msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.432.2025.11.18
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m18s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-11-18 13:59:55 +00:00
parent a3b4e5d198
commit b19c0380e6
2 changed files with 5 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs
View File

@@ -25,6 +25,7 @@ PHASE="${1:-}"
case "${PHASE}" in case "${PHASE}" in
premount) premount)
exit 0
;; ### Continue. ;; ### Continue.
*) *)
exit 0 ### Do nothing in other phases. exit 0 ### Do nothing in other phases.

6
docs/MAN_CISS_ISO_BOOT_CHAIN.md
View File

@@ -56,7 +56,6 @@ participant 0050 as grubx64.efi
end end
box lightgreen Trusted CISS.debian.live.builder box lightgreen Trusted CISS.debian.live.builder
participant 0060 as initrd.img participant 0060 as initrd.img
participant 0070 as Kernel Entry Point participant 0070 as Kernel Entry Point
participant 0080 as Kernel Decompress participant 0080 as Kernel Decompress
@@ -82,7 +81,7 @@ end
0030->>0040: Loading \EFI\BOOT\BOOTX64.EFI 0030->>0040: Loading \EFI\BOOT\BOOTX64.EFI
0040->>0050: Loading \EFI\BOOT\GRUBX64.EFI 0040->>0050: Loading \EFI\BOOT\GRUBX64.EFI
0050->>0060: Loading initrd.img 0050->>0060: Loading initrd.img
0060->>0070: Transfer Controle to Kernel Entry Point 0060->>0070: Transfer Control to Kernel Entry Point
0070->>0080: Decompress Kernel 0070->>0080: Decompress Kernel
0080->>0090: /init Phase 0080->>0090: /init Phase
0090->>0100: Starting CISS.hardened dropbear 0090->>0100: Starting CISS.hardened dropbear
@@ -93,18 +92,21 @@ end
0124->>LUKS: Unlocking [Argon2id PBKDF → XTS + HMAC-SHA512] 0124->>LUKS: Unlocking [Argon2id PBKDF → XTS + HMAC-SHA512]
LUKS->>ROOT: Assemble RootFS OverlayFS LUKS->>ROOT: Assemble RootFS OverlayFS
ROOT->>0126: Executing 0026-ciss: Hardening early sysctls ROOT->>0126: Executing 0026-ciss: Hardening early sysctls
0126->>0130: Executing 0030-ciss: Verify ISO edge (gpgv, FPR pin) 0126->>0130: Executing 0030-ciss: Verify ISO edge (gpgv, FPR pin)
alt 0130 SUCCESSFUL alt 0130 SUCCESSFUL
0130->>0060: Verified authenticity and integrity of ISO edge 0130->>0060: Verified authenticity and integrity of ISO edge
else 0130 FAIL else 0130 FAIL
0130-x 0060: CISS boot process stopped 0130-x 0060: CISS boot process stopped
end end
0130->>0142: Executing 0042-ciss: RootFS attestation, dmsetup health checking 0130->>0142: Executing 0042-ciss: RootFS attestation, dmsetup health checking
alt 0142 SUCCESSFUL alt 0142 SUCCESSFUL
0142->>0060: Verified confidentiality, authenticity and integrity of opened LUKS2 RootFS 0142->>0060: Verified confidentiality, authenticity and integrity of opened LUKS2 RootFS
else 0142 FAIL else 0142 FAIL
0142-x 0060: CISS boot process stopped 0142-x 0060: CISS boot process stopped
end end
0142->>9000: Switching root 0142->>9000: Switching root
9000->>9010: Starting /sbin/init -> systemd 9000->>9010: Starting /sbin/init -> systemd
9010->>9020: Starting Target Units 9010->>9020: Starting Target Units