Require emergency drill evidence validation

2026-06-02 00:08:16 +02:00
parent 6bd822ae71
commit cd82285efe
2 changed files with 19 additions and 0 deletions
--- a/tools/security-bootstrap-console/security_bootstrap_console.py
+++ b/tools/security-bootstrap-console/security_bootstrap_console.py
@@ -1931,6 +1931,11 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
        'make -C ../railiance-platform openbao-validate-restore-evidence '
        'OPENBAO_RESTORE_EVIDENCE="$OPENBAO_RESTORE_EVIDENCE"'
    )
+    validate_emergency_evidence_command = (
+        'export OPENBAO_EMERGENCY_EVIDENCE="${OPENBAO_EMERGENCY_EVIDENCE:-/tmp/netkingdom-openbao-emergency-drill/evidence.json}"\n'
+        'make -C ../railiance-platform openbao-validate-emergency-evidence '
+        'OPENBAO_EMERGENCY_EVIDENCE="$OPENBAO_EMERGENCY_EVIDENCE"'
+    )
    privacyidea_realm_command = f"bash {shlex.quote(str(PRIVACYIDEA_REALM_REPAIR))}"

    return [
@@ -2029,6 +2034,12 @@ def runbook_command_payloads(data: dict[str, Any]) -> list[dict[str, str]]:
            openbao_status_command,
            downstream_taint,
        ),
+        action(
+            "Validate emergency drill evidence",
+            "Validate non-secret evidence for an attended emergency seal/unseal drill. The evidence records timing, sealed-state proof, quorum availability, post-unseal verification, and absence of secret material.",
+            validate_emergency_evidence_command,
+            downstream_taint,
+        ),
        action(
            "Prepare restore drill workspace",
            "Create a local restricted directory for temporary snapshot evidence.",
--- a/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md
+++ b/workplans/NET-WP-0017-it-security-readiness-for-user-onboarding.md
@@ -221,6 +221,14 @@ control surface now includes a **Validate restore drill evidence** runbook
 card. T02 should not count the restore gate closed until a real non-secret
 evidence file from the prior or repeated drill passes that validator.

+**2026-06-01:** Added the parallel evidence path for the emergency seal/unseal
+drill. Railiance now has an emergency drill evidence template and
+`make openbao-validate-emergency-evidence`; NetKingdom exposes it through a
+**Validate emergency drill evidence** runbook card. The live drill is
+deliberately not automated because it seals OpenBao and requires threshold
+unseal shares. T02 should count the emergency drill gate closed only after an
+attended drill records non-secret evidence and that evidence validates.
+
 ### T03 - Close Trial Taint And Retire Bootstrap Admin Paths

 ```task