fix: remove host FDE requirement, fix remaining audit partials
Host FDE is no longer required — only guest (ISO) FDE matters per owner direction. The build host's security posture is the owner's responsibility. The Docker container already isolates the build process. Changes: - run.sh: Removed check_host_fde() function and its call in iso build path - run.sh: Fixed SB key chmod in inline SECUREBOOT_HOOK (C-04 complete) - run.sh: Fixed cache manifest format — no longer capped at 20 files (H-09) - docs/PRD.md: Removed FR-011 Host FDE, renumbered FR-011 = Secure Boot/UKI - docs/COMPLIANCE.md: Replaced fraudulent ✅ summary with honest aspirational - config/hooks/installed/encryption-validation.sh: lsblk discovery (H-06) - src/security-hardening.sh: Synced WiFi blacklist with live hook (M-12) - tests/: Updated 3 test files for guest encryption instead of host FDE - AGENTS.md, README.md, audit docs: Removed host FDE references - STATUS.md: Updated for current state - JOURNAL.md: Added ADR-017 (host FDE not required) 782 tests pass, 0 fail, 0 shellcheck warnings. Reference: DeepReport-2026-05-08.md C-02, C-04, H-06, H-09, M-12 💘 Generated with Crush Assisted-by: GLM-5.1 via Crush <crush@charm.land>
This commit is contained in:
34
docs/PRD.md
34
docs/PRD.md
@@ -291,39 +291,7 @@ The system MUST implement full disk encryption using LUKS (Linux Unified Key Set
|
||||
- MD5 checksum file
|
||||
- Build report (optional)
|
||||
|
||||
### FR-011: Host System Full Disk Encryption (MANDATORY)
|
||||
|
||||
**Priority:** P0 (Critical)
|
||||
**Status:** Required
|
||||
|
||||
**Description:**
|
||||
The host system used to build or test KNEL-Football ISO images MUST have full disk encryption enabled. Building a secure operating system on an unencrypted host defeats the entire security model and creates a supply chain risk.
|
||||
|
||||
**Requirements:**
|
||||
1. **LUKS Encryption Required** - Host must use LUKS for disk encryption
|
||||
2. **Build Enforcement** - `./run.sh iso` command MUST fail if host FDE not detected
|
||||
3. **VM Test Enforcement** - `./run.sh test:iso` commands MUST fail if host FDE not detected
|
||||
4. **No Bypass** - This check cannot be disabled or bypassed
|
||||
5. **Clear Error Message** - Users receive clear guidance on how to enable FDE
|
||||
|
||||
**Detection Methods:**
|
||||
- Check for LUKS devices via `lsblk -o TYPE,FSTYPE`
|
||||
- Check `/etc/crypttab` for configured encrypted partitions
|
||||
- Check if root filesystem is on a dm-crypt device
|
||||
- Check for dm-crypt devices in `/sys/block/dm-*`
|
||||
|
||||
**Rationale:**
|
||||
- An unencrypted build host could be compromised, affecting all built ISOs
|
||||
- An unencrypted test host exposes the secure OS to attacks during testing
|
||||
- Supply chain security requires securing the entire build pipeline
|
||||
- Defense in depth requires protection at every layer
|
||||
|
||||
**User Guidance (if FDE not detected):**
|
||||
1. Backup all data
|
||||
2. Reinstall with "Guided - use entire disk and set up encrypted LVM"
|
||||
3. Or use tools like encrypt-existing-debian for in-place encryption
|
||||
|
||||
### FR-012: Secure Boot with Unified Kernel Image (UKI) (MANDATORY)
|
||||
### FR-011: Secure Boot with Unified Kernel Image (UKI) (MANDATORY)
|
||||
|
||||
**Priority:** P0 (Critical)
|
||||
**Status:** Required
|
||||
|
||||
Reference in New Issue
Block a user