#!/usr/bin/env bats # KNEL-Football Unit Tests - Secure Boot Implementation # Reference: PRD.md FR-XXX (Secure Boot with UKI) # Copyright © 2026 Known Element Enterprises LLC # License: GNU Affero General Public License v3.0 only # ============================================================================= # Secure Boot Configuration Variables # ============================================================================= @test "run.sh defines SB_KEY_DIR variable" { grep -q "SB_KEY_DIR=" /workspace/run.sh } @test "run.sh defines SB_KEYS_SRC variable" { grep -q "SB_KEYS_SRC=" /workspace/run.sh } # ============================================================================= # Secure Boot Key Generation Functions # ============================================================================= @test "run.sh defines sb_generate_keys function" { grep -q "sb_generate_keys()" /workspace/run.sh } @test "sb_generate_keys creates PK key" { # PK.key and PK.crt are created by openssl (check for both on separate lines) grep -q "PK.key" /workspace/run.sh grep -q "PK.crt" /workspace/run.sh } @test "sb_generate_keys creates KEK key" { # KEK.key and KEK.crt are created by openssl (check for both on separate lines) grep -q "KEK.key" /workspace/run.sh grep -q "KEK.crt" /workspace/run.sh } @test "sb_generate_keys creates db key" { # db.key and db.crt are created by openssl (check for both on separate lines) grep -q "db\.key" /workspace/run.sh grep -q "db\.crt" /workspace/run.sh } @test "sb_generate_keys uses RSA-4096" { grep -q "rsa:4096" /workspace/run.sh } @test "sb_generate_keys uses SHA-256" { grep -q "sha256" /workspace/run.sh } @test "sb_generate_keys uses 3650 day validity" { grep -q "days 3650" /workspace/run.sh } # ============================================================================= # EFI Signature List (ESL) Functions # ============================================================================= @test "run.sh defines sb_create_esl function" { grep -q "sb_create_esl()" /workspace/run.sh } @test "sb_create_esl uses cert-to-efi-sig-list" { grep -q "cert-to-efi-sig-list" /workspace/run.sh } @test "sb_create_esl generates UUID for ESL" { grep -q "uuidgen" /workspace/run.sh } # ============================================================================= # Auth File Signing Functions # ============================================================================= @test "run.sh defines sb_sign_esl function" { grep -q "sb_sign_esl()" /workspace/run.sh } @test "sb_sign_esl uses sign-efi-sig-list" { grep -q "sign-efi-sig-list" /workspace/run.sh } @test "sb_sign_esl includes timestamp" { grep -q "date.*%Y-%m-%d" /workspace/run.sh } # ============================================================================= # UKI Build Functions # ============================================================================= @test "run.sh defines uki_build function" { grep -q "uki_build()" /workspace/run.sh } @test "uki_build finds kernel in chroot" { grep -q "vmlinuz-" /workspace/run.sh } @test "uki_build finds initrd in chroot" { grep -q "initrd.img" /workspace/run.sh } @test "uki_build uses EFI stub" { grep -q "linuxx64.efi.stub" /workspace/run.sh } @test "uki_build uses objcopy for bundling" { grep -q "objcopy" /workspace/run.sh } @test "uki_build adds os-release section" { grep -q ".osrel" /workspace/run.sh } @test "uki_build adds cmdline section" { grep -q ".cmdline" /workspace/run.sh } @test "uki_build adds linux section" { grep -q ".linux" /workspace/run.sh } @test "uki_build adds initrd section" { grep -q ".initrd" /workspace/run.sh } # ============================================================================= # UKI Signing Functions # ============================================================================= @test "run.sh defines uki_sign function" { grep -q "uki_sign()" /workspace/run.sh } @test "uki_sign uses sbsign" { grep -q "sbsign" /workspace/run.sh } @test "uki_sign uses db key for signing" { grep -q "sbsign.*db.key" /workspace/run.sh } @test "uki_sign verifies signature with sbverify" { grep -q "sbverify" /workspace/run.sh } # ============================================================================= # Secure Boot Setup Function # ============================================================================= @test "run.sh defines secureboot_setup function" { grep -q "secureboot_setup()" /workspace/run.sh } @test "secureboot_setup generates all keys" { grep -q "sb_generate_keys" /workspace/run.sh } @test "secureboot_setup creates all ESL files" { grep -q "sb_create_esl" /workspace/run.sh } @test "secureboot_setup creates PK auth (self-signed)" { grep -q 'sb_sign_esl.*"PK".*"PK"' /workspace/run.sh } @test "secureboot_setup creates KEK auth (signed by PK)" { grep -q 'sb_sign_esl.*"KEK".*"PK"' /workspace/run.sh } @test "secureboot_setup creates db auth (signed by KEK)" { grep -q 'sb_sign_esl.*"db".*"KEK"' /workspace/run.sh } # ============================================================================= # Docker Build Integration # ============================================================================= @test "run.sh defines get_secureboot_script function" { grep -q "get_secureboot_script()" /workspace/run.sh } @test "get_secureboot_script outputs sb_docker_setup" { grep -q "sb_docker_setup()" /workspace/run.sh } @test "get_secureboot_script outputs sb_docker_build_uki" { grep -q "sb_docker_build_uki()" /workspace/run.sh } @test "get_secureboot_script outputs sb_docker_copy_keys_to_binary" { grep -q "sb_docker_copy_keys_to_binary()" /workspace/run.sh } # ============================================================================= # ISO Build Integration # ============================================================================= @test "iso command includes Secure Boot hook creation" { grep -q "0200-secureboot-uki.hook" /workspace/run.sh } @test "Secure Boot hook generates keys" { grep -q "Generating Platform Key" /workspace/run.sh grep -q "Generating Key Exchange Key" /workspace/run.sh grep -q "Generating Signature Database Key" /workspace/run.sh } @test "Secure Boot hook creates auth files" { grep -q "PK.auth" /workspace/run.sh grep -q "KEK.auth" /workspace/run.sh grep -q "db.auth" /workspace/run.sh } @test "Secure Boot hook builds UKI" { grep -q "Building Unified Kernel Image" /workspace/run.sh } @test "Secure Boot hook signs UKI" { grep -q "Signing UKI" /workspace/run.sh } @test "Secure Boot hook copies keys to ISO" { grep -q "Copying keys to ISO" /workspace/run.sh grep -q "secureboot" /workspace/run.sh } # ============================================================================= # Kernel Command Line Security # ============================================================================= @test "UKI cmdline includes lockdown mode" { grep -q "lockdown=confidentiality" /workspace/run.sh } @test "UKI cmdline includes module signature enforcement" { grep -q "module.sig_enforce" /workspace/run.sh } # ============================================================================= # Package Requirements # ============================================================================= @test "package list includes efitools" { grep -q "efitools" /workspace/config/package-lists/knel-football.list.chroot } @test "package list includes sbsigntool" { grep -q "sbsigntool" /workspace/config/package-lists/knel-football.list.chroot } @test "package list includes systemd-boot" { grep -q "systemd-boot" /workspace/config/package-lists/knel-football.list.chroot } @test "package list includes binutils for objcopy" { grep -q "binutils" /workspace/config/package-lists/knel-football.list.chroot } # ============================================================================= # VM TPM Support # ============================================================================= @test "VM template includes TPM device" { grep -q "tpm model" /workspace/vm/template.xml } @test "VM TPM uses version 2.0" { grep -q "version='2.0'" /workspace/vm/template.xml } @test "VM TPM uses CRB model" { grep -q "tpm-crb" /workspace/vm/template.xml } # ============================================================================= # Output Verification # ============================================================================= @test "iso command reports Secure Boot enabled" { grep -q "Secure Boot: ENABLED" /workspace/run.sh } @test "iso command reports UKI signed" { grep -q "UKI: SIGNED" /workspace/run.sh } @test "iso command reports keys location" { grep -q "Keys: /secureboot/" /workspace/run.sh }