Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
@@ -44,10 +44,10 @@ changes and made publicly available for download. The latest generic ISO is avai
Beyond a conventional live system, **CISS.debian.live.builder** assembles a **fully encrypted, integrity-protected live medium**
in a single, deterministic build step: a LUKS2 container backed by `dm-integrity` hosting the SquashFS root filesystem, combined
with a hardened initramfs chain including a dedicated Dropbear build pipeline for remote LUKS unlock. The resulting ISO ships
with a hardened kernel configuration, strict sysctl and network tuning, pre-configured SSH hardening and fail2ban, and a
customised `verify-checksums` path providing fail-closed ISO-edge verification and runtime attestation of the exact final
SquashFS payload bytes selected for the encrypted live root. All components are aligned with the `CISS.debian.installer`
with a hardened initramfs chain including a dedicated Dropbear build pipeline for remote LUKS unlock. The resulting ISO ships
with a hardened kernel configuration, strict sysctl and network tuning, pre-configured SSH hardening and fail2ban, and a
customised `verify-checksums` path providing fail-closed mounted-medium verification plus runtime attestation of the exact
final SquashFS payload bytes selected for the encrypted live root. All components are aligned with the `CISS.debian.installer`
baseline, ensuring a unified cryptographic and security posture from first boot to an installed system. For an overview of the
entire build process, see:
**[MAN_CISS_ISO_BOOT_CHAIN.md](docs/MAN_CISS_ISO_BOOT_CHAIN.md)**
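Review bot: In the rewritten `verify-checksums` sentence, "mounted-medium verification" replaces "ISO-edge verification" without either term being defined in this paragraph, so a reader cannot tell what the fail-closed check now covers (the files on the mounted live medium versus the ISO image as a whole) or whether the security claim was narrowed. Suggest adding a short clause that states what is hashed and against which reference, or linking the term to the relevant section of docs/MAN_CISS_ISO_BOOT_CHAIN.md. Separately, the two lines beginning "with a hardened initramfs chain" and "with a hardened kernel configuration" appear on both sides of the hunk with no visible difference; if that is whitespace or line-ending churn, drop it from the commit so the diff shows only the wording change.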