V9.14.024.2026.06.11

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-11 17:11:22 +01:00
parent 9ef535554a
commit 97596fbcba
63 changed files with 767 additions and 200 deletions
+38 -26
@@ -2,7 +2,7 @@
gitea: none
include_toc: true
---
[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.022.2026.06.10-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.024.2026.06.11-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
&nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
[![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -27,7 +27,7 @@ include_toc: true
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.022.2026.06.10<br>
**Build**: V9.14.024.2026.06.11<br>
**CISS.debian.live.builder — First of its own.**<br>
**World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.**
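Review bot: the build string is hand-edited in three separate places in this file (the release badge, the `**Build**:` line in this hunk, and the versioning example further down), and the three copies are only kept consistent by hand. A single source, for example a `VERSION` file rendered into the README, or at least a release-procedure note listing every location, would stop the badge and the `**Build**:` line from drifting apart on a future bump.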
@@ -46,9 +46,10 @@ Beyond a conventional live system, **CISS.debian.live.builder** assembles a **fu
in a single, deterministic build step: a LUKS2 container backed by `dm-integrity` hosting the SquashFS root filesystem, combined
with a hardened initramfs chain including a dedicated Dropbear build pipeline for remote LUKS unlock. The resulting ISO ships
with a hardened kernel configuration, strict sysctl and network tuning, pre-configured SSH hardening and fail2ban, and a
customised `verify-checksums` path providing both ISO-edge verification and runtime attestation of the live root. All components
are aligned with the `CISS.debian.installer` baseline, ensuring a unified cryptographic and security posture from first boot to
an installed system. For an overview of the entire build process, see:
customised `verify-checksums` path providing fail-closed ISO-edge verification and runtime attestation of the exact final
SquashFS payload bytes selected for the encrypted live root. All components are aligned with the `CISS.debian.installer`
baseline, ensuring a unified cryptographic and security posture from first boot to an installed system. For an overview of the
entire build process, see:
**[MAN_CISS_ISO_BOOT_CHAIN.md](docs/MAN_CISS_ISO_BOOT_CHAIN.md)**
When built with the ``--dhcp-centurion`` profile, the live system ships with a strict network and resolver policy:
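Review bot: "runtime attestation of the exact final SquashFS payload bytes" in the rewritten sentence reads as remote attestation, but what the expectations list later describes is local verification of the byte stream against a signed manifest inside the initramfs; nothing is reported to an external verifier. Calling it "verification" here, or "local attestation against a signed manifest", avoids readers expecting a TPM quote or similar. "Fail-closed" is also asserted in this sentence but only defined in the expectations list ("Any anomaly causes a hard abort during boot"); a short clause such as "any mismatch aborts boot" would let the claim stand on its own.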
@@ -60,12 +61,17 @@ and spoofing surfaces.
Internally, the builder employs a dedicated secret-handling pipeline backed by a tmpfs-only secrets directory
(`/dev/shm/cdlb_secrets`). Sensitive material such as root passwords, SSH keys, and signing keys never appears on the command
line, is guarded by strict `0400 root:root` permissions, and any symlink inside the secret path is treated as a hard failure
that aborts the run. Critical code paths temporarily disable Bash xtrace so that credentials never leak into debug logs, and
transient secret files are shredded (`shred -fzu`) as soon as they are no longer needed. GNUPG homes used for signing are
wiped, unencrypted chroot artifacts and includes are removed after `lb build`, and the final artifact is reduced to the
encrypted SquashFS inside the LUKS2 container. At runtime, LUKS passphrases in the live ISO and installer are transported via
named pipes inside the initramfs instead of process arguments, further minimizing exposure in process listings.
line. The secret root must be an existing `root:root` tmpfs or ramfs directory with `0700` permissions and no symlinks or
special files below it. Filename-only secret arguments are rejected when they contain path separators, traversal names, shell
metacharacters, or unsafe leading dashes. Critical code paths temporarily disable Bash xtrace so that credentials never leak
into debug logs; the final exact-value sanitization pass runs only after xtrace has been stopped and its debug file descriptor
has been closed, then redacts still-known secret values from debug, variable, and error logs as defense in depth. Transient
secret files are shredded (`shred -fzu`) as soon as they are no longer needed; this is best-effort on SSD/NVMe media, so the
architecture relies primarily on tmpfs for secret staging. GNUPG homes used for signing are wiped,
unencrypted chroot artifacts and includes are removed after `lb build`, and cleanup is intentionally destructive only inside
the exact build directory carrying the `.ciss-live-builder-owned` marker. At runtime, LUKS passphrases in the live ISO and
installer are transported via named pipes inside the initramfs instead of process arguments, further minimizing exposure in
process listings.
Check out more leading world-class services powered by Centurion Intelligence Consulting Agency:
* [CenturionDNS Resolver](https://eddns.eu/)
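Review bot: the exact-value sanitization pass that "redacts still-known secret values from debug, variable, and error logs" has the same media caveat this paragraph states for `shred -fzu`: if those debug, variable and error logs are written to SSD/NVMe rather than tmpfs, an in-place rewrite does not reliably remove the pre-redaction bytes from the device. State where those logs live and, if possible, stage them on the same tmpfs as the secrets. Two smaller points: of the two accepted secret roots, ramfs is the stricter choice because its pages are never swapped out, while tmpfs pages can be unless swap is disabled or encrypted, so the text could recommend ramfs where swap is enabled; and the `.ciss-live-builder-owned` marker only protects against destructive cleanup if the builder creates it itself, so say explicitly that users must not pre-create it to make a foreign directory eligible for cleanup.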
@@ -123,7 +129,7 @@ lockstep avoids those mismatches and gives me predictable artifacts across build
The live ISO acts as a sealed, immutable execution environment. All relevant configuration, all installation logic, and all
security decisions are rendered into the image at build time and treated as read-only at runtime. On top of that logical
immutability, I now layer cryptographic protection of the live root file system itself. The live image contains a LUKS2 container
immutability, I now layer cryptographic protection of the live root file system itself. The live image contains a LUKS2 container
file with dm-integrity that wraps the SquashFS payload. The initramfs knows how to locate this container, unlock it, verify its
integrity, and then present the decrypted SquashFS as the root component of an OverlayFS stack. The detailed boot and
verification chain is documented separately in **[CISS ISO Boot Chain](docs/MAN_CISS_ISO_BOOT_CHAIN.md)**<br>
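Review bot: the removed and added "immutability, I now layer cryptographic protection ..." lines are identical as rendered here, so the change is whitespace or line-ending only. Fine to keep, but a hunk that carries no visible content change is worth a `git diff -w` check before merge to confirm nothing was lost in the rewrap.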
@@ -131,7 +137,7 @@ verification chain is documented separately in **[CISS ISO Boot Chain](docs/MAN_
In compact form, my expectations for the system are:<br>
* Every bit that matters for boot and provisioning is covered by checksums that I control and that are signed with keys under my solely authoritative HSM.
* The live root runs out of a LUKS2 dm-integrity container so that a tampered or bit-rotted SquashFS never becomes a trusted root.
* The live root runs out of a LUKS2 dm-integrity container, and the final SquashFS byte stream copied into the decrypted mapper is verified against a signed rootfs attestation manifest, so a tampered or bit-rotted SquashFS never becomes a trusted root.
* Verification steps are not advisory. Any anomaly causes a hard abort during boot.
* After the live environment has reached a stable, verified state, it can hand off to ``CISS.debian.installer``. The installer operates from the same image, does not pull random payloads from the internet, and keeps the target system behind a hardened firewall until the entire provisioning process has completed.
* For unattended, headless scenarios I also support builds where the target system is installed without ever exposing a shell over the console. After installation and reboot, the machine waits for a decryption passphrase via an embedded Dropbear SSH instance in the initramfs, limited to public key authentication and guarded by strict cryptographic policies. In such variants even ``/boot`` can be encrypted, with GRUB taking care of unlocking the boot partition.
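Review bot: the rewritten second bullet says the SquashFS byte stream "copied into the decrypted mapper is verified against a signed rootfs attestation manifest", but it does not say when that check runs or what verifies the signature. The copy into the mapper is a build-time step, while the promise the bullet makes ("a tampered or bit-rotted SquashFS never becomes a trusted root") needs the check to run in the initramfs at boot. Please state the phase explicitly, and add that the manifest's verification key is embedded in the initramfs and that the initramfs itself is covered by the ISO-edge checksums; otherwise an attacker who can replace the initramfs can simply drop the check. The first bullet already names HSM-held signing keys, so one sentence tying the manifest signature to those keys would close the loop.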
@@ -175,7 +181,7 @@ installer toolchain.
This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
Example: `V9.14.022.2026.06.10`
Example: `V9.14.024.2026.06.11`
`x.y.z` represents major (x), minor (y), and patch (z) version increments.
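Review bot: the pattern is stated as `x.y.z-Date` but the example `V9.14.024.2026.06.11` uses dots between all fields and a `V` prefix; either the pattern should read `Vx.y.z.YYYY.MM.DD` or the example should carry the hyphen. The example also zero-pads `z` to three digits (`024`) while `x.y.z` implies plain integers; say whether the padding is part of the scheme so that version comparisons in tooling sort as intended.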
@@ -369,7 +375,7 @@ For further details see: **[90-ciss-local.hardened.md](docs/documentation/90-cis
`--primordial-ssh <port>` configure the CDI Primordial overlay clone. `--primordial-ssh` also adds an outgoing-only UFW TCP
exception for a bootstrap/recovery SSH port when the live system's UFW outgoing policy is `deny`. It adds no incoming firewall
rule and does not replace `--ssh-port`. If the requested port already matches an existing outgoing SSH exception, the current
hook still emits the requested labelled rule because this repository has no separate UFW rule deduplication layer.
hook still emits the requested labeled rule because this repository has no separate UFW rule deduplication layer.
* **Rationale**: Implements a default-deny firewall, reducing lateral movement and data exfiltration risks immediately after
deployment.
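Review bot: changing "labelled" to "labeled" makes this file mix spellings: the introduction uses "customised" and the badge text "Licence", which are British forms, while "labeled" is American. Pick one convention for the README; if the switch is deliberate, "customised" should follow in the same commit.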
@@ -493,10 +499,13 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e
2. Preparation:
1. Ensure you are root.
2. Create the build directory `mkdir /opt/cdlb` and the tmpfs secrets directory `mkdir /dev/shm/cdlb_secrets`.
2. Create the build directory `install -d -m 0755 -o root -g root /opt/cdlb` and the tmpfs secrets directory
`install -d -m 0700 -o root -g root /dev/shm/cdlb_secrets`.
3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory.
4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory.
5. Make any other changes you need to.
5. Keep files below `/dev/shm/cdlb_secrets` as regular, non-symlink files owned by `root:root`; the builder normalizes them
to `0400` before use.
6. Make any other changes you need to.
3. Run the config builder script `./ciss_live_builder.sh` and the integrated `lb build` command (example):
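Review bot: step 2 now creates `/dev/shm/cdlb_secrets` with `install -d -m 0700 -o root -g root`, which matches the "existing `root:root` tmpfs or ramfs directory with `0700`" requirement, but the steps never verify that `/dev/shm` actually is tmpfs on the build host (in containers and some minimal images it is a bind mount or absent), so a reader only finds out when the builder rejects the secret root; adding `findmnt -T /dev/shm/cdlb_secrets -o FSTYPE` to step 2 would surface this early. Steps 3 and 4 still say to place `authorized_keys` and `password.txt` "for example" in the secrets directory, which reads as if the location were optional; given the filename-only argument rule in the secrets paragraph, say plainly that these are bare filenames resolved under the secret root. Finally, since step 5 says the builder normalizes files to `0400`, tell users to create them under `umask 077` so the material is never group- or world-readable, even briefly, before normalization.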
@@ -505,7 +514,7 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e
timestamp=$(date -u +%Y-%m-%dT%H:%M:%S%z)
./ciss_live_builder.sh \
--architecture amd64 \
--autobuild=6.16.3+deb13-amd64 \
--autobuild=7.0.10+deb13-amd64 \
--build-directory /opt/cdlb \
--cdi \
--change-splash hexagon \
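Review bot: the example mixes two option syntaxes in one invocation: `--autobuild=7.0.10+deb13-amd64` uses `=` while `--architecture amd64` and `--build-directory /opt/cdlb` use a space. If the parser accepts both, say so once; otherwise normalize the example so a copy-paste user does not hit a parse error. The new `--autobuild` value also pins an exact kernel ABI string that only resolves if the matching kernel package is present in the configured repository at build time, so a sentence on how to discover the current value would save readers a failed build.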
@@ -525,9 +534,9 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e
--signing_key_pass=signing_key_pass.txt \
--signing_key=signing_key.asc \
--ssh-port 4242 \
--primordial-url https://git.coresecret.dev/ahz/PhysNet.primordial.git \
--primordial-key id--git.coresecret.dev--PhysNet.primordial_deploy--ed25519--newton--2025-10 \
--primordial-ssh 42842 \
--primordial-key SSH-key-filename-for-Primordial-overlay-clone \
--primordial-ssh SSH-port-for-Primordial-overlay-clone \
--primordial-url URL-to-Primordial-overlay-clone \
--ssh-pubkey /dev/shm/cdlb_secrets \
--sshfp \
--trixie
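Review bot: replacing the real deploy-key filename `id--git.coresecret.dev--PhysNet.primordial_deploy--ed25519--newton--2025-10`, the port `42842` and the repository URL with placeholders is the right call for a public README, but the removed values stay in git history, so the deploy key named there should be treated as disclosed (its filename, host and purpose are public) and rotated if that matters. Two clarity points: `--primordial-key` receives a bare filename resolved under the secret root while `--ssh-pubkey /dev/shm/cdlb_secrets` a few lines later receives the directory itself, which is easy to misread; placeholders that spell this out (`<filename under secret root>` versus `<secret root directory>`) would help. The `--primordial-ssh` placeholder also reads as if the option took a name; `<port>` is clearer and matches the `--primordial-ssh <port>` form used in the option description earlier in the file.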
@@ -559,10 +568,13 @@ preview it or run it.
2. Preparation:
1. Ensure you are root.
2. Create the build directory `mkdir /opt/cdlb` and the tmpfs secrets directory `mkdir /dev/shm/cdlb_secrets`.
2. Create the build directory `install -d -m 0755 -o root -g root /opt/cdlb` and the tmpfs secrets directory
`install -d -m 0700 -o root -g root /dev/shm/cdlb_secrets`.
3. Place your desired SSH public key in the `authorized_keys` file, for example, in the `/dev/shm/cdlb_secrets` directory.
4. Place your desired Password in the `password.txt` file, for example, in the `/dev/shm/cdlb_secrets` directory.
5. Copy and edit the sample and set your options (no spaces around commas in lists):
5. Keep files below `/dev/shm/cdlb_secrets` as regular, non-symlink files owned by `root:root`; the builder normalizes them
to `0400` before use.
6. Copy and edit the sample and set your options (no spaces around commas in lists):
````bash
cp config.mk.sample config.mk
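Review bot: these preparation steps duplicate steps 1 to 5 of the direct-invocation section above word for word, and this commit has to change both copies in lockstep. Unless the two flows really diverge, point the `config.mk` section at the earlier steps and keep only the `config.mk`-specific step 6 here, so the next change to the secret-root rules does not leave one copy stale. The same remarks as for the earlier copy apply: verify that `/dev/shm` is tmpfs, state that `authorized_keys` and `password.txt` are bare filenames under the secret root, and recommend `umask 077` when creating them.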
@@ -577,9 +589,9 @@ preview it or run it.
SSH_PUBKEY=/dev/shm/cdlb_secrets
# Optional
PRIMORDIAL_URL=https://git.coresecret.dev/ahz/PhysNet.primordial.git
PRIMORDIAL_KEY=id--git.coresecret.dev--PhysNet.primordial_deploy--ed25519--newton--2025-10
PRIMORDIAL_SSH_PORT=42842
PRIMORDIAL_KEY=SSH-key-filename-for-Primordial-overlay-clone
PRIMORDIAL_SSH_PORT=SSH-port-for-Primordial-overlay-clone
PRIMORDIAL_URL=URL-to-Primordial-overlay-clone
PROVIDER_NETCUP_IPV6=2001:cdb::1
# comma-separated; IPv6 in [] is fine
JUMP_HOSTS=[2001:db8::1],[2001:db8::2]
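Review bot: `PRIMORDIAL_SSH_PORT=SSH-port-for-Primordial-overlay-clone` and its two sibling placeholders are syntactically valid make assignments, so a user who copies `config.mk.sample` and forgets to edit them passes a non-numeric port and a non-URL through to the builder instead of getting an early, obvious failure; since the block is marked `# Optional`, commenting the three lines out in the sample or leaving them empty is safer. Separately, `PROVIDER_NETCUP_IPV6=2001:cdb::1` is not in the IPv6 documentation prefix while `JUMP_HOSTS` correctly uses `2001:db8::`; use `2001:db8::` for the example provider address too so nobody routes to a real network by copying the sample.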