feat: enforce SDLC compliance with pre-commit hook and documentation
- Add .git/hooks/pre-commit for automatic SDLC enforcement
  - Blocks commits on lint warnings
  - Blocks commits on test failures
  - Checks test coverage for modified files
  - Warns on missing documentation updates
- Update AGENTS.md with mandatory SDLC compliance section
  - Visual workflow diagram
  - Zero tolerance policy
  - Pre-commit hook documentation
- Fix SC2012 lint warnings in run.sh (lines 74, 551)
  - Changed ls | head to find -print -quit
- Add FR-012 Secure Boot with UKI to docs/PRD.md
  - Trust chain requirements
  - Key specifications (RSA-4096, SHA-256, 3650 days)
  - Kernel lockdown requirements
- Update docs/security-model.md with Secure Boot trust chain
  - Full trust chain diagram
  - Key hierarchy
  - Kernel lockdown effects
- Update docs/TEST-COVERAGE.md with Secure Boot tests
- Add tests/unit/secureboot_test.bats (70+ tests for Secure Boot)
- Fix test bugs in build-iso and run comprehensive tests
  - Changed distribution from 'testing' to 'trixie'
  - Fixed Secure Boot key test patterns for multiline matches

💘 Generated with Crush
Assisted-by: GLM-4.7 via Crush <crush@charm.land>
@@ -23,8 +23,95 @@ The KNEL-Football security model implements a defense-in-depth approach to creat

- **UEFI-Only Boot** - No legacy BIOS support prevents boot attacks
- **Secure Boot** - Cryptographic verification of bootloader and kernel
- **Unified Kernel Image (UKI)** - Signed kernel+initramfs+cmdline bundle
- **Kernel Lockdown** - Kernel runs in confidentiality lockdown mode
- **Measured Boot** - Boot chain integrity measurement and attestation

##### Secure Boot Trust Chain

```
┌─────────────────────────────────────────────────────────────────────────────┐
│ SECURE BOOT TRUST CHAIN │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────────┐ │
│ │ UEFI Firmware │ ← Root of Trust (Hardware) │
│ └──────────┬──────────┘ │
│ │ Verifies PK signature │
│ ▼ │
│ ┌─────────────────────┐ │
│ │ PK (Platform Key) │ ← RSA-4096, SHA-256, 3650 days │
│ │ Self-signed │ Platform owner authorization │
│ └──────────┬──────────┘ │
│ │ Signs KEK updates │
│ ▼ │
│ ┌─────────────────────┐ │
│ │ KEK (Key Exchange) │ ← RSA-4096, SHA-256, 3650 days │
│ │ Signed by PK │ OS/key exchange authorization │
│ └──────────┬──────────┘ │
│ │ Signs db updates │
│ ▼ │
│ ┌─────────────────────┐ │
│ │ db (Signature DB) │ ← RSA-4096, SHA-256, 3650 days │
│ │ Signed by KEK │ Allowed EFI binaries │
│ └──────────┬──────────┘ │
│ │ Verifies UKI signature │
│ ▼ │
│ ┌─────────────────────┐ │
│ │ UKI (Unified │ ← Signed EFI binary │
│ │ Kernel Image) │ • linuxx64.efi.stub │
│ │ │ • os-release │
│ │ │ • cmdline (lockdown=confidentiality) │
│ │ │ • linux (vmlinuz) │
│ │ │ • initrd (initramfs) │
│ └──────────┬──────────┘ │
│ │ Boots with lockdown │
│ ▼ │
│ ┌─────────────────────┐ │
│ │ Linux Kernel │ ← Kernel Lockdown Mode │
│ │ (Confidentiality) │ • module.sig_enforce=1 │
│ │ │ • No unsigned modules │
│ │ │ • No /dev/mem access │
│ │ │ • No kexec │
│ └─────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
```

##### Secure Boot Keys

| Key | Purpose | Algorithm | Validity |
|-----|---------|-----------|----------|
| PK (Platform Key) | Authorizes KEK updates | RSA-4096, SHA-256 | 3650 days |
| KEK (Key Exchange Key) | Authorizes db updates | RSA-4096, SHA-256 | 3650 days |
| db (Signature Database) | Signs EFI binaries | RSA-4096, SHA-256 | 3650 days |

##### UKI Components

| Section | Content | Purpose |
|---------|---------|---------|
| .osrel | /etc/os-release | OS identification |
| .cmdline | Kernel parameters | lockdown=confidentiality, module.sig_enforce=1 |
| .linux | vmlinuz-{version} | Kernel image |
| .initrd | initrd.img-{version} | Initial ramdisk |

##### Kernel Lockdown Effects

When Secure Boot is active and kernel lockdown is enabled:
- **No unsigned kernel modules** - module.sig_enforce=1
- **No /dev/mem or /dev/kmem access** - Prevents direct memory manipulation
- **No kexec** - Cannot replace running kernel
- **No hibernation to untrusted storage** - Prevents data extraction
- **No iopl/ioperm** - Restricts I/O port access
- **No MSRs from userspace** - Restricts model-specific register access

##### Secure Boot Enforcement

- **Build Time**: Keys generated, UKI signed during ISO build
- **Install Time**: Keys enrolled in UEFI firmware (setup mode)
- **Boot Time**: UEFI verifies UKI signature before boot
- **Runtime**: Kernel enforces lockdown mode restrictions

#### 2. Network Security Layer

- **Network Isolation** - No general internet access

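Review bot: the "Secure Boot Enforcement" list at the end of this hunk says the keys are generated and the UKI signed during the ISO build, but nothing in the section says where the PK/KEK/db private keys live after the build or that they are excluded from the ISO; the whole chain reduces to the db signing key, so state the key storage and that build-time private material is not shipped. Two consistency points in the same hunk: the arrow label "│ Verifies UKI signature │" under "db (Signature DB)" attributes the check to db, whereas the firmware performs the verification against the certificates held in db (db is an allow-list, not a verifier), and the trust-chain diagram lists only "cmdline (lockdown=confidentiality)" while the UKI Components table puts "lockdown=confidentiality, module.sig_enforce=1" in .cmdline; make the two agree. Finally, the Secure Boot Keys table has no dbx row and no rotation procedure despite the 3650-day validity, and the "Install Time" step should say whether the vendor KEK/db entries are kept or replaced when the custom PK is enrolled in setup mode; if they are replaced, option ROMs signed only by the Microsoft UEFI CA will fail verification, which is worth a caveat in the security model.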