msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity
Files
a1b3b38f6a2a9d49776ae3f2330526b8698513f9d12a81bd999c8afdae98f889
CISS.debian.live.builder/docs/MAN_CISS_ISO_BOOT_CHAIN.md
Marc S. Weidner 5f370c2cdb
All checks were successful
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m8s
Details
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m31s
Details
V8.13.408.2025.11.13 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-13 06:26:44 +01:00

186 lines
7.9 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
---
gitea: none
include_toc: true
---
# 1. CISS.debian.live.builder
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.408.2025.11.13<br>
# 2. CISS.debian.live.builder Boot & Trust Chain (Technical Documentation)
**Status:** 2025-11-12
**Audience:** CICA CISO, CISS staff, technically proficient administrators
**Summary:** The CISS.debian Live-ISO establishes a two-stage verification chain without Microsoft-db: an early ISO-edge check (signature and FPR pin) *before* LUKS unlock, and a late root-FS attestation *after* unlock, reinforced by `dm-crypt (AES-XTS)` and `dm-integrity (HMAC-SHA-512)`.
# 3. Overview
* **Trust anchor:** Pinned fingerprint (FPR) of the signing key embedded at build time in initramfs hooks.
* **Integrity & authenticity verification:**
1. **Early:** Verify `sha512sum.txt` at the ISO edge using `gpgv` and FPR pin.
2. **Late:** Verify an attestation hash list inside the decrypted root FS using `gpgv` and FPR pin.
* **Storage-level AEAD (functional):** `dm-crypt` (AES-XTS-512) and `dm-integrity` (HMAC-SHA-512, 4 KiB).
* **Remotely unlock:** Hardened Dropbear (modern primitives only), no passwords, no agent/forwarding.
# 4. Primitives & Parameters (concise)
| Component | Primitive / Parameter | Purpose |
|--------------|-----------------------------------------------------------|-------------------------------------------------------|
| LUKS2 | `aes-xts-plain64`, `--key-size 512`, `--sector-size 4096` | Confidentiality (2×256-bit XTS) |
| dm-integrity | `hmac-sha512` (keyed), journal | Adversary-resistant per-sector integrity/authenticity |
| PBKDF | `argon2id`, `--iter-time 1000` ms | Key derivation, hardware-agnostic |
| Signatures | Ed25519, RSA-4096 (FPR pinned) | Public verifiability, non-repudiation |
| Verification | `gpgv --no-default-keyring` | No agent dependency in initramfs |
| Hash lists | `sha512sum` format | Deterministic content verification |
| Dropbear | Modern KEX/AEAD (per `localoptions.h`) | Minimal attack surface, remote unlock |
# 5. End-to-End Boot Flow
```mermaid
sequenceDiagram
autonumber
participant FW as UEFI/BIOS
participant GRUB as GRUB
participant K as Kernel
participant I as initramfs + live-boot
participant D as Dropbear (optional)
participant C25 as CISS 0025 (live-premount)
participant C30 as CISS 0030 (live-bottom, early)
participant LUKS as LUKS2 + dm-integrity
participant RS as RootFS (SquashFS/Overlay)
participant C45 as CISS 0045 (live-bottom, late)
FW->>GRUB: Load kernel + initramfs
GRUB->>K: Boot kernel
K->>I: Pivot to initramfs (live-boot phases)
I->>D: (optional) Start Dropbear (remote unlock)
I->>C25: Run 0025: LUKS open (dm-crypt+integrity), mount SquashFS
C25->>LUKS: Unlock (Argon2id PBKDF → XTS + HMAC)
I->>C30: Run 0030: Verify ISO edge (gpgv, FPR pin, optional self-hash)
C30-->>I: OK → continue; FAIL → abort
I->>RS: Assemble overlay, switch_root
I->>C45: Run 0045: Verify root fs (gpgv, FPR pin) + dmsetup health
C45-->>I: OK → handoff to userspace; FAIL → abort
```
# 6. LUKS/dm-integrity Layering
```mermaid
graph TD
A[Plain device (rootfs.crypt)] --> B[dm-integrity<br/>HMAC-SHA-512, 4 KiB]
B --> C[dm-crypt<br/>AES-XTS-512]
C --> D[Mapped device /dev/mapper/crypt_liveiso]
D --> E[SquashFS mount /run/live/rootfs]
```
**Note:** Encrypt-then-MAC at the block layer (functionally AEAD-equivalent). Any manipulation ⇒ hard I/O error.
# 7. Build-Time Core Step (LUKS)
```sh
cryptsetup luksFormat \
--batch-mode \
--cipher aes-xts-plain64 \
--integrity hmac-sha512 \
--iter-time 1000 \
--key-file "/proc/$$/fd/${KEYFD}" \
--key-size 512 \
--label crypt_liveiso \
--luks2-keyslots-size 16777216 \
--luks2-metadata-size 4194304 \
--pbkdf argon2id \
--sector-size 4096 \
--type luks2 \
--use-random \
--verbose \
"${LUKSFS}"
```
**Signing keys:** Ed25519 and RSA-4096; **FPR pinned at build time** in hooks. Signing keys are **additionally** signed by an offline GPG Root-CA (out-of-band trust chain).
# 8. Early ISO-Edge Verification (CISS modified hook 0030, live-bottom)
**Goal:** Before consuming any medium content, verify:
1. **Detached signature of `sha512sum.txt`** using `gpgv` against the embedded public key.
2. **FPR pinning:** Parse `VALIDSIG` and require exact match with the build-time pinned FPR.
3. **Optional:** *Script self-IA* hash the executed hook and compare against the signed list (drift/bitrot detector).
**Core call (initramfs):**
```sh
/usr/bin/gpgv --no-default-keyring --keyring "$KEYFILE" --status-fd 1 --verify sha512sum.txt.sig sha512sum.txt
# parse [GNUPG:] VALIDSIG ... <FPR> ...
```
# 9. Late Root-FS Attestation and dmsetup Health (CISS hook 0045, live-bottom)
**Goal:** After LUKS unlock, validate the **decrypted** contents and the **actual** mapping topology.
* **Attestation files:** `/.ciss/attest/rootfs.sha512[.sig]`
* **Key source:** `/etc/ciss/keys/*.gpg` (accepted only if FPR == build-pin)
* **Health check:** `dmsetup table --showkeys` → top `crypt` (AES-XTS), child `integrity` (HMAC-SHA-512, 4096 B)
**Core calls (initramfs):**
```sh
# 1) Signature and FPR pin (no agent)
/usr/bin/gpgv --no-default-keyring --keyring "$KEYFILE" --status-fd 1 --verify "$SIG" "$DATA"
# 2) Optional: Content hash verification
( cd "$ROOTMP" && /usr/bin/sha512sum -c --strict --quiet "$DATA" )
# 3) dmsetup health
dmsetup table --showkeys /dev/mapper/crypt_liveiso
dmsetup table --showkeys CHILD # expect integrity hmac sha512 4096
```
# 9. Failure Policy (fail-closed, deterministic)
* **Abort** on: missing `VALIDSIG`, FPR mismatch, missing key/signature, or a deviating `dmsetup` topology.
# 10. Dropbear (Hardened Remotely Unlock)
```text
• Public-key auth only, no passwords
• Modern KEX/AEAD (e.g., curve25519, sntrup761x25519-sha512, mlkem768x25519-sha256; AES-GCM)
• No agent/X11/TCP forwarding, no SFTP
• Strict timeouts/keep-alives, restricted cipher/KEX set
• Port 42137 (per CISS convention)
```
*Concrete selection compiled via your `localoptions.h` at ISO build time.*
# 11. Integration Points & Paths
* **Hooks (build view):** `/usr/lib/live/boot/0025-...`, `/usr/lib/live/boot/0030-...`, `/usr/lib/live/boot/0045-...`
* **Hooks (boot view):** `/scripts/live-premount/0025-...`, `/scripts/live-bottom/0030-...`, `/scripts/live-bottom/0045-...`
* **Key files:**
* ISO edge (for 0030): embedded public key blob (project-specific name)
* Root FS (for 0045): `/etc/ciss/keys/*.gpg`
* **Mounts (typical):** `/run/live/rootfs`, `/run/live/overlay`
# 12. Diagram: Trust Chain & Verification Paths
```mermaid
flowchart TD
A[Build time<br/>pin EXP_FPR + embed ISO key] --> B[ISO artifacts<br/>sha512sum.txt + .sig]
B --> C[Boot early (0030)<br/>gpgv verify + FPR pin]
C -->|OK| D[LUKS open (0025)]
D --> E[Mount RootFS]
E --> F[Boot late (0045)<br/>gpgv verify + FPR pin (root key)]
F --> G[dmsetup health<br/>crypt(XTS) over integrity(HMAC-SHA512)]
C -- FAIL --> X[Abort]
F -- FAIL --> X
G -- FAIL --> X
```
# 13. Closing Remark
This achieves a portable, self-contained trust chain without a Microsoft-db, providing strong protection against medium tampering, bitrot and active attacks **both before and after decryption**. The dual verification phases plus `dmsetup` health make the state transparent and deterministic.
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
Reference in New Issue View Git Blame Copy Permalink