Edge Security Model¶
mTLS and CRL¶
Enforced at transport layer:
TLS 1.3 handshake with mutual certificate validation
optional CRL revocation check against a local CRL file
domain mismatch rejection after handshake
See mTLS and Domain Validation.
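The three transport checks above, as an added worked example (not code from edge/transport): a `VerifyPeerCertificate`-shaped callback that chains the peer's leaf to the configured roots, rejects serials listed in a CRL parsed from local bytes, and rejects a leaf whose SANs do not cover the expected domain. The CA, the two peer certificates, the CRL, the fixed key seeds and the domain `edge.example.internal` are all constructed in memory for the example; the project's real types and file paths are not assumed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// peerPolicy: trust anchors, serials from the local CRL (nil = no CRL configured,
// the "optional" case) and the DNS name the peer must present.
type peerPolicy struct {
	roots   *x509.CertPool
	revoked map[string]bool
	domain  string
}

// loadCRL turns DER CRL bytes (read from the local CRL file in the daemon) into a serial set.
func loadCRL(der []byte) (map[string]bool, error) {
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, err
	}
	set := make(map[string]bool)
	for _, rc := range crl.RevokedCertificates { // RevokedCertificateEntries on Go >= 1.21
		set[rc.SerialNumber.String()] = true
	}
	return set, nil
}

// verifyPeer has the shape of tls.Config.VerifyPeerCertificate. Order matters: chain first
// (so the serial checked against the CRL was issued by our CA), then revocation, then domain.
func (p peerPolicy) verifyPeer(rawCerts [][]byte) error {
	if len(rawCerts) == 0 {
		return errors.New("peer presented no certificate")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return err
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: p.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if p.revoked != nil && p.revoked[leaf.SerialNumber.String()] {
		return fmt.Errorf("certificate serial %s is revoked", leaf.SerialNumber)
	}
	if err := leaf.VerifyHostname(p.domain); err != nil {
		return fmt.Errorf("domain mismatch: %w", err)
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// buildFixture is a constructed in-memory PKI so the example runs offline: a CA, a valid
// peer (serial 2) and a peer whose serial (3) is on the CA's CRL. Keys come from fixed seeds.
func buildFixture(domain string) (p peerPolicy, goodDER, revokedDER []byte) {
	now := time.Now()
	caPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0xCA}, ed25519.SeedSize))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "edge test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPriv.Public(), caPriv))))
	issue := func(serial int64) []byte {
		leafPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{byte(serial)}, ed25519.SeedSize))
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), DNSNames: []string{domain},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature,
		}
		return must(x509.CreateCertificate(rand.Reader, tmpl, ca, leafPriv.Public(), caPriv))
	}
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(3), RevocationTime: now}},
	}, ca, caPriv))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return peerPolicy{roots: roots, revoked: must(loadCRL(crlDER)), domain: domain}, issue(2), issue(3)
}

func main() {
	p, good, revoked := buildFixture("edge.example.internal")
	fmt.Println("good peer:", p.verifyPeer([][]byte{good}))
	fmt.Println("revoked peer:", p.verifyPeer([][]byte{revoked}))
}
```

The chain check runs before the CRL lookup on purpose: a serial number is only meaningful relative to its issuer, so consulting the revoked set before proving the leaf was issued by the configured CA would let an attacker-minted certificate pick any unrevoked serial. With `revoked == nil` (no CRL configured) the revocation step is skipped, which is exactly the "optional" behaviour; everything else stays mandatory.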
Reconstruction Signature Policy¶
edged precheck OS-update path is fail-closed:
reads ${state_root}/runtime/manifest.json
requires ${state_root}/identity/manifest-verify.pub
verifies ${state_root}/runtime/manifest.json.sig
runs reconstruction only on the verified manifest bytes
If key or signature verification fails, precheck exits 5; the provided systemd
dependency chain gates daemon startup on precheck success, so startup must not proceed.
Safe Install Operations Constraints¶
Reconstruction operations are typed and constrained.
Supported ops:
copy_binary
verify_config
Path restrictions:
source must be under {state_root}/runtime/binaries/
destination must be under {state_root}
shell metacharacters in paths are rejected
Hash/signature gates:
optional BLAKE3 hash check for copied binary
Ed25519 manifest signature verification before operation execution
What Is Not Implemented¶
arbitrary shell execution in reconstruction manifest
remote key fetch during reconstruction
bypass mode that ignores invalid signatures in precheck path
How To Verify¶
# Signature gate and reconstruction path tests
GOWORK=off go test ./edge/bootstrap -run 'TestVerifyManifestSignature|TestRunReconstruction' -v
GOWORK=off go test ./edge/cmd/edged -run Precheck -v
# Transport auth/domain/CRL checks
GOWORK=off go test ./edge/transport -run 'TestTCPTLS|TestReload' -v
GOWORK=off go test ./edge/fi -run '^TestFI_Transport_' -v
Evidence¶
Code:
edge/transport/tcptls.go
edge/transport/crl.go
edge/cmd/edged/main.go (runPrecheck)
edge/bootstrap/install.go (VerifyManifestSignature, ValidateInstallOperation)
edge/bootstrap/bootstrap.go (RunReconstruction)
Tests:
edge/transport/transport_test.go
edge/fi/fi_transport_test.go
edge/bootstrap/install_test.go
edge/bootstrap/bootstrap_test.go
edge/cmd/edged/precheck_test.go