V8.13.408.2025.11.13

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/includes.chroot/root/.ciss/alias

@@ -81,6 +81,8 @@ alias ssa='systemctl status'
 alias ssf='systemctl status --failed'
 alias sysdr='systemctl daemon-reload'
 alias syses='systemctl edit'
+alias sysliboot='systemctl list-unit-files --state=enabled --type=service'
+alias syslirun='systemctl list-units --type=service --state=running'
 alias sysrl='systemctl reload'
 alias sysrs='systemctl restart'
 alias syssp='systemctl stop'

docs/CHANGELOG.md

@@ -15,9 +15,9 @@ include_toc: true
 ## V8.13.408.2025.11.13
 * **Added**: [0002_hardening_overlay_tmpfs.chroot](../config/hooks/live/0002_hardening_overlay_tmpfs.chroot) + Remount overlay root with ``nosuid,nodev``.
 * **Added**: [0100_ciss_mem_wipe.chroot](../config/hooks/live/0100_ciss_mem_wipe.chroot) + adding Tails-like memory wiping.
-* **Added**: [0022-ciss-overlay-tmpfs.sh](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs.sh) + Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
+* **Added**: [0022-ciss-overlay-tmpfs.sh](../config/includes.chroot/usr/lib/live/boot/0022-ciss-overlay-tmpfs) + Pre-create constrained tmpfs for OverlayFS upper/work before live-boot mounts overlay.
 * **Added**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash) + Open ``/live/ciss_rootfs.crypt`` (LUKS) and present its SquashFS as ``/run/live/rootfs``.
-* **Added**: [0026-ciss-early-sysctl.sh](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl.sh) + Enforce early sysctls before services start.
+* **Added**: [0026-ciss-early-sysctl.sh](../config/includes.chroot/usr/lib/live/boot/0026-ciss-early-sysctl) + Enforce early sysctls before services start.
 * **Added**: [0042-ciss-post-decrypt-attest](../config/includes.chroot/usr/lib/live/boot/0042-ciss-post-decrypt-attest) + Late rootfs attestation and dmsetup health checking.
 * **Added**: [MAN_CISS_ISO_BOOT_CHAIN.md](MAN_CISS_ISO_BOOT_CHAIN.md)
 * **Added**: [lib_ciss_signatures.sh](../lib/lib_ciss_signatures.sh) + integrated dynamic GPG FPR injection.

docs/MAN_CISS_ISO_BOOT_CHAIN.md

@@ -47,23 +47,38 @@ sequenceDiagram
 participant K as Kernel
 participant I as initramfs + live-boot
 participant D as Dropbear (optional)
-  participant C25 as CISS 0025 (live-premount)
-  participant C30 as CISS 0030 (live-bottom, early)
+participant C30 as CISS 0030 (early verify)
+participant C25 as CISS 0025 (unlock)
 participant LUKS as LUKS2 + dm-integrity
 participant RS as RootFS (SquashFS/Overlay)
-  participant C45 as CISS 0045 (live-bottom, late)
+participant C45 as CISS 0045 (late verify)
+
 
 FW->>GRUB: Load kernel + initramfs
 GRUB->>K: Boot kernel
 K->>I: Pivot to initramfs (live-boot phases)
 I->>D: (optional) Start Dropbear (remote unlock)
+
+
+I->>C30: Run 0030: Verify ISO edge (gpgv, FPR pin)
+alt 0030 OK
+C30-->>I: Verified
+else 0030 FAIL
+C30-x I: Abort boot
+end
+
+
 I->>C25: Run 0025: LUKS open (dm-crypt + integrity), mount SquashFS
 C25->>LUKS: Unlock (Argon2id PBKDF → XTS + HMAC)
-  I->>C30: Run 0030: Verify ISO edge (gpgv, FPR pin, optional self-hash)
-  C30-->>I: OK → continue; FAIL → abort
+
+
 I->>RS: Assemble overlay, switch_root
-  I->>C45: Run 0045: Verify root fs (gpgv, FPR pin) + dmsetup health
-  C45-->>I: OK → handoff to userspace; FAIL → abort
+I->>C45: Run 0045: Verify root FS (gpgv, FPR pin) + dmsetup health
+alt 0045 OK
+C45-->>I: Verified
+else 0045 FAIL
+C45-x I: Abort boot
+end
 ```
 
 # 6. LUKS/dm-integrity Layering
@@ -136,11 +151,11 @@ dmsetup table --showkeys /dev/mapper/crypt_liveiso
 dmsetup table --showkeys CHILD  # expect integrity hmac sha512 4096
 ```
 
-# 9. Failure Policy (fail-closed, deterministic)
+# 10. Failure Policy (fail-closed, deterministic)
 
 * **Abort** on: missing `VALIDSIG`, FPR mismatch, missing key/signature, or a deviating `dmsetup` topology.
 
-# 10. Dropbear (Hardened Remotely Unlock)
+# 11. Dropbear (Hardened Remotely Unlock)
 
 ```text
 • Public-key auth only, no passwords
@@ -152,16 +167,26 @@ dmsetup table --showkeys CHILD  # expect integrity hmac sha512 4096
 
 *Concrete selection compiled via your `localoptions.h` at ISO build time.*
 
-# 11. Integration Points & Paths
+# 12. Integration Points & Paths
 
-* **Hooks (build view):** `/usr/lib/live/boot/0025-...`, `/usr/lib/live/boot/0030-...`, `/usr/lib/live/boot/0045-...`
-* **Hooks (boot view):** `/scripts/live-premount/0025-...`, `/scripts/live-bottom/0030-...`, `/scripts/live-bottom/0045-...`
+* **Hooks (build view):** 
+  * `/usr/lib/live/boot/0022-ciss-overlay-tmpfs`,
+  * `/usr/lib/live/boot/0024-ciss-crypt-squash`,
+  * `/usr/lib/live/boot/0026-ciss-early-sysctl`,
+  * `/usr/lib/live/boot/0030-ciss-verify-checksums`,
+  * `/usr/lib/live/boot/0042-ciss-post-decrypt-attest`,
+* **Hooks (boot view):** 
+  * `/scripts/live-premount/0022-ciss-overlay-tmpfs`, 
+  * `/scripts/live-premount/0024-ciss-crypt-squash`,
+  * `/scripts/live-premount/0026-ciss-early-sysctl`,
+  * `/scripts/live-bottom/0030-ciss-verify-checksums`,
+  * `/scripts/live-bottom/0042-ciss-post-decrypt-attest`
 * **Key files:**
-  * ISO edge (for 0030): embedded public key blob (project-specific name)
-  * Root FS (for 0045): `/etc/ciss/keys/*.gpg`
+  * ISO edge (for 0030): embedded public key blob (project-specific fpr)
+  * Root FS (for 0042): `/etc/ciss/keys/<FPR>.gpg`
 * **Mounts (typical):** `/run/live/rootfs`, `/run/live/overlay`
 
-# 12. Diagram: Trust Chain & Verification Paths
+# 13. Diagram: Trust Chain & Verification Paths
 
 ```mermaid
 flowchart TD
@@ -170,13 +195,13 @@ flowchart TD
 C -->|OK| D[LUKS open (0025)]
 D --> E[Mount RootFS]
 E --> F[Boot late (0045)<br/>gpgv verify + FPR pin (root key)]
-  F --> G[dmsetup health<br/>crypt(XTS) over integrity(HMAC-SHA512)]
+F --> G[dmsetup health<br/>crypt(XTS) over integrity(HMAC-SHA-512)]
 C -- FAIL --> X[Abort]
 F -- FAIL --> X
 G -- FAIL --> X
 ```
 
-# 13. Closing Remark
+# 14. Closing Remark
 
 This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection against medium tampering, bitrot and active attacks **both before and after decryption**. The dual verification phases plus `dmsetup` health make the state transparent and deterministic.