{ pkgs , lanzabooteModule }: let inherit (pkgs) lib; mkSecureBootTest = { name, machine ? { }, useSecureBoot ? true, testScript }: pkgs.nixosTest { inherit name testScript; nodes.machine = { lib, ... }: { imports = [ lanzabooteModule machine ]; virtualisation = { useBootLoader = true; useEFIBoot = true; inherit useSecureBoot; }; boot.loader.efi = { canTouchEfiVariables = true; }; boot.lanzaboote = { enable = true; enrollKeys = lib.mkDefault true; pkiBundle = ./fixtures/uefi-keys; }; }; }; # Execute a boot test that has an intentionally broken secure boot # chain. This test is expected to fail with Secure Boot and should # succeed without. # # Takes a set `path` consisting of a `src` and a `dst` attribute. The file at # `src` is copied to `dst` inside th VM. Optionally append some random data # ("crap") to the end of the file at `dst`. This is useful to easily change # the hash of a file and produce a hash mismatch when booting the stub. mkHashMismatchTest = { name, path, appendCrap ? false, useSecureBoot ? true }: mkSecureBootTest { inherit name; inherit useSecureBoot; testScript = '' import json import os.path bootspec = None def convert_to_esp(store_file_path): store_dir = os.path.basename(os.path.dirname(store_file_path)) filename = os.path.basename(store_file_path) return f'/boot/EFI/nixos/{store_dir}-{filename}.efi' machine.start() bootspec = json.loads(machine.succeed("cat /run/current-system/boot.json")).get('v1') assert bootspec is not None, "Unsupported bootspec version!" src_path = ${path.src} dst_path = ${path.dst} machine.succeed(f"cp -rf {src_path} {dst_path}") '' + lib.optionalString appendCrap '' machine.succeed(f"echo Foo >> {dst_path}") '' + '' machine.succeed("sync") machine.crash() machine.start() '' + (if useSecureBoot then '' machine.wait_for_console_text("Hash mismatch") '' else '' # Just check that the system came up. print(machine.succeed("bootctl", timeout=120)) ''); }; # The initrd is not directly signed. Its hash is embedded into # lanzaboote. To make integrity verification fail, we actually have # to modify the initrd. Appending crap to the end is a harmless way # that would make the kernel still accept it. mkModifiedInitrdTest = { name, useSecureBoot }: mkHashMismatchTest { inherit name useSecureBoot; path = { src = "bootspec.get('initrd')"; dst = "convert_to_esp(bootspec.get('initrd'))"; }; appendCrap = true; }; mkModifiedKernelTest = { name, useSecureBoot }: mkHashMismatchTest { inherit name useSecureBoot; path = { src = "bootspec.get('kernel')"; dst = "convert_to_esp(bootspec.get('kernel'))"; }; appendCrap = true; }; in { # TODO: user mode: OK # TODO: how to get in: {deployed, audited} mode ? basic = mkSecureBootTest { name = "lanzaboote"; testScript = '' machine.start() assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status") ''; }; systemd-initrd = mkSecureBootTest { name = "lanzaboote-systemd-initrd"; machine = { ... }: { boot.initrd.systemd.enable = true; }; testScript = '' machine.start() assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status") ''; }; # Test that a secret is appended to the initrd during installation. Smilar to # the initrd-secrets test in Nixpkgs: # https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/initrd-secrets.nix initrd-secrets = let secret = (pkgs.writeText "oh-so-secure" "uhh-ooh-uhh-security"); in mkSecureBootTest { name = "lanzaboote-initrd-secrets"; machine = { ... }: { boot.initrd.secrets = { "/test" = secret; }; boot.initrd.postMountCommands = '' cp /test /mnt-root/secret-from-initramfs ''; }; testScript = '' machine.start() machine.wait_for_unit("multi-user.target") machine.succeed("cmp ${secret} /secret-from-initramfs") assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status") ''; }; # Test that the secrets configured to be appended to the initrd get updated # when installing a new generation even if the initrd itself (i.e. its store # path) does not change. # # An unfortunate result of this NixOS feature is that updating the secrets # without creating a new initrd might break previous generations. Lanzaboote # has no control over that. # # This tests uses a specialisation to imitate a newer generation. This works # because `lzbt` installs the specialisation of a generation AFTER installing # the generation itself (thus making the specialisation "newer"). initrd-secrets-update = let originalSecret = (pkgs.writeText "oh-so-secure" "uhh-ooh-uhh-security"); newSecret = (pkgs.writeText "newly-secure" "so-much-better-now"); in mkSecureBootTest { name = "lanzaboote-initrd-secrets-update"; machine = { pkgs, lib, ... }: { boot.initrd.secrets = { "/test" = lib.mkDefault originalSecret; }; boot.initrd.postMountCommands = '' cp /test /mnt-root/secret-from-initramfs ''; specialisation.variant.configuration = { boot.initrd.secrets = { "/test" = newSecret; }; }; }; testScript = '' machine.start() machine.wait_for_unit("multi-user.target") # Assert that only two boot files exists (a single kernel and a single # initrd). If there are two initrds, the test would not be able to test # updating the secret of an already existing initrd. assert int(machine.succeed("ls -1 /boot/EFI/nixos | wc -l")) == 2 # It is expected that the initrd contains the new secret. machine.succeed("cmp ${newSecret} /secret-from-initramfs") ''; }; modified-initrd-doesnt-boot-with-secure-boot = mkModifiedInitrdTest { name = "modified-initrd-doesnt-boot-with-secure-boot"; useSecureBoot = true; }; modified-initrd-boots-without-secure-boot = mkModifiedInitrdTest { name = "modified-initrd-boots-without-secure-boot"; useSecureBoot = false; }; modified-kernel-doesnt-boot-with-secure-boot = mkModifiedKernelTest { name = "modified-kernel-doesnt-boot-with-secure-boot"; useSecureBoot = true; }; modified-kernel-boots-without-secure-boot = mkModifiedKernelTest { name = "modified-kernel-boots-without-secure-boot"; useSecureBoot = false; }; specialisation-works = mkSecureBootTest { name = "specialisation-still-boot-under-secureboot"; machine = { pkgs, ... }: { specialisation.variant.configuration = { environment.systemPackages = [ pkgs.efibootmgr ]; }; }; testScript = '' machine.start() print(machine.succeed("ls -lah /boot/EFI/Linux")) # TODO: make it more reliable to find this filename, i.e. read it from somewhere? machine.succeed("bootctl set-default nixos-generation-1-specialisation-variant.efi") machine.succeed("sync") machine.fail("efibootmgr") machine.crash() machine.start() print(machine.succeed("bootctl")) # Only the specialisation contains the efibootmgr binary. machine.succeed("efibootmgr") ''; }; systemd-boot-loader-config = mkSecureBootTest { name = "lanzaboote-systemd-boot-loader-config"; machine = { boot.loader.timeout = 0; boot.loader.systemd-boot.consoleMode = "auto"; }; testScript = '' machine.start() actual_loader_config = machine.succeed("cat /boot/loader/loader.conf").split("\n") expected_loader_config = ["timeout 0", "console-mode auto"] assert all(cfg in actual_loader_config for cfg in expected_loader_config), \ f"Expected: {expected_loader_config} is not included in actual config: '{actual_loader_config}'" ''; }; }