V9.14.018.2026.06.07

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-07 07:24:22 +01:00
parent 8b6731f1be
commit 9cdcc0a9ec
56 changed files with 204 additions and 97 deletions
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07

 name: 💙 Generating a PUBLIC Live ISO.

@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V9.14.016.2026.06.06"
+      placeholder: "e.g., Master V9.14.018.2026.06.07"
    validations:
      required: true

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07

 FROM debian:bookworm

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07

 name: 🔁 Render README.md to README.html.

@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V9.14.016.2026.06.06
+  version: V9.14.018.2026.06.07
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V9.14.016.2026.06.06
+  version: V9.14.018.2026.06.07
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@

 build:
  counter: 1023
-  version: V9.14.016.2026.06.06
+  version: V9.14.018.2026.06.07
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07

 name: 🔐 Generating a Private Live ISO TRIXIE.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07

 name: 💙 Generating a PUBLIC Live ISO.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07

 # Gitea Workflow: Shell-Script Linting
 #
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07

 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.

@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07

 name: 🔁 Render Graphviz Diagrams.

@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V9.14.016.2026.06.06"
+properties_version="V9.14.018.2026.06.07"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V9.14.016.2026.06.06
+PackageVersion: Master V9.14.018.2026.06.07
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.016.2026.06.06-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.018.2026.06.07-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -27,7 +27,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>

 **CISS.debian.live.builder — First of its own.**<br>
 **World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.**
@@ -175,7 +175,7 @@ installer toolchain.

 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.

-Example: `V9.14.016.2026.06.06`
+Example: `V9.14.018.2026.06.07`

 `x.y.z` represents major (x), minor (y), and patch (z) version increments.

@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>

 # 2. Repository Structure

 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **9.14**, Build **V9.14.016.2026.06.06** (as of 2025-10-11)
+**Repository State:** Master Version **9.14**, Build **V9.14.018.2026.06.07** (as of 2025-10-11)

 ## 3.1. Top-Level Layout

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>

 # 2. CISS Secure Boot Private Material

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>

 # 2. CISS Secure Boot Public Material

@@ -95,7 +95,7 @@ write_dropbear_conf() {
  [[ -z "${sshport:-}" ]] && sshport="2222"

  ### CISS internal
-  [[ "${sshport}" == "42137" ]] && sshport="44137"
+  [[ "${sshport}" == "42137" ]] && sshport="64137"

  cat << EOF >| /etc/dropbear/initramfs/dropbear.conf
 # SPDX-Version: 3.0
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07

 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07

 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -11,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Version Master V9.14.016.2026.06.06
+# Version Master V9.14.018.2026.06.07

 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-declare -gr VERSION="Master V9.14.016.2026.06.06"
+declare -gr VERSION="Master V9.14.018.2026.06.07"

 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh

 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V9.14.016.2026.06.06 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V9.14.018.2026.06.07 at: 10:18:37.9542
@@ -14,8 +14,10 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Purpose: Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
-# Phase  : premount (executed by live-boot inside the initramfs).
+# Module summary:
+# - Reserve a dedicated /run/live/overlay tmpfs with a configurable size limit.
+# - Mount it with restrictive flags and permissions before OverlayFS uses it.
+# - Prepare the upper and work directories required by the later live-boot overlay setup.

 _SAVED_SET_OPTS="$(set +o)"

@@ -14,8 +14,12 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Purpose: Open /live/ciss_rootfs.crypt (LUKS) for final processing in '9990-overlay.sh'
-# Phase  : premount (executed by live-boot inside the initramfs)
+# Module summary:
+# - Read CISS boot parameters for the encrypted root path and live ISO label.
+# - Mount the live medium read-only and locate the encrypted SquashFS container.
+# - Attach the encrypted container through a read-only loop device.
+# - Accept a LUKS passphrase from the local console or remotely unlock FIFO.
+# - Open the decrypted root mapper and expose the handoff state for later live-boot overlay processing.

 _SAVED_SET_OPTS="$(set +o)"

@@ -14,8 +14,11 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Purpose: Enforce early sysctls before services start.
-# Phase  : premount (executed by live-boot inside the initramfs).
+# Module summary:
+# - Runs during live-boot premount while the system is still inside the initramfs.
+# - Applies early kernel hardening before the real root and regular services are active.
+# - Restricts ptrace, unprivileged BPF, core dumps, kexec, unsafe link handling, regular-file protections, and kernel pointer
+#   exposure where supported.

 _SAVED_SET_OPTS="$(set +o)"

@@ -14,6 +14,14 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

+# Module summary:
+# This live-boot component implements the verify-checksums mode for the mounted live medium.
+# It reads the live-boot command line to decide whether checksum verification is enabled and which digests to accept.
+# It locates the pinned CISS GPG key material on the live medium, optionally verifies this script's signed hash,
+# optionally verifies signed checksum files, and checks the first matching checksum manifest with the matching digest tool. It
+# writes detailed checksum output to the verification TTY. It panics instead of continuing boot when integrity or
+# authenticity verification fails.
+
 ### Modified Version of the original file:
 ### https://salsa.debian.org/live-team/live-boot 'components/0030-ciss-verify-checksums'
 ### If the offered checksum is successfully verified, proceed with booting. Otherwise, panic.
@@ -14,8 +14,13 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-# Purpose: Late rootfs attestation and dmsetup health checking.
-# Phase  : executed by live-boot inside the 9990-main.sh.
+# Module summary:
+# - Runs after the encrypted live root filesystem has been decrypted.
+# - Requires the pinned public key, attestation hash file, and detached signature to exist as readable, non-empty regular files
+#   inside the decrypted rootfs.
+# - Verifies the attestation signature with gpgv against the pinned key material.
+# - Confirms that the signature fingerprint matches the build-time expected rootfs fingerprint and panics on missing, malformed,
+#   or mismatched evidence.

 _SAVED_SET_OPTS="$(set +o)"

@@ -30,7 +35,7 @@ export CDLB_EXP_FPR="@EXP_FPR@"
 export CDLB_EXP_CA_FPR="@EXP_CA_FPR@"

 ### Name of the top-level dm-crypt mapping (e.g., cryptsetup --label): zzzz_ciss_crypt_squash.hook.binary ----------------------
-CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-crypt_liveiso}"
+export CDLB_MAPPER_NAME="${CDLB_MAPPER_NAME:-crypt_liveiso}"

 ### Attestation file locations inside decrypted rootfs. ------------------------------------------------------------------------
 CDLB_ATTEST_FPR_SHA="${CDLB_ATTEST_FPR_SHA:-/root/root/.ciss/attestation/${CDLB_EXP_FPR}.gpg.sha512sum.txt}"
@@ -66,33 +71,83 @@ log_ok() { printf '\e[92m[INFO] %s \n\e[0m' "$*"; }
 #######################################
 log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }

+#######################################
+# Validate a boot-time attestation input file.
+# Globals:
+#   None
+# Arguments:
+#   1: Human-readable artifact label
+#   2: Absolute artifact path
+# Returns:
+#   0: on success
+#######################################
+require_attestation_file() {
+  artifact_label="${1}"
+  artifact_path="${2}"
+
+  if [ ! -e "${artifact_path}" ]; then
+
+    if [ -L "${artifact_path}" ]; then
+
+      log_er "0042()              : ${artifact_label} is a broken symlink, not a regular file: [${artifact_path}]"
+      panic  "0042()              : ${artifact_label} is a broken symlink, not a regular file: [${artifact_path}]"
+
+    fi
+
+    log_er "0042()              : ${artifact_label} missing: [${artifact_path}]"
+    panic  "0042()              : ${artifact_label} missing: [${artifact_path}]"
+
+  fi
+
+  if [ -L "${artifact_path}" ] || [ ! -f "${artifact_path}" ]; then
+
+    log_er "0042()              : ${artifact_label} is not a regular file: [${artifact_path}]"
+    panic  "0042()              : ${artifact_label} is not a regular file: [${artifact_path}]"
+
+  fi
+
+  if [ ! -s "${artifact_path}" ]; then
+
+    log_er "0042()              : ${artifact_label} is empty: [${artifact_path}]"
+    panic  "0042()              : ${artifact_label} is empty: [${artifact_path}]"
+
+  fi
+
+  if [ ! -r "${artifact_path}" ]; then
+
+    log_er "0042()              : ${artifact_label} is not readable: [${artifact_path}]"
+    panic  "0042()              : ${artifact_label} is not readable: [${artifact_path}]"
+
+  fi
+
+  return 0
+}
+
 HASH_FILE="${CDLB_ATTEST_FPR_SHA}"
 SIGN_FILE="${CDLB_ATTEST_FPR_SIG}"
 KEYFILE="${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg"

-if [ -s "${KEYFILE}" ]; then
-
-  log_er "0042()              : No public key found under: [${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"
-  panic  "0042()              : No public key found under: [${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg]"
-
-fi
-
-if [ -s "${HASH_FILE}" ]; then
-
-  log_er "0042()              : Attestation data missing: [${HASH_FILE}]"
-  panic  "0042()              : Attestation data missing: [${HASH_FILE}]"
-
-fi
-
-if [ -s "${SIGN_FILE}" ]; then
-
-  log_er "0042()              : Attestation signature missing: [${SIGN_FILE}]"
-  panic  "0042()              : Attestation signature missing: [${SIGN_FILE}]"
-
-fi
+require_attestation_file "Public key"            "${KEYFILE}"
+require_attestation_file "Attestation data"      "${HASH_FILE}"
+require_attestation_file "Attestation signature" "${SIGN_FILE}"

 log_in "0042()               : Verifying rootfs attestation with 'gpgv' and inside LUKS encrypted rootfs pinned GPG FPR."
-_STATUS="$(/usr/bin/gpgv --keyring "${KEYFILE}" --status-fd 1 "${SIGN_FILE}" "${HASH_FILE}")"
+
+if ! _STATUS="$(/usr/bin/gpgv --keyring "${KEYFILE}" --status-fd 1 "${SIGN_FILE}" "${HASH_FILE}" 2>&1)"; then
+
+  log_er "0042()              : gpgv verification failed for signature: [${SIGN_FILE}]"
+
+  if [ -n "${_STATUS}" ]; then
+
+    printf '%s\n' "${_STATUS}" >&2
+
+  fi
+
+  sleep 8
+  panic  "0042()              : gpgv verification failed for signature: [${SIGN_FILE}]"
+
+fi
+
 _CDLB_SIG_FILE_FPR="$(printf '%s\n' "${_STATUS}" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')"

 ### Compare against pinned and expected fingerprint. ---------------------------------------------------------------------------
@@ -14,9 +14,18 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Modified Version of the original file:
-### https://salsa.debian.org/live-team/live-boot 'components/9990-main.sh'
-### Change the behavior so that the ciss_rootfs.crypt (0024-ciss-crypt-squash) is mounted when it is opened.
+# Modified Version of the original file:
+# https://salsa.debian.org/live-team/live-boot 'components/9990-main.sh'
+# Change the behavior so that the ciss_rootfs.crypt (0024-ciss-crypt-squash) is mounted when it is opened.
+
+# Module summary:
+# - Run early cryptroot handling before live filesystem discovery.
+# - Parse live-boot parameters, apply debug/read-only/network setup, and load initramfs configuration.
+# - Locate or reuse the live filesystem from network, iSCSI, plain root, memdisk, LVM-backed media, or the
+#   CISS encrypted SquashFS preseed.
+# - Verify checksums, optionally copy live media to RAM or disk, and mount the final live root via unionfs or image stacking.
+# - Transfer selected runtime configuration into the target root, validate the mounted root, configure fstab/netbase/swap, and
+#   preserve boot logs.

 # set -e

@@ -14,9 +14,16 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Modified Version of the original file:
-### https://salsa.debian.org/live-team/live-boot 'components/9990-networking.sh'
-### Change the behavior so that the systemd-networkd stack '/etc/resolv.conf' is not overwritten.
+# Modified Version of the original file:
+# https://salsa.debian.org/live-team/live-boot 'components/9990-networking.sh'
+# Change the behavior so that the systemd-networkd stack '/etc/resolv.conf' is not overwritten.
+
+# Module summary:
+# - Resolve the boot interface from Syslinux/PXELINUX BOOTIF metadata when available.
+# - Bring up live-boot networking for local, netboot, fetch, HTTPFS, and FTPFS paths.
+# - Probe configured or discovered interfaces with ipconfig and export the selected device.
+# - Populate hostname, hosts, DNS, and HWADDR data only where needed by later boot stages.
+# - Preserve an existing /etc/resolv.conf so systemd-networkd ownership is not overwritten.

 # set -e

@@ -14,9 +14,16 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-### Modified Version of the original file:
-### https://salsa.debian.org/live-team/live-boot 'components/9990-overlay.sh'
-### Change the behavior so that the ciss_rootfs.crypt (0024-ciss-crypt-squash) is mounted when it is opened.
+# Modified Version of the original file:
+# https://salsa.debian.org/live-team/live-boot 'components/9990-overlay.sh'
+# Change the behavior so that the ciss_rootfs.crypt (0024-ciss-crypt-squash) is mounted when it is opened.
+
+# Module summary:
+# This live-boot overlay module prepares the root filesystem view during boot. It accepts the CISS decrypted root
+# device override from /run/ciss-rootdev, mounts the read-only root image set or plain-mapped root, applies dm-verity
+# options where available, prepares the writable overlay backing store from tmpfs, persistence, or NFS_COW, creates the
+# final union mounts, activates custom persistence mounts, normalizes key permissions, and invokes the CISS post-decrypt
+# attestation hook after the overlay is in place.

 #set -e

@@ -152,7 +159,7 @@ setup_unionfs ()
        rootfslist="${mpoint} ${rootfslist}"
        mount_options=""

-        # Setup dm-verity support if a device has it supported
+        # Set up dm-verity support if a device has it supported
        hash_device="${image}.verity"
        # shellcheck disable=SC2086
        if [ -f ${hash_device} ]
@@ -434,7 +441,7 @@ setup_unionfs ()
    fi || panic "mount ${UNIONTYPE} on ${unionmountpoint} failed with option ${unionmountopts}"
  done

-  # Remove persistence depending on boot parameter
+  # Remove persistence depending on the boot parameter
  Remove_persistence

  # Correct the permissions of /:
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>

 # 2. DNSSEC Status

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>

 # 2. Haveged Audit on Netcup RS 2000 G11

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>

 # 2. Lynis Audit:

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>

 # 2. SSH Audit by ssh-audit.com

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>

 # 2. TLS Audit:
 ````text
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>

 # 2. Hardened Kernel Boot Parameters

@@ -8,10 +8,22 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>

 # 2. Changelog

+## V9.14.018.2026.06.07
+* **Added**: [0022-ciss-overlay-tmpfs](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs) Module summary
+* **Added**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash) Module summary
+* **Added**: [0026-ciss-early-sysctl](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl) Module summary
+* **Added**: [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums) Module summary
+* **Added**: [0042_ciss_post_decrypt_attest](../config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest) Module summary
+* **Added**: [9990-main.sh](../config/includes.chroot/usr/lib/live/boot/9990-main.sh) Module summary
+* **Added**: [9990-networking.sh](../config/includes.chroot/usr/lib/live/boot/9990-networking.sh) Module summary
+* **Added**: [9990-overlay.sh](../config/includes.chroot/usr/lib/live/boot/9990-overlay.sh) Module summary
+* **Changed**: [9999_cdi_starter.sh](../scripts/usr/local/sbin/9999_cdi_starter.sh) Fixed: ``sysctl -p /etc/sysctl.d/90-ciss-local.hardened``
+* **Changed**: [0042_ciss_post_decrypt_attest](../config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest) Fixed: Signature checksum verification.
+
 ## V9.14.016.2026.06.06
 * **Changed**: [zzzz_ciss_uki_build.hook.binary](../config/hooks/live/zzzz_ciss_uki_build.hook.binary)
 * **Changed**: [zzzz_ciss_uki_install.hook.binary](../config/hooks/live/zzzz_ciss_uki_install.hook.binary)
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>

 # 2. Centurion Net - Developer Branch Overview

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>

 # 2. Contributing / participating

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>

 # 2. Credits

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>

 # 2. Download the latest PUBLIC CISS.debian.live.ISO

@@ -8,14 +8,14 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>

 # 2.1. Usage
 ````text
                        CDLB(1)                        CISS.debian.live.builder                        CDLB(1)

 CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V9.14.016.2026.06.06
+Master V9.14.018.2026.06.07
 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.

 (c) Marc S. Weidner, 2018 - 2026
@@ -168,7 +168,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 💷 Please consider donating to my work at:
 🌐 https://coresecret.eu/spenden/

-                        V9.14.016.2026.06.06                        2026-05-17                         CDLB(1)
+                        V9.14.018.2026.06.07                        2026-05-17                         CDLB(1)
 ````

 # 3. Booting
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>

 # 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation)

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>

 # 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>

 # 2. Resources

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>

 # 2. ``30-ciss-hardening.conf``

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>

 # 2. ``90-ciss-local.hardened``

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.016.2026.06.06<br>
+**Build**: V9.14.018.2026.06.07<br>

 # 2. ``ciss_live_builder.sh``

@@ -39,13 +39,13 @@ usage() {
  # shellcheck disable=SC2155
  declare var_header=$(center "CDLB(1)                        CISS.debian.live.builder                        CDLB(1)" "${var_cols}")
  # shellcheck disable=SC2155
-  declare var_footer=$(center "V9.14.016.2026.06.06                        2026-06-04                         CDLB(1)" "${var_cols}")
+  declare var_footer=$(center "V9.14.018.2026.06.07                        2026-06-04                         CDLB(1)" "${var_cols}")

  {
    echo -e "\e[1;97m${var_header}\e[0m"
    echo
    echo -e "\e[92mCISS.debian.live.builder from https://git.coresecret.dev/msw \e[0m"
-    echo -e "\e[92mMaster V9.14.016.2026.06.06\e[0m"
+    echo -e "\e[92mMaster V9.14.018.2026.06.07\e[0m"
    echo -e "\e[92mA lightweight Shell Wrapper for building a hardened Debian Live ISO Image.\e[0m"
    echo
    echo -e "\e[97m(c) Marc S. Weidner, 2018 - 2026 \e[0m"
@@ -100,7 +100,7 @@ readonly -f net_wait
 #   0: on success
 #######################################
 sysp() {
-  sysctl -p /etc/sysctl.d/99_local.hardened
+  sysctl -p /etc/sysctl.d/90-ciss-local.hardened

  # shellcheck disable=SC2312
  sysctl -a | grep -E '^(kernel|vm|net)\.' >| "/var/log/sysctl_check_$(date +'%Y-%m-%d_%H-%M-%S').log"
@@ -130,7 +130,7 @@ main() {
  touch "${var_log}"


-  printf "CISS.debian.installer Master V9.14.016.2026.06.06 is up! \n" >> "${var_log}"
+  printf "CISS.debian.installer Master V9.14.018.2026.06.07 is up! \n" >> "${var_log}"

  ### Sleep a moment to settle boot artifacts.
  sleep 8
@@ -209,7 +209,7 @@ main() {

  ### Timeout reached without acceptable semaphore.
  logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
-  printf "CISS.debian.installer Master V9.14.016.2026.06.06: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
+  printf "CISS.debian.installer Master V9.14.018.2026.06.07: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"

  exit 0
 }
@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
 declare -grx VAR_HOST="$(uname -n)"
 declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
-declare -grx VAR_VERSION="Master V9.14.016.2026.06.06"
+declare -grx VAR_VERSION="Master V9.14.018.2026.06.07"
 declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
  # Print $4 and $5; include $6 only if it exists
  out = $4