V8.13.440.2025.11.19

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

docs/MAN_CISS_ISO_BOOT_CHAIN.md

@@ -26,19 +26,19 @@ include_toc: true
 * **Storage-level AEAD (functional):** `dm-crypt` (AES-XTS-512) and `dm-integrity` (HMAC-SHA-512, 4 KiB).
 * **Remotely unlock:** Hardened Dropbear (modern primitives only), no passwords, no agent/forwarding.
 
-# 4. Primitives & Parameters (concise)
+# 4. Primitives & Parameters
 
 | Component    | Primitive / Parameter                                     | Purpose                                                |
-|--------------|-----------------------------------------------------------|-------------------------------------------------------|
+|--------------|-----------------------------------------------------------|--------------------------------------------------------|
 | LUKS2        | `aes-xts-plain64`, `--key-size 512`, `--sector-size 4096` | Confidentiality (2×256-bit XTS)                        |
-| dm-integrity | `hmac-sha512` (keyed), journal                            | Adversary-resistant per-sector integrity/authenticity |
+| dm-integrity | `hmac-sha512` (keyed), journal                            | Adversary-resistant per-sector integrity, authenticity |
 | PBKDF        | `argon2id`, `--iter-time 1000` ms                         | Key derivation, hardware-agnostic                      |
 | Signatures   | Ed25519, RSA-4096 (FPR pinned)                            | Public verifiability, non-repudiation                  |
 | Verification | `gpgv --no-default-keyring`                               | No agent dependency in initramfs                       |
 | Hash lists   | `sha512sum` format                                        | Deterministic content verification                     |
 | Dropbear     | Modern KEX/AEAD (per `localoptions.h`)                    | Minimal attack surface, remote unlock                  |
 
-# 5. Live ISO End-to-End Boot Flow
+# 5. Diagram: CISS Live ISO Boot Flow, complete
 ```mermaid
 flowchart TD
   subgraph Trusted HW Manufacturer
@@ -109,7 +109,7 @@ flowchart TD
 0142 -- FAIL --> X;
 ```
 
-# 6. LUKS/dm-integrity Layering
+# 6. Diagram: CISS Live ISO LUKS and dm-integrity layering, complete
 ```mermaid
 ---
 config:
@@ -127,7 +127,7 @@ flowchart TD
 
 **Note:** Encrypt-then-MAC at the block layer (functionally AEAD-equivalent). Any manipulation ⇒ hard I/O error.
 
-# 7. Build-Time Core Step (LUKS)
+# 7. CISS Live ISO LUKS Build-Time Core Steps, complete
 ```sh
 cryptsetup luksFormat \
   --batch-mode \
@@ -190,7 +190,7 @@ dmsetup table --showkeys CHILD  # expect integrity hmac sha512 4096
 
 * **Abort** on: missing `VALIDSIG`, FPR mismatch, missing key/signature, or a deviating `dmsetup` topology.
 
-# 11. Dropbear (Hardened Remotely Unlock)
+# 11. CISS Dropbear (Hardened Remotely Unlock)
 
 ```text
 • Public-key auth only, no passwords
@@ -221,8 +221,7 @@ dmsetup table --showkeys CHILD  # expect integrity hmac sha512 4096
   * Root FS (for 0042): `/etc/ciss/keys/<FPR>.gpg`
 * **Mounts (typical):** `/run/live/rootfs`, `/run/live/overlay`
 
-# 13. Diagram: Build, Boot and Run Time Trust Chain & Verification Paths
+# 13. Diagram: CISS Live ISO Build, Boot and Run Time Trust Chain & Verification Paths
-
 ```mermaid
 flowchart TD