V9.14.028.2026.06.18

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
V9.14.026.2026.06.17
2026-06-18 10:49:41 +01:00 · 2026-06-18 06:46:41 +01:00 · 2026-06-17 21:55:52 +01:00 · 2026-06-17 18:44:12 +01:00 · 2026-06-17 17:14:45 +01:00 · 2026-06-17 16:31:47 +01:00
55 changed files with 581 additions and 258 deletions
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.024.2026.06.11
+# Version Master V9.14.028.2026.06.18
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.024.2026.06.11
+# Version Master V9.14.028.2026.06.18
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.024.2026.06.11
+# Version Master V9.14.028.2026.06.18
 name: 💙 Generating a PUBLIC Live ISO.
@@ -25,7 +25,7 @@ body:
    attributes:
      label: "Version"
      description: "Which version are you running? Use `./ciss_live_builder.sh -v`."
-      placeholder: "e.g., Master V9.14.024.2026.06.11"
+      placeholder: "e.g., Master V9.14.028.2026.06.18"
    validations:
      required: true
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.024.2026.06.11
+# Version Master V9.14.028.2026.06.18
 FROM debian:bookworm
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.024.2026.06.11
+# Version Master V9.14.028.2026.06.18
 name: 🔁 Render README.md to README.html.
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V9.14.024.2026.06.11
+  version: V9.14.028.2026.06.18
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V9.14.024.2026.06.11
+  version: V9.14.028.2026.06.18
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -11,5 +11,5 @@
 build:
  counter: 1023
-  version: V9.14.024.2026.06.11
+  version: V9.14.028.2026.06.18
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.024.2026.06.11
+# Version Master V9.14.028.2026.06.18
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.024.2026.06.11
+# Version Master V9.14.028.2026.06.18
 name: 🔐 Generating a Private Live ISO TRIXIE.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.024.2026.06.11
+# Version Master V9.14.028.2026.06.18
 name: 💙 Generating a PUBLIC Live ISO.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.024.2026.06.11
+# Version Master V9.14.028.2026.06.18
 # Gitea Workflow: Shell-Script Linting
 #
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.024.2026.06.11
+# Version Master V9.14.028.2026.06.18
 name: 🛡️ Retrieve DNSSEC status of coresecret.dev.
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.024.2026.06.11
+# Version Master V9.14.028.2026.06.18
 name: 🔁 Render Graphviz Diagrams.
@@ -15,5 +15,5 @@ properties_SPDX-License-Identifier="LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 "
 properties_SPDX-LicenseComment="This file is part of the CISS.debian.installer.secure framework."
 properties_SPDX-PackageName="CISS.debian.live.builder"
 properties_SPDX-Security-Contact="security@coresecret.eu"
-properties_version="V9.14.024.2026.06.11"
+properties_version="V9.14.028.2026.06.18"
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
@@ -6,7 +6,7 @@ Creator: Person: Marc S. Weidner (Centurion Intelligence Consulting Agency)
 Created: 2025-05-07T12:00:00Z
 Package: CISS.debian.live.builder
 PackageName: CISS.debian.live.builder
-PackageVersion: Master V9.14.024.2026.06.11
+PackageVersion: Master V9.14.028.2026.06.18
 PackageSupplier: Organization: Centurion Intelligence Consulting Agency
 PackageDownloadLocation: https://git.coresecret.dev/msw/CISS.debian.live.builder
 PackageHomePage: https://git.coresecret.dev/msw/CISS.debian.live.builder
@@ -2,7 +2,7 @@
 gitea: none
 include_toc: true
 ---
-[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.024.2026.06.11-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
+[![Static Badge](https://badges.coresecret.dev/badge/Release-V9.14.028.2026.06.18-white?style=plastic&logo=linux&logoColor=white&logoSize=auto&label=Release&color=%23FCC624)](https://git.coresecret.dev/msw/CISS.debian.live.builder)
 &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/Licence-EUPL1.2-white?style=plastic&logo=europeanunion&logoColor=white&logoSize=auto&label=Licence&color=%23003399)](https://eupl.eu/1.2/en/) &nbsp;
 [![Static Badge](https://badges.coresecret.dev/badge/opensourceinitiative-Compliant-white?style=plastic&logo=opensourceinitiative&logoColor=white&logoSize=auto&label=OSI&color=%233DA639)](https://opensource.org/license/eupl-1-2) &nbsp;
@@ -27,7 +27,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.024.2026.06.11<br>
+**Build**: V9.14.028.2026.06.18<br>
 **CISS.debian.live.builder — First of its own.**<br>
 **World-class CIA: Designed, handcrafted, and powered by Centurion Intelligence Consulting Agency.**
@@ -46,8 +46,8 @@ Beyond a conventional live system, **CISS.debian.live.builder** assembles a **fu
 in a single, deterministic build step: a LUKS2 container backed by `dm-integrity` hosting the SquashFS root filesystem, combined
 with a hardened initramfs chain including a dedicated Dropbear build pipeline for remote LUKS unlock. The resulting ISO ships
 with a hardened kernel configuration, strict sysctl and network tuning, pre-configured SSH hardening and fail2ban, and a
-customised `verify-checksums` path providing fail-closed ISO-edge verification and runtime attestation of the exact final
+customised `verify-checksums` path providing fail-closed mounted-medium verification plus runtime attestation of the exact
-SquashFS payload bytes selected for the encrypted live root. All components are aligned with the `CISS.debian.installer`
+final SquashFS payload bytes selected for the encrypted live root. All components are aligned with the `CISS.debian.installer`
 baseline, ensuring a unified cryptographic and security posture from first boot to an installed system. For an overview of the
 entire build process, see:
 **[MAN_CISS_ISO_BOOT_CHAIN.md](docs/MAN_CISS_ISO_BOOT_CHAIN.md)**
@@ -137,7 +137,7 @@ verification chain is documented separately in **[CISS ISO Boot Chain](docs/MAN_
 In compact form, my expectations for the system are:<br>
 * Every bit that matters for boot and provisioning is covered by checksums that I control and that are signed with keys under my solely authoritative HSM.
-* The live root runs out of a LUKS2 dm-integrity container, and the final SquashFS byte stream copied into the decrypted mapper is verified against a signed rootfs attestation manifest, so a tampered or bit-rotted SquashFS never becomes a trusted root.
+* The live root runs out of a LUKS2 dm-integrity container, and the final SquashFS byte stream copied into the decrypted mapper is verified against a signed rootfs attestation manifest, so a tampered or bit-rotted SquashFS never becomes a trusted root. During boot, `0024-ciss-crypt-squash` copies `/live/filesystem.squashfs.sha512sum.txt[.sig]` from the real ISO medium to `/run/ciss-rootfs-attestation/`; `0042_ciss_post_decrypt_attest` then verifies that cached manifest/signature pair against `/etc/ciss/keys/<FPR>.gpg` and the exact bytes read from `/dev/mapper/crypt_liveiso`.
 * Verification steps are not advisory. Any anomaly causes a hard abort during boot.
 * After the live environment has reached a stable, verified state, it can hand off to ``CISS.debian.installer``. The installer operates from the same image, does not pull random payloads from the internet, and keeps the target system behind a hardened firewall until the entire provisioning process has completed.
 * For unattended, headless scenarios I also support builds where the target system is installed without ever exposing a shell over the console. After installation and reboot, the machine waits for a decryption passphrase via an embedded Dropbear SSH instance in the initramfs, limited to public key authentication and guarded by strict cryptographic policies. In such variants even ``/boot`` can be encrypted, with GRUB taking care of unlocking the boot partition.
@@ -181,7 +181,7 @@ installer toolchain.
 This project adheres strictly to a structured versioning scheme following the pattern x.y.z-Date.
-Example: `V9.14.024.2026.06.11`
+Example: `V9.14.028.2026.06.18`
 `x.y.z` represents major (x), minor (y), and patch (z) version increments.
@@ -8,13 +8,13 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.024.2026.06.11<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. Repository Structure
 **Project:** Centurion Intelligence Consulting Agency Information Security Standard (CISS) — Debian Live Builder  
 **Branch:** `master`  
-**Repository State:** Master Version **9.14**, Build **V9.14.024.2026.06.11** (as of 2025-10-11)
+**Repository State:** Master Version **9.14**, Build **V9.14.028.2026.06.18** (as of 2025-10-11)
 ## 3.1. Top-Level Layout
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.024.2026.06.11<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. CISS Secure Boot Private Material
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.024.2026.06.11<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. CISS Secure Boot Public Material
@@ -65,6 +65,59 @@ preallocate() {
 # shellcheck disable=SC2034
 readonly -f preallocate
 #######################################
 # Validate that the rootfs attestation artifacts exist in the final ISO payload tree.
 # Globals:
 #   None
 # Arguments:
 #   1: Rootfs attestation manifest path
 # Returns:
 #   0: on success
 #   42: on failure
 #######################################
 require_rootfs_attestation_artifacts() {
  declare manifest="${1}"
  declare signature="${manifest}.sig"
  declare artifact=""
  for artifact in "${manifest}" "${signature}"; do
    if [[ ! -e "${artifact}" ]]; then
      printf "\e[91m❌ Required rootfs attestation artifact missing: [%s]. \e[0m\n" "${artifact}" >&2
      return 42
    fi
    if [[ -L "${artifact}" || ! -f "${artifact}" ]]; then
      printf "\e[91m❌ Required rootfs attestation artifact is not a regular file: [%s]. \e[0m\n" "${artifact}" >&2
      return 42
    fi
    if [[ ! -s "${artifact}" ]]; then
      printf "\e[91m❌ Required rootfs attestation artifact is empty: [%s]. \e[0m\n" "${artifact}" >&2
      return 42
    fi
    if [[ ! -r "${artifact}" ]]; then
      printf "\e[91m❌ Required rootfs attestation artifact is not readable: [%s]. \e[0m\n" "${artifact}" >&2
      return 42
    fi
  done
  return 0
 }
 ### Prevents accidental 'unset -f'.
 # shellcheck disable=SC2034
 readonly -f require_rootfs_attestation_artifacts
 #######################################
 # Create and sign the rootfs attestation manifest for the exact SquashFS payload copied into the LUKS mapper.
 # Globals:
@@ -79,33 +132,62 @@ readonly -f preallocate
 #   42: on failure
 #######################################
 create_attestation() {
-  declare rootfs_file="$1"
+  declare rootfs_file="${1}"
-  declare rootfs_attestation="$2"
+  declare rootfs_attestation="${2}"
  declare rootfs_hash=""
  declare rootfs_size=""
  rootfs_size="$(stat -c%s -- "${rootfs_file}")"
-  rootfs_hash="$(sha512sum "${rootfs_file}")"
+  rootfs_hash="$(LC_ALL=C sha512sum "${rootfs_file}")"
  rootfs_hash="${rootfs_hash%% *}"
  if printf '%s  %s\n' "${rootfs_hash}" "${rootfs_file}" | LC_ALL=C sha512sum -c --strict --quiet; then
    printf "\e[92m✅ [LC_ALL=C sha512sum -c --strict --quiet of %s] successful. \e[0m\n" "${rootfs_file}"
  else
    printf "\e[91m❌ [LC_ALL=C sha512sum -c --strict --quiet of %s] NOT successful. \e[0m\n" "${rootfs_file}"
    return 42
  fi
  # The attested boundary is the final SquashFS byte stream before LUKS wrapping. The boot verifier reads exactly this many
  # bytes from the decrypted mapper and intentionally excludes the LUKS allocation slack after the SquashFS payload.
  cat << EOF >| "${rootfs_attestation}"
-# CISS rootfs attestation manifest v1
+# CISS.debian.live.builder Master ${VAR_VERSION}
-# boundary: final filesystem.squashfs byte stream copied into /dev/mapper/crypt_liveiso
+# Attestation file for filesystem.squashfs Version 1.0.0
-# rootfs-size-bytes: ${rootfs_size}
+# Boundary : Final filesystem.squashfs byte stream copied into /dev/mapper/crypt_liveiso
-${rootfs_hash}  ciss-rootfs.squashfs
+# Bytes    : Final filesystem.squashfs ${rootfs_size}
 ${rootfs_hash}  filesystem.squashfs
 EOF
  chmod 0444 "${rootfs_attestation}"
-  gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
+  if gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
-    --detach-sign --output "${rootfs_attestation}.sig" "${rootfs_attestation}"
+    --detach-sign --output "${rootfs_attestation}.sig" "${rootfs_attestation}"; then
    printf "\e[92m✅ [gpg of %s] successful. \e[0m\n" "${rootfs_attestation}"
  else
    printf "\e[91m❌ [gpg of %s] NOT successful. \e[0m\n" "${rootfs_attestation}"
    return 42
  fi
  chmod 0444 "${rootfs_attestation}.sig"
-  gpgv --keyring "${VAR_VERIFY_KEYRING}" "${rootfs_attestation}.sig" "${rootfs_attestation}"
+  if gpgv --keyring "${VAR_VERIFY_KEYRING}" "${rootfs_attestation}.sig" "${rootfs_attestation}"; then
-  printf "\e[92m[INFO] Rootfs attestation manifest created and verified: [%s]. \e[0m\n" "${rootfs_attestation}"
+    printf "\e[92m✅ [gpgv of %s] successful. \e[0m\n" "${rootfs_attestation}.sig"
  else
    printf "\e[91m❌ [gpgv of %s] NOT successful. \e[0m\n" "${rootfs_attestation}.sig"
    return 42
  fi
  return 0
 }
@@ -113,18 +195,21 @@ EOF
 # shellcheck disable=SC2034
 readonly -f create_attestation
-declare    LUKSFS="${VAR_HANDLER_BUILD_DIR}/binary/live/ciss_rootfs.crypt"
+declare    LIVE_PAYLOAD_DIR="${VAR_HANDLER_BUILD_DIR}/binary/live"
-declare    ROOTFS="${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs"
+declare    ROOTFS_ATTESTATION_NAME="filesystem.squashfs.sha512sum.txt"
-declare    ROOTFS_ATTESTATION="${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs.sha512sum.txt"
+declare    ROOTFS_ATTESTATION_REL="live/${ROOTFS_ATTESTATION_NAME}"
 declare    LUKSFS="${LIVE_PAYLOAD_DIR}/ciss_rootfs.crypt"
 declare    ROOTFS="${LIVE_PAYLOAD_DIR}/filesystem.squashfs"
 declare    ROOTFS_ATTESTATION="${VAR_HANDLER_BUILD_DIR}/binary/${ROOTFS_ATTESTATION_REL}"
 declare    DM_LAB="crypt_liveiso"
 declare    DEVMAP="/dev/mapper/${DM_LAB}"
 declare    LUKS_KEY_FILE="${VAR_TMP_SECRET}/${VAR_LUKS_KEY:-luks.txt}"
 declare    KEYFD=""
 # Keep Argon2 keyslot memory and parallel costs bounded for later initramfs unlocks on smaller systems.
 declare -i LUKS_PBKDF_MEMORY_KIB=262144
 declare -i LUKS_PBKDF_PARALLEL=1
 # shellcheck disable=SC2155
 declare -i VAR_ROOTFS_SIZE="$(stat -c%s -- "${ROOTFS}")"
 # shellcheck disable=SC2155
 declare    VAR_ROOTFS_HASH="$(LC_ALL=C sha512sum "${ROOTFS}")"
 declare    VAR_ROOTFS_HASH="${VAR_ROOTFS_HASH%% *}"
 ### Attestation Boundary
 #   - The attested boundary is the final SquashFS byte stream before LUKS wrapping.
@@ -132,53 +217,11 @@ declare    VAR_ROOTFS_HASH="${VAR_ROOTFS_HASH%% *}"
 #     slack after the SquashFS payload.
 printf "\e[95m🧪 Attestation of filesystem.squashfs ... \e[0m\n"
-cat << EOF >| "${ROOTFS_ATTESTATION}"
+create_attestation "${ROOTFS}" "${ROOTFS_ATTESTATION}"
-# CISS.debian.live.builder Master ${VAR_VERSION}
+require_rootfs_attestation_artifacts "${ROOTFS_ATTESTATION}"
 # Attestation file for filesystem.squashfs Version 1.0.0
 # Boundary : Final filesystem.squashfs byte stream copied into /dev/mapper/crypt_liveiso
 # Bytes    : Final filesystem.squashfs ${VAR_ROOTFS_SIZE}
 ${VAR_ROOTFS_HASH}  filesystem.squashfs
 EOF
-chmod 0444 "${ROOTFS_ATTESTATION}"
+printf "\e[92m✅ Attestation of filesystem.squashfs successful: ISO paths [/%s] and [/%s.sig]. \e[0m\n" \
-
+  "${ROOTFS_ATTESTATION_REL}" "${ROOTFS_ATTESTATION_REL}"
 if gpg --batch --yes --pinentry-mode loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --local-user "${VAR_SIGNING_KEY_FPR}" \
  --detach-sign --output "${ROOTFS_ATTESTATION}.sig" "${ROOTFS_ATTESTATION}"; then
  printf "\e[92m✅ [gpg of %s] successful. \e[0m\n" "${ROOTFS_ATTESTATION}"
 else
  printf "\e[91m❌ [gpg of %s] NOT successful. \e[0m\n" "${ROOTFS_ATTESTATION}"
  return 42
 fi
 chmod 0444 "${ROOTFS_ATTESTATION}.sig"
 if gpgv --keyring "${VAR_VERIFY_KEYRING}" "${ROOTFS_ATTESTATION}.sig" "${ROOTFS_ATTESTATION}"; then
  printf "\e[92m✅ [gpgv of %s] successful. \e[0m\n" "${ROOTFS_ATTESTATION}.sig"
 else
  printf "\e[91m❌ [gpgv of %s] NOT successful. \e[0m\n" "${ROOTFS_ATTESTATION}.sig"
  return 42
 fi
 if LC_ALL=C sha512sum -c --strict --quiet "${ROOTFS_ATTESTATION}"; then
  printf "\e[92m✅ [LC_ALL=C sha512sum -c --strict --quiet of %s] successful. \e[0m\n" "${ROOTFS_ATTESTATION}"
 else
  printf "\e[91m❌ [LC_ALL=C sha512sum -c --strict --quiet of %s] NOT successful. \e[0m\n" "${ROOTFS_ATTESTATION}"
  return 42
 fi
 printf "\e[92m✅ Attestation of filesystem.squashfs successful. \e[0m\n"
 ### Safety margin:
 #   - LUKS2-Header and Metadata
@@ -207,6 +250,8 @@ if [[ "${VAR_CDLB_INSIDE_RUNNER}" == "false" ]]; then
    --luks2-keyslots-size 16777216 \
    --luks2-metadata-size 4194304 \
    --pbkdf argon2id \
    --pbkdf-memory "${LUKS_PBKDF_MEMORY_KIB}" \
    --pbkdf-parallel "${LUKS_PBKDF_PARALLEL}" \
    --sector-size 4096 \
    --type luks2 \
    --use-random \
@@ -226,6 +271,8 @@ elif [[ "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then
    --luks2-keyslots-size 16777216 \
    --luks2-metadata-size 4194304 \
    --pbkdf argon2id \
    --pbkdf-memory "${LUKS_PBKDF_MEMORY_KIB}" \
    --pbkdf-parallel "${LUKS_PBKDF_PARALLEL}" \
    --sector-size 4096 \
    --type luks2 \
    --use-random \
@@ -261,6 +308,8 @@ shred -fzu -n 5 -- "${LUKS_KEY_FILE}"
 rm -f -- "${ROOTFS}"
 require_rootfs_attestation_artifacts "${ROOTFS_ATTESTATION}"
 umask "${__umask}"
 __umask=""
@@ -39,7 +39,7 @@ install -d -m 0755  "${DESTDIR}/usr/sbin"
 ### Include binaries -----------------------------------------------------------------------------------------------------------
-for bin in bash blkid busybox dd dmsetup gpgv losetup lsblk mkpasswd mountpoint sha384sum sha512sum sort stty timeout tr tree udevadm whois; do
+for bin in awk bash blkid busybox dd dmsetup gawk gpgv losetup lsblk mkpasswd mountpoint sha384sum sha512sum sort stty timeout tr tree udevadm whois; do
  path="$(command -v "${bin}" 2>/dev/null || true)"
@@ -123,7 +123,6 @@ if [ -d "${src_dir}" ]; then
 fi
 ### Install Dropbear configuration ---------------------------------------------------------------------------------------------
 install -m 0444 /etc/dropbear/initramfs/dropbear.conf "${DESTDIR}/etc/dropbear/dropbear.conf"
 printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/dropbear.conf %s/etc/dropbear/dropbear.conf] \n\e[0m" "${DESTDIR}"
@@ -146,6 +145,13 @@ printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/ba
 install -m 0444 /etc/banner "${DESTDIR}/etc/dropbear/banner"
 printf "\e[92mSuccessfully executed: [install -m 0444 /etc/dropbear/initramfs/banner %s/etc/dropbear/banner] \n\e[0m" "${DESTDIR}"
 ### Ensure live-boot runtime scripts in the initramfs are executable -----------------------------------------------------------
 if [ -d "${DESTDIR}/usr/lib/live/boot" ]; then
  find "${DESTDIR}/usr/lib/live/boot" -type f -exec chmod +x -- {} +
  printf "\e[92mSuccessfully executed: [find %s/usr/lib/live/boot -type f -exec chmod +x -- {} +] \n\e[0m" "${DESTDIR}"
 fi
 ### EOS
 printf "\e[92mSuccessfully executed: [/etc/initramfs-tools/hooks/9999_ciss_debian_live_builder.sh] \n\e[0m"
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.024.2026.06.11
+# Version Master V9.14.028.2026.06.18
 [git.coresecret.dev]:42842 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGQA107AVmg1D/jnyXiqbPf38zQRl8s3c+PM1zbfpeQl
 [git.coresecret.dev]:42842 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDYD9ysmMWZlejUnxu0qOzeWcIYezoFLbYdo6ffGUL5kqOBAYb+5CF4bJLUpA93XFYVF+TbrcMV1yJh6JaHFL0VU5CvgAzruCeedx0c4qUV6lWcJUGNk5K0yb9n2Wosdy6F/zTOxL9KXBt/TV+cscsen2Dahvx0ctMKgNbu+vvUcWxHf9lOkbYoF/uA/nW5CVXy5XUPVUDFUhEeKXL85+6gid5AEMfYT8aRl5YDGvo1iMBmBYOljN4S7MnRe14qbAZG0GDGvF22eHbSU2pILcFIjc2Lo/S5Ox/MJpbLAqpFlLPTKgr6F7yVwfNMSNwl05ysUOZfrQKSXzCU6+lfqKYCwemLALyG/n1ernpp7/8W/2RYoz3fd+TQyfhW++rx3yUHpYCkTv9A4LRYZYGSAWKMHSBEYq3EcATQUxQi0xpwmcR+u0uC9F9eta5Bim+sBZD6F2hgPJ5xgYT8LFm880g1YadAwBoD4TAkqSvl+jYW0VA2GH9CknKHJ36gc/X4eeUHDC1Hf/E8M5RBj4D6NuHfeVRik/ahHmoCqKQUW7VU/EBsWFsngDiLEHcV71iMtWiUddWOHwoAPHIzn6p9HTeLCxTwsPMG5UDGK/S9HUozqDXxexRtqbcFa7DWuzRvZ1bcZ2VQsaafuzKCkkc4NjC7h1wssel7q9aeYPFg+1vS6Q==
@@ -9,7 +9,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.024.2026.06.11
+# Version Master V9.14.028.2026.06.18
 ### https://www.ssh-audit.com/
 ### ssh -Q cipher | cipher-auth | compression | kex | kex-gss | key | key-cert | key-plain | key-sig | mac | protocol-version | sig
@@ -11,7 +11,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-# Version Master V9.14.024.2026.06.11
+# Version Master V9.14.028.2026.06.18
 ### https://docs.kernel.org/
 ### https://github.com/a13xp0p0v/kernel-hardening-checker/
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu
-declare -gr VERSION="Master V9.14.024.2026.06.11"
+declare -gr VERSION="Master V9.14.028.2026.06.18"
 ### VERY EARLY CHECK FOR DEBUGGING
 if [[ $* == *" --debug "* ]]; then
@@ -112,4 +112,4 @@ d-i preseed/late_command string sh /preseed/.ash/3_di_preseed_late_command.sh
 # Please consider donating to my work at: https://coresecret.eu/spenden/
 ###########################################################################################
-# Written by: ./preseed_hash_generator.sh Version: Master V9.14.024.2026.06.11 at: 10:18:37.9542
+# Written by: ./preseed_hash_generator.sh Version: Master V9.14.028.2026.06.18 at: 10:18:37.9542
@@ -295,6 +295,10 @@ export CDLB_MAPPER_NAME="crypt_liveiso"
 export CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
 export CDLB_MNT_MEDIUM="/run/live/medium"
 export CDLB_MNT_ROOTFS="/run/live/rootfs"
 export CDLB_ROOTFS_ATTEST_NAME="filesystem.squashfs.sha512sum.txt"
 export CDLB_ROOTFS_ATTEST_CACHE_DIR="/run/ciss-rootfs-attestation"
 export CDLB_ROOTFS_ATTEST_MANIFEST="${CDLB_ROOTFS_ATTEST_CACHE_DIR}/${CDLB_ROOTFS_ATTEST_NAME}"
 export CDLB_ROOTFS_ATTEST_SIGNATURE="${CDLB_ROOTFS_ATTEST_MANIFEST}.sig"
 export CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}"
 _PARAMETER=""
 _dev=""
@@ -377,6 +381,66 @@ fi
 printf "\e[92m[INFO] CISS LUKS FS         : [%s%s] \n\e[0m" "${CDLB_MNT_MEDIUM}" "${CDLB_LUKS_FS}"
 ### Preserve rootfs attestation evidence before live-boot may replace or unmount the medium view. -----------------------------
 CDLB_ROOTFS_ATTEST_SOURCE="${CDLB_MNT_MEDIUM}/live/${CDLB_ROOTFS_ATTEST_NAME}"
 CDLB_ROOTFS_ATTEST_SOURCE_SIG="${CDLB_ROOTFS_ATTEST_SOURCE}.sig"
 if [ ! -f "${CDLB_ROOTFS_ATTEST_SOURCE}" ] || [ ! -f "${CDLB_ROOTFS_ATTEST_SOURCE_SIG}" ]; then
  printf "\e[91m[FATAL] Boot failure        : Rootfs attestation artifacts not found on live medium: [%s] [%s] \n\e[0m" \
    "${CDLB_ROOTFS_ATTEST_SOURCE}" "${CDLB_ROOTFS_ATTEST_SOURCE_SIG}"
  sleep 8
  log   "[FATAL] Boot failure        : Rootfs attestation artifacts not found on live medium: [${CDLB_ROOTFS_ATTEST_SOURCE}] [${CDLB_ROOTFS_ATTEST_SOURCE_SIG}]"
  panic "[FATAL] Boot failure        : Rootfs attestation artifacts not found on live medium: [${CDLB_ROOTFS_ATTEST_SOURCE}] [${CDLB_ROOTFS_ATTEST_SOURCE_SIG}]"
 fi
 if ! mkdir -p "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"; then
  printf "\e[91m[FATAL] Boot failure        : Failed to create rootfs attestation cache directory: [%s] \n\e[0m" \
    "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"
  sleep 8
  log   "[FATAL] Boot failure        : Failed to create rootfs attestation cache directory: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
  panic "[FATAL] Boot failure        : Failed to create rootfs attestation cache directory: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
 fi
 if ! chmod 0755 "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"; then
  printf "\e[91m[FATAL] Boot failure        : Failed to permission rootfs attestation cache directory: [%s] \n\e[0m" \
    "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"
  sleep 8
  log   "[FATAL] Boot failure        : Failed to permission rootfs attestation cache directory: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
  panic "[FATAL] Boot failure        : Failed to permission rootfs attestation cache directory: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
 fi
 if ! cp "${CDLB_ROOTFS_ATTEST_SOURCE}" "${CDLB_ROOTFS_ATTEST_MANIFEST}" || \
   ! cp "${CDLB_ROOTFS_ATTEST_SOURCE_SIG}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}"; then
  printf "\e[91m[FATAL] Boot failure        : Failed to preserve rootfs attestation artifacts in: [%s] \n\e[0m" \
    "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"
  sleep 8
  log   "[FATAL] Boot failure        : Failed to preserve rootfs attestation artifacts in: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
  panic "[FATAL] Boot failure        : Failed to preserve rootfs attestation artifacts in: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
 fi
 if ! chmod 0444 "${CDLB_ROOTFS_ATTEST_MANIFEST}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}"; then
  printf "\e[91m[FATAL] Boot failure        : Failed to make rootfs attestation cache read-only: [%s] \n\e[0m" \
    "${CDLB_ROOTFS_ATTEST_CACHE_DIR}"
  sleep 8
  log   "[FATAL] Boot failure        : Failed to make rootfs attestation cache read-only: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
  panic "[FATAL] Boot failure        : Failed to make rootfs attestation cache read-only: [${CDLB_ROOTFS_ATTEST_CACHE_DIR}]"
 fi
 chmod 0555 "${CDLB_ROOTFS_ATTEST_CACHE_DIR}" 2>&- || true
 printf "\e[92m[INFO] Rootfs attestation   : Preserved [%s] and [%s] \n\e[0m" \
  "${CDLB_ROOTFS_ATTEST_MANIFEST}" "${CDLB_ROOTFS_ATTEST_SIGNATURE}"
 ### Attach a loop device read-only to the encrypted file. ----------------------------------------------------------------------
 if ! LOOP="$(losetup -f --show -r "${CDLB_MNT_MEDIUM}${CDLB_LUKS_FS}")"; then
@@ -587,6 +651,10 @@ export CDLB_MAPPER_NAME=${CDLB_MAPPER_NAME}
 export CDLB_MAPPER_DEV=${CDLB_MAPPER_DEV}
 export CDLB_MNT_MEDIUM=${CDLB_MNT_MEDIUM}
 export CDLB_MNT_ROOTFS=${CDLB_MNT_ROOTFS}
 export CDLB_ROOTFS_ATTEST_NAME=${CDLB_ROOTFS_ATTEST_NAME}
 export CDLB_ROOTFS_ATTEST_CACHE_DIR=${CDLB_ROOTFS_ATTEST_CACHE_DIR}
 export CDLB_ROOTFS_ATTEST_MANIFEST=${CDLB_ROOTFS_ATTEST_MANIFEST}
 export CDLB_ROOTFS_ATTEST_SIGNATURE=${CDLB_ROOTFS_ATTEST_SIGNATURE}
 export CDLB_REMOTE_WAIT_SECS=${CDLB_REMOTE_WAIT_SECS}
 EOF
 chmod 0444 /run/ciss-rootdev 2>&- || true
@@ -27,16 +27,6 @@ set -eu
 printf "\e[95m[INFO] Starting             : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] \n\e[0m"
 ### Check panic command availability -------------------------------------------------------------------------------------------
 if ! command -v panic >/dev/null 2>&1; then
  panic() {
    printf '\e[91m[FATAL] %s \n\e[0m' "${*}" >&2
    exit 1
  }
 fi
 ### Declare variables ----------------------------------------------------------------------------------------------------------
 ### Will be replaced at build time:
@@ -49,8 +39,10 @@ export CDLB_MAPPER_DEV="${CDLB_MAPPER_DEV:-/dev/mapper/${CDLB_MAPPER_NAME}}"
 export CDLB_MNT_MEDIUM="${CDLB_MNT_MEDIUM:-/run/live/medium}"
 ### Locations of the attestation file of filesystem.squashfs on the verified live medium. --------------------------------------
-CDLB_ROOTFS_ATTEST_MANIFEST="${CDLB_ROOTFS_ATTEST_MANIFEST:-${CDLB_MNT_MEDIUM}/live/filesystem.squashfs.sha512sum.txt}"
+CDLB_ROOTFS_ATTEST_NAME="${CDLB_ROOTFS_ATTEST_NAME:-filesystem.squashfs.sha512sum.txt}"
 CDLB_ROOTFS_ATTEST_MANIFEST="${CDLB_ROOTFS_ATTEST_MANIFEST:-${CDLB_MNT_MEDIUM}/live/${CDLB_ROOTFS_ATTEST_NAME}}"
 CDLB_ROOTFS_ATTEST_SIGNATURE="${CDLB_ROOTFS_ATTEST_SIGNATURE:-${CDLB_ROOTFS_ATTEST_MANIFEST}.sig}"
 CDLB_ROOTFS_ATTEST_CACHE_DIR="${CDLB_ROOTFS_ATTEST_CACHE_DIR:-/run/ciss-rootfs-attestation}"
 CDLB_ROOTFS_ATTEST_CHECK="${CDLB_ROOTFS_ATTEST_CHECK:-/run/ciss-rootfs-attestation.sha512sum}"
 CDLB_KEY_DIR="${CDLB_KEY_DIR:-/etc/ciss/keys}"
@@ -83,6 +75,17 @@ log_ok() { printf '\e[92m[INFO] %s \n\e[0m' "$*"; }
 #######################################
 log_er() { printf '\e[91m[FATAL] %s \n\e[0m' "$*"; }
 ### Provide a local fail-closed fallback when this file is executed as a subprocess outside the live-boot shell context. --------
 if ! command -v panic >/dev/null 2>&1; then
  panic() {
    log_er "${*}"
    printf '%s\n' "0042 FATAL: ${*}" >/dev/console 2>/dev/null || :
    exit 1
  }
 fi
 #######################################
 # Validate a boot-time attestation input file.
 # Globals:
@@ -135,6 +138,63 @@ require_attestation_file() {
  return 0
 }
 #######################################
 # Resolve rootfs attestation paths on known live medium mountpoints.
 # Globals:
 #   CDLB_MNT_MEDIUM
 #   CDLB_ROOTFS_ATTEST_MANIFEST
 #   CDLB_ROOTFS_ATTEST_NAME
 #   CDLB_ROOTFS_ATTEST_SIGNATURE
 # Arguments:
 #   None
 # Returns:
 #   0: on success
 #######################################
 resolve_rootfs_attestation_artifacts() {
  medium_path=""
  manifest_path=""
  signature_path=""
  if [ -f "${CDLB_ROOTFS_ATTEST_MANIFEST}" ] && [ -f "${CDLB_ROOTFS_ATTEST_SIGNATURE}" ]; then
    return 0
  fi
  manifest_path="${CDLB_ROOTFS_ATTEST_CACHE_DIR}/${CDLB_ROOTFS_ATTEST_NAME}"
  signature_path="${manifest_path}.sig"
  if [ -f "${manifest_path}" ] && [ -f "${signature_path}" ]; then
    CDLB_ROOTFS_ATTEST_MANIFEST="${manifest_path}"
    CDLB_ROOTFS_ATTEST_SIGNATURE="${signature_path}"
    return 0
  fi
  for medium_path in "${CDLB_MNT_MEDIUM}" /run/live/medium /lib/live/mount/medium /cdrom; do
    [ -n "${medium_path}" ] || continue
    manifest_path="${medium_path}/live/${CDLB_ROOTFS_ATTEST_NAME}"
    signature_path="${manifest_path}.sig"
    if [ -f "${manifest_path}" ] && [ -f "${signature_path}" ]; then
      CDLB_ROOTFS_ATTEST_MANIFEST="${manifest_path}"
      CDLB_ROOTFS_ATTEST_SIGNATURE="${signature_path}"
      return 0
    fi
  done
  log_er "0042()              : Rootfs attestation artifacts not found. Expected manifest/signature: [${CDLB_ROOTFS_ATTEST_MANIFEST}] [${CDLB_ROOTFS_ATTEST_SIGNATURE}]"
  panic  "0042()              : Rootfs attestation artifacts not found. Expected manifest/signature: [${CDLB_ROOTFS_ATTEST_MANIFEST}] [${CDLB_ROOTFS_ATTEST_SIGNATURE}]"
  return 1
 }
 #######################################
 # Validate the decrypted rootfs payload device.
 # Globals:
@@ -154,7 +214,11 @@ require_rootfs_payload_device() {
  fi
-  if [ -L "${artifact_path}" ] || { [ ! -b "${artifact_path}" ] && [ ! -f "${artifact_path}" ]; }; then
+  if [ -b "${artifact_path}" ]; then
    :
  elif [ -L "${artifact_path}" ] || [ ! -f "${artifact_path}" ]; then
    log_er "0042()              : Rootfs payload must be a block device or regular test fixture: [${artifact_path}]"
    panic  "0042()              : Rootfs payload must be a block device or regular test fixture: [${artifact_path}]"
@@ -187,7 +251,6 @@ stream_rootfs_payload() {
  block_size=1048576
  full_blocks=$((payload_size / block_size))
  remainder=$((payload_size % block_size))
  remainder_offset=$((full_blocks * block_size))
  if [ "${full_blocks}" -gt 0 ]; then
@@ -197,7 +260,7 @@ stream_rootfs_payload() {
  if [ "${remainder}" -gt 0 ]; then
-    dd if="${payload_device}" bs=1 skip="${remainder_offset}" count="${remainder}" 2>/dev/null || return 1
+    dd if="${payload_device}" bs="${block_size}" skip="${full_blocks}" count=1 2>/dev/null | dd bs=1 count="${remainder}" 2>/dev/null || return 1
  fi
@@ -220,7 +283,7 @@ verify_rootfs_payload() {
  payload_size=""
  payload_hash=""
-  payload_size="$(awk -F': ' '/^# rootfs-size-bytes: /{print $2; exit}' "${manifest_path}")"
+  payload_size="$(awk '/^# Bytes[[:space:]]*:[[:space:]]Final filesystem[.]squashfs[[:space:]]+[0-9]+[[:space:]]*$/ {print $NF; exit}' "${manifest_path}")"
  payload_hash="$(awk '($0 !~ /^#/ && NF >= 2){print $1; exit}' "${manifest_path}")"
  case "${payload_size}" in
@@ -281,15 +344,23 @@ verify_rootfs_payload() {
  return 0
 }
 resolve_rootfs_attestation_artifacts
 HASH_FILE="${CDLB_ROOTFS_ATTEST_MANIFEST}"
 SIGN_FILE="${CDLB_ROOTFS_ATTEST_SIGNATURE}"
 KEYFILE="${CDLB_KEY_DIR}/${CDLB_EXP_FPR}.gpg"
 log_in "0042()               : Validating [${KEYFILE}]"
 require_attestation_file "Public key"                   "${KEYFILE}"
 log_in "0042()               : Validating [${HASH_FILE}]"
 require_attestation_file "Rootfs attestation manifest"  "${HASH_FILE}"
 log_in "0042()               : Validating [${SIGN_FILE}]"
 require_attestation_file "Rootfs attestation signature" "${SIGN_FILE}"
 log_in "0042()               : Validating [${CDLB_MAPPER_DEV}]"
 require_rootfs_payload_device "${CDLB_MAPPER_DEV}"
 log_ok "0042()               : Rootfs attestation inputs are present and readable."
 log_in "0042()               : Verifying rootfs attestation manifest with 'gpgv' and pinned GPG FPR."
 if ! _STATUS="$(/usr/bin/gpgv --keyring "${KEYFILE}" --status-fd 1 "${SIGN_FILE}" "${HASH_FILE}" 2>&1)"; then
@@ -497,7 +497,23 @@ setup_unionfs ()
  ### CISS override for /usr/lib/live/boot/0042_ciss_post_decrypt_attest -------------------------------------------------------
  printf "\e[95m[INFO] Calling              : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] ... \n\e[0m"
-  [ -x /usr/lib/live/boot/0042_ciss_post_decrypt_attest ] && /usr/lib/live/boot/0042_ciss_post_decrypt_attest
+
  chmod +x /usr/lib/live/boot/0042_ciss_post_decrypt_attest
  if [ -x /usr/lib/live/boot/0042_ciss_post_decrypt_attest ]; then
      if ! /usr/lib/live/boot/0042_ciss_post_decrypt_attest; then
        panic "[FATAL] [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] failed."
      fi
  else
    panic "[FATAL] [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] missing or not executable."
  fi
  printf "\e[92m[INFO] Calling              : [/usr/lib/live/boot/0042_ciss_post_decrypt_attest] done. \n\e[0m"
  ### CISS override for /usr/lib/live/boot/0042_ciss_post_decrypt_attest -------------------------------------------------------
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.024.2026.06.11<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. DNSSEC Status
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.024.2026.06.11<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. Haveged Audit on Netcup RS 2000 G11
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.024.2026.06.11<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. Lynis Audit:
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.024.2026.06.11<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. SSH Audit by ssh-audit.com
@@ -8,15 +8,14 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.024.2026.06.11<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. TLS Audit:
 ````text
 ./testssl.sh --show-each --wide --phone-out --full https://git.coresecret.dev/
 #####################################################################
-  testssl.sh version 3.2.2 from https://testssl.sh/
+  testssl.sh version 3.2.3 from https://testssl.sh/
-  (2e77f5e 2025-09-22 19:35:27)
+  (0ff7a34 2026-06-01 09:45:44)
  This program is free software. Distribution and modification under
  GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
@@ -27,7 +26,7 @@ include_toc: true
  Using OpenSSL 1.0.2-bad (Mar 28 2025)  [~179 ciphers]
  on kali:./bin/openssl.Linux.x86_64
- Start 2025-09-28 16:12:17        -->> 152.53.110.40:443 (git.coresecret.dev) <<--
+ Start 2026-06-17 14:44:50        -->> 152.53.110.40:443 (git.coresecret.dev) <<--
 Further IP addresses:   2a0a:4cc0:80:330f:152:53:110:40
 rDNS (152.53.110.40):   git.coresecret.dev.
@@ -73,11 +72,11 @@ TLSv1
 TLSv1.1
 -
 TLSv1.2 (server order)
- xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 448   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 448   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 448   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+ xcca9   ECDHE-ECDSA-CHACHA20-POLY1305     ECDH 448   ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
 TLSv1.3 (server order)
- x1302   TLS_AES_256_GCM_SHA384            ECDH 448   AESGCM      256      TLS_AES_256_GCM_SHA384
+ x1302   TLS_AES_256_GCM_SHA384            MLKEM1024  AESGCM      256      TLS_AES_256_GCM_SHA384
- x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 448   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
+ x1303   TLS_CHACHA20_POLY1305_SHA256      MLKEM1024  ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
 Has server cipher order?     yes (OK) -- TLS 1.3 and below
@@ -88,21 +87,21 @@ TLSv1.3 (server order)
 Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
 -----------------------------------------------------------------------------------------------------------------------------
- x1302   TLS_AES_256_GCM_SHA384            ECDH 448   AESGCM      256      TLS_AES_256_GCM_SHA384                             available
+ x1302   TLS_AES_256_GCM_SHA384            MLKEM1024  AESGCM      256      TLS_AES_256_GCM_SHA384                             available
- x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 448   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                       available
+ x1303   TLS_CHACHA20_POLY1305_SHA256      MLKEM1024  ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                       available
 xcc14   ECDHE-ECDSA-CHACHA20-POLY1305-OLD ECDH       ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256_OLD  not a/v
 xcc13   ECDHE-RSA-CHACHA20-POLY1305-OLD   ECDH       ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD    not a/v
 xcc15   DHE-RSA-CHACHA20-POLY1305-OLD     DH         ChaCha20    256      TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256_OLD      not a/v
- xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 521   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              available
+ xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH       AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              not a/v
- xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH       AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384            not a/v
+ xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 521   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384            available
 xc028   ECDHE-RSA-AES256-SHA384           ECDH       AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384              not a/v
 xc024   ECDHE-ECDSA-AES256-SHA384         ECDH       AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384            not a/v
 xc014   ECDHE-RSA-AES256-SHA              ECDH       AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 not a/v
 xc00a   ECDHE-ECDSA-AES256-SHA            ECDH       AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA               not a/v
 xa3     DHE-DSS-AES256-GCM-SHA384         DH         AESGCM      256      TLS_DHE_DSS_WITH_AES_256_GCM_SHA384                not a/v
 x9f     DHE-RSA-AES256-GCM-SHA384         DH         AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384                not a/v
- xcca9   ECDHE-ECDSA-CHACHA20-POLY1305     ECDH       ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256      not a/v
+ xcca9   ECDHE-ECDSA-CHACHA20-POLY1305     ECDH 448   ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256      available
- xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 448   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256        available
+ xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH       ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256        not a/v
 xccaa   DHE-RSA-CHACHA20-POLY1305         DH         ChaCha20    256      TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256          not a/v
 xc0af   ECDHE-ECDSA-AES256-CCM8           ECDH       AESCCM8     256      TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8                 not a/v
 xc0ad   ECDHE-ECDSA-AES256-CCM            ECDH       AESCCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_CCM                   not a/v
@@ -170,9 +169,10 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
 xc086   -                                 ECDH       CamelliaGCM 128      TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256       not a/v
 xc08a   -                                 ECDH       CamelliaGCM 128      TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256         not a/v
 KEMs offered                 MLKEM1024 X25519MLKEM768 SecP384r1MLKEM1024
 Elliptic curves offered:     secp384r1 secp521r1 X448
- TLS 1.2 sig_algs offered:    RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512 RSA+SHA256 RSA+SHA384 RSA+SHA512 RSA+SHA224
+ TLS 1.2 sig_algs offered:    ECDSA+SHA256 ECDSA+SHA384 ECDSA+SHA512 ECDSA+SHA224
- TLS 1.3 sig_algs offered:    RSA-PSS-RSAE+SHA256 RSA-PSS-RSAE+SHA384 RSA-PSS-RSAE+SHA512
+ TLS 1.3 sig_algs offered:    ECDSA+SHA384
 Testing server defaults (Server Hello)
@@ -185,33 +185,33 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
 TLS clock skew               Random values, no fingerprinting possible
 Certificate Compression      none
 Client Authentication        none
- Signature Algorithm          SHA256 with RSA
+ Signature Algorithm          ECDSA with SHA256
- Server key size              RSA 4096 bits (exponent is 65537)
+ Server key size              EC 384 bits (curve P-384)
- Server key usage             Digital Signature, Key Encipherment
+ Server key usage             Digital Signature
- Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
+ Server extended key usage    TLS Web Server Authentication
- Serial                       13292523EB168BD226CE46 (OK: length 11)
+ Serial                       85135AE9A772A9778768548CDED9F483 (OK: length 16)
- Fingerprints                 SHA1 1CCF67686A5FFF33D163EFC9E67AB5C70D1122B8
+ Fingerprints                 SHA1 7745E895B49A44DA786509D124F7BAEF5BCDE21A
-                              SHA256 565271C2C74AF9EF5F0DCA16453A643C13E43CBD5B87AB82A622E929C48C8B7B
+                              SHA256 EBAC1DAD82CFAF97644D2F9A03082DE9ABC2B44AD4C86FE6FA202D3EF7243FE4
 Common Name (CN)             coresecret.dev
- subjectAltName (SAN)         coresecret.dev git.coresecret.dev lab.coresecret.dev run.coresecret.dev www.coresecret.dev
+ subjectAltName (SAN)         coresecret.dev badges.coresecret.dev cendev.eu git.coresecret.dev lab.coresecret.dev phpmyadmin.git.coresecret.dev
                              run.coresecret.dev uml.coresecret.dev www.coresecret.dev
 Trust (hostname)             Ok via SAN (same w/o SNI)
 Chain of trust               Ok
 EV cert (experimental)       no
- Certificate Validity (UTC)   178 >= 60 days (2025-09-27 18:27 --> 2026-03-25 22:59)
+ Certificate Validity (UTC)   89 >= 60 days (2026-06-16 00:00 --> 2026-09-14 23:59)
 ETS/"eTLS", visibility info  not present
- In pwnedkeys.com DB          not in database Certificate Revocation List  http://crl.buypass.no/crl/BPClass2CA5.crl, not revoked
+ In pwnedkeys.com DB          not in database
- OCSP URI                     http://ocsp.buypass.com, not revoked
+ Certificate Revocation List  --
 OCSP URI                     http://ocsp.sectigo.com, not revoked
 OCSP stapling                offered, not revoked
- OCSP must staple extension   --
+ OCSP must staple extension   supported
 DNS CAA RR (experimental)    available - please check for match with "Issuer" below
-                              communications=error, iodef=mailto:dns@coresecret.eu, issue=;, issue=buypass.no, issue=certum.pl,
+                              contactemail=caa@coresecret.eu, iodef=mailto:caa@coresecret.eu, issue=;, issue=certum.pl, issue=letsencrypt.org;,
-                              issue=letsencrypt.org;, issue=quantumsign.eu;, issue=sectigo.com, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
+                              issue=quantumsign.eu;, issue=sectigo.com, issuemail=certum.pl, issuevmc=sectigo.com, issuewild=;
                              issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuect=quantumsign.eu;,
                              issuect=quantumsign.eu;, issuect=quantumsign.eu;, issuemail=buypass.no, issuemail=certum.pl, issuewild=;
 Certificate Transparency     yes (certificate extension)
 Certificates provided        2
- Issuer                       Buypass Class 2 CA 5 (Buypass AS-983163327 from NO)
+ Issuer                       ZeroSSL ECC DV SSL CA 2 (ZeroSSL GmbH from AT)
- Intermediate cert validity   #1: ok > 40 days (2027-05-23 12:57). Buypass Class 2 CA 5 <-- Buypass Class 2 Root CA
+ Intermediate cert validity   #1: ok > 40 days (2035-09-23 23:59). ZeroSSL ECC DV SSL CA 2 <-- Sectigo Public Server Authentication Root E46
 Intermediate Bad OCSP (exp.) Ok
@@ -223,7 +223,7 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
 Public Key Pinning           --
 Server banner                nginx
 Application banner           --
- Cookie(s)                    2 issued: 2/2 secure, 2/2 HttpOnly
+ Cookie(s)                    1 issued: 1/1 secure, 1/1 HttpOnly
 Security headers             X-Frame-Options: SAMEORIGIN
                              X-Content-Type-Options: nosniff
                              Content-Security-Policy: default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'
@@ -236,7 +236,6 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
                              Cross-Origin-Resource-Policy: cross-origin
                              Cross-Origin-Embedder-Policy: unsafe-none
                              X-XSS-Protection: 1; mode=block
                              Permissions-Policy: interest-cohort=()
                              Referrer-Policy: no-referrer
                              Cache-Control: no-cache
 Reverse Proxy banner         --
@@ -257,8 +256,7 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
-                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services, see
+                                           no RSA certificate, thus certificate can't be used with SSLv2 elsewhere
                                           https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=565271C2C74AF9EF5F0DCA16453A643C13E43CBD5B87AB82A622E929C48C8B7B
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
 BEAST (CVE-2011-3389)                     not vulnerable (OK), no SSL3 or TLS1
 LUCKY13 (CVE-2013-0169), experimental     not vulnerable (OK)
@@ -271,24 +269,24 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
 Browser                      Protocol  Cipher Suite Name (OpenSSL)       Forward Secrecy
 ------------------------------------------------------------------------------------------------
 Android 7.0 (native)         No connection
- Android 8.1 (native)         TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       384 bit ECDH (P-384)
+ Android 8.1 (native)         TLSv1.2   ECDHE-ECDSA-AES256-GCM-SHA384     384 bit ECDH (P-384)
 Android 9.0 (native)         TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Android 10.0 (native)        TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Android 11/12 (native)       TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
 Android 13/14 (native)       TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
- Android 15 (native)          TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
+ Android 15 (native)          TLSv1.3   TLS_AES_256_GCM_SHA384            X25519MLKEM768
 Chrome 101 (Win 10)          TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
- Chromium 137 (Win 11)        TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
+ Chromium 137 (Win 11)        TLSv1.3   TLS_AES_256_GCM_SHA384            X25519MLKEM768
 Firefox 100 (Win 10)         TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
- Firefox 137 (Win 11)         TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
+ Firefox 137 (Win 11)         TLSv1.3   TLS_AES_256_GCM_SHA384            X25519MLKEM768
 IE 8 Win 7                   No connection
- IE 11 Win 7                  No connection
+ IE 11 Win 7                  TLSv1.2   ECDHE-ECDSA-AES256-GCM-SHA384     384 bit ECDH (P-384)
- IE 11 Win 8.1                No connection
+ IE 11 Win 8.1                TLSv1.2   ECDHE-ECDSA-AES256-GCM-SHA384     384 bit ECDH (P-384)
- IE 11 Win Phone 8.1          No connection
+ IE 11 Win Phone 8.1          TLSv1.2   ECDHE-ECDSA-AES256-GCM-SHA384     384 bit ECDH (P-384)
- IE 11 Win 10                 TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       384 bit ECDH (P-384)
+ IE 11 Win 10                 TLSv1.2   ECDHE-ECDSA-AES256-GCM-SHA384     384 bit ECDH (P-384)
- Edge 15 Win 10               TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       384 bit ECDH (P-384)
+ Edge 15 Win 10               TLSv1.2   ECDHE-ECDSA-AES256-GCM-SHA384     384 bit ECDH (P-384)
 Edge 101 Win 10 21H2         TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
- Edge 133 Win 11 23H2         TLSv1.3   TLS_AES_256_GCM_SHA384            384 bit ECDH (P-384)
+ Edge 133 Win 11 23H2         TLSv1.3   TLS_AES_256_GCM_SHA384            X25519MLKEM768
 Safari 18.4 (iOS 18.4)       TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
 Safari 15.4 (macOS 12.3.1)   TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
 Safari 18.4 (macOS 15.4)     TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
@@ -299,11 +297,11 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
 Java 21.0.6 (OpenJDK)        TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
 go 1.17.8                    TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
 LibreSSL 3.3.6 (macOS)       TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
- OpenSSL 1.0.2e               TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       521 bit ECDH (P-521)
+ OpenSSL 1.0.2e               TLSv1.2   ECDHE-ECDSA-AES256-GCM-SHA384     521 bit ECDH (P-521)
 OpenSSL 1.1.1d (Debian)      TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
 OpenSSL 3.0.15 (Debian)      TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
- OpenSSL 3.5.0 (git)          TLSv1.3   TLS_AES_256_GCM_SHA384            448 bit ECDH (X448)
+ OpenSSL 3.5.0 (git)          TLSv1.3   TLS_AES_256_GCM_SHA384            X25519MLKEM768
- Apple Mail (16.0)            TLSv1.2   ECDHE-RSA-AES256-GCM-SHA384       521 bit ECDH (P-521)
+ Apple Mail (16.0)            TLSv1.2   ECDHE-ECDSA-AES256-GCM-SHA384     521 bit ECDH (P-521)
 Thunderbird (91.9)           TLSv1.3   TLS_AES_256_GCM_SHA384            521 bit ECDH (P-521)
@@ -317,7 +315,7 @@ Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Ciphe
 Final Score                  100
 Overall Grade                A+
- Done 2025-09-28 16:13:50 [  95s] -->> 152.53.110.40:443 (git.coresecret.dev) <<--
+ Done 2026-06-17 14:46:05 [  78s] -->> 152.53.110.40:443 (git.coresecret.dev) <<--
 ````
 ---
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.024.2026.06.11<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. Hardened Kernel Boot Parameters
@@ -8,10 +8,21 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.024.2026.06.11<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. Changelog
 ## V9.14.028.2026.06.18
 * **Changed**: [0024-ciss-crypt-squash](../config/includes.chroot/usr/lib/live/boot/0024-ciss-crypt-squash) Explicitly permissions the runtime rootfs attestation cache and fails closed on cache creation or chmod errors.
 * **Changed**: [MAN_CISS_ISO_BOOT_CHAIN.md](MAN_CISS_ISO_BOOT_CHAIN.md) Documents the rootfs attestation artifact custody path from build-time `binary/live` creation through the `0024` runtime cache and `0042` verification.
 * **Changed**: [README.md](../README.md) Documents the runtime rootfs attestation cache handoff.
 ## V9.14.026.2026.06.17
 * **Updated**: git.coresecret.dev nginx Mainline 1.31.1 custom build with OpenSSL 4.0.1 to support PQC KEX algorithms:
 * * ``MLKEM1024`` ``SecP384r1MLKEM1024`` ``X25519MLKEM768`` 
 * * ECDH: ``X448`` ``secp521r1`` ``secp384r1``
 * **Updated**: [AUDIT_TLS.md](AUDIT_TLS.md)
 ## V9.14.024.2026.06.11
 * **Added**: [lib_build_dir_safety.sh](../lib/lib_build_dir_safety.sh) Integrated Security Audit Finding A12
 * **Added**: [lib_debug_sanitize.sh](../lib/lib_debug_sanitize.sh) Integrated Security Audit Finding A11
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.024.2026.06.11<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. Centurion Net - Developer Branch Overview
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.024.2026.06.11<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. Purpose
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.024.2026.06.11<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. Contributing / participating
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.024.2026.06.11<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. Credits
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.024.2026.06.11<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. Download the latest PUBLIC CISS.debian.live.ISO
@@ -8,14 +8,14 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.024.2026.06.11<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2.1. Usage
 ````text
                        CDLB(1)                        CISS.debian.live.builder                        CDLB(1)
 CISS.debian.live.builder from https://git.coresecret.dev/msw
-Master V9.14.024.2026.06.11
+Master V9.14.028.2026.06.18
 A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 (c) Marc S. Weidner, 2018 - 2026
@@ -190,7 +190,7 @@ A lightweight Shell Wrapper for building a hardened Debian Live ISO Image.
 💷 Please consider donating to my work at:
 🌐 https://coresecret.eu/spenden/
-                        V9.14.024.2026.06.11                        2026-05-17                         CDLB(1)
+                        V9.14.028.2026.06.18                        2026-05-17                         CDLB(1)
 ````
 # 3. Booting
@@ -8,23 +8,23 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.024.2026.06.11<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. CISS.debian.live.builder – Boot & Trust Chain (Technical Documentation)
-**Status:** 2026-06-10<br>
+**Status:** 2026-06-18<br>
 **Audience:** CICA CISO, CISS staff, technically proficient administrators<br>
-**Summary:** The **CISS.debian.live.builder** Live-ISO establishes a two-stage verification chain around the live root: an early ISO-edge check (signature and FPR pin) *before* LUKS unlock, and a late root-FS attestation *after* unlock that verifies the exact final SquashFS payload bytes copied into the decrypted LUKS mapper, reinforced by `dm-crypt (AES-XTS)` and `dm-integrity (HMAC-SHA-512)`. UEFI Secure Boot can use either the default Microsoft/Debian shim chain, or a CISS-signed UKI chain for systems that trust the CISS Secure Boot key material.<br>
+**Summary:** The **CISS.debian.live.builder** Live-ISO establishes a two-stage verification chain around the live root: after the CISS LUKS/dm-integrity container has been opened, and the live medium context has been exposed, `0030-ciss-verify-checksums` verifies the mounted live-medium checksum manifest, detached signature, and signer fingerprint; `0024-ciss-crypt-squash` preserves the rootfs attestation artifacts from the real ISO medium into a stable initramfs runtime cache; later, `0042_ciss_post_decrypt_attest` verifies the signed rootfs attestation manifest, and the exact final SquashFS payload bytes copied into the decrypted LUKS mapper. UEFI Secure Boot can use either the default Microsoft/Debian shim chain, or a CISS-signed UKI chain for systems that trust the CISS Secure Boot key material.<br>
 # 3. Overview
 * **Trust anchor:** Pinned fingerprint (FPR) of the signing key embedded at build time in initramfs hooks.
-* **Integrity & authenticity verification:**
+* **Integrity and authenticity verification:**
-  1. **Early:** Verify `sha512sum.txt` at the ISO edge using `gpgv` and FPR pin.
+  1. **Mounted live medium:** After `0024-ciss-crypt-squash` has opened the encrypted container and exposed `/run/live/medium`, verify `sha512sum.txt` using `gpgv`, FPR pinning, and checksum execution.
-  2. **Late:** Verify the external rootfs attestation manifest using `gpgv` and FPR pin, then verify the exact SquashFS payload bytes from the decrypted mapper with `sha512sum -c`.
+  2. **Decrypted rootfs payload:** Preserve the external rootfs attestation manifest and detached signature before live-boot may replace or unmount the medium view, verify the cached manifest using `gpgv` and FPR pinning, then verify the exact SquashFS payload bytes from the decrypted mapper with `sha512sum -c`.
-* **Storage-level AEAD (functional):** `dm-crypt` (AES-XTS-512) and `dm-integrity` (HMAC-SHA-512, 4 KiB).
+* **Storage-level confidentiality and keyed sector integrity:** `dm-crypt` (AES-XTS-512) and `dm-integrity` (HMAC-SHA-512, 4 KiB).
 * **Remotely unlock:** CISS hardened and build dropbear, modern primitives only, no passwords, no agent/forwarding.
 # 3.1. Secure Boot Profiles
@@ -49,15 +49,15 @@ private Secure Boot key names are detected in those paths before live-build chec
 # 4. Primitives & Parameters
-| Component    | Primitive / Parameter                                     | Purpose                                                |
+| Component    | Primitive / Parameter                                                            | Purpose                                                                    |
-|--------------|-----------------------------------------------------------|--------------------------------------------------------|
+|--------------|----------------------------------------------------------------------------------|----------------------------------------------------------------------------|
-| LUKS2        | `aes-xts-plain64`, `--key-size 512`, `--sector-size 4096` | Confidentiality (2×256-bit XTS)                        |
+| LUKS2        | `aes-xts-plain64`, `--key-size 512`, `--sector-size 4096`                        | Confidentiality (2×256-bit XTS)                                            |
-| dm-integrity | `hmac-sha512` (keyed), journal                            | Adversary-resistant per-sector integrity, authenticity |
+| dm-integrity | `hmac-sha512` (keyed), journal                                                   | Keyed per-sector integrity for the opened mapping; not origin authenticity |
-| PBKDF        | `argon2id`, `--iter-time 1000` ms                         | Key derivation, hardware-agnostic                      |
+| PBKDF        | `argon2id`, `--iter-time 1000` ms, `--pbkdf-memory 262144`, `--pbkdf-parallel 1` | Bounded key derivation cost for initramfs unlock                           |
-| Signatures   | Ed25519 or RSA-4096 (FPR pinned)                          | Public verifiability, non-repudiation                  |
+| Signatures   | Ed25519 or RSA-4096 (FPR pinned)                                                 | Public verifiability, non-repudiation                                      |
-| Verification | `gpgv --no-default-keyring`                               | No agent dependency in initramfs                       |
+| Verification | `gpgv --keyring <pinned-keyring>`                                                | Explicit keyring selection and no agent dependency in initramfs            |
-| Hash lists   | `sha512sum` format                                        | Deterministic content verification                     |
+| Hash lists   | `sha512sum` format                                                               | Deterministic content verification                                         |
-| Dropbear     | Modern KEX/AEAD (per `localoptions.h`)                    | Minimal attack surface, remote unlock                  |
+| Dropbear     | Modern KEX/AEAD (per `localoptions.h`)                                           | Minimal attack surface, remote unlock                                      |
 # 5. Diagram: CISS Live ISO Boot Flow
 ```mermaid
@@ -92,12 +92,14 @@ flowchart TD
    0090 e09@--> 0100["Starting CISS.hardened dropbear"];
    0100 e10@--> 0110["Executing live-boot, mounting ISO FS"];
    0110 e11@--> 0122["Executing 0022-ciss: Hardening tmpfs for OverlayFS upper/work"];
-    0122 e12@--> 0124["Executing 0024-ciss: LUKS open (dm-crypt & integrity)"];
+    0122 e12@--> 0124["Executing 0024-ciss: Mount ISO medium and locate /live/ciss_rootfs.crypt"];
-    0124 e13@--> |SUCCESSFUL| LUKS["Unlocking LUKS2 Argon2id PBKDF → XTS + HMAC-SHA512"];
+    0124 e13@--> CACHE["0024-ciss: Preserve rootfs attestation artifacts in /run/ciss-rootfs-attestation"];
-    LUKS e14@--> ROOT["Assemble RootFS OverlayFS"];
+    CACHE e13b@--> LUKSOPEN["0024-ciss: LUKS open (dm-crypt & integrity)"];
-    ROOT e15@--> 0126["Executing 0026-ciss: Hardening early sysctls"];
+    LUKSOPEN e13c@--> |SUCCESSFUL| LUKS["Decrypted mapper exposed; livefs_root=/run/live/medium set"];
-    0126 e16@--> 0130["Executing 0030-ciss: Verification of authenticity and integrity via embedded and pinned GPG of ISO edge"];
+    LUKS e14@--> 0126["Executing 0026-ciss: Hardening early sysctls"];
-    0130 e17@--> |SUCCESSFUL| 0142["Executing 0042-ciss: Attestation of RootFS SquashFS payload"];
+    0126 e15@--> 0130["Executing 0030-ciss: Mounted live-medium checksum and signature verification"];
    0130 e16@--> |SUCCESSFUL| ROOT["9990-overlay: Mount SquashFS / OverlayFS"];
    ROOT e17@--> 0142["Executing 0042-ciss: Attestation of RootFS SquashFS payload"];
    0142 e18@--> 0145["init-bottom: stop CISS.hardened dropbear, tear down initramfs net"];
    0145 e19@--> 9050["Switching root (run-init / pivot_root)"];
    9050 e20@--> 9010["Starting /sbin/init -> systemd"];
@@ -111,6 +113,8 @@ flowchart TD
    e11@{ animation: fast }
    e12@{ animation: fast }
    e13@{ animation: fast }
    e13b@{ animation: fast }
    e13c@{ animation: fast }
    e14@{ animation: fast }
    e15@{ animation: fast }
    e16@{ animation: fast }
@@ -130,27 +134,52 @@ flowchart TD
 0030 -- FAIL --> X;
 0040 -- FAIL --> X;
 0124 -- FAIL --> X;
 CACHE -- FAIL --> X;
 LUKSOPEN -- FAIL --> X;
 0130 -- FAIL --> X;
 0142 -- FAIL --> X;
 ```
 # 6. Diagram: CISS Live ISO LUKS and dm-integrity layering
 ```text
 ISO medium
 └── /live/ciss_rootfs.crypt
    └── LUKS2 / dm-crypt / dm-integrity
        └── /dev/mapper/crypt_liveiso
            └── SquashFS rootfs [SHA-512 over exact SquashFS byte stream]
                └── OverlayFS / running root filesystem
 ```
 Rootfs attestation evidence follows a separate side path:
 ```text
 ISO medium
 ├── /live/filesystem.squashfs.sha512sum.txt
 └── /live/filesystem.squashfs.sha512sum.txt.sig
    └── copied by 0024-ciss-crypt-squash to:
        ├── /run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt
        └── /run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt.sig
 ```
 The `/run/ciss-rootfs-attestation/` cache is only a stable initramfs runtime location. It is not a trust anchor. `0042_ciss_post_decrypt_attest` still requires the cached manifest to verify against the detached signature, the pinned GPG fingerprint, and the actual decrypted mapper bytes.
 ```mermaid
 ---
 config:
      theme: forest
 ---
 flowchart TD
-0{{"Plain device: CD-ROM / USB"}} --> 1["ISO image (ISO9660 + ESP)"];
+0{{"Plain device: CD-ROM / USB"}} --> 1["ISO medium (ISO9660 + ESP)"];
-1 --> 2["Mount ISO9660 FS → /run/live/medium"];
+1 --> 2["/live/ciss_rootfs.crypt"];
-2 --> 3["Container file /run/live/medium/live/ciss_rootfs.crypt"];
+2 --> 3["LUKS2 / dm-crypt / dm-integrity"];
-3 --> 4["dm-integrity layer (HMAC-SHA-512, 4 KiB)"];
+3 --> 4["/dev/mapper/crypt_liveiso"];
-4 --> 5["dm-crypt LUKS2 (AES-XTS-512) → /dev/mapper/crypt_liveiso"];
+4 --> 5["SquashFS rootfs byte stream"];
-5 --> 6["Mount SquashFS from /dev/mapper/crypt_liveiso → /run/live/rootfs"];
+5 --> 6["OverlayFS / running root filesystem"];
 ```
-**Note:** Encrypt-then-MAC at the block layer (functionally AEAD-equivalent). Any manipulation ⇒ hard I/O error.
+**Note:** `dm-integrity` provides keyed sector integrity for the opened LUKS mapping. It is not treated as origin authenticity; origin authenticity is provided by the signed checksum and rootfs attestation manifests plus pinned signer fingerprints.
 # 7. CISS Live ISO LUKS Build-Time Core Steps
 ```sh
@@ -165,6 +194,8 @@ cryptsetup luksFormat \
  --luks2-keyslots-size 16777216 \
  --luks2-metadata-size 4194304 \
  --pbkdf argon2id \
  --pbkdf-memory 262144 \
  --pbkdf-parallel 1 \
  --sector-size 4096 \
  --type luks2 \
  --use-random \
@@ -174,9 +205,41 @@ cryptsetup luksFormat \
 **Signing keys:** Ed25519 and RSA-4096; **FPR pinned at build time** in hooks. Signing keys are **additionally** signed by an offline GPG Root-CA (out-of-band trust chain).
-# 8. Early ISO-Edge Verification (CISS modified hook 0030-ciss-verify-checksums, live-bottom)
+## 7.1. Rootfs Attestation Artifacts Created at Build Time
-**Goal:** Before consuming any medium content, verify:
+`config/hooks/live/zzzz_ciss_crypt_squash.hook.binary` runs in the live-build binary phase after `binary/live/filesystem.squashfs` exists and before the final ISO image is emitted.
 The hook expects:
 | Artifact                    | Build-time path                                            | Purpose                                                                                 |
 |-----------------------------|------------------------------------------------------------|-----------------------------------------------------------------------------------------|
 | Final plaintext SquashFS    | `${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs` | Source byte stream that will be attested and copied into the encrypted mapper.          |
 | Signing key passphrase file | `${VAR_SIGNING_KEY_PASSFILE}`                              | Unlocks the configured signing key without exposing the passphrase on the command line. |
 | Verification keyring        | `${VAR_VERIFY_KEYRING}`                                    | Build-time self-check for the detached signature before the ISO is accepted.            |
 The hook creates:
 | Artifact                              | Build-time path                                                              | ISO path                                      |
 |---------------------------------------|------------------------------------------------------------------------------|-----------------------------------------------|
 | Encrypted live root container         | `${VAR_HANDLER_BUILD_DIR}/binary/live/ciss_rootfs.crypt`                     | `/live/ciss_rootfs.crypt`                     |
 | Rootfs attestation manifest           | `${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs.sha512sum.txt`     | `/live/filesystem.squashfs.sha512sum.txt`     |
 | Rootfs attestation detached signature | `${VAR_HANDLER_BUILD_DIR}/binary/live/filesystem.squashfs.sha512sum.txt.sig` | `/live/filesystem.squashfs.sha512sum.txt.sig` |
 The manifest format is intentionally small and deterministic:
 ```text
 # CISS.debian.live.builder Master <version>
 # Attestation file for filesystem.squashfs Version 1.0.0
 # Boundary : Final filesystem.squashfs byte stream copied into /dev/mapper/crypt_liveiso
 # Bytes    : Final filesystem.squashfs <exact-byte-count>
 <sha512-of-final-filesystem.squashfs>  filesystem.squashfs
 ```
 The signed boundary is the final SquashFS byte stream before LUKS wrapping. The hook writes that byte stream into `/dev/mapper/crypt_liveiso`, closes the mapper, shreds the transient LUKS key file, removes `binary/live/filesystem.squashfs`, and keeps only `/live/ciss_rootfs.crypt` plus the manifest/signature pair in the final ISO payload tree.
 # 8. Mounted Live-Medium Checksum Verification (CISS modified hook 0030-ciss-verify-checksums, live-bottom)
 **Goal:** After `0024-ciss-crypt-squash` has opened the encrypted container and exposed the live medium context, but before the final live root is accepted, verify:
 1. **Detached signature of `sha512sum.txt`** using `gpgv` against the embedded public key.
 2. **FPR pinning:** Parse `VALIDSIG` and require exact match with the build-time pinned FPR.
@@ -191,17 +254,39 @@ cryptsetup luksFormat \
 # 9. Late Root-FS Attestation and dmsetup Health (CISS hook 0042_ciss_post_decrypt_attest, called by 9990-overlay.sh)
-**Goal:** After LUKS unlocked, validate the **decrypted** rootfs payload selected at build time and the **actual** mapping topology.
+**Goal:** After LUKS unlocked, and the live root has been mounted by `9990-overlay.sh`, validate the **decrypted** rootfs payload selected at build time and the **actual** mapping topology.
 * **Attested boundary:** the final `binary/live/filesystem.squashfs` byte stream, immediately before it is copied into `/dev/mapper/crypt_liveiso` by `zzzz_ciss_crypt_squash.hook.binary`.
-* **Runtime verification boundary:** the first `rootfs-size-bytes` bytes read from the decrypted mapper. Any LUKS allocation slack after the SquashFS payload is intentionally excluded.
+* **Runtime verification boundary:** the first byte count declared by `# Bytes    : Final filesystem.squashfs <bytes>` in the signed manifest, read from the decrypted mapper. Any LUKS allocation slack after the SquashFS payload is intentionally excluded.
-* **Attestation files:** `/run/live/medium/live/ciss_rootfs.sha512sum.txt[.sig]`
+* **ISO attestation files:** `/run/live/medium/live/filesystem.squashfs.sha512sum.txt[.sig]` while the original ISO medium is mounted by `0024-ciss-crypt-squash`.
 * **Runtime attestation cache:** `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt[.sig]`, copied by `0024-ciss-crypt-squash` before live-boot may replace or unmount the medium view during `toram` handling.
 * **Key source:** `/etc/ciss/keys/*.gpg` (accepted only if FPR == build-pin)
 ## 9.1. Runtime Artifact Custody and Expectations
 | Step | Actor                           | Requires                                                                                                                                                                                                      | Copies / writes                                                                                                                                                                                                                                                                                                    | Later consumer                                                               |
 |------|---------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------|
 | 1    | `0024-ciss-crypt-squash`        | Mounted ISO medium at `/run/live/medium`; `/run/live/medium/live/ciss_rootfs.crypt`; `/run/live/medium/live/filesystem.squashfs.sha512sum.txt`; `/run/live/medium/live/filesystem.squashfs.sha512sum.txt.sig` | Copies the manifest to `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt` and the detached signature to `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt.sig`; sets the cache directory to `0755` before copy, cached files to `0444`, and best-effort final directory mode to `0555` | `0042_ciss_post_decrypt_attest`                                              |
 | 2    | `0024-ciss-crypt-squash`        | `/run/live/medium/live/ciss_rootfs.crypt`; unlock passphrase from console or Dropbear path                                                                                                                    | Opens the encrypted container as `/dev/mapper/crypt_liveiso`; writes `/run/ciss-rootdev` with mapper, medium, and attestation-cache paths                                                                                                                                                                          | `9990-overlay.sh`                                                            |
 | 3    | `9990-main.sh`                  | `/conf/param.conf` with `PLAIN_ROOT=1` and `livefs_root=/run/live/medium`; optional `toram` boot parameter                                                                                                    | May copy live media to RAM and may leave `/run/live/medium` busy, replaced, or otherwise unsuitable as the only attestation source                                                                                                                                                                                 | `9990-overlay.sh` and `0042_ciss_post_decrypt_attest`                        |
 | 4    | `9990-overlay.sh`               | `/run/ciss-rootdev`; `/dev/mapper/crypt_liveiso`                                                                                                                                                              | Sources `/run/ciss-rootdev`, overrides the image directory to `/dev/mapper/crypt_liveiso`, mounts the decrypted SquashFS read-only, and invokes `/usr/lib/live/boot/0042_ciss_post_decrypt_attest`                                                                                                                 | `0042_ciss_post_decrypt_attest`                                              |
 | 5    | `0042_ciss_post_decrypt_attest` | `/etc/ciss/keys/<pinned-FPR>.gpg`; `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt`; `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt.sig`; `/dev/mapper/crypt_liveiso`        | Creates transient `/run/ciss-rootfs-attestation.sha512sum` for `sha512sum -c`; does not create trusted evidence                                                                                                                                                                                                    | Boot continues only after signature, FPR, and exact payload bytes all verify |
 `0042_ciss_post_decrypt_attest` resolves artifacts in this order:
 1. The explicit manifest/signature paths exported through `/run/ciss-rootdev`.
 2. The default runtime cache under `/run/ciss-rootfs-attestation/`.
 3. Compatibility fallback mountpoints: `${CDLB_MNT_MEDIUM}`, `/run/live/medium`, `/lib/live/mount/medium`, and `/cdrom`.
 The fallback mountpoints are diagnostic and compatibility paths. The intended normal path for current CISS ISOs is the runtime cache copied by `0024-ciss-crypt-squash`.
 **Core calls (initramfs):**
 ```sh
 # 1) Signature and FPR pin (no agent)
 DATA="/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt"
 SIG="${DATA}.sig"
 KEYFILE="/etc/ciss/keys/<pinned-FPR>.gpg"
 /usr/bin/gpgv --keyring "${KEYFILE}" --status-fd 1 "${SIG}" "${DATA}"
 # 2) Mandatory content hash verification
@@ -210,7 +295,7 @@ dd if="${CDLB_MAPPER_DEV}" ... | /usr/bin/sha512sum -c /run/ciss-rootfs-attestat
 # 10. Failure Policy (fail-closed, deterministic)
-* **Abort** on: missing checksum manifest, unsupported checksum manifest/tool state, failed checksum, empty checksum manifest, missing `VALIDSIG`, FPR mismatch, missing key/signature, malformed rootfs attestation manifest, or rootfs payload hash mismatch.
+* **Abort** on: missing checksum manifest, unsupported checksum manifest/tool state, failed checksum, empty checksum manifest, missing rootfs attestation artifacts on the real ISO medium during `0024`, failed preservation of the runtime attestation cache, missing cached rootfs manifest/signature during `0042`, missing `VALIDSIG`, FPR mismatch, missing key/signature, malformed rootfs attestation manifest, or rootfs payload hash mismatch.
 * A signed rootfs manifest alone is not sufficient. Boot continues only after the manifest signature/FPR, and the decrypted SquashFS payload bytes both verify successfully.
 * `dm-integrity` protects the opened LUKS mapping against sector corruption or tampering under the LUKS key, but it is not treated as origin authenticity. Origin authenticity is provided by the signed rootfs attestation manifest and pinned signer fingerprint.
@@ -237,59 +322,77 @@ dd if="${CDLB_MAPPER_DEV}" ... | /usr/bin/sha512sum -c /run/ciss-rootfs-attestat
  * [9990-main.sh](../config/includes.chroot/usr/lib/live/boot/9990-main.sh),
  * [9990-networking.sh](../config/includes.chroot/usr/lib/live/boot/9990-networking.sh),
  * [9990-overlay.sh](../config/includes.chroot/usr/lib/live/boot/9990-overlay.sh).
-* **Hooks (boot view):** 
+* **Hooks (initramfs boot view):**
-  * `/scripts/live-premount/0022-ciss-overlay-tmpfs`, 
+  * `/usr/lib/live/boot/0022-ciss-overlay-tmpfs`,
-  * `/scripts/live-premount/0024-ciss-crypt-squash`,
+  * `/usr/lib/live/boot/0024-ciss-crypt-squash`,
-  * `/scripts/live-premount/0026-ciss-early-sysctl`,
+  * `/usr/lib/live/boot/0026-ciss-early-sysctl`,
-  * `/scripts/live-bottom/0030-ciss-verify-checksums`,
+  * `/usr/lib/live/boot/0030-ciss-verify-checksums`,
-  * `/scripts/live-bottom/0042-ciss-post-decrypt-attest`
+  * `/usr/lib/live/boot/0042_ciss_post_decrypt_attest`,
  * `/usr/lib/live/boot/9990-main.sh`,
  * `/usr/lib/live/boot/9990-overlay.sh`
 * **Key files:**
-  * ISO edge (for 0030): embedded public key blob (project-specific FPR)
+  * Mounted live medium (for 0030): embedded public key blob (project-specific FPR)
  * Root FS (for 0042): `/etc/ciss/keys/<FPR>.gpg`
-* **Mounts (typical):** `/run/live/rootfs`, `/run/live/overlay`
+* **Rootfs attestation artifacts:**
  * ISO payload paths: `/live/filesystem.squashfs.sha512sum.txt`, `/live/filesystem.squashfs.sha512sum.txt.sig`
  * Runtime cache paths: `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt`, `/run/ciss-rootfs-attestation/filesystem.squashfs.sha512sum.txt.sig`
  * Transient checksum file for exact mapper-byte verification: `/run/ciss-rootfs-attestation.sha512sum`
 * **Runtime handoff state:** `/run/ciss-rootdev`
 * **Mounts (typical):** `/run/live/medium`, `/run/live/rootfs`, `/run/live/overlay`
 # 13. Diagram: CISS Live ISO Build, Boot, and Run Time Trust Chain & Verification Paths
 ```mermaid
 flowchart TD
  subgraph ISO Build Time
-    A["Embed and pin GPG FPR (into ISO & RootFS as needed)"] e00@--> B["Generate ISO-edge sha512sum.txt and .sig"];
+    A["Embed and pin GPG FPR (into ISO & RootFS as needed)"] e00@--> B["Generate mounted-medium sha512sum.txt and .sig"];
-    B e01@--> C["Build filesystem.squashfs and wrap it into ciss_rootfs.crypt"];
+    B e01@--> C["Build filesystem.squashfs"];
    C e01b@--> C2["Generate rootfs attestation manifest and detached signature in binary/live"];
    C2 e01c@--> C3["Copy filesystem.squashfs into ciss_rootfs.crypt and remove plaintext filesystem.squashfs"];
    e00@{ animation: fast }
    e01@{ animation: fast }
    e01b@{ animation: fast }
    e01c@{ animation: fast }
  end
  subgraph ISO Boot Time
-    C e02@--> D["0024 LUKS2, dm-integrity HMAC-SHA512"];
+    C3 e02@--> D["0024 mounts real ISO medium and expects ciss_rootfs.crypt plus rootfs attestation files under /live"];
-    D e03@-->|SUCCESSFUL| E["ciss_rootfs.crypt opened"];
+    D e02b@--> DCACHE["0024 copies rootfs attestation files to /run/ciss-rootfs-attestation"];
-    E e04@--> F["Mounting RootFS"];
+    DCACHE e03@--> E["0024 opens ciss_rootfs.crypt with LUKS2/dm-integrity and exposes /dev/mapper/crypt_liveiso"];
-    F e05@--> G["0030 verification of authenticity and integrity via embedded and pinned GPG of ISO edge"];
+    E e04@--> F["0030 verifies mounted live-medium manifest, signature, FPR, and checksums"];
-    G e06@-->|SUCCESSFUL| H["ISO edge verified"];
+    F e05@-->|SUCCESSFUL| G["Mounted live medium verified"];
-    H e07@--> I["0042 post-decrypt-attestation of RootFS SquashFS payload"];
+    G e06@--> H["9990-overlay mounts SquashFS / OverlayFS"];
-    I e08@-->|SUCCESSFUL| J["RootFS SquashFS payload attestation successful"];
+    H e07@--> I["0042 verifies cached rootfs attestation manifest and FPR"];
    I e08@--> J["0042 verifies exact SquashFS bytes from /dev/mapper/crypt_liveiso"];
    J e09@-->|SUCCESSFUL| K["RootFS SquashFS payload attestation successful"];
    e02@{ animation: fast }
    e02b@{ animation: fast }
    e03@{ animation: fast }
    e04@{ animation: fast }
    e05@{ animation: fast }
    e06@{ animation: fast }
    e07@{ animation: fast }
    e08@{ animation: fast }
  end
  subgraph ISO Run Time
    J e09@--> K{{"CISS.debian.live.builder ISO running"}};
    X{{"CISS.debian.live.builder Boot process halted"}};
    e09@{ animation: fast }
  end
  subgraph ISO Run Time
    K e10@--> L{{"CISS.debian.live.builder ISO running"}};
    X{{"CISS.debian.live.builder Boot process halted"}};
    e10@{ animation: fast }
  end
 D -- FAIL --> X;
-G -- FAIL --> X;
+DCACHE -- FAIL --> X;
 E -- FAIL --> X;
 F -- FAIL --> X;
 I -- FAIL --> X;
 J -- FAIL --> X;
 ```
 # 14. Closing Remarks
-This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection against medium tampering, bitrot, and active attacks **both before and after decryption**. The dual-verification phases make the state transparent and deterministic.
+This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection at the mounted-medium and decrypted-rootfs-payload boundaries. The dual-verification phases make the state transparent and deterministic without treating `dm-integrity`, LUKS, or private infrastructure as substitutes for origin authenticity.
 ---
 **[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.024.2026.06.11<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. SSH Host Key Policy – CISS.debian.live.builder / CISS.debian.installer
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.024.2026.06.11<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. Resources
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.024.2026.06.11<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. ``30-ciss-hardening.conf``
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.024.2026.06.11<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. ``90-ciss-local.hardened``
@@ -8,7 +8,7 @@ include_toc: true
 **Centurion Intelligence Consulting Agency Information Security Standard**<br>
 *Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
 **Master Version**: 9.14<br>
-**Build**: V9.14.024.2026.06.11<br>
+**Build**: V9.14.028.2026.06.18<br>
 # 2. ``ciss_live_builder.sh``
@@ -57,7 +57,6 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   None
 # Returns:
 #   ERR_ARG_MSMTCH: on failure
 #   ERR_ARG_MSMTCH: on failure
 #   ERR_CONTROL_CT: on failure
 #   ERR_DROPBEAR_V: on failure
 #   ERR_MISS_PWD_F: on failure
@@ -164,7 +163,7 @@ arg_parser() {
          shift 1
          ;;
-        --change-splash )
+        --change-splash)
          if [[ "${2}" == "club" || "${2}" == "hexagon" ]]; then
            # shellcheck disable=SC2034
            declare -g VAR_HANDLER_SPLASH="${2}"
@@ -63,10 +63,10 @@ trap_on_exit() {
      print_scr_exit_non_zero "${errcode}" "${errscrt}" "${errline}" "${errfunc}" "${errcmmd}"
      sanitize_debug_logs || true
    fi
    sanitize_debug_logs || true
    exit "${errcode}"
  fi
@@ -78,6 +78,9 @@ usage() {
    echo "    This option creates a boot menu entry that starts the forthcoming 'CISS.debian.installer', which is executed"
    echo "    once the system has successfully booted up."
    echo
    echo -e "\e[97m  --cicd \e[0m"
    echo "    Only for CISS internal Gitea Action Runners"
    echo
    echo -e "\e[97m  --contact, -c \e[0m"
    echo "    Show author contact information."
    echo
@@ -118,6 +121,9 @@ usage() {
    echo "    This MUST be a filename only and MUST be placed in the root-owned tmpfs secret root:"
    echo "    </dev/shm/cdlb_secrets>"
    echo
    echo -e "\e[97m  --logo, -l \e[0m"
    echo "    Shows the Centurion Head."
    echo
    echo -e "\e[97m  --log-statistics-only \e[0m"
    echo "    Provides statistic only after successful building a CISS.debian.live-ISO. While enabling '--log-statistics-only'"
    echo "    the argument '--build-directory' MUST be provided."
@@ -125,10 +131,6 @@ usage() {
    echo -e "\e[97m  --primordial-key <ssh-identity-filename> \e[0m"
    echo "    SSH identity filename for the Primordial overlay clone. This MUST be a filename only; the runtime path is"
    echo "    derived as '/root/.ssh/<ssh-identity-filename>'."
    echo "    Example fragment:"
    echo "      ./ciss_live_builder.sh --primordial-url https://git.coresecret.dev/ahz/PhysNet.primordial.git \\"
    echo "        --primordial-key id--git.coresecret.dev--PhysNet.primordial_deploy--ed25519--newton--2025-10 \\"
    echo "        --primordial-ssh 42842"
    echo
    echo -e "\e[97m  --primordial-ssh <INTEGER> \e[0m"
    echo "    Adds one outgoing UFW TCP exception for a bootstrap SSH port."
@@ -601,7 +601,7 @@ main() {
  var_log="/root/.ciss/cdi/log/9999-cdi-starter_$(date +"%Y-%m-%d_%H-%M-%S").log"
  touch "${var_log}"
-  printf "CISS.debian.live.builder V9.14.024.2026.06.11 calling CISS.debian.installer ... \n" >> "${var_log}"
+  printf "CISS.debian.live.builder V9.14.028.2026.06.18 calling CISS.debian.installer ... \n" >> "${var_log}"
  ### Sleep a moment to settle boot artifacts.
  sleep 8
@@ -696,7 +696,7 @@ main() {
  ### Timeout reached without acceptable semaphore.
  logger -t cdi-watcher "No valid semaphore ${VAR_SEMAPHORE} (mode 0600) within ${VAR_TIMEOUT}s; exiting idle."
-  printf "CISS.debian.live.builder V9.14.024.2026.06.11: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
+  printf "CISS.debian.live.builder V9.14.028.2026.06.18: No valid semaphore [%s] within [%s]s.\n" "${VAR_SEMAPHORE}" "${VAR_TIMEOUT}" >> "${var_log}"
  exit 0
 }
@@ -25,7 +25,7 @@ declare -grx VAR_GIT_HEAD_FULL="$(git rev-parse HEAD)"
 declare -grx VAR_HOST="$(uname -n)"
 declare -grx VAR_ISO8601="$(date -u -d "@${VAR_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ')"
 declare -grx VAR_SYSTEM="$(uname -mnosv)"
-declare -grx VAR_VERSION="Master V9.14.024.2026.06.11"
+declare -grx VAR_VERSION="Master V9.14.028.2026.06.18"
 declare -grx VAR_VER_BASH="$(bash --version | head -n1 | awk '{
  # Print $4 and $5; include $6 only if it exists
  out = $4
Author	SHA256	Message	Date
msw	a8454eeadf	V9.14.028.2026.06.18 🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Has been cancelled Details 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details 💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled Details 🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-18 10:49:41 +01:00
msw	f31ac3503f	V9.14.026.2026.06.17 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-18 06:46:41 +01:00
msw	0f28dad6c2	V9.14.026.2026.06.17 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-17 21:55:52 +01:00
msw	784c088c0e	V9.14.026.2026.06.17 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-17 18:44:12 +01:00
msw	1d130a7027	V9.14.026.2026.06.17 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-17 17:14:45 +01:00
msw	7fb6ca2cd2	V9.14.026.2026.06.17 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-17 16:31:47 +01:00
msw	009f92aea1	V9.14.026.2026.06.17 🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Has been cancelled Details 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details 💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled Details 🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-17 15:49:17 +01:00
msw	e11b6285ca	V9.14.026.2026.06.12 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-12 06:26:46 +01:00
msw	b59bca727e	V9.14.026.2026.06.12 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-12 05:30:51 +01:00
msw	7bb871e3f7	V9.14.026.2026.06.12 Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-12 05:24:03 +01:00
msw	4633ff5ea7	V9.14.026.2026.06.12 🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Has been cancelled Details 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details 💙 Generating a PUBLIC Live ISO. / 💙 Generating a PUBLIC Live ISO. (push) Has been cancelled Details 🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-12 04:52:18 +01:00
msw	bd5c7729a2	V9.14.024.2026.06.11 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-11 21:15:37 +01:00
msw	666111df0e	V9.14.024.2026.06.11 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-11 20:39:50 +01:00
msw	5cc2110ecb	V9.14.024.2026.06.11 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-11 20:14:31 +01:00
msw	f6ca83fb26	V9.14.024.2026.06.11 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-11 18:54:19 +01:00
msw	ab827e9c05	V9.14.024.2026.06.11 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-11 18:13:13 +01:00
msw	b81b9bf836	V9.14.024.2026.06.11 🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Has been cancelled Details Signed-off-by: Marc S. Weidner <msw@coresecret.dev>	2026-06-11 17:29:59 +01:00