V8.13.536.2025.12.04

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

docs/MAN_CISS_ISO_BOOT_CHAIN.md

@@ -14,7 +14,7 @@ include_toc: true
 
 **Status:** 2025-11-12<br>
 **Audience:** CICA CISO, CISS staff, technically proficient administrators<br>
-**Summary:** The CISS.debian.live.builder Live-ISO establishes a two-stage verification chain without Microsoft-db: an early ISO-edge check (signature and FPR pin) *before* LUKS unlock, and a late root-FS attestation *after* unlock, reinforced by `dm-crypt (AES-XTS)` and `dm-integrity (HMAC-SHA-512)`.<br>
+**Summary:** The **CISS.debian.live.builder** Live-ISO establishes a two-stage verification chain without Microsoft-db: an early ISO-edge check (signature and FPR pin) *before* LUKS unlock, and a late root-FS attestation *after* unlock, reinforced by `dm-crypt (AES-XTS)` and `dm-integrity (HMAC-SHA-512)`.<br>
 
 # 3. Overview
 
@@ -23,8 +23,9 @@ include_toc: true
 
   1. **Early:** Verify `sha512sum.txt` at the ISO edge using `gpgv` and FPR pin.
   2. **Late:** Verify an attestation hash list inside the decrypted root FS using `gpgv` and FPR pin.
+
 * **Storage-level AEAD (functional):** `dm-crypt` (AES-XTS-512) and `dm-integrity` (HMAC-SHA-512, 4 KiB).
-* **Remotely unlock:** Hardened Dropbear (modern primitives only), no passwords, no agent/forwarding.
+* **Remotely unlock:** CISS hardened and build dropbear, modern primitives only, no passwords, no agent/forwarding.
 
 # 4. Primitives & Parameters
 
@@ -33,12 +34,12 @@ include_toc: true
 | LUKS2        | `aes-xts-plain64`, `--key-size 512`, `--sector-size 4096` | Confidentiality (2×256-bit XTS)                        |
 | dm-integrity | `hmac-sha512` (keyed), journal                            | Adversary-resistant per-sector integrity, authenticity |
 | PBKDF        | `argon2id`, `--iter-time 1000` ms                         | Key derivation, hardware-agnostic                      |
-| Signatures   | Ed25519, RSA-4096 (FPR pinned)                            | Public verifiability, non-repudiation                  |
+| Signatures   | Ed25519 or RSA-4096 (FPR pinned)                          | Public verifiability, non-repudiation                  |
 | Verification | `gpgv --no-default-keyring`                               | No agent dependency in initramfs                       |
 | Hash lists   | `sha512sum` format                                        | Deterministic content verification                     |
 | Dropbear     | Modern KEX/AEAD (per `localoptions.h`)                    | Minimal attack surface, remote unlock                  |
 
-# 5. Diagram: CISS Live ISO Boot Flow, complete
+# 5. Diagram: CISS Live ISO Boot Flow
 ```mermaid
 flowchart TD
   subgraph Trusted HW Manufacturer
@@ -109,7 +110,7 @@ flowchart TD
 0142 -- FAIL --> X;
 ```
 
-# 6. Diagram: CISS Live ISO LUKS and dm-integrity layering, complete
+# 6. Diagram: CISS Live ISO LUKS and dm-integrity layering
 ```mermaid
 ---
 config:
@@ -127,7 +128,7 @@ flowchart TD
 
 **Note:** Encrypt-then-MAC at the block layer (functionally AEAD-equivalent). Any manipulation ⇒ hard I/O error.
 
-# 7. CISS Live ISO LUKS Build-Time Core Steps, complete
+# 7. CISS Live ISO LUKS Build-Time Core Steps
 ```sh
 cryptsetup luksFormat \
   --batch-mode \
@@ -149,7 +150,7 @@ cryptsetup luksFormat \
 
 **Signing keys:** Ed25519 and RSA-4096; **FPR pinned at build time** in hooks. Signing keys are **additionally** signed by an offline GPG Root-CA (out-of-band trust chain).
 
-# 8. Early ISO-Edge Verification (CISS modified hook 0030, live-bottom)
+# 8. Early ISO-Edge Verification (CISS modified hook 0030-ciss-verify-checksums, live-bottom)
 
 **Goal:** Before consuming any medium content, verify:
 
@@ -164,13 +165,12 @@ cryptsetup luksFormat \
 # parse [GNUPG:] VALIDSIG ... <FPR> ...
 ```
 
-# 9. Late Root-FS Attestation and dmsetup Health (CISS hook 0045, live-bottom)
+# 9. Late Root-FS Attestation and dmsetup Health (CISS hook 0042_ciss_post_decrypt_attest, called by 9990-overlay.sh)
 
 **Goal:** After LUKS unlock, validate the **decrypted** contents and the **actual** mapping topology.
 
-* **Attestation files:** `/root/.ciss/attest/rootfs.sha512sum.txt[.sig]`
+* **Attestation files:** `/root/.ciss/attestation/<FPR>.sha512sum.txt[.sig]`
 * **Key source:** `/etc/ciss/keys/*.gpg` (accepted only if FPR == build-pin)
-* **Health check:** `dmsetup table --showkeys` → top `crypt` (AES-XTS), child `integrity` (HMAC-SHA-512, 4096 B)
 
 **Core calls (initramfs):**
 
@@ -180,36 +180,35 @@ cryptsetup luksFormat \
 
 # 2) Optional: Content hash verification
 ( cd "$ROOTMP" && /usr/bin/sha512sum -c --strict --quiet "$DATA" )
-
-# 3) dmsetup health
-dmsetup table --showkeys /dev/mapper/crypt_liveiso
-dmsetup table --showkeys CHILD  # expect integrity hmac sha512 4096
 ```
 
 # 10. Failure Policy (fail-closed, deterministic)
 
-* **Abort** on: missing `VALIDSIG`, FPR mismatch, missing key/signature, or a deviating `dmsetup` topology.
+* **Abort** on: missing `VALIDSIG`, FPR mismatch, missing key / signature.
 
-# 11. CISS Dropbear (Hardened Remotely Unlock)
+# 11. CISS hardened and built dropbear
 
 ```text
 • Public-key auth only, no passwords
-• Modern KEX/AEAD (e.g., curve25519, sntrup761x25519-sha512, mlkem768x25519-sha256; AES-GCM)
-• No agent/X11/TCP forwarding, no SFTP
-• Strict timeouts/keep-alives, restricted cipher/KEX set
-• Port 42137 (per CISS convention)
+• Modern KEX / AEAD (e.g., curve25519, sntrup761x25519-sha512, mlkem768x25519-sha256; AES-GCM)
+• No agent / X11 / TCP forwarding, no SFTP
+• Strict timeouts / keep-alives, restricted cipher / KEX set
+• Port 44137 (per CISS convention)
 ```
 
-*Concrete selection compiled via your `localoptions.h` at ISO build time.*
+*Concrete selection compiled via [localoptions.h](../upgrades/dropbear/localoptions.h) at ISO build time.*
 
 # 12. Integration Points & Paths
 
 * **Hooks (build view):** 
-  * `/usr/lib/live/boot/0022-ciss-overlay-tmpfs`,
-  * `/usr/lib/live/boot/0024-ciss-crypt-squash`,
-  * `/usr/lib/live/boot/0026-ciss-early-sysctl`,
-  * `/usr/lib/live/boot/0030-ciss-verify-checksums`,
-  * `/usr/lib/live/boot/0042-ciss-post-decrypt-attest`,
+  * [0022-ciss-overlay-tmpfs](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs),
+  * [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash),
+  * [0026-ciss-early-sysctl](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl),
+  * [0030-ciss-verify-checksums](../config/includes.chroot/usr/lib/live/boot/0030-ciss-verify-checksums),
+  * [0042_ciss_post_decrypt_attest](../config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest),
+  * [9990-main.sh](../config/includes.chroot/usr/lib/live/boot/9990-main.sh),
+  * [9990-networking.sh](../config/includes.chroot/usr/lib/live/boot/9990-networking.sh),
+  * [9990-overlay.sh](../config/includes.chroot/usr/lib/live/boot/9990-overlay.sh).
 * **Hooks (boot view):** 
   * `/scripts/live-premount/0022-ciss-overlay-tmpfs`, 
   * `/scripts/live-premount/0024-ciss-crypt-squash`,
@@ -217,7 +216,7 @@ dmsetup table --showkeys CHILD  # expect integrity hmac sha512 4096
   * `/scripts/live-bottom/0030-ciss-verify-checksums`,
   * `/scripts/live-bottom/0042-ciss-post-decrypt-attest`
 * **Key files:**
-  * ISO edge (for 0030): embedded public key blob (project-specific fpr)
+  * ISO edge (for 0030): embedded public key blob (project-specific FPR)
   * Root FS (for 0042): `/etc/ciss/keys/<FPR>.gpg`
 * **Mounts (typical):** `/run/live/rootfs`, `/run/live/overlay`
 
@@ -262,7 +261,7 @@ I -- FAIL --> X;
 
 # 14. Closing Remarks
 
-This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection against medium tampering, bitrot and active attacks **both before and after decryption**. The dual verification phases plus `dmsetup` health make the state transparent and deterministic.
+This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection against medium tampering, bitrot and active attacks **both before and after decryption**. The dual verification phases make the state transparent and deterministic.
 
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**