football/STATUS.md
reachableceo efc497efd6 fix: add M-09/M-10/M-11/H-09 - reproducibility, GPG signing, cache integrity
M-09: SOURCE_DATE_EPOCH set at build start, BUILD-INFO.txt written with
build metadata for reproducibility verification.

M-10: GPG signing of ISO and SHA256 checksum. Uses persistent key at
config/gpg-keys/signing.key if available, otherwise generates ephemeral
key per build and exports pubkey alongside artifacts.

M-11: Docker base image digest-pinned to sha256:1d3c8111... preventing
supply chain tampering with the build environment.

H-09: Build cache integrity verification via SHA256 manifest. On cache
save, records checksums of all cached files. On restore, verifies each
file. Corrupted cache triggers fresh download instead of silent use.

Dockerfile: Added sbsigntool, shim-signed, systemd-boot-efi, gpg with
version pins for Secure Boot and signing support in build container.

Reference: DeepReport-2026-05-08.md findings M-09, M-10, M-11, H-09

💘 Generated with Crush

Assisted-by: GLM-5.1 via Crush <crush@charm.land>
2026-05-08 13:03:24 -05:00


KNEL-Football Project Status Report

Last Updated: 2026-05-08 (Session 8 - Batch 4 - M-09/M-10/M-11/H-09)
Maintained By: AI Agent (Crush)
Purpose: Quick-glance status for project manager


Current Status: 🔧 ALL TECHNICAL FIXES APPLIED — ISO REBUILD BLOCKED BY HOST FDE

Executive Summary

All 28 non-deferred findings from DeepReport-2026-05-08.md have been addressed in code. The ISO cannot be rebuilt yet because the build host has no LUKS volume: the host-FDE check added for C-02 correctly refuses to build on an unencrypted host, as PRD FR-011 requires.

What's Needed From You (Human Action Required)

  1. Enable host FDE: your build host at /dev/nvme0n1p2 has no LUKS. Options:
    • Backup + reinstall with encrypted LVM
    • Use encrypt-existing-debian for in-place encryption
  2. Rebuild ISO after enabling host FDE: ./run.sh iso
  3. Git history scrub: git filter-repo --path config/includes.installer/demo.preseed.cfg --invert-paths, then force-push
  4. Test on real hardware: install the ISO and verify that cryptsetup luksDump reports PBKDF argon2id

Remediation Progress — All Technical Fixes Done

| # | Finding | Severity | Status | How Fixed |
|---|---|---|---|---|
| C-01 | Argon2id KDF not enforced | CRITICAL | Done | preseed early_command patches partman-crypto |
| C-02 | Host FDE check never called | CRITICAL | Done | check_host_fde() now called, blocks build |
| C-03 | Docker --privileged | CRITICAL | Done | Fine-grained caps (SYS_ADMIN, MKNOD, etc.) |
| C-04 | SB keys unencrypted | CRITICAL | Done | chmod 700 dir, chmod 600 keys |
| C-05 | USB noexec/nosuid/nodev | CRITICAL | Done | All mount options added + input validation |
| C-06 | Plaintext creds in git | CRITICAL | Needs human action | git-filter-repo history rewrite (destructive) |
| H-01 | StrictHostKeyChecking ask | HIGH | Done | Changed to yes |
| H-02 | sshd_config written | HIGH | Done | Removed from both live hook and src/ |
| H-03 | src/firewall missing ct state | HIGH | Done | Added established,related |
| H-04 | QR temp file insecure | HIGH | Done | chmod 600 |
| H-05 | cryptsetup broken syntax | HIGH | Done | printf pipe instead of echo+heredoc |
| H-06 | Hardcoded /dev/sda3 | HIGH | Done | find-luks-device.sh helper |
| H-07 | sbverify returns success on fail | HIGH | Done | Now returns 1 (fatal) |
| H-08 | Missing module.sig_enforce | HIGH | Done | Added to all 3 UKI build paths |
| H-09 | Build cache no integrity | HIGH | Done | Cache manifest + SHA256 verification |
| M-01 | apply_security_hardening missing calls | MEDIUM | Done | Now calls FIM + SSH client |
| M-02 | Sudo group conflict | MEDIUM | Done | Removed football from sudo group |
| M-03 | PAM not configured | MEDIUM | Done | enforce_for_root in common-password |
| M-04 | Recovery key generation | MEDIUM | Done | Fixed bs=32 count=1 |
| M-05 | Firewall allows any WG endpoint | MEDIUM | Done | Single port 51820 |
| M-06 | AIDE not initialized | MEDIUM | Done | aideinit + daily cron |
| M-07 | Mount hardening fstab only | MEDIUM | Done | Auto-adds missing entries |
| M-08 | USB no audit logging | MEDIUM | Done | logger -t usb-automount |
| M-09 | Build not reproducible | MEDIUM | Done | SOURCE_DATE_EPOCH + BUILD-INFO.txt |
| M-10 | No GPG signing | MEDIUM | Done | Ephemeral or persistent GPG signing |
| M-11 | Docker base not digest-pinned | MEDIUM | Done | sha256:1d3c8111... in Dockerfile |
| M-12 | WiFi blacklist incomplete | MEDIUM | Done | Added 8 more modern drivers |

Legend: Done = fix applied in code | Needs human action = destructive step the maintainer must run (C-06)
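Added example for the M-10 row above and for the signing scheme the commit message describes (persistent key if present, otherwise an ephemeral per-build key whose public half is exported next to the artifacts). This is illustrative code, not the project's run.sh. It assumes the persistent key path from the commit message, config/gpg-keys/signing.key, holds an exported secret key without a passphrase; the ephemeral identity string and the SHA256SUMS, *.asc and signing-pubkey.asc file names are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example (not the project's code): sign build artifacts and their checksum
# file with a persistent key when one exists, otherwise with an ephemeral per-build
# key, and verify the result the way a downloader would.
set -eu

PERSISTENT_KEY="config/gpg-keys/signing.key"      # path named in the commit message
EPHEMERAL_UID="KNEL-Football ephemeral build key <build@example.invalid>"   # assumed identity

# sign_artifacts DIR KEYFILE NAME...: in DIR, write SHA256SUMS for NAME..., then a
# detached ASCII-armoured signature NAME.asc for each NAME and for SHA256SUMS, plus
# signing-pubkey.asc. KEYFILE is assumed to be an unprotected exported secret key.
sign_artifacts() {
  local dir="$1" keyfile="$2"; shift 2
  [ "$#" -gt 0 ] || { echo "sign_artifacts: no artifacts given" >&2; return 2; }
  local home fpr f
  home=$(mktemp -d) && chmod 700 "$home"
  export GNUPGHOME="$home"          # isolated keyring: the build never touches the host's
  if [ -f "$keyfile" ]; then
    gpg --batch --quiet --import "$keyfile"
  else
    echo "sign: no key at $keyfile, generating an ephemeral one for this build" >&2
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$EPHEMERAL_UID" ed25519 sign 1d
  fi
  fpr=$(gpg --batch --with-colons --list-secret-keys | awk -F: '$1 == "fpr" { print $10; exit }')
  ( cd "$dir" && sha256sum "$@" > SHA256SUMS )
  for f in "$@" SHA256SUMS; do
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --local-user "$fpr" --armor --detach-sign --output "$dir/$f.asc" "$dir/$f"
  done
  gpg --batch --armor --export "$fpr" > "$dir/signing-pubkey.asc"
  gpgconf --kill gpg-agent || true
  rm -rf "$home"; unset GNUPGHOME   # an ephemeral secret key does not outlive the build
}

# verify_artifacts DIR PUBKEY NAME...: what a downloader does. Imports PUBKEY into a
# scratch keyring, checks every detached signature, then checks the checksums.
verify_artifacts() {
  local dir="$1" pubkey="$2"; shift 2
  local home f rc=0
  home=$(mktemp -d) && chmod 700 "$home"
  export GNUPGHOME="$home"
  gpg --batch --quiet --import "$pubkey"
  for f in "$@" SHA256SUMS; do
    if ! gpg --batch --quiet --verify "$dir/$f.asc" "$dir/$f"; then
      echo "verify: bad or missing signature on $f" >&2
      rc=1
    fi
  done
  ( cd "$dir" && sha256sum --quiet --check SHA256SUMS ) || rc=1
  gpgconf --kill gpg-agent || true
  rm -rf "$home"; unset GNUPGHOME
  return "$rc"
}

# Demo with a constructed stand-in for the ISO (no real key needed); skipped where gpg is absent.
demo_sign_and_verify() {
  local work
  work=$(mktemp -d)
  printf 'constructed stand-in for football.iso\n' > "$work/football.iso"
  sign_artifacts "$work" "$PERSISTENT_KEY" football.iso
  verify_artifacts "$work" "$work/signing-pubkey.asc" football.iso && echo "demo: signatures and checksums verify"
  rm -rf "$work"
}
if command -v gpg >/dev/null 2>&1; then demo_sign_and_verify; fi
```

The verify function makes the limit of the ephemeral path visible: the public key it imports travelled with the artifacts, so it proves only that the ISO, the checksum file and the signatures are mutually consistent. Whoever can replace the ISO on the download host can regenerate a key and re-sign everything. Provenance needs the persistent key, with its fingerprint published somewhere the attacker cannot edit (the repository README, a DNS record, a second channel), and the `--passphrase ''` calls must change if that key is passphrase-protected.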


What Was Done This Session

Batch 1 (commit 2b422cf)

C-02, C-05, H-01, H-02, H-03, H-04, H-07, H-08, M-01, M-02, M-05, M-07, M-08, M-12

  • 3 tests updated to match new security posture

Batch 2 (commit ae1344c)

C-01 (first attempt - later fixed properly), C-03, C-04, M-03, M-06, L-01, L-05, L-07

  • JOURNAL.md updated with ADR-014/015/016

Batch 3 (commit 3d2ef3d) — Honest fixes

  • C-01 done right: preseed early_command, not dead-code cryptsetup
  • H-02 fixed for real: src/ sshd_config removed
  • COMPLIANCE.md marked aspirational
  • VERIFICATION-REPORT warning added
  • AIDE error reporting fixed
  • .dockerignore added, .gitignore fixed

Batch 4 (this commit)

  • M-09: SOURCE_DATE_EPOCH + BUILD-INFO.txt for reproducibility
  • M-10: GPG signing of ISO and checksums (ephemeral or persistent key)
  • M-11: Docker base image digest-pinned
  • H-09: Build cache integrity via SHA256 manifest
  • Dockerfile: added sbsigntool, shim-signed, systemd-boot-efi, gpg
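The H-09 mechanism in this batch (and in the commit message: checksums recorded on cache save, every file verified on restore, a corrupted cache replaced by a fresh download), as an added example rather than the project's own build script. The manifest name .manifest.sha256, the cache layout and the sample package file are this example's assumptions.

```bash
#!/usr/bin/env bash
# Added example (not the project's code): build-cache integrity manifest, H-09 style.
set -eu

MANIFEST_NAME=".manifest.sha256"   # assumed name; lives at the cache root

# cache_save DIR: record the SHA256 of every file under DIR into DIR/.manifest.sha256.
# Paths are stored relative to DIR so the cache can move between build hosts.
cache_save() {
  local dir="$1"
  ( cd "$dir" && find . -type f ! -name "$MANIFEST_NAME" -print0 | sort -z | xargs -0 -r sha256sum ) \
    > "$dir/$MANIFEST_NAME"
}

# cache_discard DIR: remove all cached content and the manifest so nothing partial survives.
cache_discard() {
  find "$1" -mindepth 1 -delete
}

# cache_restore DIR: verify every manifest entry. Returns 0 if the cache is intact.
# A missing manifest, a missing or altered file, or a file that is present but not
# listed empties the cache and returns 1, so the caller downloads afresh instead of
# silently using it.
cache_restore() {
  local dir="$1" manifest="$1/$MANIFEST_NAME" line expected rel actual listed present bad=0
  if [ ! -f "$manifest" ]; then
    echo "cache: no manifest in $dir, treating cache as empty" >&2
    cache_discard "$dir"
    return 1
  fi
  while IFS= read -r line; do
    expected=${line%% *}          # sha256sum writes "<hex>  <path>" (two spaces)
    rel=${line#*  }
    rel=${rel#./}
    if [ -f "$dir/$rel" ]; then
      actual=$(sha256sum "$dir/$rel" | cut -d' ' -f1)
    else
      actual="missing"
    fi
    if [ "$actual" != "$expected" ]; then
      echo "cache: $rel failed integrity check ($actual)" >&2
      bad=1
    fi
  done < "$manifest"
  # Files that appeared after the manifest was written are just as untrusted.
  listed=$(cut -d' ' -f3- "$manifest" | sed 's#^\./##' | sort)
  present=$(cd "$dir" && find . -type f ! -name "$MANIFEST_NAME" | sed 's#^\./##' | sort)
  if [ "$listed" != "$present" ]; then
    echo "cache: file set differs from manifest" >&2
    bad=1
  fi
  if [ "$bad" -ne 0 ]; then
    cache_discard "$dir"
    return 1
  fi
  return 0
}

# Demo with a constructed cache. In a build script the pattern is:
#   cache_restore "$CACHE_DIR" || fetch_everything_again
demo=$(mktemp -d)
mkdir -p "$demo/pool"
printf 'constructed package bytes\n' > "$demo/pool/example_1.0_amd64.deb"
cache_save "$demo"
cache_restore "$demo" && echo "demo: cache intact"
printf 'tampered\n' > "$demo/pool/example_1.0_amd64.deb"
cache_restore "$demo" || echo "demo: corruption detected, cache emptied"
rm -rf "$demo"
```

A manifest stored inside the cache catches corruption, truncation and stray files, which is the failure H-09 targets; it does not stop someone with write access to the cache directory from rewriting the manifest along with the files. For that, keep the manifest outside the cache or sign it with the M-10 key, and compare against that copy on restore.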


Build Verification

| Item | Status |
|---|---|
| Docker image | Built successfully with new packages |
| Lint (shellcheck) | 0 warnings |
| Tests | 786 pass, 0 fail |
| ISO build | Blocked: host lacks FDE (correct behavior) |

What You Need To Do

Step 1: Enable Host FDE

Your build host /dev/nvme0n1p2 has no LUKS. You must encrypt it before building.

Step 2: Rebuild ISO

```bash
./run.sh iso        # Will work after host FDE enabled
```

Step 3: Scrub Git History (C-06)

```bash
# Install git-filter-repo
pip install git-filter-repo

# Work in a fresh clone: git filter-repo refuses to run on anything else unless forced
git clone <repo-url> football-scrub && cd football-scrub

# Remove demo.preseed.cfg from all history (every branch and tag)
git filter-repo --path config/includes.installer/demo.preseed.cfg --invert-paths

# filter-repo removes the origin remote as a safeguard; re-add it, then force-push
git remote add origin <repo-url>
git push --force origin main
```

Rewriting history does not revoke credentials that were already pushed: treat whatever demo.preseed.cfg contained as compromised and rotate it. Force-push every branch and tag that carried the file, not only main, and have every collaborator re-clone, because their existing clones still hold the old commits.

Step 4: Validate on Real Hardware

  • Install the ISO
  • Run cryptsetup luksDump on the root LUKS device (the installed path varies by machine, which is why H-06 replaced the hardcoded /dev/sda3 with find-luks-device.sh) and verify every keyslot reports PBKDF argon2id
  • Try ssh localhost — should be refused (no server)
  • Insert USB — verify mount has noexec,nosuid,nodev
  • Check grep StrictHostKeyChecking /etc/ssh/ssh_config — should be "yes"
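The Step 4 checks as an added example, not the project's own test suite: each check takes the relevant command output as text, so it can be exercised on constructed samples here and then run against the real machine with run_live_checks. The sample luksDump, /proc/mounts and ssh_config texts are constructed for this example, and the device and mountpoint arguments are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not the project's code): the Step 4 checks as functions that take
# command output as text, so they can be exercised on constructed samples here and
# then run against the real machine with run_live_checks.
set -eu

# luks_kdf_ok DUMP: DUMP is `cryptsetup luksDump <dev>` output. True only for a LUKS2
# header whose keyslots all report PBKDF argon2id. LUKS1 prints no PBKDF line because
# it always uses PBKDF2, so it fails here, as does an empty or truncated dump.
luks_kdf_ok() {
  local dump="$1" version kdfs
  version=$(printf '%s\n' "$dump" | awk '$1 == "Version:" { print $2; exit }')
  [ "$version" = "2" ] || return 1
  kdfs=$(printf '%s\n' "$dump" | awk '$1 == "PBKDF:" { print $2 }')
  [ -n "$kdfs" ] || return 1
  ! printf '%s\n' "$kdfs" | grep -qv '^argon2id$'
}

# mount_opts_ok MOUNTPOINT MOUNTS: MOUNTS is /proc/mounts text. True if the entry for
# MOUNTPOINT carries every one of noexec, nosuid and nodev.
mount_opts_ok() {
  local mp="$1" mounts="$2" opts need
  opts=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { print $4; exit }')
  [ -n "$opts" ] || return 1
  for need in noexec nosuid nodev; do
    case ",$opts," in *",$need,"*) ;; *) return 1 ;; esac
  done
}

# ssh_strict_ok CONFIG: CONFIG is ssh_config text. ssh takes the first value it reads
# for a keyword, so the first uncommented StrictHostKeyChecking must be yes. Host and
# Match blocks are not evaluated; the page's own grep is equally global.
ssh_strict_ok() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ { next }
    { gsub(/=/, " ") }
    tolower($1) == "stricthostkeychecking" { print tolower($2); exit }
  ' | grep -qx yes
}

# sshd_absent: "ssh localhost" must be refused because no server is installed (H-02).
# Live check only; it is not exercised against constructed samples.
sshd_absent() {
  ssh -o BatchMode=yes -o ConnectTimeout=3 localhost true 2>&1 | grep -qi 'connection refused'
}

# run_live_checks LUKS_DEV USB_MOUNTPOINT: run everything against this machine. The LUKS
# device differs between installs (H-06 replaced the hardcoded /dev/sda3 with
# find-luks-device.sh), so it is an argument rather than a constant.
run_live_checks() {
  local dev="$1" usb="$2" fail=0
  luks_kdf_ok "$(sudo cryptsetup luksDump "$dev")" && echo "PASS $dev keyslots use argon2id" || { echo "FAIL $dev KDF"; fail=1; }
  mount_opts_ok "$usb" "$(cat /proc/mounts)" && echo "PASS $usb is noexec,nosuid,nodev" || { echo "FAIL $usb mount options"; fail=1; }
  ssh_strict_ok "$(cat /etc/ssh/ssh_config)" && echo "PASS StrictHostKeyChecking yes" || { echo "FAIL StrictHostKeyChecking"; fail=1; }
  sshd_absent && echo "PASS ssh localhost refused" || { echo "FAIL ssh localhost answered"; fail=1; }
  return "$fail"
}

# Constructed samples (not captured from a real machine), trimmed to the lines read above.
SAMPLE_DUMP_ARGON2ID='LUKS header information
Version:        2
Keyslots:
  0: luks2
        PBKDF:      argon2id
        Time cost:  4
  1: luks2
        PBKDF:      argon2id
        Time cost:  4'
SAMPLE_DUMP_MIXED='Version:        2
  0: luks2
        PBKDF:      argon2id
  1: luks2
        PBKDF:      pbkdf2'
SAMPLE_DUMP_LUKS1='LUKS header information for /dev/sda3
Version:        1
Hash spec:      sha256'
SAMPLE_MOUNTS='/dev/mapper/root / ext4 rw,relatime 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdc1 /media/usb-bad vfat rw,relatime 0 0'
SAMPLE_SSH_GOOD='# /etc/ssh/ssh_config
Host *
    StrictHostKeyChecking yes'
SAMPLE_SSH_BAD='Host *
    # StrictHostKeyChecking yes
    StrictHostKeyChecking ask'

# On the installed machine: run_live_checks /dev/sda3 /media/usb   (substitute the real device)
luks_kdf_ok "$SAMPLE_DUMP_ARGON2ID" && mount_opts_ok /media/usb "$SAMPLE_MOUNTS" \
  && ssh_strict_ok "$SAMPLE_SSH_GOOD" && echo "sample checks pass on the good samples"
```

The parsers are deliberately strict: a LUKS1 header, a dump with one pbkdf2 keyslot among argon2id ones, a USB mount missing any one of the three options, or a StrictHostKeyChecking that is merely commented out all fail, which is what a post-install gate should do.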

This file is maintained by the AI agent. For AI memory and insights, see JOURNAL.md.