diff --git a/.archive/generate_PRIVATE_trixie_0.yaml b/.archive/generate_PRIVATE_trixie_0.yaml index db84c92..49e9983 100644 --- a/.archive/generate_PRIVATE_trixie_0.yaml +++ b/.archive/generate_PRIVATE_trixie_0.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.026.2026.06.17 +# Version Master V9.14.028.2026.06.18 name: 🔐 Generating a Private Live ISO TRIXIE. diff --git a/.archive/generate_PRIVATE_trixie_1.yaml b/.archive/generate_PRIVATE_trixie_1.yaml index 8e3612a..bd46c55 100644 --- a/.archive/generate_PRIVATE_trixie_1.yaml +++ b/.archive/generate_PRIVATE_trixie_1.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.026.2026.06.17 +# Version Master V9.14.028.2026.06.18 name: 🔐 Generating a Private Live ISO TRIXIE. diff --git a/.archive/generate_PUBLIC_iso.yaml b/.archive/generate_PUBLIC_iso.yaml index 555bbe3..7acde40 100644 --- a/.archive/generate_PUBLIC_iso.yaml +++ b/.archive/generate_PUBLIC_iso.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.026.2026.06.17 +# Version Master V9.14.028.2026.06.18 name: 💙 Generating a PUBLIC Live ISO. diff --git a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml index 40de13c..16f748f 100644 --- a/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml +++ b/.gitea/ISSUE_TEMPLATE/ISSUE_TEMPLATE.yaml @@ -25,7 +25,7 @@ body: attributes: label: "Version" description: "Which version are you running? Use `./ciss_live_builder.sh -v`." - placeholder: "e.g., Master V9.14.026.2026.06.17" + placeholder: "e.g., Master V9.14.028.2026.06.18" validations: required: true diff --git a/.gitea/TODO/dockerfile b/.gitea/TODO/dockerfile index f838475..c3bf6bb 100644 --- a/.gitea/TODO/dockerfile +++ b/.gitea/TODO/dockerfile @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.026.2026.06.17 +# Version Master V9.14.028.2026.06.18 FROM debian:bookworm diff --git a/.gitea/TODO/render-md-to-html.yaml b/.gitea/TODO/render-md-to-html.yaml index ec016d2..57c8eb0 100644 --- a/.gitea/TODO/render-md-to-html.yaml +++ b/.gitea/TODO/render-md-to-html.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.026.2026.06.17 +# Version Master V9.14.028.2026.06.18 name: 🔁 Render README.md to README.html. diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml index e47eb9e..fcbe7b6 100644 --- a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml +++ b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V9.14.026.2026.06.17 + version: V9.14.028.2026.06.18 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/trigger/t_generate_PUBLIC.yaml b/.gitea/trigger/t_generate_PUBLIC.yaml index c2a7357..7b2b5cf 100644 --- a/.gitea/trigger/t_generate_PUBLIC.yaml +++ b/.gitea/trigger/t_generate_PUBLIC.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V9.14.026.2026.06.17 + version: V9.14.028.2026.06.18 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/trigger/t_generate_dns.yaml b/.gitea/trigger/t_generate_dns.yaml index c2a7357..7b2b5cf 100644 --- a/.gitea/trigger/t_generate_dns.yaml +++ b/.gitea/trigger/t_generate_dns.yaml @@ -11,5 +11,5 @@ build: counter: 1023 - version: V9.14.026.2026.06.17 + version: V9.14.028.2026.06.18 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml index 493757e..65647f1 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.026.2026.06.17 +# Version Master V9.14.028.2026.06.18 name: 🔐 Generating a Private Live ISO TRIXIE. diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml index 77af289..d6c1e8e 100644 --- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml +++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.026.2026.06.17 +# Version Master V9.14.028.2026.06.18 name: 🔐 Generating a Private Live ISO TRIXIE. diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml index 1143bf2..03ab115 100644 --- a/.gitea/workflows/generate_PUBLIC_iso.yaml +++ b/.gitea/workflows/generate_PUBLIC_iso.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.026.2026.06.17 +# Version Master V9.14.028.2026.06.18 name: 💙 Generating a PUBLIC Live ISO. diff --git a/.gitea/workflows/linter_char_scripts.yaml b/.gitea/workflows/linter_char_scripts.yaml index be846ac..0d25607 100644 --- a/.gitea/workflows/linter_char_scripts.yaml +++ b/.gitea/workflows/linter_char_scripts.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.026.2026.06.17 +# Version Master V9.14.028.2026.06.18 # Gitea Workflow: Shell-Script Linting # diff --git a/.gitea/workflows/render-dnssec-status.yaml b/.gitea/workflows/render-dnssec-status.yaml index 6453391..f3d4045 100644 --- a/.gitea/workflows/render-dnssec-status.yaml +++ b/.gitea/workflows/render-dnssec-status.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.026.2026.06.17 +# Version Master V9.14.028.2026.06.18 name: 🛡️ Retrieve DNSSEC status of coresecret.dev. diff --git a/.gitea/workflows/render-dot-to-png.yaml b/.gitea/workflows/render-dot-to-png.yaml index fde0816..aa91de6 100644 --- a/.gitea/workflows/render-dot-to-png.yaml +++ b/.gitea/workflows/render-dot-to-png.yaml @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.026.2026.06.17 +# Version Master V9.14.028.2026.06.18 name: 🔁 Render Graphviz Diagrams. diff --git a/.version.properties b/.version.properties index 89576a3..f0c667d 100644 --- a/.version.properties +++ b/.version.properties @@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 " properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework." properties_SPDX-PackageName="CISS.debian.live.builder" properties_SPDX-Security-Contact="security@coresecret.eu" -properties_version="V9.14.026.2026.06.17" +properties_version="V9.14.028.2026.06.18" # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf diff --git a/CISS.debian.live.builder.spdx b/CISS.debian.live.builder.spdx index 740eb00..2ff08ec 100644 --- a/CISS.debian.live.builder.spdx +++ b/CISS.debian.live.builder.spdx @@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency) Created: 2025-05-07T12:00:00Z Package: CISS.debian.live.builder PackageName: CISS.debian.live.builder -PackageVersion: Master V9.14.026.2026.06.17 +PackageVersion: Master V9.14.028.2026.06.18 PackageSupplier: Organization: Centurion Intelligence Consulting Agency PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder diff --git a/README.md b/README.md index 8bca016..3ab5f52 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ gitea: none include_toc: true --- -[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.026.2026.06.17-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder) +[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.028.2026.06.18-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)   [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)   [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)   @@ -27,7 +27,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.17
+**Build**: V9.14.028.2026.06.18
**CISS.debian.live.builder — First of its own.**
**World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.** @@ -137,7 +137,7 @@ verification chain is documented separately in **[CISS ISO Boot Chain](docs/MAN_ In compact form, my expectations for the system are:
* Every bit that matters for boot and provisioning is covered by checksums that I control and that are signed with keys under my solely authoritative HSM. -* The live root runs out of a LUKS2 dm-integrity container, and the final SquashFS byte stream copied into the decrypted mapper is verified against a signed rootfs attestation manifest, so a tampered or bit-rotted SquashFS never becomes a trusted root. +* The live root runs out of a LUKS2 dm-integrity container, and the final SquashFS byte stream copied into the decrypted mapper is verified against a signed rootfs attestation manifest, so a tampered or bit-rotted SquashFS never becomes a trusted root. During boot, `0024-ciss-crypt-squash` copies `/live/filesystem.squashfs.sha512sum.txt[.sig]` from the real ISO medium to `/run/ciss-rootfs-attestation/`; `0042_ciss_post_decrypt_attest` then verifies that cached manifest/signature pair against `/etc/ciss/keys/.gpg` and the exact bytes read from `/dev/mapper/crypt_liveiso`. * Verification steps are not advisory. Any anomaly causes a hard abort during boot. * After the live environment has reached a stable, verified state, it can hand off to ``CISS.debian.installer``. The installer operates from the same image, does not pull random payloads from the internet, and keeps the target system behind a hardened firewall until the entire provisioning process has completed. * For unattended, headless scenarios I also support builds where the target system is installed without ever exposing a shell over the console. After installation and reboot, the machine waits for a decryption passphrase via an embedded Dropbear SSH instance in the initramfs, limited to public key authentication and guarded by strict cryptographic policies. In such variants even ``/boot`` can be encrypted, with GRUB taking care of unlocking the boot partition. @@ -181,7 +181,7 @@ installer toolchain. This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date. -Example: `V9.14.026.2026.06.17` +Example: `V9.14.028.2026.06.18` `x.y.z` represents major (x), minor (y), and patch (z) version increments. diff --git a/REPOSITORY.md b/REPOSITORY.md index 37835e5..7c0cb64 100644 --- a/REPOSITORY.md +++ b/REPOSITORY.md @@ -8,13 +8,13 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.17
+**Build**: V9.14.028.2026.06.18
# 2. Repository Structure **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder **Branch:** `master` -**Repository State:** Master Version **9.14**, Build **V9.14.026.2026.06.17** (as of 2025-10-11) +**Repository State:** Master Version **9.14**, Build **V9.14.028.2026.06.18** (as of 2025-10-11) ## 3.1. Top-Level Layout diff --git a/ciss.secureboot/private/README.md b/ciss.secureboot/private/README.md index 1398519..5df9313 100644 --- a/ciss.secureboot/private/README.md +++ b/ciss.secureboot/private/README.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.17
+**Build**: V9.14.028.2026.06.18
# 2. CISS Secure Boot Private Material diff --git a/ciss.secureboot/public/README.md b/ciss.secureboot/public/README.md index 77b5b5d..752de01 100644 --- a/ciss.secureboot/public/README.md +++ b/ciss.secureboot/public/README.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.17
+**Build**: V9.14.028.2026.06.18
# 2. CISS Secure Boot Public Material diff --git a/config/includes.chroot/etc/ssh/ssh_known_hosts b/config/includes.chroot/etc/ssh/ssh_known_hosts index baaac68..fb31799 100644 --- a/config/includes.chroot/etc/ssh/ssh_known_hosts +++ b/config/includes.chroot/etc/ssh/ssh_known_hosts @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.026.2026.06.17 +# Version Master V9.14.028.2026.06.18 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q== diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config index efc9427..f874556 100644 --- a/config/includes.chroot/etc/ssh/sshd_config +++ b/config/includes.chroot/etc/ssh/sshd_config @@ -9,7 +9,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.026.2026.06.17 +# Version Master V9.14.028.2026.06.18 ### https://www.ssh-audit.com/ ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig diff --git a/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened b/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened index 324c4f7..0088423 100644 --- a/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened +++ b/config/includes.chroot/etc/sysctl.d/90-ciss-local.hardened @@ -11,7 +11,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -# Version Master V9.14.026.2026.06.17 +# Version Master V9.14.028.2026.06.18 ### https://docs.kernel.org/ ### https://github.com/a13xp0p0v/kernel-hardening-checker/ diff --git a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh index b1b8a66..f677025 100644 --- a/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh +++ b/config/includes.chroot/preseed/.iso/preseed_hash_generator.sh @@ -10,7 +10,7 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu -declare -gr VERSION="Master V9.14.026.2026.06.17" +declare -gr VERSION="Master V9.14.028.2026.06.18" ### VERY EARLY CHECK FOR DEBUGGING if [[ $* == *" --debug "* ]]; then diff --git a/config/includes.chroot/preseed/preseed.cfg b/config/includes.chroot/preseed/preseed.cfg index b95d447..df0eea6 100644 --- a/config/includes.chroot/preseed/preseed.cfg +++ b/config/includes.chroot/preseed/preseed.cfg @@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh # Please consider donating to my work at: https://coresecret.eu/spenden/ ########################################################################################### -# Written by: ./preseed_hash_generator.sh Version: Master V9.14.026.2026.06.17 at: 10:18:37.9542 +# Written by: ./preseed_hash_generator.sh Version: Master V9.14.028.2026.06.18 at: 10:18:37.9542 diff --git a/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash b/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash index 3eb24d4..8617873 100644 --- a/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash +++ b/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash @@ -395,7 +395,25 @@ if [ ! -f "${CDLB_ROOTFS_ATTEST_SOURCE}" ] || [ ! -f "${CDLB_ROOTFS_ATTEST_SOURC fi -mkdir -p "${CDLB_ROOTFS_ATTEST_CACHE_DIR}" +if ! mkdir -p "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"; then + + printf "\e[91m[FATAL] Boot failure : Failed to create rootfs attestation cache directory: [%s] \n\e[0m" \ + "${CDLB_ROOTFS_ATTEST_CACHE_DIR}" + sleep 8 + log "[FATAL] Boot failure : Failed to create rootfs attestation cache directory: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]" + panic "[FATAL] Boot failure : Failed to create rootfs attestation cache directory: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]" + +fi + +if ! chmod 0755 "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"; then + + printf "\e[91m[FATAL] Boot failure : Failed to permission rootfs attestation cache directory: [%s] \n\e[0m" \ + "${CDLB_ROOTFS_ATTEST_CACHE_DIR}" + sleep 8 + log "[FATAL] Boot failure : Failed to permission rootfs attestation cache directory: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]" + panic "[FATAL] Boot failure : Failed to permission rootfs attestation cache directory: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]" + +fi if ! cp "${CDLB_ROOTFS_ATTEST_SOURCE}" "${CDLB_ROOTFS_ATTEST_MANIFEST}" || \ ! cp "${CDLB_ROOTFS_ATTEST_SOURCE_SIG}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}"; then @@ -408,7 +426,17 @@ if ! cp "${CDLB_ROOTFS_ATTEST_SOURCE}" "${CDLB_ROOTFS_ATTEST_MANIFEST}" || \ fi -chmod 0444 "${CDLB_ROOTFS_ATTEST_MANIFEST}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}" 2>&- || true +if ! chmod 0444 "${CDLB_ROOTFS_ATTEST_MANIFEST}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}"; then + + printf "\e[91m[FATAL] Boot failure : Failed to make rootfs attestation cache read-only: [%s] \n\e[0m" \ + "${CDLB_ROOTFS_ATTEST_CACHE_DIR}" + sleep 8 + log "[FATAL] Boot failure : Failed to make rootfs attestation cache read-only: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]" + panic "[FATAL] Boot failure : Failed to make rootfs attestation cache read-only: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]" + +fi + +chmod 0555 "${CDLB_ROOTFS_ATTEST_CACHE_DIR}" 2>&- || true printf "\e[92m[INFO] Rootfs attestation : Preserved [%s] and [%s] \n\e[0m" \ "${CDLB_ROOTFS_ATTEST_MANIFEST}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}" diff --git a/docs/AUDIT_DNSSEC.md b/docs/AUDIT_DNSSEC.md index aa7c967..2379f9a 100644 --- a/docs/AUDIT_DNSSEC.md +++ b/docs/AUDIT_DNSSEC.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.17
+**Build**: V9.14.028.2026.06.18
# 2. DNSSEC Status diff --git a/docs/AUDIT_HAVEGED.md b/docs/AUDIT_HAVEGED.md index 5a1efb7..9f5af2c 100644 --- a/docs/AUDIT_HAVEGED.md +++ b/docs/AUDIT_HAVEGED.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.17
+**Build**: V9.14.028.2026.06.18
# 2. Haveged Audit on Netcup RS 2000 G11 diff --git a/docs/AUDIT_LYNIS.md b/docs/AUDIT_LYNIS.md index 6019a39..53a61e3 100644 --- a/docs/AUDIT_LYNIS.md +++ b/docs/AUDIT_LYNIS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.17
+**Build**: V9.14.028.2026.06.18
# 2. Lynis Audit: diff --git a/docs/AUDIT_SSH.md b/docs/AUDIT_SSH.md index 0767d42..c7c9f48 100644 --- a/docs/AUDIT_SSH.md +++ b/docs/AUDIT_SSH.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.17
+**Build**: V9.14.028.2026.06.18
# 2. SSH Audit by ssh-audit.com diff --git a/docs/AUDIT_TLS.md b/docs/AUDIT_TLS.md index d53ea4e..348f521 100644 --- a/docs/AUDIT_TLS.md +++ b/docs/AUDIT_TLS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.17
+**Build**: V9.14.028.2026.06.18
# 2. TLS Audit: ````text diff --git a/docs/BOOTPARAMS.md b/docs/BOOTPARAMS.md index 0001258..58e96eb 100644 --- a/docs/BOOTPARAMS.md +++ b/docs/BOOTPARAMS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.17
+**Build**: V9.14.028.2026.06.18
# 2. Hardened Kernel Boot Parameters diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index f634e78..74ef146 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -8,10 +8,15 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.17
+**Build**: V9.14.028.2026.06.18
# 2. Changelog +## V9.14.028.2026.06.18 +* **Changed**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash) Explicitly permissions the runtime rootfs attestation cache and fails closed on cache creation or chmod errors. +* **Changed**: [MAN_CISS_ISO_BOOT_CHAIN.md](MAN_CISS_ISO_BOOT_CHAIN.md) Documents the rootfs attestation artifact custody path from build-time `binary/live` creation through the `0024` runtime cache and `0042` verification. +* **Changed**: [README.md](../README.md) Documents the runtime rootfs attestation cache handoff. + ## V9.14.026.2026.06.17 * **Updated**: git.coresecret.dev nginx Mainline 1.31.1 custom build with OpenSSL 4.0.1 to support PQC KEX algorithms: * * ``MLKEM1024`` ``SecP384r1MLKEM1024`` ``X25519MLKEM768`` diff --git a/docs/CNET.md b/docs/CNET.md index 09b35ad..fd900c3 100644 --- a/docs/CNET.md +++ b/docs/CNET.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.17
+**Build**: V9.14.028.2026.06.18
# 2. Centurion Net - Developer Branch Overview diff --git a/docs/CODING_CONVENTION.md b/docs/CODING_CONVENTION.md index b251026..c8d74e5 100644 --- a/docs/CODING_CONVENTION.md +++ b/docs/CODING_CONVENTION.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.17
+**Build**: V9.14.028.2026.06.18
# 2. Purpose diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index 6e7d5ca..d05a196 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.17
+**Build**: V9.14.028.2026.06.18
# 2. Contributing / participating diff --git a/docs/CREDITS.md b/docs/CREDITS.md index 045f7b1..cbf8c79 100644 --- a/docs/CREDITS.md +++ b/docs/CREDITS.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.17
+**Build**: V9.14.028.2026.06.18
# 2. Credits diff --git a/docs/DL_PUB_ISO.md b/docs/DL_PUB_ISO.md index 168bf54..2370c72 100644 --- a/docs/DL_PUB_ISO.md +++ b/docs/DL_PUB_ISO.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.17
+**Build**: V9.14.028.2026.06.18
# 2. Download the latest PUBLIC CISS.debian.live.ISO diff --git a/docs/DOCUMENTATION.md b/docs/DOCUMENTATION.md index 4a95e89..6be78b8 100644 --- a/docs/DOCUMENTATION.md +++ b/docs/DOCUMENTATION.md @@ -8,14 +8,14 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.17
+**Build**: V9.14.028.2026.06.18
# 2.1. Usage ````text CDLB(1) CISS.debian.live.builder CDLB(1) CISS.debian.live.builder from https://git.coresecret.dev/msw -Master V9.14.026.2026.06.17 +Master V9.14.028.2026.06.18 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image. (c) Marc S. Weidner, 2018 - 2026 @@ -190,7 +190,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image. 💷 Please consider donating to my work at: 🌐 https://coresecret.eu/spenden/ - V9.14.026.2026.06.17 2026-05-17 CDLB(1) + V9.14.028.2026.06.18 2026-05-17 CDLB(1) ```` # 3. Booting diff --git a/docs/MAN_CISS_ISO_BOOT_CHAIN.md b/docs/MAN_CISS_ISO_BOOT_CHAIN.md index 3969383..b30abb7 100644 --- a/docs/MAN_CISS_ISO_BOOT_CHAIN.md +++ b/docs/MAN_CISS_ISO_BOOT_CHAIN.md @@ -8,13 +8,13 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.17
+**Build**: V9.14.028.2026.06.18
# 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation) -**Status:** 2026-06-10
+**Status:** 2026-06-18
**Audience:** CICA CISO, CISS staff, technically proficient administrators
-**Summary:** The **CISS.debian.live.builder** Live-ISO establishes a two-stage verification chain around the live root: after the CISS LUKS/dm-integrity container has been opened, and the live medium context has been exposed, `0030-ciss-verify-checksums` verifies the mounted live-medium checksum manifest, detached signature, and signer fingerprint; later, `0042_ciss_post_decrypt_attest` verifies the signed rootfs attestation manifest, and the exact final SquashFS payload bytes copied into the decrypted LUKS mapper. UEFI Secure Boot can use either the default Microsoft/Debian shim chain, or a CISS-signed UKI chain for systems that trust the CISS Secure Boot key material.
+**Summary:** The **CISS.debian.live.builder** Live-ISO establishes a two-stage verification chain around the live root: after the CISS LUKS/dm-integrity container has been opened, and the live medium context has been exposed, `0030-ciss-verify-checksums` verifies the mounted live-medium checksum manifest, detached signature, and signer fingerprint; `0024-ciss-crypt-squash` preserves the rootfs attestation artifacts from the real ISO medium into a stable initramfs runtime cache; later, `0042_ciss_post_decrypt_attest` verifies the signed rootfs attestation manifest, and the exact final SquashFS payload bytes copied into the decrypted LUKS mapper. UEFI Secure Boot can use either the default Microsoft/Debian shim chain, or a CISS-signed UKI chain for systems that trust the CISS Secure Boot key material.
# 3. Overview @@ -22,7 +22,7 @@ include_toc: true * **Integrity and authenticity verification:** 1. **Mounted live medium:** After `0024-ciss-crypt-squash` has opened the encrypted container and exposed `/run/live/medium`, verify `sha512sum.txt` using `gpgv`, FPR pinning, and checksum execution. - 2. **Decrypted rootfs payload:** Verify the external rootfs attestation manifest using `gpgv` and FPR pinning, then verify the exact SquashFS payload bytes from the decrypted mapper with `sha512sum -c`. + 2. **Decrypted rootfs payload:** Preserve the external rootfs attestation manifest and detached signature before live-boot may replace or unmount the medium view, verify the cached manifest using `gpgv` and FPR pinning, then verify the exact SquashFS payload bytes from the decrypted mapper with `sha512sum -c`. * **Storage-level confidentiality and keyed sector integrity:** `dm-crypt` (AES-XTS-512) and `dm-integrity` (HMAC-SHA-512, 4 KiB). * **Remotely unlock:** CISS hardened and build dropbear, modern primitives only, no passwords, no agent/forwarding. @@ -55,7 +55,7 @@ private Secure Boot key names are detected in those paths before live-build chec | dm-integrity | `hmac-sha512` (keyed), journal | Keyed per-sector integrity for the opened mapping; not origin authenticity | | PBKDF | `argon2id`, `--iter-time 1000` ms, `--pbkdf-memory 262144`, `--pbkdf-parallel 1` | Bounded key derivation cost for initramfs unlock | | Signatures | Ed25519 or RSA-4096 (FPR pinned) | Public verifiability, non-repudiation | -| Verification | `gpgv --no-default-keyring` | No agent dependency in initramfs | +| Verification | `gpgv --keyring ` | Explicit keyring selection and no agent dependency in initramfs | | Hash lists | `sha512sum` format | Deterministic content verification | | Dropbear | Modern KEX/AEAD (per `localoptions.h`) | Minimal attack surface, remote unlock | @@ -92,8 +92,10 @@ flowchart TD 0090 e09@--> 0100["Starting CISS.hardened dropbear"]; 0100 e10@--> 0110["Executing live-boot, mounting ISO FS"]; 0110 e11@--> 0122["Executing 0022-ciss: Hardening tmpfs for OverlayFS upper/work"]; - 0122 e12@--> 0124["Executing 0024-ciss: LUKS open (dm-crypt & integrity)"]; - 0124 e13@--> |SUCCESSFUL| LUKS["Decrypted mapper exposed; livefs_root=/run/live/medium set"]; + 0122 e12@--> 0124["Executing 0024-ciss: Mount ISO medium and locate /live/ciss_rootfs.crypt"]; + 0124 e13@--> CACHE["0024-ciss: Preserve rootfs attestation artifacts in /run/ciss-rootfs-attestation"]; + CACHE e13b@--> LUKSOPEN["0024-ciss: LUKS open (dm-crypt & integrity)"]; + LUKSOPEN e13c@--> |SUCCESSFUL| LUKS["Decrypted mapper exposed; livefs_root=/run/live/medium set"]; LUKS e14@--> 0126["Executing 0026-ciss: Hardening early sysctls"]; 0126 e15@--> 0130["Executing 0030-ciss: Mounted live-medium checksum and signature verification"]; 0130 e16@--> |SUCCESSFUL| ROOT["9990-overlay: Mount SquashFS / OverlayFS"]; @@ -111,6 +113,8 @@ flowchart TD e11@{ animation: fast } e12@{ animation: fast } e13@{ animation: fast } + e13b@{ animation: fast } + e13c@{ animation: fast } e14@{ animation: fast } e15@{ animation: fast } e16@{ animation: fast } @@ -130,6 +134,8 @@ flowchart TD 0030 -- FAIL --> X; 0040 -- FAIL --> X; 0124 -- FAIL --> X; +CACHE -- FAIL --> X; +LUKSOPEN -- FAIL --> X; 0130 -- FAIL --> X; 0142 -- FAIL --> X; ``` @@ -145,6 +151,19 @@ ISO medium └── OverlayFS / running root filesystem ``` +Rootfs attestation evidence follows a separate side path: + +```text +ISO medium +├── /live/filesystem.squashfs.sha512sum.txt +└── /live/filesystem.squashfs.sha512sum.txt.sig + └── copied by 0024-ciss-crypt-squash to: + ├── /run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt + └── /run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt.sig +``` + +The `/run/ciss-rootfs-attestation/` cache is only a stable initramfs runtime location. It is not a trust anchor. `0042_ciss_post_decrypt_attest` still requires the cached manifest to verify against the detached signature, the pinned GPG fingerprint, and the actual decrypted mapper bytes. + ```mermaid --- config: @@ -186,6 +205,38 @@ cryptsetup luksFormat \ **Signing keys:** Ed25519 and RSA-4096; **FPR pinned at build time** in hooks. Signing keys are **additionally** signed by an offline GPG Root-CA (out-of-band trust chain). +## 7.1. Rootfs Attestation Artifacts Created at Build Time + +`config/hooks/live/zzzz_ciss_crypt_squash.hook.binary` runs in the live-build binary phase after `binary/live/filesystem.squashfs` exists and before the final ISO image is emitted. + +The hook expects: + +| Artifact | Build-time path | Purpose | +|-----------------------------|------------------------------------------------------------|-----------------------------------------------------------------------------------------| +| Final plaintext SquashFS | `${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs` | Source byte stream that will be attested and copied into the encrypted mapper. | +| Signing key passphrase file | `${VAR_SIGNING_KEY_PASSFILE}` | Unlocks the configured signing key without exposing the passphrase on the command line. | +| Verification keyring | `${VAR_VERIFY_KEYRING}` | Build-time self-check for the detached signature before the ISO is accepted. | + +The hook creates: + +| Artifact | Build-time path | ISO path | +|---------------------------------------|------------------------------------------------------------------------------|-----------------------------------------------| +| Encrypted live root container | `${VAR_HANDLER_BUILD_DIR}/binary/live/ciss_rootfs.crypt` | `/live/ciss_rootfs.crypt` | +| Rootfs attestation manifest | `${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs.sha512sum.txt` | `/live/filesystem.squashfs.sha512sum.txt` | +| Rootfs attestation detached signature | `${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs.sha512sum.txt.sig` | `/live/filesystem.squashfs.sha512sum.txt.sig` | + +The manifest format is intentionally small and deterministic: + +```text +# CISS.debian.live.builder Master +# Attestation file for filesystem.squashfs Version 1.0.0 +# Boundary : Final filesystem.squashfs byte stream copied into /dev/mapper/crypt_liveiso +# Bytes : Final filesystem.squashfs + filesystem.squashfs +``` + +The signed boundary is the final SquashFS byte stream before LUKS wrapping. The hook writes that byte stream into `/dev/mapper/crypt_liveiso`, closes the mapper, shreds the transient LUKS key file, removes `binary/live/filesystem.squashfs`, and keeps only `/live/ciss_rootfs.crypt` plus the manifest/signature pair in the final ISO payload tree. + # 8. Mounted Live-Medium Checksum Verification (CISS modified hook 0030-ciss-verify-checksums, live-bottom) **Goal:** After `0024-ciss-crypt-squash` has opened the encrypted container and exposed the live medium context, but before the final live root is accepted, verify: @@ -203,17 +254,39 @@ cryptsetup luksFormat \ # 9. Late Root-FS Attestation and dmsetup Health (CISS hook 0042_ciss_post_decrypt_attest, called by 9990-overlay.sh) -**Goal:** After LUKS unlocked, validate the **decrypted** rootfs payload selected at build time and the **actual** mapping topology. +**Goal:** After LUKS unlocked, and the live root has been mounted by `9990-overlay.sh`, validate the **decrypted** rootfs payload selected at build time and the **actual** mapping topology. * **Attested boundary:** the final `binary/live/filesystem.squashfs` byte stream, immediately before it is copied into `/dev/mapper/crypt_liveiso` by `zzzz_ciss_crypt_squash.hook.binary`. * **Runtime verification boundary:** the first byte count declared by `# Bytes : Final filesystem.squashfs ` in the signed manifest, read from the decrypted mapper. Any LUKS allocation slack after the SquashFS payload is intentionally excluded. -* **Attestation files:** `/run/live/medium/live/filesystem.squashfs.sha512sum.txt[.sig]` +* **ISO attestation files:** `/run/live/medium/live/filesystem.squashfs.sha512sum.txt[.sig]` while the original ISO medium is mounted by `0024-ciss-crypt-squash`. +* **Runtime attestation cache:** `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt[.sig]`, copied by `0024-ciss-crypt-squash` before live-boot may replace or unmount the medium view during `toram` handling. * **Key source:** `/etc/ciss/keys/*.gpg` (accepted only if FPR == build-pin) +## 9.1. Runtime Artifact Custody and Expectations + +| Step | Actor | Requires | Copies / writes | Later consumer | +|------|---------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------| +| 1 | `0024-ciss-crypt-squash` | Mounted ISO medium at `/run/live/medium`; `/run/live/medium/live/ciss_rootfs.crypt`; `/run/live/medium/live/filesystem.squashfs.sha512sum.txt`; `/run/live/medium/live/filesystem.squashfs.sha512sum.txt.sig` | Copies the manifest to `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt` and the detached signature to `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt.sig`; sets the cache directory to `0755` before copy, cached files to `0444`, and best-effort final directory mode to `0555` | `0042_ciss_post_decrypt_attest` | +| 2 | `0024-ciss-crypt-squash` | `/run/live/medium/live/ciss_rootfs.crypt`; unlock passphrase from console or Dropbear path | Opens the encrypted container as `/dev/mapper/crypt_liveiso`; writes `/run/ciss-rootdev` with mapper, medium, and attestation-cache paths | `9990-overlay.sh` | +| 3 | `9990-main.sh` | `/conf/param.conf` with `PLAIN_ROOT=1` and `livefs_root=/run/live/medium`; optional `toram` boot parameter | May copy live media to RAM and may leave `/run/live/medium` busy, replaced, or otherwise unsuitable as the only attestation source | `9990-overlay.sh` and `0042_ciss_post_decrypt_attest` | +| 4 | `9990-overlay.sh` | `/run/ciss-rootdev`; `/dev/mapper/crypt_liveiso` | Sources `/run/ciss-rootdev`, overrides the image directory to `/dev/mapper/crypt_liveiso`, mounts the decrypted SquashFS read-only, and invokes `/usr/lib/live/boot/0042_ciss_post_decrypt_attest` | `0042_ciss_post_decrypt_attest` | +| 5 | `0042_ciss_post_decrypt_attest` | `/etc/ciss/keys/.gpg`; `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt`; `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt.sig`; `/dev/mapper/crypt_liveiso` | Creates transient `/run/ciss-rootfs-attestation.sha512sum` for `sha512sum -c`; does not create trusted evidence | Boot continues only after signature, FPR, and exact payload bytes all verify | + +`0042_ciss_post_decrypt_attest` resolves artifacts in this order: + +1. The explicit manifest/signature paths exported through `/run/ciss-rootdev`. +2. The default runtime cache under `/run/ciss-rootfs-attestation/`. +3. Compatibility fallback mountpoints: `${CDLB_MNT_MEDIUM}`, `/run/live/medium`, `/lib/live/mount/medium`, and `/cdrom`. + +The fallback mountpoints are diagnostic and compatibility paths. The intended normal path for current CISS ISOs is the runtime cache copied by `0024-ciss-crypt-squash`. + **Core calls (initramfs):** ```sh # 1) Signature and FPR pin (no agent) +DATA="/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt" +SIG="${DATA}.sig" +KEYFILE="/etc/ciss/keys/.gpg" /usr/bin/gpgv --keyring "${KEYFILE}" --status-fd 1 "${SIG}" "${DATA}" # 2) Mandatory content hash verification @@ -222,7 +295,7 @@ dd if="${CDLB_MAPPER_DEV}" ... | /usr/bin/sha512sum -c /run/ciss-rootfs-attestat # 10. Failure Policy (fail-closed, deterministic) -* **Abort** on: missing checksum manifest, unsupported checksum manifest/tool state, failed checksum, empty checksum manifest, missing `VALIDSIG`, FPR mismatch, missing key/signature, malformed rootfs attestation manifest, or rootfs payload hash mismatch. +* **Abort** on: missing checksum manifest, unsupported checksum manifest/tool state, failed checksum, empty checksum manifest, missing rootfs attestation artifacts on the real ISO medium during `0024`, failed preservation of the runtime attestation cache, missing cached rootfs manifest/signature during `0042`, missing `VALIDSIG`, FPR mismatch, missing key/signature, malformed rootfs attestation manifest, or rootfs payload hash mismatch. * A signed rootfs manifest alone is not sufficient. Boot continues only after the manifest signature/FPR, and the decrypted SquashFS payload bytes both verify successfully. * `dm-integrity` protects the opened LUKS mapping against sector corruption or tampering under the LUKS key, but it is not treated as origin authenticity. Origin authenticity is provided by the signed rootfs attestation manifest and pinned signer fingerprint. @@ -260,7 +333,12 @@ dd if="${CDLB_MAPPER_DEV}" ... | /usr/bin/sha512sum -c /run/ciss-rootfs-attestat * **Key files:** * Mounted live medium (for 0030): embedded public key blob (project-specific FPR) * Root FS (for 0042): `/etc/ciss/keys/.gpg` -* **Mounts (typical):** `/run/live/rootfs`, `/run/live/overlay` +* **Rootfs attestation artifacts:** + * ISO payload paths: `/live/filesystem.squashfs.sha512sum.txt`, `/live/filesystem.squashfs.sha512sum.txt.sig` + * Runtime cache paths: `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt`, `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt.sig` + * Transient checksum file for exact mapper-byte verification: `/run/ciss-rootfs-attestation.sha512sum` +* **Runtime handoff state:** `/run/ciss-rootdev` +* **Mounts (typical):** `/run/live/medium`, `/run/live/rootfs`, `/run/live/overlay` # 13. Diagram: CISS Live ISO Build, Boot, and Run Time Trust Chain & Verification Paths ```mermaid @@ -268,21 +346,27 @@ flowchart TD subgraph ISO Build Time A["Embed and pin GPG FPR (into ISO & RootFS as needed)"] e00@--> B["Generate mounted-medium sha512sum.txt and .sig"]; - B e01@--> C["Build filesystem.squashfs and wrap it into ciss_rootfs.crypt"]; + B e01@--> C["Build filesystem.squashfs"]; + C e01b@--> C2["Generate rootfs attestation manifest and detached signature in binary/live"]; + C2 e01c@--> C3["Copy filesystem.squashfs into ciss_rootfs.crypt and remove plaintext filesystem.squashfs"]; e00@{ animation: fast } e01@{ animation: fast } + e01b@{ animation: fast } + e01c@{ animation: fast } end subgraph ISO Boot Time - C e02@--> D["0024 opens ciss_rootfs.crypt with LUKS2 and dm-integrity"]; - D e03@-->|SUCCESSFUL| E["Decrypted mapper exposed and livefs_root=/run/live/medium set"]; + C3 e02@--> D["0024 mounts real ISO medium and expects ciss_rootfs.crypt plus rootfs attestation files under /live"]; + D e02b@--> DCACHE["0024 copies rootfs attestation files to /run/ciss-rootfs-attestation"]; + DCACHE e03@--> E["0024 opens ciss_rootfs.crypt with LUKS2/dm-integrity and exposes /dev/mapper/crypt_liveiso"]; E e04@--> F["0030 verifies mounted live-medium manifest, signature, FPR, and checksums"]; F e05@-->|SUCCESSFUL| G["Mounted live medium verified"]; G e06@--> H["9990-overlay mounts SquashFS / OverlayFS"]; - H e07@--> I["0042 verifies signed rootfs attestation manifest and FPR"]; + H e07@--> I["0042 verifies cached rootfs attestation manifest and FPR"]; I e08@--> J["0042 verifies exact SquashFS bytes from /dev/mapper/crypt_liveiso"]; J e09@-->|SUCCESSFUL| K["RootFS SquashFS payload attestation successful"]; e02@{ animation: fast } + e02b@{ animation: fast } e03@{ animation: fast } e04@{ animation: fast } e05@{ animation: fast } @@ -299,6 +383,8 @@ flowchart TD end D -- FAIL --> X; +DCACHE -- FAIL --> X; +E -- FAIL --> X; F -- FAIL --> X; I -- FAIL --> X; J -- FAIL --> X; diff --git a/docs/MAN_SSH_Host_Key_Policy.md b/docs/MAN_SSH_Host_Key_Policy.md index cc136bd..47dd605 100644 --- a/docs/MAN_SSH_Host_Key_Policy.md +++ b/docs/MAN_SSH_Host_Key_Policy.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.17
+**Build**: V9.14.028.2026.06.18
# 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer diff --git a/docs/REFERENCES.md b/docs/REFERENCES.md index 3726475..ba16a57 100644 --- a/docs/REFERENCES.md +++ b/docs/REFERENCES.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.17
+**Build**: V9.14.028.2026.06.18
# 2. Resources diff --git a/docs/documentation/30-ciss-hardening.conf.md b/docs/documentation/30-ciss-hardening.conf.md index a0b6552..ebfd295 100644 --- a/docs/documentation/30-ciss-hardening.conf.md +++ b/docs/documentation/30-ciss-hardening.conf.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.17
+**Build**: V9.14.028.2026.06.18
# 2. ``30-ciss-hardening.conf`` diff --git a/docs/documentation/90-ciss-local.hardened.md b/docs/documentation/90-ciss-local.hardened.md index 278582e..435dd2f 100644 --- a/docs/documentation/90-ciss-local.hardened.md +++ b/docs/documentation/90-ciss-local.hardened.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.17
+**Build**: V9.14.028.2026.06.18
# 2. ``90-ciss-local.hardened`` diff --git a/docs/documentation/ciss_live_builder.sh.md b/docs/documentation/ciss_live_builder.sh.md index 1d983d2..9cc17dd 100644 --- a/docs/documentation/ciss_live_builder.sh.md +++ b/docs/documentation/ciss_live_builder.sh.md @@ -8,7 +8,7 @@ include_toc: true **Centurion Intelligence Consulting Agency Information Security Standard**
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*
**Master Version**: 9.14
-**Build**: V9.14.026.2026.06.17
+**Build**: V9.14.028.2026.06.18
# 2. ``ciss_live_builder.sh`` diff --git a/scripts/usr/local/sbin/9999_cdi_starter.sh b/scripts/usr/local/sbin/9999_cdi_starter.sh index b2473cf..539507d 100644 --- a/scripts/usr/local/sbin/9999_cdi_starter.sh +++ b/scripts/usr/local/sbin/9999_cdi_starter.sh @@ -601,7 +601,7 @@ main() { var_log="/root/.ciss/cdi/log/9999-cdi-starter_$(date +"%Y-%m-%d_%H-%M-%S").log" touch "${var_log}" - printf "CISS.debian.live.builder V9.14.026.2026.06.17 calling CISS.debian.installer ... \n" >> "${var_log}" + printf "CISS.debian.live.builder V9.14.028.2026.06.18 calling CISS.debian.installer ... \n" >> "${var_log}" ### Sleep a moment to settle boot artifacts. sleep 8 @@ -696,7 +696,7 @@ main() { ### Timeout reached without acceptable semaphore. logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle." - printf "CISS.debian.live.builder V9.14.026.2026.06.17: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}" + printf "CISS.debian.live.builder V9.14.028.2026.06.18: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}" exit 0 } diff --git a/var/early.var.sh b/var/early.var.sh index bee1c94..7b06763 100644 --- a/var/early.var.sh +++ b/var/early.var.sh @@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)" declare -grx VAR_HOST="$(uname -n)" declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')" declare -grx VAR_SYSTEM="$(uname -mnosv)" -declare -grx VAR_VERSION="Master V9.14.026.2026.06.17" +declare -grx VAR_VERSION="Master V9.14.028.2026.06.18" declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{ # Print $4 and $5; include $6 only if it exists out = $4