CISS.debian.live.builder/docs/MAN_CISS_ISO_BOOT_CHAIN.md
msw 800cd175fc V9.14.022.2026.06.10
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-10 17:57:31 +01:00


1. CISS.debian.live.builder

Centurion Intelligence Consulting Agency Information Security Standard
Debian Live Build Generator for hardened live environment and CISS Debian Installer
Master Version: 9.14
Build: V9.14.022.2026.06.10

2. CISS.debian.live.builder Boot & Trust Chain (Technical Documentation)

Status: 2025-11-12
Audience: CICA CISO, CISS staff, technically proficient administrators
Summary: The CISS.debian.live.builder Live-ISO establishes a two-stage verification chain around the live root: an early ISO-edge check (signature and FPR pin) before LUKS unlock, and a late root-FS attestation after unlock, reinforced by dm-crypt (AES-XTS) and dm-integrity (HMAC-SHA-512). UEFI Secure Boot can use either the default Microsoft/Debian shim chain, or a CISS-signed UKI chain for systems that trust the CISS Secure Boot key material.

3. Overview

  • Trust anchor: Pinned fingerprint (FPR) of the signing key, embedded at build time in the initramfs hooks.
  • Integrity & authenticity verification:
    1. Early: Verify sha512sum.txt at the ISO edge using gpgv and the FPR pin.
    2. Late: Verify an attestation hash list inside the decrypted root FS using gpgv and the FPR pin.
  • Storage-level AEAD (functional): dm-crypt (AES-XTS-512) and dm-integrity (HMAC-SHA-512, 4 KiB sectors).
  • Remote unlock: CISS-hardened and CISS-built dropbear, modern primitives only, no passwords, no agent/forwarding.

3.1. Secure Boot Profiles

The builder supports two build-time Secure Boot profiles:

  • debian-shim (default): keeps the broadly portable live-build path. The ISO is built as iso-hybrid with BIOS and UEFI bootloaders, and UEFI Secure Boot loads the Microsoft-signed Debian shim before Debian-signed GRUB.
  • ciss-uki: intended for amd64 systems whose firmware trusts the CISS Secure Boot public key through db, or a custom PK/KEK/db model. A late binary hook builds and signs a UKI from the final binary/live/vmlinuz-* and binary/live/initrd.img-* artifacts, then installs it as EFI/BOOT/BOOTX64.EFI inside binary/boot/grub/efi.img and mirrors it into the ISO EFI tree when live-build created one.

The ciss-uki path is:

UEFI firmware -> EFI/BOOT/BOOTX64.EFI (CISS-signed UKI) -> Linux

The private EFI signing key remains outside binary/, chroot/ and config/includes.*; the binary hooks fail if the CISS private Secure Boot key names are detected in those paths before live-build checksum generation.

4. Primitives & Parameters

| Component | Primitive / Parameter | Purpose |
|---|---|---|
| LUKS2 | aes-xts-plain64, --key-size 512, --sector-size 4096 | Confidentiality (2×256-bit XTS) |
| dm-integrity | hmac-sha512 (keyed), journal | Adversary-resistant per-sector integrity, authenticity |
| PBKDF | argon2id, --iter-time 1000 ms | Key derivation, hardware-agnostic |
| Signatures | Ed25519 or RSA-4096 (FPR pinned) | Public verifiability, non-repudiation |
| Verification | gpgv --no-default-keyring | No agent dependency in initramfs |
| Hash lists | sha512sum format | Deterministic content verification |
| Dropbear | Modern KEX/AEAD (per localoptions.h) | Minimal attack surface, remote unlock |

5. Diagram: CISS Live ISO Boot Flow

flowchart TD
  subgraph Trusted HW Manufacturer
    0000["System Power On"] e00@--> 0010["CPU reset 0xFFFFFFF0, POST"];
    0010 e01@--> 0020["UEFI DXE Phase enumerates devices"];
    0020 e02@--> 0030["Secure Boot (if enabled): db, dbx, KEK, PK loaded from NVRAM"];
    e00@{ animation: fast }
    e01@{ animation: fast }
    e02@{ animation: fast }
  end

  subgraph Trusted Secure Boot
    0030 e03@--> |debian-shim| 0040["Secure Boot: load & verify \EFI\BOOT\BOOTX64.EFI (shim)"];
    0040 e04@--> |SUCCESSFUL| 0050["shim: load & verify \EFI\BOOT\GRUBX64.EFI"];
    0050 e05@--> 0060["GRUB: load vmlinuz + initrd.img, set cmdline"];
    0030 e06a@--> |ciss-uki| 0045["Secure Boot: load & verify \EFI\BOOT\BOOTX64.EFI (CISS UKI)"];
    0045 e06b@--> 0060;
    e03@{ animation: fast }
    e04@{ animation: fast }
    e05@{ animation: fast }
    e06a@{ animation: fast }
    e06b@{ animation: fast }

  end

  subgraph Trusted Live ISO
    0060 e06@--> 0070["Transfer Control to Kernel Entry Point"];
    0070 e07@--> 0080["Decompress Kernel"];
    0080 e08@--> 0090["/init Phase"];
    0090 e09@--> 0100["Starting CISS.hardened dropbear"];
    0100 e10@--> 0110["Executing live-boot, mounting ISO FS"];
    0110 e11@--> 0122["Executing 0022-ciss: Hardening tmpfs for OverlayFS upper/work"];
    0122 e12@--> 0124["Executing 0024-ciss: LUKS open (dm-crypt & integrity)"];
    0124 e13@--> |SUCCESSFUL| LUKS["Unlocking LUKS2 Argon2id PBKDF → XTS + HMAC-SHA512"];
    LUKS e14@--> ROOT["Assemble RootFS OverlayFS"];
    ROOT e15@--> 0126["Executing 0026-ciss: Hardening early sysctls"];
    0126 e16@--> 0130["Executing 0030-ciss: Verification of authenticity and integrity via embedded and pinned GPG of ISO edge"];
    0130 e17@--> |SUCCESSFUL| 0142["Executing 0042-ciss: Attestation of RootFS"];
    0142 e18@--> 0145["init-bottom: stop CISS.hardened dropbear, tear down initramfs net"];
    0145 e19@--> 9050["Switching root (run-init / pivot_root)"];
    9050 e20@--> 9010["Starting /sbin/init -> systemd"];
    9010 e21@--> 9020["Starting Target Units"];
    0100    -.-> 0145;
    e06@{ animation: fast }
    e07@{ animation: fast }
    e08@{ animation: fast }
    e09@{ animation: fast }
    e10@{ animation: fast }
    e11@{ animation: fast }
    e12@{ animation: fast }
    e13@{ animation: fast }
    e14@{ animation: fast }
    e15@{ animation: fast }
    e16@{ animation: fast }
    e17@{ animation: fast }
    e18@{ animation: fast }
    e19@{ animation: fast }
    e20@{ animation: fast }
    e21@{ animation: fast }
  end

  subgraph Final State
      9020 e24@--> 9030{{"CISS.debian.live.builder Waiting for Login"}};
      X{{"CISS.debian.live.builder Boot process halted"}};
      e24@{ animation: fast }
  end

0030 -- FAIL --> X;
0040 -- FAIL --> X;
0124 -- FAIL --> X;
0130 -- FAIL --> X;
0142 -- FAIL --> X;

6. Diagram: CISS Live ISO LUKS and dm-integrity layering

---
config:
      theme: forest
---
flowchart TD
0{{"Plain device: CD-ROM / USB"}} --> 1["ISO image (ISO9660 + ESP)"];
1 --> 2["Mount ISO9660 FS → /run/live/medium"];
2 --> 3["Container file /run/live/medium/live/ciss_rootfs.crypt"];
3 --> 4["dm-integrity layer (HMAC-SHA-512, 4 KiB)"];
4 --> 5["dm-crypt LUKS2 (AES-XTS-512) → /dev/mapper/crypt_liveiso"];
5 --> 6["Mount SquashFS from /dev/mapper/crypt_liveiso → /run/live/rootfs"];

Note: Encrypt-then-MAC at the block layer (functionally AEAD-equivalent). Any manipulation ⇒ hard I/O error.

7. CISS Live ISO LUKS Build-Time Core Steps

cryptsetup luksFormat \
  --batch-mode \
  --cipher aes-xts-plain64 \
  --integrity hmac-sha512 \
  --iter-time 1000 \
  --key-file "/proc/$$/fd/${KEYFD}" \
  --key-size 512 \
  --label crypt_liveiso \
  --luks2-keyslots-size 16777216 \
  --luks2-metadata-size 4194304 \
  --pbkdf argon2id \
  --sector-size 4096 \
  --type luks2 \
  --use-random \
  --verbose \
  "${LUKSFS}"

Signing keys: Ed25519 and RSA-4096; FPR pinned at build time in hooks. Signing keys are additionally signed by an offline GPG Root-CA (out-of-band trust chain).

8. Early ISO-Edge Verification (CISS modified hook 0030-ciss-verify-checksums, live-bottom)

Goal: Before consuming any medium content, verify:

  1. Detached signature of sha512sum.txt using gpgv against the embedded public key.
  2. FPR pinning: Parse VALIDSIG and require exact match with the build-time pinned FPR.
  3. Optional: Script self-integrity check: hash the hook that is executing and compare it against the signed list (drift/bitrot detector).

Core call (initramfs):

/usr/bin/gpgv --no-default-keyring --keyring "$KEYFILE" --status-fd 1 --verify sha512sum.txt.sig sha512sum.txt
# parse [GNUPG:] VALIDSIG ... <FPR> ...

9. Late Root-FS Attestation and dmsetup Health (CISS hook 0042_ciss_post_decrypt_attest, called by 9990-overlay.sh)

Goal: After LUKS unlock, validate the decrypted contents and the actual mapping topology.

  • Attestation files: /root/.ciss/attestation/<FPR>.sha512sum.txt[.sig]
  • Key source: /etc/ciss/keys/*.gpg (accepted only if FPR == build-pin)

Core calls (initramfs):

# 1) Signature and FPR pin (no agent)
/usr/bin/gpgv --no-default-keyring --keyring "$KEYFILE" --status-fd 1 --verify "$SIG" "$DATA"

# 2) Optional: Content hash verification
( cd "$ROOTMP" && /usr/bin/sha512sum -c --strict --quiet "$DATA" )
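The FPR-pin logic shared by the early check in section 8 and the late attestation above, as an added example (not code from the CISS hooks): a fail-closed parser for the gpgv --status-fd output plus the sha512sum -c step. It assumes the build-time pin is available as $CISS_PIN_FPR, that DATA is an absolute path, and that the pin is the fingerprint of the key that actually signs (field 3 of VALIDSIG, the subkey's FPR if a subkey signs).

```shell
#!/bin/sh
# Added example, not from the CISS.debian.live.builder hooks.
# Assumptions (not stated on the page): the pin arrives as $CISS_PIN_FPR,
# DATA is absolute, and the pin is the FPR of the key that signs (VALIDSIG field 3).

# ciss_pin_ok STATUS_TEXT PIN -> 0 only if a VALIDSIG line carries exactly PIN.
# Missing pin, missing VALIDSIG, a bare GOODSIG, or any other FPR all fail.
ciss_pin_ok() {
  status="$1"; pin="$2"
  [ -n "$pin" ] || return 1                          # no pin compiled in: fail closed
  fpr=$(printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }')
  [ -n "$fpr" ] || return 1                          # GOODSIG alone is not enough
  [ "$fpr" = "$pin" ]                                # exact, case-sensitive match
}

# ciss_verify_list KEYRING SIG DATA DIR [PIN]
# Runs gpgv as the hooks do, enforces the pin, then checks every entry of the
# sha512sum-format list relative to DIR. Any failure returns non-zero.
ciss_verify_list() {
  keyring="$1"; sig="$2"; data="$3"; dir="$4"; pin="${5:-$CISS_PIN_FPR}"
  status=$(/usr/bin/gpgv --no-default-keyring --keyring "$keyring" \
             --status-fd 1 --verify "$sig" "$data" 2>/dev/null) || return 1
  ciss_pin_ok "$status" "$pin" || return 1
  ( cd "$dir" && /usr/bin/sha512sum -c --strict --quiet "$data" ) >/dev/null 2>&1
}
```

In a hook the call reduces to `ciss_verify_list "$KEYFILE" "$SIG" "$DATA" "$ROOTMP" || exit 1`, with the halt handled as the hooks already do.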

10. Failure Policy (fail-closed, deterministic)

  • Abort on: missing VALIDSIG, FPR mismatch, missing key / signature.

11. CISS-hardened and CISS-built dropbear

  • Public-key authentication only, no passwords
  • Modern KEX / AEAD (e.g., curve25519, sntrup761x25519-sha512, mlkem768x25519-sha256; AES-GCM)
  • No agent / X11 / TCP forwarding, no SFTP
  • Strict timeouts / keep-alives, restricted cipher / KEX set
  • Port 44137 (per CISS convention)

The concrete algorithm selection is compiled in via localoptions.h at ISO build time.

12. Integration Points & Paths

13. Diagram: CISS Live ISO Build, Boot, and Run Time Trust Chain & Verification Paths

flowchart TD

  subgraph ISO Build Time
    A["Embed and pin GPG FPR (into ISO & RootFS as needed)"] e00@--> B["Generate ISO-edge sha512sum.txt and .sig"];
    B e01@--> C["Build filesystem.squashfs and wrap it into ciss_rootfs.crypt"];
    e00@{ animation: fast }
    e01@{ animation: fast }
  end

  subgraph ISO Boot Time
    C e02@--> D["0024 LUKS2, dm-integrity HMAC-SHA512"];
    D e03@-->|SUCCESSFUL| E["ciss_rootfs.crypt opened"];
    E e04@--> F["Mounting RootFS"];
    F e05@--> G["0030 verification of authenticity and integrity via embedded and pinned GPG of ISO edge"];
    G e06@-->|SUCCESSFUL| H["ISO edge verified"];
    H e07@--> I["0042 post-decrypt-attestation of RootFS"];
    I e08@-->|SUCCESSFUL| J["RootFS attestation successful"];
    e02@{ animation: fast }
    e03@{ animation: fast }
    e04@{ animation: fast }
    e05@{ animation: fast }
    e06@{ animation: fast }
    e07@{ animation: fast }
    e08@{ animation: fast }
  end

  subgraph ISO Run Time
    J e09@--> K{{"CISS.debian.live.builder ISO running"}};
    X{{"CISS.debian.live.builder Boot process halted"}};
    e09@{ animation: fast }
  end

D -- FAIL --> X;
G -- FAIL --> X;
I -- FAIL --> X;

14. Closing Remarks

This yields a portable, self-contained trust chain that, in the ciss-uki profile, does not depend on the Microsoft db entry, providing strong protection against medium tampering, bitrot, and active attacks both before and after decryption. The two verification phases make the boot state transparent and deterministic.
