V9.14.026.2026.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash

@@ -295,6 +295,10 @@ export CDLB_MAPPER_NAME="crypt_liveiso"
 export CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
 export CDLB_MNT_MEDIUM="/run/live/medium"
 export CDLB_MNT_ROOTFS="/run/live/rootfs"
+export CDLB_ROOTFS_ATTEST_NAME="filesystem.squashfs.sha512sum.txt"
+export CDLB_ROOTFS_ATTEST_CACHE_DIR="/run/ciss-rootfs-attestation"
+export CDLB_ROOTFS_ATTEST_MANIFEST="${CDLB_ROOTFS_ATTEST_CACHE_DIR}/${CDLB_ROOTFS_ATTEST_NAME}"
+export CDLB_ROOTFS_ATTEST_SIGNATURE="${CDLB_ROOTFS_ATTEST_MANIFEST}.sig"
 export CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}"
 _PARAMETER=""
 _dev=""
@@ -377,6 +381,38 @@ fi
 
 printf "\e[92m[INFO] CISS LUKS FS         : [%s%s] \n\e[0m" "${CDLB_MNT_MEDIUM}" "${CDLB_LUKS_FS}"
 
+### Preserve rootfs attestation evidence before live-boot may replace or unmount the medium view. -----------------------------
+CDLB_ROOTFS_ATTEST_SOURCE="${CDLB_MNT_MEDIUM}/live/${CDLB_ROOTFS_ATTEST_NAME}"
+CDLB_ROOTFS_ATTEST_SOURCE_SIG="${CDLB_ROOTFS_ATTEST_SOURCE}.sig"
+
+if [ ! -f "${CDLB_ROOTFS_ATTEST_SOURCE}" ] || [ ! -f "${CDLB_ROOTFS_ATTEST_SOURCE_SIG}" ]; then
+
+  printf "\e[91m[FATAL] Boot failure        : Rootfs attestation artifacts not found on live medium: [%s] [%s] \n\e[0m" \
+    "${CDLB_ROOTFS_ATTEST_SOURCE}" "${CDLB_ROOTFS_ATTEST_SOURCE_SIG}"
+  sleep 8
+  log   "[FATAL] Boot failure        : Rootfs attestation artifacts not found on live medium: [${CDLB_ROOTFS_ATTEST_SOURCE}] [${CDLB_ROOTFS_ATTEST_SOURCE_SIG}]"
+  panic "[FATAL] Boot failure        : Rootfs attestation artifacts not found on live medium: [${CDLB_ROOTFS_ATTEST_SOURCE}] [${CDLB_ROOTFS_ATTEST_SOURCE_SIG}]"
+
+fi
+
+mkdir -p "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"
+
+if ! cp "${CDLB_ROOTFS_ATTEST_SOURCE}" "${CDLB_ROOTFS_ATTEST_MANIFEST}" || \
+   ! cp "${CDLB_ROOTFS_ATTEST_SOURCE_SIG}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}"; then
+
+  printf "\e[91m[FATAL] Boot failure        : Failed to preserve rootfs attestation artifacts in: [%s] \n\e[0m" \
+    "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"
+  sleep 8
+  log   "[FATAL] Boot failure        : Failed to preserve rootfs attestation artifacts in: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
+  panic "[FATAL] Boot failure        : Failed to preserve rootfs attestation artifacts in: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
+
+fi
+
+chmod 0444 "${CDLB_ROOTFS_ATTEST_MANIFEST}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}" 2>&- || true
+
+printf "\e[92m[INFO] Rootfs attestation   : Preserved [%s] and [%s] \n\e[0m" \
+  "${CDLB_ROOTFS_ATTEST_MANIFEST}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}"
+
 ### Attach a loop device read-only to the encrypted file. ----------------------------------------------------------------------
 if ! LOOP="$(losetup -f --show -r "${CDLB_MNT_MEDIUM}${CDLB_LUKS_FS}")"; then
 
@@ -587,6 +623,10 @@ export CDLB_MAPPER_NAME=${CDLB_MAPPER_NAME}
 export CDLB_MAPPER_DEV=${CDLB_MAPPER_DEV}
 export CDLB_MNT_MEDIUM=${CDLB_MNT_MEDIUM}
 export CDLB_MNT_ROOTFS=${CDLB_MNT_ROOTFS}
+export CDLB_ROOTFS_ATTEST_NAME=${CDLB_ROOTFS_ATTEST_NAME}
+export CDLB_ROOTFS_ATTEST_CACHE_DIR=${CDLB_ROOTFS_ATTEST_CACHE_DIR}
+export CDLB_ROOTFS_ATTEST_MANIFEST=${CDLB_ROOTFS_ATTEST_MANIFEST}
+export CDLB_ROOTFS_ATTEST_SIGNATURE=${CDLB_ROOTFS_ATTEST_SIGNATURE}
 export CDLB_REMOTE_WAIT_SECS=${CDLB_REMOTE_WAIT_SECS}
 EOF
 chmod 0444 /run/ciss-rootdev 2>&- || true