Compare commits
2 Commits
55cd7449eb
...
ae321b3d6d
| Author | SHA256 | Date | |
|---|---|---|---|
ae321b3d6d
|
|||
|
5f904232e8
|
@@ -71,6 +71,8 @@ declare -ga shortcuts=(
|
|||||||
"swget: TLS1.3 wget"
|
"swget: TLS1.3 wget"
|
||||||
"sysdr: systemctl daemon-reload"
|
"sysdr: systemctl daemon-reload"
|
||||||
"syses: systemctl edit"
|
"syses: systemctl edit"
|
||||||
|
"sysliboot: list-unit-files --state=enabled --type=service"
|
||||||
|
"syslirun: list-units --type=service --state=running"
|
||||||
"sysp: load 99_local.hardened"
|
"sysp: load 99_local.hardened"
|
||||||
"sysrl: systemctl reload"
|
"sysrl: systemctl reload"
|
||||||
"sysrs: systemctl restart'"
|
"sysrs: systemctl restart'"
|
||||||
|
|||||||
@@ -79,11 +79,12 @@ end
|
|||||||
|
|
||||||
# 6. LUKS/dm-integrity Layering
|
# 6. LUKS/dm-integrity Layering
|
||||||
```mermaid
|
```mermaid
|
||||||
graph TD
|
flowchart TD;
|
||||||
A[Plain device (rootfs.crypt)] --> B[dm-integrity (HMAC-SHA-512, 4 KiB)]
|
%%
|
||||||
B --> C[dm-crypt (AES-XTS-512)]
|
A[Plain device (/live/rootfs.crypt)] --> B[dm-integrity (HMAC-SHA-512, 4 KiB)];
|
||||||
C --> D[Mapped device /dev/mapper/crypt_liveiso]
|
B --> C[dm-crypt (AES-XTS-512)];
|
||||||
D --> E[SquashFS mount /run/live/rootfs]
|
C --> D[Mapped device /dev/mapper/crypt_liveiso];
|
||||||
|
D --> E[SquashFS mount /run/live/rootfs];
|
||||||
```
|
```
|
||||||
|
|
||||||
**Note:** Encrypt-then-MAC at the block layer (functionally AEAD-equivalent). Any manipulation ⇒ hard I/O error.
|
**Note:** Encrypt-then-MAC at the block layer (functionally AEAD-equivalent). Any manipulation ⇒ hard I/O error.
|
||||||
@@ -185,16 +186,17 @@ dmsetup table --showkeys CHILD # expect integrity hmac sha512 4096
|
|||||||
# 13. Diagram: Trust Chain & Verification Paths
|
# 13. Diagram: Trust Chain & Verification Paths
|
||||||
|
|
||||||
```mermaid
|
```mermaid
|
||||||
graph TD
|
flowchart TD;
|
||||||
A[Build time: pin EXP_FPR + embed ISO key] --> B[ISO artifacts: sha512sum.txt + .sig]
|
%%
|
||||||
B --> C[Boot early (0030): gpgv verify + FPR pin]
|
A[Build time: pin EXP_FPR + embed ISO key] --> B[ISO artifacts: sha512sum.txt + .sig];
|
||||||
C -->|OK| D[LUKS open (0025)]
|
B --> C[Boot early (0030): gpgv verify + FPR pin];
|
||||||
D --> E[Mount RootFS]
|
C -->|OK| D[LUKS open (0025)];
|
||||||
E --> F[Boot late (0045): gpgv verify + FPR pin (root key)]
|
D --> E[Mount RootFS];
|
||||||
F --> G[dmsetup health: crypt(XTS) over integrity(HMAC-SHA-512)]
|
E --> F[Boot late (0045): gpgv verify + FPR pin (root key)];
|
||||||
C -- FAIL --> X[Abort]
|
F --> G[dmsetup health: crypt(XTS) over integrity(HMAC-SHA-512)];
|
||||||
F -- FAIL --> X
|
C -- FAIL --> X[Abort];
|
||||||
G -- FAIL --> X
|
F -- FAIL --> X;
|
||||||
|
G -- FAIL --> X;
|
||||||
```
|
```
|
||||||
|
|
||||||
# 14. Closing Remark
|
# 14. Closing Remark
|
||||||
|
|||||||
Reference in New Issue
Block a user