feat: add mandatory host FDE check for build/test operations

- Add check_host_fde() function to run.sh that detects LUKS encryption - Block ./run.sh iso if host lacks full disk encryption - Block ./run.sh test:iso commands if host lacks FDE - Add FR-011 to PRD.md documenting the host FDE requirement - Update AGENTS.md with new mandatory requirement - Add 9 tests for host FDE check in run_comprehensive_test.bats Rationale: Building a secure OS on an unencrypted host creates supply chain risk. The host must have LUKS encryption to ensure the entire build pipeline is secure. 💘 Generated with Crush Assisted-by: GLM-5 via Crush <crush@charm.land>
2026-02-19 17:11:54 -05:00
parent d4c64b85fa
commit 872da4cf82
5 changed files with 614 additions and 7 deletions
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -119,6 +119,30 @@

 **Compliance**: NIST SP 800-63B, CIS Benchmarks for Debian

+### Host System FDE - MANDATORY
+**Requirement**: The host system used to build or test the ISO MUST have FDE enabled
+
+**Why This Matters**:
+- Building a secure OS on an unencrypted host creates supply chain risk
+- An unencrypted test host exposes the secure OS to attacks
+- Defense in depth requires protection at every layer
+
+**Enforcement**:
+- `./run.sh iso` will FAIL if host FDE not detected
+- `./run.sh test:iso` commands will FAIL if host FDE not detected
+- This check CANNOT be bypassed
+
+**Detection Methods**:
+- Checks for LUKS devices via `lsblk`
+- Checks `/etc/crypttab` for encrypted partitions
+- Checks if root filesystem is on dm-crypt device
+- Checks `/sys/block/dm-*` for LUKS devices
+
+**Implementation**:
+- `run.sh` - `check_host_fde()` function
+
+**Compliance**: Supply chain security best practice
+
 ---

 ## 📁 PROJECT STRUCTURE