diff --git a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
index deb5797..6dc733f 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_0.yaml
@@ -183,6 +183,7 @@ jobs:
           install -m 0600 /dev/null /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
           install -m 0600 /dev/null /dev/shm/cdlb_secrets/keys.txt
           install -m 0600 /dev/null /dev/shm/cdlb_secrets/luks.txt
+          install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_ca.asc
           install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key.asc
           install -m 0600 /dev/null /dev/shm/cdlb_secrets/signing_key_pass.txt
 
@@ -196,6 +197,7 @@ jobs:
           echo "${{ secrets.CISS_PRIMORDIAL_PUBLIC }}"            >| /dev/shm/cdlb_secrets/id_2025_ed25519_ciss_primordial.pub
           echo "${{ secrets.CISS_PHYS_AGE }}"                     >| /dev/shm/cdlb_secrets/keys.txt
           echo "${{ secrets.CISS_PHYS_LUKS }}"                    >| /dev/shm/cdlb_secrets/luks.txt
+          echo "${{ secrets.PGP_CISS_CA_PUBLIC_KEY }}"            >| /dev/shm/cdlb_secrets/signing_ca.asc
           echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY }}"       >| /dev/shm/cdlb_secrets/signing_key.asc
           echo "${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_PASS }}"  >| /dev/shm/cdlb_secrets/signing_key_pass.txt
 
@@ -204,12 +206,14 @@ jobs:
           set -euo pipefail
           chmod 0700 ciss_live_builder.sh
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'.
+          chmod 0400 /dev/shm/cdlb_secrets/*
           ./ciss_live_builder.sh \
             --architecture amd64 \
             --autobuild=6.17.8+deb13-amd64 \
             --build-directory /opt/cdlb \
             --cdi \
+            --change-splash hexagon \
             --control "${timestamp}" \
             --debug \
             --dhcp-centurion \
@@ -218,6 +222,7 @@ jobs:
             --key_luks=luks.txt \
             --provider-netcup-ipv6 ${{ secrets.CISS_DLB_NETCUP_IPV6 }} \
             --root-password-file /dev/shm/cdlb_secrets/password.txt \
+            --signing_ca=signing_ca.asc \
             --signing_key_fpr=${{ secrets.PGP_MSW_PRIVATE_SIGNING_KEY_FPR }} \
             --signing_key_pass=signing_key_pass.txt \
             --signing_key=signing_key.asc \
diff --git a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
index 5dfe5b7..d45898f 100644
--- a/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
+++ b/.gitea/workflows/generate_PRIVATE_trixie_1.yaml
@@ -206,7 +206,7 @@ jobs:
           set -euo pipefail
           chmod 0700 ciss_live_builder.sh
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'.
           chmod 0400 /dev/shm/cdlb_secrets/*
           ./ciss_live_builder.sh \
             --architecture amd64 \
diff --git a/.gitea/workflows/generate_PUBLIC_iso.yaml b/.gitea/workflows/generate_PUBLIC_iso.yaml
index f5656ce..8f6e995 100644
--- a/.gitea/workflows/generate_PUBLIC_iso.yaml
+++ b/.gitea/workflows/generate_PUBLIC_iso.yaml
@@ -183,12 +183,14 @@ jobs:
           set -euo pipefail
           chmod 0700 ciss_live_builder.sh
           timestamp=$(date -u +"%Y_%m_%dT%H_%M_%SZ")
-          ### Change "--autobuild=" to the specific kernel version you need: '6.16.3+deb13-amd64'.
+          ### Change "--autobuild=" to the specific kernel version you need: '6.17.8+deb13-amd64'.
+          chmod 0400 /dev/shm/cdlb_secrets/*
           ./ciss_live_builder.sh \
             --architecture amd64 \
             --autobuild=6.17.8+deb13-amd64 \
             --build-directory /opt/cdlb \
             --cdi \
+            --change-splash hexagon \
             --control "${timestamp}" \
             --debug \
             --root-password-file /dev/shm/cdlb_secrets/password.txt \
diff --git a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
index 8042015..bc1aa34 100644
--- a/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
+++ b/config/includes.chroot/etc/initramfs-tools/files/unlock_wrapper.sh
@@ -341,8 +341,8 @@ readonly -f verify_script
 #######################################
 # Main Program Sequence.
 # Globals:
+#   CDLB_MAPPER_DEV
 #   CURRENTDATE
-#   DEVICES_LUKS
 #   GRE
 #   MAG
 #   NL
diff --git a/docs/MAN_CISS_ISO_BOOT_CHAIN.md b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
index a3e3192..918f648 100644
--- a/docs/MAN_CISS_ISO_BOOT_CHAIN.md
+++ b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
@@ -14,7 +14,7 @@ include_toc: true
 
 **Status:** 2025-11-12<br>
 **Audience:** CICA CISO, CISS staff, technically proficient administrators<br>
-**Summary:** The CISS.debian.live.builder Live-ISO establishes a two-stage verification chain without Microsoft-db: an early ISO-edge check (signature and FPR pin) *before* LUKS unlock, and a late root-FS attestation *after* unlock, reinforced by `dm-crypt (AES-XTS)` and `dm-integrity (HMAC-SHA-512)`.<br>
+**Summary:** The **CISS.debian.live.builder** Live-ISO establishes a two-stage verification chain without Microsoft-db: an early ISO-edge check (signature and FPR pin) *before* LUKS unlock, and a late root-FS attestation *after* unlock, reinforced by `dm-crypt (AES-XTS)` and `dm-integrity (HMAC-SHA-512)`.<br>
 
 # 3. Overview
 
@@ -23,8 +23,9 @@ include_toc: true
 
   1. **Early:** Verify `sha512sum.txt` at the ISO edge using `gpgv` and FPR pin.
   2. **Late:** Verify an attestation hash list inside the decrypted root FS using `gpgv` and FPR pin.
+
 * **Storage-level AEAD (functional):** `dm-crypt` (AES-XTS-512) and `dm-integrity` (HMAC-SHA-512, 4 KiB).
-* **Remotely unlock:** Hardened Dropbear (modern primitives only), no passwords, no agent/forwarding.
+* **Remotely unlock:** CISS hardened and build dropbear, modern primitives only, no passwords, no agent/forwarding.
 
 # 4. Primitives & Parameters
 
@@ -33,12 +34,12 @@ include_toc: true
 | LUKS2        | `aes-xts-plain64`, `--key-size 512`, `--sector-size 4096` | Confidentiality (2×256-bit XTS)                        |
 | dm-integrity | `hmac-sha512` (keyed), journal                            | Adversary-resistant per-sector integrity, authenticity |
 | PBKDF        | `argon2id`, `--iter-time 1000` ms                         | Key derivation, hardware-agnostic                      |
-| Signatures   | Ed25519, RSA-4096 (FPR pinned)                            | Public verifiability, non-repudiation                  |
+| Signatures   | Ed25519 or RSA-4096 (FPR pinned)                          | Public verifiability, non-repudiation                  |
 | Verification | `gpgv --no-default-keyring`                               | No agent dependency in initramfs                       |
 | Hash lists   | `sha512sum` format                                        | Deterministic content verification                     |
 | Dropbear     | Modern KEX/AEAD (per `localoptions.h`)                    | Minimal attack surface, remote unlock                  |
 
-# 5. Diagram: CISS Live ISO Boot Flow, complete
+# 5. Diagram: CISS Live ISO Boot Flow
 ```mermaid
 flowchart TD
   subgraph Trusted HW Manufacturer
@@ -109,7 +110,7 @@ flowchart TD
 0142 -- FAIL --> X;
 ```
 
-# 6. Diagram: CISS Live ISO LUKS and dm-integrity layering, complete
+# 6. Diagram: CISS Live ISO LUKS and dm-integrity layering
 ```mermaid
 ---
 config:
@@ -127,7 +128,7 @@ flowchart TD
 
 **Note:** Encrypt-then-MAC at the block layer (functionally AEAD-equivalent). Any manipulation ⇒ hard I/O error.
 
-# 7. CISS Live ISO LUKS Build-Time Core Steps, complete
+# 7. CISS Live ISO LUKS Build-Time Core Steps
 ```sh
 cryptsetup luksFormat \
   --batch-mode \
@@ -149,7 +150,7 @@ cryptsetup luksFormat \
 
 **Signing keys:** Ed25519 and RSA-4096; **FPR pinned at build time** in hooks. Signing keys are **additionally** signed by an offline GPG Root-CA (out-of-band trust chain).
 
-# 8. Early ISO-Edge Verification (CISS modified hook 0030, live-bottom)
+# 8. Early ISO-Edge Verification (CISS modified hook 0030-ciss-verify-checksums, live-bottom)
 
 **Goal:** Before consuming any medium content, verify:
 
@@ -164,13 +165,12 @@ cryptsetup luksFormat \
 # parse [GNUPG:] VALIDSIG ... <FPR> ...
 ```
 
-# 9. Late Root-FS Attestation and dmsetup Health (CISS hook 0045, live-bottom)
+# 9. Late Root-FS Attestation and dmsetup Health (CISS hook 0042_ciss_post_decrypt_attest, called by 9990-overlay.sh)
 
 **Goal:** After LUKS unlock, validate the **decrypted** contents and the **actual** mapping topology.
 
-* **Attestation files:** `/root/.ciss/attest/rootfs.sha512sum.txt[.sig]`
+* **Attestation files:** `/root/.ciss/attestation/<FPR>.sha512sum.txt[.sig]`
 * **Key source:** `/etc/ciss/keys/*.gpg` (accepted only if FPR == build-pin)
-* **Health check:** `dmsetup table --showkeys` → top `crypt` (AES-XTS), child `integrity` (HMAC-SHA-512, 4096 B)
 
 **Core calls (initramfs):**
 
@@ -180,36 +180,35 @@ cryptsetup luksFormat \
 
 # 2) Optional: Content hash verification
 ( cd "$ROOTMP" && /usr/bin/sha512sum -c --strict --quiet "$DATA" )
-
-# 3) dmsetup health
-dmsetup table --showkeys /dev/mapper/crypt_liveiso
-dmsetup table --showkeys CHILD  # expect integrity hmac sha512 4096
 ```
 
 # 10. Failure Policy (fail-closed, deterministic)
 
-* **Abort** on: missing `VALIDSIG`, FPR mismatch, missing key/signature, or a deviating `dmsetup` topology.
+* **Abort** on: missing `VALIDSIG`, FPR mismatch, missing key / signature.
 
-# 11. CISS Dropbear (Hardened Remotely Unlock)
+# 11. CISS hardened and built dropbear
 
 ```text
 • Public-key auth only, no passwords
-• Modern KEX/AEAD (e.g., curve25519, sntrup761x25519-sha512, mlkem768x25519-sha256; AES-GCM)
-• No agent/X11/TCP forwarding, no SFTP
-• Strict timeouts/keep-alives, restricted cipher/KEX set
-• Port 42137 (per CISS convention)
+• Modern KEX / AEAD (e.g., curve25519, sntrup761x25519-sha512, mlkem768x25519-sha256; AES-GCM)
+• No agent / X11 / TCP forwarding, no SFTP
+• Strict timeouts / keep-alives, restricted cipher / KEX set
+• Port 44137 (per CISS convention)
 ```
 
-*Concrete selection compiled via your `localoptions.h` at ISO build time.*
+*Concrete selection compiled via [localoptions.h](../upgrades/dropbear/localoptions.h) at ISO build time.*
 
 # 12. Integration Points & Paths
 
 * **Hooks (build view):** 
-  * `/usr/lib/live/boot/0022-ciss-overlay-tmpfs`,
-  * `/usr/lib/live/boot/0024-ciss-crypt-squash`,
-  * `/usr/lib/live/boot/0026-ciss-early-sysctl`,
-  * `/usr/lib/live/boot/0030-ciss-verify-checksums`,
-  * `/usr/lib/live/boot/0042-ciss-post-decrypt-attest`,
+  * [0022-ciss-overlay-tmpfs](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs),
+  * [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash),
+  * [0026-ciss-early-sysctl](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl),
+  * [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums),
+  * [0042_ciss_post_decrypt_attest](../config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest),
+  * [9990-main.sh](../config/includes.chroot/usr/lib/live/boot/9990-main.sh),
+  * [9990-networking.sh](../config/includes.chroot/usr/lib/live/boot/9990-networking.sh),
+  * [9990-overlay.sh](../config/includes.chroot/usr/lib/live/boot/9990-overlay.sh).
 * **Hooks (boot view):** 
   * `/scripts/live-premount/0022-ciss-overlay-tmpfs`, 
   * `/scripts/live-premount/0024-ciss-crypt-squash`,
@@ -217,7 +216,7 @@ dmsetup table --showkeys CHILD  # expect integrity hmac sha512 4096
   * `/scripts/live-bottom/0030-ciss-verify-checksums`,
   * `/scripts/live-bottom/0042-ciss-post-decrypt-attest`
 * **Key files:**
-  * ISO edge (for 0030): embedded public key blob (project-specific fpr)
+  * ISO edge (for 0030): embedded public key blob (project-specific FPR)
   * Root FS (for 0042): `/etc/ciss/keys/<FPR>.gpg`
 * **Mounts (typical):** `/run/live/rootfs`, `/run/live/overlay`
 
@@ -262,7 +261,7 @@ I -- FAIL --> X;
 
 # 14. Closing Remarks
 
-This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection against medium tampering, bitrot and active attacks **both before and after decryption**. The dual verification phases plus `dmsetup` health make the state transparent and deterministic.
+This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection against medium tampering, bitrot and active attacks **both before and after decryption**. The dual verification phases make the state transparent and deterministic.
 
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
diff --git a/lib/lib_clean_up.sh b/lib/lib_clean_up.sh
index 4900d4f..3075257 100644
--- a/lib/lib_clean_up.sh
+++ b/lib/lib_clean_up.sh
@@ -15,14 +15,16 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #######################################
 # Cleanup wrapper on the traps on 'ERR' and 'EXIT'.
 # Globals:
-#   VAR_CDLB_INSIDE_RUNNER
 #   GNUPGHOME
 #   LOG_ERROR
+#   VAR_CDLB_INSIDE_RUNNER
+#   VAR_EARLY_DEBUG
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_KERNEL_INF
 #   VAR_KERNEL_SRT
 #   VAR_KERNEL_TMP
 #   VAR_NOTES
+#   VAR_TMP_SECRET
 #   VAR_WORKDIR
 # Arguments:
 #   1 : ${trap_on_exit_code} of trap_on_exit()