Files
football/tests/unit/secureboot_test.bats
Charles N Wyble 59122570a6 feat: enforce SDLC compliance with pre-commit hook and documentation
- Add .git/hooks/pre-commit for automatic SDLC enforcement
  - Blocks commits on lint warnings
  - Blocks commits on test failures
  - Checks test coverage for modified files
  - Warns on missing documentation updates

- Update AGENTS.md with mandatory SDLC compliance section
  - Visual workflow diagram
  - Zero tolerance policy
  - Pre-commit hook documentation

- Fix SC2012 lint warnings in run.sh (lines 74, 551)
  - Changed ls | head to find -print -quit

- Add FR-012 Secure Boot with UKI to docs/PRD.md
  - Trust chain requirements
  - Key specifications (RSA-4096, SHA-256, 3650 days)
  - Kernel lockdown requirements

- Update docs/security-model.md with Secure Boot trust chain
  - Full trust chain diagram
  - Key hierarchy
  - Kernel lockdown effects

- Update docs/TEST-COVERAGE.md with Secure Boot tests

- Add tests/unit/secureboot_test.bats (70+ tests for Secure Boot)

- Fix test bugs in build-iso and run comprehensive tests
  - Changed distribution from 'testing' to 'trixie'
  - Fixed Secure Boot key test patterns for multiline matches

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-02-20 08:44:56 -05:00

293 lines
8.6 KiB
Bash

#!/usr/bin/env bats
# KNEL-Football Unit Tests - Secure Boot Implementation
# Reference: PRD.md FR-XXX (Secure Boot with UKI)
# Copyright © 2026 Known Element Enterprises LLC
# License: GNU Affero General Public License v3.0 only
# =============================================================================
# Secure Boot Configuration Variables
# =============================================================================
@test "run.sh defines SB_KEY_DIR variable" {
grep -q "SB_KEY_DIR=" /workspace/run.sh
}
@test "run.sh defines SB_KEYS_SRC variable" {
grep -q "SB_KEYS_SRC=" /workspace/run.sh
}
# =============================================================================
# Secure Boot Key Generation Functions
# =============================================================================
@test "run.sh defines sb_generate_keys function" {
grep -q "sb_generate_keys()" /workspace/run.sh
}
@test "sb_generate_keys creates PK key" {
# PK.key and PK.crt are created by openssl (check for both on separate lines)
grep -q "PK.key" /workspace/run.sh
grep -q "PK.crt" /workspace/run.sh
}
@test "sb_generate_keys creates KEK key" {
# KEK.key and KEK.crt are created by openssl (check for both on separate lines)
grep -q "KEK.key" /workspace/run.sh
grep -q "KEK.crt" /workspace/run.sh
}
@test "sb_generate_keys creates db key" {
# db.key and db.crt are created by openssl (check for both on separate lines)
grep -q "db\.key" /workspace/run.sh
grep -q "db\.crt" /workspace/run.sh
}
@test "sb_generate_keys uses RSA-4096" {
grep -q "rsa:4096" /workspace/run.sh
}
@test "sb_generate_keys uses SHA-256" {
grep -q "sha256" /workspace/run.sh
}
@test "sb_generate_keys uses 3650 day validity" {
grep -q "days 3650" /workspace/run.sh
}
# =============================================================================
# EFI Signature List (ESL) Functions
# =============================================================================
@test "run.sh defines sb_create_esl function" {
grep -q "sb_create_esl()" /workspace/run.sh
}
@test "sb_create_esl uses cert-to-efi-sig-list" {
grep -q "cert-to-efi-sig-list" /workspace/run.sh
}
@test "sb_create_esl generates UUID for ESL" {
grep -q "uuidgen" /workspace/run.sh
}
# =============================================================================
# Auth File Signing Functions
# =============================================================================
@test "run.sh defines sb_sign_esl function" {
grep -q "sb_sign_esl()" /workspace/run.sh
}
@test "sb_sign_esl uses sign-efi-sig-list" {
grep -q "sign-efi-sig-list" /workspace/run.sh
}
@test "sb_sign_esl includes timestamp" {
grep -q "date.*%Y-%m-%d" /workspace/run.sh
}
# =============================================================================
# UKI Build Functions
# =============================================================================
@test "run.sh defines uki_build function" {
grep -q "uki_build()" /workspace/run.sh
}
@test "uki_build finds kernel in chroot" {
grep -q "vmlinuz-" /workspace/run.sh
}
@test "uki_build finds initrd in chroot" {
grep -q "initrd.img" /workspace/run.sh
}
@test "uki_build uses EFI stub" {
grep -q "linuxx64.efi.stub" /workspace/run.sh
}
@test "uki_build uses objcopy for bundling" {
grep -q "objcopy" /workspace/run.sh
}
@test "uki_build adds os-release section" {
grep -q ".osrel" /workspace/run.sh
}
@test "uki_build adds cmdline section" {
grep -q ".cmdline" /workspace/run.sh
}
@test "uki_build adds linux section" {
grep -q ".linux" /workspace/run.sh
}
@test "uki_build adds initrd section" {
grep -q ".initrd" /workspace/run.sh
}
# =============================================================================
# UKI Signing Functions
# =============================================================================
@test "run.sh defines uki_sign function" {
grep -q "uki_sign()" /workspace/run.sh
}
@test "uki_sign uses sbsign" {
grep -q "sbsign" /workspace/run.sh
}
@test "uki_sign uses db key for signing" {
grep -q "sbsign.*db.key" /workspace/run.sh
}
@test "uki_sign verifies signature with sbverify" {
grep -q "sbverify" /workspace/run.sh
}
# =============================================================================
# Secure Boot Setup Function
# =============================================================================
@test "run.sh defines secureboot_setup function" {
grep -q "secureboot_setup()" /workspace/run.sh
}
@test "secureboot_setup generates all keys" {
grep -q "sb_generate_keys" /workspace/run.sh
}
@test "secureboot_setup creates all ESL files" {
grep -q "sb_create_esl" /workspace/run.sh
}
@test "secureboot_setup creates PK auth (self-signed)" {
grep -q 'sb_sign_esl.*"PK".*"PK"' /workspace/run.sh
}
@test "secureboot_setup creates KEK auth (signed by PK)" {
grep -q 'sb_sign_esl.*"KEK".*"PK"' /workspace/run.sh
}
@test "secureboot_setup creates db auth (signed by KEK)" {
grep -q 'sb_sign_esl.*"db".*"KEK"' /workspace/run.sh
}
# =============================================================================
# Docker Build Integration
# =============================================================================
@test "run.sh defines get_secureboot_script function" {
grep -q "get_secureboot_script()" /workspace/run.sh
}
@test "get_secureboot_script outputs sb_docker_setup" {
grep -q "sb_docker_setup()" /workspace/run.sh
}
@test "get_secureboot_script outputs sb_docker_build_uki" {
grep -q "sb_docker_build_uki()" /workspace/run.sh
}
@test "get_secureboot_script outputs sb_docker_copy_keys_to_binary" {
grep -q "sb_docker_copy_keys_to_binary()" /workspace/run.sh
}
# =============================================================================
# ISO Build Integration
# =============================================================================
@test "iso command includes Secure Boot hook creation" {
grep -q "0200-secureboot-uki.hook" /workspace/run.sh
}
@test "Secure Boot hook generates keys" {
grep -q "Generating Platform Key" /workspace/run.sh
grep -q "Generating Key Exchange Key" /workspace/run.sh
grep -q "Generating Signature Database Key" /workspace/run.sh
}
@test "Secure Boot hook creates auth files" {
grep -q "PK.auth" /workspace/run.sh
grep -q "KEK.auth" /workspace/run.sh
grep -q "db.auth" /workspace/run.sh
}
@test "Secure Boot hook builds UKI" {
grep -q "Building Unified Kernel Image" /workspace/run.sh
}
@test "Secure Boot hook signs UKI" {
grep -q "Signing UKI" /workspace/run.sh
}
@test "Secure Boot hook copies keys to ISO" {
grep -q "Copying keys to ISO" /workspace/run.sh
grep -q "secureboot" /workspace/run.sh
}
# =============================================================================
# Kernel Command Line Security
# =============================================================================
@test "UKI cmdline includes lockdown mode" {
grep -q "lockdown=confidentiality" /workspace/run.sh
}
@test "UKI cmdline includes module signature enforcement" {
grep -q "module.sig_enforce" /workspace/run.sh
}
# =============================================================================
# Package Requirements
# =============================================================================
@test "package list includes efitools" {
grep -q "efitools" /workspace/config/package-lists/knel-football.list.chroot
}
@test "package list includes sbsigntools" {
grep -q "sbsigntools" /workspace/config/package-lists/knel-football.list.chroot
}
@test "package list includes systemd-boot" {
grep -q "systemd-boot" /workspace/config/package-lists/knel-football.list.chroot
}
@test "package list includes binutils for objcopy" {
grep -q "binutils" /workspace/config/package-lists/knel-football.list.chroot
}
# =============================================================================
# VM TPM Support
# =============================================================================
@test "VM template includes TPM device" {
grep -q "tpm model" /workspace/vm/template.xml
}
@test "VM TPM uses version 2.0" {
grep -q "version='2.0'" /workspace/vm/template.xml
}
@test "VM TPM uses CRB model" {
grep -q "tpm-crb" /workspace/vm/template.xml
}
# =============================================================================
# Output Verification
# =============================================================================
@test "iso command reports Secure Boot enabled" {
grep -q "Secure Boot: ENABLED" /workspace/run.sh
}
@test "iso command reports UKI signed" {
grep -q "UKI: SIGNED" /workspace/run.sh
}
@test "iso command reports keys location" {
grep -q "Keys: /secureboot/" /workspace/run.sh
}