msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.408.2025.11.13
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m22s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-11-13 07:03:39 +01:00
parent 72e006479c
commit 9bc91b5e04
1 changed files with 6 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
docs/MAN_CISS_ISO_BOOT_CHAIN.md
View File

@@ -53,13 +53,11 @@ participant LUKS as LUKS2 + dm-integrity
participant RS as RootFS (SquashFS/Overlay) participant RS as RootFS (SquashFS/Overlay)
participant C42 as CISS 0042 (late attestation) participant C42 as CISS 0042 (late attestation)
FW->>GRUB: Load kernel + initramfs FW->>GRUB: Load kernel + initramfs
GRUB->>K: Boot kernel GRUB->>K: Boot kernel
K->>I: Pivot to initramfs (live-boot phases) K->>I: Pivot to initramfs (live-boot phases)
I->>D: (optional) Start Dropbear (remote unlock) I->>D: (optional) Start Dropbear (remote unlock)
I->>C30: Run 0030: Verify ISO edge (gpgv, FPR pin) I->>C30: Run 0030: Verify ISO edge (gpgv, FPR pin)
alt 0030 OK alt 0030 OK
C30-->>I: Verified C30-->>I: Verified
@@ -67,11 +65,9 @@ else 0030 FAIL
C30-x I: Abort boot C30-x I: Abort boot
end end
I->>C24: Run 0024: LUKS open (dm-crypt + integrity), mount SquashFS I->>C24: Run 0024: LUKS open (dm-crypt + integrity), mount SquashFS
C24->>LUKS: Unlock (Argon2id PBKDF → XTS + HMAC) C24->>LUKS: Unlock (Argon2id PBKDF → XTS + HMAC)
I->>RS: Assemble overlay, switch_root I->>RS: Assemble overlay, switch_root
I->>C42: Run 0042: Verify root FS (gpgv, FPR pin) + dmsetup health I->>C42: Run 0042: Verify root FS (gpgv, FPR pin) + dmsetup health
alt 0042 OK alt 0042 OK
@@ -84,8 +80,8 @@ end
# 6. LUKS/dm-integrity Layering # 6. LUKS/dm-integrity Layering
```mermaid ```mermaid
graph TD graph TD
A[Plain device (rootfs.crypt)] --> B[dm-integrity\nHMAC-SHA-512, 4 KiB] A[Plain device (rootfs.crypt)] --> B[dm-integrity (HMAC-SHA-512, 4 KiB)]
B --> C[dm-crypt\nAES-XTS-512] B --> C[dm-crypt (AES-XTS-512)]
C --> D[Mapped device /dev/mapper/crypt_liveiso] C --> D[Mapped device /dev/mapper/crypt_liveiso]
D --> E[SquashFS mount /run/live/rootfs] D --> E[SquashFS mount /run/live/rootfs]
``` ```
@@ -190,12 +186,12 @@ dmsetup table --showkeys CHILD # expect integrity hmac sha512 4096
```mermaid ```mermaid
graph TD graph TD
A[Build time\npin EXP_FPR + embed ISO key] --> B[ISO artifacts\nsha512sum.txt + .sig] A[Build time: pin EXP_FPR + embed ISO key] --> B[ISO artifacts: sha512sum.txt + .sig]
B --> C[Boot early (0030)\ngpgv verify + FPR pin] B --> C[Boot early (0030): gpgv verify + FPR pin]
C -->|OK| D[LUKS open (0025)] C -->|OK| D[LUKS open (0025)]
D --> E[Mount RootFS] D --> E[Mount RootFS]
E --> F[Boot late (0045)\ngpgv verify + FPR pin (root key)] E --> F[Boot late (0045): gpgv verify + FPR pin (root key)]
F --> G[dmsetup health\ncrypt(XTS) over integrity(HMAC-SHA-512)] F --> G[dmsetup health: crypt(XTS) over integrity(HMAC-SHA-512)]
C -- FAIL --> X[Abort] C -- FAIL --> X[Abort]
F -- FAIL --> X F -- FAIL --> X
G -- FAIL --> X G -- FAIL --> X