V8.13.408.2025.11.13

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-13 07:21:00 +01:00
parent dc15003750
commit dae9662c02
1 changed files with 17 additions and 15 deletions
--- a/docs/MAN_CISS_ISO_BOOT_CHAIN.md
+++ b/docs/MAN_CISS_ISO_BOOT_CHAIN.md
@@ -79,12 +79,13 @@ end
 # 6. LUKS/dm-integrity Layering
 ```mermaid
-flowchart TD;
+flowchart TD
-%%
+
-A[Plain device (/live/rootfs.crypt)] --> B[dm-integrity (HMAC-SHA-512, 4 KiB)];
+
-B --> C[dm-crypt (AES-XTS-512)];
+A["Plain device (/live/rootfs.crypt)"] --> B["dm-integrity (HMAC-SHA-512, 4 KiB)"];
-C --> D[Mapped device /dev/mapper/crypt_liveiso];
+B --> C["dm-crypt (AES-XTS-512)"];
-D --> E[SquashFS mount /run/live/rootfs];
+C --> D["/dev/mapper/crypt_liveiso"];
 D --> E["SquashFS mount /run/live/rootfs"];
 ```
 **Note:** Encrypt-then-MAC at the block layer (functionally AEAD-equivalent). Any manipulation ⇒ hard I/O error.
@@ -186,15 +187,16 @@ dmsetup table --showkeys CHILD  # expect integrity hmac sha512 4096
 # 13. Diagram: Trust Chain & Verification Paths
 ```mermaid
-flowchart TD;
+flowchart TD
-%%
+
-A[Build time: pin EXP_FPR + embed ISO key] --> B[ISO artifacts: sha512sum.txt + .sig];
+
-B --> C[Boot early (0030): gpgv verify + FPR pin];
+A["Build time: pin EXP_FPR + embed ISO key"] --> B["ISO artifacts: sha512sum.txt + .sig"];
-C -->|OK| D[LUKS open (0025)];
+B --> C["Boot early (0030): gpgv verify + FPR pin"];
-D --> E[Mount RootFS];
+C -->|OK| D["LUKS open (0025)"];
-E --> F[Boot late (0045): gpgv verify + FPR pin (root key)];
+D --> E["Mount RootFS"];
-F --> G[dmsetup health: crypt(XTS) over integrity(HMAC-SHA-512)];
+E --> F["Boot late (0045): gpgv verify + FPR pin (root key)"];
-C -- FAIL --> X[Abort];
+F --> G["dmsetup health: crypt(XTS) over integrity(HMAC-SHA-512)"];
 C -- FAIL --> X["Abort"];
 F -- FAIL --> X;
 G -- FAIL --> X;
 ```