V9.14.008.2026.06.04

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-04 18:19:09 +01:00
parent c80b45417f
commit ec3aca7fc8
119 changed files with 931 additions and 392 deletions
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.004.2026.05.17<br>
+**Build**: V9.14.008.2026.06.04<br>

 # 2. DNSSEC Status

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.004.2026.05.17<br>
+**Build**: V9.14.008.2026.06.04<br>

 # 2. Haveged Audit on Netcup RS 2000 G11

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.004.2026.05.17<br>
+**Build**: V9.14.008.2026.06.04<br>

 # 2. Lynis Audit:

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.004.2026.05.17<br>
+**Build**: V9.14.008.2026.06.04<br>

 # 2. SSH Audit by ssh-audit.com

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.004.2026.05.17<br>
+**Build**: V9.14.008.2026.06.04<br>

 # 2. TLS Audit:
 ````text
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.004.2026.05.17<br>
+**Build**: V9.14.008.2026.06.04<br>

 # 2. Hardened Kernel Boot Parameters

@@ -8,10 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.004.2026.05.17<br>
+**Build**: V9.14.008.2026.06.04<br>

 # 2. Changelog

+## V9.14.008.2026.06.04
+tba
+
 ## V9.14.004.2026.05.17
 * **Added**: [AGENTS.md](../AGENTS.md)
 * **Added**: [code_review.md](../code_review.md)
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.004.2026.05.17<br>
+**Build**: V9.14.008.2026.06.04<br>

 # 2. Centurion Net - Developer Branch Overview

@@ -10,23 +10,27 @@ include_toc: true

 # 2. Purpose

-This document defines the coding and review conventions for this repository.
+This document defines the coding and review conventions for this repository. This file is the detailed engineering convention.

 The project builds Debian-based live and installer infrastructure. Treat every change as security-sensitive and
 boot-chain-sensitive, especially changes that affect initramfs behavior, encrypted SquashFS handling, LUKS, Dropbear, GRUB,
 checksums, signatures, package sources, hardening settings, or network exposure.

+`AGENTS.md` is the short operational guide for Codex.
+`code_review.md` is used for review tasks and final self-review.
+
 # 3. Change discipline

-* Keep changes small, local, and reviewable.
-* Make one functional change per pull request or patch set.
-* Preserve existing architecture, naming style, error handling, formatting, and security posture.
-* Do not introduce Ubuntu-specific assumptions. The default target distribution is Debian 13 Trixie.
-* Do not invent live-build, live-boot, initramfs, cryptsetup, GRUB, systemd, or Debian package behavior. Verify against existing
-  code or authoritative Debian/upstream documentation.
-* Do not weaken cryptography, authentication, sandboxing, permission checks, TLS verification, signature verification, checksum
-  verification, or input validation unless the task explicitly requires it and the risk is documented.
-* Prefer simple, inspectable Bash over clever abstractions.
+* Keep changes small, local, and reviewable. 
+* Make one functional change per patch set. 
+* Preserve existing architecture, naming style, error handling, formatting, and security posture. 
+* Do not introduce Ubuntu-specific assumptions. 
+* Target Debian 13 Trixie unless explicitly instructed otherwise. 
+* Do not invent live-build, live-boot, initramfs, cryptsetup, GRUB, systemd, Debian package, or upstream tool behavior. 
+* Verify uncertain behavior against repository code or authoritative upstream documentation. 
+* Do not weaken cryptography, authentication, sandboxing, permission checks, TLS verification, signature verification, checksum verification, provenance verification, or input validation unless explicitly requested and documented. 
+* Prefer simple, inspectable Bash over clever abstractions. 
+* Do not perform unrelated cleanup or formatting churn.

 # 4. Boot and build phases

@@ -123,7 +127,7 @@ Run the narrowest checks that prove the change:
 * Live-build, initramfs, or ISO behavior changes: document the required Debian Trixie build validation command, normally
  `make live` or the equivalent `./ciss_live_builder.sh ...` invocation.

-If a relevant check cannot be run in the current environment, state the exact reason and the command that should be run locally.
+If a relevant check cannot be run in the current environment, state the exact reason, and the command that should be run locally.

 # 12. Code review

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.004.2026.05.17<br>
+**Build**: V9.14.008.2026.06.04<br>

 # 2. Contributing / participating

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.004.2026.05.17<br>
+**Build**: V9.14.008.2026.06.04<br>

 # 2. Credits

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.004.2026.05.17<br>
+**Build**: V9.14.008.2026.06.04<br>

 # 2. Download the latest PUBLIC CISS.debian.live.ISO

@@ -8,18 +8,18 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.004.2026.05.17<br>
+**Build**: V9.14.008.2026.06.04<br>

 # 2.1. Usage
 ````text
                        CDLB(1)                        CISS.debian.live.builder                        CDLB(1)

 CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V9.14.004.2026.05.17
+Master V9.14.008.2026.06.04
 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.

-(c) Marc S. Weidner, 2018 - 2025
-(p) Centurion Press, 2024 - 2025
+(c) Marc S. Weidner, 2018 - 2026
+(p) Centurion Press, 2024 - 2026

 ./ciss_live_builder.sh <option>, where <option> is one or more of:

@@ -71,6 +71,14 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
    <./upgrades/dropbear/dropbear-<STRING>.tar.bz2>
    If omitted defaults to VAR_DROPBEAR_VERSION from <./var/global.var.sh>.

+  --sops-version <STRING>
+    Selects the upstream SOPS release version used for the SOPS binary installed into the Live System.
+    The value MUST be a semantic version such as '3.13.1'. A leading 'v' is accepted and normalized.
+    The expected amd64 upstream asset is:
+    <https://github.com/getsops/sops/releases/download/v<STRING>/sops-v<STRING>.linux.amd64>
+    SOPS checksums are verified with Cosign using either Sigstore bundle mode or legacy split certificate/signature mode.
+    If omitted defaults to VAR_SOPS_VERSION from <./var/global.var.sh>.
+
  --jump-host <IP | IP | ... >
    Provide up to 10 IPs for '/etc/host.allow' whitelisting of SSH access. Could be either IPv4 and / or IPv6
    addresses and / or CCDIR notation. If provided, than it MUST be a <SPACE> separated list.
@@ -117,6 +125,14 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
    MUST be placed in:
    </dev/shm/cdlb_secrets/password.txt>

+  --secure-boot-profile <STRING> one of <debian-shim | ciss-uki>
+    Selects the UEFI Secure Boot profile. Defaults to 'debian-shim'.
+    'debian-shim' keeps the Microsoft-signed Debian shim and signed GRUB path.
+    'ciss-uki' builds a CISS-signed UKI and installs it as 'EFI/BOOT/BOOTX64.EFI'.
+    The 'ciss-uki' profile requires:
+      <./ciss.secureboot/private/ciss-efi-image.key>
+      <./ciss.secureboot/public/ciss-efi-image.crt>
+
  --signing_key=* and --signing_key_fpr=*. Optional: --signing_key_pass=* --signing_ca=*
    The GPG private keyring that should be used for signing artifacts such as checksum hashes and scripts is
    specified via '--signing_key=*'. If the keyring is protected, then provide the passphrase in its own file.
@@ -152,7 +168,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 💷 Please consider donating to my work at:
 🌐 https://coresecret.eu/spenden/

-                        V9.14.004.2026.05.17                        2025-11-06                         CDLB(1)
+                        V9.14.008.2026.06.04                        2026-05-17                         CDLB(1)
 ````

 # 3. Booting
@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.004.2026.05.17<br>
+**Build**: V9.14.008.2026.06.04<br>

 # 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation)

 **Status:** 2025-11-12<br>
 **Audience:** CICA CISO, CISS staff, technically proficient administrators<br>
-**Summary:** The **CISS.debian.live.builder** Live-ISO establishes a two-stage verification chain without Microsoft-db: an early ISO-edge check (signature and FPR pin) *before* LUKS unlock, and a late root-FS attestation *after* unlock, reinforced by `dm-crypt (AES-XTS)` and `dm-integrity (HMAC-SHA-512)`.<br>
+**Summary:** The **CISS.debian.live.builder** Live-ISO establishes a two-stage verification chain around the live root: an early ISO-edge check (signature and FPR pin) *before* LUKS unlock, and a late root-FS attestation *after* unlock, reinforced by `dm-crypt (AES-XTS)` and `dm-integrity (HMAC-SHA-512)`. UEFI Secure Boot can use either the default Microsoft/Debian shim chain, or a CISS-signed UKI chain for systems that trust the CISS Secure Boot key material.<br>

 # 3. Overview

@@ -27,6 +27,26 @@ include_toc: true
 * **Storage-level AEAD (functional):** `dm-crypt` (AES-XTS-512) and `dm-integrity` (HMAC-SHA-512, 4 KiB).
 * **Remotely unlock:** CISS hardened and build dropbear, modern primitives only, no passwords, no agent/forwarding.

+# 3.1. Secure Boot Profiles
+
+The builder supports two built-time Secure Boot profiles:
+
+* `debian-shim` (default): keeps the broadly portable live-build path. The ISO is built as `iso-hybrid` with BIOS and UEFI
+  bootloaders, and UEFI Secure Boot loads the Microsoft-signed Debian shim before Debian-signed GRUB.
+* `ciss-uki`: intended for amd64 systems whose firmware trusts the CISS Secure Boot public key through db, or a custom
+  PK/KEK/db model. A late binary hook builds and signs a UKI from the final `binary/live/vmlinuz-*` and
+  `binary/live/initrd.img-*` artifacts, then installs it as `EFI/BOOT/BOOTX64.EFI` inside `binary/boot/grub/efi.img` and
+  mirrors it into the ISO EFI tree when live-build created one.
+
+The `ciss-uki` path is:
+
+```text
+UEFI firmware -> EFI/BOOT/BOOTX64.EFI (CISS-signed UKI) -> Linux
+```
+
+The private EFI signing key remains outside `binary/`, `chroot/` and `config/includes.*`; the binary hooks fail if the CISS
+private Secure Boot key names are detected in those paths before live-build checksum generation.
+
 # 4. Primitives & Parameters

 | Component    | Primitive / Parameter                                     | Purpose                                                |
@@ -52,12 +72,16 @@ flowchart TD
  end

  subgraph Trusted Secure Boot
-    0030 e03@--> |SUCCESSFUL| 0040["Secure Boot: load & verify \\EFI\\BOOT\\BOOTX64.EFI (shim)"];
-    0040 e04@--> |SUCCESSFUL| 0050["shim: load & verify \\EFI\\BOOT\\GRUBX64.EFI"];
+    0030 e03@--> |debian-shim| 0040["Secure Boot: load & verify \EFI\BOOT\BOOTX64.EFI (shim)"];
+    0040 e04@--> |SUCCESSFUL| 0050["shim: load & verify \EFI\BOOT\GRUBX64.EFI"];
    0050 e05@--> 0060["GRUB: load vmlinuz + initrd.img, set cmdline"];
+    0030 e06a@--> |ciss-uki| 0045["Secure Boot: load & verify \EFI\BOOT\BOOTX64.EFI (CISS UKI)"];
+    0045 e06b@--> 0060;
    e03@{ animation: fast }
    e04@{ animation: fast }
    e05@{ animation: fast }
+    e06a@{ animation: fast }
+    e06b@{ animation: fast }

  end

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.004.2026.05.17<br>
+**Build**: V9.14.008.2026.06.04<br>

 # 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.004.2026.05.17<br>
+**Build**: V9.14.008.2026.06.04<br>

 # 2. Resources

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.004.2026.05.17<br>
+**Build**: V9.14.008.2026.06.04<br>

 # 2. ``30-ciss-hardening.conf``

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.004.2026.05.17<br>
+**Build**: V9.14.008.2026.06.04<br>

 # 2. ``90-ciss-local.hardened``

@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.004.2026.05.17<br>
+**Build**: V9.14.008.2026.06.04<br>

 # 2. ``ciss_live_builder.sh``