V9.14.018.2026.06.07

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/includes.chroot/usr/lib/live/boot/9990-overlay.sh

@@ -14,9 +14,16 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
 
-### Modified Version of the original file:
-### https://salsa.debian.org/live-team/live-boot 'components/9990-overlay.sh'
-### Change the behavior so that the ciss_rootfs.crypt (0024-ciss-crypt-squash) is mounted when it is opened.
+# Modified Version of the original file:
+# https://salsa.debian.org/live-team/live-boot 'components/9990-overlay.sh'
+# Change the behavior so that the ciss_rootfs.crypt (0024-ciss-crypt-squash) is mounted when it is opened.
+
+# Module summary:
+# This live-boot overlay module prepares the root filesystem view during boot. It accepts the CISS decrypted root
+# device override from /run/ciss-rootdev, mounts the read-only root image set or plain-mapped root, applies dm-verity
+# options where available, prepares the writable overlay backing store from tmpfs, persistence, or NFS_COW, creates the
+# final union mounts, activates custom persistence mounts, normalizes key permissions, and invokes the CISS post-decrypt
+# attestation hook after the overlay is in place.
 
 #set -e
 
@@ -152,7 +159,7 @@ setup_unionfs ()
         rootfslist="${mpoint} ${rootfslist}"
         mount_options=""
 
-        # Setup dm-verity support if a device has it supported
+        # Set up dm-verity support if a device has it supported
         hash_device="${image}.verity"
         # shellcheck disable=SC2086
         if [ -f ${hash_device} ]
@@ -434,7 +441,7 @@ setup_unionfs ()
     fi || panic "mount ${UNIONTYPE} on ${unionmountpoint} failed with option ${unionmountopts}"
   done
 
-  # Remove persistence depending on boot parameter
+  # Remove persistence depending on the boot parameter
   Remove_persistence
 
   # Correct the permissions of /: