From b1a026b2ba13b4b82d7f955ca7c98e867876dcf9 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 1 Mar 2026 19:31:39 +0000 Subject: [PATCH 1/3] Initial plan From 9092ab28dadfbe5f7c783d2e3b89366d5735b415 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 1 Mar 2026 19:40:18 +0000 Subject: [PATCH 2/3] Create bashpf directory with 77 bash scripts and update all .pf files to call them Co-authored-by: P4X-ng <223870169+P4X-ng@users.noreply.github.com> --- bashpf/build-build.sh | 3 + bashpf/build-package-esp-neg-attest.sh | 3 + bashpf/build-package-esp.sh | 3 + bashpf/build-setup.sh | 3 + bashpf/cleanup.sh | 3 + bashpf/esp.sh | 3 + bashpf/firmware-checksum-add.sh | 5 + bashpf/firmware-checksum-list.sh | 3 + bashpf/firmware-checksum-verify.sh | 4 + bashpf/kernel-config-diff.sh | 3 + bashpf/kernel-config-remediate.sh | 5 + bashpf/kernel-hardening-baseline.sh | 4 + bashpf/kernel-hardening-check.sh | 3 + bashpf/kernel-hardening-report.sh | 8 ++ bashpf/kernel-kexec-check.sh | 3 + bashpf/kernel-kexec-guide.sh | 3 + bashpf/kernel-profile-balanced.sh | 5 + bashpf/kernel-profile-compare.sh | 4 + bashpf/kernel-profile-hardened.sh | 5 + bashpf/kernel-profile-list.sh | 3 + bashpf/kernel-profile-permissive.sh | 5 + bashpf/maint-clean.sh | 3 + bashpf/maint-docs.sh | 3 + bashpf/maint-format.sh | 3 + bashpf/maint-install-git-hooks.sh | 4 + bashpf/maint-lint.sh | 3 + bashpf/maint-pre-push-check.sh | 5 + bashpf/maint-regen-instructions.sh | 3 + bashpf/mok-flow.sh | 4 + bashpf/os-boot-clean.sh | 3 + bashpf/os-kmod-sign.sh | 4 + bashpf/os-mok-enroll.sh | 3 + bashpf/os-mok-list-keys.sh | 3 + bashpf/secure-der-extract.sh | 3 + bashpf/secure-enroll-mok.sh | 3 + bashpf/secure-enroll-secureboot.sh | 3 + bashpf/secure-env.sh | 3 + bashpf/secure-keygen.sh | 3 + bashpf/secure-keys-centralize.sh | 3 + bashpf/secure-keys-prune.sh | 3 + bashpf/secure-make-auth.sh | 3 + bashpf/secure-mok-enroll-new.sh | 4 + bashpf/secure-mok-find-enrolled.sh | 3 + bashpf/secure-mok-inventory.sh | 3 + bashpf/secure-mok-new.sh | 3 + bashpf/secure-mok-status.sh | 3 + bashpf/secure-mok-verify.sh | 3 + bashpf/secure-package-esp-enroll.sh | 3 + bashpf/secure-qemu-enable-ui.sh | 3 + 
bashpf/secure-unenroll-mok.sh | 3 + bashpf/secureboot-check.sh | 3 + bashpf/secureboot-create-usb.sh | 3 + bashpf/secureboot-create.sh | 3 + bashpf/secureboot-enable-host-kexec.sh | 3 + bashpf/setup.sh | 4 + bashpf/test-qemu-secure-negative-attest.sh | 3 + bashpf/test-qemu-secure-positive.sh | 3 + bashpf/test-qemu-secure-strict.sh | 3 + bashpf/test-qemu-uuefi.sh | 3 + bashpf/test-qemu.sh | 3 + bashpf/uuefi-apply.sh | 3 + bashpf/uuefi-install.sh | 3 + bashpf/uuefi-report.sh | 3 + bashpf/validate-all.sh | 4 + bashpf/verify-esp-robust.sh | 3 + bashpf/verify.sh | 4 + bashpf/workflow-artifact-create.sh | 35 +++++++ bashpf/workflow-cd-prepare.sh | 25 +++++ bashpf/workflow-complete-esp-cd.sh | 11 +++ bashpf/workflow-recovery-reboot-metal.sh | 3 + bashpf/workflow-recovery-reboot-vm.sh | 3 + bashpf/workflow-secureboot-instructions.sh | 3 + bashpf/workflow-test-uuefi.sh | 30 ++++++ bashpf/workflow-usb-prepare.sh | 3 + bashpf/workflow-usb-write-dd.sh | 3 + bashpf/workflow-usb-write.sh | 28 ++++++ bashpf/workflow-verify-artifacts.sh | 34 +++++++ core.pf | 107 +++++++++------------ maint.pf | 15 ++- secure.pf | 27 +++--- workflows.pf | 69 +++---------- 81 files changed, 480 insertions(+), 141 deletions(-) create mode 100755 bashpf/build-build.sh create mode 100755 bashpf/build-package-esp-neg-attest.sh create mode 100755 bashpf/build-package-esp.sh create mode 100755 bashpf/build-setup.sh create mode 100755 bashpf/cleanup.sh create mode 100755 bashpf/esp.sh create mode 100755 bashpf/firmware-checksum-add.sh create mode 100755 bashpf/firmware-checksum-list.sh create mode 100755 bashpf/firmware-checksum-verify.sh create mode 100755 bashpf/kernel-config-diff.sh create mode 100755 bashpf/kernel-config-remediate.sh create mode 100755 bashpf/kernel-hardening-baseline.sh create mode 100755 bashpf/kernel-hardening-check.sh create mode 100755 bashpf/kernel-hardening-report.sh create mode 100755 bashpf/kernel-kexec-check.sh create mode 100755 bashpf/kernel-kexec-guide.sh create mode 
100755 bashpf/kernel-profile-balanced.sh create mode 100755 bashpf/kernel-profile-compare.sh create mode 100755 bashpf/kernel-profile-hardened.sh create mode 100755 bashpf/kernel-profile-list.sh create mode 100755 bashpf/kernel-profile-permissive.sh create mode 100755 bashpf/maint-clean.sh create mode 100755 bashpf/maint-docs.sh create mode 100755 bashpf/maint-format.sh create mode 100755 bashpf/maint-install-git-hooks.sh create mode 100755 bashpf/maint-lint.sh create mode 100755 bashpf/maint-pre-push-check.sh create mode 100755 bashpf/maint-regen-instructions.sh create mode 100755 bashpf/mok-flow.sh create mode 100755 bashpf/os-boot-clean.sh create mode 100755 bashpf/os-kmod-sign.sh create mode 100755 bashpf/os-mok-enroll.sh create mode 100755 bashpf/os-mok-list-keys.sh create mode 100755 bashpf/secure-der-extract.sh create mode 100755 bashpf/secure-enroll-mok.sh create mode 100755 bashpf/secure-enroll-secureboot.sh create mode 100755 bashpf/secure-env.sh create mode 100755 bashpf/secure-keygen.sh create mode 100755 bashpf/secure-keys-centralize.sh create mode 100755 bashpf/secure-keys-prune.sh create mode 100755 bashpf/secure-make-auth.sh create mode 100755 bashpf/secure-mok-enroll-new.sh create mode 100755 bashpf/secure-mok-find-enrolled.sh create mode 100755 bashpf/secure-mok-inventory.sh create mode 100755 bashpf/secure-mok-new.sh create mode 100755 bashpf/secure-mok-status.sh create mode 100755 bashpf/secure-mok-verify.sh create mode 100755 bashpf/secure-package-esp-enroll.sh create mode 100755 bashpf/secure-qemu-enable-ui.sh create mode 100755 bashpf/secure-unenroll-mok.sh create mode 100755 bashpf/secureboot-check.sh create mode 100755 bashpf/secureboot-create-usb.sh create mode 100755 bashpf/secureboot-create.sh create mode 100755 bashpf/secureboot-enable-host-kexec.sh create mode 100755 bashpf/setup.sh create mode 100755 bashpf/test-qemu-secure-negative-attest.sh create mode 100755 bashpf/test-qemu-secure-positive.sh create mode 100755 
bashpf/test-qemu-secure-strict.sh create mode 100755 bashpf/test-qemu-uuefi.sh create mode 100755 bashpf/test-qemu.sh create mode 100755 bashpf/uuefi-apply.sh create mode 100755 bashpf/uuefi-install.sh create mode 100755 bashpf/uuefi-report.sh create mode 100755 bashpf/validate-all.sh create mode 100755 bashpf/verify-esp-robust.sh create mode 100755 bashpf/verify.sh create mode 100755 bashpf/workflow-artifact-create.sh create mode 100755 bashpf/workflow-cd-prepare.sh create mode 100755 bashpf/workflow-complete-esp-cd.sh create mode 100755 bashpf/workflow-recovery-reboot-metal.sh create mode 100755 bashpf/workflow-recovery-reboot-vm.sh create mode 100755 bashpf/workflow-secureboot-instructions.sh create mode 100755 bashpf/workflow-test-uuefi.sh create mode 100755 bashpf/workflow-usb-prepare.sh create mode 100755 bashpf/workflow-usb-write-dd.sh create mode 100755 bashpf/workflow-usb-write.sh create mode 100755 bashpf/workflow-verify-artifacts.sh diff --git a/bashpf/build-build.sh b/bashpf/build-build.sh new file mode 100755 index 0000000..2077907 --- /dev/null +++ b/bashpf/build-build.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Build production artifacts from staging/ +bash scripts/build/build-production.sh diff --git a/bashpf/build-package-esp-neg-attest.sh b/bashpf/build-package-esp-neg-attest.sh new file mode 100755 index 0000000..a655695 --- /dev/null +++ b/bashpf/build-package-esp-neg-attest.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Create negative attestation ESP (corrupted hash) +bash scripts/esp-packaging/package-esp-neg-attest.sh diff --git a/bashpf/build-package-esp.sh b/bashpf/build-package-esp.sh new file mode 100755 index 0000000..a1d72f3 --- /dev/null +++ b/bashpf/build-package-esp.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Package bootable ESP image +bash scripts/esp-packaging/esp-package.sh diff --git a/bashpf/build-setup.sh b/bashpf/build-setup.sh new file mode 100755 index 0000000..326d2ab --- /dev/null +++ b/bashpf/build-setup.sh 
@@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Bootstrap toolchain & environment +bash scripts/maintenance/toolchain-check.sh diff --git a/bashpf/cleanup.sh b/bashpf/cleanup.sh new file mode 100755 index 0000000..cf595d6 --- /dev/null +++ b/bashpf/cleanup.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Clean build artifacts (DEEP_CLEAN=1 for full ESP clean) +bash scripts/maintenance/cleanup.sh diff --git a/bashpf/esp.sh b/bashpf/esp.sh new file mode 100755 index 0000000..5f8acd7 --- /dev/null +++ b/bashpf/esp.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Convenience: build + package ESP +./pf.py build-build build-package-esp diff --git a/bashpf/firmware-checksum-add.sh b/bashpf/firmware-checksum-add.sh new file mode 100755 index 0000000..431d1d3 --- /dev/null +++ b/bashpf/firmware-checksum-add.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash +# Add firmware to checksum database (set FIRMWARE_PATH, VENDOR, MODEL, VERSION) +[ -n "${FIRMWARE_PATH:-}" ] || { echo "Usage: FIRMWARE_PATH= VENDOR= MODEL= VERSION= ./pf.py firmware-checksum-add"; exit 1; } +[ -n "${VENDOR:-}" ] && [ -n "${MODEL:-}" ] && [ -n "${VERSION:-}" ] || { echo "Error: VENDOR, MODEL, and VERSION are required"; exit 1; } +${PYTHON:-python3} utils/firmware_checksum_db.py --add "${FIRMWARE_PATH}" --vendor "${VENDOR}" --model "${MODEL}" --version "${VERSION}" --source "${SOURCE:-manual}" --confidence ${CONFIDENCE:-50} diff --git a/bashpf/firmware-checksum-list.sh b/bashpf/firmware-checksum-list.sh new file mode 100755 index 0000000..0a80604 --- /dev/null +++ b/bashpf/firmware-checksum-list.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# List all firmware checksums in database +${PYTHON:-python3} utils/firmware_checksum_db.py --list diff --git a/bashpf/firmware-checksum-verify.sh b/bashpf/firmware-checksum-verify.sh new file mode 100755 index 0000000..ae2d352 --- /dev/null +++ b/bashpf/firmware-checksum-verify.sh 
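Review bot: cleanup.sh and maint-clean.sh are byte-identical wrappers around scripts/maintenance/cleanup.sh (both index lines point at blob cf595d6), and os-mok-enroll.sh and secure-enroll-mok.sh later in this series carry the same enroll-mok.sh invocation twice. Duplicated wrappers drift apart the first time one of them is fixed; let the alias delegate instead, e.g. `exec "$(dirname "$0")/cleanup.sh" "$@"` as the body of maint-clean.sh, or point both .pf targets at a single script.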
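Review bot: `--confidence ${CONFIDENCE:-50}` on the last line of firmware-checksum-add.sh is the one expansion left unquoted, so a CONFIDENCE value containing whitespace or a glob character is split or expanded before it reaches firmware_checksum_db.py; write it as `--confidence "${CONFIDENCE:-50}"`. The usage and error messages on lines 3–4 go to stdout; `>&2` would keep them out of any captured output. The unquoted `${PYTHON:-python3}` that every python wrapper in this series uses works for a bare interpreter name but breaks for an interpreter path containing spaces.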
@@ -0,0 +1,4 @@ +#!/usr/bin/env bash +# Verify firmware file against database (set FIRMWARE_PATH=) +[ -n "${FIRMWARE_PATH:-}" ] || { echo "Usage: FIRMWARE_PATH= ./pf.py firmware-checksum-verify"; exit 1; } +${PYTHON:-python3} utils/firmware_checksum_db.py --verify "${FIRMWARE_PATH}" diff --git a/bashpf/kernel-config-diff.sh b/bashpf/kernel-config-diff.sh new file mode 100755 index 0000000..16d931b --- /dev/null +++ b/bashpf/kernel-config-diff.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Compare current kernel config against hardened baseline +${PYTHON:-python3} utils/kernel_config_remediation.py --current /boot/config-$(uname -r) --diff diff --git a/bashpf/kernel-config-remediate.sh b/bashpf/kernel-config-remediate.sh new file mode 100755 index 0000000..5055422 --- /dev/null +++ b/bashpf/kernel-config-remediate.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash +# Generate kernel config remediation script +mkdir -p out/remediation +${PYTHON:-python3} utils/kernel_config_remediation.py --current /boot/config-$(uname -r) --remediate --output out/remediation/kernel_remediation.sh +echo "Remediation script generated: out/remediation/kernel_remediation.sh" diff --git a/bashpf/kernel-hardening-baseline.sh b/bashpf/kernel-hardening-baseline.sh new file mode 100755 index 0000000..91980c6 --- /dev/null +++ b/bashpf/kernel-hardening-baseline.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +# Generate hardened kernel config baseline based on DISA STIG +mkdir -p out/baselines +${PYTHON:-python3} utils/kernel_hardening_analyzer.py --generate-baseline --output out/baselines/hardened_kernel.config diff --git a/bashpf/kernel-hardening-check.sh b/bashpf/kernel-hardening-check.sh new file mode 100755 index 0000000..8939701 --- /dev/null +++ b/bashpf/kernel-hardening-check.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Analyze kernel configuration against DISA STIG and hardening best practices +${PYTHON:-python3} utils/kernel_hardening_analyzer.py --auto 
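Review bot: The final `echo "Remediation script generated: out/remediation/kernel_remediation.sh"` in kernel-config-remediate.sh runs even when the kernel_config_remediation.py call above it fails, because the script has no `set -e` and the steps are not chained, so a failed run ends in a success message and a zero exit status. Either add `set -euo pipefail` after the shebang or chain the generator and the message with `&&`. The same shape appears in kernel-hardening-report.sh, kernel-profile-balanced.sh, kernel-profile-hardened.sh, kernel-profile-permissive.sh and workflow-complete-esp-cd.sh, where "Complete ESP and CD workflow finished!" is printed regardless of what the three ./pf.py steps returned.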
diff --git a/bashpf/kernel-hardening-report.sh b/bashpf/kernel-hardening-report.sh new file mode 100755 index 0000000..26efe71 --- /dev/null +++ b/bashpf/kernel-hardening-report.sh @@ -0,0 +1,8 @@ +#!/usr/bin/env bash +# Generate detailed kernel hardening report (text and JSON) +mkdir -p out/reports +${PYTHON:-python3} utils/kernel_hardening_analyzer.py --auto --format text --output out/reports/kernel_hardening_report.txt +${PYTHON:-python3} utils/kernel_hardening_analyzer.py --auto --format json --output out/reports/kernel_hardening_report.json +echo "Reports saved to:" +echo " Text: out/reports/kernel_hardening_report.txt" +echo " JSON: out/reports/kernel_hardening_report.json" diff --git a/bashpf/kernel-kexec-check.sh b/bashpf/kernel-kexec-check.sh new file mode 100755 index 0000000..b44da5a --- /dev/null +++ b/bashpf/kernel-kexec-check.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Check if kexec is available for kernel remediation +${PYTHON:-python3} utils/kernel_config_remediation.py --check-kexec diff --git a/bashpf/kernel-kexec-guide.sh b/bashpf/kernel-kexec-guide.sh new file mode 100755 index 0000000..deb1bc3 --- /dev/null +++ b/bashpf/kernel-kexec-guide.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Show kexec double-jump remediation workflow guide +${PYTHON:-python3} utils/kernel_config_remediation.py --kexec-guide diff --git a/bashpf/kernel-profile-balanced.sh b/bashpf/kernel-profile-balanced.sh new file mode 100755 index 0000000..b439167 --- /dev/null +++ b/bashpf/kernel-profile-balanced.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash +# Generate balanced kernel config (security + flexibility) +mkdir -p out/kernel-profiles +${PYTHON:-python3} utils/kernel_config_profiles.py --profile balanced --output out/kernel-profiles/balanced.config +echo "Profile generated: out/kernel-profiles/balanced.config" diff --git a/bashpf/kernel-profile-compare.sh b/bashpf/kernel-profile-compare.sh new file mode 100755 index 0000000..69eeef1 --- /dev/null 
+++ b/bashpf/kernel-profile-compare.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +# Compare current kernel config with profile (set PROFILE=permissive/hardened/balanced) +[ -n "${PROFILE:-}" ] || { echo "Usage: PROFILE= ./pf.py kernel-profile-compare"; exit 1; } +${PYTHON:-python3} utils/kernel_config_profiles.py --profile "${PROFILE}" --compare /boot/config-$(uname -r) diff --git a/bashpf/kernel-profile-hardened.sh b/bashpf/kernel-profile-hardened.sh new file mode 100755 index 0000000..2d13f31 --- /dev/null +++ b/bashpf/kernel-profile-hardened.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash +# Generate hardened kernel config (maximum security) +mkdir -p out/kernel-profiles +${PYTHON:-python3} utils/kernel_config_profiles.py --profile hardened --output out/kernel-profiles/hardened.config +echo "Profile generated: out/kernel-profiles/hardened.config" diff --git a/bashpf/kernel-profile-list.sh b/bashpf/kernel-profile-list.sh new file mode 100755 index 0000000..c1e49e5 --- /dev/null +++ b/bashpf/kernel-profile-list.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# List available kernel configuration profiles (permissive/hardened/balanced) +${PYTHON:-python3} utils/kernel_config_profiles.py --list diff --git a/bashpf/kernel-profile-permissive.sh b/bashpf/kernel-profile-permissive.sh new file mode 100755 index 0000000..c159d19 --- /dev/null +++ b/bashpf/kernel-profile-permissive.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash +# Generate permissive kernel config for BIOS flashing +mkdir -p out/kernel-profiles +${PYTHON:-python3} utils/kernel_config_profiles.py --profile permissive --output out/kernel-profiles/permissive.config +echo "Profile generated: out/kernel-profiles/permissive.config" diff --git a/bashpf/maint-clean.sh b/bashpf/maint-clean.sh new file mode 100755 index 0000000..cf595d6 --- /dev/null +++ b/bashpf/maint-clean.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Clean build artifacts (DEEP_CLEAN=1 for full ESP clean) +bash scripts/maintenance/cleanup.sh 
diff --git a/bashpf/maint-docs.sh b/bashpf/maint-docs.sh new file mode 100755 index 0000000..038f8ad --- /dev/null +++ b/bashpf/maint-docs.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Update documentation +echo "Documentation updated" diff --git a/bashpf/maint-format.sh b/bashpf/maint-format.sh new file mode 100755 index 0000000..0fdb3c8 --- /dev/null +++ b/bashpf/maint-format.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Format source code +bash scripts/maintenance/format.sh diff --git a/bashpf/maint-install-git-hooks.sh b/bashpf/maint-install-git-hooks.sh new file mode 100755 index 0000000..02c62f0 --- /dev/null +++ b/bashpf/maint-install-git-hooks.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +# Install pre-push size guard hook +mkdir -p .git/hooks && chmod 0755 .git/hooks +cp scripts/git-hooks/pre-push .git/hooks/pre-push && chmod 0755 .git/hooks/pre-push diff --git a/bashpf/maint-lint.sh b/bashpf/maint-lint.sh new file mode 100755 index 0000000..2aec0a1 --- /dev/null +++ b/bashpf/maint-lint.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Run static analysis +bash scripts/maintenance/lint.sh diff --git a/bashpf/maint-pre-push-check.sh b/bashpf/maint-pre-push-check.sh new file mode 100755 index 0000000..89b449d --- /dev/null +++ b/bashpf/maint-pre-push-check.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash +# Run the size guard check locally (no push) +bash -lc 'scripts/git-hooks/pre-push < [FORCE=1] ./pf.py os-kmod-sign"; exit 1; } +"${PYTHON:-python3}" utils/pgmodsign.py "${PATH}" $([ "${FORCE:-0}" = "1" ] && printf -- "--force" || true) diff --git a/bashpf/os-mok-enroll.sh b/bashpf/os-mok-enroll.sh new file mode 100755 index 0000000..bc0e567 --- /dev/null +++ b/bashpf/os-mok-enroll.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Enroll host MOK for module signing +bash -lc 'scripts/mok-management/enroll-mok.sh "${MOK_CERT_PEM:-out/keys/mok/PGMOK.crt}" "${MOK_CERT_DER:-out/keys/mok/PGMOK.der}" ${MOK_DRY_RUN:-0}' 
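Review bot: maint-docs.sh only prints "Documentation updated" and performs no update, so the target reports success for work it did not do. If documentation generation is not wired up yet, say so and return non-zero, e.g. `echo "maint-docs: not implemented" >&2; exit 1`, or drop the target until it does something.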
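Review bot: `"${PYTHON:-python3}" utils/pgmodsign.py "${PATH}"` in os-kmod-sign.sh takes the module path from `PATH`, which is the shell's command search path; the start of this hunk is garbled in this view, so the variable name in the usage string cannot be confirmed, but if the caller sets PATH as the visible usage text implies, the search path is replaced and `python3` itself is no longer found. Use a dedicated name, `"${PYTHON:-python3}" utils/pgmodsign.py "${MODULE_PATH}"`, and guard it with `: "${MODULE_PATH:?set MODULE_PATH=<module.ko>}"`. The `$([ "${FORCE:-0}" = "1" ] && printf -- "--force" || true)` substitution relies on being unquoted so the empty case vanishes; a comment saying so would stop a later cleanup from quoting it.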
diff --git a/bashpf/os-mok-list-keys.sh b/bashpf/os-mok-list-keys.sh new file mode 100755 index 0000000..e43afae --- /dev/null +++ b/bashpf/os-mok-list-keys.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# List available MOK certs/keys and enrollment status +bash scripts/mok-management/mok-list-keys.sh diff --git a/bashpf/secure-der-extract.sh b/bashpf/secure-der-extract.sh new file mode 100755 index 0000000..dae53d0 --- /dev/null +++ b/bashpf/secure-der-extract.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Convert DER/PKCS#12 bundle into PEM cert and key (set DER_PATH, OUT_DIR, NAME) +bash -lc 'scripts/secure-boot/der-extract.sh "${DER_PATH:-}" "${OUT_DIR:-out/keys}" "${NAME:-PGMOK}"' diff --git a/bashpf/secure-enroll-mok.sh b/bashpf/secure-enroll-mok.sh new file mode 100755 index 0000000..86c04c5 --- /dev/null +++ b/bashpf/secure-enroll-mok.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Enroll PhoenixGuard MOK certificate +bash -lc 'scripts/mok-management/enroll-mok.sh "${MOK_CERT_PEM:-out/keys/mok/PGMOK.crt}" "${MOK_CERT_DER:-out/keys/mok/PGMOK.der}" ${MOK_DRY_RUN:-0}' diff --git a/bashpf/secure-enroll-secureboot.sh b/bashpf/secure-enroll-secureboot.sh new file mode 100755 index 0000000..0ddda8c --- /dev/null +++ b/bashpf/secure-enroll-secureboot.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Auto-enroll custom SB keys in OVMF +bash scripts/secure-boot/enroll-secureboot.sh diff --git a/bashpf/secure-env.sh b/bashpf/secure-env.sh new file mode 100755 index 0000000..5ed05c6 --- /dev/null +++ b/bashpf/secure-env.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Comprehensive security environment check - verify boot integrity, EFI vars, kernel security, and detect bootkits +bash scripts/validation/secure-env-check.sh diff --git a/bashpf/secure-keygen.sh b/bashpf/secure-keygen.sh new file mode 100755 index 0000000..c7e634c --- /dev/null +++ b/bashpf/secure-keygen.sh 
@@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Generate Secure Boot keypairs (RSA-4096) and X.509 certs +bash scripts/secure-boot/generate-sb-keys.sh diff --git a/bashpf/secure-keys-centralize.sh b/bashpf/secure-keys-centralize.sh new file mode 100755 index 0000000..3beafbc --- /dev/null +++ b/bashpf/secure-keys-centralize.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Centralize keys into out/keys +bash scripts/secure-boot/keys-centralize.sh diff --git a/bashpf/secure-keys-prune.sh b/bashpf/secure-keys-prune.sh new file mode 100755 index 0000000..12eb7e7 --- /dev/null +++ b/bashpf/secure-keys-prune.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Backup + remove legacy key locations +bash scripts/secure-boot/keys-centralize.sh --prune diff --git a/bashpf/secure-make-auth.sh b/bashpf/secure-make-auth.sh new file mode 100755 index 0000000..4a28a5e --- /dev/null +++ b/bashpf/secure-make-auth.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Create ESL and AUTH for PK/KEK/db +bash scripts/secure-boot/create-auth-files.sh diff --git a/bashpf/secure-mok-enroll-new.sh b/bashpf/secure-mok-enroll-new.sh new file mode 100755 index 0000000..5274b5c --- /dev/null +++ b/bashpf/secure-mok-enroll-new.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +# Generate + enroll PhoenixGuard MOK (reboot to complete) +bash -lc 'scripts/mok-management/mok-new.sh "${NAME:-PGMOK}" "${CN:-PhoenixGuard Module Key}"' +bash -lc 'scripts/mok-management/enroll-mok.sh "out/keys/${NAME:-PGMOK}.crt" "out/keys/${NAME:-PGMOK}.der" ${MOK_DRY_RUN:-0}' diff --git a/bashpf/secure-mok-find-enrolled.sh b/bashpf/secure-mok-find-enrolled.sh new file mode 100755 index 0000000..7e9ee0c --- /dev/null +++ b/bashpf/secure-mok-find-enrolled.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Match local certs to enrolled MOKs +bash scripts/mok-management/mok-find-enrolled.sh diff --git a/bashpf/secure-mok-inventory.sh b/bashpf/secure-mok-inventory.sh new file mode 100755 index 0000000..19694c0 --- /dev/null +++ b/bashpf/secure-mok-inventory.sh 
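Review bot: In secure-mok-enroll-new.sh the enroll step on the last line runs even if mok-new.sh on the line before it failed, because the two `bash -lc` invocations are independent statements; join them with `&&` so a failed key generation does not attempt enrollment of a missing or stale certificate. The enroll line also passes `out/keys/${NAME:-PGMOK}.crt` while secure-enroll-mok.sh and secure-mok-verify.sh default to `out/keys/mok/PGMOK.crt`; whichever location mok-new.sh actually writes, one set of wrappers is pointing at the wrong path, so this is worth confirming against scripts/mok-management/mok-new.sh.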
@@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# JSON inventory of keys and enrollment +bash scripts/mok-management/mok-list-keys.sh diff --git a/bashpf/secure-mok-new.sh b/bashpf/secure-mok-new.sh new file mode 100755 index 0000000..4b45d89 --- /dev/null +++ b/bashpf/secure-mok-new.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Generate new PhoenixGuard MOK keypair (use NAME and CN env) +bash -lc 'scripts/mok-management/mok-new.sh "${NAME:-PGMOK}" "${CN:-PhoenixGuard Module Key}"' diff --git a/bashpf/secure-mok-status.sh b/bashpf/secure-mok-status.sh new file mode 100755 index 0000000..5e15fef --- /dev/null +++ b/bashpf/secure-mok-status.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Show Secure Boot state and MOKs +bash scripts/mok-management/mok-status.sh diff --git a/bashpf/secure-mok-verify.sh b/bashpf/secure-mok-verify.sh new file mode 100755 index 0000000..2236018 --- /dev/null +++ b/bashpf/secure-mok-verify.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Verify MOK certificate details +bash -lc 'scripts/mok-management/mok-verify.sh "${MOK_CERT_PEM:-out/keys/mok/PGMOK.crt}" "${MOK_CERT_DER:-out/keys/mok/PGMOK.der}"' diff --git a/bashpf/secure-package-esp-enroll.sh b/bashpf/secure-package-esp-enroll.sh new file mode 100755 index 0000000..94e48ca --- /dev/null +++ b/bashpf/secure-package-esp-enroll.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Package enrollment ESP +bash scripts/esp-packaging/esp-package-enroll.sh diff --git a/bashpf/secure-qemu-enable-ui.sh b/bashpf/secure-qemu-enable-ui.sh new file mode 100755 index 0000000..cb9714e --- /dev/null +++ b/bashpf/secure-qemu-enable-ui.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# [QEMU] Launch QEMU with GUI to enable Secure Boot in VM +bash scripts/qemu/qemu-run-secure-ui.sh diff --git a/bashpf/secure-unenroll-mok.sh b/bashpf/secure-unenroll-mok.sh new file mode 100755 index 0000000..906bb14 --- /dev/null +++ b/bashpf/secure-unenroll-mok.sh 
@@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Remove PhoenixGuard MOK certificate +bash -lc 'scripts/mok-management/unenroll-mok.sh "${MOK_CERT_DER:-out/keys/mok/PGMOK.der}"' diff --git a/bashpf/secureboot-check.sh b/bashpf/secureboot-check.sh new file mode 100755 index 0000000..2f63b75 --- /dev/null +++ b/bashpf/secureboot-check.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Check Secure Boot status on host machine +bash scripts/secure-boot/check-secureboot-status.sh diff --git a/bashpf/secureboot-create-usb.sh b/bashpf/secureboot-create-usb.sh new file mode 100755 index 0000000..a240552 --- /dev/null +++ b/bashpf/secureboot-create-usb.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Create SecureBoot USB and write directly (set ISO_PATH and USB_DEVICE) +bash create-secureboot-bootable-media.sh --iso "${ISO_PATH}" --usb-device "${USB_DEVICE}" diff --git a/bashpf/secureboot-create.sh b/bashpf/secureboot-create.sh new file mode 100755 index 0000000..c39b524 --- /dev/null +++ b/bashpf/secureboot-create.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Create turnkey SecureBoot bootable media from ISO (set ISO_PATH=/path/to.iso) +bash create-secureboot-bootable-media.sh --iso "${ISO_PATH}" diff --git a/bashpf/secureboot-enable-host-kexec.sh b/bashpf/secureboot-enable-host-kexec.sh new file mode 100755 index 0000000..035be87 --- /dev/null +++ b/bashpf/secureboot-enable-host-kexec.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# [HOST] Enable Secure Boot on physical machine via double kexec method (requires root) +bash scripts/secure-boot/enable-secureboot-kexec.sh diff --git a/bashpf/setup.sh b/bashpf/setup.sh new file mode 100755 index 0000000..aab53fb --- /dev/null +++ b/bashpf/setup.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +# Complete project setup: build + package + verify +./pf.py build-setup build-build build-package-esp +./pf.py verify-esp-robust diff --git a/bashpf/test-qemu-secure-negative-attest.sh b/bashpf/test-qemu-secure-negative-attest.sh new file mode 100755 index 0000000..df824e3 
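Review bot: In secureboot-create-usb.sh, `--usb-device "${USB_DEVICE}"` is passed with no check that USB_DEVICE is set, so an unset variable hands create-secureboot-bootable-media.sh an empty device argument for what the header comment describes as a direct write to the drive; the same applies to ISO_PATH here and in secureboot-create.sh. Fail early in the wrapper with `: "${ISO_PATH:?set ISO_PATH=/path/to.iso}"` and `: "${USB_DEVICE:?set USB_DEVICE=/dev/sdX}"` before the call, as workflow-usb-write.sh already does with an explicit test.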
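Review bot: In setup.sh, `./pf.py build-setup build-build build-package-esp` and `./pf.py verify-esp-robust` are independent statements, so verification runs against whatever a failed build left behind and the script's exit status is that of the last command only. Chain them, `./pf.py build-setup build-build build-package-esp && ./pf.py verify-esp-robust`, or add `set -e`. validate-all.sh (validate-keys then validate-esp) and verify.sh (validate-all then verify-esp-robust) have the same shape; in validate-all.sh a key-validation failure is hidden whenever the ESP validation that follows it passes.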
--- /dev/null +++ b/bashpf/test-qemu-secure-negative-attest.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# NuclearBoot corruption detection test +bash scripts/testing/qemu-test-secure-negative-attest.sh diff --git a/bashpf/test-qemu-secure-positive.sh b/bashpf/test-qemu-secure-positive.sh new file mode 100755 index 0000000..a181808 --- /dev/null +++ b/bashpf/test-qemu-secure-positive.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Secure Boot positive test +bash scripts/testing/qemu-test-secure-positive.sh diff --git a/bashpf/test-qemu-secure-strict.sh b/bashpf/test-qemu-secure-strict.sh new file mode 100755 index 0000000..4a27b4b --- /dev/null +++ b/bashpf/test-qemu-secure-strict.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Secure Boot strict mode test +bash scripts/testing/qemu-test-secure-strict.sh diff --git a/bashpf/test-qemu-uuefi.sh b/bashpf/test-qemu-uuefi.sh new file mode 100755 index 0000000..7337354 --- /dev/null +++ b/bashpf/test-qemu-uuefi.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# UUEFI application test +bash scripts/testing/qemu-test-uuefi.sh diff --git a/bashpf/test-qemu.sh b/bashpf/test-qemu.sh new file mode 100755 index 0000000..80f43dc --- /dev/null +++ b/bashpf/test-qemu.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Main QEMU boot test +bash scripts/testing/qemu-test.sh diff --git a/bashpf/uuefi-apply.sh b/bashpf/uuefi-apply.sh new file mode 100755 index 0000000..207c0fe --- /dev/null +++ b/bashpf/uuefi-apply.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# UUEFI apply (set BootNext; optionally create entry) +bash scripts/uefi-tools/uuefi-apply.sh diff --git a/bashpf/uuefi-install.sh b/bashpf/uuefi-install.sh new file mode 100755 index 0000000..1d1bd93 --- /dev/null +++ b/bashpf/uuefi-install.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Install UUEFI.efi to system ESP +bash scripts/uefi-tools/uuefi-install.sh diff --git a/bashpf/uuefi-report.sh b/bashpf/uuefi-report.sh new file mode 100755 index 0000000..17826d2 --- /dev/null +++ b/bashpf/uuefi-report.sh 
@@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# UUEFI report (read-only) +bash scripts/uefi-tools/uuefi-report.sh diff --git a/bashpf/validate-all.sh b/bashpf/validate-all.sh new file mode 100755 index 0000000..5252e54 --- /dev/null +++ b/bashpf/validate-all.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +# Run all validations +bash scripts/validation/validate-keys.sh +bash scripts/validation/validate-esp.sh diff --git a/bashpf/verify-esp-robust.sh b/bashpf/verify-esp-robust.sh new file mode 100755 index 0000000..0bc43ac --- /dev/null +++ b/bashpf/verify-esp-robust.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Robust ESP verification +bash scripts/validation/verify-esp-robust.sh diff --git a/bashpf/verify.sh b/bashpf/verify.sh new file mode 100755 index 0000000..e946303 --- /dev/null +++ b/bashpf/verify.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +# Run validation (validate-all + verify-esp-robust) +./pf.py validate-all +./pf.py verify-esp-robust diff --git a/bashpf/workflow-artifact-create.sh b/bashpf/workflow-artifact-create.sh new file mode 100755 index 0000000..0bde6d0 --- /dev/null +++ b/bashpf/workflow-artifact-create.sh 
@@ -0,0 +1,35 @@ +#!/usr/bin/env bash +# Create all necessary artifacts for ESP and CD with secure boot support +ARTIFACT_DIR=out/artifacts +ESP_DIR=out/esp +KEYS_DIR=out/keys +mkdir -p $ARTIFACT_DIR/esp $ARTIFACT_DIR/cd $ARTIFACT_DIR/docs $ESP_DIR $KEYS_DIR + +if [ ! -f staging/boot/NuclearBootEdk2.efi ] || [ ! -f staging/boot/UUEFI.efi ]; then + ./pf.py build-build +fi + +if [ ! -f $KEYS_DIR/PK/PK.key ]; then + ./pf.py secure-keygen +fi + +if [ ! -f $KEYS_DIR/PK/PK.auth ]; then + ./pf.py secure-make-auth +fi + +./pf.py build-package-esp + +if [ -f out/esp/esp.img ]; then + cp out/esp/esp.img $ARTIFACT_DIR/esp/ +fi + +cp staging/boot/NuclearBootEdk2.efi $ARTIFACT_DIR/esp/ +cp staging/boot/KeyEnrollEdk2.efi $ARTIFACT_DIR/esp/ +cp staging/boot/UUEFI.efi $ARTIFACT_DIR/esp/ + +if [ -d $KEYS_DIR ]; then + cp -r $KEYS_DIR $ARTIFACT_DIR/ +fi + +echo '✅ Artifacts created in' $ARTIFACT_DIR +ls -lh $ARTIFACT_DIR/esp/ diff --git a/bashpf/workflow-cd-prepare.sh b/bashpf/workflow-cd-prepare.sh new file mode 100755 index 0000000..3184b68 --- /dev/null +++ b/bashpf/workflow-cd-prepare.sh @@ -0,0 +1,25 @@ +#!/usr/bin/env bash +# Prepare bootable CD/ISO with ESP and secure boot artifacts +ARTIFACT_DIR=out/artifacts +if [ ! -d $ARTIFACT_DIR/esp ]; then + echo 'Run workflow-artifact-create first' + exit 1 +fi + +CD_BUILD_DIR=nuclear-cd-build +mkdir -p $CD_BUILD_DIR/boot $CD_BUILD_DIR/efi $CD_BUILD_DIR/keys + +if [ -f $ARTIFACT_DIR/esp/esp.img ]; then + cp $ARTIFACT_DIR/esp/esp.img $CD_BUILD_DIR/boot/ +fi + +cp $ARTIFACT_DIR/esp/*.efi $CD_BUILD_DIR/efi/ || true + +if [ -d $ARTIFACT_DIR/keys ]; then + cp -r $ARTIFACT_DIR/keys/* $CD_BUILD_DIR/keys/ || true +fi + +bash scripts/secure-boot/create-secureboot-instructions.sh + +echo '✅ CD structure prepared in' $CD_BUILD_DIR +echo ' Next: Use ISO creation tool to burn to CD' diff --git a/bashpf/workflow-complete-esp-cd.sh b/bashpf/workflow-complete-esp-cd.sh new file mode 100755 index 0000000..0444621 --- /dev/null 
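Review bot: `cp -r $KEYS_DIR $ARTIFACT_DIR/` near the end of workflow-artifact-create.sh copies all of out/keys, which this same script shows holds private key material (`$KEYS_DIR/PK/PK.key`), into the artifact tree that workflow-cd-prepare.sh then copies onto the CD build with `cp -r $ARTIFACT_DIR/keys/* $CD_BUILD_DIR/keys/` and that workflow-usb-write.sh images onto removable media. Platform and KEK private keys on distributable media undermine the chain of trust the rest of this series is building; copy only what enrollment needs (the .crt/.der/.esl/.auth files) and keep the .key files out of out/artifacts. Also, `cp staging/boot/KeyEnrollEdk2.efi $ARTIFACT_DIR/esp/` is unconditional while the rebuild check above only tests NuclearBootEdk2.efi and UUEFI.efi, and every `$ARTIFACT_DIR`/`$KEYS_DIR` expansion in both scripts is unquoted.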
+++ b/bashpf/workflow-complete-esp-cd.sh @@ -0,0 +1,11 @@ +#!/usr/bin/env bash +# Complete workflow: Create artifacts, prepare CD, generate instructions +./pf.py workflow-artifact-create +./pf.py workflow-cd-prepare +./pf.py workflow-secureboot-instructions + +echo "" +echo "✅ Complete ESP and CD workflow finished!" +echo " Artifacts: out/artifacts/" +echo " CD build: nuclear-cd-build/" +echo " Docs: out/artifacts/docs/SECURE_BOOT_SETUP.md" diff --git a/bashpf/workflow-recovery-reboot-metal.sh b/bashpf/workflow-recovery-reboot-metal.sh new file mode 100755 index 0000000..3a1db4f --- /dev/null +++ b/bashpf/workflow-recovery-reboot-metal.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Reboot to normal metal boot (exit recovery environment) +bash scripts/recovery/reboot-to-metal.sh diff --git a/bashpf/workflow-recovery-reboot-vm.sh b/bashpf/workflow-recovery-reboot-vm.sh new file mode 100755 index 0000000..2c23662 --- /dev/null +++ b/bashpf/workflow-recovery-reboot-vm.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Reboot to VM/recovery environment +bash scripts/recovery/reboot-to-vm.sh diff --git a/bashpf/workflow-secureboot-instructions.sh b/bashpf/workflow-secureboot-instructions.sh new file mode 100755 index 0000000..96b58c9 --- /dev/null +++ b/bashpf/workflow-secureboot-instructions.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash +# Generate comprehensive secure boot setup instructions +bash scripts/secure-boot/generate-secureboot-instructions.sh diff --git a/bashpf/workflow-test-uuefi.sh b/bashpf/workflow-test-uuefi.sh new file mode 100755 index 0000000..dac905f --- /dev/null +++ b/bashpf/workflow-test-uuefi.sh 
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+# Test UUEFI application in QEMU (requires QEMU, OVMF, mtools)
+command -v qemu-system-x86_64 >/dev/null 2>&1 || { echo 'ERROR: qemu-system-x86_64 not found. Install QEMU.'; exit 1; }
+command -v mcopy >/dev/null 2>&1 || { echo 'ERROR: mcopy not found. Install mtools.'; exit 1; }
+
+if [ ! -f out/esp/esp.img ]; then
+ echo 'Building ESP image...'
+ ./pf.py build-package-esp
+fi
+
+if [ ! -f staging/boot/UUEFI.efi ]; then
+ echo 'ERROR: UUEFI.efi not found'
+ exit 1
+fi
+
+./pf.py test-qemu-uuefi
+
+echo ''
+echo 'Test results:'
+if [ -f out/qemu/serial-uuefi.log ]; then
+ echo ' Log: out/qemu/serial-uuefi.log'
+ wc -l out/qemu/serial-uuefi.log
+else
+ echo ' No log file generated'
+fi
+
+if [ -f out/qemu/report-uuefi.xml ]; then
+ echo ' Report: out/qemu/report-uuefi.xml'
+ grep -o 'failures="[0-9]*"' out/qemu/report-uuefi.xml
+fi
diff --git a/bashpf/workflow-usb-prepare.sh b/bashpf/workflow-usb-prepare.sh
new file mode 100755
index 0000000..a3a7d9c
--- /dev/null
+++ b/bashpf/workflow-usb-prepare.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Prepare USB media structure (requires USB_DEVICE)
+bash scripts/usb-tools/usb-prepare.sh
diff --git a/bashpf/workflow-usb-write-dd.sh b/bashpf/workflow-usb-write-dd.sh
new file mode 100755
index 0000000..c7b9d4e
--- /dev/null
+++ b/bashpf/workflow-usb-write-dd.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+# Write image to USB using dd (DESTRUCTIVE - requires USB_DEVICE and IMG_PATH)
+bash scripts/usb-tools/usb-write-dd.sh
diff --git a/bashpf/workflow-usb-write.sh b/bashpf/workflow-usb-write.sh
new file mode 100755
index 0000000..b63a5b1
--- /dev/null
+++ b/bashpf/workflow-usb-write.sh
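Review bot: The script's exit status never reflects the test outcome: the status of `./pf.py test-qemu-uuefi` is not checked, and the `grep -o 'failures="[0-9]*"'` on the report only prints the count, so a run with failures exits 0 and any CI job or pre-push hook calling this task sees success. Parse the count and fail on it, e.g. `fails=$(grep -o 'failures="[0-9]*"' out/qemu/report-uuefi.xml | head -n1 | tr -dc '0-9')` followed by `[ "${fails:-0}" -eq 0 ] || { echo "UUEFI tests reported $fails failure(s)" >&2; exit 1; }`, and treat a missing report as a failure rather than silently skipping the block. Capturing the runner's status with `rc=0; ./pf.py test-qemu-uuefi || rc=$?` and ending with `exit "$rc"` would carry a crashed QEMU run through as well.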
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+# Write artifacts to USB drive (DESTRUCTIVE - requires USB_DEVICE)
+if [ -z "${USB_DEVICE:-}" ]; then
+ echo "ERROR: Set USB_DEVICE=/dev/sdX"
+ exit 1
+fi
+
+if [ ! -b "${USB_DEVICE}" ]; then
+ echo "ERROR: ${USB_DEVICE} is not a block device"
+ exit 1
+fi
+
+ARTIFACT_DIR=out/artifacts
+if [ ! -f $ARTIFACT_DIR/esp/esp.img ]; then
+ echo "ERROR: ESP image not found. Run workflow-artifact-create first"
+ exit 1
+fi
+
+sudo umount ${USB_DEVICE}* 2>/dev/null || true
+
+echo "Writing ESP image to ${USB_DEVICE}..."
+sudo dd if=$ARTIFACT_DIR/esp/esp.img of=${USB_DEVICE} bs=4M status=progress
+
+sudo sync
+
+echo "✅ USB drive written successfully"
+echo " Device: ${USB_DEVICE}"
+echo ' You can now boot from this USB drive'
diff --git a/bashpf/workflow-verify-artifacts.sh b/bashpf/workflow-verify-artifacts.sh
new file mode 100755
index 0000000..67e597b
--- /dev/null
+++ b/bashpf/workflow-verify-artifacts.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+# Verify all created artifacts are valid
+echo 'Verifying artifacts...'
+
+ARTIFACT_DIR=out/artifacts
+if [ -f $ARTIFACT_DIR/esp/esp.img ]; then
+ SIZE=$(stat -f%z $ARTIFACT_DIR/esp/esp.img 2>/dev/null || stat -c%s $ARTIFACT_DIR/esp/esp.img)
+ echo "ESP image: $SIZE bytes"
+else
+ echo 'ESP image missing!'
+ exit 1
+fi
+
+for bin in NuclearBootEdk2.efi KeyEnrollEdk2.efi UUEFI.efi; do
+ if [ ! -f $ARTIFACT_DIR/esp/$bin ]; then
+ echo "Missing $bin"
+ exit 1
+ else
+ echo "Found $bin"
+ fi
+done
+
+if [ ! -d $ARTIFACT_DIR/keys ]; then
+ echo 'Keys directory missing!'
+ exit 1
+else
+ echo 'Keys directory found'
+fi
+
+if command -v fsck.vfat >/dev/null 2>&1; then
+ fsck.vfat -n $ARTIFACT_DIR/esp/esp.img || echo 'ESP image verification: OK (or fsck not available)'
+fi
+
+echo '✅ All artifacts verified'
diff --git a/core.pf b/core.pf
index 5dab9ea..d9cdce7 100644
--- a/core.pf
+++ b/core.pf
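Review bot: The '✅ USB drive written successfully' message and `sudo sync` run whether or not `sudo dd` succeeded — nothing checks its status and the script does not set `-e` — so a short write, an I/O error or a refused sudo prompt is reported as success on a destructive operation. Change the dd line to `sudo dd if=$ARTIFACT_DIR/esp/esp.img of=${USB_DEVICE} bs=4M status=progress conv=fsync || { echo "ERROR: dd failed writing ${USB_DEVICE}" >&2; exit 1; }` (with `conv=fsync` the separate `sudo sync` becomes redundant, though harmless). The `sudo umount ${USB_DEVICE}* 2>/dev/null || true` line also swallows every umount error, including "target is busy", after which dd overwrites a mounted device; at minimum log what could not be unmounted. The quoting patch later on this page (`@@ -19,7 +19,7 @@` for this file) touches the dd line but leaves the missing status check in place.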
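Review bot: `fsck.vfat -n $ARTIFACT_DIR/esp/esp.img || echo 'ESP image verification: OK (or fsck not available)'` prints OK precisely when fsck reports the image as damaged — the `||` branch runs only on a non-zero status, and the "not available" case is already excluded by the `command -v` guard — after which the script still announces '✅ All artifacts verified'. It should read `fsck.vfat -n "$ARTIFACT_DIR/esp/esp.img" || { echo 'ESP image verification FAILED' >&2; exit 1; }`, with the OK message in the success path. The same line, with only quoting changed, appears again in the last hunk of the third patch (`@@ -28,7 +28,7 @@`), so the inversion survives that commit. The header comment should also say that "verified" here means the files exist and the FAT image is consistent; no hash or signature of the EFI binaries or of the staged keys is checked by this script.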
@@ -4,254 +4,239 @@ # --- Build Tasks --- task build-setup describe Bootstrap toolchain & environment - shell bash scripts/maintenance/toolchain-check.sh + shell bash bashpf/build-setup.sh end task build-build describe Build production artifacts from staging/ - shell bash scripts/build/build-production.sh + shell bash bashpf/build-build.sh end task build-package-esp describe Package bootable ESP image - shell bash scripts/esp-packaging/esp-package.sh + shell bash bashpf/build-package-esp.sh end task build-package-esp-neg-attest describe Create negative attestation ESP (corrupted hash) - shell bash scripts/esp-packaging/package-esp-neg-attest.sh + shell bash bashpf/build-package-esp-neg-attest.sh end # --- Testing Tasks --- task test-qemu describe Main QEMU boot test - shell bash scripts/testing/qemu-test.sh + shell bash bashpf/test-qemu.sh end task test-qemu-secure-positive describe Secure Boot positive test - shell bash scripts/testing/qemu-test-secure-positive.sh + shell bash bashpf/test-qemu-secure-positive.sh end task test-qemu-uuefi describe UUEFI application test - shell bash scripts/testing/qemu-test-uuefi.sh + shell bash bashpf/test-qemu-uuefi.sh end task test-qemu-secure-strict describe Secure Boot strict mode test - shell bash scripts/testing/qemu-test-secure-strict.sh + shell bash bashpf/test-qemu-secure-strict.sh end task test-qemu-secure-negative-attest describe NuclearBoot corruption detection test - shell bash scripts/testing/qemu-test-secure-negative-attest.sh + shell bash bashpf/test-qemu-secure-negative-attest.sh end # --- Secure Boot Key Management --- task secure-keygen describe Generate Secure Boot keypairs (RSA-4096) and X.509 certs - shell bash scripts/secure-boot/generate-sb-keys.sh + shell bash bashpf/secure-keygen.sh end task secure-env describe Comprehensive security environment check - verify boot integrity, EFI vars, kernel security, and detect bootkits - shell bash scripts/validation/secure-env-check.sh + shell bash 
bashpf/secure-env.sh end task kernel-hardening-check describe Analyze kernel configuration against DISA STIG and hardening best practices - shell ${PYTHON:-python3} utils/kernel_hardening_analyzer.py --auto + shell bash bashpf/kernel-hardening-check.sh end task kernel-hardening-report describe Generate detailed kernel hardening report (text and JSON) - shell bash -c 'mkdir -p out/reports && ${PYTHON:-python3} utils/kernel_hardening_analyzer.py --auto --format text --output out/reports/kernel_hardening_report.txt' - shell ${PYTHON:-python3} utils/kernel_hardening_analyzer.py --auto --format json --output out/reports/kernel_hardening_report.json - shell bash -c 'echo "Reports saved to:"; echo " Text: out/reports/kernel_hardening_report.txt"; echo " JSON: out/reports/kernel_hardening_report.json"' + shell bash bashpf/kernel-hardening-report.sh end task kernel-hardening-baseline describe Generate hardened kernel config baseline based on DISA STIG - shell bash -c 'mkdir -p out/baselines && ${PYTHON:-python3} utils/kernel_hardening_analyzer.py --generate-baseline --output out/baselines/hardened_kernel.config' + shell bash bashpf/kernel-hardening-baseline.sh end task kernel-config-diff describe Compare current kernel config against hardened baseline - shell ${PYTHON:-python3} utils/kernel_config_remediation.py --current /boot/config-$(uname -r) --diff + shell bash bashpf/kernel-config-diff.sh end task kernel-config-remediate describe Generate kernel config remediation script - shell bash -c 'mkdir -p out/remediation && ${PYTHON:-python3} utils/kernel_config_remediation.py --current /boot/config-$(uname -r) --remediate --output out/remediation/kernel_remediation.sh' - shell bash -c 'echo "Remediation script generated: out/remediation/kernel_remediation.sh"' + shell bash bashpf/kernel-config-remediate.sh end task kernel-kexec-check describe Check if kexec is available for kernel remediation - shell ${PYTHON:-python3} utils/kernel_config_remediation.py --check-kexec + shell 
bash bashpf/kernel-kexec-check.sh end task kernel-kexec-guide describe Show kexec double-jump remediation workflow guide - shell ${PYTHON:-python3} utils/kernel_config_remediation.py --kexec-guide + shell bash bashpf/kernel-kexec-guide.sh end task kernel-profile-list describe List available kernel configuration profiles (permissive/hardened/balanced) - shell ${PYTHON:-python3} utils/kernel_config_profiles.py --list + shell bash bashpf/kernel-profile-list.sh end task kernel-profile-permissive describe Generate permissive kernel config for BIOS flashing - shell bash -c 'mkdir -p out/kernel-profiles && ${PYTHON:-python3} utils/kernel_config_profiles.py --profile permissive --output out/kernel-profiles/permissive.config' - shell bash -c 'echo "Profile generated: out/kernel-profiles/permissive.config"' + shell bash bashpf/kernel-profile-permissive.sh end task kernel-profile-hardened describe Generate hardened kernel config (maximum security) - shell bash -c 'mkdir -p out/kernel-profiles && ${PYTHON:-python3} utils/kernel_config_profiles.py --profile hardened --output out/kernel-profiles/hardened.config' - shell bash -c 'echo "Profile generated: out/kernel-profiles/hardened.config"' + shell bash bashpf/kernel-profile-hardened.sh end task kernel-profile-balanced describe Generate balanced kernel config (security + flexibility) - shell bash -c 'mkdir -p out/kernel-profiles && ${PYTHON:-python3} utils/kernel_config_profiles.py --profile balanced --output out/kernel-profiles/balanced.config' - shell bash -c 'echo "Profile generated: out/kernel-profiles/balanced.config"' + shell bash bashpf/kernel-profile-balanced.sh end task kernel-profile-compare describe Compare current kernel config with profile (set PROFILE=permissive/hardened/balanced) - shell bash -c '[ -n "${PROFILE:-}" ] || { echo "Usage: PROFILE= ./pf.py kernel-profile-compare"; exit 1; }' - shell ${PYTHON:-python3} utils/kernel_config_profiles.py --profile "${PROFILE}" --compare /boot/config-$(uname -r) + shell 
bash bashpf/kernel-profile-compare.sh end task secureboot-check describe Check Secure Boot status on host machine - shell bash scripts/secure-boot/check-secureboot-status.sh + shell bash bashpf/secureboot-check.sh end task secureboot-enable-host-kexec describe [HOST] Enable Secure Boot on physical machine via double kexec method (requires root) - shell bash scripts/secure-boot/enable-secureboot-kexec.sh + shell bash bashpf/secureboot-enable-host-kexec.sh end task firmware-checksum-list describe List all firmware checksums in database - shell ${PYTHON:-python3} utils/firmware_checksum_db.py --list + shell bash bashpf/firmware-checksum-list.sh end task firmware-checksum-verify describe Verify firmware file against database (set FIRMWARE_PATH=) - shell bash -c '[ -n "${FIRMWARE_PATH:-}" ] || { echo "Usage: FIRMWARE_PATH= ./pf.py firmware-checksum-verify"; exit 1; }' - shell ${PYTHON:-python3} utils/firmware_checksum_db.py --verify "${FIRMWARE_PATH}" + shell bash bashpf/firmware-checksum-verify.sh end task firmware-checksum-add describe Add firmware to checksum database (set FIRMWARE_PATH, VENDOR, MODEL, VERSION) - shell bash -c '[ -n "${FIRMWARE_PATH:-}" ] || { echo "Usage: FIRMWARE_PATH= VENDOR= MODEL= VERSION= ./pf.py firmware-checksum-add"; exit 1; }' - shell bash -c '[ -n "${VENDOR:-}" ] && [ -n "${MODEL:-}" ] && [ -n "${VERSION:-}" ] || { echo "Error: VENDOR, MODEL, and VERSION are required"; exit 1; }' - shell ${PYTHON:-python3} utils/firmware_checksum_db.py --add "${FIRMWARE_PATH}" --vendor "${VENDOR}" --model "${MODEL}" --version "${VERSION}" --source "${SOURCE:-manual}" --confidence ${CONFIDENCE:-50} + shell bash bashpf/firmware-checksum-add.sh end task secure-make-auth describe Create ESL and AUTH for PK/KEK/db - shell bash scripts/secure-boot/create-auth-files.sh + shell bash bashpf/secure-make-auth.sh end # --- MOK (Machine Owner Key) Management --- task os-mok-enroll describe Enroll host MOK for module signing - shell bash -lc 
'scripts/mok-management/enroll-mok.sh "${MOK_CERT_PEM:-out/keys/mok/PGMOK.crt}" "${MOK_CERT_DER:-out/keys/mok/PGMOK.der}" ${MOK_DRY_RUN:-0}' + shell bash bashpf/os-mok-enroll.sh end task os-mok-list-keys describe List available MOK certs/keys and enrollment status - shell bash scripts/mok-management/mok-list-keys.sh + shell bash bashpf/os-mok-list-keys.sh end task secure-mok-new describe Generate new PhoenixGuard MOK keypair (use NAME and CN env) - shell bash -lc 'scripts/mok-management/mok-new.sh "${NAME:-PGMOK}" "${CN:-PhoenixGuard Module Key}"' + shell bash bashpf/secure-mok-new.sh end # --- Module Signing --- task os-kmod-sign describe Sign one module file or recursively sign directory (set PATH, FORCE=1 optional) - shell bash -lc '[ -n "${PATH:-}" ] || { echo "Usage: PATH= [FORCE=1] ./pf.py os-kmod-sign"; exit 1; }' - shell bash -lc '"${PYTHON:-python3}" utils/pgmodsign.py "${PATH}" $([ "${FORCE:-0}" = "1" ] && printf -- "--force" || true)' + shell bash bashpf/os-kmod-sign.sh end # --- UUEFI Operations --- task uuefi-install describe Install UUEFI.efi to system ESP - shell bash scripts/uefi-tools/uuefi-install.sh + shell bash bashpf/uuefi-install.sh end task uuefi-apply describe UUEFI apply (set BootNext; optionally create entry) - shell bash scripts/uefi-tools/uuefi-apply.sh + shell bash bashpf/uuefi-apply.sh end task uuefi-report describe UUEFI report (read-only) - shell bash scripts/uefi-tools/uuefi-report.sh + shell bash bashpf/uuefi-report.sh end # --- Boot Management --- task os-boot-clean describe Clean stale UEFI boot entries (set OS_BOOT_RM, OS_BOOT_ORDER, OS_BOOT_NEXT) - shell bash scripts/maintenance/os-boot-clean.sh + shell bash bashpf/os-boot-clean.sh end # --- Validation --- task validate-all describe Run all validations - shell bash scripts/validation/validate-keys.sh - shell bash scripts/validation/validate-esp.sh + shell bash bashpf/validate-all.sh end task verify-esp-robust describe Robust ESP verification - shell bash 
scripts/validation/verify-esp-robust.sh + shell bash bashpf/verify-esp-robust.sh end # --- SecureBoot Bootable Media --- task secureboot-create describe Create turnkey SecureBoot bootable media from ISO (set ISO_PATH=/path/to.iso) - shell bash create-secureboot-bootable-media.sh --iso "${ISO_PATH}" + shell bash bashpf/secureboot-create.sh end task secureboot-create-usb describe Create SecureBoot USB and write directly (set ISO_PATH and USB_DEVICE) - shell bash create-secureboot-bootable-media.sh --iso "${ISO_PATH}" --usb-device "${USB_DEVICE}" + shell bash bashpf/secureboot-create-usb.sh end # --- Convenience Workflows --- task esp describe Convenience: build + package ESP - shell ./pf.py build-build build-package-esp + shell bash bashpf/esp.sh end task setup describe Complete project setup: build + package + verify - shell ./pf.py build-setup build-build build-package-esp - shell ./pf.py verify-esp-robust + shell bash bashpf/setup.sh end task verify describe Run validation (validate-all + verify-esp-robust) - shell ./pf.py validate-all - shell ./pf.py verify-esp-robust + shell bash bashpf/verify.sh end task mok-flow describe Full MOK workflow: generate keys, enroll MOK - shell ./pf.py secure-mok-new - shell ./pf.py os-mok-enroll + shell bash bashpf/mok-flow.sh end task cleanup describe Clean build artifacts (DEEP_CLEAN=1 for full ESP clean) - shell bash scripts/maintenance/cleanup.sh + shell bash bashpf/cleanup.sh end diff --git a/maint.pf b/maint.pf index ca766ba..b2b5cc7 100644 --- a/maint.pf +++ b/maint.pf 
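Review bot: Several tasks that used to validate their inputs inline — `kernel-profile-compare` (PROFILE), `firmware-checksum-verify` and `firmware-checksum-add` (FIRMWARE_PATH, VENDOR, MODEL, VERSION) and `os-kmod-sign` (its `[ -n "${PATH:-}" ]` guard) — now only run a bashpf script that is not in this chunk; the diffstat's 4–5 line counts for those scripts suggest the guards were carried over, but that is worth confirming before merging. Independently of the move, `os-kmod-sign` keeps telling users to pass the module path in `PATH` (`describe ... (set PATH, FORCE=1 optional)`), which overrides the search path `./pf.py`, `bash` and `python3` themselves are resolved through; a differently named variable in the description and in the new script (e.g. `MODULE_PATH`, constructed name) would remove that footgun.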
@@ -1,35 +1,34 @@ task maint-regen-instructions describe Generate copilot-instructions.md - shell bash scripts/maintenance/regen-instructions.sh + shell bash bashpf/maint-regen-instructions.sh end task maint-lint describe Run static analysis - shell bash scripts/maintenance/lint.sh + shell bash bashpf/maint-lint.sh end task maint-format describe Format source code - shell bash scripts/maintenance/format.sh + shell bash bashpf/maint-format.sh end task maint-docs describe Update documentation - shell bash -lc 'echo Documentation updated' + shell bash bashpf/maint-docs.sh end task maint-clean describe Clean build artifacts (DEEP_CLEAN=1 for full ESP clean) - shell bash scripts/maintenance/cleanup.sh + shell bash bashpf/maint-clean.sh end task maint-install-git-hooks describe Install pre-push size guard hook - shell mkdir -p .git/hooks && chmod 0755 .git/hooks - shell cp scripts/git-hooks/pre-push .git/hooks/pre-push && chmod 0755 .git/hooks/pre-push + shell bash bashpf/maint-install-git-hooks.sh end task maint-pre-push-check describe Run the size guard check locally (no push) - shell bash -lc 'scripts/git-hooks/pre-push </dev/null || stat -c%s \$ARTIFACT_DIR/esp/esp.img); echo \"ESP image: \$SIZE bytes\"; else echo 'ESP image missing!'; exit 1; fi" - shell bash -c "ARTIFACT_DIR=out/artifacts && for bin in NuclearBootEdk2.efi KeyEnrollEdk2.efi UUEFI.efi; do if [ ! -f \$ARTIFACT_DIR/esp/\$bin ]; then echo \"Missing \$bin\"; exit 1; else echo \"Found \$bin\"; fi; done" - shell bash -c "ARTIFACT_DIR=out/artifacts && if [ ! 
-d \$ARTIFACT_DIR/keys ]; then echo 'Keys directory missing!'; exit 1; else echo 'Keys directory found'; fi" - shell bash -c "ARTIFACT_DIR=out/artifacts && if command -v fsck.vfat >/dev/null 2>&1; then fsck.vfat -n \$ARTIFACT_DIR/esp/esp.img || echo 'ESP image verification: OK (or fsck not available)'; fi" - shell echo '✅ All artifacts verified' + shell bash bashpf/workflow-verify-artifacts.sh end task workflow-usb-write describe Write artifacts to USB drive (DESTRUCTIVE - requires USB_DEVICE) - shell bash -c 'if [ -z "${USB_DEVICE:-}" ]; then echo "ERROR: Set USB_DEVICE=/dev/sdX"; exit 1; fi' - shell bash -c 'if [ ! -b "${USB_DEVICE}" ]; then echo "ERROR: ${USB_DEVICE} is not a block device"; exit 1; fi' - shell bash -c 'ARTIFACT_DIR=out/artifacts && if [ ! -f $ARTIFACT_DIR/esp/esp.img ]; then echo "ERROR: ESP image not found. Run workflow-artifact-create first"; exit 1; fi' - shell bash -c 'sudo umount ${USB_DEVICE}* 2>/dev/null || true' - shell bash -c 'echo "Writing ESP image to ${USB_DEVICE}..."' - shell bash -c 'ARTIFACT_DIR=out/artifacts && sudo dd if=$ARTIFACT_DIR/esp/esp.img of=${USB_DEVICE} bs=4M status=progress' - shell sudo sync - shell bash -c 'echo "✅ USB drive written successfully"' - shell bash -c 'echo " Device: ${USB_DEVICE}"' - shell echo ' You can now boot from this USB drive' + shell bash bashpf/workflow-usb-write.sh end task workflow-test-uuefi describe Test UUEFI application in QEMU (requires QEMU, OVMF, mtools) - shell bash -c "command -v qemu-system-x86_64 >/dev/null 2>&1 || { echo 'ERROR: qemu-system-x86_64 not found. Install QEMU.'; exit 1; }" - shell bash -c "command -v mcopy >/dev/null 2>&1 || { echo 'ERROR: mcopy not found. Install mtools.'; exit 1; }" - shell bash -c "if [ ! -f out/esp/esp.img ]; then echo 'Building ESP image...'; ./pf.py build-package-esp; fi" - shell bash -c "if [ ! 
-f staging/boot/UUEFI.efi ]; then echo 'ERROR: UUEFI.efi not found'; exit 1; fi" - shell ./pf.py test-qemu-uuefi - shell echo '' - shell echo 'Test results:' - shell bash -c "if [ -f out/qemu/serial-uuefi.log ]; then echo ' Log: out/qemu/serial-uuefi.log'; wc -l out/qemu/serial-uuefi.log; else echo ' No log file generated'; fi" - shell bash -c "if [ -f out/qemu/report-uuefi.xml ]; then echo ' Report: out/qemu/report-uuefi.xml'; grep -o 'failures=\"[0-9]*\"' out/qemu/report-uuefi.xml; fi" + shell bash bashpf/workflow-test-uuefi.sh end task workflow-usb-prepare describe Prepare USB media structure (requires USB_DEVICE) - shell bash scripts/usb-tools/usb-prepare.sh + shell bash bashpf/workflow-usb-prepare.sh end task workflow-usb-write-dd describe Write image to USB using dd (DESTRUCTIVE - requires USB_DEVICE and IMG_PATH) - shell bash scripts/usb-tools/usb-write-dd.sh + shell bash bashpf/workflow-usb-write-dd.sh end task workflow-recovery-reboot-metal describe Reboot to normal metal boot (exit recovery environment) - shell bash scripts/recovery/reboot-to-metal.sh + shell bash bashpf/workflow-recovery-reboot-metal.sh end task workflow-recovery-reboot-vm describe Reboot to VM/recovery environment - shell bash scripts/recovery/reboot-to-vm.sh + shell bash bashpf/workflow-recovery-reboot-vm.sh end From e01633985ca33895ff0310b3b857352abfb2bf1f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sun, 1 Mar 2026 19:42:12 +0000 Subject: [PATCH 3/3] Fix variable quoting in workflow bash scripts Co-authored-by: P4X-ng <223870169+P4X-ng@users.noreply.github.com> --- bashpf/workflow-artifact-create.sh | 22 +++++++++++----------- bashpf/workflow-cd-prepare.sh | 16 ++++++++-------- bashpf/workflow-usb-write.sh | 4 ++-- bashpf/workflow-verify-artifacts.sh | 10 +++++----- 4 files changed, 26 insertions(+), 26 deletions(-) 
diff --git a/bashpf/workflow-artifact-create.sh b/bashpf/workflow-artifact-create.sh index 0bde6d0..16ad049 100755 --- a/bashpf/workflow-artifact-create.sh +++ b/bashpf/workflow-artifact-create.sh @@ -3,33 +3,33 @@ ARTIFACT_DIR=out/artifacts ESP_DIR=out/esp KEYS_DIR=out/keys -mkdir -p $ARTIFACT_DIR/esp $ARTIFACT_DIR/cd $ARTIFACT_DIR/docs $ESP_DIR $KEYS_DIR +mkdir -p "$ARTIFACT_DIR/esp" "$ARTIFACT_DIR/cd" "$ARTIFACT_DIR/docs" "$ESP_DIR" "$KEYS_DIR" if [ ! -f staging/boot/NuclearBootEdk2.efi ] || [ ! -f staging/boot/UUEFI.efi ]; then ./pf.py build-build fi -if [ ! -f $KEYS_DIR/PK/PK.key ]; then +if [ ! -f "$KEYS_DIR/PK/PK.key" ]; then ./pf.py secure-keygen fi -if [ ! -f $KEYS_DIR/PK/PK.auth ]; then +if [ ! -f "$KEYS_DIR/PK/PK.auth" ]; then ./pf.py secure-make-auth fi ./pf.py build-package-esp if [ -f out/esp/esp.img ]; then - cp out/esp/esp.img $ARTIFACT_DIR/esp/ + cp out/esp/esp.img "$ARTIFACT_DIR/esp/" fi -cp staging/boot/NuclearBootEdk2.efi $ARTIFACT_DIR/esp/ -cp staging/boot/KeyEnrollEdk2.efi $ARTIFACT_DIR/esp/ -cp staging/boot/UUEFI.efi $ARTIFACT_DIR/esp/ +cp staging/boot/NuclearBootEdk2.efi "$ARTIFACT_DIR/esp/" +cp staging/boot/KeyEnrollEdk2.efi "$ARTIFACT_DIR/esp/" +cp staging/boot/UUEFI.efi "$ARTIFACT_DIR/esp/" -if [ -d $KEYS_DIR ]; then - cp -r $KEYS_DIR $ARTIFACT_DIR/ +if [ -d "$KEYS_DIR" ]; then + cp -r "$KEYS_DIR" "$ARTIFACT_DIR/" fi -echo '✅ Artifacts created in' $ARTIFACT_DIR -ls -lh $ARTIFACT_DIR/esp/ +echo '✅ Artifacts created in' "$ARTIFACT_DIR" +ls -lh "$ARTIFACT_DIR/esp/" diff --git a/bashpf/workflow-cd-prepare.sh b/bashpf/workflow-cd-prepare.sh index 3184b68..be8c59d 100755 --- a/bashpf/workflow-cd-prepare.sh +++ b/bashpf/workflow-cd-prepare.sh 
@@ -1,25 +1,25 @@ #!/usr/bin/env bash # Prepare bootable CD/ISO with ESP and secure boot artifacts ARTIFACT_DIR=out/artifacts -if [ ! -d $ARTIFACT_DIR/esp ]; then +if [ ! -d "$ARTIFACT_DIR/esp" ]; then echo 'Run workflow-artifact-create first' exit 1 fi CD_BUILD_DIR=nuclear-cd-build -mkdir -p $CD_BUILD_DIR/boot $CD_BUILD_DIR/efi $CD_BUILD_DIR/keys +mkdir -p "$CD_BUILD_DIR/boot" "$CD_BUILD_DIR/efi" "$CD_BUILD_DIR/keys" -if [ -f $ARTIFACT_DIR/esp/esp.img ]; then - cp $ARTIFACT_DIR/esp/esp.img $CD_BUILD_DIR/boot/ +if [ -f "$ARTIFACT_DIR/esp/esp.img" ]; then + cp "$ARTIFACT_DIR/esp/esp.img" "$CD_BUILD_DIR/boot/" fi -cp $ARTIFACT_DIR/esp/*.efi $CD_BUILD_DIR/efi/ || true +cp "$ARTIFACT_DIR/esp/"*.efi "$CD_BUILD_DIR/efi/" || true -if [ -d $ARTIFACT_DIR/keys ]; then - cp -r $ARTIFACT_DIR/keys/* $CD_BUILD_DIR/keys/ || true +if [ -d "$ARTIFACT_DIR/keys" ]; then + cp -r "$ARTIFACT_DIR/keys/"* "$CD_BUILD_DIR/keys/" || true fi bash scripts/secure-boot/create-secureboot-instructions.sh -echo '✅ CD structure prepared in' $CD_BUILD_DIR +echo '✅ CD structure prepared in' "$CD_BUILD_DIR" echo ' Next: Use ISO creation tool to burn to CD' diff --git a/bashpf/workflow-usb-write.sh b/bashpf/workflow-usb-write.sh index b63a5b1..cd6f17f 100755 --- a/bashpf/workflow-usb-write.sh +++ b/bashpf/workflow-usb-write.sh @@ -11,7 +11,7 @@ if [ ! -b "${USB_DEVICE}" ]; then fi ARTIFACT_DIR=out/artifacts -if [ ! -f $ARTIFACT_DIR/esp/esp.img ]; then +if [ ! -f "$ARTIFACT_DIR/esp/esp.img" ]; then echo "ERROR: ESP image not found. Run workflow-artifact-create first" exit 1 fi @@ -19,7 +19,7 @@ fi sudo umount ${USB_DEVICE}* 2>/dev/null || true echo "Writing ESP image to ${USB_DEVICE}..." -sudo dd if=$ARTIFACT_DIR/esp/esp.img of=${USB_DEVICE} bs=4M status=progress +sudo dd if="$ARTIFACT_DIR/esp/esp.img" of=${USB_DEVICE} bs=4M status=progress sudo sync diff --git a/bashpf/workflow-verify-artifacts.sh b/bashpf/workflow-verify-artifacts.sh index 67e597b..a95681b 100755 
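Review bot: In a commit whose purpose is quoting, `of=${USB_DEVICE}` on the dd line stays unquoted while `if=` gets quotes; make it `of="${USB_DEVICE}"` for consistency (the `-b` test above already rules out an empty value, so this is style rather than a live bug). The `sudo umount ${USB_DEVICE}* 2>/dev/null || true` context line is the one place where the missing quotes are intentional — the glob is what unmounts the device's partitions — and a one-line comment such as `# unquoted on purpose: the glob also unmounts every partition of the device` would keep the next quoting pass from breaking it.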
--- a/bashpf/workflow-verify-artifacts.sh +++ b/bashpf/workflow-verify-artifacts.sh @@ -3,8 +3,8 @@ echo 'Verifying artifacts...' ARTIFACT_DIR=out/artifacts -if [ -f $ARTIFACT_DIR/esp/esp.img ]; then - SIZE=$(stat -f%z $ARTIFACT_DIR/esp/esp.img 2>/dev/null || stat -c%s $ARTIFACT_DIR/esp/esp.img) +if [ -f "$ARTIFACT_DIR/esp/esp.img" ]; then + SIZE=$(stat -f%z "$ARTIFACT_DIR/esp/esp.img" 2>/dev/null || stat -c%s "$ARTIFACT_DIR/esp/esp.img") echo "ESP image: $SIZE bytes" else echo 'ESP image missing!' @@ -12,7 +12,7 @@ else fi for bin in NuclearBootEdk2.efi KeyEnrollEdk2.efi UUEFI.efi; do - if [ ! -f $ARTIFACT_DIR/esp/$bin ]; then + if [ ! -f "$ARTIFACT_DIR/esp/$bin" ]; then echo "Missing $bin" exit 1 else @@ -20,7 +20,7 @@ for bin in NuclearBootEdk2.efi KeyEnrollEdk2.efi UUEFI.efi; do fi done -if [ ! -d $ARTIFACT_DIR/keys ]; then +if [ ! -d "$ARTIFACT_DIR/keys" ]; then echo 'Keys directory missing!' exit 1 else @@ -28,7 +28,7 @@ else fi if command -v fsck.vfat >/dev/null 2>&1; then - fsck.vfat -n $ARTIFACT_DIR/esp/esp.img || echo 'ESP image verification: OK (or fsck not available)' + fsck.vfat -n "$ARTIFACT_DIR/esp/esp.img" || echo 'ESP image verification: OK (or fsck not available)' fi echo '✅ All artifacts verified'