Lanzatool doesn't sign kernel #56

New issue

Closed

opened 2023-01-08 23:40:53 +00:00 by blitz · 1 comment

blitz commented 2023-01-08 23:40:53 +00:00 (Migrated from github.com)

Copy link

I've just switched to boot.lanzaboote.enable = true; and noticed that the Linux kernel and systemd-boot did not get signed:

$ sudo nixos-rebuild -L boot --flake . --builders ""
building the system configuration...
trace: warning: RFC-0125 is not merged yet, this is a feature preview of bootspec.
        The schema is not definitive and features are not guaranteed to be stable until RFC-0125 is merged.
        See:
        - https://github.com/NixOS/nixpkgs/pull/172237 to track merge status in nixpkgs.
        - https://github.com/NixOS/rfcs/pull/125 to track RFC status.

Installing generation 353
Appending secrets to initrd...
/boot/EFI/BOOT/BOOTX64.EFI already exists, skipping...
/boot/EFI/systemd/systemd-bootx64.efi already exists, skipping...
/boot/EFI/nixos/0n01vj3mq06pc31i2yhxndvhv4kwl2vp-linux-6.1.3-bzImage.efi already exists, skipping...
/boot/EFI/nixos/lzxjx9ykfzhv5c2r4v36v2w7b69yrpc1-initrd-linux-6.1.3-initrd.efi already exists, skipping...
Signing and installing /boot/EFI/Linux/nixos-generation-353.efi...
Successfully installed lanzaboote to '/boot'
Installing generation 352
Appending secrets to initrd...
/boot/EFI/BOOT/BOOTX64.EFI already exists, skipping...
/boot/EFI/systemd/systemd-bootx64.efi already exists, skipping...
/boot/EFI/nixos/0n01vj3mq06pc31i2yhxndvhv4kwl2vp-linux-6.1.3-bzImage.efi already exists, skipping...
/boot/EFI/nixos/lzxjx9ykfzhv5c2r4v36v2w7b69yrpc1-initrd-linux-6.1.3-initrd.efi already exists, skipping...
Signing and installing /boot/EFI/Linux/nixos-generation-352.efi...
Successfully installed lanzaboote to '/boot'
'/boot/EFI/nixos/.extra-files' not in use anymore. Removing...
'/boot/EFI/Linux/nixos-generation-351.efi' not in use anymore. Removing...

$ sudo sbctl verify
Verifying file database and EFI images in /boot...
✗ /boot/EFI/BOOT/BOOTX64.EFI is not signed
✓ /boot/EFI/Linux/nixos-generation-352.efi is signed
✓ /boot/EFI/Linux/nixos-generation-353.efi is signed
✗ /boot/EFI/nixos/0n01vj3mq06pc31i2yhxndvhv4kwl2vp-linux-6.1.3-bzImage.efi is not signed
✗ /boot/EFI/systemd/systemd-bootx64.efi is not signed

I've just switched to `boot.lanzaboote.enable = true;` and noticed that the Linux kernel and systemd-boot did not get signed: ```console $ sudo nixos-rebuild -L boot --flake . --builders "" building the system configuration... trace: warning: RFC-0125 is not merged yet, this is a feature preview of bootspec. The schema is not definitive and features are not guaranteed to be stable until RFC-0125 is merged. See: - https://github.com/NixOS/nixpkgs/pull/172237 to track merge status in nixpkgs. - https://github.com/NixOS/rfcs/pull/125 to track RFC status. Installing generation 353 Appending secrets to initrd... /boot/EFI/BOOT/BOOTX64.EFI already exists, skipping... /boot/EFI/systemd/systemd-bootx64.efi already exists, skipping... /boot/EFI/nixos/0n01vj3mq06pc31i2yhxndvhv4kwl2vp-linux-6.1.3-bzImage.efi already exists, skipping... /boot/EFI/nixos/lzxjx9ykfzhv5c2r4v36v2w7b69yrpc1-initrd-linux-6.1.3-initrd.efi already exists, skipping... Signing and installing /boot/EFI/Linux/nixos-generation-353.efi... Successfully installed lanzaboote to '/boot' Installing generation 352 Appending secrets to initrd... /boot/EFI/BOOT/BOOTX64.EFI already exists, skipping... /boot/EFI/systemd/systemd-bootx64.efi already exists, skipping... /boot/EFI/nixos/0n01vj3mq06pc31i2yhxndvhv4kwl2vp-linux-6.1.3-bzImage.efi already exists, skipping... /boot/EFI/nixos/lzxjx9ykfzhv5c2r4v36v2w7b69yrpc1-initrd-linux-6.1.3-initrd.efi already exists, skipping... Signing and installing /boot/EFI/Linux/nixos-generation-352.efi... Successfully installed lanzaboote to '/boot' '/boot/EFI/nixos/.extra-files' not in use anymore. Removing... '/boot/EFI/Linux/nixos-generation-351.efi' not in use anymore. Removing... $ sudo sbctl verify Verifying file database and EFI images in /boot... ✗ /boot/EFI/BOOT/BOOTX64.EFI is not signed ✓ /boot/EFI/Linux/nixos-generation-352.efi is signed ✓ /boot/EFI/Linux/nixos-generation-353.efi is signed ✗ /boot/EFI/nixos/0n01vj3mq06pc31i2yhxndvhv4kwl2vp-linux-6.1.3-bzImage.efi is not signed ✗ /boot/EFI/systemd/systemd-bootx64.efi is not signed ```

blitz commented 2023-01-11 09:00:18 +00:00 (Migrated from github.com)

Copy link

Closing as a duplicate of #39.

Closing as a duplicate of #39.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

test

qm3ster/patch-1

blitz/npins

enroll-keys

github-actions

systemd-sb-enroll

fix-ci

bump-edk2

global-credentials

signing-client

in-memory-assembling

cpio-packing

uboot

netboot

experiment-sd-addons

insecure-boot

refactor-building

tpm2-pcr-sections

bootsplash

sd-stub-dtb

bzimage-load

configuration-limit-test

boot-file-integrity-investigation

crane-uefi

v0.4.2

v0.4.1

v0.4.0

v0.3.0

v0.2.0

v0.1.0

Labels

Clear labels   

bug

Something isn't working

  

dependency

Issues related to our dependencies

  

documentation

Improvements or additions to documentation

  

duplicate

This issue or pull request already exists

  

enhancement

New feature or request

  

good first issue

Good for newcomers

  

help wanted

Extra attention is needed

  

invalid

This doesn't seem right

  

question

Further information is requested

  

review-next

  

security

  

stub

  

tool

  

wontfix

This will not be worked on

No labels

bug

dependency

documentation

duplicate

enhancement

good first issue

help wanted

invalid

question

review-next

security

stub

tool

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: raito/lanzaboote#56

No description provided.