From 2fce3c080214896c0faf1c69214392d82071a4f4 Mon Sep 17 00:00:00 2001 
From: nikstur Date: Fri, 13 Jan 2023 20:50:50 +0100 Subject: [PATCH 1/3] treewde: simplify subproject directory names This commit only moves the directories instead of chaning any names inside files. --- flake.nix | 6 +++--- rust/{lanzaboote => stub}/.cargo/config | 0 rust/{lanzaboote => stub}/Cargo.lock | 0 rust/{lanzaboote => stub}/Cargo.toml | 0 rust/{lanzaboote => stub}/rust-toolchain.toml | 0 rust/{lanzaboote => stub}/src/linux_loader.rs | 0 rust/{lanzaboote => stub}/src/main.rs | 0 rust/{lanzaboote => stub}/src/pe_section.rs | 0 rust/{lanzaboote => stub}/src/uefi_helpers.rs | 0 rust/{lanzatool => tool}/Cargo.lock | 0 rust/{lanzatool => tool}/Cargo.toml | 0 rust/{lanzatool => tool}/bootspec.json | 0 rust/{lanzatool => tool}/src/cli.rs | 0 rust/{lanzatool => tool}/src/esp.rs | 0 rust/{lanzatool => tool}/src/gc.rs | 0 rust/{lanzatool => tool}/src/generation.rs | 0 rust/{lanzatool => tool}/src/install.rs | 0 rust/{lanzatool => tool}/src/main.rs | 0 rust/{lanzatool => tool}/src/os_release.rs | 0 rust/{lanzatool => tool}/src/pe.rs | 0 rust/{lanzatool => tool}/src/signature.rs | 0 rust/{lanzatool => tool}/tests/common/mod.rs | 0 rust/{lanzatool => tool}/tests/fixtures/uefi-keys/db.key | 0 rust/{lanzatool => tool}/tests/fixtures/uefi-keys/db.pem | 0 rust/{lanzatool => tool}/tests/gc.rs | 0 rust/{lanzatool => tool}/tests/os_release.rs | 0 26 files changed, 3 insertions(+), 3 deletions(-) rename rust/{lanzaboote => stub}/.cargo/config (100%) rename rust/{lanzaboote => stub}/Cargo.lock (100%) rename rust/{lanzaboote => stub}/Cargo.toml (100%) rename rust/{lanzaboote => stub}/rust-toolchain.toml (100%) rename rust/{lanzaboote => stub}/src/linux_loader.rs (100%) rename rust/{lanzaboote => stub}/src/main.rs (100%) rename rust/{lanzaboote => stub}/src/pe_section.rs (100%) rename rust/{lanzaboote => stub}/src/uefi_helpers.rs (100%) rename rust/{lanzatool => tool}/Cargo.lock (100%) rename rust/{lanzatool => tool}/Cargo.toml (100%) rename rust/{lanzatool => tool}/bootspec.json 
(100%) rename rust/{lanzatool => tool}/src/cli.rs (100%) rename rust/{lanzatool => tool}/src/esp.rs (100%) rename rust/{lanzatool => tool}/src/gc.rs (100%) rename rust/{lanzatool => tool}/src/generation.rs (100%) rename rust/{lanzatool => tool}/src/install.rs (100%) rename rust/{lanzatool => tool}/src/main.rs (100%) rename rust/{lanzatool => tool}/src/os_release.rs (100%) rename rust/{lanzatool => tool}/src/pe.rs (100%) rename rust/{lanzatool => tool}/src/signature.rs (100%) rename rust/{lanzatool => tool}/tests/common/mod.rs (100%) rename rust/{lanzatool => tool}/tests/fixtures/uefi-keys/db.key (100%) rename rust/{lanzatool => tool}/tests/fixtures/uefi-keys/db.pem (100%) rename rust/{lanzatool => tool}/tests/gc.rs (100%) rename rust/{lanzatool => tool}/tests/os_release.rs (100%) diff --git a/flake.nix b/flake.nix index 7ad55c1..30024a4 100644 --- a/flake.nix +++ b/flake.nix @@ -77,7 +77,7 @@ inherit (pkgs) lib; - rust-nightly = pkgs.rust-bin.fromRustupToolchainFile ./rust/lanzaboote/rust-toolchain.toml; + rust-nightly = pkgs.rust-bin.fromRustupToolchainFile ./rust/stub/rust-toolchain.toml; craneLib = crane.lib.x86_64-linux.overrideToolchain rust-nightly; # Build attributes for a Rust application. @@ -108,7 +108,7 @@ }; lanzabooteCrane = buildRustApp { - src = craneLib.cleanCargoSource ./rust/lanzaboote; + src = craneLib.cleanCargoSource ./rust/stub; target = "x86_64-unknown-uefi"; doCheck = false; }; @@ -116,7 +116,7 @@ lanzaboote = lanzabooteCrane.package; lanzatoolCrane = buildRustApp { - src = ./rust/lanzatool; + src = ./rust/tool; extraArgs = { TEST_SYSTEMD = pkgs.systemd; checkInputs = with pkgs; [ diff --git a/rust/lanzaboote/.cargo/config b/rust/stub/.cargo/config similarity index 100% rename from rust/lanzaboote/.cargo/config rename to rust/stub/.cargo/config diff --git a/rust/lanzaboote/Cargo.lock b/rust/stub/Cargo.lock similarity index 100% rename from rust/lanzaboote/Cargo.lock rename to rust/stub/Cargo.lock 
diff --git a/rust/lanzaboote/Cargo.toml b/rust/stub/Cargo.toml similarity index 100% rename from rust/lanzaboote/Cargo.toml rename to rust/stub/Cargo.toml diff --git a/rust/lanzaboote/rust-toolchain.toml b/rust/stub/rust-toolchain.toml similarity index 100% rename from rust/lanzaboote/rust-toolchain.toml rename to rust/stub/rust-toolchain.toml diff --git a/rust/lanzaboote/src/linux_loader.rs b/rust/stub/src/linux_loader.rs similarity index 100% rename from rust/lanzaboote/src/linux_loader.rs rename to rust/stub/src/linux_loader.rs diff --git a/rust/lanzaboote/src/main.rs b/rust/stub/src/main.rs similarity index 100% rename from rust/lanzaboote/src/main.rs rename to rust/stub/src/main.rs diff --git a/rust/lanzaboote/src/pe_section.rs b/rust/stub/src/pe_section.rs similarity index 100% rename from rust/lanzaboote/src/pe_section.rs rename to rust/stub/src/pe_section.rs diff --git a/rust/lanzaboote/src/uefi_helpers.rs b/rust/stub/src/uefi_helpers.rs similarity index 100% rename from rust/lanzaboote/src/uefi_helpers.rs rename to rust/stub/src/uefi_helpers.rs diff --git a/rust/lanzatool/Cargo.lock b/rust/tool/Cargo.lock similarity index 100% rename from rust/lanzatool/Cargo.lock rename to rust/tool/Cargo.lock diff --git a/rust/lanzatool/Cargo.toml b/rust/tool/Cargo.toml similarity index 100% rename from rust/lanzatool/Cargo.toml rename to rust/tool/Cargo.toml diff --git a/rust/lanzatool/bootspec.json b/rust/tool/bootspec.json similarity index 100% rename from rust/lanzatool/bootspec.json rename to rust/tool/bootspec.json diff --git a/rust/lanzatool/src/cli.rs b/rust/tool/src/cli.rs similarity index 100% rename from rust/lanzatool/src/cli.rs rename to rust/tool/src/cli.rs diff --git a/rust/lanzatool/src/esp.rs b/rust/tool/src/esp.rs similarity index 100% rename from rust/lanzatool/src/esp.rs rename to rust/tool/src/esp.rs diff --git a/rust/lanzatool/src/gc.rs b/rust/tool/src/gc.rs similarity index 100% rename from rust/lanzatool/src/gc.rs rename to rust/tool/src/gc.rs 
diff --git a/rust/lanzatool/src/generation.rs b/rust/tool/src/generation.rs similarity index 100% rename from rust/lanzatool/src/generation.rs rename to rust/tool/src/generation.rs diff --git a/rust/lanzatool/src/install.rs b/rust/tool/src/install.rs similarity index 100% rename from rust/lanzatool/src/install.rs rename to rust/tool/src/install.rs diff --git a/rust/lanzatool/src/main.rs b/rust/tool/src/main.rs similarity index 100% rename from rust/lanzatool/src/main.rs rename to rust/tool/src/main.rs diff --git a/rust/lanzatool/src/os_release.rs b/rust/tool/src/os_release.rs similarity index 100% rename from rust/lanzatool/src/os_release.rs rename to rust/tool/src/os_release.rs diff --git a/rust/lanzatool/src/pe.rs b/rust/tool/src/pe.rs similarity index 100% rename from rust/lanzatool/src/pe.rs rename to rust/tool/src/pe.rs diff --git a/rust/lanzatool/src/signature.rs b/rust/tool/src/signature.rs similarity index 100% rename from rust/lanzatool/src/signature.rs rename to rust/tool/src/signature.rs diff --git a/rust/lanzatool/tests/common/mod.rs b/rust/tool/tests/common/mod.rs similarity index 100% rename from rust/lanzatool/tests/common/mod.rs rename to rust/tool/tests/common/mod.rs diff --git a/rust/lanzatool/tests/fixtures/uefi-keys/db.key b/rust/tool/tests/fixtures/uefi-keys/db.key similarity index 100% rename from rust/lanzatool/tests/fixtures/uefi-keys/db.key rename to rust/tool/tests/fixtures/uefi-keys/db.key diff --git a/rust/lanzatool/tests/fixtures/uefi-keys/db.pem b/rust/tool/tests/fixtures/uefi-keys/db.pem similarity index 100% rename from rust/lanzatool/tests/fixtures/uefi-keys/db.pem rename to rust/tool/tests/fixtures/uefi-keys/db.pem diff --git a/rust/lanzatool/tests/gc.rs b/rust/tool/tests/gc.rs similarity index 100% rename from rust/lanzatool/tests/gc.rs rename to rust/tool/tests/gc.rs 
diff --git a/rust/lanzatool/tests/os_release.rs b/rust/tool/tests/os_release.rs similarity index 100% rename from rust/lanzatool/tests/os_release.rs rename to rust/tool/tests/os_release.rs From 5bb33f33895b4b1079c762eff8874778cb8d3892 Mon Sep 17 00:00:00 2001 From: nikstur Date: Fri, 13 Jan 2023 22:10:40 +0100 Subject: [PATCH 2/3] treewide: simplify subproject names Lanzatool is renamed to 'tool' and lanzaboote is renamed to 'stub'. The name of the lanzatool binary is now 'lzbt' standing for LanZaBooteTool. --- flake.nix | 52 ++++++++++++++++++----------------- nix/modules/lanzaboote.nix | 6 ++-- rust/stub/Cargo.lock | 2 +- rust/stub/Cargo.toml | 2 +- rust/tool/Cargo.lock | 2 +- rust/tool/Cargo.toml | 6 +++- rust/tool/tests/common/mod.rs | 2 +- 7 files changed, 39 insertions(+), 33 deletions(-) diff --git a/flake.nix b/flake.nix index 30024a4..9f74d54 100644 --- a/flake.nix +++ b/flake.nix @@ -53,7 +53,7 @@ ./nix/modules/lanzaboote.nix ]; - boot.lanzaboote.package = perSystem.config.packages.lanzatool; + boot.lanzaboote.package = perSystem.config.packages.tool; } ); @@ -107,15 +107,15 @@ }); }; - lanzabooteCrane = buildRustApp { + stubCrane = buildRustApp { src = craneLib.cleanCargoSource ./rust/stub; target = "x86_64-unknown-uefi"; doCheck = false; }; - lanzaboote = lanzabooteCrane.package; + stub = stubCrane.package; - lanzatoolCrane = buildRustApp { + toolCrane = buildRustApp { src = ./rust/tool; extraArgs = { TEST_SYSTEMD = pkgs.systemd; 
@@ -126,34 +126,36 @@ }; }; - lanzatool-unwrapped = lanzatoolCrane.package; + tool = toolCrane.package; + + wrappedTool = pkgs.runCommand "lzbt" + { + nativeBuildInputs = [ pkgs.makeWrapper ]; + } '' + mkdir -p $out/bin + + # Clean PATH to only contain what we need to do objcopy. Also + # tell lanzatool where to find our UEFI binaries. + makeWrapper ${tool}/bin/lzbt $out/bin/lzbt \ + --set PATH ${lib.makeBinPath [ pkgs.binutils-unwrapped pkgs.sbsigntool ]} \ + --set RUST_BACKTRACE full \ + --set LANZABOOTE_STUB ${stub}/bin/lanzaboote_stub.efi + ''; in { packages = { - inherit lanzaboote; - - lanzatool = pkgs.runCommand "lanzatool" - { - nativeBuildInputs = [ pkgs.makeWrapper ]; - } '' - mkdir -p $out/bin - - # Clean PATH to only contain what we need to do objcopy. Also - # tell lanzatool where to find our UEFI binaries. - makeWrapper ${lanzatool-unwrapped}/bin/lanzatool $out/bin/lanzatool \ - --set PATH ${lib.makeBinPath [ pkgs.binutils-unwrapped pkgs.sbsigntool ]} \ - --set RUST_BACKTRACE full \ - --set LANZABOOTE_STUB ${lanzaboote}/bin/lanzaboote.efi - ''; + inherit stub; + tool = wrappedTool; + lzbt = wrappedTool; }; overlayAttrs = { - inherit (config.packages) lanzatool; + inherit (config.packages) tool; }; checks = { - lanzatool-clippy = lanzatoolCrane.clippy; - lanzaboote-clippy = lanzabooteCrane.clippy; + toolClippy = toolCrane.clippy; + stubClippy = stubCrane.clippy; } // (import ./nix/tests/lanzaboote.nix { inherit pkgs testPkgs; lanzabooteModule = self.nixosModules.lanzaboote; @@ -193,8 +195,8 @@ ]; inputsFrom = [ - config.packages.lanzaboote - config.packages.lanzatool + config.packages.stub + config.packages.tool ]; TEST_SYSTEMD = pkgs.systemd; diff --git a/nix/modules/lanzaboote.nix b/nix/modules/lanzaboote.nix index 2f9105c..1ac03f2 100644 --- a/nix/modules/lanzaboote.nix +++ b/nix/modules/lanzaboote.nix 
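Review bot: The overlay exported from this hunk only carries `tool` (`overlayAttrs = { inherit (config.packages) tool; };`), yet the module change in the same series sets the option default to `pkgs.lzbt`, so anyone who consumes the overlay instead of the flake's nixosModule (which sets `boot.lanzaboote.package = perSystem.config.packages.tool;` and so never hits the default) will get an evaluation error for a missing `lzbt` attribute. Exporting the alias alongside fixes it: `inherit (config.packages) tool lzbt;`. Note also that `pkgs.tool` is a very generic name to inject into the nixpkgs namespace via an overlay; `lzbt` alone, or a `lanzaboote`-prefixed attribute, would be less likely to collide. The wrapper's comment still reads `# tell lanzatool where to find our UEFI binaries`; it should say `lzbt` now that the binary was renamed.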
@@ -39,8 +39,8 @@ in }; package = mkOption { type = types.package; - default = pkgs.lanzatool; - description = "Lanzatool package"; + default = pkgs.lzbt; + description = "Lanzaboote tool (lzbt) package"; }; }; @@ -58,7 +58,7 @@ in ${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine ''} - ${cfg.package}/bin/lanzatool install \ + ${cfg.package}/bin/lzbt install \ --public-key ${cfg.publicKeyFile} \ --private-key ${cfg.privateKeyFile} \ --configuration-limit ${toString configurationLimit} \ diff --git a/rust/stub/Cargo.lock b/rust/stub/Cargo.lock index 8d0a54c..015c4e3 100644 --- a/rust/stub/Cargo.lock +++ b/rust/stub/Cargo.lock @@ -86,7 +86,7 @@ dependencies = [ ] [[package]] -name = "lanzaboote" +name = "lanzaboote_stub" version = "0.1.0" dependencies = [ "ed25519-compact", diff --git a/rust/stub/Cargo.toml b/rust/stub/Cargo.toml index e3fb344..c0b96aa 100644 --- a/rust/stub/Cargo.toml +++ b/rust/stub/Cargo.toml @@ -1,5 +1,5 @@ [package] -name = "lanzaboote" +name = "lanzaboote_stub" version = "0.1.0" edition = "2021" publish = false diff --git a/rust/tool/Cargo.lock b/rust/tool/Cargo.lock index 4dd43d1..213b9f7 100644 --- a/rust/tool/Cargo.lock +++ b/rust/tool/Cargo.lock @@ -274,7 +274,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4217ad341ebadf8d8e724e264f13e593e0648f5b3e94b3896a5df283be015ecc" [[package]] -name = "lanzatool" +name = "lanzaboote_tool" version = "0.1.0" dependencies = [ "anyhow", diff --git a/rust/tool/Cargo.toml b/rust/tool/Cargo.toml index a5a189e..864accf 100644 --- a/rust/tool/Cargo.toml +++ b/rust/tool/Cargo.toml @@ -1,8 +1,12 @@ [package] -name = "lanzatool" +name = "lanzaboote_tool" version = "0.1.0" edition = "2021" +[[bin]] +name = "lzbt" +path = "src/main.rs" + # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [dependencies] diff --git a/rust/tool/tests/common/mod.rs b/rust/tool/tests/common/mod.rs index 71a7cde..42ad44a 100644 
--- a/rust/tool/tests/common/mod.rs +++ b/rust/tool/tests/common/mod.rs @@ -110,7 +110,7 @@ pub fn lanzaboote_install( let test_systemd = systemd_location_from_env()?; let test_systemd_stub = format!("{test_systemd}/lib/systemd/boot/efi/linuxx64.efi.stub"); - let mut cmd = Command::cargo_bin("lanzatool")?; + let mut cmd = Command::cargo_bin("lzbt")?; let output = cmd .env("LANZABOOTE_STUB", test_systemd_stub) .arg("install") From f49b312c0a3ca3a5b7c548d831ebba5bf6ee10df Mon Sep 17 00:00:00 2001 From: nikstur Date: Thu, 19 Jan 2023 20:36:23 +0100 Subject: [PATCH 3/3] docs: simplify subproject names --- README.md | 17 ++++++++++------- docs/QUICK_START.md | 2 +- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 0c52a77..43915c2 100644 --- a/README.md +++ b/README.md 
@@ -53,21 +53,24 @@ Boot effective: These steps will not be covered here. -### Lanzatool +### `lzbt`, the Lanzaboote tool At the moment, boot loaders, kernels and initrds on NixOS are signed on the current system. These then need to be prepared as [Unified Kernel Images (UKI)](https://uapi-group.org/specifications/specs/boot_loader_specification/#type-2-efi-unified-kernel-images) and placed on the [EFI System Partition (ESP)](https://en.wikipedia.org/wiki/EFI_system_partition). -`lanzatool` is a Linux command line application that takes care of +`lzbt` is a Linux command line application that takes care of this flow. It takes a [NixOS bootspec](https://github.com/NixOS/rfcs/pull/125) document, signs the -relevant files, creates a UKI using lanzaboote (see below) and +relevant files, creates a UKI using the stub (see below) and installs the UKI along with other required files to the -ESP. `lanzatool` is also aware of multiple NixOS generations and will +ESP. `lzbt` is also aware of multiple NixOS generations and will sign all configurations that should be bootable. -### Lanzaboote + +`lzbt` lives in `rust/tool`. + +### Stub When the Linux kernel and initrd are packed into a UKI, they need an UEFI application stub. This role is typically filled by @@ -78,13 +81,13 @@ initrd to be packed into the UKI, which makes it pretty large. As we need one UKI per NixOS configuration, systems with many configurations quickly run out of the limited disk space in the ESP. -`lanzaboote` is a UEFI stub that solves the same problem as +The Lanzaboote stub is a UEFI stub that solves the same problem as `systemd-stub`, but allows kernel and initrd to be stored separately on the ESP. The chain of trust is maintained by validating the signature on the Linux kernel and embedding a cryptographic hash of the initrd into the signed UKI. -`lanzaboote` lives in `rust/lanzaboote`. +The stub lives in `rust/stub`. ## State of Upstreaming to Nixpkgs 
diff --git a/docs/QUICK_START.md b/docs/QUICK_START.md index 8016c46..6cf9fa2 100644 --- a/docs/QUICK_START.md +++ b/docs/QUICK_START.md @@ -82,7 +82,7 @@ secret key so that only root can read it. ### Switching to bootspec -Lanzatool currently doesn't handle +`lzbt` currently doesn't handle non-[bootspec](https://github.com/grahamc/rfcs/blob/bootspec/rfcs/0125-bootspec.md) generations well ([#55](https://github.com/nix-community/lanzaboote/issues/55)). As