V8.13.432.2025.11.18

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

docs/MAN_CISS_ISO_BOOT_CHAIN.md

@@ -224,17 +224,29 @@ dmsetup table --showkeys CHILD  # expect integrity hmac sha512 4096
 
 ```mermaid
 flowchart TD
-
+A["ISO build time: embedded and pinned GPG FPR"] e1@--> B["ISO build time: generate sha512sum.txt and .sig"];
-
+B e2@--> C["ISO build time: LUKS2 dm-integrity encryption of filesystem.squashfs in ciss_rootfs.crypt"];
-A["Build time: pin EXP_FPR + embed ISO key"] --> B["ISO artifacts: sha512sum.txt + .sig"];
+C e3@--> D["ISO boot time: 0024 LUKS2, dm-integrity HMAC-SHA512"];
-B --> C["Boot early (0030): gpgv verify + FPR pin"];
+D e4@-->|SUCCESSFUL| E["ISO boot time: ciss_rootfs.crypt opened"];
-C -->|OK| D["LUKS open (0024)"];
+E e5@--> F["ISO boot time: mounting RootFS"];
-D --> E["Mount RootFS"];
+F e6@--> G["ISO boot time: 0030 verification of authenticity and integrity via embedded and pinned GPG of ISO edge"];
-E --> F["Boot late (0042): gpgv verify + FPR pin (root key)"];
+G e7@-->|SUCCESSFUL| H["ISO boot time: ISO edge verified"];
-F --> G["dmsetup health: crypt(XTS) over integrity(HMAC-SHA-512)"];
+H e8@--> I["ISO boot time: 0042 verification of authenticity and integrity via embedded and pinned GPG of RootFS"];
-C -- FAIL --> X["Abort"];
+I e9@-->|SUCCESSFUL| J["ISO boot time: ISO RootFS verified"];
-F -- FAIL --> X;
+J e0@--> K{{"ISO run time: CISS.debian.live.builder ISO running"}};
+D -- FAIL --> X{{"Boot process halted"}};
 G -- FAIL --> X;
+I -- FAIL --> X;
+e0@{ animation: fast }
+e1@{ animation: fast }
+e2@{ animation: fast }
+e3@{ animation: fast }
+e4@{ animation: fast }
+e5@{ animation: fast }
+e6@{ animation: fast }
+e7@{ animation: fast }
+e8@{ animation: fast }
+e9@{ animation: fast }
 ```
 
 # 14. Closing Remark