From 9bc91b5e0405783e53886eb8b4dc34692131b07d4dc01d34c04d788fe7036b84 Mon Sep 17 00:00:00 2001
From: "Marc S. Weidner" <msw@coresecret.dev>
Date: Thu, 13 Nov 2025 07:03:39 +0100
Subject: [PATCH] V8.13.408.2025.11.13

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
---
 docs/MAN_CISS_ISO_BOOT_CHAIN.md | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/docs/MAN_CISS_ISO_BOOT_CHAIN.md b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
index 573cb4d..38c8647 100644
--- a/docs/MAN_CISS_ISO_BOOT_CHAIN.md
+++ b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
@@ -53,13 +53,11 @@ participant LUKS as LUKS2 + dm-integrity
 participant RS as RootFS (SquashFS/Overlay)
 participant C42 as CISS 0042 (late attestation)
 
-
 FW->>GRUB: Load kernel + initramfs
 GRUB->>K: Boot kernel
 K->>I: Pivot to initramfs (live-boot phases)
 I->>D: (optional) Start Dropbear (remote unlock)
 
-
 I->>C30: Run 0030: Verify ISO edge (gpgv, FPR pin)
 alt 0030 OK
 C30-->>I: Verified
@@ -67,11 +65,9 @@ else 0030 FAIL
 C30-x I: Abort boot
 end
 
-
 I->>C24: Run 0024: LUKS open (dm-crypt + integrity), mount SquashFS
 C24->>LUKS: Unlock (Argon2id PBKDF → XTS + HMAC)
 
-
 I->>RS: Assemble overlay, switch_root
 I->>C42: Run 0042: Verify root FS (gpgv, FPR pin) + dmsetup health
 alt 0042 OK
@@ -84,8 +80,8 @@ end
 # 6. LUKS/dm-integrity Layering
 ```mermaid
 graph TD
-A[Plain device (rootfs.crypt)] --> B[dm-integrity\nHMAC-SHA-512, 4 KiB]
-B --> C[dm-crypt\nAES-XTS-512]
+A[Plain device (rootfs.crypt)] --> B[dm-integrity (HMAC-SHA-512, 4 KiB)]
+B --> C[dm-crypt (AES-XTS-512)]
 C --> D[Mapped device /dev/mapper/crypt_liveiso]
 D --> E[SquashFS mount /run/live/rootfs]
 ```
@@ -190,12 +186,12 @@ dmsetup table --showkeys CHILD  # expect integrity hmac sha512 4096
 
 ```mermaid
 graph TD
-A[Build time\npin EXP_FPR + embed ISO key] --> B[ISO artifacts\nsha512sum.txt + .sig]
-B --> C[Boot early (0030)\ngpgv verify + FPR pin]
+A[Build time: pin EXP_FPR + embed ISO key] --> B[ISO artifacts: sha512sum.txt + .sig]
+B --> C[Boot early (0030): gpgv verify + FPR pin]
 C -->|OK| D[LUKS open (0025)]
 D --> E[Mount RootFS]
-E --> F[Boot late (0045)\ngpgv verify + FPR pin (root key)]
-F --> G[dmsetup health\ncrypt(XTS) over integrity(HMAC-SHA-512)]
+E --> F[Boot late (0045): gpgv verify + FPR pin (root key)]
+F --> G[dmsetup health: crypt(XTS) over integrity(HMAC-SHA-512)]
 C -- FAIL --> X[Abort]
 F -- FAIL --> X
 G -- FAIL --> X