V8.13.432.2025.11.18
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 59s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 59s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -40,77 +40,70 @@ include_toc: true
|
||||
|
||||
# 5. End-to-End Boot Flow
|
||||
```mermaid
|
||||
sequenceDiagram
|
||||
autonumber
|
||||
flowchart TD
|
||||
subgraph Trusted HW Manufacturer
|
||||
0000["System Power On"] e00@--> 0010["CPU reset 0xFFFFFFF0, POST"];
|
||||
0010 e01@--> 0020["UEFI DXE Phase enumerates devices"];
|
||||
0020 e02@--> 0030["Secure Boot (if enabled): db, dbx, KEK, PK loaded from NVRAM"];
|
||||
e00@{ animation: fast }
|
||||
e01@{ animation: fast }
|
||||
e02@{ animation: fast }
|
||||
end
|
||||
|
||||
box lightgrey Trusted Manufacturer
|
||||
participant 0000 as Power On
|
||||
participant 0010 as POST
|
||||
participant 0020 as UEFI Initialisation
|
||||
end
|
||||
subgraph Trusted Secure Boot
|
||||
0030 e03@--> |SUCCESSFUL| 0040["Loading \EFI\BOOT\BOOTX64.EFI"];
|
||||
0040 e04@--> 0050["Loading \EFI\BOOT\GRUBX64.EFI"];
|
||||
0050 e05@--> 0060["Loading initrd.img"];
|
||||
e03@{ animation: fast }
|
||||
e04@{ animation: fast }
|
||||
e05@{ animation: fast }
|
||||
|
||||
box lightblue Trusted Secure Boot
|
||||
participant 0030 as Secure Boot Initialisation
|
||||
participant 0040 as bootx64.efi
|
||||
participant 0050 as grubx64.efi
|
||||
end
|
||||
end
|
||||
|
||||
box lightgreen Trusted CISS.debian.live.builder
|
||||
participant 0060 as initrd.img
|
||||
participant 0070 as Kernel Entry Point
|
||||
participant 0080 as Kernel Decompress
|
||||
participant 0090 as /init
|
||||
participant 0100 as Dropbear Remote Unlock
|
||||
participant 0110 as live-boot mounts ISO FS
|
||||
participant 0122 as 0022-ciss
|
||||
participant 0124 as 0024-ciss
|
||||
participant LUKS as LUKS2 & dm-integrity
|
||||
participant ROOT as RootFS (SquashFS/Overlay)
|
||||
participant 0126 as 0026-ciss
|
||||
participant 0130 as 0030-ciss
|
||||
participant 0142 as 0042-ciss
|
||||
participant 9000 as switch_root
|
||||
participant 9010 as /sbin/init
|
||||
participant 9020 as Target Units
|
||||
participant 9030 as Login
|
||||
end
|
||||
subgraph Trusted Live ISO
|
||||
0060 e06@--> 0070["Transfer Control to Kernel Entry Point"];
|
||||
0070 e07@--> 0080["Decompress Kernel"];
|
||||
0080 e08@--> 0090["/init Phase"];
|
||||
0090 e09@--> 0100["Starting CISS.hardened dropbear"];
|
||||
0100 -.-> 9000["Living CISS.hardened dropbear"];
|
||||
0100 e10@--> 0110["Executing live-boot, mounting ISO FS"];
|
||||
0110 e11@--> 0122["Executing 0022-ciss: Hardening tmpfs for OverlayFS upper/work"];
|
||||
0122 e12@--> 0124["Executing 0024-ciss: LUKS open (dm-crypt & integrity)"];
|
||||
0124 e13@--> |SUCCESSFUL| LUKS["Unlocking LUKS2 Argon2id PBKDF → XTS + HMAC-SHA512"];
|
||||
LUKS e14@--> ROOT["Assemble RootFS OverlayFS"];
|
||||
ROOT e15@--> 0126["Executing 0026-ciss: Hardening early sysctls"];
|
||||
0126 e16@--> 0130["Executing 0030-ciss: Verification of authenticity and integrity via embedded and pinned GPG of ISO edge"];
|
||||
0130 e17@--> |SUCCESSFUL| 0142["Executing 0042-ciss: Attestation of RootFS"];
|
||||
0142 e18@--> |SUCCESSFUL| 9000["Switching root"];
|
||||
9000 e19@--> 9010["Starting /sbin/init -> systemd"];
|
||||
9010 e20@--> 9020["Starting Target Units"];
|
||||
e06@{ animation: fast }
|
||||
e07@{ animation: fast }
|
||||
e08@{ animation: fast }
|
||||
e09@{ animation: fast }
|
||||
e10@{ animation: fast }
|
||||
e11@{ animation: fast }
|
||||
e12@{ animation: fast }
|
||||
e13@{ animation: fast }
|
||||
e14@{ animation: fast }
|
||||
e15@{ animation: fast }
|
||||
e16@{ animation: fast }
|
||||
e17@{ animation: fast }
|
||||
e18@{ animation: fast }
|
||||
e19@{ animation: fast }
|
||||
e20@{ animation: fast }
|
||||
end
|
||||
|
||||
0000->>0010: CPU reset 0xFFFFFFF0, POST
|
||||
0010->>0020: UEFI DXE Phase enumerates devices
|
||||
0020->>0030: Secure Boot (if enabled): db, dbx, KEK, PK loaded from NVRAM
|
||||
0030->>0040: Loading \EFI\BOOT\BOOTX64.EFI
|
||||
0040->>0050: Loading \EFI\BOOT\GRUBX64.EFI
|
||||
0050->>0060: Loading initrd.img
|
||||
0060->>0070: Transfer Control to Kernel Entry Point
|
||||
0070->>0080: Decompress Kernel
|
||||
0080->>0090: /init Phase
|
||||
0090->>0100: Starting CISS.hardened dropbear
|
||||
0100->>9000: Living CISS.hardened dropbear
|
||||
0100->>0110: Executing live-boot, mounting ISO FS
|
||||
0110->>0122: Executing 0022-ciss: Hardening tmpfs for OverlayFS upper/work
|
||||
0122->>0124: Executing 0024-ciss: LUKS open (dm-crypt & integrity)
|
||||
0124->>LUKS: Unlocking [Argon2id PBKDF → XTS + HMAC-SHA512]
|
||||
LUKS->>ROOT: Assemble RootFS OverlayFS
|
||||
ROOT->>0126: Executing 0026-ciss: Hardening early sysctls
|
||||
subgraph Finale State
|
||||
9020 e21@--> 9030{{"CISS.debian.live.builder Waiting for Login"}};
|
||||
X{{"CISS.debian.live.builder Boot process halted"}};
|
||||
e21@{ animation: fast }
|
||||
end
|
||||
|
||||
0126->>0130: Executing 0030-ciss: Verify ISO edge (gpgv, FPR pin)
|
||||
alt 0130 SUCCESSFUL
|
||||
0130->>0060: Verified authenticity and integrity of ISO edge
|
||||
else 0130 FAIL
|
||||
0130-x 0060: CISS boot process stopped
|
||||
end
|
||||
|
||||
0130->>0142: Executing 0042-ciss: RootFS attestation, dmsetup health checking
|
||||
alt 0142 SUCCESSFUL
|
||||
0142->>0060: Verified confidentiality, authenticity and integrity of opened LUKS2 RootFS
|
||||
else 0142 FAIL
|
||||
0142-x 0060: CISS boot process stopped
|
||||
end
|
||||
|
||||
0142->>9000: Switching root
|
||||
9000->>9010: Starting /sbin/init -> systemd
|
||||
9010->>9020: Starting Target Units
|
||||
9020->>9030: Waiting for Login
|
||||
0030 -- FAIL --> X;
|
||||
0124 -- FAIL --> X;
|
||||
0130 -- FAIL --> X;
|
||||
0142 -- FAIL --> X;
|
||||
```
|
||||
|
||||
# 6. LUKS/dm-integrity Layering
|
||||
|
||||
Reference in New Issue
Block a user