Commit Graph

556 Commits

Author SHA1 Message Date
Julian Stecklina 8e0d422697 stub: remove nondeterminism in binary
The linker embeds a timestamp into our UEFI stub. objdump -p
reports:

Time/Date               Mon Nov 13 20:02:35 2023

With /Brepro we get the following instead:

Time/Date               d597e888        (This is a reproducible build file hash, not a timestamp)

Fixes #260
2023-11-14 10:31:54 +01:00
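A check for the kind of nondeterminism this commit removes, added here as an example and not code from the lanzaboote project: it locates the COFF TimeDateStamp in a PE image with bounds-checked parsing, renders it as a date the way objdump does, and compares two builds to report whether the first differing byte lies in that field. The sample images are constructed inside the code; the stamp 1699902155 is the objdump line above read as 20:02:35 at UTC+01:00, which is an assumption.

```rust
/// Locates the COFF TimeDateStamp of a PE image: returns (file offset, value).
/// Every access is bounds-checked, so a truncated or hostile header yields an
/// error instead of a panic.
pub fn pe_time_date_stamp(image: &[u8]) -> Result<(usize, u32), &'static str> {
    if image.len() < 0x40 || &image[0..2] != b"MZ" {
        return Err("not a DOS/MZ header");
    }
    let e_lfanew = u32::from_le_bytes(image[0x3c..0x40].try_into().unwrap()) as usize;
    let hdr = e_lfanew
        .checked_add(24)
        .and_then(|end| image.get(e_lfanew..end))
        .ok_or("e_lfanew points outside the image")?;
    if &hdr[0..4] != b"PE\0\0" {
        return Err("missing PE signature");
    }
    // The COFF header follows the 4-byte signature; TimeDateStamp is its bytes 4..8.
    let off = e_lfanew + 8;
    Ok((off, u32::from_le_bytes(hdr[8..12].try_into().unwrap())))
}

/// Renders a seconds-since-epoch value as "YYYY-MM-DD HH:MM:SS UTC"
/// (days-to-civil conversion after H. Hinnant's algorithm).
pub fn format_stamp(stamp: u32) -> String {
    let secs = stamp as i64;
    let (days, tod) = (secs.div_euclid(86400), secs.rem_euclid(86400));
    let z = days + 719468;
    let era = z.div_euclid(146097);
    let doe = z - era * 146097;
    let yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    let doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    let mp = (5 * doy + 2) / 153;
    let d = doy - (153 * mp + 2) / 5 + 1;
    let m = if mp < 10 { mp + 3 } else { mp - 9 };
    let y = yoe + era * 400 + if m <= 2 { 1 } else { 0 };
    format!("{y:04}-{m:02}-{d:02} {:02}:{:02}:{:02} UTC", tod / 3600, tod % 3600 / 60, tod % 60)
}

/// Compares two builds of the same source. Ok(None): byte-identical.
/// Ok(Some((offset, in_stamp))): first differing byte and whether it sits in
/// the TimeDateStamp field, the classic reproducibility leak.
pub fn diagnose(a: &[u8], b: &[u8]) -> Result<Option<(usize, bool)>, &'static str> {
    let (stamp_off, _) = pe_time_date_stamp(a)?;
    let first = a
        .iter()
        .zip(b)
        .position(|(x, y)| x != y)
        .or_else(|| (a.len() != b.len()).then_some(a.len().min(b.len())));
    Ok(first.map(|off| (off, (stamp_off..stamp_off + 4).contains(&off))))
}

/// Constructed minimal PE image: DOS header with e_lfanew, PE signature and a
/// COFF header carrying `stamp`. Sample data for this example, not loadable.
pub fn build_sample_pe(stamp: u32) -> Vec<u8> {
    let mut img = vec![0u8; 0x40 + 24];
    img[0..2].copy_from_slice(b"MZ");
    img[0x3c..0x40].copy_from_slice(&0x40u32.to_le_bytes()); // e_lfanew
    img[0x40..0x44].copy_from_slice(b"PE\0\0");
    img[0x44..0x46].copy_from_slice(&0x8664u16.to_le_bytes()); // Machine: x86-64
    img[0x46..0x48].copy_from_slice(&1u16.to_le_bytes()); // NumberOfSections
    img[0x48..0x4c].copy_from_slice(&stamp.to_le_bytes()); // TimeDateStamp
    img
}

fn main() {
    // Two "builds" one second apart: the link time leaks into the binary.
    let (b1, b2) = (build_sample_pe(1_699_902_155), build_sample_pe(1_699_902_156));
    let (_, ts) = pe_time_date_stamp(&b1).unwrap();
    println!("build 1 stamp: {ts:#010x} = {}", format_stamp(ts));
    println!("first difference: {:?}", diagnose(&b1, &b2));
    // With /Brepro the field carries a content hash and both builds agree.
    let (r1, r2) = (build_sample_pe(0xd597e888), build_sample_pe(0xd597e888));
    println!("reproducible builds: {:?}", diagnose(&r1, &r2));
}
```

The parser deliberately returns an error rather than panicking on a bad e_lfanew or truncated header; when a stub parses its own in-memory image, a header that does not fit the buffer should never turn into an out-of-bounds read.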
nikstur f8d2638436
Merge pull request #258 from nix-community/renovate/all
fix(deps): update all dependencies
2023-11-13 05:45:00 +00:00
renovate[bot] 752d2d4347
fix(deps): update all dependencies 2023-11-13 01:34:32 +00:00
Ryan Lahfa 81975f3bc4
Merge pull request #257 from nix-community/aarch64-ci
feat(flake): perform final fixups to the flake outputs
2023-11-10 14:23:16 +00:00
Raito Bezarius b7f3d60708 feat(flake): perform final fixups to the flake outputs
As flake-parts doesn't really support a concept of limited supported systems (e.g. systems for which
we don't have CI), we need to fix up the final outputs to move the unsupported checks to another place
where CI won't run them.
2023-11-10 15:15:48 +01:00
Julian Stecklina bc0fd4e1d9
Merge pull request #254 from nix-community/renovate/all
fix(deps): update rust crate serde_json to 1.0.108
2023-11-08 19:59:35 +01:00
Julian Stecklina 241cedde7e
Merge pull request #255 from nix-community/renovate/lock-file-maintenance
chore(deps): lock file maintenance
2023-11-08 13:46:30 +01:00
renovate[bot] ceb19c0732
chore(deps): lock file maintenance 2023-11-08 11:02:15 +00:00
renovate[bot] dd729cdaeb
fix(deps): update rust crate serde_json to 1.0.108 2023-11-06 00:54:20 +00:00
nikstur 781303ad7c
Merge pull request #250 from nix-community/vm-timeouts
tests: add 5 minutes default timeout
2023-10-30 13:45:22 +01:00
Raito Bezarius 1859491609 tests: add 5 minutes default timeout
By default, it is one hour, but our CI cannot handle that many VM tests, so we switch to 5-minute default timeouts.
2023-10-30 13:40:20 +01:00
Ryan Lahfa 8edc9ef771
Merge pull request #249 from nix-community/renovate/lock-file-maintenance 2023-10-30 12:07:13 +01:00
renovate[bot] 2ed4482133
chore(deps): lock file maintenance 2023-10-30 09:55:41 +00:00
nikstur 9c8d7c56b3
Merge pull request #245 from nix-community/lightweight-shell
Lightweight Shell
2023-10-30 10:31:55 +01:00
Julian Stecklina 29c48651c2
Merge pull request #248 from nix-community/systemd-boot
docs: clarify migration path for new installations
2023-10-30 09:27:32 +00:00
Julian Stecklina 3cb657f5c3 tool: silence resolver version warning
We are getting this warning:

warning: some crates are on edition 2021 which defaults to `resolver = "2"`, but virtual workspaces default to `resolver = "1"`
note: to keep the current resolver, specify `workspace.resolver = "1"` in the workspace root's manifest
note: to use the edition 2021 resolver, specify `workspace.resolver = "2"` in the workspace root's manifest

Silence by opting into the new behavior.
2023-10-30 10:24:49 +01:00
Julian Stecklina 87d2087a7a tool: drop unused dependencies via machete 2023-10-30 10:22:41 +01:00
Julian Stecklina 1e5145a0fa nix: trim down shell environment 2023-10-30 10:20:44 +01:00
Jörg Thalheim 2ee75d5d91 docs: clarify migration path for new installations 2023-10-30 10:14:55 +01:00
Julian Stecklina f01c3666ea
Merge pull request #247 from nix-community/renovate/lock-file-maintenance
chore(deps): lock file maintenance
2023-10-30 00:24:35 +00:00
renovate[bot] e94d982208
chore(deps): lock file maintenance 2023-10-30 00:14:36 +00:00
Julian Stecklina 1e974f66b1
Merge pull request #246 from nix-community/renovate/all
fix(deps): update all dependencies
2023-10-30 00:11:29 +00:00
renovate[bot] 03c2f52ee9
fix(deps): update all dependencies 2023-10-30 00:00:50 +00:00
Julian Stecklina a5e89456fc
Merge pull request #244 from phip1611/improvements
linux_loader: improve code quality + bug fix
2023-10-29 12:33:49 +00:00
Philipp Schuster b7f68a50e6 linux_loader: improve code quality
`Option<&T>` has the same ABI layout as `*const T`, so we have some room for
improvement where we get more Rust convenience. Further, a bug is fixed where
INVALID_PARAMETER wasn't returned when the BUFFER_SIZE pointer is NULL.

See UEFI 2.10 13.2.2. EFI_LOAD_FILE2_PROTOCOL.LoadFile() for reference.
2023-10-24 13:23:30 +02:00
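An illustration of the two points in this commit message, written for this page rather than taken from lanzaboote's linux_loader: a LoadFile-style handler whose BufferSize parameter is `Option<&mut usize>` instead of a raw pointer, driven through raw pointers the way firmware would call it, with a NULL BufferSize returning EFI_INVALID_PARAMETER as UEFI 2.10 13.2.2 requires. The function names, the payload and the status constants are assumptions for the example (the constants follow the UEFI convention of error codes with the high bit set).

```rust
use core::mem::{size_of, transmute};
use core::ptr;

/// UEFI status codes (UEFI 2.10 Appendix D: error codes have the high bit set).
pub const EFI_SUCCESS: usize = 0;
pub const EFI_INVALID_PARAMETER: usize = (1usize << (usize::BITS - 1)) | 2;
pub const EFI_BUFFER_TOO_SMALL: usize = (1usize << (usize::BITS - 1)) | 5;

/// Constructed stand-in for the bytes a LoadFile call hands back.
pub const PAYLOAD: &[u8] = b"constructed initrd bytes";

/// Hypothetical LoadFile-style handler (assumption: only the parameter shape
/// follows EFI_LOAD_FILE2_PROTOCOL.LoadFile(); this is not the project's code).
/// `buffer_size` is `Option<&mut usize>` instead of `*mut usize`: a NULL
/// BufferSize from the firmware arrives as `None` and cannot be dereferenced
/// by accident, while the non-NULL case gives an ordinary `&mut usize`.
pub fn load_file(buffer_size: Option<&mut usize>, buffer: *mut u8) -> usize {
    // UEFI 2.10 13.2.2: BufferSize == NULL must yield EFI_INVALID_PARAMETER.
    let Some(size) = buffer_size else {
        return EFI_INVALID_PARAMETER;
    };
    // NULL Buffer or a too-small buffer: report the needed size.
    if buffer.is_null() || *size < PAYLOAD.len() {
        *size = PAYLOAD.len();
        return EFI_BUFFER_TOO_SMALL;
    }
    // SAFETY: the caller promises `buffer` points to `*size` writable bytes,
    // and `*size >= PAYLOAD.len()` was checked above.
    unsafe { ptr::copy_nonoverlapping(PAYLOAD.as_ptr(), buffer, PAYLOAD.len()) };
    *size = PAYLOAD.len();
    EFI_SUCCESS
}

/// Calls `load_file` the way firmware would, with raw pointers. The transmute
/// is sound because `Option<&mut T>` is guaranteed to share the layout of
/// `*mut T` (null-pointer optimisation, documented in `core::option`).
pub fn call_as_firmware_would(size_ptr: *mut usize, buffer: *mut u8) -> usize {
    let buffer_size: Option<&mut usize> = unsafe { transmute(size_ptr) };
    load_file(buffer_size, buffer)
}

/// The layout guarantee the refactor relies on, stated as a runtime check.
pub fn option_ref_is_pointer_sized() -> bool {
    size_of::<Option<&mut usize>>() == size_of::<*mut usize>()
}

fn main() {
    // NULL BufferSize: rejected before anything is dereferenced.
    let status = call_as_firmware_would(ptr::null_mut(), ptr::null_mut());
    println!("NULL BufferSize -> {status:#x}");
    // Size query with a NULL Buffer, then the real load.
    let mut size = 0usize;
    let status = call_as_firmware_would(&mut size, ptr::null_mut());
    println!("size query -> {status:#x}, need {size} bytes");
    let mut buf = vec![0u8; size];
    let status = call_as_firmware_would(&mut size, buf.as_mut_ptr());
    println!("load -> {status:#x}: {:?}", core::str::from_utf8(&buf[..size]).unwrap());
}
```

The `Buffer` parameter stays a raw pointer on purpose: its length is only known through `*size`, so a reference type would promise more than the firmware guarantees. Only the pointer whose meaning is "present or absent" gains from the `Option<&mut T>` treatment.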
Julian Stecklina bb380e1948
Merge pull request #243 from nix-community/renovate/lock-file-maintenance
chore(deps): lock file maintenance
2023-10-23 22:34:16 +00:00
Julian Stecklina 56386ae1c3 fixtures: add snakeoil dbx pem
sbctl 0.12 wants to have the forbidden signatures or fails to enroll
keys.
2023-10-24 00:23:48 +02:00
renovate[bot] e0511f43e7
chore(deps): lock file maintenance 2023-10-23 00:26:27 +00:00
nikstur 4366cd1b4c
Merge pull request #242 from nix-community/generation-name
Consistently Display Generations in systemd-boot
2023-10-21 19:23:18 +02:00
Julian Stecklina ec05d707f3 tool: always include version in PRETTY_NAME
... to give a consistent user experience in systemd-boot.

Fixes #220.
2023-10-20 11:55:53 +02:00
Julian Stecklina 3da3049bef tool: remove unhelpful wrappers and lightly refactor 2023-10-20 11:29:00 +02:00
Julian Stecklina 0c38cbfa6a
Merge pull request #216 from nix-community/renovate/lock-file-maintenance
chore(deps): lock file maintenance
2023-10-19 20:59:26 +00:00
renovate[bot] 853c81eef2
chore(deps): lock file maintenance 2023-10-19 20:29:32 +00:00
Julian Stecklina 56bf9b942c
Merge pull request #241 from nix-community/pin-edk2-202305
Pin EDK2 202305
2023-10-19 20:24:53 +00:00
Julian Stecklina 65003165c8 tests: downgrade from edk2 202308 to 202305 2023-10-19 21:14:45 +02:00
Julian Stecklina 0c7ca2b180 nix: remove unused follows 2023-10-19 19:23:59 +02:00
Julian Stecklina adc7420ece flake.lock: Update
Flake lock file updates:

• Updated input 'crane':
    'github:ipetkov/crane/8b08e96c9af8c6e3a2b69af5a7fa168750fcf88e' (2023-07-07)
  → 'github:ipetkov/crane/bc5fa8cd53ef32b9b827f24b993c42a8c4dd913b' (2023-10-19)
• Removed input 'crane/flake-compat'
• Removed input 'crane/flake-utils'
• Removed input 'crane/rust-overlay'
• Updated input 'flake-compat':
    'github:edolstra/flake-compat/35bb57c0c8d8b62bbfd284272c928ceb64ddbde9' (2023-01-17)
  → 'github:edolstra/flake-compat/0f9255e01c2351cc7d116c072cb317785dd33b33' (2023-10-04)
• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/8e8d955c22df93dbe24f19ea04f47a74adbdc5ec' (2023-07-04)
  → 'github:hercules-ci/flake-parts/c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4' (2023-10-03)
• Updated input 'flake-utils':
    'github:numtide/flake-utils/919d646de7be200f3bf08cb76ae1f09402b6f9b4' (2023-07-11)
  → 'github:numtide/flake-utils/ff7b65b44d01cf9ba6a71320833626af21126384' (2023-09-12)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/248a83fffc10b627da67fa6b25d2c13fc7542628' (2023-09-28)
  → 'github:NixOS/nixpkgs/6be2c349a30fcb489a3153dd331e9df387ab6449' (2023-10-19)
• Updated input 'pre-commit-hooks-nix':
    'github:cachix/pre-commit-hooks.nix/eb433bff05b285258be76513add6f6c57b441775' (2023-07-18)
  → 'github:cachix/pre-commit-hooks.nix/42e1b6095ef80a51f79595d9951eb38e91c4e6ca' (2023-10-09)
• Updated input 'rust-overlay':
    'github:oxalica/rust-overlay/7c4f46f0b3597e3c4663285e6794194e55574879' (2023-09-14)
  → 'github:oxalica/rust-overlay/d5977a020c216526144dbf08ab0825b6c1121593' (2023-10-19)
2023-10-19 18:21:36 +02:00
Julian Stecklina 778e21733b
Merge pull request #196 from nix-community/renovate/all
fix(deps): update all dependencies
2023-10-16 09:03:22 +00:00
Julian Stecklina bb5b2de545 stub: pin goblin (again)
... because of #237. Now renovate should ignore this.
2023-10-16 10:53:56 +02:00
Julian Stecklina ace18ed4bd renovate: ignore goblin updates
... because of #237.
2023-10-16 10:51:59 +02:00
Julian Stecklina 0df60a2b2e
Merge pull request #232 from alois31/insecure-boot
stub: improve handling of insecure boot
2023-10-16 08:29:25 +00:00
Julian Stecklina 01b62a1c21
Merge branch 'master' into insecure-boot 2023-10-16 10:28:28 +02:00
renovate[bot] eabbae0e0c
fix(deps): update all dependencies 2023-10-16 01:54:44 +00:00
Julian Stecklina 82530e530b
Merge pull request #238 from nix-community/goblin-update
stub: pin to current goblin version
2023-10-15 14:47:19 +00:00
Alois Wohlschlager b02a7e2a7f
stub: use command line from loader in insecure mode
When booting without Secure Boot active, it is not necessary to defend
against a malicious command line being passed from the loader. So just
use it in this case, to facilitate some debugging and recovery use
cases.

Fixes: https://github.com/nix-community/lanzaboote/issues/226
2023-10-15 16:04:30 +02:00
Alois Wohlschlager db39223a7c
stub: make handling of insecure boot more explicit
When Secure Boot is not available (unsupported or disabled), Lanzaboote
will attempt to boot kernels and initrds even when they fail the hash
verification. Previously, this would happen by falling back to use
LoadImage on the kernel, which fails if Secure Boot is available, as the
kernel is not signed.
The SecureBoot variable offers a more explicit way of checking whether
Secure Boot is available. If the firmware supports Secure Boot, it
initializes this variable to 1 if it is enabled, and to 0 if it is
disabled. Applications are not supposed to modify this variable, and in
particular, since only trusted applications are loaded when Secure Boot
is active, we can assume it is never changed to 0 or deleted if Secure
Boot is active.
Hence, we can be sure of Secure Boot being inactive if this variable is
absent or set to 0, and thus treat all hash verification errors as
non-fatal and proceed to boot arbitrary kernels and initrds (a warning
is still logged in this case). In all other cases, we treat all hash
verification failures as fatal security violations, as it must be done
in the case where Secure Boot is active (it is expected that this does
not lead to any false positives in practice, unless there are bigger
problems anyway).
2023-10-15 15:58:01 +02:00
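The decision logic described in the two commit messages above (treat Secure Boot as inactive only when the SecureBoot variable is absent or 0, and honour the loader's command line only in that case), restated as an added example that is not the project's stub code. The types, function names and digests are constructed for the example; what it adds to the prose is the fail-closed handling of a variable with unexpected contents, which is treated as "active".

```rust
/// Result of reading the `SecureBoot` variable, mirroring what GetVariable()
/// can return (constructed for this example; not the project's type).
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum SecureBootVar<'a> {
    NotFound,
    Found(&'a [u8]),
}

/// What the stub does after checking an image against its expected digest.
#[derive(Debug, PartialEq)]
pub enum Decision {
    Boot,
    BootWithWarning,
    SecurityViolation,
}

/// Secure Boot counts as *inactive* only if the variable is absent or is
/// exactly the single byte 0. A value of 1, an unexpected length, or garbage
/// all count as active, so a malformed variable fails closed.
pub fn secure_boot_active(var: SecureBootVar<'_>) -> bool {
    match var {
        SecureBootVar::NotFound => false,
        SecureBootVar::Found(data) => !matches!(data, [0]),
    }
}

/// Hash-verification outcome combined with the Secure Boot state. A digest
/// mismatch is fatal whenever Secure Boot is (or might be) active.
pub fn decide(var: SecureBootVar<'_>, expected: &[u8], actual: &[u8]) -> Decision {
    if expected == actual {
        Decision::Boot
    } else if secure_boot_active(var) {
        Decision::SecurityViolation
    } else {
        Decision::BootWithWarning
    }
}

/// Which kernel command line to use: the one embedded in the stub, or the one
/// the loader passed in. The loader's line is only honoured without Secure Boot.
pub fn choose_cmdline<'a>(
    var: SecureBootVar<'_>,
    embedded: &'a str,
    from_loader: Option<&'a str>,
) -> &'a str {
    match from_loader {
        Some(line) if !secure_boot_active(var) => line,
        _ => embedded,
    }
}

fn main() {
    // Constructed digests: `good` is what the stub expects, `bad` is what a
    // tampered initrd would hash to.
    let good = [0xAAu8; 32];
    let bad = [0xBBu8; 32];
    for (label, var) in [
        ("SecureBoot=1", SecureBootVar::Found(&[1])),
        ("SecureBoot=0", SecureBootVar::Found(&[0])),
        ("SecureBoot absent", SecureBootVar::NotFound),
        ("SecureBoot malformed", SecureBootVar::Found(&[0, 0])),
    ] {
        println!(
            "{label:20} mismatch -> {:?}, cmdline -> {}",
            decide(var, &good, &bad),
            choose_cmdline(var, "embedded", Some("init=/bin/sh"))
        );
    }
}
```

The asymmetry is the point: the stub only needs to prove that Secure Boot is off before relaxing anything, and every state it cannot positively classify keeps the strict path.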
Julian Stecklina c56ad52b18 stub: pin to current goblin version
goblin 0.7.1 introduces certification support for PE files. This seems to be broken, because we get:

Parsing PE failed Malformed entity: Unable to extract certificate. Probably cert_size:1599360838 is malformed!

from goblin when trying to parse our PE file in memory.

See #237 for context.
2023-10-15 15:40:57 +02:00
nikstur 62ffd894f0
Merge pull request #236 from Ma27/includeallmodules
Fix build with `documentation.nixos.includeAllModules = true;`
2023-10-14 18:46:52 +02:00
Maximilian Bosch 16c6776763
Fix build with `documentation.nixos.includeAllModules = true;`
This includes the options of all modules used in the evaluation, not
just the ones from `<nixpkgs/nixos>` in the local manual.

Right now this breaks with

    error: attribute 'loader' missing

    at /nix/store/wf59fvxch3l5s7x0pnpfv7b26q6y010x-source/nix/modules/lanzaboote.nix:26:17:

        25|     configurationLimit = mkOption {
        26|       default = config.boot.loader.systemd-boot.configurationLimit;
          |                 ^
        27|       example = 120;

I'm not sure what's up with `config.boot.loader` (had the exact same
issue with `disko`), but using `defaultText` is the common workaround
for that.
2023-10-13 22:35:58 +02:00
nikstur c865873ff5
Merge pull request #235 from nix-community/uefi-update
stub: update to latest uefi crates
2023-10-12 21:36:01 +02:00