Add Secure Boot chain with MOK signing, TPM2 vault sealing, and measured boot (M17)

UEFI Secure Boot with custom Machine Owner Key (RSA 4096), TPM2 vault key
sealing to PCR 0/2/4/7 (firmware, option ROM, bootloader, SB state), and
boot chain integrity verification on every boot. Passphrase fallback on
PCR mismatch allows recovery after legitimate updates. vTPM detection for
VM environments. 35 validation tests.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: SecAI-Hub

files/scripts/generate-mok.sh

@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+#
+# Secure AI Appliance — Machine Owner Key (MOK) Generation
+#
+# Generates a MOK key pair for UEFI Secure Boot signing during image build.
+# The private key signs the bootloader and kernel; the public key (DER cert)
+# is enrolled in the MOK database on first boot via mokutil.
+#
+# Usage: generate-mok.sh [output-dir]
+#
+# Output:
+#   <output-dir>/secureai-mok.key   — private key (PEM, keep secret)
+#   <output-dir>/secureai-mok.pem   — public certificate (PEM)
+#   <output-dir>/secureai-mok.der   — public certificate (DER, for MOK enrollment)
+#
+set -euo pipefail
+
+OUTPUT_DIR="${1:-/etc/secure-ai/keys}"
+MOK_KEY="${OUTPUT_DIR}/secureai-mok.key"
+MOK_PEM="${OUTPUT_DIR}/secureai-mok.pem"
+MOK_DER="${OUTPUT_DIR}/secureai-mok.der"
+
+CERT_SUBJECT="/CN=SecAI OS Secure Boot Signing Key/O=SecAI"
+CERT_DAYS=3650  # 10 years
+
+echo "=== Generating Machine Owner Key (MOK) ==="
+
+mkdir -p "$OUTPUT_DIR"
+
+if [ -f "$MOK_KEY" ] && [ -f "$MOK_DER" ]; then
+    echo "MOK already exists at ${OUTPUT_DIR}, skipping generation."
+    echo "Delete existing keys to regenerate."
+    exit 0
+fi
+
+# Generate RSA 4096 key + self-signed certificate
+openssl req -new -x509 \
+    -newkey rsa:4096 \
+    -keyout "$MOK_KEY" \
+    -out "$MOK_PEM" \
+    -nodes \
+    -days "$CERT_DAYS" \
+    -subj "$CERT_SUBJECT" \
+    -addext "extendedKeyUsage=codeSigning" \
+    -sha256
+
+# Convert PEM to DER (required by mokutil)
+openssl x509 -in "$MOK_PEM" -outform DER -out "$MOK_DER"
+
+# Restrictive permissions
+chmod 600 "$MOK_KEY"
+chmod 644 "$MOK_PEM" "$MOK_DER"
+
+echo "MOK generated:"
+echo "  Private key: ${MOK_KEY}"
+echo "  Certificate: ${MOK_PEM}"
+echo "  DER cert:    ${MOK_DER}"
+echo ""
+echo "To sign a kernel/bootloader:"
+echo "  sbsign --key ${MOK_KEY} --cert ${MOK_PEM} --output signed.efi unsigned.efi"
+echo ""
+echo "To enroll on first boot:"
+echo "  mokutil --import ${MOK_DER}"
+echo "=== MOK Generation Complete ==="

files/system/etc/secure-ai/config/appliance.yaml

@@ -90,6 +90,19 @@ auth:
   # Escalated lockout after 15 failed attempts (seconds).
   escalated_lockout: 900
 
+secure_boot:
+  # UEFI Secure Boot + TPM2 measured boot (M17).
+  # MOK (Machine Owner Key) signs bootloader and kernel.
+  # TPM2 seals the LUKS vault key to PCR values (firmware, kernel, bootloader,
+  # secure boot state). If the boot chain is tampered, TPM refuses to unseal
+  # and the user must enter the passphrase manually.
+  # PCR binding: PCR 0 (firmware), 2 (option ROM), 4 (bootloader), 7 (SB state).
+  tpm2_pcr_binding: "sha256:0,2,4,7"
+  # Allow passphrase fallback when PCR mismatch (e.g., after legitimate update).
+  passphrase_fallback: true
+  # Auto-reseal after rpm-ostree upgrade (requires user passphrase confirmation).
+  auto_reseal_on_update: false
+
 sandbox:
   # Per-service process isolation (M16).
   # seccomp: JSON profiles in /etc/secure-ai/seccomp/ define allowed syscalls.

files/system/usr/lib/systemd/system/secure-ai-boot-verify.service

@@ -0,0 +1,23 @@
+[Unit]
+Description=Secure AI Boot Chain Integrity Verification
+After=local-fs.target
+Before=secure-ai-registry.service secure-ai-ui.service
+DefaultDependencies=no
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/secure-ai/verify-boot-chain.sh
+RemainAfterExit=yes
+
+# Needs access to /sys/firmware/efi, /dev/tpmrm0, /boot
+ProtectSystem=full
+ProtectHome=yes
+PrivateTmp=yes
+PrivateNetwork=yes
+NoNewPrivileges=yes
+
+# Write results to logs
+ReadWritePaths=/var/lib/secure-ai/logs /run/secure-ai
+
+[Install]
+WantedBy=multi-user.target

files/system/usr/libexec/secure-ai/enroll-secureboot.sh

@@ -0,0 +1,182 @@
+#!/usr/bin/env bash
+#
+# Secure AI Appliance — Secure Boot MOK Enrollment
+#
+# Enrolls the SecAI Machine Owner Key (MOK) into the system's UEFI MOK
+# database. After enrollment, only kernels/bootloaders signed with this
+# key will be trusted.
+#
+# This script is called during firstboot. The user must reboot and
+# confirm enrollment in the MOK Manager (MokManager.efi) screen.
+#
+# Usage: enroll-secureboot.sh [--check-only]
+#
+set -euo pipefail
+
+MOK_DER="/etc/secure-ai/keys/secureai-mok.der"
+MOK_PEM="/etc/secure-ai/keys/secureai-mok.pem"
+STATE_FILE="/run/secure-ai/secureboot-state"
+
+log() {
+    echo "[enroll-secureboot] $*"
+    logger -t enroll-secureboot "$*"
+}
+
+write_state() {
+    mkdir -p "$(dirname "$STATE_FILE")" 2>/dev/null || true
+    echo "{\"secure_boot\":\"$1\",\"mok_enrolled\":\"$2\",\"detail\":\"$3\"}" > "$STATE_FILE"
+}
+
+check_secure_boot() {
+    # Check if Secure Boot is enabled
+    if [ -d /sys/firmware/efi ]; then
+        local sb_state
+        sb_state=$(mokutil --sb-state 2>/dev/null || echo "unknown")
+        case "$sb_state" in
+            *enabled*|*Enabled*)
+                echo "enabled"
+                return 0
+                ;;
+            *disabled*|*Disabled*)
+                echo "disabled"
+                return 1
+                ;;
+        esac
+    fi
+    echo "unavailable"
+    return 1
+}
+
+check_mok_enrolled() {
+    # Check if our MOK is already enrolled
+    if [ ! -f "$MOK_DER" ]; then
+        return 1
+    fi
+
+    if command -v mokutil &>/dev/null; then
+        # Get the fingerprint of our cert
+        local our_fp
+        our_fp=$(openssl x509 -in "$MOK_PEM" -noout -fingerprint -sha256 2>/dev/null | \
+                 sed 's/.*=//;s/://g' | tr '[:upper:]' '[:lower:]')
+
+        # Check enrolled keys
+        if mokutil --list-enrolled 2>/dev/null | grep -qi "$our_fp"; then
+            return 0
+        fi
+    fi
+    return 1
+}
+
+cmd_check() {
+    echo "=== Secure Boot Status ==="
+
+    local sb_state
+    sb_state=$(check_secure_boot)
+    echo "UEFI Secure Boot: ${sb_state}"
+
+    if [ "$sb_state" = "unavailable" ]; then
+        echo "System does not support UEFI Secure Boot."
+        echo "This may be a legacy BIOS system or a VM without UEFI."
+        write_state "unavailable" "false" "no_uefi"
+        return
+    fi
+
+    if [ "$sb_state" = "disabled" ]; then
+        echo "Secure Boot is disabled in firmware."
+        echo "Enable it in BIOS/UEFI settings for full boot chain verification."
+        write_state "disabled" "false" "sb_disabled"
+        return
+    fi
+
+    # Check MOK enrollment
+    if [ ! -f "$MOK_DER" ]; then
+        echo "SecAI MOK certificate not found at ${MOK_DER}"
+        echo "Run generate-mok.sh during image build to create it."
+        write_state "enabled" "false" "no_mok_cert"
+        return
+    fi
+
+    if check_mok_enrolled; then
+        echo "SecAI MOK: ENROLLED"
+        write_state "enabled" "true" "fully_configured"
+    else
+        echo "SecAI MOK: NOT ENROLLED"
+        echo "Run: enroll-secureboot.sh (without --check-only) to enroll."
+        write_state "enabled" "false" "mok_not_enrolled"
+    fi
+
+    # Check if kernel is signed
+    if command -v sbverify &>/dev/null; then
+        local kernel
+        kernel=$(ls /boot/vmlinuz-* 2>/dev/null | sort -V | tail -1 || echo "")
+        if [ -n "$kernel" ]; then
+            if sbverify --cert "$MOK_PEM" "$kernel" 2>/dev/null; then
+                echo "Kernel signature: VALID"
+            else
+                echo "Kernel signature: NOT SIGNED or INVALID"
+                echo "  The kernel may not be signed with the SecAI MOK."
+            fi
+        fi
+    fi
+
+    echo "=== End Secure Boot Status ==="
+}
+
+cmd_enroll() {
+    log "Starting MOK enrollment..."
+
+    if [ ! -f "$MOK_DER" ]; then
+        log "ERROR: MOK certificate not found at ${MOK_DER}"
+        log "Generate it first: /usr/libexec/secure-ai/generate-mok.sh"
+        exit 1
+    fi
+
+    local sb_state
+    sb_state=$(check_secure_boot)
+
+    if [ "$sb_state" = "unavailable" ]; then
+        log "WARNING: UEFI not available. MOK enrollment skipped."
+        write_state "unavailable" "false" "no_uefi"
+        exit 0
+    fi
+
+    if check_mok_enrolled; then
+        log "SecAI MOK is already enrolled."
+        write_state "$sb_state" "true" "already_enrolled"
+        exit 0
+    fi
+
+    if ! command -v mokutil &>/dev/null; then
+        log "ERROR: mokutil not found. Install it: dnf install mokutil"
+        exit 1
+    fi
+
+    log "Importing MOK certificate..."
+    log "You will be prompted for a one-time password."
+    log "Remember this password — you'll need it on the next reboot"
+    log "when the MOK Manager asks you to confirm enrollment."
+
+    mokutil --import "$MOK_DER"
+
+    log ""
+    log "MOK import request registered."
+    log "IMPORTANT: Reboot the system. At the MOK Manager screen:"
+    log "  1. Select 'Enroll MOK'"
+    log "  2. Select 'Continue'"
+    log "  3. Enter the one-time password you just set"
+    log "  4. Select 'Reboot'"
+    log ""
+    log "After reboot, the SecAI signing key will be trusted."
+
+    write_state "$sb_state" "pending" "enrollment_pending_reboot"
+}
+
+# --- Main ---
+case "${1:---check-only}" in
+    --check-only|check|status) cmd_check ;;
+    enroll|--enroll)           cmd_enroll ;;
+    *)
+        echo "Usage: $0 [--check-only | enroll]"
+        exit 1
+        ;;
+esac

files/system/usr/libexec/secure-ai/firstboot.sh

@@ -153,6 +153,34 @@ if [ -w /proc/sys/kernel/yama/ptrace_scope ]; then
     echo 1 > /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || true
 fi
 
+# --- Secure Boot + TPM2 checks (M17) ---
+log "Checking Secure Boot status..."
+/usr/libexec/secure-ai/enroll-secureboot.sh --check-only 2>&1 | while IFS= read -r line; do log "$line"; done || true
+
+log "Checking TPM2 status..."
+/usr/libexec/secure-ai/tpm2-seal-vault.sh status 2>&1 | while IFS= read -r line; do log "$line"; done || true
+
+# Create TPM2 key directory
+mkdir -p "${SECURE_AI_ROOT}/keys/tpm2"
+chmod 700 "${SECURE_AI_ROOT}/keys/tpm2"
+
+# If TPM2 is available and vault key is not yet sealed, log instructions
+if [ -e /dev/tpmrm0 ] || [ -e /dev/tpm0 ]; then
+    if [ ! -f "${SECURE_AI_ROOT}/keys/tpm2/vault-key.sealed.pub" ]; then
+        log ""
+        log "TPM2 detected. To seal the vault key to the boot chain:"
+        log "  sudo /usr/libexec/secure-ai/tpm2-seal-vault.sh seal"
+        log "This binds vault auto-unlock to the current firmware + kernel state."
+        log ""
+    fi
+fi
+
+# Run boot chain verification
+log "Running boot chain integrity verification..."
+/usr/libexec/secure-ai/verify-boot-chain.sh 2>&1 | while IFS= read -r line; do log "$line"; done || {
+    log "WARNING: boot chain verification failed"
+}
+
 # Write marker (read-only to prevent tampering)
 date -Iseconds > "$MARKER"
 chmod 444 "$MARKER"