min
/
lanzaboote
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: enable synthesis support 

Bootspec has a mechanism called synthesis where you can synthesize
bootspecs if they are not present based on the generation link only.

This is useful for "vanilla bootspec" which does not contain any
extensions, as this is what we do right now.

If we need extensions, we can also implement our synthesis mechanism on
the top of it.

Enabling synthesis gives us the superpower to support non-bootspec
users. :-)
This commit is contained in:
Raito Bezarius 2023-04-24 23:57:47 +02:00
parent 484b2c2fe4
commit 4ef6957f88
2 changed files with 21 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
nix/tests/lanzaboote.nix
View File

@ -239,6 +239,18 @@ in
''; '';
}; };
# We test if we can install Lanzaboote without Bootspec support.
synthesis = mkSecureBootTest {
name = "lanzaboote-synthesis";
machine = { lib, ... }: {
boot.bootspec.enable = lib.mkForce false;
};
testScript = ''
machine.start()
assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
'';
};
systemd-boot-loader-config = mkSecureBootTest { systemd-boot-loader-config = mkSecureBootTest {
name = "lanzaboote-systemd-boot-loader-config"; name = "lanzaboote-systemd-boot-loader-config";
machine = { machine = {

13
rust/tool/src/generation.rs
View File

@ -42,10 +42,15 @@ pub struct Generation {
impl Generation { impl Generation {
pub fn from_link(link: &GenerationLink) -> Result<Self> { pub fn from_link(link: &GenerationLink) -> Result<Self> {
let bootspec_path = link.path.join("boot.json"); let bootspec_path = link.path.join("boot.json");
let boot_json: BootJson = serde_json::from_slice( let boot_json: BootJson = fs::read(bootspec_path)
&fs::read(bootspec_path).context("Failed to read bootspec file")?, .context("Failed to read bootspec file")
) .and_then(|raw| serde_json::from_slice(&raw).context("Failed to read bootspec JSON"))
.context("Failed to parse bootspec json")?; // TODO: this should be much easier, add a From<GenerationVX> for BootspecGeneration
// this should enable us to do `into()` on the Result
// anyhow compatibility of bootspec would be nice too.
.or_else(|_err| BootJson::synthesize_latest(&link.path)
.map_err(|err| anyhow!(err))
.context("Failed to read a bootspec (missing bootspec?) and failed to synthesize a valid replacement bootspec."))?;
// TODO: replace me when https://github.com/DeterminateSystems/bootspec/pull/109 lands. // TODO: replace me when https://github.com/DeterminateSystems/bootspec/pull/109 lands.
let bootspec: BootSpec = match boot_json.generation { let bootspec: BootSpec = match boot_json.generation {