Merge pull request #62 from nix-community/rename-subprojects

Rename subprojects
This commit is contained in:
Julian Stecklina 2023-01-19 23:37:53 +01:00 committed by GitHub
commit 65896e03fa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
29 changed files with 53 additions and 44 deletions


@ -53,21 +53,24 @@ Boot effective:
These steps will not be covered here. These steps will not be covered here.
### Lanzatool ### `lzbt`, the Lanzaboote tool
At the moment, boot loaders, kernels and initrds on NixOS are signed At the moment, boot loaders, kernels and initrds on NixOS are signed
on the current system. These then need to be prepared as [Unified on the current system. These then need to be prepared as [Unified
Kernel Images Kernel Images
(UKI)](https://uapi-group.org/specifications/specs/boot_loader_specification/#type-2-efi-unified-kernel-images) and placed on the [EFI System Partition (ESP)](https://en.wikipedia.org/wiki/EFI_system_partition). (UKI)](https://uapi-group.org/specifications/specs/boot_loader_specification/#type-2-efi-unified-kernel-images) and placed on the [EFI System Partition (ESP)](https://en.wikipedia.org/wiki/EFI_system_partition).
`lanzatool` is a Linux command line application that takes care of `lzbt` is a Linux command line application that takes care of
this flow. It takes a [NixOS this flow. It takes a [NixOS
bootspec](https://github.com/NixOS/rfcs/pull/125) document, signs the bootspec](https://github.com/NixOS/rfcs/pull/125) document, signs the
relevant files, creates a UKI using lanzaboote (see below) and relevant files, creates a UKI using the stub (see below) and
installs the UKI along with other required files to the installs the UKI along with other required files to the
ESP. `lanzatool` is also aware of multiple NixOS generations and will ESP. `lzbt` is also aware of multiple NixOS generations and will
sign all configurations that should be bootable. sign all configurations that should be bootable.
### Lanzaboote
`lzbt` lives in `rust/tool`.
### Stub
When the Linux kernel and initrd are packed into a UKI, they need an When the Linux kernel and initrd are packed into a UKI, they need an
UEFI application stub. This role is typically filled by UEFI application stub. This role is typically filled by
@ -78,13 +81,13 @@ initrd to be packed into the UKI, which makes it pretty large. As we
need one UKI per NixOS configuration, systems with many configurations need one UKI per NixOS configuration, systems with many configurations
quickly run out of the limited disk space in the ESP. quickly run out of the limited disk space in the ESP.
`lanzaboote` is a UEFI stub that solves the same problem as The Lanzaboote stub is a UEFI stub that solves the same problem as
`systemd-stub`, but allows kernel and initrd to be stored separately `systemd-stub`, but allows kernel and initrd to be stored separately
on the ESP. The chain of trust is maintained by validating the on the ESP. The chain of trust is maintained by validating the
signature on the Linux kernel and embedding a cryptographic hash of signature on the Linux kernel and embedding a cryptographic hash of
the initrd into the signed UKI. the initrd into the signed UKI.
`lanzaboote` lives in `rust/lanzaboote`. The stub lives in `rust/stub`.
## State of Upstreaming to Nixpkgs ## State of Upstreaming to Nixpkgs


@ -82,7 +82,7 @@ secret key so that only root can read it.
### Switching to bootspec ### Switching to bootspec
Lanzatool currently doesn't handle `lzbt` currently doesn't handle
non-[bootspec](https://github.com/grahamc/rfcs/blob/bootspec/rfcs/0125-bootspec.md) non-[bootspec](https://github.com/grahamc/rfcs/blob/bootspec/rfcs/0125-bootspec.md)
generations well generations well
([#55](https://github.com/nix-community/lanzaboote/issues/55)). As ([#55](https://github.com/nix-community/lanzaboote/issues/55)). As


@ -53,7 +53,7 @@
./nix/modules/lanzaboote.nix ./nix/modules/lanzaboote.nix
]; ];
boot.lanzaboote.package = perSystem.config.packages.lanzatool; boot.lanzaboote.package = perSystem.config.packages.tool;
} }
); );
@ -77,7 +77,7 @@
inherit (pkgs) lib; inherit (pkgs) lib;
rust-nightly = pkgs.rust-bin.fromRustupToolchainFile ./rust/lanzaboote/rust-toolchain.toml; rust-nightly = pkgs.rust-bin.fromRustupToolchainFile ./rust/stub/rust-toolchain.toml;
craneLib = crane.lib.x86_64-linux.overrideToolchain rust-nightly; craneLib = crane.lib.x86_64-linux.overrideToolchain rust-nightly;
# Build attributes for a Rust application. # Build attributes for a Rust application.
@ -107,16 +107,16 @@
}); });
}; };
lanzabooteCrane = buildRustApp { stubCrane = buildRustApp {
src = craneLib.cleanCargoSource ./rust/lanzaboote; src = craneLib.cleanCargoSource ./rust/stub;
target = "x86_64-unknown-uefi"; target = "x86_64-unknown-uefi";
doCheck = false; doCheck = false;
}; };
lanzaboote = lanzabooteCrane.package; stub = stubCrane.package;
lanzatoolCrane = buildRustApp { toolCrane = buildRustApp {
src = ./rust/lanzatool; src = ./rust/tool;
extraArgs = { extraArgs = {
TEST_SYSTEMD = pkgs.systemd; TEST_SYSTEMD = pkgs.systemd;
checkInputs = with pkgs; [ checkInputs = with pkgs; [
@ -126,34 +126,36 @@
}; };
}; };
lanzatool-unwrapped = lanzatoolCrane.package; tool = toolCrane.package;
wrappedTool = pkgs.runCommand "lzbt"
{
nativeBuildInputs = [ pkgs.makeWrapper ];
} ''
mkdir -p $out/bin
# Clean PATH to only contain what we need to do objcopy. Also
# tell lanzatool where to find our UEFI binaries.
makeWrapper ${tool}/bin/lzbt $out/bin/lzbt \
--set PATH ${lib.makeBinPath [ pkgs.binutils-unwrapped pkgs.sbsigntool ]} \
--set RUST_BACKTRACE full \
--set LANZABOOTE_STUB ${stub}/bin/lanzaboote_stub.efi
'';
in in
{ {
packages = { packages = {
inherit lanzaboote; inherit stub;
tool = wrappedTool;
lanzatool = pkgs.runCommand "lanzatool" lzbt = wrappedTool;
{
nativeBuildInputs = [ pkgs.makeWrapper ];
} ''
mkdir -p $out/bin
# Clean PATH to only contain what we need to do objcopy. Also
# tell lanzatool where to find our UEFI binaries.
makeWrapper ${lanzatool-unwrapped}/bin/lanzatool $out/bin/lanzatool \
--set PATH ${lib.makeBinPath [ pkgs.binutils-unwrapped pkgs.sbsigntool ]} \
--set RUST_BACKTRACE full \
--set LANZABOOTE_STUB ${lanzaboote}/bin/lanzaboote.efi
'';
}; };
overlayAttrs = { overlayAttrs = {
inherit (config.packages) lanzatool; inherit (config.packages) tool;
}; };
checks = { checks = {
lanzatool-clippy = lanzatoolCrane.clippy; toolClippy = toolCrane.clippy;
lanzaboote-clippy = lanzabooteCrane.clippy; stubClippy = stubCrane.clippy;
} // (import ./nix/tests/lanzaboote.nix { } // (import ./nix/tests/lanzaboote.nix {
inherit pkgs testPkgs; inherit pkgs testPkgs;
lanzabooteModule = self.nixosModules.lanzaboote; lanzabooteModule = self.nixosModules.lanzaboote;
@ -193,8 +195,8 @@
]; ];
inputsFrom = [ inputsFrom = [
config.packages.lanzaboote config.packages.stub
config.packages.lanzatool config.packages.tool
]; ];
TEST_SYSTEMD = pkgs.systemd; TEST_SYSTEMD = pkgs.systemd;
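Review bot: The new overlay line `inherit (config.packages) tool;` exports only `tool`, while the module default in `./nix/modules/lanzaboote.nix` is changed in this commit to `package = pkgs.lzbt;`, so consumers who obtain the package via `overlayAttrs` would not find `pkgs.lzbt`. Since `packages` now exposes both `tool = wrappedTool;` and `lzbt = wrappedTool;`, either the overlay should export both, `inherit (config.packages) tool lzbt;`, or the module default should point at `pkgs.tool`; the flake's own wiring sets `boot.lanzaboote.package = perSystem.config.packages.tool;` explicitly, so this presumably only surfaces for external users of the overlay. Separately, the comment inside `wrappedTool` still reads `# tell lanzatool where to find our UEFI binaries.` and should be updated to `# tell lzbt where to find our UEFI binaries.` to match the rename.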


@ -39,8 +39,8 @@ in
}; };
package = mkOption { package = mkOption {
type = types.package; type = types.package;
default = pkgs.lanzatool; default = pkgs.lzbt;
description = "Lanzatool package"; description = "Lanzaboote tool (lzbt) package";
}; };
}; };
@ -58,7 +58,7 @@ in
${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine ${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine
''} ''}
${cfg.package}/bin/lanzatool install \ ${cfg.package}/bin/lzbt install \
--public-key ${cfg.publicKeyFile} \ --public-key ${cfg.publicKeyFile} \
--private-key ${cfg.privateKeyFile} \ --private-key ${cfg.privateKeyFile} \
--configuration-limit ${toString configurationLimit} \ --configuration-limit ${toString configurationLimit} \


@ -86,7 +86,7 @@ dependencies = [
] ]
[[package]] [[package]]
name = "lanzaboote" name = "lanzaboote_stub"
version = "0.1.0" version = "0.1.0"
dependencies = [ dependencies = [
"ed25519-compact", "ed25519-compact",


@ -1,5 +1,5 @@
[package] [package]
name = "lanzaboote" name = "lanzaboote_stub"
version = "0.1.0" version = "0.1.0"
edition = "2021" edition = "2021"
publish = false publish = false


@ -274,7 +274,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4217ad341ebadf8d8e724e264f13e593e0648f5b3e94b3896a5df283be015ecc" checksum = "4217ad341ebadf8d8e724e264f13e593e0648f5b3e94b3896a5df283be015ecc"
[[package]] [[package]]
name = "lanzatool" name = "lanzaboote_tool"
version = "0.1.0" version = "0.1.0"
dependencies = [ dependencies = [
"anyhow", "anyhow",


@ -1,8 +1,12 @@
[package] [package]
name = "lanzatool" name = "lanzaboote_tool"
version = "0.1.0" version = "0.1.0"
edition = "2021" edition = "2021"
[[bin]]
name = "lzbt"
path = "src/main.rs"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies] [dependencies]


@ -110,7 +110,7 @@ pub fn lanzaboote_install(
let test_systemd = systemd_location_from_env()?; let test_systemd = systemd_location_from_env()?;
let test_systemd_stub = format!("{test_systemd}/lib/systemd/boot/efi/linuxx64.efi.stub"); let test_systemd_stub = format!("{test_systemd}/lib/systemd/boot/efi/linuxx64.efi.stub");
let mut cmd = Command::cargo_bin("lanzatool")?; let mut cmd = Command::cargo_bin("lzbt")?;
let output = cmd let output = cmd
.env("LANZABOOTE_STUB", test_systemd_stub) .env("LANZABOOTE_STUB", test_systemd_stub)
.arg("install") .arg("install")