KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add mandatory host FDE check for build/test operations

Browse Source 
- Add check_host_fde() function to run.sh that detects LUKS encryption
- Block ./run.sh iso if host lacks full disk encryption
- Block ./run.sh test:iso commands if host lacks FDE
- Add FR-011 to PRD.md documenting the host FDE requirement
- Update AGENTS.md with new mandatory requirement
- Add 9 tests for host FDE check in run_comprehensive_test.bats

Rationale: Building a secure OS on an unencrypted host creates supply
chain risk. The host must have LUKS encryption to ensure the entire
build pipeline is secure.

💘 Generated with Crush

Assisted-by: GLM-5 via Crush <crush@charm.land>
This commit is contained in:
Charles N Wyble
2026-02-19 17:11:54 -05:00
parent d4c64b85fa
commit 872da4cf82
5 changed files with 614 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
docs/PRD.md
View File

@@ -291,6 +291,38 @@ The system MUST implement full disk encryption using LUKS (Linux Unified Key Set
- MD5 checksum file
- Build report (optional)
### FR-011: Host System Full Disk Encryption (MANDATORY)
**Priority:** P0 (Critical)
**Status:** Required
**Description:**
The host system used to build or test KNEL-Football ISO images MUST have full disk encryption enabled. Building a secure operating system on an unencrypted host defeats the entire security model and creates a supply chain risk.
**Requirements:**
1. **LUKS Encryption Required** - Host must use LUKS for disk encryption
2. **Build Enforcement** - `./run.sh iso` command MUST fail if host FDE not detected
3. **VM Test Enforcement** - `./run.sh test:iso` commands MUST fail if host FDE not detected
4. **No Bypass** - This check cannot be disabled or bypassed
5. **Clear Error Message** - Users receive clear guidance on how to enable FDE
**Detection Methods:**
- Check for LUKS devices via `lsblk -o TYPE,FSTYPE`
- Check `/etc/crypttab` for configured encrypted partitions
- Check if root filesystem is on a dm-crypt device
- Check for dm-crypt devices in `/sys/block/dm-*`
**Rationale:**
- An unencrypted build host could be compromised, affecting all built ISOs
- An unencrypted test host exposes the secure OS to attacks during testing
- Supply chain security requires securing the entire build pipeline
- Defense in depth requires protection at every layer
**User Guidance (if FDE not detected):**
1. Backup all data
2. Reinstall with "Guided - use entire disk and set up encrypted LVM"
3. Or use tools like encrypt-existing-debian for in-place encryption
---
## Non-Functional Requirements