast }
e6@{ animation: fast }
e7@{ animation: fast }
e8@{ animation: fast }
e9@{ animation: fast }
```
# 14. Closing Remark