ADR-042: Security RVF
February 21, 2026 · View on GitHub
| Field | Value |
|---|---|
| Status | Accepted |
| Date | 2025-02-21 |
| Authors | ruv |
| Supersedes | — |
| Implements | ADR-041 Tier 1 (Security Container) |
Context
ADR-041 identified 15 npm packages suitable for RVF cognitive containers. This ADR
specifies the ultimate security RVF — a single .rvf file that combines:
- AIDefence — 5-layer adversarial defense (prompt injection, jailbreak, PII, behavioral, policy)
- TEE attestation — Hardware-bound trust (SGX, SEV-SNP, TDX, ARM CCA)
- Hardened Linux microkernel — Minimal attack surface boot image + KernelBinding anti-tamper
- Coherence Gate — Anytime-valid permission authorization
- RBAC + Ed25519 signing — Role-based access with cryptographic proof
- Witness chain audit — Tamper-evident hash-chained event log
- Self-bootstrapping — Dual WASM (Interpreter + Microkernel) for standalone execution
- Dashboard — Embedded security monitoring UI (DASHBOARD_SEG)
- Quantization — Scalar (int8, 4x) + Binary (1-bit, 32x) compression
- Lifecycle — Filter deletion, compaction, and permanent freeze/seal
The result is a self-contained, bootable, cryptographically sealed security appliance with 30 verified capabilities, end-to-end from silicon to application layer.
Decision
Build security_hardened.rvf as a capstone example in examples/rvf/examples/ that
exercises every security primitive in the RVF format.
Architecture
security_hardened.rvf
├── KERNEL_SEG (0x0E) Hardened Linux 6.x + KernelBinding (128B anti-tamper)
├── EBPF_SEG (0x0F) Packet filter + syscall policy enforcer
├── WASM_SEG #1 (0x10) AIDefence engine (prompt injection, PII, jailbreak)
├── WASM_SEG #2 (0x10) Interpreter runtime (self-bootstrapping)
├── DASHBOARD_SEG (0x11) Security monitoring web UI
├── VEC_SEG (0x01) Threat signature embeddings (512-dim)
├── INDEX_SEG (0x02) HNSW index over threat vectors (m=32)
├── CRYPTO_SEG (0x0C) Ed25519 keys + TEE-bound key records
├── WITNESS_SEG (0x0A) 30-entry security lifecycle chain
├── META_SEG (0x07) Security policy + RBAC config + AIDefence rules
├── PROFILE_SEG (0x0B) Domain profile: RVSecurity
├── PolicyKernel (0x31) Gate thresholds + coherence config
├── MANIFEST_SEG (0x05) Signed manifest with hardening fields
└── Signature Footer Ed25519 over entire artifact
Segment Budget
| Segment | Purpose | Size Budget |
|---|---|---|
| KERNEL_SEG | Hardened Linux bzImage | ~1.6 MB |
| EBPF_SEG | Firewall + syscall filter | ~8 KB |
| WASM_SEG | AIDefence WASM engine | ~256 KB |
| VEC_SEG | Threat embeddings (1000 x 512) | ~2 MB |
| INDEX_SEG | HNSW graph | ~512 KB |
| CRYPTO_SEG | Keys + TEE attestation records | ~4 KB |
| WITNESS_SEG | 30-entry audit chain | ~2 KB |
| META_SEG | Policy JSON + RBAC matrix | ~4 KB |
| PROFILE_SEG | Domain profile | ~512 B |
| PolicyKernel | Gate config | ~1 KB |
| MANIFEST_SEG | Signed directory | ~512 B |
| Total | ~4.4 MB |
Security Layers
Layer 1: Hardware Root of Trust (TEE)
┌─────────────────────────────────────┐
│ AttestationHeader (112 bytes) │
│ ├── platform: SGX/SEV-SNP/TDX/CCA │
│ ├── measurement: MRENCLAVE │
│ ├── signer_id: MRSIGNER │
│ ├── nonce: anti-replay │
│ ├── svn: security version │
│ └── quote: opaque attestation blob │
└─────────────────────────────────────┘
- Hardware TEE attestation records in CRYPTO_SEG
- TEE-bound key records: keys sealed to enclave measurement
- Platform verification: correct TEE + measurement + validity window
- Multi-platform: SGX, SEV-SNP, TDX, ARM CCA in single witness chain
Layer 2: Kernel Hardening
KernelHeader flags:
KERNEL_FLAG_SIGNED = 0x0001
KERNEL_FLAG_COMPRESSED = 0x0002
KERNEL_FLAG_REQUIRES_TEE = 0x0004
KERNEL_FLAG_MEASURED = 0x0008
KERNEL_FLAG_REQUIRES_KVM = 0x0010
KERNEL_FLAG_ATTESTATION_READY = 0x0400
Linux tinyconfig + hardening options:
CONFIG_SECURITY_LOCKDOWN_LSM=y— Kernel lockdownCONFIG_SECURITY_LANDLOCK=y— Landlock sandboxingCONFIG_SECCOMP=y— Syscall filteringCONFIG_STATIC_USERMODEHELPER=y— No dynamic module loadingCONFIG_STRICT_KERNEL_RWX=y— W^X enforcementCONFIG_INIT_ON_ALLOC_DEFAULT_ON=y— Memory init on allocCONFIG_BLK_DEV_INITRD=y— Initramfs support- No loadable modules, no debugfs, no procfs write, no sysfs write
Layer 3: eBPF Enforcement
Two eBPF programs embedded:
-
XDP Packet Filter — Drop all traffic except allowed ports
- Allow: TCP 8443 (HTTPS API), TCP 9090 (metrics)
- Drop everything else at XDP layer (before kernel stack)
-
Seccomp Syscall Filter — Allowlist-only syscalls
- Allow: read, write, mmap, munmap, close, exit, futex, epoll_*
- Deny: execve, fork, clone3, ptrace, mount, umount, ioctl(TIOCSTI)
Layer 4: AIDefence (WASM Engine)
The WASM segment contains a compiled AIDefence engine with:
| Detector | Latency | Description |
|---|---|---|
| Prompt Injection | <5ms | 30+ regex patterns + semantic similarity |
| Jailbreak | <5ms | DAN, role manipulation, system prompt extraction |
| PII Detection | <5ms | Email, phone, SSN, credit card, API keys, IP |
| Control Characters | <1ms | Unicode homoglyphs, null bytes, escape sequences |
| Behavioral Analysis | <100ms | EMA baseline deviation per user |
| Policy Verification | <500ms | Custom pattern matching + domain allowlists |
Threat levels: none → low → medium → high → critical
Default block threshold: medium (configurable via META_SEG policy)
Layer 5: Cryptographic Integrity
- Ed25519 signing (RFC 8032): Every segment signed individually
- Witness chain: HMAC-SHA256 hash-chained audit entries
- Content hashing: SHAKE-256 truncated hashes in HardeningFields
- SecurityPolicy::Paranoid: Full chain verification on mount
- Key rotation: Witness entry records rotation event
Layer 6: Access Control (RBAC + Coherence Gate)
Role Matrix:
┌──────────┬───────┬──────┬────────┬───────┬──────────┐
│ Role │ Write │ Read │ Derive │ Audit │ Gate │
├──────────┼───────┼──────┼────────┼───────┼──────────┤
│ Admin │ ✓ │ ✓ │ ✓ │ ✓ │ permit │
│ Operator │ ✓ │ ✓ │ ✗ │ ✓ │ permit │
│ Analyst │ ✗ │ ✓ │ ✗ │ ✓ │ defer │
│ Reader │ ✗ │ ✓ │ ✗ │ ✗ │ defer │
│ Auditor │ ✗ │ ✓ │ ✗ │ ✓ │ permit │
│ Guest │ ✗ │ ✗ │ ✗ │ ✗ │ deny │
└──────────┴───────┴──────┴────────┴───────┴──────────┘
Coherence Gate thresholds (PolicyKernel segment):
permit_threshold: 0.85defer_threshold: 0.50deny_threshold: 0.0escalation_window_ns: 300_000_000_000 (5 min)max_deferred_queue: 100
Capabilities Confirmed
| # | Capability | Segment | Verification |
|---|---|---|---|
| 1 | TEE attestation (SGX, SEV-SNP, TDX, ARM CCA) | CRYPTO_SEG | Quote validation + binding check |
| 2 | TEE-bound key records | CRYPTO_SEG | Platform + measurement + validity |
| 3 | Hardened kernel boot | KERNEL_SEG | Flags: SIGNED, REQUIRES_TEE, MEASURED |
| 4 | KernelBinding anti-tamper | KERNEL_SEG | manifest_root_hash + policy_hash binding |
| 5 | eBPF packet filter | EBPF_SEG | XDP drop except allowlisted ports |
| 6 | eBPF syscall filter | EBPF_SEG | Seccomp allowlist enforcement |
| 7 | AIDefence prompt injection | WASM_SEG | 12 pattern detection |
| 8 | AIDefence jailbreak detect | WASM_SEG | DAN, role manipulation, 8 patterns |
| 9 | AIDefence PII scanning | WASM_SEG | Email, SSN, credit card, API keys |
| 10 | AIDefence code/encoding attack | WASM_SEG | XSS, eval, base64, unicode tricks |
| 11 | Self-bootstrapping | WASM_SEG x2 | Interpreter + Microkernel dual WASM |
| 12 | Security monitoring dashboard | DASHBOARD_SEG | Embedded security UI |
| 13 | Ed25519 segment signing | CRYPTO_SEG | Per-segment cryptographic proof |
| 14 | Witness chain audit trail | WITNESS_SEG | 30-entry HMAC-SHA256 chain |
| 15 | Content hash hardening | MANIFEST_SEG | SHAKE-256 content verification |
| 16 | Security policy (Paranoid) | MANIFEST_SEG | Full chain verification on mount |
| 17 | RBAC access control | META_SEG | 6 roles with permission matrix |
| 18 | Coherence Gate authorization | PolicyKernel | Anytime-valid decision with witness receipts |
| 19 | Key rotation | CRYPTO_SEG + WITNESS | Old key rejected, new key active |
| 20 | Tamper detection | WITNESS_SEG | 3/3 attacks rejected |
| 21 | Multi-tenant isolation | Store derivation | Lineage-linked derived stores |
| 22 | COW branching | Store branching | Forensic-grade immutable snapshots |
| 23 | Audited k-NN queries | WITNESS_SEG | Witness entry on every search |
| 24 | Threat vector similarity | VEC_SEG + INDEX | k-NN over 1000 threat embeddings |
| 25 | Data exfiltration detection | WASM_SEG | curl/wget/fetch/webhook patterns |
| 26 | Scalar quantization (int8) | rvf-quant | 4x compression, L2 distance preserved |
| 27 | Binary quantization (1-bit) | rvf-quant | 32x compression, Hamming distance |
| 28 | Filter deletion + compaction | Store lifecycle | Purge + reclaim dead space |
| 29 | QEMU requirements check | rvf-launch | Bootability proof (dry-run) |
| 30 | Freeze/seal | Store freeze | Permanent read-only immutability |
MCP Tools (Security Container)
When served via MCP, the security RVF exposes these tools:
| # | Tool | Description |
|---|---|---|
| 1 | aidefence_scan | Analyze input for all threat types |
| 2 | aidefence_sanitize | Remove/mask dangerous content |
| 3 | aidefence_validate_response | Check LLM output safety |
| 4 | aidefence_audit_log | Get audit trail entries |
| 5 | gate_permit | Request action authorization |
| 6 | gate_receipt | Retrieve witness receipt by sequence |
| 7 | gate_replay | Deterministic decision replay |
| 8 | tee_attest | Generate TEE attestation record |
| 9 | tee_verify | Verify attestation quote |
| 10 | tee_bind_key | Create TEE-bound key record |
| 11 | rbac_check | Verify role permissions |
| 12 | rbac_assign | Assign role to principal |
| 13 | threat_search | k-NN over threat embeddings |
| 14 | threat_ingest | Add new threat signatures |
| 15 | witness_chain | Get/verify witness chain |
| 16 | policy_get | Read security policy config |
HTTP API Endpoints
Port 8443 (TLS required in production)
POST /api/v1/scan AIDefence threat analysis
POST /api/v1/sanitize Input sanitization
POST /api/v1/validate Response validation
GET /api/v1/audit Audit log (paginated)
POST /api/v1/gate/permit Gate authorization request
GET /api/v1/gate/receipt/:seq Receipt by sequence
POST /api/v1/tee/attest Generate attestation
POST /api/v1/tee/verify Verify quote
POST /api/v1/rbac/check Permission check
POST /api/v1/threats/search Threat similarity search
GET /api/v1/status System health
GET /api/v1/policy Security policy config
Implementation
Files Created
| # | Path | Description |
|---|---|---|
| 1 | examples/rvf/examples/security_hardened.rs | Capstone security RVF example |
| 2 | docs/adr/ADR-042-Security-RVF-AIDefence-TEE.md | This ADR |
Files Modified
| # | Path | Changes |
|---|---|---|
| 1 | examples/rvf/Cargo.toml | Add security_hardened example entry |
Verification
# Build the example
cd examples/rvf && cargo build --example security_hardened
# Run the example (creates + verifies the security RVF)
cargo run --example security_hardened
# Expected output (v3.0 — 30 capabilities):
# Phase 1: Threat vector knowledge base (1000 embeddings)
# Phase 2: Hardened kernel + KernelBinding (KERNEL_SEG)
# Phase 3: eBPF packet + syscall filters (EBPF_SEG)
# Phase 4: AIDefence WASM #1 Microkernel (WASM_SEG)
# Phase 4b: WASM #2 Interpreter (self-bootstrapping)
# Phase 5: Security monitoring dashboard (DASHBOARD_SEG)
# Phase 6: TEE attestation (SGX, SEV-SNP, TDX, ARM CCA)
# Phase 7: TEE-bound key records
# Phase 8: RBAC access control (6 roles)
# Phase 9: Coherence Gate policy (PolicyKernel)
# Phase 10: Scalar + Binary quantization
# Phase 11: 30-entry witness chain
# Phase 12: Ed25519 signing + Paranoid verification
# Phase 13: Tamper detection (3 tests)
# Phase 14: Filter deletion + compaction
# Phase 15: Multi-tenant isolation + COW
# Phase 16: AIDefence live tests (10 threat types)
# Phase 17: QEMU requirements check
# Phase 18: Component verification
# Phase 19: Freeze — permanent immutability seal
# All 30 capabilities verified.
References
- ADR-033: Mandatory manifest signatures + HardeningFields
- ADR-041: RVF Cognitive Container identification
- ADR-041a: Detailed container implementations
rvf-types/src/attestation.rs: AttestationHeader, TeePlatformrvf-types/src/security.rs: SecurityPolicy, HardeningFieldsrvf-crypto: Ed25519, witness chains, TEE attestationruvbot/src/security/AIDefenceGuard.ts: AIDefence implementation