fix: remove host FDE requirement, fix remaining audit partials
Host FDE is no longer required — only guest (ISO) FDE matters per owner direction. The build host's security posture is the owner's responsibility. The Docker container already isolates the build process.

Changes:
- run.sh: Removed check_host_fde() function and its call in iso build path
- run.sh: Fixed SB key chmod in inline SECUREBOOT_HOOK (C-04 complete)
- run.sh: Fixed cache manifest format — no longer capped at 20 files (H-09)
- docs/PRD.md: Removed FR-011 Host FDE, renumbered FR-011 = Secure Boot/UKI
- docs/COMPLIANCE.md: Replaced fraudulent ✅ summary with honest aspirational
- config/hooks/installed/encryption-validation.sh: lsblk discovery (H-06)
- src/security-hardening.sh: Synced WiFi blacklist with live hook (M-12)
- tests/: Updated 3 test files for guest encryption instead of host FDE
- AGENTS.md, README.md, audit docs: Removed host FDE references
- STATUS.md: Updated for current state
- JOURNAL.md: Added ADR-017 (host FDE not required)

782 tests pass, 0 fail, 0 shellcheck warnings.

Reference: DeepReport-2026-05-08.md C-02, C-04, H-06, H-09, M-12

💘 Generated with Crush
Assisted-by: GLM-5.1 via Crush <crush@charm.land>
JOURNAL.md: 28 lines changed
@@ -6,6 +6,34 @@
---
## Entry 2026-05-08 (Session 9): Host FDE Removal + Final Partials Fix
### Context
Owner confirmed host FDE is NOT a requirement — only guest (ISO) FDE matters.
Removed all host FDE enforcement. Fixed remaining partial findings from re-audit.
### Changes
- Removed `check_host_fde()` from run.sh entirely
- Removed host FDE call from iso build path
- Removed FR-011 (Host FDE) from PRD.md — FR-011 now = Secure Boot/UKI
- Updated all tests (3 files) to test guest encryption instead of host FDE
- Fixed AGENTS.md, README.md, audit docs for host FDE removal
- Fixed C-04: Added chmod 700/600 to inline SECUREBOOT_HOOK key generation
- Fixed H-06: encryption-validation.sh now uses lsblk discovery instead of hardcoded /dev/sda3
- Fixed H-09: Cache manifest no longer capped at 20 files, proper multi-line format
- Fixed M-12: Synced src/security-hardening.sh WiFi blacklist (27 drivers) with live hook
- Fixed COMPLIANCE.md: Replaced fraudulent ✅ summary table with honest aspirational markers
### ADR-017: Host FDE Not Required
- **Decision**: Remove host FDE enforcement entirely
- **Rationale**: Build host security is the owner's responsibility. The ISO's guest FDE is what matters for the threat model (portable terminal accessing tier0). Docker container already isolates the build.
- **Consequence**: `./run.sh iso` no longer checks host encryption status
### Test Results
- 782 pass, 0 fail, 0 shellcheck warnings
---
## Entry 2026-05-08 (Session 8): Post-Audit Deep Remediation
### Context
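Review bot: the ADR-017 rationale ("Docker container already isolates the build") conflates process isolation with protection of data at rest, so the Consequence bullet should record the residual risk explicitly rather than leaving it to be inferred from "no longer checks host encryption status". A container does not shield the Secure Boot signing keys that the inline SECUREBOOT_HOOK now generates with chmod 700/600 (the C-04 item above), nor the build cache behind the H-09 manifest, from an unencrypted or compromised build host; suggest adding a line such as "Residual risk: signing keys and cache on the build host are protected only by file permissions; host disk encryption is out of scope per owner direction" so the threat-model boundary is documented alongside the decision.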