Commit Graph

25 Commits

Author SHA1 Message Date
nikstur d470342af6 tests: remove custom OVMF overrides
The newest version of OVMF works now, so we don't need to fetch the old
version anymore.

Instead of doing custom overrides, we can also just use what the
upstream qemu-vm modules does.
2024-03-01 20:22:02 +01:00
Julian Stecklina 14afe7ce9b tests: check whether our UKIs are recognized 2024-02-10 20:52:22 +01:00
Jörg Thalheim d7d63e6b6c disable synthesis test on aarch64-linux 2024-01-15 18:39:26 +01:00
Jörg Thalheim 65330d8172 fix hardcoded efi arch in tests
Update nix/tests/lanzaboote.nix

Co-authored-by: nikstur <nikstur@outlook.com>
2024-01-15 18:39:26 +01:00
Raito Bezarius 1859491609 tests: add 5 minutes default timeout
By default, it is one hour but our CI cannot handle that many VM tests, so we switch to 5 minutes default timeouts.
2023-10-30 13:40:20 +01:00
Julian Stecklina 56386ae1c3 fixtures: add snakeoil dbx pem
sbctl 0.12 wants to have the forbidden signatures or fails to enroll
keys.
2023-10-24 00:23:48 +02:00
Julian Stecklina 65003165c8 tests: downgrade from edk2 202308 to 202305 2023-10-19 21:14:45 +02:00
Alois Wohlschlager db39223a7c
stub: make handling of insecure boot more explicit
When Secure Boot is not available (unsupported or disabled), Lanzaboote
will attempt to boot kernels and initrds even when they fail the hash
verification. Previously, this would happen by falling back to use
LoadImage on the kernel, which fails if Secure Boot is available, as the
kernel is not signed.
The SecureBoot variable offers a more explicit way of checking whether
Secure Boot is available. If the firmware supports Secure Boot, it
initializes this variable to 1 if it is enabled, and to 0 if it is
disabled. Applications are not supposed to modify this variable, and in
particular, since only trusted applications are loaded when Secure Boot
is active, we can assume it is never changed to 0 or deleted if Secure
Boot is active.
Hence, we can be sure of Secure Boot being inactive if this variable is
absent or set to 0, and thus treat all hash verification errors as
non-fatal and proceed to boot arbitrary kernels and initrds (a warning
is still logged in this case). In all other cases, we treat all hash
verification failures as fatal security violations, as it must be done
in the case where Secure Boot is active (it is expected that this does
not lead to any false positives in practice, unless there are bigger
problems anyway).
2023-10-15 15:58:01 +02:00
Alois Wohlschlager ca070a9eec
tool: make stubs input-addressed
The stubs on the ESP are now input-addressed, where the inputs are the
system toplevel and the public key used for signature. This way, it is
guaranteed that any stub at a given path will boot the desired system,
even in the presence of one of the two edge-cases where it was not
previously guaranteed:
* The latest generation was deleted at one point, and its generation
  number was reused by a different system configuration. This is
  detected because the toplevel will change.
* The secure boot signing key was rotated, so old stubs would not boot
  at all any more. This is detected because the public key will change.

Avoiding these two cases will allow to skip reinstallation of stubs that
are already in place at the correct path.
2023-10-03 22:08:10 +02:00
Alois Wohlschlager 240914d763
tool: make kernels and initrds content-addressed
Kernels and initrds on the ESP are now content-addressed. By definition,
it is impossible for two different kernels or initrds to ever end up at
the same place, even in the presence of changing initrd secrets or other
unreproducibility.

The basic advantage of this is that installing the kernel or initrd for
a generation can never break another generation. In turn, this enables
the following two improvements:
* All generations can be installed independently. In particular, the
  installation can be performed in one pass, one generation at a time.
  As a result, the code is significantly simplified, and memory usage
  (due to the temporary files) does not grow with the number of
  generations any more.
* Generations that already have their files in place on the ESP do not
  need to be reinstalled. This will be taken advantage of in a
  subsequent commit.
2023-10-03 22:08:03 +02:00
nikstur 7ecafb2947 stub: add fat variant
A compile time feature is introduced that allows to build "fat" stubs
that can be used to build "fat" UKIs. "fat" here means that the actual
kernel and initrd are embedded in the PE binary, not only the file path
and hash. This brings us one step closer to feature partiy with
systemd-stub and thus one step closer to replacing it fully. Such a
"fat" or "real" UKI is also interesting for image-based deployments of
NixOS.
2023-05-24 22:09:28 +02:00
Raito Bezarius f603e0c134 tests: support TPM2 + SecureBoot tests
Test that our measurements exposes a TPM PCR index in the userspace
through efivarfs.
2023-05-18 19:06:32 +02:00
Raito Bezarius 9dd9116b1e stub: export boot loader interface efivars 2023-05-05 20:11:55 +02:00
Raito Bezarius 4ef6957f88 feat: enable synthesis support
Bootspec has a mechanism called synthesis where you can synthesize
bootspecs if they are not present based on the generation link only.

This is useful for "vanilla bootspec" which does not contain any
extensions, as this is what we do right now.

If we need extensions, we can also implement our synthesis mechanism on
the top of it.

Enabling synthesis gives us the superpower to support non-bootspec
users. :-)
2023-04-29 22:55:39 +02:00
Raito Bezarius 9fe979d2d6 tests: adopt bootspec v1 format 2023-04-29 15:21:38 +02:00
nikstur a886416d69 treewide: remove nixpkgs-test 2023-04-24 22:25:57 +02:00
Mia Kanashi ea5e2ba437 nixos-module: add settings key for the loader.conf
This commit adds settings key for configuring systemd-boot to the lanzaboot
nixos module. The are couple of the default values that are set from the usual
nixos boot.loader.systemd-boot options, they are merged with the user defined
configuration.

This commit modifies default loader.conf to boot into the latest nixos
generation by default, for when you have other operating systems installed.

Primary reason behind this PR is to allow extensible loader configuration.

Co-authored-by: Raito Bezarius <masterancpp@gmail.com>
2023-03-21 15:48:56 +01:00
nikstur ab4e90c331 tests: correctly test appending secret to initrd
The way the test was implemented previously did not make it fail if no
secret was appended to the initrd. Now it is implemented similary to the
initrd-secrets test in Nixpkgs and works correctly.
2023-02-25 21:41:38 +01:00
nikstur f4f8c41005 tests: add initrd-secrets-update
Add a test for updating the secrets on an existing initrd.
2023-02-24 01:16:52 +01:00
Julian Stecklina 0963ba83dd tests: check whether disabled secure boot relaxes hash checks 2023-02-02 18:05:09 +01:00
Julian Stecklina f3ede28eac ci: fix regression after Linux loader change
Now that we don't sign the kernel anymore, we need to manually
invalidate its checksum.
2023-02-02 17:57:34 +01:00
nikstur ce3b2c27b5 tool: write systemd-boot loader.conf
To minimize the number of arguments passed to `lzbt`, the loader config
is assembled outside `lzbt` and passed as a single argument.

Instead of reimplementing `consoleMode` under the `lanzaboote`
namespace, `config.loader.systemd-boot.consoleMode` is reused as is.
2023-01-29 16:19:14 +01:00
nikstur fd2e7f7a40 nix.tests: clean up
The test attributes and names are simplified and standardized. They now
roughly follow the same structure as the systemd-boot test in Nixpkgs.
Some comments are added and variable names changed to make it more clear
what they actually do.
2023-01-28 01:40:48 +01:00
nikstur efa2410292 treewide: move uefi-keys into test fixtures
To clean up the repository move the uefi keys (`pki/`) to
`nix/tests/fixtures/uefi-keys`.
2023-01-26 01:18:41 +01:00
nikstur 7d5ac15cbb nix.tests: move from flake 2022-12-25 18:49:28 +01:00