lanzaboote/flake.nix

{
  description = "Lanzaboot Secure Boot Madness";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";

    crane = {
      url = "github:ipetkov/crane";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    nixpkgs-test.url = "github:RaitoBezarius/nixpkgs/experimental-secureboot";
    rust-overlay.url = "github:oxalica/rust-overlay";
  };

  outputs = { self, nixpkgs, crane, nixpkgs-test, rust-overlay }:
    let
      pkgs = import nixpkgs {
        system = "x86_64-linux";
        overlays = [
          rust-overlay.overlays.default
        ];
      };

      lib = pkgs.lib;

      rust-nightly = pkgs.rust-bin.fromRustupToolchainFile ./rust/lanzaboote/rust-toolchain.toml;
      craneLib = crane.lib.x86_64-linux.overrideToolchain rust-nightly;

      uefi-run = pkgs.callPackage ./nix/uefi-run.nix {
        inherit craneLib;
      };

      # Build attributes for a Rust application.
      buildRustApp = {
        src, target ? null, doCheck ? true
      }: let
        cleanedSrc = craneLib.cleanCargoSource src;
        commonArgs = {
          src = cleanedSrc;
          CARGO_BUILD_TARGET = target;
          inherit doCheck;
        };

        cargoArtifacts = craneLib.buildDepsOnly commonArgs;
      in {
        package = craneLib.buildPackage (commonArgs // {
          inherit cargoArtifacts;
        });

        clippy = craneLib.cargoClippy (commonArgs // {
          inherit cargoArtifacts;
          cargoClippyExtraArgs = "-- --deny warnings";
        });
      };

      lanzabooteCrane = buildRustApp {
        src = ./rust/lanzaboote;
        target = "x86_64-unknown-uefi";
        doCheck = false;
      };

      lanzaboote = lanzabooteCrane.package;

      lanzatoolCrane = buildRustApp {
        src = ./rust/lanzatool;
      };

      lanzatool-unwrapped = lanzatoolCrane.package;

      lanzatool = pkgs.runCommand "lanzatool" {
        nativeBuildInputs = [ pkgs.makeWrapper ];
      } ''
        mkdir -p $out/bin

        # Clean PATH to only contain what we need to do objcopy. Also
        # tell lanzatool where to find our UEFI binaries.
        makeWrapper ${lanzatool-unwrapped}/bin/lanzatool $out/bin/lanzatool \
          --set PATH ${lib.makeBinPath [ pkgs.binutils-unwrapped pkgs.sbsigntool ]} \
          --set RUST_BACKTRACE full \
          --set LANZABOOTE_STUB ${lanzaboote}/bin/lanzaboote.efi
      '';
    in {
      overlays.default = final: prev: {
        inherit lanzatool;
      };

      nixosModules.lanzaboote = import ./nix/lanzaboote.nix;

      packages.x86_64-linux = {
        inherit lanzaboote lanzatool;
        default = lanzatool;
      };

      devShells.x86_64-linux.default = pkgs.mkShell {
        packages = [
          uefi-run
          lanzatool
          pkgs.openssl
          (pkgs.sbctl.override {
            databasePath = "pki";
          })
          pkgs.sbsigntool
          pkgs.efitools
          pkgs.python39Packages.ovmfvartool
          pkgs.qemu
        ];

        inputsFrom = [
          lanzaboote
        ];
      };

      checks.x86_64-linux = let
        mkSecureBootTest = { name, machine ? {}, testScript }: nixpkgs-test.legacyPackages.x86_64-linux.nixosTest {
          inherit name testScript;
          nodes.machine = { lib, ... }: {
            imports = [
              self.nixosModules.lanzaboote
              machine
            ];

            nixpkgs.overlays = [ self.overlays.default ];

            virtualisation = {
              useBootLoader = true;
              useEFIBoot = true;
              useSecureBoot = true;
            };

            boot.loader.efi = {
              enable = true;
              canTouchEfiVariables = true;
            };
            boot.lanzaboote = {
              enable = true;
              enrollKeys = lib.mkDefault true;
              pkiBundle = ./pki;
            };
          };
        };
        mkUnsignedTest = { name, path }: mkSecureBootTest {
          inherit name;
          testScript = ''
            import json
            import os.path
            bootspec = None

            def convert_to_esp(store_file_path):
                store_dir = os.path.basename(os.path.dirname(store_file_path))
                filename = os.path.basename(store_file_path)
                return f'/boot/EFI/nixos/{store_dir}-{filename}.efi'

            machine.start()
            bootspec = json.loads(machine.succeed("cat /run/current-system/bootspec/boot.v1.json"))
            src_path = ${path.src}
            dst_path = ${path.dst}
            machine.succeed(f"cp -rf {src_path} {dst_path}")
            machine.succeed("sync")
            machine.crash()
            machine.start()
            machine.wait_for_console_text("panicked")
          '';
        };
      in
        {
          lanzatool-clippy = lanzatoolCrane.clippy;
          lanzaboote-clippy = lanzabooteCrane.clippy;

          # TODO: user mode: OK
          # TODO: how to get in: {deployed, audited} mode ?
          lanzaboote-boot = mkSecureBootTest {
            name = "signed-files-boot-under-secureboot";
            testScript = ''
              machine.start()
              assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
            '';
          };

          lanzaboote-boot-under-sd-stage1 = mkSecureBootTest {
            name = "signed-files-boot-under-secureboot-systemd-stage-1";
            machine = { ... }: {
              boot.initrd.systemd.enable = true;
            };
            testScript = ''
              machine.start()
              assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
            '';
          };

          # So, this is the responsibility of the lanzatool install
          # to run the append-initrd-secret script
          # This test assert that lanzatool still do the right thing
          # preDeviceCommands should not have any root filesystem mounted
          # so it should not be able to find /etc/iamasecret, other than the
          # initrd's one.
          # which should exist IF lanzatool do the right thing.
          lanzaboote-with-initrd-secrets = mkSecureBootTest {
            name = "signed-files-boot-with-secrets-under-secureboot";
            machine = { ... }: {
              boot.initrd.secrets = {
                "/etc/iamasecret" = (pkgs.writeText "iamsecret" "this is a very secure secret");
              };

              boot.initrd.preDeviceCommands = ''
                grep "this is a very secure secret" /etc/iamasecret
              '';
            };
            testScript = ''
            machine.start()
            assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
          '';
          };
          is-initrd-secured = mkUnsignedTest {
            name = "unsigned-initrd-do-not-boot-under-secureboot";
            path = {
              src = "bootspec.get('initrd')";
              dst = "convert_to_esp(bootspec.get('initrd'))";
            };
          };
          is-kernel-secured = mkUnsignedTest {
            name = "unsigned-kernel-do-not-boot-under-secureboot";
            path = {
              src = "bootspec.get('kernel')";
              dst = "convert_to_esp(bootspec.get('kernel'))";
            };
          };
          specialisation-works = mkSecureBootTest {
            name = "specialisation-still-boot-under-secureboot";
            machine = { pkgs, ... }: {
              specialisation.variant.configuration = {
                environment.systemPackages = [
                  pkgs.efibootmgr
                ];
              };
            };
            testScript = ''
              machine.start()
              print(machine.succeed("ls -lah /boot/EFI/Linux"))
              print(machine.succeed("cat /run/current-system/bootspec/boot.v1.json"))
              # TODO: make it more reliable to find this filename, i.e. read it from somewhere?
              machine.succeed("bootctl set-default nixos-generation-1-specialisation-variant.efi")
              machine.succeed("sync")
              machine.fail("efibootmgr")
              machine.crash()
              machine.start()
              print(machine.succeed("bootctl"))
              # We have efibootmgr in this specialisation.
              machine.succeed("efibootmgr")
            '';
          };
        };
    };
}
Initial import of Rust files 2022-11-21 05:44:04 -05:00			`{`
Fix flake name 2022-11-24 06:29:16 -05:00			`description = "Lanzaboot Secure Boot Madness";`
Initial import of Rust files 2022-11-21 05:44:04 -05:00
			`inputs = {`
			`nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";`
nix: build lanzatool with crane 2022-11-26 10:41:48 -05:00
			`crane = {`
			`url = "github:ipetkov/crane";`
			`inputs.nixpkgs.follows = "nixpkgs";`
			`};`

nixos: add a lanzaboote module 2022-11-23 05:59:54 -05:00			`nixpkgs-test.url = "github:RaitoBezarius/nixpkgs/experimental-secureboot";`
Initial import of Rust files 2022-11-21 05:44:04 -05:00			`rust-overlay.url = "github:oxalica/rust-overlay";`
			`};`

nix: switch everything to crane and drop naersk 2022-11-28 07:48:25 -05:00			`outputs = { self, nixpkgs, crane, nixpkgs-test, rust-overlay }:`
Initial import of Rust files 2022-11-21 05:44:04 -05:00			`let`
			`pkgs = import nixpkgs {`
			`system = "x86_64-linux";`
			`overlays = [`
			`rust-overlay.overlays.default`
			`];`
			`};`

Use makeWrapper to wrap lanzatool 2022-11-24 06:05:46 -05:00			`lib = pkgs.lib;`

Move Rust tools into a common directory 2022-11-21 19:53:40 -05:00			`rust-nightly = pkgs.rust-bin.fromRustupToolchainFile ./rust/lanzaboote/rust-toolchain.toml;`
nix: build lanzatool with crane 2022-11-26 10:41:48 -05:00			`craneLib = crane.lib.x86_64-linux.overrideToolchain rust-nightly;`
Initial import of Rust files 2022-11-21 05:44:04 -05:00
Move uefi-run into its own Nix file 2022-11-21 18:42:41 -05:00			`uefi-run = pkgs.callPackage ./nix/uefi-run.nix {`
nix: switch everything to crane and drop naersk 2022-11-28 07:48:25 -05:00			`inherit craneLib;`
Make systemd boot the EFI binary 2022-11-21 09:36:39 -05:00			`};`

nix: switch everything to crane and drop naersk 2022-11-28 07:48:25 -05:00			`# Build attributes for a Rust application.`
			`buildRustApp = {`
			`src, target ? null, doCheck ? true`
			`}: let`
			`cleanedSrc = craneLib.cleanCargoSource src;`
			`commonArgs = {`
			`src = cleanedSrc;`
			`CARGO_BUILD_TARGET = target;`
			`inherit doCheck;`
			`};`
Make systemd boot the EFI binary 2022-11-21 09:36:39 -05:00
nix: switch everything to crane and drop naersk 2022-11-28 07:48:25 -05:00			`cargoArtifacts = craneLib.buildDepsOnly commonArgs;`
			`in {`
			`package = craneLib.buildPackage (commonArgs // {`
			`inherit cargoArtifacts;`
			`});`

			`clippy = craneLib.cargoClippy (commonArgs // {`
			`inherit cargoArtifacts;`
			`cargoClippyExtraArgs = "-- --deny warnings";`
			`});`
lanzatool: init 2022-11-21 19:29:16 -05:00			`};`

nix: switch everything to crane and drop naersk 2022-11-28 07:48:25 -05:00			`lanzabooteCrane = buildRustApp {`
			`src = ./rust/lanzaboote;`
			`target = "x86_64-unknown-uefi";`
			`doCheck = false;`
			`};`
Build tiny empty PE image as initrd carrier 2022-11-23 07:00:55 -05:00
nix: switch everything to crane and drop naersk 2022-11-28 07:48:25 -05:00			`lanzaboote = lanzabooteCrane.package;`
nix: build lanzatool with crane 2022-11-26 10:41:48 -05:00
nix: switch everything to crane and drop naersk 2022-11-28 07:48:25 -05:00			`lanzatoolCrane = buildRustApp {`
			`src = ./rust/lanzatool;`
lanzatool: add wrapper 2022-11-24 05:45:09 -05:00			`};`

nix: switch everything to crane and drop naersk 2022-11-28 07:48:25 -05:00			`lanzatool-unwrapped = lanzatoolCrane.package;`

Use makeWrapper to wrap lanzatool 2022-11-24 06:05:46 -05:00			`lanzatool = pkgs.runCommand "lanzatool" {`
			`nativeBuildInputs = [ pkgs.makeWrapper ];`
			`} ''`
			`mkdir -p $out/bin`

			`# Clean PATH to only contain what we need to do objcopy. Also`
			`# tell lanzatool where to find our UEFI binaries.`
nix: rename lanzatoolBin to lanzatool-unwrapped 2022-11-25 20:16:12 -05:00			`makeWrapper ${lanzatool-unwrapped}/bin/lanzatool $out/bin/lanzatool \`
lanzatool: improve signer code 2022-11-25 07:07:04 -05:00			`--set PATH ${lib.makeBinPath [ pkgs.binutils-unwrapped pkgs.sbsigntool ]} \`
nixos: add a lanzaboote module - Wire up things with Bootspec & External bootloaders - Introduce SecureBoot keys 2022-11-23 05:59:54 -05:00			`--set RUST_BACKTRACE full \`
initrd-stub: drop unused stub This is not useful anymore, because we don't need to wrap the initrd anymore. 2022-11-27 20:59:21 -05:00			`--set LANZABOOTE_STUB ${lanzaboote}/bin/lanzaboote.efi`
lanzatool: add wrapper 2022-11-24 05:45:09 -05:00			`'';`
Remove useless rec 2022-11-21 18:45:18 -05:00			`in {`
nixos: add a lanzaboote module 2022-11-23 05:59:54 -05:00			`overlays.default = final: prev: {`
nix: fix lanzatool integration/merge mixup 2022-11-25 17:42:34 -05:00			`inherit lanzatool;`
nixos: add a lanzaboote module 2022-11-23 05:59:54 -05:00			`};`

			`nixosModules.lanzaboote = import ./nix/lanzaboote.nix;`

Remove useless rec 2022-11-21 18:45:18 -05:00			`packages.x86_64-linux = {`
initrd-stub: drop unused stub This is not useful anymore, because we don't need to wrap the initrd anymore. 2022-11-27 20:59:21 -05:00			`inherit lanzaboote lanzatool;`
nix: remove remaining cruft from flakes.nix 2022-11-25 20:26:39 -05:00			`default = lanzatool;`
Remove useless rec 2022-11-21 18:45:18 -05:00			`};`
Make systemd boot the EFI binary 2022-11-21 09:36:39 -05:00
Remove useless rec 2022-11-21 18:45:18 -05:00			`devShells.x86_64-linux.default = pkgs.mkShell {`
flake.nix: automagically use deps in shell with inputsFrom 2022-11-22 18:26:00 -05:00			`packages = [`
Remove useless rec 2022-11-21 18:45:18 -05:00			`uefi-run`
Merge remote-tracking branch 'origin/lanzatool' 2022-11-21 19:48:53 -05:00			`lanzatool`
flake: add openssl for pki generation 2022-11-21 20:08:35 -05:00			`pkgs.openssl`
nixos: add a lanzaboote module - Wire up things with Bootspec & External bootloaders - Introduce SecureBoot keys 2022-11-23 05:59:54 -05:00			`(pkgs.sbctl.override {`
			`databasePath = "pki";`
			`})`
			`pkgs.sbsigntool`
nixos: actually enable sb 2022-11-24 10:59:16 -05:00			`pkgs.efitools`
nixos: secureboot reached 2022-11-24 21:04:44 -05:00			`pkgs.python39Packages.ovmfvartool`
			`pkgs.qemu`
Remove useless rec 2022-11-21 18:45:18 -05:00			`];`
flake.nix: automagically use deps in shell with inputsFrom 2022-11-22 18:26:00 -05:00
			`inputsFrom = [`
			`lanzaboote`
			`];`
Initial import of Rust files 2022-11-21 05:44:04 -05:00			`};`
nixos: add a lanzaboote module 2022-11-23 05:59:54 -05:00
tests: test unsigned initrd/kernel either, plus some machinery for sb tests 2022-11-25 12:42:37 -05:00			`checks.x86_64-linux = let`
			`mkSecureBootTest = { name, machine ? {}, testScript }: nixpkgs-test.legacyPackages.x86_64-linux.nixosTest {`
			`inherit name testScript;`
			`nodes.machine = { lib, ... }: {`
			`imports = [`
			`self.nixosModules.lanzaboote`
			`machine`
			`];`

nixos: add a lanzaboote module 2022-11-23 05:59:54 -05:00			`nixpkgs.overlays = [ self.overlays.default ];`

nixos: add a lanzaboote module - Wire up things with Bootspec & External bootloaders - Introduce SecureBoot keys 2022-11-23 05:59:54 -05:00			`virtualisation = {`
			`useBootLoader = true;`
			`useEFIBoot = true;`
nixos: secureboot reached 2022-11-24 21:04:44 -05:00			`useSecureBoot = true;`
nixos: add a lanzaboote module - Wire up things with Bootspec & External bootloaders - Introduce SecureBoot keys 2022-11-23 05:59:54 -05:00			`};`

			`boot.loader.efi = {`
			`enable = true;`
			`canTouchEfiVariables = true;`
			`};`
			`boot.lanzaboote = {`
			`enable = true;`
tests: test unsigned initrd/kernel either, plus some machinery for sb tests 2022-11-25 12:42:37 -05:00			`enrollKeys = lib.mkDefault true;`
nixos: actually enable sb 2022-11-24 10:59:16 -05:00			`pkiBundle = ./pki;`
nixos: add a lanzaboote module - Wire up things with Bootspec & External bootloaders - Introduce SecureBoot keys 2022-11-23 05:59:54 -05:00			`};`
nixos: add a lanzaboote module 2022-11-23 05:59:54 -05:00			`};`
tests: test unsigned initrd/kernel either, plus some machinery for sb tests 2022-11-25 12:42:37 -05:00			`};`
			`mkUnsignedTest = { name, path }: mkSecureBootTest {`
			`inherit name;`
nixos: add a lanzaboote module 2022-11-23 05:59:54 -05:00			`testScript = ''`
tests: test unsigned initrd/kernel either, plus some machinery for sb tests 2022-11-25 12:42:37 -05:00			`import json`
			`import os.path`
			`bootspec = None`
flake.nix: remove some redundancies 2022-11-26 16:19:15 -05:00
tests: test unsigned initrd/kernel either, plus some machinery for sb tests 2022-11-25 12:42:37 -05:00			`def convert_to_esp(store_file_path):`
			`store_dir = os.path.basename(os.path.dirname(store_file_path))`
			`filename = os.path.basename(store_file_path)`
			`return f'/boot/EFI/nixos/{store_dir}-{filename}.efi'`

			`machine.start()`
			`bootspec = json.loads(machine.succeed("cat /run/current-system/bootspec/boot.v1.json"))`
			`src_path = ${path.src}`
			`dst_path = ${path.dst}`
			`machine.succeed(f"cp -rf {src_path} {dst_path}")`
			`machine.succeed("sync")`
			`machine.crash()`
nixos: add a lanzaboote module - Wire up things with Bootspec & External bootloaders - Introduce SecureBoot keys 2022-11-23 05:59:54 -05:00			`machine.start()`
tests: test unsigned initrd/kernel either, plus some machinery for sb tests 2022-11-25 12:42:37 -05:00			`machine.wait_for_console_text("panicked")`
nixos: add a lanzaboote module 2022-11-23 05:59:54 -05:00			`'';`
			`};`
tests: test unsigned initrd/kernel either, plus some machinery for sb tests 2022-11-25 12:42:37 -05:00			`in`
nix: fix indentation of checks attribute 2022-11-26 10:42:20 -05:00			`{`
nix: switch everything to crane and drop naersk 2022-11-28 07:48:25 -05:00			`lanzatool-clippy = lanzatoolCrane.clippy;`
			`lanzaboote-clippy = lanzabooteCrane.clippy;`
lanzatool: prepare to enable clippy This still needs work. 2022-11-26 11:05:33 -05:00
nix: fix indentation of checks attribute 2022-11-26 10:42:20 -05:00			`# TODO: user mode: OK`
			`# TODO: how to get in: {deployed, audited} mode ?`
			`lanzaboote-boot = mkSecureBootTest {`
			`name = "signed-files-boot-under-secureboot";`
			`testScript = ''`
lanzaboot: test systemd stage 1 2022-11-29 14:10:55 -05:00			`machine.start()`
			`assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")`
			`'';`
			`};`

			`lanzaboote-boot-under-sd-stage1 = mkSecureBootTest {`
			`name = "signed-files-boot-under-secureboot-systemd-stage-1";`
			`machine = { ... }: {`
			`boot.initrd.systemd.enable = true;`
			`};`
			`testScript = ''`
			`machine.start()`
			`assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")`
			`'';`
nix: fix indentation of checks attribute 2022-11-26 10:42:20 -05:00			`};`
lanzaboot: test systemd stage 1 2022-11-29 14:10:55 -05:00
nix: fix indentation of checks attribute 2022-11-26 10:42:20 -05:00			`# So, this is the responsibility of the lanzatool install`
			`# to run the append-initrd-secret script`
			`# This test assert that lanzatool still do the right thing`
			`# preDeviceCommands should not have any root filesystem mounted`
			`# so it should not be able to find /etc/iamasecret, other than the`
			`# initrd's one.`
			`# which should exist IF lanzatool do the right thing.`
			`lanzaboote-with-initrd-secrets = mkSecureBootTest {`
			`name = "signed-files-boot-with-secrets-under-secureboot";`
			`machine = { ... }: {`
			`boot.initrd.secrets = {`
			`"/etc/iamasecret" = (pkgs.writeText "iamsecret" "this is a very secure secret");`
			`};`

			`boot.initrd.preDeviceCommands = ''`
flake.nix: remove some redundancies 2022-11-26 16:19:15 -05:00			`grep "this is a very secure secret" /etc/iamasecret`
			`'';`
nix: fix indentation of checks attribute 2022-11-26 10:42:20 -05:00			`};`
			`testScript = ''`
feature: support initrd secrets 2022-11-25 19:50:51 -05:00			`machine.start()`
			`assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")`
			`'';`
tests: test unsigned initrd/kernel either, plus some machinery for sb tests 2022-11-25 12:42:37 -05:00			`};`
nix: fix indentation of checks attribute 2022-11-26 10:42:20 -05:00			`is-initrd-secured = mkUnsignedTest {`
			`name = "unsigned-initrd-do-not-boot-under-secureboot";`
			`path = {`
flake.nix: remove some redundancies 2022-11-26 16:19:15 -05:00			`src = "bootspec.get('initrd')";`
			`dst = "convert_to_esp(bootspec.get('initrd'))";`
nix: fix indentation of checks attribute 2022-11-26 10:42:20 -05:00			`};`
			`};`
			`is-kernel-secured = mkUnsignedTest {`
			`name = "unsigned-kernel-do-not-boot-under-secureboot";`
			`path = {`
flake.nix: remove some redundancies 2022-11-26 16:19:15 -05:00			`src = "bootspec.get('kernel')";`
			`dst = "convert_to_esp(bootspec.get('kernel'))";`
nix: fix indentation of checks attribute 2022-11-26 10:42:20 -05:00			`};`
tests: test unsigned initrd/kernel either, plus some machinery for sb tests 2022-11-25 12:42:37 -05:00			`};`
lanzatool: enable specialisation 2022-11-27 05:19:02 -05:00			`specialisation-works = mkSecureBootTest {`
			`name = "specialisation-still-boot-under-secureboot";`
			`machine = { pkgs, ... }: {`
			`specialisation.variant.configuration = {`
			`environment.systemPackages = [`
			`pkgs.efibootmgr`
			`];`
			`};`
			`};`
			`testScript = ''`
			`machine.start()`
			`print(machine.succeed("ls -lah /boot/EFI/Linux"))`
			`print(machine.succeed("cat /run/current-system/bootspec/boot.v1.json"))`
			`# TODO: make it more reliable to find this filename, i.e. read it from somewhere?`
			`machine.succeed("bootctl set-default nixos-generation-1-specialisation-variant.efi")`
			`machine.succeed("sync")`
			`machine.fail("efibootmgr")`
			`machine.crash()`
			`machine.start()`
			`print(machine.succeed("bootctl"))`
			`# We have efibootmgr in this specialisation.`
			`machine.succeed("efibootmgr")`
			`'';`
			`};`
			`};`
Remove useless rec 2022-11-21 18:45:18 -05:00			`};`
Initial import of Rust files 2022-11-21 05:44:04 -05:00			`}`