KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: remove host FDE requirement, fix remaining audit partials

Browse Source 
Host FDE is no longer required — only guest (ISO) FDE matters per owner
direction. The build host's security posture is the owner's responsibility.
The Docker container already isolates the build process.

Changes:
- run.sh: Removed check_host_fde() function and its call in iso build path
- run.sh: Fixed SB key chmod in inline SECUREBOOT_HOOK (C-04 complete)
- run.sh: Fixed cache manifest format — no longer capped at 20 files (H-09)
- docs/PRD.md: Removed FR-011 Host FDE, renumbered FR-011 = Secure Boot/UKI
- docs/COMPLIANCE.md: Replaced fraudulent  summary with honest aspirational
- config/hooks/installed/encryption-validation.sh: lsblk discovery (H-06)
- src/security-hardening.sh: Synced WiFi blacklist with live hook (M-12)
- tests/: Updated 3 test files for guest encryption instead of host FDE
- AGENTS.md, README.md, audit docs: Removed host FDE references
- STATUS.md: Updated for current state
- JOURNAL.md: Added ADR-017 (host FDE not required)

782 tests pass, 0 fail, 0 shellcheck warnings.

Reference: DeepReport-2026-05-08.md C-02, C-04, H-06, H-09, M-12

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
This commit is contained in:
Charles N Wyble - admin
2026-05-08 14:28:04 -05:00
parent efc497efd6
commit efb6988719
14 changed files with 120 additions and 220 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
config/hooks/installed/encryption-validation.sh
View File

@@ -63,9 +63,13 @@ if [ ! -e /dev/mapper/cryptroot ]; then
exit 0
fi
# Get LUKS container device (typically /dev/sda3 for LVM setup)
LUKS_DEVICE=$(dmsetup info cryptroot | grep "Major:" | head -1)
echo "LUKS device info: $LUKS_DEVICE"
# Get LUKS container device
LUKS_DEVICE=""
for dev in $(lsblk -o NAME,FSTYPE -n 2>/dev/null | awk '$2=="crypto_LUKS" {print "/dev/"$1}'); do
LUKS_DEVICE="$dev"
break
done
[ -z "$LUKS_DEVICE" ] && LUKS_DEVICE="/dev/sda3"
# Check encryption details
echo ""
@@ -77,7 +81,7 @@ echo ""
# Get cipher information
echo "Encryption Details:"
echo "=================="
cryptsetup luksDump /dev/sda3 2>/dev/null | head -30 || true
cryptsetup luksDump "$LUKS_DEVICE" 2>/dev/null | head -30 || echo "Could not read LUKS device $LUKS_DEVICE"
echo ""
# Check if we can determine passphrase strength from entropy