V8.13.408.2025.11.13
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m8s

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-13 06:52:31 +01:00
parent 4a41faa1b5
commit c3b6e20b7e
5 changed files with 73 additions and 46 deletions

@@ -81,6 +81,8 @@ alias ssa='systemctl status'
alias ssf='systemctl status --failed' alias ssf='systemctl status --failed'
alias sysdr='systemctl daemon-reload' alias sysdr='systemctl daemon-reload'
alias syses='systemctl edit' alias syses='systemctl edit'
alias sysliboot='systemctl list-unit-files --state=enabled --type=service'
alias syslirun='systemctl list-units --type=service --state=running'
alias sysrl='systemctl reload' alias sysrl='systemctl reload'
alias sysrs='systemctl restart' alias sysrs='systemctl restart'
alias syssp='systemctl stop' alias syssp='systemctl stop'
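Review bot: `sysliboot` filters on `--state=enabled` only, so units that start at boot through `enabled-runtime` are not shown; if the alias is meant to answer "what starts at boot", consider `--state=enabled,enabled-runtime` (the option accepts a comma-separated list) or note the narrower meaning in a comment beside the alias. Both new aliases otherwise fit the existing `sys*` prefix scheme and keep the block in alphabetical order.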

@@ -15,9 +15,9 @@ include_toc: true
## V8.13.408.2025.11.13 ## V8.13.408.2025.11.13
* **Added**: [0002_hardening_overlay_tmpfs.chroot](../config/hooks/live/0002_hardening_overlay_tmpfs.chroot) + Remount overlay root with ``nosuid,nodev``. * **Added**: [0002_hardening_overlay_tmpfs.chroot](../config/hooks/live/0002_hardening_overlay_tmpfs.chroot) + Remount overlay root with ``nosuid,nodev``.
* **Added**: [0100_ciss_mem_wipe.chroot](../config/hooks/live/0100_ciss_mem_wipe.chroot) + adding Tails-like memory wiping. * **Added**: [0100_ciss_mem_wipe.chroot](../config/hooks/live/0100_ciss_mem_wipe.chroot) + adding Tails-like memory wiping.
* **Added**: [0022-ciss-overlay-tmpfs.sh](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh) + Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay. * **Added**: [0022-ciss-overlay-tmpfs.sh](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs) + Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
* **Added**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash) + Open ``/live/ciss_rootfs.crypt`` (LUKS) and present its SquashFS as ``/run/live/rootfs``. * **Added**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash) + Open ``/live/ciss_rootfs.crypt`` (LUKS) and present its SquashFS as ``/run/live/rootfs``.
* **Added**: [0026-ciss-early-sysctl.sh](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl.sh) + Enforce early sysctls before services start. * **Added**: [0026-ciss-early-sysctl.sh](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl) + Enforce early sysctls before services start.
* **Added**: [0042-ciss-post-decrypt-attest](../config/includes.chroot/usr/lib/live/boot/0042-ciss-post-decrypt-attest) + Late rootfs attestation and dmsetup health checking. * **Added**: [0042-ciss-post-decrypt-attest](../config/includes.chroot/usr/lib/live/boot/0042-ciss-post-decrypt-attest) + Late rootfs attestation and dmsetup health checking.
* **Added**: [MAN_CISS_ISO_BOOT_CHAIN.md](MAN_CISS_ISO_BOOT_CHAIN.md) * **Added**: [MAN_CISS_ISO_BOOT_CHAIN.md](MAN_CISS_ISO_BOOT_CHAIN.md)
* **Added**: [lib_ciss_signatures.sh](../lib/lib_ciss_signatures.sh) + integrated dynamic GPG FPR injection. * **Added**: [lib_ciss_signatures.sh](../lib/lib_ciss_signatures.sh) + integrated dynamic GPG FPR injection.
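Review bot: the link text and link target disagree for two entries on the new side: `[0022-ciss-overlay-tmpfs.sh](...0022-ciss-overlay-tmpfs)` and `[0026-ciss-early-sysctl.sh](...0026-ciss-early-sysctl)` keep `.sh` in the text but drop it from the path. Since the hook list in MAN_CISS_ISO_BOOT_CHAIN.md in this same commit names these files without a suffix (`/usr/lib/live/boot/0022-ciss-overlay-tmpfs`, `/usr/lib/live/boot/0026-ciss-early-sysctl`), drop `.sh` from the link text as well so all boot-hook entries read alike. Minor wording: "adding Tails-like memory wiping" should be "add Tails-like memory wiping" to match the imperative form of the other entries.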

@@ -47,23 +47,38 @@ sequenceDiagram
participant K as Kernel participant K as Kernel
participant I as initramfs + live-boot participant I as initramfs + live-boot
participant D as Dropbear (optional) participant D as Dropbear (optional)
participant C25 as CISS 0025 (live-premount) participant C30 as CISS 0030 (early verify)
participant C30 as CISS 0030 (live-bottom, early) participant C25 as CISS 0025 (unlock)
participant LUKS as LUKS2 + dm-integrity participant LUKS as LUKS2 + dm-integrity
participant RS as RootFS (SquashFS/Overlay) participant RS as RootFS (SquashFS/Overlay)
participant C45 as CISS 0045 (live-bottom, late) participant C45 as CISS 0045 (late verify)
FW->>GRUB: Load kernel + initramfs FW->>GRUB: Load kernel + initramfs
GRUB->>K: Boot kernel GRUB->>K: Boot kernel
K->>I: Pivot to initramfs (live-boot phases) K->>I: Pivot to initramfs (live-boot phases)
I->>D: (optional) Start Dropbear (remote unlock) I->>D: (optional) Start Dropbear (remote unlock)
I->>C30: Run 0030: Verify ISO edge (gpgv, FPR pin)
alt 0030 OK
C30-->>I: Verified
else 0030 FAIL
C30-x I: Abort boot
end
I->>C25: Run 0025: LUKS open (dm-crypt + integrity), mount SquashFS I->>C25: Run 0025: LUKS open (dm-crypt + integrity), mount SquashFS
C25->>LUKS: Unlock (Argon2id PBKDF → XTS + HMAC) C25->>LUKS: Unlock (Argon2id PBKDF → XTS + HMAC)
I->>C30: Run 0030: Verify ISO edge (gpgv, FPR pin, optional self-hash)
C30-->>I: OK → continue; FAIL → abort
I->>RS: Assemble overlay, switch_root I->>RS: Assemble overlay, switch_root
I->>C45: Run 0045: Verify root fs (gpgv, FPR pin) + dmsetup health I->>C45: Run 0045: Verify root FS (gpgv, FPR pin) + dmsetup health
C45-->>I: OK → handoff to userspace; FAIL → abort alt 0045 OK
C45-->>I: Verified
else 0045 FAIL
C45-x I: Abort boot
end
``` ```
# 6. LUKS/dm-integrity Layering # 6. LUKS/dm-integrity Layering
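Review bot: the reordered sequence now runs `0030` (ISO edge verify) before `0025` (LUKS open), but the Integration Points section in this same commit places the verify hook at `/scripts/live-bottom/0030-ciss-verify-checksums` and the unlock hook at `/scripts/live-premount/0024-ciss-crypt-squash`; live-boot executes `live-premount` scripts before `live-bottom` scripts, so a live-bottom hook cannot run ahead of the premount unlock as the diagram now shows. Either the diagram order or the hook stage needs to change, and the participant labels should be decided consistently: the diagram still says `CISS 0025 (unlock)` and `CISS 0045 (late verify)` while the hook list names `0024-ciss-crypt-squash` and `0042-ciss-post-decrypt-attest`. The `alt`/`else`/`end` blocks and `-x` abort arrows are valid Mermaid and make the fail-closed branches clearer than the previous single-line "OK → continue; FAIL → abort" notes.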
@@ -136,11 +151,11 @@ dmsetup table --showkeys /dev/mapper/crypt_liveiso
dmsetup table --showkeys CHILD # expect integrity hmac sha512 4096 dmsetup table --showkeys CHILD # expect integrity hmac sha512 4096
``` ```
# 9. Failure Policy (fail-closed, deterministic) # 10. Failure Policy (fail-closed, deterministic)
* **Abort** on: missing `VALIDSIG`, FPR mismatch, missing key/signature, or a deviating `dmsetup` topology. * **Abort** on: missing `VALIDSIG`, FPR mismatch, missing key/signature, or a deviating `dmsetup` topology.
# 10. Dropbear (Hardened Remotely Unlock) # 11. Dropbear (Hardened Remotely Unlock)
```text ```text
• Public-key auth only, no passwords • Public-key auth only, no passwords
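Review bot: sections 9 and 10 are renumbered to 10 and 11, which implies a new section 9 was inserted somewhere outside this hunk; please confirm it exists in the file and that `include_toc` picks it up, since a renumber without the new section would leave a gap. While touching the heading, "Dropbear (Hardened Remotely Unlock)" reads better as "Dropbear (Hardened Remote Unlock)".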
@@ -152,16 +167,26 @@ dmsetup table --showkeys CHILD # expect integrity hmac sha512 4096
*Concrete selection compiled via your `localoptions.h` at ISO build time.* *Concrete selection compiled via your `localoptions.h` at ISO build time.*
# 11. Integration Points & Paths # 12. Integration Points & Paths
* **Hooks (build view):** `/usr/lib/live/boot/0025-...`, `/usr/lib/live/boot/0030-...`, `/usr/lib/live/boot/0045-...` * **Hooks (build view):**
* **Hooks (boot view):** `/scripts/live-premount/0025-...`, `/scripts/live-bottom/0030-...`, `/scripts/live-bottom/0045-...` * `/usr/lib/live/boot/0022-ciss-overlay-tmpfs`,
* `/usr/lib/live/boot/0024-ciss-crypt-squash`,
* `/usr/lib/live/boot/0026-ciss-early-sysctl`,
* `/usr/lib/live/boot/0030-ciss-verify-checksums`,
* `/usr/lib/live/boot/0042-ciss-post-decrypt-attest`,
* **Hooks (boot view):**
* `/scripts/live-premount/0022-ciss-overlay-tmpfs`,
* `/scripts/live-premount/0024-ciss-crypt-squash`,
* `/scripts/live-premount/0026-ciss-early-sysctl`,
* `/scripts/live-bottom/0030-ciss-verify-checksums`,
* `/scripts/live-bottom/0042-ciss-post-decrypt-attest`
* **Key files:** * **Key files:**
* ISO edge (for 0030): embedded public key blob (project-specific name) * ISO edge (for 0030): embedded public key blob (project-specific fpr)
* Root FS (for 0045): `/etc/ciss/keys/*.gpg` * Root FS (for 0042): `/etc/ciss/keys/<FPR>.gpg`
* **Mounts (typical):** `/run/live/rootfs`, `/run/live/overlay` * **Mounts (typical):** `/run/live/rootfs`, `/run/live/overlay`
# 12. Diagram: Trust Chain & Verification Paths # 13. Diagram: Trust Chain & Verification Paths
```mermaid ```mermaid
flowchart TD flowchart TD
@@ -170,13 +195,13 @@ flowchart TD
C -->|OK| D[LUKS open (0025)] C -->|OK| D[LUKS open (0025)]
D --> E[Mount RootFS] D --> E[Mount RootFS]
E --> F[Boot late (0045)<br/>gpgv verify + FPR pin (root key)] E --> F[Boot late (0045)<br/>gpgv verify + FPR pin (root key)]
F --> G[dmsetup health<br/>crypt(XTS) over integrity(HMAC-SHA512)] F --> G[dmsetup health<br/>crypt(XTS) over integrity(HMAC-SHA-512)]
C -- FAIL --> X[Abort] C -- FAIL --> X[Abort]
F -- FAIL --> X F -- FAIL --> X
G -- FAIL --> X G -- FAIL --> X
``` ```
# 13. Closing Remark # 14. Closing Remark
This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection against medium tampering, bitrot and active attacks **both before and after decryption**. The dual verification phases plus `dmsetup` health make the state transparent and deterministic. This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection against medium tampering, bitrot and active attacks **both before and after decryption**. The dual verification phases plus `dmsetup` health make the state transparent and deterministic.
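Review bot: the build-view hook list ends with a trailing comma on its last item (`/usr/lib/live/boot/0042-ciss-post-decrypt-attest`,) while the boot-view list does not; remove it so both lists render the same. The key-files line now says `Root FS (for 0042)` and the boot-view path uses `0042-ciss-post-decrypt-attest`, but the unchanged flowchart nodes in this hunk still read `LUKS open (0025)` and `Boot late (0045)`; update them to the 0024/0042 names (or keep the old numbering everywhere) so the trust-chain diagram matches the hook list directly above it. Small consistency nit: `project-specific fpr` should be `FPR`, the capitalization used everywhere else in the document.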