V9.14.008.2026.06.04

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-04 18:19:09 +01:00
parent c80b45417f
commit ec3aca7fc8
119 changed files with 931 additions and 392 deletions
@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.004.2026.05.17<br>
+**Build**: V9.14.008.2026.06.04<br>

 # 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation)

 **Status:** 2025-11-12<br>
 **Audience:** CICA CISO, CISS staff, technically proficient administrators<br>
-**Summary:** The **CISS.debian.live.builder** Live-ISO establishes a two-stage verification chain without Microsoft-db: an early ISO-edge check (signature and FPR pin) *before* LUKS unlock, and a late root-FS attestation *after* unlock, reinforced by `dm-crypt (AES-XTS)` and `dm-integrity (HMAC-SHA-512)`.<br>
+**Summary:** The **CISS.debian.live.builder** Live-ISO establishes a two-stage verification chain around the live root: an early ISO-edge check (signature and FPR pin) *before* LUKS unlock, and a late root-FS attestation *after* unlock, reinforced by `dm-crypt (AES-XTS)` and `dm-integrity (HMAC-SHA-512)`. UEFI Secure Boot can use either the default Microsoft/Debian shim chain, or a CISS-signed UKI chain for systems that trust the CISS Secure Boot key material.<br>

 # 3. Overview

@@ -27,6 +27,26 @@ include_toc: true
 * **Storage-level AEAD (functional):** `dm-crypt` (AES-XTS-512) and `dm-integrity` (HMAC-SHA-512, 4 KiB).
 * **Remotely unlock:** CISS hardened and build dropbear, modern primitives only, no passwords, no agent/forwarding.

+# 3.1. Secure Boot Profiles
+
+The builder supports two built-time Secure Boot profiles:
+
+* `debian-shim` (default): keeps the broadly portable live-build path. The ISO is built as `iso-hybrid` with BIOS and UEFI
+  bootloaders, and UEFI Secure Boot loads the Microsoft-signed Debian shim before Debian-signed GRUB.
+* `ciss-uki`: intended for amd64 systems whose firmware trusts the CISS Secure Boot public key through db, or a custom
+  PK/KEK/db model. A late binary hook builds and signs a UKI from the final `binary/live/vmlinuz-*` and
+  `binary/live/initrd.img-*` artifacts, then installs it as `EFI/BOOT/BOOTX64.EFI` inside `binary/boot/grub/efi.img` and
+  mirrors it into the ISO EFI tree when live-build created one.
+
+The `ciss-uki` path is:
+
+```text
+UEFI firmware -> EFI/BOOT/BOOTX64.EFI (CISS-signed UKI) -> Linux
+```
+
+The private EFI signing key remains outside `binary/`, `chroot/` and `config/includes.*`; the binary hooks fail if the CISS
+private Secure Boot key names are detected in those paths before live-build checksum generation.
+
 # 4. Primitives & Parameters

 | Component    | Primitive / Parameter                                     | Purpose                                                |
@@ -52,12 +72,16 @@ flowchart TD
  end

  subgraph Trusted Secure Boot
-    0030 e03@--> |SUCCESSFUL| 0040["Secure Boot: load & verify \\EFI\\BOOT\\BOOTX64.EFI (shim)"];
-    0040 e04@--> |SUCCESSFUL| 0050["shim: load & verify \\EFI\\BOOT\\GRUBX64.EFI"];
+    0030 e03@--> |debian-shim| 0040["Secure Boot: load & verify \EFI\BOOT\BOOTX64.EFI (shim)"];
+    0040 e04@--> |SUCCESSFUL| 0050["shim: load & verify \EFI\BOOT\GRUBX64.EFI"];
    0050 e05@--> 0060["GRUB: load vmlinuz + initrd.img, set cmdline"];
+    0030 e06a@--> |ciss-uki| 0045["Secure Boot: load & verify \EFI\BOOT\BOOTX64.EFI (CISS UKI)"];
+    0045 e06b@--> 0060;
    e03@{ animation: fast }
    e04@{ animation: fast }
    e05@{ animation: fast }
+    e06a@{ animation: fast }
+    e06b@{ animation: fast }

  end