Commit Graph

279 Commits

Author SHA1 Message Date
nikstur 06b9cdc69e tool: move file_hash() to utils module 2023-02-24 00:04:00 +01:00
nikstur 3a3ad7c40d tool: write all generation artifacts at once
Previously, generations were installed one after another. Now all
artifacts (kernels, initrd etc.) are first collected and then installed.
This way the writes to the ESP are reduced as duplicate paths are
already removed in the collection phase.
2023-02-24 00:04:00 +01:00
nikstur 5af69f0d63
Merge pull request #111 from nix-community/uefi-update
Update Dependencies of Stub
2023-02-21 01:23:58 +01:00
Julian Stecklina 3a9cd26c5e stub: update uefi dependency to 0.19.1 2023-02-21 00:50:34 +01:00
Julian Stecklina 697d0d1baa stub: drop unused ed25519-compact dependency 2023-02-21 00:35:00 +01:00
Julian Stecklina 6924e6ea09
Merge pull request #107 from nix-community/random-names-for-tmpfiles
tool: use random names for secure tempfiles
2023-02-21 00:27:50 +01:00
Julian Stecklina 750629c860
Merge pull request #105 from nix-community/quickstart
Add a More Complete Flakes Fragment for Quickstart
2023-02-21 00:24:06 +01:00
Julian Stecklina 6e72e2fed2 doc: add a more complete flakes fragment for quickstart 2023-02-21 00:22:34 +01:00
nikstur df6b1b07f7 tool: use random names for secure tempfiles
Using random names for tempfiles makes handling them easier. It reduces
the amount of noise in the code because no custom name needs to be
provided for each tempfile. The names were not really useful in any
case.

It also does not burden the developer with ensuring uniqueness of names.
This is relevant when files for multiple generations need to be stored
in the same directory (e.g. because they need to be accessed after
handling one generation).

Out of an abundance of caution, 32 random alphanumeric characters are
chosen for each filename. The tempfile crate, in comparison, only
chooses 8. 32 characters should be enough to avoid collisions, even
if the PRNG is not of cryptographic quality.
2023-02-21 00:13:40 +01:00
Julian Stecklina ceed92460f
Merge pull request #108 from nix-community/make-test-functions-reusable
tool: make some utility test functions reusable
2023-02-20 23:23:21 +01:00
nikstur 4d2e67f799 tool: make some utility test functions reusable
Make them reusable by moving them to the common module.
2023-02-20 01:05:01 +01:00
nikstur a75e2b4c95
Merge pull request #101 from nix-community/improve-generation-name
tool: improve sd-boot generation display name
2023-02-10 17:45:05 +01:00
nikstur a8d9ea128d tool: improve sd-boot generation display name
Leverage the bootspec `label` field in its intended way. The VERSION_ID
of the os-release in the stub now only contains the generation number
and the build time. This makes a correct PRETTY_NAME entirely dependent
on correct information in the bootspec `label` field.
2023-02-10 12:25:59 +01:00
Julian Stecklina 01f8fd418a
Merge pull request #100 from nix-community/fix-build-time
tool: read build time from symlink
2023-02-09 22:42:44 +01:00
Julian Stecklina 522687b044
Merge pull request #102 from ercao/hotfix
nixos/lanzaboote: use `config.systemd.package`
2023-02-09 22:37:11 +01:00
ercao d1516ffdfd
nixos/lanzaboote: use `config.systemd.package`
Signed-off-by: ercao <vip@ercao.cn>
2023-02-09 22:24:54 +08:00
nikstur 06f921ead0 tool: read build time from symlink
Read the build time from generation symlinks in /nix/var/nix/profiles
instead of from the underlying derivation. The derivation build time
will always be a UNIX epoch of 0 because of the `nix-build` sandbox,
which is useless for identifying when a generation was created.
2023-02-09 00:29:12 +01:00
Julian Stecklina 5f5b04a6f5
Merge pull request #97 from SuperSandro2000/patch-1
Fix mixed tabs and spaces
2023-02-08 10:19:01 +01:00
Sandro ad9b9ec5b5
Fix mixed tabs and spaces 2023-02-07 23:31:58 +01:00
Julian Stecklina cb315d543c
Merge pull request #93 from nix-community/quick-start-updates
Update Sharp Edges in Quickstart Docs
2023-02-03 11:34:23 +01:00
Julian Stecklina cc2af0a081 docs: update sharp edges after Linux kernel signing changes 2023-02-03 11:29:28 +01:00
Julian Stecklina 37ccc5d578
Merge pull request #91 from nix-community/58-escape-hatch
Ignore Integrity Checks without Secure Boot
2023-02-02 22:35:35 +01:00
Julian Stecklina abd5af1250
Merge pull request #90 from nix-community/ci-fix
Fix CI Regression after Linux Loader Fix
2023-02-02 18:07:14 +01:00
Julian Stecklina 0963ba83dd tests: check whether disabled secure boot relaxes hash checks 2023-02-02 18:05:09 +01:00
Julian Stecklina 8b00b748f2 stub: add fall back for hash mismatches when Secure Boot is off 2023-02-02 18:03:54 +01:00
Julian Stecklina 8d2ebbc6a7 stub: move linux booting into its own function 2023-02-02 18:03:54 +01:00
Julian Stecklina f3ede28eac ci: fix regression after Linux loader change
Now that we don't sign the kernel anymore, we need to manually
invalidate its checksum.
2023-02-02 17:57:34 +01:00
Julian Stecklina 788e1d9fb6
Merge pull request #89 from nix-community/quick-start-updates
Add Security Disclaimer in Quickstart Docs
2023-02-02 14:37:32 +01:00
Julian Stecklina e41c02c66b docs: add short security guidelines 2023-02-02 14:21:58 +01:00
Julian Stecklina eb3b4703fd
Merge pull request #75 from alois31/unsigned-kernel
Prevent loading of untrusted initrds
2023-02-02 14:08:08 +01:00
Alois Wohlschlager 081714cab9
Pass the built-in cmdline to the kernel
Do not pass our own cmdline on to the kernel. It may have been set by a
malicious boot loader specification entry, and could instruct the
kernel to load an arbitrary unprotected initrd (or perform some other
fun stuff). Instead, always pass the command line built into the UKI,
which is properly authenticated.
2023-01-31 18:32:13 +01:00
Alois Wohlschlager 3885f114a8
Do not sign the kernel
Malicious boot loader specification entries could be used to make a
signed kernel load arbitrary unprotected initrds. Since we do not want
this, do not sign the kernel. This way, the only things allowed to boot
are our UKI stubs, which do verify the initrd.
2023-01-31 18:25:27 +01:00
Alois Wohlschlager 7387c6708d
Load the kernel image ourselves
When loading something with UEFI LoadImage, signature validation is
performed. However, we verify the kernel by its hash already, and don't
want to sign it. Hence, we have to load it on our own.
2023-01-31 18:25:14 +01:00
nikstur 60e28106e9
Merge pull request #86 from dasJ/fix/osrelease-parser
Make the os-release parser more precise
2023-01-30 15:57:12 +01:00
Janne Heß 96d52b215c
Make the os-release parser more precise
Closes #77
2023-01-30 11:46:48 +01:00
nikstur afe8bcc7be
Merge pull request #81 from nix-community/systemd-boot-loader-conf
tool: write systemd-boot loader.conf
2023-01-29 16:26:53 +01:00
nikstur ce3b2c27b5 tool: write systemd-boot loader.conf
To minimize the number of arguments passed to `lzbt`, the loader config
is assembled outside `lzbt` and passed as a single argument.

Instead of reimplementing `consoleMode` under the `lanzaboote`
namespace, `config.loader.systemd-boot.consoleMode` is reused as is.
2023-01-29 16:19:14 +01:00
nikstur 57b56e104c
Merge pull request #83 from nix-community/atomic-writes
tool: atomically write to ESP
2023-01-29 16:17:07 +01:00
nikstur 5f28ae75ea tool: atomically write to ESP
To minimize the potential for irrecoverable errors, only atomic writes
to the ESP are performed. This is implemented by first copying the file
to the destination with a `.tmp` suffix and then renaming it to the
final desintation. This is atomic because the rename operation is atomic
on POSIX platforms.

Specifically, this means that even if the system crashes during the
operation, the final desintation path will most likely be intact if it
exists at all. There are some nuances to this however. It **cannot** be
actually guaranteed that the operation was performed on the filesystem
level. However, this is the best we can do for now.

For reference:
- POSIX rename(2): https://pubs.opengroup.org/onlinepubs/9699919799/
- Rust fs::rename corresponds to rename(2) on Unix: https://doc.rust-lang.org/std/fs/fn.rename.html
- Rust fs::rename is implemented using libc's rename: https://github.com/rust-lang/rust/blob/master/library/std/src/sys/unix/fs.rs#L1397
- Renaming in libc is atomic: https://www.gnu.org/software/libc/manual/html_node/Renaming-Files.html
2023-01-29 15:31:38 +01:00
nikstur 41c7a14a80
Merge pull request #82 from nix-community/clean-up-nixos-tests
nix.tests: clean up
2023-01-29 00:10:27 +01:00
nikstur fd2e7f7a40 nix.tests: clean up
The test attributes and names are simplified and standardized. They now
roughly follow the same structure as the systemd-boot test in Nixpkgs.
Some comments are added and variable names changed to make it more clear
what they actually do.
2023-01-28 01:40:48 +01:00
nikstur 0ca25a9bf0
Merge pull request #78 from nix-community/robust-systemd-version-parsing
tool: make systemd version parsing robust
2023-01-26 21:46:03 +01:00
nikstur 247afb33a2 tool: make systemd version parsing robust
To make handling systemd versions more robust, they are parsed into a
u32 tuple instead of an f32. Additionally, some unit tests for correct
parsing and comparing of versions are added.
2023-01-26 21:30:44 +01:00
nikstur eb0ffc6b9c
Merge pull request #79 from nix-community/cleanup-test-fixtures
Cleanup test fixtures
2023-01-26 02:26:25 +01:00
nikstur efa2410292 treewide: move uefi-keys into test fixtures
To clean up the repository move the uefi keys (`pki/`) to
`nix/tests/fixtures/uefi-keys`.
2023-01-26 01:18:41 +01:00
nikstur 1970b95b68 tool: remove bootspec.json
This fixture is not necessary anymore as we have enough integration
tests.
2023-01-26 01:16:09 +01:00
nikstur 3469cefb5b
Merge pull request #76 from nix-community/smart-systemd-boot-install
tool: smarter systemd-boot install
2023-01-25 23:24:26 +01:00
nikstur cc169689f3 tool: smarter systemd-boot install
The process of installing systemd-boot is "smarter" because it now
considers a a few conditions instead of doing nothing if there is a file
at the deistination path. systemd-boot is now forcibly installed (i.e.
overwriting any file at the destination) if (1) there is no file at the
destination, OR (2) a newer version of systemd-boot is available, OR (3)
the signature of the file at the destination could not be verified.
2023-01-25 22:21:14 +01:00
nikstur a9bce14645
Merge pull request #74 from nix-community/refactor-esp-paths
tool: split esp paths
2023-01-25 00:32:07 +01:00
nikstur db75203e31 tool: split esp paths
To access paths on the ESP before or after installing generations, split
EspPaths into general EspPaths that only depend on the path to the ESP
and EspGenerationPaths which additionally depend on generation specific
information (e.g. version number and initrd filename).
2023-01-25 00:24:40 +01:00