Commit Graph

288 Commits

Author SHA1 Message Date
renovate[bot] eabbae0e0c
fix(deps): update all dependencies 2023-10-16 01:54:44 +00:00
Alois Wohlschlager b02a7e2a7f
stub: use command line from loader in insecure mode
When booting without Secure Boot active, it is not necessary to defend
against a malicious command line being passed from the loader. So just
use it in this case, to facilitaty some debugging and recovery use
cases.

Fixes: https://github.com/nix-community/lanzaboote/issues/226
2023-10-15 16:04:30 +02:00
Alois Wohlschlager db39223a7c
stub: make handling of insecure boot more explicit
When Secure Boot is not available (unsupported or disabled), Lanzaboote
will attempt to boot kernels and initrds even when they fail the hash
verification. Previously, this would happen by falling back to use
LoadImage on the kernel, which fails if Secure Boot is available, as the
kernel is not signed.
The SecureBoot variable offers a more explicit way of checking whether
Secure Boot is available. If the firmware supports Secure Boot, it
initializes this variable to 1 if it is enabled, and to 0 if it is
disabled. Applications are not supposed to modify this variable, and in
particular, since only trusted applications are loaded when Secure Boot
is active, we can assume it is never changed to 0 or deleted if Secure
Boot is active.
Hence, we can be sure of Secure Boot being inactive if this variable is
absent or set to 0, and thus treat all hash verification errors as
non-fatal and proceed to boot arbitrary kernels and initrds (a warning
is still logged in this case). In all other cases, we treat all hash
verification failures as fatal security violations, as it must be done
in the case where Secure Boot is active (it is expected that this does
not lead to any false positives in practice, unless there are bigger
problems anyway).
2023-10-15 15:58:01 +02:00
Julian Stecklina c56ad52b18 stub: pin to current goblin version
goblin 0.7.1 introduces certification support for PE files. This seems to be broken, because we get:

Parsing PE failed Malformed entity: Unable to extract certificate. Probably cert_size:1599360838 is malformed!

from goblin when trying to parse our PE file in memory.

See #237 for context.
2023-10-15 15:40:57 +02:00
Julian Stecklina 17cadf6598 stub: update to latest uefi crates 2023-10-12 12:12:34 +02:00
Alois Wohlschlager 90a1adac54
tool: fix atomic write
Atomic write works by first writing a temporary file, then syncing that
temporary file to ensure it is fully on disk before the program can
continue, and in the last step renaming the temporary file to the
target. The middle step was missing, which is likely to lead to a
truncated target file being present after power loss. Add this step.

Furthermore, even with this fix, atomicity is not fully guaranteed,
because FAT32 can become corrupted after power loss due to its design
shortcomings. Even though we cannot really do anything about this case,
adjust the comment to at least acknowledge the situation.
2023-10-04 07:29:35 +02:00
Alois Wohlschlager 4fd37670e2
tool: stop most overwriting in the ESP
Since most files (stubs, kernels and initrds) on the ESP are properly
input-addressed or content-addressed now, there is no point in
overwriting them any more. Hence we detect what generations are already
properly installed, and don't reinstall them any more.

This approach leads to two distinct improvements:
* Rollbacks are more reliable, because initrd secrets and stubs do not
  change any more for existing generations (with the necessary exception
  of stubs in case of signature key rotation). In particular, the risk
  of a newer stub breaking (for example, because of bad interactions
  with certain firmware) old and previously working generations is
  avoided.
* Kernels and initrds that are not going to be (re)installed anyway are
  not read and hashed any more. This significantly reduces the I/O and
  CPU time required for the installation process, particularly when
  there is a large number of generations.

The following drawbacks are noted:
* The first time installation is performed after these changes, most of
  the ESP is re-written at a different path; as a result, the disk usage
  increases to roughly the double until the GC is performed.
* If multiple generations share a bare initrd, but have different
  secrets scripts, the final initrds will now be separated, leading to
  increased disk usage. However, this situation should be rare, and the
  previous behavior was arguably incorrect anyway.
* If the files on the ESP are corrupted, running the installation again
  will not overwrite them with the correct versions. Since the files are
  written atomically, this situation should not happen except in case of
  file system corruption, and it is questionable whether overwriting
  really fixes the problem in this case.
2023-10-04 07:29:21 +02:00
Alois Wohlschlager ca070a9eec
tool: make stubs input-addressed
The stubs on the ESP are now input-addressed, where the inputs are the
system toplevel and the public key used for signature. This way, it is
guaranteed that any stub at a given path will boot the desired system,
even in the presence of one of the two edge-cases where it was not
previously guaranteed:
* The latest generation was deleted at one point, and its generation
  number was reused by a different system configuration. This is
  detected because the toplevel will change.
* The secure boot signing key was rotated, so old stubs would not boot
  at all any more. This is detected because the public key will change.

Avoiding these two cases will allow to skip reinstallation of stubs that
are already in place at the correct path.
2023-10-03 22:08:10 +02:00
Alois Wohlschlager 240914d763
tool: make kernels and initrds content-addressed
Kernels and initrds on the ESP are now content-addressed. By definition,
it is impossible for two different kernels or initrds to ever end up at
the same place, even in the presence of changing initrd secrets or other
unreproducibility.

The basic advantage of this is that installing the kernel or initrd for
a generation can never break another generation. In turn, this enables
the following two improvements:
* All generations can be installed independently. In particular, the
  installation can be performed in one pass, one generation at a time.
  As a result, the code is significantly simplified, and memory usage
  (due to the temporary files) does not grow with the number of
  generations any more.
* Generations that already have their files in place on the ESP do not
  need to be reinstalled. This will be taken advantage of in a
  subsequent commit.
2023-10-03 22:08:03 +02:00
nikstur 0b5ce324d7 tool: clean up a few minor details 2023-09-14 16:35:53 +02:00
nikstur 3bf55f92b8 test: clean up a few minor details 2023-09-14 16:35:53 +02:00
Raito Bezarius 1330292008 tool/systemd: make clippy happy I guess 2023-09-14 16:35:53 +02:00
Raito Bezarius 0107754d62 tool(architecture): make it generic
Architecture is now a generic structure that can be specialized
via an "external" trait for generating the paths you care about
depending on your target bootloader.
2023-09-14 16:35:53 +02:00
Raito Bezarius 609c11f26d tool(systemd-boot): install it once instead of checking for each generation
systemd-boot is now installed once for many generations rather than multiple times.

This means it is not really possible to manage different system in the same "machine", which is a very
obscure usecase, theoretically possible, but not yet encountered.
2023-09-14 16:35:53 +02:00
Raito Bezarius e5c1d74e3f tool: introduce --target-system to choose target architecture
We will hard fail in case of encountering different architectures in bootspec.
This should still be compatible with cross-compiling systems in the future.
2023-09-14 16:35:53 +02:00
Raito Bezarius acc4c2e0a1 tool(tests): use library to use the "target architecture" properly in tests 2023-09-14 16:35:53 +02:00
Raito Bezarius 9af0e56527 tool(esp): add systemd stub filenames mapping for systems 2023-09-14 16:35:53 +02:00
Raito Bezarius 7acb1b218a tool: implement general architecture support - for aarch64, x86 for now 2023-09-14 16:35:53 +02:00
Raito Bezarius 18771d30f4 lanzaboote: add aarch64-unknown-efi target 2023-09-14 16:35:53 +02:00
nikstur 3dab5531b1 stub: remove TPM 1 support
TPM 1 will not be supported by newer systemd versions and is not widely
available anyways.
2023-09-14 15:04:53 +02:00
nikstur ff442cd032 tool: introduce some more whitespace 2023-09-14 12:38:40 +02:00
nikstur 143a000f36 tool: separates use statements correctly with whitespace 2023-09-14 12:36:02 +02:00
nikstur baf2f5f6bb tool: use workspace values in Cargo.toml 2023-09-14 12:35:42 +02:00
nikstur efd8c50214 tool: remove superfluous lock file 2023-09-14 12:29:54 +02:00
Raito Bezarius eba963b6f1 tool/shared: make clippy happy
- implements a trivial Default for Roots
- implements a FromStr for OsRelease
2023-09-14 11:55:09 +02:00
Raito Bezarius fd188a0e32 tool/shared: make constraints less concrete and drop lockfile
In a library, a lockfile is not really needed per se
and we should avoid creating duplicate dependencies
as much as possible.
2023-09-14 11:55:09 +02:00
Raito Bezarius 923567d08a systemd-tool: make integration test pass 2023-09-14 11:55:09 +02:00
Raito Bezarius 8029449cba tool: split systemd into a new crate and make tool into a lib-only crate
This is necessary to make integration testing specific to the backend.
2023-09-14 11:55:09 +02:00
Raito Bezarius efe7b40f5c lzbt: abstraction for multiple backends
This generates `lzbt-systemd` binary instead of `lzbt`
which is using a special systemd-specific entrypoint.

This is part of the effort to enable multiple backends.
2023-09-14 11:55:09 +02:00
Ryan Lahfa 3dc8778c32
Merge pull request #215 from nix-community/linux-bootloader-crate
stub: split up into a linux-bootloader crate
2023-09-13 16:43:16 +00:00
nikstur 83f4376929 uefi: move uefi code to separate workspace 2023-09-13 17:46:05 +02:00
Raito Bezarius 51d9c1dff8 stub: split up into a linux-bootloader crate
We introduce `linux-bootloader` a crate made to build Rust-based Linux-oriented bootloaders.

It follows systemd/UAPI group and semantics as much as possible, e.g. BLS/loader capabilities/stub capabilities.
2023-09-13 17:43:35 +02:00
tilpner 3895c94eb5
tool: only sync ESP filesystem 2023-08-17 21:23:33 +02:00
nikstur e7246c6bce
Merge pull request #212 from nix-community/update-flake-inputs
flake.lock: Update
2023-07-20 23:42:57 +02:00
nikstur ec210ff40d stub: fix typo 2023-07-20 22:49:45 +02:00
renovate[bot] 9cceec4008 fix(deps): update all dependencies 2023-07-20 01:27:43 +02:00
Raito Bezarius 63bbfe35d8 feat(stub): throw compile error in case of enabling fat and thin features
This is more helpful than a weird compilation error on borrow checking rules!
2023-06-10 18:06:50 +02:00
renovate[bot] 3cae2f1c63
fix(deps): update all dependencies 2023-06-05 02:00:30 +00:00
Raito Bezarius 88aeb61d85 stub: upgrade to uefi-rs 0.22.0
This upgrade is necessary to avoid borking boot on bad UEFI implementations.
2023-06-02 13:16:44 +02:00
nikstur da24357977
Merge pull request #182 from nix-community/fat-uki
stub: add fat variant
2023-06-01 22:43:53 +02:00
renovate[bot] f1d199d0b4
fix(deps): update rust crate log to 0.4.18 2023-05-29 01:38:08 +00:00
nikstur 7ecafb2947 stub: add fat variant
A compile time feature is introduced that allows to build "fat" stubs
that can be used to build "fat" UKIs. "fat" here means that the actual
kernel and initrd are embedded in the PE binary, not only the file path
and hash. This brings us one step closer to feature partiy with
systemd-stub and thus one step closer to replacing it fully. Such a
"fat" or "real" UKI is also interesting for image-based deployments of
NixOS.
2023-05-24 22:09:28 +02:00
nikstur 30ddfcd2ce tool: improve command error messages 2023-05-24 00:17:11 +02:00
renovate[bot] 5ecd73cdac
fix(deps): update all dependencies 2023-05-22 02:56:28 +00:00
Raito Bezarius c96299ea46 deps: update to uefi-rs 0.21.0
It simplifies our filesystem handling.
2023-05-20 23:05:15 +02:00
Raito Bezarius 77f1279406 tool(bootspec): remove boilerplate with newest bootspec 2023-05-20 19:41:31 +02:00
nikstur 7ed294c84d
Merge pull request #180 from nix-community/sync-packages-ver
chore: sync our crates version to latest tag
2023-05-19 00:36:31 +02:00
Raito Bezarius 606b9e8bab stub(tpm): Measure "UKI" (i.e. all unified sections in our stub) 2023-05-18 19:05:53 +02:00
Raito Bezarius ad28b4cd01 stub: bump crate to 0.3.0 2023-05-18 19:03:42 +02:00
Raito Bezarius 39cda9e457 tool: bump crate to 0.3.0 2023-05-18 19:03:37 +02:00
nikstur 65dbe44999 stub: format with rustfmt 2023-05-17 21:40:03 +02:00
nikstur e37bf51ed3 stub: format with rustfmt 2023-05-17 21:39:40 +02:00
renovate[bot] 7378e06257
fix(deps): update all dependencies 2023-05-08 01:30:03 +00:00
nikstur ae49611bd6
Merge pull request #166 from nix-community/sd-stub-efi-variables
feat: minimal poc for exporting UEFI variables à la sd-boot
2023-05-05 21:32:50 +02:00
Raito Bezarius a5372db91f hotfix(stub): rust_version -> rust-version in Cargo.toml 2023-05-05 20:11:55 +02:00
Raito Bezarius 9dd9116b1e stub: export boot loader interface efivars 2023-05-05 20:11:55 +02:00
renovate[bot] 008e7a65fd
fix(deps): update all dependencies 2023-05-01 02:39:28 +00:00
Raito Bezarius 4ef6957f88 feat: enable synthesis support
Bootspec has a mechanism called synthesis where you can synthesize
bootspecs if they are not present based on the generation link only.

This is useful for "vanilla bootspec" which does not contain any
extensions, as this is what we do right now.

If we need extensions, we can also implement our synthesis mechanism on
the top of it.

Enabling synthesis gives us the superpower to support non-bootspec
users. :-)
2023-04-29 22:55:39 +02:00
Raito Bezarius 9fe979d2d6 tests: adopt bootspec v1 format 2023-04-29 15:21:38 +02:00
Raito Bezarius 48ff4cb7c4 tool: adopt bootspec 0.1.0 2023-04-29 15:21:38 +02:00
nikstur 06edad2e83 tool: improve log message about malformed gens
Tells the user which generations are malformed and how to remove them.
2023-04-27 00:33:45 +02:00
nikstur 09e12eb559 tool: disable gc in the presence of malformed gens
Disable GC if there are any malformed gens to avoid catastrophic failure
when there are upstream changes to NixOS that are not handled in lzbt.
2023-04-24 22:03:14 +02:00
nikstur 1b27ddd753
Merge pull request #159 from nix-community/renovate/all
fix(deps): update rust crate clap to 4.2.4
2023-04-24 14:03:04 +02:00
Janne Heß c22352ca20
tool: Use mtime of the symlink rather than the target
When using the target, this will always result in a timestamp from 1970
because the symlink points to the store.
2023-04-24 11:57:34 +02:00
Janne Heß 979d25ee13
Revert "Merge pull request #139 from adtya/built_on_date"
This reverts commit d751d13b0a, reversing
changes made to 7c55847aaf.
2023-04-24 11:48:46 +02:00
renovate[bot] 2ecd951de1
fix(deps): update rust crate clap to 4.2.4 2023-04-24 01:08:24 +00:00
nikstur 8efc061e1d tool: add comment for log level of malformed gens
The message about malformed generatiosn should semantically be a
warning. However, since users might have hundres of old and thus
malformed generations and can do little about it, this should remain a
debug message. This way the user is not spammed with no-op warnings
while still enabling debugging.
2023-04-23 23:28:21 +02:00
nikstur 68d1928e3d Revert "tool: don't silently ignore generations"
This reverts commit 4f182704e0.
2023-04-23 23:27:32 +02:00
Julian Stecklina 4f182704e0 tool: don't silently ignore generations 2023-04-23 15:20:49 +02:00
Julian Stecklina be458e3385 tool: avoid creating unbootable system
lzbt currently happily nukes all boot entries, if it can't parse any
bootspecs. With the upcoming incompatible bootspec change, this might
be a problem that's worth avoiding. :)

I changed lzbt to fail hard in case, it can't generate any boot
items.
2023-04-23 15:17:32 +02:00
Julian Stecklina ddd22a8f67
Merge branch 'master' into icache 2023-04-21 18:34:33 +02:00
Alois Wohlschlager ae401e4b18
stub: implement icache coherence on i686 and AArch64
People reportedly want to compile the stub on i686 and AArch64
platforms for testing. Make compilation possible by providing proper
`make_instruction_cache_coherent` implementations on these platforms.
For x86 (just as x86_64), this is a no-op, because Intel made the
instruction cache coherent for compatibility with code that was written
before caches existed.
For AArch64, adapt the procedure from their manual to multiple
instructions.
2023-04-21 18:00:14 +02:00
renovate[bot] b25e1b77d2
chore(deps): update all dependencies 2023-04-17 01:25:18 +00:00
Alois Wohlschlager 81e25ee5c3
stub: clarify instruction cache coherence 2023-04-16 16:17:50 +02:00
Raito Bezarius 666b5e7169 stub: make it compatible with a stable Rust compiler (≥ 1.68.x) 2023-04-14 16:48:30 +02:00
renovate[bot] 51017c0f40
fix(deps): update all dependencies 2023-04-09 20:27:07 +00:00
Julian Stecklina 5d3fbf10a6
Merge pull request #142 from Myaats/master
tool: drop buggy condition for when to sign
2023-04-09 22:20:46 +02:00
Mats 223ab53d55 tool: drop buggy condition for when to sign 2023-03-30 23:53:24 +02:00
Adithya Nair 97874a2002
propagate error instead of unwrapping in tests 2023-03-22 11:19:12 +05:30
Adithya Nair 6a342a49a9
propagate error instead of unwrapping 2023-03-22 01:25:17 +05:30
Adithya Nair e033a2fcaf
replace mtime with birth time 2023-03-21 23:47:33 +05:30
renovate[bot] 9bbbae3168
fix(deps): update all dependencies 2023-03-20 09:25:02 +00:00
Julian Stecklina 5a03bb751d stub: update dependencies
Update nightly toolchain and UEFI dependencies. The latest crane
version comes with a bug where it fails to compile UEFI binaries.
2023-03-20 09:51:30 +01:00
renovate[bot] dfa6c3db1f
chore(deps): lock file maintenance 2023-03-20 01:57:17 +00:00
Julian Stecklina 7060389698 stub: add safety comment for PE parsing 2023-03-15 21:53:19 +01:00
Julian Stecklina 9c128e9ef6 stub: do not read loaded image again from ESP
... because this might not work, if we were not loaded from a file
system. It also removes the issue where we might not load the signed
image that was actually loaded.

Fixes #123
2023-03-15 00:36:50 +01:00
renovate[bot] eed59b4d16
fix(deps): update all dependencies 2023-03-13 00:45:02 +00:00
nikstur 721b584940 tool: fine tune a few log messages 2023-03-06 00:52:46 +01:00
nikstur c8522e02b4 Merge pull request #122 from nix-community/renovate/all
fix(deps): update all dependencies
2023-02-28 22:20:33 +01:00
renovate[bot] e321ad1626
fix(deps): update all dependencies 2023-02-27 02:01:48 +00:00
Julian Stecklina cbccd64c57 tool: make file installation deterministic
Due to the use of hash maps, the order of file installation was not
deterministic. I've changed the code the use BTreeMaps instead, which
makes this deterministic. While I was here, I tried to simplify the
code a bit.
2023-02-25 20:42:08 +01:00
Julian Stecklina a5e283ca44
Merge pull request #112 from nix-community/log
Minimalistic Logging Support
2023-02-25 11:20:01 +01:00
nikstur 32950b7708 tool: fix typos 2023-02-24 01:29:15 +01:00
nikstur 75a19cd818 tool: correctly sort generation links
To correctly overwrite existing initrd with newer secrets (from newer
generations), the links need to be sorted from oldest generation to
newest.
2023-02-24 00:32:14 +01:00
nikstur 1d21d7bdd8 tool: add install tests
Add a few integration tests for installing files, e.g. overwriting
signed and unsigned files.
2023-02-24 00:04:00 +01:00
nikstur 362205c2ec tool: check file hashes before copying
To minimize writes to the ESP but still find necessary changes, compare
the hashes of the files on the ESP with the "expected" hashes. Only copy
and overwrite already existing files if the hashes don't match. This
ensures a working-as-expected state on the ESP as opposed to previously
where already existing files were just ignored.
2023-02-24 00:04:00 +01:00
nikstur 06b9cdc69e tool: move file_hash() to utils module 2023-02-24 00:04:00 +01:00
nikstur 3a3ad7c40d tool: write all generation artifacts at once
Previously, generations were installed one after another. Now all
artifacts (kernels, initrd etc.) are first collected and then installed.
This way the writes to the ESP are reduced as duplicate paths are
already removed in the collection phase.
2023-02-24 00:04:00 +01:00
Janne Heß de4c62a1bd stub: lanzatool -> lzbt 2023-02-23 09:32:28 +01:00
Julian Stecklina 90755b789f stub: use logger instead of printing manually 2023-02-21 01:32:29 +01:00