**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.026.2026.06.17<br>
**Build**: V9.14.028.2026.06.18<br>
# 2. Changelog
## V9.14.028.2026.06.18
* **Changed**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash) Explicitly permissions the runtime rootfs attestation cache and fails closed on cache creation or chmod errors.
* **Changed**: [MAN_CISS_ISO_BOOT_CHAIN.md](MAN_CISS_ISO_BOOT_CHAIN.md) Documents the rootfs attestation artifact custody path from build-time `binary/live` creation through the `0024` runtime cache and `0042` verification.
* **Changed**: [README.md](../README.md) Documents the runtime rootfs attestation cache handoff.
## V9.14.026.2026.06.17
* **Updated**: git.coresecret.dev nginx Mainline 1.31.1 custom build with OpenSSL 4.0.1 to support PQC KEX algorithms:
**Summary:** The **CISS.debian.live.builder** Live-ISO establishes a two-stage verification chain around the live root: after the CISS LUKS/dm-integrity container has been opened, and the live medium context has been exposed, `0030-ciss-verify-checksums` verifies the mounted live-medium checksum manifest, detached signature, and signer fingerprint; later, `0042_ciss_post_decrypt_attest` verifies the signed rootfs attestation manifest, and the exact final SquashFS payload bytes copied into the decrypted LUKS mapper. UEFI Secure Boot can use either the default Microsoft/Debian shim chain, or a CISS-signed UKI chain for systems that trust the CISS Secure Boot key material.<br>
**Summary:** The **CISS.debian.live.builder** Live-ISO establishes a two-stage verification chain around the live root: after the CISS LUKS/dm-integrity container has been opened, and the live medium context has been exposed, `0030-ciss-verify-checksums` verifies the mounted live-medium checksum manifest, detached signature, and signer fingerprint;`0024-ciss-crypt-squash` preserves the rootfs attestation artifacts from the real ISO medium into a stable initramfs runtime cache; later, `0042_ciss_post_decrypt_attest` verifies the signed rootfs attestation manifest, and the exact final SquashFS payload bytes copied into the decrypted LUKS mapper. UEFI Secure Boot can use either the default Microsoft/Debian shim chain, or a CISS-signed UKI chain for systems that trust the CISS Secure Boot key material.<br>
# 3. Overview
@@ -22,7 +22,7 @@ include_toc: true
* **Integrity and authenticity verification:**
1.**Mounted live medium:** After `0024-ciss-crypt-squash` has opened the encrypted container and exposed `/run/live/medium`, verify `sha512sum.txt` using `gpgv`, FPR pinning, and checksum execution.
2.**Decrypted rootfs payload:**Verify the external rootfs attestation manifest using `gpgv` and FPR pinning, then verify the exact SquashFS payload bytes from the decrypted mapper with `sha512sum -c`.
2.**Decrypted rootfs payload:**Preserve the external rootfs attestation manifest and detached signature before live-boot may replace or unmount the medium view, verify the cached manifest using `gpgv` and FPR pinning, then verify the exact SquashFS payload bytes from the decrypted mapper with `sha512sum -c`.
* **Storage-level confidentiality and keyed sector integrity:** `dm-crypt` (AES-XTS-512) and `dm-integrity` (HMAC-SHA-512, 4 KiB).
* **Remotely unlock:** CISS hardened and build dropbear, modern primitives only, no passwords, no agent/forwarding.
@@ -55,7 +55,7 @@ private Secure Boot key names are detected in those paths before live-build chec
| dm-integrity | `hmac-sha512` (keyed), journal | Keyed per-sector integrity for the opened mapping; not origin authenticity |
The `/run/ciss-rootfs-attestation/` cache is only a stable initramfs runtime location. It is not a trust anchor. `0042_ciss_post_decrypt_attest` still requires the cached manifest to verify against the detached signature, the pinned GPG fingerprint, and the actual decrypted mapper bytes.
```mermaid
---
config:
@@ -186,6 +205,38 @@ cryptsetup luksFormat \
**Signing keys:** Ed25519 and RSA-4096; **FPR pinned at build time** in hooks. Signing keys are **additionally** signed by an offline GPG Root-CA (out-of-band trust chain).
## 7.1. Rootfs Attestation Artifacts Created at Build Time
`config/hooks/live/zzzz_ciss_crypt_squash.hook.binary` runs in the live-build binary phase after `binary/live/filesystem.squashfs` exists and before the final ISO image is emitted.
| Final plaintext SquashFS | `${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs` | Source byte stream that will be attested and copied into the encrypted mapper. |
| Signing key passphrase file | `${VAR_SIGNING_KEY_PASSFILE}` | Unlocks the configured signing key without exposing the passphrase on the command line. |
| Verification keyring | `${VAR_VERIFY_KEYRING}` | Build-time self-check for the detached signature before the ISO is accepted. |
The signed boundary is the final SquashFS byte stream before LUKS wrapping. The hook writes that byte stream into `/dev/mapper/crypt_liveiso`, closes the mapper, shreds the transient LUKS key file, removes `binary/live/filesystem.squashfs`, and keeps only `/live/ciss_rootfs.crypt` plus the manifest/signature pair in the final ISO payload tree.
**Goal:** After `0024-ciss-crypt-squash` has opened the encrypted container and exposed the live medium context, but before the final live root is accepted, verify:
@@ -203,17 +254,39 @@ cryptsetup luksFormat \
# 9. Late Root-FS Attestation and dmsetup Health (CISS hook 0042_ciss_post_decrypt_attest, called by 9990-overlay.sh)
**Goal:** After LUKS unlocked, validate the **decrypted** rootfs payload selected at build time and the **actual** mapping topology.
**Goal:** After LUKS unlocked, and the live root has been mounted by `9990-overlay.sh`, validate the **decrypted** rootfs payload selected at build time and the **actual** mapping topology.
* **Attested boundary:** the final `binary/live/filesystem.squashfs` byte stream, immediately before it is copied into `/dev/mapper/crypt_liveiso` by `zzzz_ciss_crypt_squash.hook.binary`.
* **Runtime verification boundary:** the first byte count declared by `# Bytes : Final filesystem.squashfs <bytes>` in the signed manifest, read from the decrypted mapper. Any LUKS allocation slack after the SquashFS payload is intentionally excluded.
* **ISO attestation files:** `/run/live/medium/live/filesystem.squashfs.sha512sum.txt[.sig]` while the original ISO medium is mounted by `0024-ciss-crypt-squash`.
* **Runtime attestation cache:** `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt[.sig]`, copied by `0024-ciss-crypt-squash` before live-boot may replace or unmount the medium view during `toram` handling.
* **Key source:** `/etc/ciss/keys/*.gpg` (accepted only if FPR == build-pin)
## 9.1. Runtime Artifact Custody and Expectations
| Step | Actor | Requires | Copies / writes | Later consumer |
| 1 | `0024-ciss-crypt-squash` | Mounted ISO medium at `/run/live/medium`; `/run/live/medium/live/ciss_rootfs.crypt`; `/run/live/medium/live/filesystem.squashfs.sha512sum.txt`; `/run/live/medium/live/filesystem.squashfs.sha512sum.txt.sig` | Copies the manifest to `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt` and the detached signature to `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt.sig`; sets the cache directory to `0755` before copy, cached files to `0444`, and best-effort final directory mode to `0555` | `0042_ciss_post_decrypt_attest` |
| 2 | `0024-ciss-crypt-squash` | `/run/live/medium/live/ciss_rootfs.crypt`; unlock passphrase from console or Dropbear path | Opens the encrypted container as `/dev/mapper/crypt_liveiso`; writes `/run/ciss-rootdev` with mapper, medium, and attestation-cache paths | `9990-overlay.sh` |
| 3 | `9990-main.sh` | `/conf/param.conf` with `PLAIN_ROOT=1` and `livefs_root=/run/live/medium`; optional `toram` boot parameter | May copy live media to RAM and may leave `/run/live/medium` busy, replaced, or otherwise unsuitable as the only attestation source | `9990-overlay.sh` and `0042_ciss_post_decrypt_attest` |
| 4 | `9990-overlay.sh` | `/run/ciss-rootdev`; `/dev/mapper/crypt_liveiso` | Sources `/run/ciss-rootdev`, overrides the image directory to `/dev/mapper/crypt_liveiso`, mounts the decrypted SquashFS read-only, and invokes `/usr/lib/live/boot/0042_ciss_post_decrypt_attest` | `0042_ciss_post_decrypt_attest` |
| 5 | `0042_ciss_post_decrypt_attest` | `/etc/ciss/keys/<pinned-FPR>.gpg`; `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt`; `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt.sig`; `/dev/mapper/crypt_liveiso` | Creates transient `/run/ciss-rootfs-attestation.sha512sum` for `sha512sum -c`; does not create trusted evidence | Boot continues only after signature, FPR, and exact payload bytes all verify |
`0042_ciss_post_decrypt_attest` resolves artifacts in this order:
1. The explicit manifest/signature paths exported through `/run/ciss-rootdev`.
2. The default runtime cache under `/run/ciss-rootfs-attestation/`.
3. Compatibility fallback mountpoints: `${CDLB_MNT_MEDIUM}`, `/run/live/medium`, `/lib/live/mount/medium`, and `/cdrom`.
The fallback mountpoints are diagnostic and compatibility paths. The intended normal path for current CISS ISOs is the runtime cache copied by `0024-ciss-crypt-squash`.
* **Abort** on: missing checksum manifest, unsupported checksum manifest/tool state, failed checksum, empty checksum manifest, missing rootfs attestation artifacts on the real ISO medium during `0024`, failed preservation of the runtime attestation cache, missing cached rootfs manifest/signature during `0042`, missing `VALIDSIG`, FPR mismatch, missing key/signature, malformed rootfs attestation manifest, or rootfs payload hash mismatch.
* A signed rootfs manifest alone is not sufficient. Boot continues only after the manifest signature/FPR, and the decrypted SquashFS payload bytes both verify successfully.
*`dm-integrity` protects the opened LUKS mapping against sector corruption or tampering under the LUKS key, but it is not treated as origin authenticity. Origin authenticity is provided by the signed rootfs attestation manifest and pinned signer fingerprint.
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 9.14<br>
**Build**: V9.14.026.2026.06.17<br>
**Build**: V9.14.028.2026.06.18<br>
# 2. ``ciss_live_builder.sh``
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
