auto-enroll: use safe auto enrollment rather than YOLO enrollment #229

Closed
RaitoBezarius wants to merge 1 commit from systemd-sb-enroll into master
RaitoBezarius commented 2023-09-29 03:04:16 +00:00 (Migrated from github.com)

This uses the systemd semantics for automatic enrollment at boot time.

For now, it is very simple; in the future, we can better use this option to push the proper auth files with names or have Type #1 entries for enrollment. :)

~~This PR relies on unreleased commits in nixpkgs for the testing framework to detect properly for EFI resets as for some reason this makes the whole thing hang otherwise…~~

In other news, your wish has been granted @blitz !
RaitoBezarius commented 2023-09-30 15:04:36 +00:00 (Migrated from github.com)

Depends on QMP API being upstreamed.
blitz (Migrated from github.com) approved these changes 2023-10-19 16:05:46 +00:00
blitz (Migrated from github.com) left a comment

The approach looks good to me!
RaitoBezarius commented 2024-01-05 04:05:52 +00:00 (Migrated from github.com)

Note to myself: finish merging the stuff inside of nixpkgs for the QMP.
nikstur commented 2024-01-21 12:33:55 +00:00 (Migrated from github.com)

> Depends on QMP API being upstreamed.

I remember that you explained to me in person why this is needed, but I think I forgot. Wouldn't this solution be just as bad/good as our current solution?
nikstur (Migrated from github.com) reviewed 2024-01-22 12:41:15 +00:00
nikstur (Migrated from github.com) commented 2024-01-22 12:41:14 +00:00

How do you set `secure-boot-enroll` to force? Is this an EFI variable?
RaitoBezarius (Migrated from github.com) reviewed 2024-02-11 15:39:38 +00:00
RaitoBezarius (Migrated from github.com) commented 2024-02-11 15:39:38 +00:00

Documented, it's in the configuration file.
RaitoBezarius commented 2024-02-11 15:40:45 +00:00 (Migrated from github.com)

PTAL @nikstur @blitz.
RaitoBezarius commented 2024-02-11 16:25:59 +00:00 (Migrated from github.com)

ffs:

```
vm-test-run-lanzaboote> machine # NixOS Uakari 24.05pre-git (Linux 6.1.76) (Generation 1, 2024-02-11)
Reboot Into Firmware Interface
Enroll Secure Boot keys: auto
Boot in 5 s.
-------------------------------------------------------------------------------
Boot in 4 s.
-------------------------------------------------------------------------------
Boot in 3 s.
-------------------------------------------------------------------------------
Boot in 2 s.
-------------------------------------------------------------------------------
Boot in 1 s.
-------------------------------------------------------------------------------
[ WARN]: stub/src/common.rs@077: Secure Boot is not active!
vm-test-run-lanzaboote> machine # EFI stub: Booting Linux Kernel...
vm-test-run-lanzaboote> machine # EFI stub: ERROR: FIRMWARE BUG: kernel image not aligned on 64k boundary
vm-test-run-lanzaboote> machine # EFI stub: Loaded initrd from LINUX_EFI_INITRD_MEDIA_GUID device path
```

it doesn't enroll on aarch64.
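
A way to check from the booted system whether enrollment took effect, as an added example that is not part of this PR or of lanzaboote: it decodes the `SetupMode` and `SecureBoot` variables in the efivarfs layout and separates "still in setup mode" from "keys enrolled but Secure Boot not active". The function names, state names and sample bytes are constructed for illustration.

```python
"""Classify firmware Secure Boot state from efivarfs (added example)."""
import struct
from pathlib import Path

# GUID of the EFI global variable namespace, from the UEFI specification.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")


def decode_flag(raw: bytes) -> bool:
    """An efivarfs file is a 4-byte little-endian attribute word followed by
    the data; SetupMode and SecureBoot each hold one byte, 0 or 1."""
    if len(raw) != 5:
        raise ValueError(f"expected 4 attribute bytes + 1 value byte, got {len(raw)}")
    _attrs, value = struct.unpack("<IB", raw)
    if value not in (0, 1):
        raise ValueError(f"unexpected flag value {value}")
    return bool(value)


def classify(setup_mode: bytes, secure_boot: bytes) -> str:
    """Map the two flags to a state name (names are hypothetical)."""
    setup, active = decode_flag(setup_mode), decode_flag(secure_boot)
    if setup and active:
        return "inconsistent"        # the firmware should never report both
    if setup:
        return "setup-mode"          # no PK enrolled: enrollment did not happen
    if active:
        return "enforcing"           # PK enrolled and Secure Boot active
    return "enrolled-not-enforcing"  # PK enrolled, Secure Boot switched off


def read_state(root: Path = EFIVARS) -> str:
    """Read both variables from a mounted efivarfs and classify them."""
    raw = [(root / f"{name}-{EFI_GLOBAL}").read_bytes()
           for name in ("SetupMode", "SecureBoot")]
    return classify(*raw)


# Constructed sample values: attributes 0x6 (boot-service + runtime access).
SAMPLE_SETUP = bytes([6, 0, 0, 0, 1])
SAMPLE_USER = bytes([6, 0, 0, 0, 0])

if __name__ == "__main__":
    print(read_state() if EFIVARS.is_dir() else classify(SAMPLE_SETUP, SAMPLE_USER))
```
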
RaitoBezarius commented 2024-02-11 16:54:05 +00:00 (Migrated from github.com)

and now I assume that events for aarch64 VMs are fried...
RaitoBezarius commented 2024-02-11 20:30:36 +00:00 (Migrated from github.com)

OK, I was holding my own code wrong.
RaitoBezarius commented 2024-02-12 13:19:35 +00:00 (Migrated from github.com)

Ah yes,

  • "without Secure Boot" does not provoke any key enrollment.
  • export UEFI variables are failing for interesting reasons.
blitz (Migrated from github.com) reviewed 2024-03-19 08:39:44 +00:00
blitz (Migrated from github.com) commented 2024-03-19 08:39:44 +00:00

nit: You could elaborate here a bit, so people know why this wrinkle exists and when it may go away.
blitz (Migrated from github.com) approved these changes 2024-03-19 08:40:33 +00:00
blitz (Migrated from github.com) left a comment

Looks good to me!

@RaitoBezarius It looks like the tests need some love. Feel free to merge after fixing them.

Pull request closed
