Add Linux client support (.NET 8) for cross-platform Secure Boot monitoring

README.md

@@ -126,12 +126,22 @@ Interactive Chart.js visualizations showing compliance trends and deployment sta
   - **Web API**: HTTP POST directly to the dashboard ingestion endpoint
 - Configured via `appsettings.json` with fleet-specific settings
 
-### 2. **SecureBootWatcher.Shared** (netstandard2.0)
+### 2. **SecureBootWatcher.LinuxClient** (.NET 8) **NEW**
+- Runs on Linux systems with UEFI firmware support
+- Cross-platform client for monitoring Secure Boot certificates on Linux
+- Reads EFI variables from `/sys/firmware/efi/efivars`
+- Queries systemd journal (journald) for boot-related events
+- Enumerates UEFI certificates using direct EFI variable access
+- Supports same three reporting sinks as Windows client
+- Targets `linux-x64` and `linux-arm64` architectures
+- Configured via `appsettings.json` with fleet-specific settings
+
+### 3. **SecureBootWatcher.Shared** (netstandard2.0)
 - Shared models, configuration, validation, and storage contracts
 - Used by client, API, and web projects for consistent DTOs
 - Includes certificate enumeration models and validation logic
 
-### 3. **SecureBootDashboard.Api** (ASP.NET Core 8)
+### 4. **SecureBootDashboard.Api** (ASP.NET Core 8)
 - REST API for ingesting reports and querying aggregated data
 - Two storage backends:
   - **EF Core + SQL Server**: full relational persistence with migrations
@@ -145,7 +155,7 @@ Interactive Chart.js visualizations showing compliance trends and deployment sta
   - `GET /api/SecureBootReports/{id}` – individual report details
   - `GET /health` – health checks
 
-### 4. **SecureBootDashboard.Web** (ASP.NET Core 8 Razor Pages)
+### 5. **SecureBootDashboard.Web** (ASP.NET Core 8 Razor Pages)
 - Modern, responsive dashboard UI for viewing devices, reports, and compliance
 - **Features**:
   - Splash screen with smooth animations
@@ -161,19 +171,27 @@ Interactive Chart.js visualizations showing compliance trends and deployment sta
 ## Prerequisites
 
 ### Development
-- **.NET SDK 8.0+** (for API & Web projects)
-- **.NET Framework 4.8 Developer Pack** (for client)
+- **.NET SDK 8.0+** (for API, Web, and Linux client projects)
+- **.NET Framework 4.8 Developer Pack** (for Windows client)
 - **SQL Server** (LocalDB, Express, or full instance) *or* configure file storage
 - **Visual Studio 2022** or **VS Code** with C# extensions
-- **PowerShell 5.0+** (for certificate enumeration and deployment scripts)
+- **PowerShell 5.0+** (for Windows certificate enumeration and deployment scripts)
 
-### Runtime (Client)
+### Runtime (Windows Client)
 - **Windows 10/11** or **Windows Server 2016+** with UEFI firmware
 - **.NET Framework 4.8 runtime**
 - **PowerShell 5.0+** with SecureBoot module
 - Administrator/SYSTEM privileges (for registry and certificate access)
 - Network or Azure connectivity for sinks
 
+### Runtime (Linux Client) **NEW**
+- **Linux distribution** with UEFI firmware support (Ubuntu 20.04+, RHEL 8+, Debian 11+, etc.)
+- **.NET 8 runtime** (`dotnet-runtime-8.0`)
+- **systemd** with journald (for event logging)
+- Root/sudo privileges (for EFI variable access at `/sys/firmware/efi/efivars`)
+- Network or Azure connectivity for sinks
+- Optional: `mokutil` for Secure Boot status checking
+
 ### Runtime (Dashboard API/Web)
 - **Azure App Service** (Linux or Windows) *or* on-premises IIS/Kestrel
 - **SQL Server** (Azure SQL Database, SQL Managed Instance, or on-prem) *or* file storage mount
@@ -271,13 +289,27 @@ Navigate to:
 - **Web Dashboard**: `https://localhost:7001`
 - **API Swagger**: `https://localhost:5001/swagger`
 
-### 7. Run the Client
+### 7. Run the Windows Client
 ```powershell
 cd SecureBootWatcher.Client\bin\Debug\net48
 .\SecureBootWatcher.Client.exe
 ```
 Watch logs for successful registry snapshot, certificate enumeration, event capture, and confirm payloads reach your API.
 
+### 8. Run the Linux Client (Optional)
+```bash
+cd SecureBootWatcher.LinuxClient
+dotnet run
+
+# Or publish and run as self-contained:
+dotnet publish -c Release -r linux-x64 --self-contained
+cd bin/Release/net8.0/linux-x64/publish
+sudo ./SecureBootWatcher.LinuxClient
+```
+**Note**: Root/sudo privileges are required to access EFI variables at `/sys/firmware/efi/efivars`.
+
+Watch logs for successful EFI variable access, certificate enumeration, journal event capture, and confirm payloads reach your API.
+
 ---
 
 ## 📚 Documentation
@@ -491,7 +523,7 @@ For questions, issues, or support:
 - [ ] Enhanced analytics (30/60/90 day trends)
 
 ### v2.0 (Q3 2025)
-- [ ] Linux client support (.NET 8)
+- [x] Linux client support (.NET 8) **COMPLETED**
 - [ ] API v2 with GraphQL
 - [ ] Machine learning anomaly detection
 - [ ] Integration with ServiceNow/Jira

SecureBootWatcher.Client.Tests/obj/Debug/net48/SecureBootWatcher.Client.Tests.AssemblyInfo.cs

@@ -1,7 +1,6 @@
 //------------------------------------------------------------------------------
 // <auto-generated>
 //     This code was generated by a tool.
-//     Runtime Version:4.0.30319.42000
 //
 //     Changes to this file may cause incorrect behavior and will be lost if
 //     the code is regenerated.

SecureBootWatcher.Client.Tests/obj/Debug/net48/SecureBootWatcher.Client.Tests.GeneratedMSBuildEditorConfig.editorconfig

@@ -1,7 +1,7 @@
 is_global = true
 build_property.IsMSTestTestAdapterReferenced = true
 build_property.RootNamespace = SecureBootWatcher.Client.Tests
-build_property.ProjectDir = C:\Users\nefario\source\repos\robgrame\Nimbus.BootCertWatcher\SecureBootWatcher.Client.Tests\
+build_property.ProjectDir = /home/runner/work/Nimbus.BootCertWatcher/Nimbus.BootCertWatcher/SecureBootWatcher.Client.Tests/
 build_property.EnableComHosting = 
 build_property.EnableGeneratedComInterfaceComImportInterop = 
 build_property.CsWinRTUseWindowsUIXamlProjections = false

SecureBootWatcher.Client/Services/PowerShellSecureBootCertificateEnumerator.cs

@@ -89,11 +89,11 @@ public async Task<SecureBootCertificateCollection> EnumerateAsync(CancellationTo
               var script = "Confirm-SecureBootUEFI";
     var result = await ExecutePowerShellAsync(script, cancellationToken);
 
-      if (result.Contains("True", StringComparison.OrdinalIgnoreCase))
+      if (result.IndexOf("True", StringComparison.OrdinalIgnoreCase) >= 0)
     {
            return true;
         }
-                else if (result.Contains("False", StringComparison.OrdinalIgnoreCase))
+                else if (result.IndexOf("False", StringComparison.OrdinalIgnoreCase) >= 0)
          {
         return false;
         }
@@ -128,7 +128,7 @@ private async Task EnumerateDatabaseAsync(
 
        var base64Data = await ExecutePowerShellAsync(script, cancellationToken);
 
-   if (string.IsNullOrWhiteSpace(base64Data) || base64Data.Contains("Error", StringComparison.OrdinalIgnoreCase))
+   if (string.IsNullOrWhiteSpace(base64Data) || base64Data.IndexOf("Error", StringComparison.OrdinalIgnoreCase) >= 0)
     {
     _logger.LogDebug("No data returned for {Database}", databaseName);
  return;

SecureBootWatcher.LinuxClient.Tests/SecureBootWatcher.LinuxClient.Tests.csproj

@@ -0,0 +1,31 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net8.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+
+    <IsPackable>false</IsPackable>
+    <IsTestProject>true</IsTestProject>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="coverlet.collector" Version="6.0.0" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.8.0" />
+    <PackageReference Include="xunit" Version="2.5.3" />
+    <PackageReference Include="xunit.runner.visualstudio" Version="2.5.3" />
+    <PackageReference Include="Moq" Version="4.20.70" />
+    <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="9.0.10" />
+    <PackageReference Include="Microsoft.Extensions.Options" Version="9.0.10" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <Using Include="Xunit" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\SecureBootWatcher.LinuxClient\SecureBootWatcher.LinuxClient.csproj" />
+    <ProjectReference Include="..\SecureBootWatcher.Shared\SecureBootWatcher.Shared.csproj" />
+  </ItemGroup>
+
+</Project>

SecureBootWatcher.LinuxClient.Tests/Services/LinuxRegistrySnapshotProviderTests.cs

@@ -0,0 +1,56 @@
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Logging.Abstractions;
+using SecureBootWatcher.LinuxClient.Services;
+using SecureBootWatcher.Shared.Models;
+
+namespace SecureBootWatcher.LinuxClient.Tests.Services;
+
+public class LinuxRegistrySnapshotProviderTests
+{
+    [Fact]
+    public async Task CaptureAsync_ShouldReturnSnapshot()
+    {
+        // Arrange
+        var logger = NullLogger<LinuxRegistrySnapshotProvider>.Instance;
+        var provider = new LinuxRegistrySnapshotProvider(logger);
+
+        // Act
+        var result = await provider.CaptureAsync(CancellationToken.None);
+
+        // Assert
+        Assert.NotNull(result);
+        Assert.True(result.CollectedAtUtc <= DateTimeOffset.UtcNow);
+        Assert.True(result.CollectedAtUtc > DateTimeOffset.UtcNow.AddMinutes(-1));
+    }
+
+    [Fact]
+    public async Task CaptureAsync_ShouldSetDeploymentState()
+    {
+        // Arrange
+        var logger = NullLogger<LinuxRegistrySnapshotProvider>.Instance;
+        var provider = new LinuxRegistrySnapshotProvider(logger);
+
+        // Act
+        var result = await provider.CaptureAsync(CancellationToken.None);
+
+        // Assert
+        Assert.NotEqual(SecureBootDeploymentState.NotStarted, result.DeploymentState);
+        // Linux systems will return Unknown (no EFI vars path) or Unknown (EFI vars exist)
+        // since UEFI CA 2023 tracking is Windows-specific
+    }
+
+    [Fact]
+    public async Task CaptureAsync_WithCancellationToken_ShouldComplete()
+    {
+        // Arrange
+        var logger = NullLogger<LinuxRegistrySnapshotProvider>.Instance;
+        var provider = new LinuxRegistrySnapshotProvider(logger);
+        using var cts = new CancellationTokenSource();
+
+        // Act
+        var result = await provider.CaptureAsync(cts.Token);
+
+        // Assert
+        Assert.NotNull(result);
+    }
+}

SecureBootWatcher.LinuxClient/Configuration/ConfigurationExtensions.cs

@@ -0,0 +1,15 @@
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.DependencyInjection;
+using SecureBootWatcher.Shared.Configuration;
+
+namespace SecureBootWatcher.LinuxClient.Configuration
+{
+    internal static class ConfigurationExtensions
+    {
+        public static IServiceCollection AddSecureBootWatcherOptions(this IServiceCollection services, IConfiguration configuration)
+        {
+            services.Configure<SecureBootWatcherOptions>(configuration.GetSection("SecureBootWatcher"));
+            return services;
+        }
+    }
+}