diff --git a/docs/MAN_CISS_ISO_BOOT_CHAIN.md b/docs/MAN_CISS_ISO_BOOT_CHAIN.md index 6566fee..f55bb44 100644 --- a/docs/MAN_CISS_ISO_BOOT_CHAIN.md +++ b/docs/MAN_CISS_ISO_BOOT_CHAIN.md 
@@ -26,19 +26,19 @@ include_toc: true * **Storage-level AEAD (functional):** `dm-crypt` (AES-XTS-512) and `dm-integrity` (HMAC-SHA-512, 4 KiB). * **Remotely unlock:** Hardened Dropbear (modern primitives only), no passwords, no agent/forwarding. -# 4. Primitives & Parameters (concise) +# 4. Primitives & Parameters -| Component | Primitive / Parameter | Purpose | -|--------------|-----------------------------------------------------------|-------------------------------------------------------| -| LUKS2 | `aes-xts-plain64`, `--key-size 512`, `--sector-size 4096` | Confidentiality (2×256-bit XTS) | -| dm-integrity | `hmac-sha512` (keyed), journal | Adversary-resistant per-sector integrity/authenticity | -| PBKDF | `argon2id`, `--iter-time 1000` ms | Key derivation, hardware-agnostic | -| Signatures | Ed25519, RSA-4096 (FPR pinned) | Public verifiability, non-repudiation | -| Verification | `gpgv --no-default-keyring` | No agent dependency in initramfs | -| Hash lists | `sha512sum` format | Deterministic content verification | -| Dropbear | Modern KEX/AEAD (per `localoptions.h`) | Minimal attack surface, remote unlock | +| Component | Primitive / Parameter | Purpose | +|--------------|-----------------------------------------------------------|--------------------------------------------------------| +| LUKS2 | `aes-xts-plain64`, `--key-size 512`, `--sector-size 4096` | Confidentiality (2×256-bit XTS) | +| dm-integrity | `hmac-sha512` (keyed), journal | Adversary-resistant per-sector integrity, authenticity | +| PBKDF | `argon2id`, `--iter-time 1000` ms | Key derivation, hardware-agnostic | +| Signatures | Ed25519, RSA-4096 (FPR pinned) | Public verifiability, non-repudiation | +| Verification | `gpgv --no-default-keyring` | No agent dependency in initramfs | +| Hash lists | `sha512sum` format | Deterministic content verification | +| Dropbear | Modern KEX/AEAD (per `localoptions.h`) | Minimal attack surface, remote unlock | -# 5. Live ISO End-to-End Boot Flow +# 5. 
Diagram: CISS Live ISO Boot Flow, complete ```mermaid flowchart TD subgraph Trusted HW Manufacturer @@ -109,7 +109,7 @@ flowchart TD 0142 -- FAIL --> X; ``` -# 6. LUKS/dm-integrity Layering +# 6. Diagram: CISS Live ISO LUKS and dm-integrity layering, complete ```mermaid --- config: @@ -127,7 +127,7 @@ flowchart TD **Note:** Encrypt-then-MAC at the block layer (functionally AEAD-equivalent). Any manipulation ⇒ hard I/O error. -# 7. Build-Time Core Step (LUKS) +# 7. CISS Live ISO LUKS Build-Time Core Steps, complete ```sh cryptsetup luksFormat \ --batch-mode \ @@ -190,7 +190,7 @@ dmsetup table --showkeys CHILD # expect integrity hmac sha512 4096 * **Abort** on: missing `VALIDSIG`, FPR mismatch, missing key/signature, or a deviating `dmsetup` topology. -# 11. Dropbear (Hardened Remotely Unlock) +# 11. CISS Dropbear (Hardened Remotely Unlock) ```text • Public-key auth only, no passwords @@ -221,8 +221,7 @@ dmsetup table --showkeys CHILD # expect integrity hmac sha512 4096 * Root FS (for 0042): `/etc/ciss/keys/.gpg` * **Mounts (typical):** `/run/live/rootfs`, `/run/live/overlay` -# 13. Diagram: Build, Boot and Run Time Trust Chain & Verification Paths - +# 13. Diagram: CISS Live ISO Build, Boot and Run Time Trust Chain & Verification Paths ```mermaid flowchart TD
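Review bot: In the `@@ -26,19 +26,19 @@` hunk, renaming `# 5. Live ISO End-to-End Boot Flow` to `# 5. Diagram: CISS Live ISO Boot Flow, complete` changes the heading slug, and with `include_toc: true` any existing links to the old section anchor will silently break; grep the docs for references to the old slug and update them in this patch, or keep the title and put the "complete diagram" wording in a caption under the heading. The same hunk also rewrites the dm-integrity row's purpose from "integrity/authenticity" to "integrity, authenticity", which now reads as two unrelated list items; "integrity and authenticity" says what the keyed HMAC actually provides. The ", complete" suffix added to sections 5, 6, 7 and 13 carries no information in a title; if it marks the diagram as the full rather than abridged flow, state that once in prose instead.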
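Review bot: In the `@@ -109,7 +109,7 @@` hunk the new heading `# 6. Diagram: CISS Live ISO LUKS and dm-integrity layering, complete` uses lower-case "layering" while the other headings this patch introduces use title case ("Boot Flow", "Build-Time Core Steps", "Trust Chain & Verification Paths"); suggest `# 6. Diagram: CISS Live ISO LUKS and dm-integrity Layering` so the TOC stays uniform.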
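Review bot: In the `@@ -127,7 +127,7 @@` hunk the title is pluralised to `# 7. CISS Live ISO LUKS Build-Time Core Steps, complete`, but only the heading line changes and the visible body still opens with the single `cryptsetup luksFormat --batch-mode ...` command; either the body should gain the additional steps the title now promises (for example the dm-integrity format that section 10's `dmsetup table` check expects to see as `integrity hmac sha512 4096`), or the singular "Step" should be kept.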
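Review bot: In the `@@ -190,7 +190,7 @@` hunk the renamed heading `# 11. CISS Dropbear (Hardened Remotely Unlock)` carries over the grammatical error from the old title; since the line is touched anyway, make it `# 11. CISS Dropbear (Hardened Remote Unlock)`, and the matching bullet `* **Remotely unlock:**` shown in the context of the first hunk should become `* **Remote unlock:**` in the same patch.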
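Review bot: In the `@@ -221,8 +221,7 @@` hunk the blank line between the section 13 heading and the ```mermaid fence is dropped (the hunk shrinks from 8 to 7 lines), which is unrelated to the title rename and leaves this as the one section whose heading is immediately followed by a fence; restore the blank line so the hunk is a pure rename and the heading/fence spacing stays consistent with the rest of the file.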