Commit Graph

639 Commits

Author SHA1 Message Date
nikstur ed1676e544
Merge pull request #109 from nix-community/correctly-update-initrd-secrets
tool: correctly update initrd secrets
2023-02-24 01:18:57 +01:00
nikstur f4f8c41005 tests: add initrd-secrets-update
Add a test for updating the secrets on an existing initrd.
2023-02-24 01:16:52 +01:00
nikstur 75a19cd818 tool: correctly sort generation links
To correctly overwrite existing initrd with newer secrets (from newer
generations), the links need to be sorted from oldest generation to
newest.
2023-02-24 00:32:14 +01:00
nikstur 3f0669607d
Merge pull request #110 from nix-community/ensure-signed-generations
tool: ensure correct up-to-date files in the ESP
2023-02-24 00:12:02 +01:00
nikstur 1d21d7bdd8 tool: add install tests
Add a few integration tests for installing files, e.g. overwriting
signed and unsigned files.
2023-02-24 00:04:00 +01:00
nikstur 362205c2ec tool: check file hashes before copying
To minimize writes to the ESP but still find necessary changes, compare
the hashes of the files on the ESP with the "expected" hashes. Only copy
and overwrite already existing files if the hashes don't match. This
ensures a working-as-expected state on the ESP as opposed to previously
where already existing files were just ignored.
2023-02-24 00:04:00 +01:00
nikstur 06b9cdc69e tool: move file_hash() to utils module 2023-02-24 00:04:00 +01:00
nikstur 3a3ad7c40d tool: write all generation artifacts at once
Previously, generations were installed one after another. Now all
artifacts (kernels, initrd etc.) are first collected and then installed.
This way the writes to the ESP are reduced as duplicate paths are
already removed in the collection phase.
2023-02-24 00:04:00 +01:00
Janne Heß 048df99975
Properly handle fwupd update capsules
Closes #85
2023-02-23 11:38:27 +01:00
Janne Heß de4c62a1bd stub: lanzatool -> lzbt 2023-02-23 09:32:28 +01:00
Julian Stecklina 90755b789f stub: use logger instead of printing manually 2023-02-21 01:32:29 +01:00
Julian Stecklina 7bde42f4a8 stub: enable logger in uefi-services 2023-02-21 01:32:29 +01:00
nikstur 5af69f0d63
Merge pull request #111 from nix-community/uefi-update
Update Dependencies of Stub
2023-02-21 01:23:58 +01:00
Julian Stecklina 3a9cd26c5e stub: update uefi dependency to 0.19.1 2023-02-21 00:50:34 +01:00
Julian Stecklina 697d0d1baa stub: drop unused ed25519-compact dependency 2023-02-21 00:35:00 +01:00
Julian Stecklina 6924e6ea09
Merge pull request #107 from nix-community/random-names-for-tmpfiles
tool: use random names for secure tempfiles
2023-02-21 00:27:50 +01:00
Julian Stecklina 750629c860
Merge pull request #105 from nix-community/quickstart
Add a More Complete Flakes Fragment for Quickstart
2023-02-21 00:24:06 +01:00
Julian Stecklina 6e72e2fed2 doc: add a more complete flakes fragment for quickstart 2023-02-21 00:22:34 +01:00
nikstur df6b1b07f7 tool: use random names for secure tempfiles
Using random names for tempfiles makes handling them easier. It reduces
the amount of noise in the code because no custom name needs to be
provided for each tempfile. The names were not really useful in any
case.

It also does not burden the developer with ensuring uniqueness of names.
This is relevant when files for multiple generations need to be stored
in the same directory (e.g. because they need to be accessed after
handling one generation).

Out of an abundance of caution, 32 random alphanumeric characters are
chosen for each filename. The tempfile crate, in comparison, only
chooses 8. 32 characters should be enough to avoid collisions, even
if the PRNG is not of cryptographic quality.
2023-02-21 00:13:40 +01:00
Julian Stecklina ceed92460f
Merge pull request #108 from nix-community/make-test-functions-reusable
tool: make some utility test functions reusable
2023-02-20 23:23:21 +01:00
nikstur 4d2e67f799 tool: make some utility test functions reusable
Make them reusable by moving them to the common module.
2023-02-20 01:05:01 +01:00
nikstur a75e2b4c95
Merge pull request #101 from nix-community/improve-generation-name
tool: improve sd-boot generation display name
2023-02-10 17:45:05 +01:00
nikstur a8d9ea128d tool: improve sd-boot generation display name
Leverage the bootspec `label` field in its intended way. The VERSION_ID
of the os-release in the stub now only contains the generation number
and the build time. This makes a correct PRETTY_NAME entirely dependent
on correct information in the bootspec `label` field.
2023-02-10 12:25:59 +01:00
Julian Stecklina 01f8fd418a
Merge pull request #100 from nix-community/fix-build-time
tool: read build time from symlink
2023-02-09 22:42:44 +01:00
Julian Stecklina 522687b044
Merge pull request #102 from ercao/hotfix
nixos/lanzaboote: use `config.systemd.package`
2023-02-09 22:37:11 +01:00
ercao d1516ffdfd
nixos/lanzaboote: use `config.systemd.package`
Signed-off-by: ercao <vip@ercao.cn>
2023-02-09 22:24:54 +08:00
nikstur 06f921ead0 tool: read build time from symlink
Read the build time from generation symlinks in /nix/var/nix/profiles
instead of from the underlying derivation. The derivation build time
will always be a UNIX epoch of 0 because of the `nix-build` sandbox,
which is useless for identifying when a generation was created.
2023-02-09 00:29:12 +01:00
Julian Stecklina 5f5b04a6f5
Merge pull request #97 from SuperSandro2000/patch-1
Fix mixed tabs and spaces
2023-02-08 10:19:01 +01:00
Sandro ad9b9ec5b5
Fix mixed tabs and spaces 2023-02-07 23:31:58 +01:00
Julian Stecklina cb315d543c
Merge pull request #93 from nix-community/quick-start-updates
Update Sharp Edges in Quickstart Docs
2023-02-03 11:34:23 +01:00
Julian Stecklina cc2af0a081 docs: update sharp edges after Linux kernel signing changes 2023-02-03 11:29:28 +01:00
Julian Stecklina 37ccc5d578
Merge pull request #91 from nix-community/58-escape-hatch
Ignore Integrity Checks without Secure Boot
2023-02-02 22:35:35 +01:00
Julian Stecklina abd5af1250
Merge pull request #90 from nix-community/ci-fix
Fix CI Regression after Linux Loader Fix
2023-02-02 18:07:14 +01:00
Julian Stecklina 0963ba83dd tests: check whether disabled secure boot relaxes hash checks 2023-02-02 18:05:09 +01:00
Julian Stecklina 8b00b748f2 stub: add fallback for hash mismatches when Secure Boot is off 2023-02-02 18:03:54 +01:00
Julian Stecklina 8d2ebbc6a7 stub: move linux booting into its own function 2023-02-02 18:03:54 +01:00
Julian Stecklina f3ede28eac ci: fix regression after Linux loader change
Now that we don't sign the kernel anymore, we need to manually
invalidate its checksum.
2023-02-02 17:57:34 +01:00
Julian Stecklina 788e1d9fb6
Merge pull request #89 from nix-community/quick-start-updates
Add Security Disclaimer in Quickstart Docs
2023-02-02 14:37:32 +01:00
Julian Stecklina e41c02c66b docs: add short security guidelines 2023-02-02 14:21:58 +01:00
Julian Stecklina eb3b4703fd
Merge pull request #75 from alois31/unsigned-kernel
Prevent loading of untrusted initrds
2023-02-02 14:08:08 +01:00
Alois Wohlschlager 081714cab9
Pass the built-in cmdline to the kernel
Do not pass our own cmdline on to the kernel. It may have been set by a
malicious boot loader specification entry, and could instruct the
kernel to load an arbitrary unprotected initrd (or perform some other
fun stuff). Instead, always pass the command line built into the UKI,
which is properly authenticated.
2023-01-31 18:32:13 +01:00
Alois Wohlschlager 3885f114a8
Do not sign the kernel
Malicious boot loader specification entries could be used to make a
signed kernel load arbitrary unprotected initrds. Since we do not want
this, do not sign the kernel. This way, the only things allowed to boot
are our UKI stubs, which do verify the initrd.
2023-01-31 18:25:27 +01:00
Alois Wohlschlager 7387c6708d
Load the kernel image ourselves
When loading something with UEFI LoadImage, signature validation is
performed. However, we verify the kernel by its hash already, and don't
want to sign it. Hence, we have to load it on our own.
2023-01-31 18:25:14 +01:00
nikstur 60e28106e9
Merge pull request #86 from dasJ/fix/osrelease-parser
Make the os-release parser more precise
2023-01-30 15:57:12 +01:00
Janne Heß 96d52b215c
Make the os-release parser more precise
Closes #77
2023-01-30 11:46:48 +01:00
nikstur afe8bcc7be
Merge pull request #81 from nix-community/systemd-boot-loader-conf
tool: write systemd-boot loader.conf
2023-01-29 16:26:53 +01:00
nikstur ce3b2c27b5 tool: write systemd-boot loader.conf
To minimize the number of arguments passed to `lzbt`, the loader config
is assembled outside `lzbt` and passed as a single argument.

Instead of reimplementing `consoleMode` under the `lanzaboote`
namespace, `config.loader.systemd-boot.consoleMode` is reused as is.
2023-01-29 16:19:14 +01:00
nikstur 57b56e104c
Merge pull request #83 from nix-community/atomic-writes
tool: atomically write to ESP
2023-01-29 16:17:07 +01:00
nikstur 5f28ae75ea tool: atomically write to ESP
To minimize the potential for irrecoverable errors, only atomic writes
to the ESP are performed. This is implemented by first copying the file
to the destination with a `.tmp` suffix and then renaming it to the
final destination. This is atomic because the rename operation is atomic
on POSIX platforms.

Specifically, this means that even if the system crashes during the
operation, the final destination path will most likely be intact if it
exists at all. There are some nuances to this however. It **cannot** be
actually guaranteed that the operation was performed on the filesystem
level. However, this is the best we can do for now.

For reference:
- POSIX rename(2): https://pubs.opengroup.org/onlinepubs/9699919799/
- Rust fs::rename corresponds to rename(2) on Unix: https://doc.rust-lang.org/std/fs/fn.rename.html
- Rust fs::rename is implemented using libc's rename: https://github.com/rust-lang/rust/blob/master/library/std/src/sys/unix/fs.rs#L1397
- Renaming in libc is atomic: https://www.gnu.org/software/libc/manual/html_node/Renaming-Files.html
2023-01-29 15:31:38 +01:00
nikstur 41c7a14a80
Merge pull request #82 from nix-community/clean-up-nixos-tests
nix.tests: clean up
2023-01-29 00:10:27 +01:00