Enabling lanzaboote on initial installation #397

Open
opened 2024-10-13 23:04:30 +00:00 by Ten0 · 9 comments
Ten0 commented 2024-10-13 23:04:30 +00:00 (Migrated from github.com)

Hello! I've been using this successfully for a few months, and I'd like to generalize its usage.

The README specifies:
https://github.com/nix-community/lanzaboote/blob/f5a3a7dff44d131807fc1a89fbd8576cd870334a/docs/QUICK_START.md?plain=1#L33-L35

I'd like to be able to apply a configuration with lanzaboote enabled as I run `nixos-install`, and not have to manually temporarily disable it from my config during the installation, then re-enable it after the installation.

Could you please expand on the limitations that prevent running `sbctl create-keys` prior to installation, then applying the initial configuration with lanzaboote enabled right away?
Thanks!

arthsmn commented 2024-10-18 22:21:50 +00:00 (Migrated from github.com)

You can create your own ISO with your keys in it and a signed kernel. Then, you would only need to import the keys into the machine and copy the keys from the ISO to the installation.

Ten0 commented 2024-10-19 00:32:14 +00:00 (Migrated from github.com)

Hey, thanks for your answer.
I didn't mean that I wanted secure boot to be enabled prior to installation. I meant that the guide seems to express that applying a configuration that has lanzaboote enabled instead of systemd-boot during initial `nixos-install` wouldn't work, and I was wondering why creating keys in `/mnt/etc/secureboot` prior to installation wouldn't work (or if it would, why the guide seems to suggest otherwise).
Thanks!

arthsmn commented 2024-10-19 01:00:54 +00:00 (Migrated from github.com)

> Hey, thanks for your answer.
> I didn't mean that I wanted secure boot to be enabled prior to installation. I meant that the guide seems to express that applying a configuration that has lanzaboote enabled instead of systemd-boot during initial `nixos-install` wouldn't work, and I was wondering why creating keys in `/mnt/etc/secureboot` prior to installation wouldn't work (or if it would, why the guide seems to suggest otherwise).
> Thanks!

I think this is a misunderstanding of the guide, as I'm pretty sure I installed lanzaboote directly. As the module just replaces systemd-boot, in theory, if it has everything in place, it should work.

RaitoBezarius commented 2024-10-19 08:46:22 +00:00 (Migrated from github.com)

Hi there, `sbctl create-keys` is frowned upon in activation because it is a side effect that creates private keys, and private key creation in an activation script is a bit icky.

Nonetheless, as long as you copied the keys from another location, you can immediately use lanzaboote on the first `nixos-install`. Lanzaboote will not enforce Secure Boot if Secure Boot is disabled; as soon as you enroll the keys, Secure Boot will be enabled and your bootables will be signed according to the right keys, so it should work out fine in the end.

The guide is a bit conservative to avoid bad experiences, but it could indeed benefit from some clarification.

kuflierl commented 2024-11-30 19:06:42 +00:00 (Migrated from github.com)

> Hello! I've been using this successfully for a few months, and I'd like to generalize its usage.
>
> Readme specifies:
>
> https://github.com/nix-community/lanzaboote/blob/f5a3a7dff44d131807fc1a89fbd8576cd870334a/docs/QUICK_START.md?plain=1#L33-L35
>
> I'd like to be able to apply a configuration with lanzaboote enabled as I run `nixos-install`, and not have to manually temporarily disable it from my config during the installation, then re-enable it after the installation.
>
> Could you please expand on the limitations that prevent from running `sbctl create-keys` prior to installation, then applying the initial configuration with lanzaboote enabled right away? Thanks!

This is the whole point of #384. This subject is kinda controversial with the maintainers/developers of the repository, as seen in the comments of the PR.

Ten0 commented 2024-12-01 19:07:45 +00:00 (Migrated from github.com)

> This is the whole point of https://github.com/nix-community/lanzaboote/pull/384

As far as I'm concerned, I'm fine with needing to run one or two extra commands as part of my install. That is already scripted anyway for all partitioning, encryption, git clone, hardware config generation, etc.

So I don't mind that it doesn't run `sbctl create-keys`; I can just add that to my script. I'm mostly just scared that it's specified that I should apply a different config with systemd-boot instead before first boot, do the install, and only then apply with lanzaboote enabled. That seemed annoying because it means I need to apply an intermediate config during install, so I was wondering if perhaps there's something in the nixos install script that applies systemd-boot-specific configs upon install when enabled, and that wouldn't work with lanzaboote, or something along those lines.

At this point I'm rather reassured by https://github.com/nix-community/lanzaboote/issues/397#issuecomment-2423698765 but I haven't tested it yet.

kuflierl commented 2024-12-04 13:11:22 +00:00 (Migrated from github.com)

> > This is the whole point of #384
>
> As far as I'm concerned I'm fine with needing to run one or two extra commands as part of my install. That is already scripted anyway for all partitioning, encryption, git clone, hardware config generation, etc.
>
> So I don't mind that it doesn't run `sbctl create-keys`, I can just add that to my script. I'm mostly just scared that it's specified that I should apply a different config with systemd-boot instead before first boot, do the install, and only then apply with lanzaboote enabled, and that seemed annoying because it means I need to apply an intermediate config during install, so I was wondering if perhaps there's something in the nixos install script that applies systemd-boot-specific configs upon install when enabled, and that wouldn't work with lanzaboote or something along those lines.
>
> At this point I'm rather reassured by [#397 (comment)](https://github.com/nix-community/lanzaboote/issues/397#issuecomment-2423698765) but I haven't tested it yet.

I can assure you it works. I already did that.

Ten0 commented 2024-12-04 19:38:11 +00:00 (Migrated from github.com)

Thanks! Then this issue only tracks the documentation update stating that this works, I guess.

qm3ster commented 2025-05-20 00:10:50 +00:00 (Migrated from github.com)

I did `sudo sbctl create-keys -e /mnt/var/lib/sbctl --disable-landlock`
but `sudo nixos-install -v --flake /mnt/etc/nixos#nook` fails with:

```
evaluating file '<nix/derivation-internal.nix>'
installing the boot loader...
setting up /etc...
Installing Lanzaboote to "/boot"...
Failed to install generation 1: Get stub name: No such file or directory (os error 2)
Failed to install bootloader
```

which localizes the issue to this call: https://github.com/nix-community/lanzaboote/blob/2e425f3da6ce7f5b34fa6eaf7a2a7f78dbabcc85/rust/tool/systemd/src/install.rs#L267

which sounds like `<lanzaboote_binary> install --public_key <something that doesn't exist>` was called.

Ok, so it turns out:

1. I still had `pkiBundle = "/etc/secureboot";` (should be `"/var/lib/sbctl"` by the new standard)
2. For that you need to call `create-keys -e /mnt/var/lib/sbctl/keys` (note the `/keys` on the end) as per https://github.com/nix-community/lanzaboote/blob/2e425f3da6ce7f5b34fa6eaf7a2a7f78dbabcc85/nix/modules/lanzaboote.nix#L44-L56

Hope this helps someone.

Funnily enough, after everything worked out I didn't get a boot entry added to the EFI flash, so I can't actually try booting yet, but I have to go to bed now.

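The procedure that emerges from this thread (create the sbctl keys under the target root's `pkiBundle` directory, with `/keys` appended, and only then run `nixos-install`) is easy to get wrong in exactly the way the comment above describes, and the failure surfaces late, as a "Get stub name: No such file or directory" error during bootloader installation. The script below is an added example, not code from the lanzaboote project or from any commenter: a pre-flight check run from the installer that verifies the key bundle layout and private-key permissions before `nixos-install` is invoked. It assumes (these are not stated on this page) that `boot.lanzaboote.pkiBundle` defaults to `/var/lib/sbctl`, that the module reads the signing pair from `<pkiBundle>/keys/db/db.key` and `<pkiBundle>/keys/db/db.pem`, and that `sbctl create-keys -e <dir>` writes PK, KEK and db pairs under `<dir>`; the paths `/mnt` and `/var/lib/sbctl` in the usage line are the ones used in the thread.

```shell
#!/bin/sh
# Added example, not code from the lanzaboote project: a pre-flight check to
# run from the installer before `nixos-install`, so a misplaced or missing
# sbctl key bundle is caught before the bootloader installation step fails
# with "Get stub name: No such file or directory".
#
# Assumptions (not taken from the issue thread; verify against your module):
#   - `boot.lanzaboote.pkiBundle` defaults to /var/lib/sbctl;
#   - the module reads the signing key pair from <pkiBundle>/keys/db/db.key
#     and <pkiBundle>/keys/db/db.pem;
#   - `sbctl create-keys -e <dir>` writes PK, KEK and db pairs under <dir>.

# check_pki_bundle MNT PKIBUNDLE
#   MNT        mount point of the target root (e.g. /mnt)
#   PKIBUNDLE  value of boot.lanzaboote.pkiBundle as seen from the installed
#              system (e.g. /var/lib/sbctl)
# Prints every problem found; returns 0 only when all three key pairs are
# present and each private key is readable by its owner alone.
check_pki_bundle() {
    mnt=$1
    bundle=$2
    root="$mnt$bundle"
    rc=0

    # The mistake from the thread: keys created at <bundle> instead of
    # <bundle>/keys, i.e. `sbctl create-keys -e /mnt/var/lib/sbctl` without
    # the trailing /keys.
    if [ -d "$root/PK" ] && [ ! -d "$root/keys" ]; then
        echo "keys found directly under $root; sbctl create-keys must be" \
             "pointed at $root/keys"
        rc=1
    fi

    for pair in PK KEK db; do
        for ext in key pem; do
            f="$root/keys/$pair/$pair.$ext"
            if [ ! -f "$f" ]; then
                echo "missing: $f"
                rc=1
            fi
        done
        # Private key permissions: any group/other bit is a problem.
        f="$root/keys/$pair/$pair.key"
        if [ -f "$f" ]; then
            case "$(ls -ld "$f")" in
                ????------*) ;;
                *) echo "too permissive: $f (expected mode 0600)"; rc=1 ;;
            esac
        fi
    done

    if [ "$rc" -eq 0 ]; then
        echo "ok: $root/keys has PK, KEK and db key pairs"
    fi
    return "$rc"
}

# Usage from the installer, aborting before nixos-install on any problem:
#   sh check_pki_bundle.sh /mnt /var/lib/sbctl && nixos-install --flake /mnt/etc/nixos#host
if [ "$#" -eq 2 ]; then
    check_pki_bundle "$1" "$2"
fi
```

The permission check reads the first ten characters of `ls -ld`, which keeps the script POSIX-portable (no `stat` flag differences); the layout check mirrors the two findings in the comment above, a wrong `pkiBundle` path and keys created one directory too high.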
Reference: raito/lanzaboote#397