V8.13.432.2025.11.18
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 59s

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-18 16:29:38 +00:00
parent 976262abbf
commit bb854daa00

@@ -40,77 +40,70 @@ include_toc: true
# 5. End-to-End Boot Flow # 5. End-to-End Boot Flow
```mermaid ```mermaid
sequenceDiagram flowchart TD
autonumber subgraph Trusted HW Manufacturer
0000["System Power On"] e00@--> 0010["CPU reset 0xFFFFFFF0, POST"];
0010 e01@--> 0020["UEFI DXE Phase enumerates devices"];
0020 e02@--> 0030["Secure Boot (if enabled): db, dbx, KEK, PK loaded from NVRAM"];
e00@{ animation: fast }
e01@{ animation: fast }
e02@{ animation: fast }
end
box lightgrey Trusted Manufacturer subgraph Trusted Secure Boot
participant 0000 as Power On 0030 e03@--> |SUCCESSFUL| 0040["Loading \EFI\BOOT\BOOTX64.EFI"];
participant 0010 as POST 0040 e04@--> 0050["Loading \EFI\BOOT\GRUBX64.EFI"];
participant 0020 as UEFI Initialisation 0050 e05@--> 0060["Loading initrd.img"];
end e03@{ animation: fast }
e04@{ animation: fast }
e05@{ animation: fast }
box lightblue Trusted Secure Boot end
participant 0030 as Secure Boot Initialisation
participant 0040 as bootx64.efi
participant 0050 as grubx64.efi
end
box lightgreen Trusted CISS.debian.live.builder subgraph Trusted Live ISO
participant 0060 as initrd.img 0060 e06@--> 0070["Transfer Control to Kernel Entry Point"];
participant 0070 as Kernel Entry Point 0070 e07@--> 0080["Decompress Kernel"];
participant 0080 as Kernel Decompress 0080 e08@--> 0090["/init Phase"];
participant 0090 as /init 0090 e09@--> 0100["Starting CISS.hardened dropbear"];
participant 0100 as Dropbear Remote Unlock 0100 -.-> 9000["Living CISS.hardened dropbear"];
participant 0110 as live-boot mounts ISO FS 0100 e10@--> 0110["Executing live-boot, mounting ISO FS"];
participant 0122 as 0022-ciss 0110 e11@--> 0122["Executing 0022-ciss: Hardening tmpfs for OverlayFS upper/work"];
participant 0124 as 0024-ciss 0122 e12@--> 0124["Executing 0024-ciss: LUKS open (dm-crypt & integrity)"];
participant LUKS as LUKS2 & dm-integrity 0124 e13@--> |SUCCESSFUL| LUKS["Unlocking LUKS2 Argon2id PBKDF → XTS + HMAC-SHA512"];
participant ROOT as RootFS (SquashFS/Overlay) LUKS e14@--> ROOT["Assemble RootFS OverlayFS"];
participant 0126 as 0026-ciss ROOT e15@--> 0126["Executing 0026-ciss: Hardening early sysctls"];
participant 0130 as 0030-ciss 0126 e16@--> 0130["Executing 0030-ciss: Verification of authenticity and integrity via embedded and pinned GPG of ISO edge"];
participant 0142 as 0042-ciss 0130 e17@--> |SUCCESSFUL| 0142["Executing 0042-ciss: Attestation of RootFS"];
participant 9000 as switch_root 0142 e18@--> |SUCCESSFUL| 9000["Switching root"];
participant 9010 as /sbin/init 9000 e19@--> 9010["Starting /sbin/init -> systemd"];
participant 9020 as Target Units 9010 e20@--> 9020["Starting Target Units"];
participant 9030 as Login e06@{ animation: fast }
end e07@{ animation: fast }
e08@{ animation: fast }
e09@{ animation: fast }
e10@{ animation: fast }
e11@{ animation: fast }
e12@{ animation: fast }
e13@{ animation: fast }
e14@{ animation: fast }
e15@{ animation: fast }
e16@{ animation: fast }
e17@{ animation: fast }
e18@{ animation: fast }
e19@{ animation: fast }
e20@{ animation: fast }
end
0000->>0010: CPU reset 0xFFFFFFF0, POST subgraph Finale State
0010->>0020: UEFI DXE Phase enumerates devices 9020 e21@--> 9030{{"CISS.debian.live.builder Waiting for Login"}};
0020->>0030: Secure Boot (if enabled): db, dbx, KEK, PK loaded from NVRAM X{{"CISS.debian.live.builder Boot process halted"}};
0030->>0040: Loading \EFI\BOOT\BOOTX64.EFI e21@{ animation: fast }
0040->>0050: Loading \EFI\BOOT\GRUBX64.EFI end
0050->>0060: Loading initrd.img
0060->>0070: Transfer Control to Kernel Entry Point
0070->>0080: Decompress Kernel
0080->>0090: /init Phase
0090->>0100: Starting CISS.hardened dropbear
0100->>9000: Living CISS.hardened dropbear
0100->>0110: Executing live-boot, mounting ISO FS
0110->>0122: Executing 0022-ciss: Hardening tmpfs for OverlayFS upper/work
0122->>0124: Executing 0024-ciss: LUKS open (dm-crypt & integrity)
0124->>LUKS: Unlocking [Argon2id PBKDF → XTS + HMAC-SHA512]
LUKS->>ROOT: Assemble RootFS OverlayFS
ROOT->>0126: Executing 0026-ciss: Hardening early sysctls
0126->>0130: Executing 0030-ciss: Verify ISO edge (gpgv, FPR pin) 0030 -- FAIL --> X;
alt 0130 SUCCESSFUL 0124 -- FAIL --> X;
0130->>0060: Verified authenticity and integrity of ISO edge 0130 -- FAIL --> X;
else 0130 FAIL 0142 -- FAIL --> X;
0130-x 0060: CISS boot process stopped
end
0130->>0142: Executing 0042-ciss: RootFS attestation, dmsetup health checking
alt 0142 SUCCESSFUL
0142->>0060: Verified confidentiality, authenticity and integrity of opened LUKS2 RootFS
else 0142 FAIL
0142-x 0060: CISS boot process stopped
end
0142->>9000: Switching root
9000->>9010: Starting /sbin/init -> systemd
9010->>9020: Starting Target Units
9020->>9030: Waiting for Login
``` ```
# 6. LUKS/dm-integrity Layering # 6. LUKS/dm-integrity Layering
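
Review bot: In the "Trusted Live ISO" subgraph, node id 9000 is declared twice with different labels, first in `0100 -.-> 9000["Living CISS.hardened dropbear"];` and later in `0142 e18@--> |SUCCESSFUL| 9000["Switching root"];`. A flowchart node carries a single label, so one of the two texts will not render, and the dotted edge no longer conveys what the old `0100->>9000: Living CISS.hardened dropbear` message did, namely that dropbear stays alive until switch_root. Suggest moving the text onto the edge, for example `0100 -.-> |Living CISS.hardened dropbear| 9000;`, and keeping the node label only on the `0142` line. Smaller points: the subgraph title "Finale State" should read "Final State"; the new labels for 0130 and 0142 drop the "gpgv, FPR pin" and "dmsetup health checking" details from the old diagram, which told the reader what each check actually verifies; and node 0030 says "Secure Boot (if enabled)" while its only outgoing edges are SUCCESSFUL and FAIL, so the path for a system with Secure Boot disabled is not drawn.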