diff --git a/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash b/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash
index 158b83a..3eb24d4 100644
--- a/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash
+++ b/config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash
@@ -295,6 +295,10 @@ export CDLB_MAPPER_NAME="crypt_liveiso"
 export CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
 export CDLB_MNT_MEDIUM="/run/live/medium"
 export CDLB_MNT_ROOTFS="/run/live/rootfs"
+export CDLB_ROOTFS_ATTEST_NAME="filesystem.squashfs.sha512sum.txt"
+export CDLB_ROOTFS_ATTEST_CACHE_DIR="/run/ciss-rootfs-attestation"
+export CDLB_ROOTFS_ATTEST_MANIFEST="${CDLB_ROOTFS_ATTEST_CACHE_DIR}/${CDLB_ROOTFS_ATTEST_NAME}"
+export CDLB_ROOTFS_ATTEST_SIGNATURE="${CDLB_ROOTFS_ATTEST_MANIFEST}.sig"
 export CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}"
 _PARAMETER=""
 _dev=""
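Review bot: The new exports hard-code a cache location and manifest name that 0042_ciss_post_decrypt_attest also carries as `:-` defaults (its `CDLB_ROOTFS_ATTEST_NAME` line and the added `CDLB_ROOTFS_ATTEST_CACHE_DIR` line in this same commit), and nothing at the export site records that the two files must stay in step. A comment above `export CDLB_ROOTFS_ATTEST_NAME=...` such as `# Signed rootfs manifest is cached under CDLB_ROOTFS_ATTEST_CACHE_DIR; 0042_ciss_post_decrypt_attest resolves the cache first and mirrors these defaults.` would make that coupling visible to whoever renames either value. It is also worth noting in the same comment that `CDLB_ROOTFS_ATTEST_MANIFEST` is now exported with the cache path, so 0042's medium-based default for that variable no longer applies when the exports reach it.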
@@ -377,6 +381,38 @@ fi
 printf "\e[92m[INFO] CISS LUKS FS : [%s%s] \n\e[0m" "${CDLB_MNT_MEDIUM}" "${CDLB_LUKS_FS}"
+### Preserve rootfs attestation evidence before live-boot may replace or unmount the medium view. -----------------------------
+CDLB_ROOTFS_ATTEST_SOURCE="${CDLB_MNT_MEDIUM}/live/${CDLB_ROOTFS_ATTEST_NAME}"
+CDLB_ROOTFS_ATTEST_SOURCE_SIG="${CDLB_ROOTFS_ATTEST_SOURCE}.sig"
+
+if [ ! -f "${CDLB_ROOTFS_ATTEST_SOURCE}" ] || [ ! -f "${CDLB_ROOTFS_ATTEST_SOURCE_SIG}" ]; then
+
+ printf "\e[91m[FATAL] Boot failure : Rootfs attestation artifacts not found on live medium: [%s] [%s] \n\e[0m" \
+ "${CDLB_ROOTFS_ATTEST_SOURCE}" "${CDLB_ROOTFS_ATTEST_SOURCE_SIG}"
+ sleep 8
+ log "[FATAL] Boot failure : Rootfs attestation artifacts not found on live medium: [${CDLB_ROOTFS_ATTEST_SOURCE}] [${CDLB_ROOTFS_ATTEST_SOURCE_SIG}]"
+ panic "[FATAL] Boot failure : Rootfs attestation artifacts not found on live medium: [${CDLB_ROOTFS_ATTEST_SOURCE}] [${CDLB_ROOTFS_ATTEST_SOURCE_SIG}]"
+
+fi
+
+mkdir -p "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"
+
+if ! cp "${CDLB_ROOTFS_ATTEST_SOURCE}" "${CDLB_ROOTFS_ATTEST_MANIFEST}" || \
+ ! cp "${CDLB_ROOTFS_ATTEST_SOURCE_SIG}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}"; then
+
+ printf "\e[91m[FATAL] Boot failure : Failed to preserve rootfs attestation artifacts in: [%s] \n\e[0m" \
+ "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"
+ sleep 8
+ log "[FATAL] Boot failure : Failed to preserve rootfs attestation artifacts in: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
+ panic "[FATAL] Boot failure : Failed to preserve rootfs attestation artifacts in: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
+
+fi
+
+chmod 0444 "${CDLB_ROOTFS_ATTEST_MANIFEST}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}" 2>&- || true
+
+printf "\e[92m[INFO] Rootfs attestation : Preserved [%s] and [%s] \n\e[0m" \
+ "${CDLB_ROOTFS_ATTEST_MANIFEST}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}"
+
 ### Attach a loop device read-only to the encrypted file. ----------------------------------------------------------------------
 if !
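Review bot: `mkdir -p "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"` carries no status check, so when the cache directory cannot be created the failure only surfaces one step later as a copy error whose message names the directory but not the cause. The same printf/sleep/log/panic sequence used for the two other fatal paths fits here, opened with `if ! mkdir -p "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"; then`. The combined `if ! cp ... || ! cp ...` likewise reports neither which of the two files failed nor cp's own stderr text, which is what an operator needs to tell a damaged or partially written medium from a full or read-only `/run`; copying each file in its own guarded step, or including the source path in the message, would keep that distinction on the console. The preservation step also runs before any signature check, which is fine as the comment states its purpose, but a short note that verification happens later in 0042 would stop a reader from looking for it here.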
LOOP="$(losetup -f --show -r "${CDLB_MNT_MEDIUM}${CDLB_LUKS_FS}")"; then
@@ -587,6 +623,10 @@ export CDLB_MAPPER_NAME=${CDLB_MAPPER_NAME}
 export CDLB_MAPPER_DEV=${CDLB_MAPPER_DEV}
 export CDLB_MNT_MEDIUM=${CDLB_MNT_MEDIUM}
 export CDLB_MNT_ROOTFS=${CDLB_MNT_ROOTFS}
+export CDLB_ROOTFS_ATTEST_NAME=${CDLB_ROOTFS_ATTEST_NAME}
+export CDLB_ROOTFS_ATTEST_CACHE_DIR=${CDLB_ROOTFS_ATTEST_CACHE_DIR}
+export CDLB_ROOTFS_ATTEST_MANIFEST=${CDLB_ROOTFS_ATTEST_MANIFEST}
+export CDLB_ROOTFS_ATTEST_SIGNATURE=${CDLB_ROOTFS_ATTEST_SIGNATURE}
 export CDLB_REMOTE_WAIT_SECS=${CDLB_REMOTE_WAIT_SECS}
 EOF
 chmod 0444 /run/ciss-rootdev 2>&- || true
diff --git a/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest b/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest
index 3a71352..541def1 100644
--- a/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest
+++ b/config/includes.chroot/usr/lib/live/boot/0042_ciss_post_decrypt_attest
@@ -23,7 +23,7 @@
 # SHA-512 digest and the exact byte length; allocation slack after that SquashFS payload is intentionally out of scope.
 # - Panics on missing, malformed, unauthentic, or mismatched evidence.
-#set -eu
+set -eu
 printf "\e[95m[INFO] Starting : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] \n\e[0m"
@@ -42,6 +42,7 @@ export CDLB_MNT_MEDIUM="${CDLB_MNT_MEDIUM:-/run/live/medium}"
 CDLB_ROOTFS_ATTEST_NAME="${CDLB_ROOTFS_ATTEST_NAME:-filesystem.squashfs.sha512sum.txt}"
 CDLB_ROOTFS_ATTEST_MANIFEST="${CDLB_ROOTFS_ATTEST_MANIFEST:-${CDLB_MNT_MEDIUM}/live/${CDLB_ROOTFS_ATTEST_NAME}}"
 CDLB_ROOTFS_ATTEST_SIGNATURE="${CDLB_ROOTFS_ATTEST_SIGNATURE:-${CDLB_ROOTFS_ATTEST_MANIFEST}.sig}"
+CDLB_ROOTFS_ATTEST_CACHE_DIR="${CDLB_ROOTFS_ATTEST_CACHE_DIR:-/run/ciss-rootfs-attestation}"
 CDLB_ROOTFS_ATTEST_CHECK="${CDLB_ROOTFS_ATTEST_CHECK:-/run/ciss-rootfs-attestation.sha512sum}"
 CDLB_KEY_DIR="${CDLB_KEY_DIR:-/etc/ciss/keys}"
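Review bot: Turning the commented `#set -eu` into a live `set -eu` changes the options of whichever shell runs this file, and the hunk does not show how 0042 is invoked; if it is sourced by the live-boot driver, as hooks under `/lib/live/boot/` conventionally are, rather than executed as its own process, `-e` and `-u` stay in force for the driver and every later hook, and an unset-variable reference elsewhere becomes an unexplained boot abort. The fallback `panic()` in this file's `@@ -78,10 +79,9 @@` hunk shares the concern, since its `exit 1` would then terminate the sourcing shell instead of this script. The previous state, with the line commented out, may have been deliberate for exactly this reason, so the intended execution model should be recorded beside the new line, e.g. `# Runs as a standalone process: -e/-u are not expected to leak into a sourcing shell.`. If sourcing is possible, guarding the line on how the file was entered, for instance `case "$0" in *0042_ciss_post_decrypt_attest) set -eu ;; esac`, keeps the strict mode local to a direct execution.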
@@ -78,10 +79,9 @@ log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }
 if ! command -v panic >/dev/null 2>&1; then
 panic() {
- log_er "DEBUG: panic suppressed: ${*}"
- printf '%s\n' "0042 DEBUG: panic suppressed: ${*}" >/dev/console 2>/dev/null || :
- sleep 3
- return 0
+ log_er "${*}"
+ printf '%s\n' "0042 FATAL: ${*}" >/dev/console 2>/dev/null || :
+ exit 1
 }
 fi
@@ -161,6 +161,17 @@ resolve_rootfs_attestation_artifacts() {
 fi
+ manifest_path="${CDLB_ROOTFS_ATTEST_CACHE_DIR}/${CDLB_ROOTFS_ATTEST_NAME}"
+ signature_path="${manifest_path}.sig"
+
+ if [ -f "${manifest_path}" ] && [ -f "${signature_path}" ]; then
+
+ CDLB_ROOTFS_ATTEST_MANIFEST="${manifest_path}"
+ CDLB_ROOTFS_ATTEST_SIGNATURE="${signature_path}"
+ return 0
+
+ fi
+
 for medium_path in "${CDLB_MNT_MEDIUM}" /run/live/medium /lib/live/mount/medium /cdrom; do
 [ -n "${medium_path}" ] || continue
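Review bot: The fallback `panic()` now terminates with `exit 1`, but its only diagnostics are `log_er`, which per the hunk-header definition prints to stdout, and a best-effort write to `/dev/console` that is silently dropped when the device is absent; when this fallback is in use (outside the initramfs, where the real `panic` is not found) stdout is commonly captured or redirected, and the reason for the non-zero exit is then lost. Adding a stderr line alongside the console write, `printf '%s\n' "0042 FATAL: ${*}" >&2`, keeps the reason with the exit status. Since `log_er` already prefixes `[FATAL]`, the `0042 FATAL:` prefix on the console line duplicates it when console and stdout are the same tty; harmless, but a one-line comment on why both paths exist would help.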