Commit Graph

56 Commits

Author SHA1 Message Date
Julian Stecklina 56386ae1c3 fixtures: add snakeoil dbx pem
sbctl 0.12 wants to have the forbidden signatures or fails to enroll
keys.
2023-10-24 00:23:48 +02:00
Julian Stecklina 65003165c8 tests: downgrade from edk2 202308 to 202305 2023-10-19 21:14:45 +02:00
Alois Wohlschlager db39223a7c
stub: make handling of insecure boot more explicit
When Secure Boot is not available (unsupported or disabled), Lanzaboote
will attempt to boot kernels and initrds even when they fail the hash
verification. Previously, this would happen by falling back to use
LoadImage on the kernel, which fails if Secure Boot is available, as the
kernel is not signed.
The SecureBoot variable offers a more explicit way of checking whether
Secure Boot is available. If the firmware supports Secure Boot, it
initializes this variable to 1 if it is enabled, and to 0 if it is
disabled. Applications are not supposed to modify this variable, and in
particular, since only trusted applications are loaded when Secure Boot
is active, we can assume it is never changed to 0 or deleted if Secure
Boot is active.
Hence, we can be sure of Secure Boot being inactive if this variable is
absent or set to 0, and thus treat all hash verification errors as
non-fatal and proceed to boot arbitrary kernels and initrds (a warning
is still logged in this case). In all other cases, we treat all hash
verification failures as fatal security violations, as it must be done
in the case where Secure Boot is active (it is expected that this does
not lead to any false positives in practice, unless there are bigger
problems anyway).
2023-10-15 15:58:01 +02:00
Maximilian Bosch 16c6776763
Fix build with `documentation.nixos.includeAllModules = true;`
This includes the options of all modules used in the evaluation, not
just the ones from `<nixpkgs/nixos>` in the local manual.

Right now this breaks with

    error: attribute 'loader' missing

    at /nix/store/wf59fvxch3l5s7x0pnpfv7b26q6y010x-source/nix/modules/lanzaboote.nix:26:17:

        25|     configurationLimit = mkOption {
        26|       default = config.boot.loader.systemd-boot.configurationLimit;
          |                 ^
        27|       example = 120;

I'm not sure what's up with `config.boot.loader` (had the exact same
issue with `disko`), but using `defaultText` is the common workaround
for that.
2023-10-13 22:35:58 +02:00
Alois Wohlschlager ca070a9eec
tool: make stubs input-addressed
The stubs on the ESP are now input-addressed, where the inputs are the
system toplevel and the public key used for signature. This way, it is
guaranteed that any stub at a given path will boot the desired system,
even in the presence of one of the two edge-cases where it was not
previously guaranteed:
* The latest generation was deleted at one point, and its generation
  number was reused by a different system configuration. This is
  detected because the toplevel will change.
* The secure boot signing key was rotated, so old stubs would not boot
  at all any more. This is detected because the public key will change.

Avoiding these two cases will allow to skip reinstallation of stubs that
are already in place at the correct path.
2023-10-03 22:08:10 +02:00
Alois Wohlschlager 240914d763
tool: make kernels and initrds content-addressed
Kernels and initrds on the ESP are now content-addressed. By definition,
it is impossible for two different kernels or initrds to ever end up at
the same place, even in the presence of changing initrd secrets or other
unreproducibility.

The basic advantage of this is that installing the kernel or initrd for
a generation can never break another generation. In turn, this enables
the following two improvements:
* All generations can be installed independently. In particular, the
  installation can be performed in one pass, one generation at a time.
  As a result, the code is significantly simplified, and memory usage
  (due to the temporary files) does not grow with the number of
  generations any more.
* Generations that already have their files in place on the ESP do not
  need to be reinstalled. This will be taken advantage of in a
  subsequent commit.
2023-10-03 22:08:03 +02:00
Raito Bezarius a55db483fb nix/modules/uki: fix ukify build
Previously, we were not on recent enough nixpkgs to see the new `withBootloader` flag
which is required to build ukify.

Fixes the test.
2023-09-29 20:07:42 +02:00
nikstur 0b5ce324d7 tool: clean up a few minor details 2023-09-14 16:35:53 +02:00
Raito Bezarius f81c30d7d9 module: use kernel package hostPlatform if nixpkgs.hostPlatform is not available
Sometimes, it is not…
2023-09-14 16:35:53 +02:00
Raito Bezarius e5c1d74e3f tool: introduce --target-system to choose target architecture
We will hard fail in case of encountering different architectures in bootspec.
This should still be compatible with cross-compiling systems in the future.
2023-09-14 16:35:53 +02:00
nikstur 0109e357aa Revert "Merge pull request #147 from nix-community/nixpkgs-infrastructure"
This reverts commit 59e3ebb19f, reversing
changes made to 9f97a908e4.
2023-08-12 02:41:54 +02:00
Raito Bezarius b77ef07cec project: perform clippy/rustfmt checking via a higher order derivation transformer
Instead of patching the derivation in-place via flags, we just have
a higher order function that takes the Rust package derivation and override it
into a Rustfmt / Clippy oriented derivation: it turns off checks and adds its
required dependencies.
2023-06-10 18:08:35 +02:00
Raito Bezarius 5b22893473 project: move to nixpkgs Rust infrastructure
This builds the stub and tool using `rustPlatform.buildRustPackage`
which features a stable Rust compiler, recent enough to support UEFI
targets.

In the future, it will rely on properly defined targets for UEFI in
nixpkgs.
2023-06-10 18:03:58 +02:00
nikstur 7ecafb2947 stub: add fat variant
A compile time feature is introduced that allows to build "fat" stubs
that can be used to build "fat" UKIs. "fat" here means that the actual
kernel and initrd are embedded in the PE binary, not only the file path
and hash. This brings us one step closer to feature partiy with
systemd-stub and thus one step closer to replacing it fully. Such a
"fat" or "real" UKI is also interesting for image-based deployments of
NixOS.
2023-05-24 22:09:28 +02:00
Raito Bezarius f603e0c134 tests: support TPM2 + SecureBoot tests
Test that our measurements exposes a TPM PCR index in the userspace
through efivarfs.
2023-05-18 19:06:32 +02:00
Raito Bezarius 9dd9116b1e stub: export boot loader interface efivars 2023-05-05 20:11:55 +02:00
Raito Bezarius 4ef6957f88 feat: enable synthesis support
Bootspec has a mechanism called synthesis where you can synthesize
bootspecs if they are not present based on the generation link only.

This is useful for "vanilla bootspec" which does not contain any
extensions, as this is what we do right now.

If we need extensions, we can also implement our synthesis mechanism on
the top of it.

Enabling synthesis gives us the superpower to support non-bootspec
users. :-)
2023-04-29 22:55:39 +02:00
Raito Bezarius 9fe979d2d6 tests: adopt bootspec v1 format 2023-04-29 15:21:38 +02:00
nikstur a886416d69 treewide: remove nixpkgs-test 2023-04-24 22:25:57 +02:00
Lily Foster 4066b0a894
nix: clean up fwupd-efi handling a little bit 2023-04-04 06:38:19 -04:00
Ryan Lahfa 7c55847aaf
Merge pull request #134 from kanashimia/hardcoding
nixos-module: add settings key for the loader.conf
2023-03-21 15:49:55 +01:00
Mia Kanashi ea5e2ba437 nixos-module: add settings key for the loader.conf
This commit adds settings key for configuring systemd-boot to the lanzaboot
nixos module. The are couple of the default values that are set from the usual
nixos boot.loader.systemd-boot options, they are merged with the user defined
configuration.

This commit modifies default loader.conf to boot into the latest nixos
generation by default, for when you have other operating systems installed.

Primary reason behind this PR is to allow extensible loader configuration.

Co-authored-by: Raito Bezarius <masterancpp@gmail.com>
2023-03-21 15:48:56 +01:00
Lily Foster 658d753d1c
Properly handle fwupd update capsules
Co-Authored-By: Janne Heß <janne@hess.ooo>
2023-03-20 07:46:24 -04:00
Julian Stecklina 754656d500
Revert "Properly handle fwupd update capsules" 2023-02-25 23:27:39 +01:00
Julian Stecklina 9daa941320
Merge pull request #113 from dasJ/feat/fwupd
Properly handle fwupd update capsules
2023-02-25 23:01:12 +01:00
nikstur ab4e90c331 tests: correctly test appending secret to initrd
The way the test was implemented previously did not make it fail if no
secret was appended to the initrd. Now it is implemented similary to the
initrd-secrets test in Nixpkgs and works correctly.
2023-02-25 21:41:38 +01:00
nikstur f4f8c41005 tests: add initrd-secrets-update
Add a test for updating the secrets on an existing initrd.
2023-02-24 01:16:52 +01:00
Janne Heß 048df99975
Properly handle fwupd update capsules
Closes #85
2023-02-23 11:38:27 +01:00
ercao d1516ffdfd
nixos/lanzaboote: use `config.systemd.package`
Signed-off-by: ercao <vip@ercao.cn>
2023-02-09 22:24:54 +08:00
Julian Stecklina 0963ba83dd tests: check whether disabled secure boot relaxes hash checks 2023-02-02 18:05:09 +01:00
Julian Stecklina f3ede28eac ci: fix regression after Linux loader change
Now that we don't sign the kernel anymore, we need to manually
invalidate its checksum.
2023-02-02 17:57:34 +01:00
nikstur ce3b2c27b5 tool: write systemd-boot loader.conf
To minimize the number of arguments passed to `lzbt`, the loader config
is assembled outside `lzbt` and passed as a single argument.

Instead of reimplementing `consoleMode` under the `lanzaboote`
namespace, `config.loader.systemd-boot.consoleMode` is reused as is.
2023-01-29 16:19:14 +01:00
nikstur fd2e7f7a40 nix.tests: clean up
The test attributes and names are simplified and standardized. They now
roughly follow the same structure as the systemd-boot test in Nixpkgs.
Some comments are added and variable names changed to make it more clear
what they actually do.
2023-01-28 01:40:48 +01:00
nikstur efa2410292 treewide: move uefi-keys into test fixtures
To clean up the repository move the uefi keys (`pki/`) to
`nix/tests/fixtures/uefi-keys`.
2023-01-26 01:18:41 +01:00
nikstur cc169689f3 tool: smarter systemd-boot install
The process of installing systemd-boot is "smarter" because it now
considers a a few conditions instead of doing nothing if there is a file
at the deistination path. systemd-boot is now forcibly installed (i.e.
overwriting any file at the destination) if (1) there is no file at the
destination, OR (2) a newer version of systemd-boot is available, OR (3)
the signature of the file at the destination could not be verified.
2023-01-25 22:21:14 +01:00
Julian Stecklina dd499f6642 treewide: fix typos 2023-01-21 10:27:34 +01:00
nikstur 5bb33f3389 treewide: simplify subproject names
Lanzatool is renamed to 'tool' and lanzaboote is renamed to 'stub'.
The name of the lanzatool binary is now 'lzbt' standing for
LanZaBooteTool.
2023-01-17 21:31:14 +01:00
nikstur 4f44cb70a2 lanzatool: generate custom os-release 2023-01-06 21:27:51 +01:00
nikstur eca0ea67fe lanzabooteModule: implement configuration limit 2023-01-02 00:05:21 +01:00
nikstur 7d5ac15cbb nix.tests: move from flake 2022-12-25 18:49:28 +01:00
nikstur 912c9b27a6 nix: move package and module into subdir 2022-12-25 18:38:41 +01:00
nikstur eb9b1bbbe3 treewide: format with nixpkgs-fmt 2022-12-25 18:38:39 +01:00
Raito Bezarius e3f6029643 nixos/lanzaboote: use upstream bootspec for extension generation 2022-12-25 18:05:07 +01:00
Julian Stecklina 30be791826
Merge pull request #24 from nix-community/remove-auto-entroll
Remove auto entroll leftovers
2022-12-11 14:48:27 +00:00
nikstur 36c0a13c4c lanzaboote module: remove --pki-bundle option 2022-12-10 18:11:23 +01:00
Jörg Thalheim c9f9f1c52a nixos/lanzaboote: pkiBundle is not actual optional
the installHook needs it.
2022-12-08 21:26:17 +01:00
Julian Stecklina 28bb93c5f3 nix: switch everything to crane and drop naersk 2022-11-28 14:01:35 +01:00
nikstur 0a96623461 lanzatool: bootspec from generation
The bootspec is now read from each generation so that more than one
entry can be generated when calling install
2022-11-26 22:27:44 +01:00
Ryan Lahfa 95f596f4dc lanzatool: add support for generations and correct naming of kernels a… (#12)
* lanzatool: add support for generations and correct naming of kerels and initrds

* test: use convert_to_esp(extract_bspec_attr(⋅)) for unsigned tests

* lanzatool: ryan is a B class engineer

Co-authored-by: nikstur@outlook.com
2022-11-26 03:14:21 +01:00
Raito Bezarius 9f65f75289 feature: support initrd secrets 2022-11-26 02:01:41 +01:00