V9.14.008.2026.06.04

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

README.md

@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.004.2026.05.17-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.008.2026.06.04-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
  
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/)  
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2)  
@@ -27,7 +27,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.004.2026.05.17<br>
+**Build**: V9.14.008.2026.06.04<br>
 
 **CISS.debian.live.builder — First of its own.**<br>
 **World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.**
@@ -175,7 +175,7 @@ installer toolchain.
 
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
 
-Example: `V9.14.004.2026.05.17`
+Example: `V9.14.008.2026.06.04`
 
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
 
@@ -237,7 +237,7 @@ deliberate design decision.
 
 ### 2.1.2. CPU Vulnerability Mitigations
 
-I build the kernels with the relevant mitigations for Spectre, Meltdown, L1TF, MDS, TAA, Retbleed, and related families activated. 
+I build the kernels with the relevant mitigations for Specter, Meltdown, L1TF, MDS, TAA, Retbleed, and related families activated. 
 The ``mitigations=auto,nosmt`` flag ensures that new mitigations integrated into the mainline kernel become effective as they 
 are added, instead of requiring that I micromanage every single toggle. The residual performance cost is acceptable in the 
 context I am targeting; stale mitigations can be revisited, but missing mitigations will not be.
@@ -514,6 +514,8 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e
      --reionice-priority 1 2 \
      --renice-priority "-19" \
      --root-password-file /dev/shm/cdlb_secrets/password.txt \
+     --secure-boot-profile debian-shim \
+     --sops-version 3.13.0 \
      --signing_key_fpr=98089A472CCF4601CD51D7C7095D36535296EA14B8DE92198723C4DC606E8F76 \
      --signing_key_pass=signing_key_pass.txt \
      --signing_key=signing_key.asc \
@@ -523,6 +525,11 @@ To use **``CISS.debian.live.builder``** as intended, the following baseline is e
      --trixie
    ````
 
+   `--sops-version` selects the upstream SOPS release installed into the live system. If omitted, the builder uses
+   `VAR_SOPS_VERSION` from `var/global.var.sh`. The SOPS hook verifies the upstream checksums file with Cosign and supports
+   both the newer Sigstore bundle asset and the legacy split certificate/signature assets before checking the downloaded
+   SOPS binary with `sha256sum -c --ignore-missing`.
+
 4. Locate your ISO in the `--build-directory`.
 5. Boot from the ISO and login to the live image via the console, or the multi-layer secured **coresecret** SSH tunnel.
 6. Type `sysp` for the final kernel hardening features.
@@ -556,6 +563,8 @@ preview it or run it.
     ````bash
     BUILD_DIR=/opt/cdlb
     ROOT_PASSWORD_FILE=/dev/shm/cdlb_secrets/password.txt
+    SECURE_BOOT_PROFILE=debian-shim
+    SOPS_VERSION=3.13.0
     SSH_PORT=4242
     SSH_PUBKEY=/dev/shm/cdlb_secrets
 
@@ -569,7 +578,31 @@ preview it or run it.
 
 4. Execute the build: ````make live````
 
-## 5.3. CI/CD Gitea Runner Workflow Example
+## 5.3. Secure Boot Profiles
+
+The default build profile is ``--secure-boot-profile debian-shim``. It keeps the ISO broadly portable: ``lb config`` uses an
+``iso-hybrid`` image with both ``grub-pc`` and ``grub-efi`` bootloaders, and UEFI Secure Boot remains delegated to live-build's
+standard Microsoft-signed Debian shim plus Debian-signed GRUB path.
+
+The custom profile is ``--secure-boot-profile ciss-uki``. It is intended for amd64 systems whose firmware trusts the CISS Secure
+Boot key material through the platform Secure Boot database, or a custom PK/KEK/db model. In this profile a late binary hook
+builds a Unified Kernel Image from the final ``binary/live/vmlinuz-*`` and ``binary/live/initrd.img-*`` artifacts, signs it with
+``ciss.secureboot/private/ciss-efi-image.key`` and ``ciss.secureboot/public/ciss-efi-image.crt``, rebuilds
+``binary/boot/grub/efi.img``, installs the signed UKI as ``EFI/BOOT/BOOTX64.EFI``, and mirrors it into the ISO EFI tree when
+live-build created one.
+
+Required files for ``ciss-uki``:
+
+````text
+ciss.secureboot/private/ciss-efi-image.key
+ciss.secureboot/public/ciss-efi-image.crt
+````
+
+The private directory is ignored by Git. The hooks fail if the CISS EFI image signing key or module signing key appears below
+``binary/``, ``chroot/`` or ``config/includes.*``. Build-time UKI manifests are written below the build directory in
+``ciss.secureboot/manifests`` and can be checked with ``ukify inspect`` and ``sbverify``.
+
+## 5.4. CI/CD Gitea Runner Workflow Example
 
 1. Clone the repository: