raito/lanzaboote
0
0
Fork 0
Code Issues 45 Pull requests 6 Projects Releases 6 Packages Wiki Activity Actions

Xen support #387

Open
CertainLach wants to merge 8 commits from CertainLach/feat/xen into master
pull from: CertainLach/feat/xen
merge into: raito:master
Conversation 30 Commits 8 Files changed 5 +206 -25
CertainLach commented 2024-08-25 02:45:07 +00:00 (Migrated from github.com)
Copy link

https://github.com/NixOS/nixpkgs/pull/324911 implements Xen hypervisor support in NixOS, this PR implements Xen support in lanzaboote when used together with mentioned PR.

  • It is impossible to have xen enabled for specialization, only primary system can have it, due to https://github.com/DeterminateSystems/bootspec/issues/147

  • Current implementation produces very large EFI binaries (>160M, prepare your /boot partitions), because Xen can't verify linux image by itself, and it needs to be included in Xen unified kernel image (https://xenbits.xenproject.org/docs/unstable/misc/efi.html), which only supports unpacked (vmlinux) kernels (as far as I can see, using any other format (vmlinuz/bzImage) results in "Not an ELF binary" error).

    • Looks like bzImage not working was caused by alignment issues, with 4K section alignment it just works, and EFI binary was shrunk to 40M
    • Maybe it is possible to create a stub linux kernel, which will load the real kernel from directory? xen.efi is still big, but I don't see a way to implement proper file separation for it. Unless... How hard is to assemble and execute unified xen image in-memory during the boot?

  • Because there is no path to vmlinux image present in boot.json, extra configuration is required:
    boot.bootspec.extensions."org.xenproject.bootspec.v1".vmlinux = "${config.system.build.kernel.dev}/vmlinux";

    • bzImage now just works.

  • Created xen boot entries are located lower than entries obtained from plain nixos UKI images, because I haven't figured how to provide systemd-boot with sort key.

    • Entry order is now correct

  • Garbage collection doesn't work for /boot/loader/entries (I'm not sure how it is supposed to work).

    • Fixed.

Cc: @SigmaSquadron

https://github.com/NixOS/nixpkgs/pull/324911 implements Xen hypervisor support in NixOS, this PR implements Xen support in lanzaboote when used together with mentioned PR. - [ ] It is impossible to have xen enabled for specialization, only primary system can have it, due to https://github.com/DeterminateSystems/bootspec/issues/147 - [x] Current implementation produces very large EFI binaries (>160M, prepare your /boot partitions), because Xen can't verify linux image by itself, and it needs to be included in Xen unified kernel image (https://xenbits.xenproject.org/docs/unstable/misc/efi.html), which only supports unpacked (vmlinux) kernels (as far as I can see, using any other format (vmlinuz/bzImage) results in "Not an ELF binary" error). - Looks like bzImage not working was caused by alignment issues, with 4K section alignment it just works, and EFI binary was shrunk to 40M - Maybe it is possible to create a stub linux kernel, which will load the real kernel from directory? xen.efi is still big, but I don't see a way to implement proper file separation for it. Unless... How hard is to assemble and execute unified xen image in-memory during the boot? - [x] Because there is no path to vmlinux image present in boot.json, extra configuration is required: boot.bootspec.extensions."org.xenproject.bootspec.v1".vmlinux = "${config.system.build.kernel.dev}/vmlinux"; - bzImage now just works. - [x] Created xen boot entries are located lower than entries obtained from plain nixos UKI images, because I haven't figured how to provide systemd-boot with sort key. - Entry order is now correct - [x] Garbage collection doesn't work for /boot/loader/entries (I'm not sure how it is supposed to work). - Fixed. Cc: @SigmaSquadron
👍 1
SigmaSquadron commented 2024-08-25 13:12:10 +00:00 (Migrated from github.com)
Copy link

This is wonderful; thank you!

Created xen boot entries are located lower than entries obtained from plain nixos UKI images, because I haven't figured how to provide systemd-boot with sort key.

I'm using the same sort_key in the systemd-boot builder. Due to the (with Xen Hypervisor) in parenthesis right next to the normal title, systemd-boot bumps it higher up in the list.

It is also impossible to have xen enabled for specialization, only primary system can have it, due to https://github.com/DeterminateSystems/bootspec/issues/147

I asked Ryan Lahfa in the Bootspec room when I was figuring out the stuff needed for the systemd-boot builder, and they mentioned that you can look into the boot.json for each specialisation, and while it looks like a normal boot.json, it doesn't have the specialisation extension, and the top-level arguments are specific to that specialisation. I imagined booting Xen in specialisations would also work, as if the specialisation is meant to be a Xen dom0, the specialisation-specific boot.json would have Xen entries.

This is wonderful; thank you! > Created xen boot entries are located lower than entries obtained from plain nixos UKI images, because I haven't figured how to provide systemd-boot with sort key. I'm using the same `sort_key` in the [systemd-boot builder](https://github.com/NixOS/nixpkgs/blob/4b7761bf83b112ec866ea7e482ab32b5a3ffaf45/nixos/modules/virtualisation/xen-dom0.nix#L145-L149). Due to the `(with Xen Hypervisor)` in parenthesis right next to the normal title, systemd-boot bumps it higher up in the list. > It is also impossible to have xen enabled for specialization, only primary system can have it, due to https://github.com/DeterminateSystems/bootspec/issues/147 I asked Ryan Lahfa in the Bootspec room when I was figuring out the stuff needed for the systemd-boot builder, and they mentioned that you can look into the `boot.json` for each specialisation, and while it looks like a normal `boot.json`, it doesn't have the specialisation extension, and the top-level arguments are specific to that specialisation. I imagined booting Xen in specialisations would also work, as if the specialisation is meant to be a Xen dom0, the specialisation-specific `boot.json` would have Xen entries.
CertainLach commented 2024-08-25 13:20:15 +00:00 (Migrated from github.com)
Copy link

I'm using the same sort_key in the systemd-boot builder. Due to the (with Xen Hypervisor) in parenthesis right next to the normal title, systemd-boot bumps it higher up in the list.

I don't have "with Xen Hypervisor" here, sort-key was not enough, I have added version & renamed entry file name (== entry id) to make it sort correctly.

My primary system has xen enabled, and I have specialization with noxen tag, and it now orders entries exactly as with plain UKI images.

> I'm using the same sort_key in the [systemd-boot builder](https://github.com/NixOS/nixpkgs/blob/4b7761bf83b112ec866ea7e482ab32b5a3ffaf45/nixos/modules/virtualisation/xen-dom0.nix#L145-L149). Due to the (with Xen Hypervisor) in parenthesis right next to the normal title, systemd-boot bumps it higher up in the list. I don't have "with Xen Hypervisor" here, sort-key was not enough, I have added version & renamed entry file name (== entry id) to make it sort correctly. My primary system has xen enabled, and I have specialization with noxen tag, and it now orders entries exactly as with plain UKI images.
CertainLach commented 2024-08-25 13:23:16 +00:00 (Migrated from github.com)
Copy link

I asked Ryan Lahfa in the Bootspec room when I was figuring out the stuff needed for the systemd-boot builder, and they mentioned that you can look into the boot.json for each specialisation

Lanzaboote uses top-level boot.json, where specializations are described using "org.nixos.specialisation.v1" key.

It is possible to look directly in specialization directories (/run/current-system/specialisation/X/boot.json), but it looks wrong, toplevel definition (/run/current-system/boot.json) should work too.

> I asked Ryan Lahfa in the Bootspec room when I was figuring out the stuff needed for the systemd-boot builder, and they mentioned that you can look into the boot.json for each specialisation Lanzaboote uses top-level boot.json, where specializations are described using "org.nixos.specialisation.v1" key. It is possible to look directly in specialization directories (/run/current-system/specialisation/X/boot.json), but it looks wrong, toplevel definition (/run/current-system/boot.json) should work too.
👍 1
CertainLach commented 2024-08-25 13:28:47 +00:00 (Migrated from github.com)
Copy link

For reference, current bootctl list output, where primary system has xen enabled, and noxen specialization has xen disabled. The ordering in bootctl list matches one in bootloader.

         type: Boot Loader Specification Type #1 (.conf)
        title: NixOS Vicuna 24.11.20240825.dirty (Linux 6.6.47) (Generation 250, 2024-08-25) (default) (selected)
           id: nixos-generation-250-ic4qfdwopgpyk4vifr3lub4png6dgnydgwqxsi6pt5yosoczhdmq.efi.conf
       source: /boot//loader/entries/nixos-generation-250-ic4qfdwopgpyk4vifr3lub4png6dgnydgwqxsi6pt5yosoczhdmq.efi.conf
     sort-key: lanza
      version: Generation 250, 2024-08-25
          efi: /boot//EFI/Linux/nixos-generation-250-ic4qfdwopgpyk4vifr3lub4png6dgnydgwqxsi6pt5yosoczhdmq.efi

         type: Boot Loader Specification Type #2 (.efi)
        title: NixOS Vicuna noxen-24.11.20240825.dirty (Linux 6.6.47) (Generation 250-noxen, 2024-08-25)
           id: nixos-generation-250-specialisation-noxen-zmqh6yrzuiqnotjuh7dyn26vml6thymb2fdiz3dqoctwymr3d3jq.efi
       source: /boot//EFI/Linux/nixos-generation-250-specialisation-noxen-zmqh6yrzuiqnotjuh7dyn26vml6thymb2fdiz3dqoctwymr3d3jq.efi
     sort-key: lanza
      version: Generation 250-noxen, 2024-08-25
        linux: /boot//EFI/Linux/nixos-generation-250-specialisation-noxen-zmqh6yrzuiqnotjuh7dyn26vml6thymb2fdiz3dqoctwymr3d3jq.efi
      options: init=/nix/store/9a6z9lg6n7c8zhx8z4ycqf0sjni70wq3-nixos-system-ema-noxen-24.11.20240825.dirty/init mitigations=off nohz_full=1-15 msr.allow_writes=on root=fstab loglevel=4 nohibernate kvm-intel.vmentry_l1d_flush=never

         type: Boot Loader Specification Type #1 (.conf)
        title: NixOS Vicuna 24.11.20240825.dirty (Linux 6.6.47) (Generation 249, 2024-08-25)
           id: nixos-generation-249-3g3znwubcnp4qfv7pdel2ji574jrhmpzsz5i3huruvbi4cia3u5a.efi.conf
       source: /boot//loader/entries/nixos-generation-249-3g3znwubcnp4qfv7pdel2ji574jrhmpzsz5i3huruvbi4cia3u5a.efi.conf
     sort-key: lanza
      version: Generation 249, 2024-08-25
          efi: /boot//EFI/Linux/nixos-generation-249-3g3znwubcnp4qfv7pdel2ji574jrhmpzsz5i3huruvbi4cia3u5a.efi

         type: Boot Loader Specification Type #2 (.efi)
        title: NixOS Vicuna noxen-24.11.20240825.dirty (Linux 6.6.47) (Generation 249-noxen, 2024-08-25)
           id: nixos-generation-249-specialisation-noxen-w4g5yjkq7n4r5ylsbtk4urnbm7eku5aureihcisoajzwjwoh4akq.efi
       source: /boot//EFI/Linux/nixos-generation-249-specialisation-noxen-w4g5yjkq7n4r5ylsbtk4urnbm7eku5aureihcisoajzwjwoh4akq.efi
     sort-key: lanza
      version: Generation 249-noxen, 2024-08-25
        linux: /boot//EFI/Linux/nixos-generation-249-specialisation-noxen-w4g5yjkq7n4r5ylsbtk4urnbm7eku5aureihcisoajzwjwoh4akq.efi
      options: init=/nix/store/cv7nvw9a3wfzrpml3hvi5ys01gcria9j-nixos-system-ema-noxen-24.11.20240825.dirty/init mitigations=off nohz_full=1-15 msr.allow_writes=on root=fstab loglevel=4 nohibernate kvm-intel.vmentry_l1d_flush=never
For reference, current `bootctl list` output, where primary system has xen enabled, and noxen specialization has xen disabled. The ordering in bootctl list matches one in bootloader. <details> ``` type: Boot Loader Specification Type #1 (.conf) title: NixOS Vicuna 24.11.20240825.dirty (Linux 6.6.47) (Generation 250, 2024-08-25) (default) (selected) id: nixos-generation-250-ic4qfdwopgpyk4vifr3lub4png6dgnydgwqxsi6pt5yosoczhdmq.efi.conf source: /boot//loader/entries/nixos-generation-250-ic4qfdwopgpyk4vifr3lub4png6dgnydgwqxsi6pt5yosoczhdmq.efi.conf sort-key: lanza version: Generation 250, 2024-08-25 efi: /boot//EFI/Linux/nixos-generation-250-ic4qfdwopgpyk4vifr3lub4png6dgnydgwqxsi6pt5yosoczhdmq.efi type: Boot Loader Specification Type #2 (.efi) title: NixOS Vicuna noxen-24.11.20240825.dirty (Linux 6.6.47) (Generation 250-noxen, 2024-08-25) id: nixos-generation-250-specialisation-noxen-zmqh6yrzuiqnotjuh7dyn26vml6thymb2fdiz3dqoctwymr3d3jq.efi source: /boot//EFI/Linux/nixos-generation-250-specialisation-noxen-zmqh6yrzuiqnotjuh7dyn26vml6thymb2fdiz3dqoctwymr3d3jq.efi sort-key: lanza version: Generation 250-noxen, 2024-08-25 linux: /boot//EFI/Linux/nixos-generation-250-specialisation-noxen-zmqh6yrzuiqnotjuh7dyn26vml6thymb2fdiz3dqoctwymr3d3jq.efi options: init=/nix/store/9a6z9lg6n7c8zhx8z4ycqf0sjni70wq3-nixos-system-ema-noxen-24.11.20240825.dirty/init mitigations=off nohz_full=1-15 msr.allow_writes=on root=fstab loglevel=4 nohibernate kvm-intel.vmentry_l1d_flush=never type: Boot Loader Specification Type #1 (.conf) title: NixOS Vicuna 24.11.20240825.dirty (Linux 6.6.47) (Generation 249, 2024-08-25) id: nixos-generation-249-3g3znwubcnp4qfv7pdel2ji574jrhmpzsz5i3huruvbi4cia3u5a.efi.conf source: /boot//loader/entries/nixos-generation-249-3g3znwubcnp4qfv7pdel2ji574jrhmpzsz5i3huruvbi4cia3u5a.efi.conf sort-key: lanza version: Generation 249, 2024-08-25 efi: /boot//EFI/Linux/nixos-generation-249-3g3znwubcnp4qfv7pdel2ji574jrhmpzsz5i3huruvbi4cia3u5a.efi type: Boot Loader Specification Type #2 (.efi) title: NixOS Vicuna noxen-24.11.20240825.dirty (Linux 6.6.47) (Generation 249-noxen, 2024-08-25) id: nixos-generation-249-specialisation-noxen-w4g5yjkq7n4r5ylsbtk4urnbm7eku5aureihcisoajzwjwoh4akq.efi source: /boot//EFI/Linux/nixos-generation-249-specialisation-noxen-w4g5yjkq7n4r5ylsbtk4urnbm7eku5aureihcisoajzwjwoh4akq.efi sort-key: lanza version: Generation 249-noxen, 2024-08-25 linux: /boot//EFI/Linux/nixos-generation-249-specialisation-noxen-w4g5yjkq7n4r5ylsbtk4urnbm7eku5aureihcisoajzwjwoh4akq.efi options: init=/nix/store/cv7nvw9a3wfzrpml3hvi5ys01gcria9j-nixos-system-ema-noxen-24.11.20240825.dirty/init mitigations=off nohz_full=1-15 msr.allow_writes=on root=fstab loglevel=4 nohibernate kvm-intel.vmentry_l1d_flush=never ``` </details>
CertainLach commented 2024-08-29 19:50:08 +00:00 (Migrated from github.com)
Copy link

Marking as ready for review, as I don't plan to change too much implementation-wise here.
I have experimented with adding hash validation to xen.efi, making it possible to not embed bzImage/ramdisk inside of UXI, but this is far from being done, and will go to upstream xen first, right now it will consume 40MB of /boot storage per generation.

Only toplevel system having xen sucks, but I believe it may need to be resolved in some more generic way, maybe it would be better to have xen installed the same way as memtest/netboot.xyz, instead of intercepting nixos entry generation, and then the solution will be the same as for #273?
I also want to hear bootspec people feedback on https://github.com/DeterminateSystems/bootspec/issues/147, and my proposed solution (Comment in the same issue).

Anyway, opening this PR for feedback on those topics, hoping some better solution might arise for those issues.

Marking as ready for review, as I don't plan to change too much implementation-wise here. I have experimented with adding hash validation to xen.efi, making it possible to not embed bzImage/ramdisk inside of UXI, but this is far from being done, and will go to upstream xen first, right now it will consume 40MB of /boot storage per generation. Only toplevel system having xen sucks, but I believe it may need to be resolved in some more generic way, maybe it would be better to have xen installed the same way as memtest/netboot.xyz, instead of intercepting nixos entry generation, and then the solution will be the same as for #273? I also want to hear bootspec people feedback on https://github.com/DeterminateSystems/bootspec/issues/147, and my proposed solution (Comment in the same issue). Anyway, opening this PR for feedback on those topics, hoping some better solution might arise for those issues.
SigmaSquadron commented 2024-08-29 20:04:00 +00:00 (Migrated from github.com)
Copy link

I believe it may need to be resolved in some more generic way, maybe it would be better to have xen installed the same way as memtest/netboot.xyz, instead of intercepting nixos entry generation, and then the solution will be the same as for #273?

That was the original idea before the UKI shenanigans in https://github.com/NixOS/nixpkgs/pull/324911. This isn't an ideal solution, as it's expected that end users be able to roll back to a previous generation while keeping their Xen domains running.

> I believe it may need to be resolved in some more generic way, maybe it would be better to have xen installed the same way as memtest/netboot.xyz, instead of intercepting nixos entry generation, and then the solution will be the same as for #273? That was the original idea before the UKI shenanigans in https://github.com/NixOS/nixpkgs/pull/324911. This isn't an ideal solution, as it's expected that end users be able to roll back to a previous generation while keeping their Xen domains running.
CertainLach commented 2024-08-29 20:06:47 +00:00 (Migrated from github.com)
Copy link

That was the original idea before the UKI shenanigans in https://github.com/NixOS/nixpkgs/pull/324911. This isn't an ideal solution, as it's expected that end users be able to roll back to a previous generation while keeping their Xen domains running.

No, I didn't meant it like that, I meant some generic way of producing per-entry /boot/loader/entries/X files with corresponding signed EFIs in lanzaboote. Currently, only xen generations can produce Boot Loader Specification Type #1 (.conf) files in lanzaboote.

netboot.xyz/memtest don't need to be per-entry, but the solution might be generic enough to enable both.
I.e configurationLimit for non-nixos entries might allow to have 20 generations of nixos, having 5 generations of xen to reduce space consumption, and then 1 generation of memtest? Idk.

> That was the original idea before the UKI shenanigans in https://github.com/NixOS/nixpkgs/pull/324911. This isn't an ideal solution, as it's expected that end users be able to roll back to a previous generation while keeping their Xen domains running. No, I didn't meant it like that, I meant some generic way of producing per-entry `/boot/loader/entries/X` files with corresponding signed EFIs in lanzaboote. Currently, only xen generations can produce Boot Loader Specification Type #1 (.conf) files in lanzaboote. netboot.xyz/memtest don't need to be per-entry, but the solution might be generic enough to enable both. I.e `configurationLimit` for non-nixos entries might allow to have 20 generations of nixos, having 5 generations of xen to reduce space consumption, and then 1 generation of memtest? Idk.
👍 1
CertainLach commented 2024-08-29 20:30:02 +00:00 (Migrated from github.com)
Copy link

How it may look in bootspec:

// Defined in top-level boot.json, no-op if defined on specialization level.
"org.nix-community.lanzaboote.extra-entries": {
  // Enabling xen in nixos will make two bootloader entries - one with xen bootloader, one without for troubleshooting.
  // I don't think it will be good to make it easy to have user locked in xen with no recovery options.
  xen1: {
    // generator kind describes how to populate efi sections, various kinds will be defined in lanzaboote
    // by code, I don't think it makes sense to make that fully declarative.
    generator: {
      kind: "xen",
      // Null for top-level
      specialization: null,
    },
    efi: "/nix/store/blah-blah-1/xen.efi"
  },
  // Instead of assigning xen config to specialization, xen bootloader entry will specify specialization which it
  // should use.
  xen2: {
    generator: {
      kind: "xen",
      specialization: "specialization-name",
    },
    efi: "/nix/store/blah-blah-2/xen.efi"
  },
  memtest: {
    efi: "/nix/store/blah-blah-3/memtest.efi"
  }
}

boot.lanzaboote.configurationLimit = 20;
boot.lanzaboote.extraEntries.xen1 = {
  configurationLimit = 5;
  efi = "${pkgs.xen}/xen.efi";
  generator = {
    kind = "xen";
    specialization = "specialization-name";
  };
};
# Or, for compatibility with configuration implemented currently in nixos (pseudocode)
boot.lanzaboote.extraEntries = prefixAttrs "xen-" (filterMapAttrs config.specialisation
  (spec: spec.configuration.boot.xen.enable)
  (spec: {
    efi = "${spec.configuration.boot.xen.package}/xen.efi";
  })
);
boot.lanzaboote.extraEntries.memtest = {
  configurationLimit = 1;
  efi = "${pkgs.memtest}/memtest.efi";
};
How it may look in bootspec: ```jsonnet // Defined in top-level boot.json, no-op if defined on specialization level. "org.nix-community.lanzaboote.extra-entries": { // Enabling xen in nixos will make two bootloader entries - one with xen bootloader, one without for troubleshooting. // I don't think it will be good to make it easy to have user locked in xen with no recovery options. xen1: { // generator kind describes how to populate efi sections, various kinds will be defined in lanzaboote // by code, I don't think it makes sense to make that fully declarative. generator: { kind: "xen", // Null for top-level specialization: null, }, efi: "/nix/store/blah-blah-1/xen.efi" }, // Instead of assigning xen config to specialization, xen bootloader entry will specify specialization which it // should use. xen2: { generator: { kind: "xen", specialization: "specialization-name", }, efi: "/nix/store/blah-blah-2/xen.efi" }, memtest: { efi: "/nix/store/blah-blah-3/memtest.efi" } } ``` ```nix boot.lanzaboote.configurationLimit = 20; boot.lanzaboote.extraEntries.xen1 = { configurationLimit = 5; efi = "${pkgs.xen}/xen.efi"; generator = { kind = "xen"; specialization = "specialization-name"; }; }; # Or, for compatibility with configuration implemented currently in nixos (pseudocode) boot.lanzaboote.extraEntries = prefixAttrs "xen-" (filterMapAttrs config.specialisation (spec: spec.configuration.boot.xen.enable) (spec: { efi = "${spec.configuration.boot.xen.package}/xen.efi"; }) ); boot.lanzaboote.extraEntries.memtest = { configurationLimit = 1; efi = "${pkgs.memtest}/memtest.efi"; }; ```
gador commented 2024-10-20 19:01:36 +00:00 (Migrated from github.com)
Copy link

@CertainLach thanks for your work here! Is this a working example you posted? What would be needed to give this PR a test run with an existing lanzaboote config?

@CertainLach thanks for your work here! Is this a working example you posted? What would be needed to give this PR a test run with an existing `lanzaboote` config?
CertainLach commented 2024-10-23 17:28:13 +00:00 (Migrated from github.com)
Copy link

@gador The thing I posted is for the better, future implementation of the same functionality.
Xen itself will just work if you use lanzaboote built from this PR, no changes to NixOS config are required.

@gador The thing I posted is for the better, future implementation of the same functionality. Xen itself will just work if you use lanzaboote built from this PR, no changes to NixOS config are required.
gador commented 2024-10-23 18:07:12 +00:00 (Migrated from github.com)
Copy link

Awesome, thanks, Ill give it a try 👍

Awesome, thanks, Ill give it a try :+1:
CertainLach commented 2024-11-11 00:38:08 +00:00 (Migrated from github.com)
Copy link

Rebased & matched behavior with nixpkgs implementation - it is now produces two boot entries per generation if xen is enabled.

Rebased & matched behavior with nixpkgs implementation - it is now produces two boot entries per generation if xen is enabled.
❤️ 1
CertainLach commented 2024-11-11 08:55:03 +00:00 (Migrated from github.com)
Copy link

CI failures seem to be unrelated, looking at the other PRs.
I also don't see a way to add test for this PR's changes, as it won't be possible to boot xen system in CI.

CI failures seem to be unrelated, looking at the other PRs. I also don't see a way to add test for this PR's changes, as it won't be possible to boot xen system in CI.
gador commented 2024-11-12 13:50:57 +00:00 (Migrated from github.com)
Copy link

I finally had time to try and boot into this PR.
I still get the exact same error described by me here https://github.com/NixOS/nixpkgs/issues/350051

I have lanzaboote flake input pointed to github:CertainLach/lanzaboote/feat/xen"; and virtualisation.xen.enable = true; and it still gives me the same error messages.

I also now got
systemd-logind[2455]: Parsed PE file '/boot/EFI/Linux/xen-generation-395-4jk5grj5thec6zlqt5jfhpplmes6lsb5tdwyevfyx37hqfqgehcq.efi' is not a UKI. which is new.

Hope this helps. Let me know if I can/should do more debugging

I finally had time to try and boot into this PR. I still get the exact same error described by me here https://github.com/NixOS/nixpkgs/issues/350051 I have lanzaboote flake input pointed to `github:CertainLach/lanzaboote/feat/xen";` and `virtualisation.xen.enable = true;` and it still gives me the same error messages. I also now got `systemd-logind[2455]: Parsed PE file '/boot/EFI/Linux/xen-generation-395-4jk5grj5thec6zlqt5jfhpplmes6lsb5tdwyevfyx37hqfqgehcq.efi' is not a UKI.` which is new. Hope this helps. Let me know if I can/should do more debugging
CertainLach commented 2024-11-12 13:53:54 +00:00 (Migrated from github.com)
Copy link

I also now got
systemd-logind[2455]: Parsed PE file '/boot/EFI/Linux/xen-generation-395-4jk5grj5thec6zlqt5jfhpplmes6lsb5tdwyevfyx37hqfqgehcq.efi' is not a UKI. which is new.

This is normal, as generated image is not a kernel image (K in UKI), instead it is booted from .conf entry in /boot/entries

Do you see new (With xen hypervisor) entry appearing in bootloader menu?

> I also now got systemd-logind[2455]: Parsed PE file '/boot/EFI/Linux/xen-generation-395-4jk5grj5thec6zlqt5jfhpplmes6lsb5tdwyevfyx37hqfqgehcq.efi' is not a UKI. which is new. This is normal, as generated image is not a kernel image (K in UKI), instead it is booted from .conf entry in /boot/entries Do you see new (With xen hypervisor) entry appearing in bootloader menu?
gador commented 2024-11-12 14:13:20 +00:00 (Migrated from github.com)
Copy link

You got it. I didn't select the new generation on boot. I have xen enabled now, thanks!

Do you know how to set it as default? Usually, the new generations always get selected by default, but this time, it didn't?

Also, maybe unrelated, I got a kernel bug, which I've never had before:

Nov 12 15:04:59 framework kernel: cros_ec_lpcs cros_ec_lpcs.0: bad packet checksum e7
Nov 12 15:05:06 framework kernel: list_del corruption. next->prev should be ffffea000c18fb08, but was ffffea000c580188. (next=ffffea000c580208)
Nov 12 15:05:06 framework kernel: ------------[ cut here ]------------
Nov 12 15:05:06 framework kernel: kernel BUG at lib/list_debug.c:65!
You got it. I didn't select the new generation on boot. I have xen enabled now, thanks! Do you know how to set it as default? Usually, the new generations always get selected by default, but this time, it didn't? Also, maybe unrelated, I got a kernel bug, which I've never had before: ``` Nov 12 15:04:59 framework kernel: cros_ec_lpcs cros_ec_lpcs.0: bad packet checksum e7 Nov 12 15:05:06 framework kernel: list_del corruption. next->prev should be ffffea000c18fb08, but was ffffea000c580188. (next=ffffea000c580208) Nov 12 15:05:06 framework kernel: ------------[ cut here ]------------ Nov 12 15:05:06 framework kernel: kernel BUG at lib/list_debug.c:65! ```
CertainLach commented 2024-11-12 15:27:35 +00:00 (Migrated from github.com)
Copy link

Do you know how to set it as default? Usually, the new generations always get selected by default, but this time, it didn't?

(With xen support) entry should be on top, it isn't for you?

> Do you know how to set it as default? Usually, the new generations always get selected by default, but this time, it didn't? (With xen support) entry should be on top, it isn't for you?
gador commented 2024-11-12 15:30:39 +00:00 (Migrated from github.com)
Copy link

It is. It just isn't chosen as default (The second entry is selected by default)

It is. It just isn't chosen as default (The second entry is selected by default)
CertainLach commented 2024-11-16 02:35:44 +00:00 (Migrated from github.com)
Copy link

After rebase, noticed that GC does no longer work, fixed that.

Latest commit might also change the ordering issue, though I haven't encountered that, probably due to customized loader.conf

After rebase, noticed that GC does no longer work, fixed that. Latest commit might also change the ordering issue, though I haven't encountered that, probably due to customized loader.conf
gador commented 2024-11-20 15:54:08 +00:00 (Migrated from github.com)
Copy link

Tried after your change: Now, no new entry is generated and also the old ones do not get removed

Tried after your change: Now, no new entry is generated and also the old ones do not get removed
CertainLach commented 2024-11-20 16:27:17 +00:00 (Migrated from github.com)
Copy link

Entries generated using the old version need to be removed manually,

rm /boot/loader/entries/xen-* /boot/efi/Linux/xen-*

As for entries not generating - can you try to change your nixos configuration a little, it is possible it doesn't think that is is the new system generation for some reason.

Entries generated using the old version need to be removed manually, rm /boot/loader/entries/xen-* /boot/efi/Linux/xen-* As for entries not generating - can you try to change your nixos configuration a little, it is possible it doesn't think that is is the new system generation for some reason.
gador commented 2024-11-20 16:47:49 +00:00 (Migrated from github.com)
Copy link

Removing the entries manually did work, thanks.
I did change my config (.e.g I added the suggested kernel lines from https://github.com/NixOS/nixpkgs/issues/350051#issuecomment-2471604666 ) and a new generation is created and selected by default, but nothing with xen only the normal entry.

tree /boot
/boot
├── EFI
│   ├── BOOT
│   │   └── BOOTX64.EFI
│   ├── Linux
│   │   ├── nixos-generation-398-sdkuoi3d6zicbjwluebgrxmfye6igjqlbtm7asju2lkyy7fl5cla.efi
│   │   ├── nixos-generation-399-u2sh6yrm6ktufejqk7npbdwvnjgdrrwmlhac6pldqdndsctxrgma.efi
│   │   └── nixos-generation-400-pbgxqz6jxzch6ritom3run4dipbas4fk3ucctvjqewvm4z7raazq.efi
│   ├── nixos
│   │   ├── initrd-6.6.60-7as2p44fk6ei7v2kguhgmfoi7ika6a5cehwr35uez4ntf2xuspca.efi
│   │   ├── initrd-6.6.60-amvb5kbxg4orhupuosvpyd7wvd7lyig4vwogytc4wccycqqbjwba.efi
│   │   └── kernel-6.6.60-be6ao25tnwttdfers5y5vmp7irgpmv2pdn4ssvgxrfnyn6qcxtha.efi
│   └── systemd
│       └── systemd-bootx64.efi
└── loader
    ├── entries
    ├── entries.srel
    ├── loader.conf
    └── random-seed

And commands like xl don't work, just as I get errors during boot like Failed to insert module 'xenfs': No such device

Removing the entries manually did work, thanks. I did change my config (.e.g I added the suggested kernel lines from https://github.com/NixOS/nixpkgs/issues/350051#issuecomment-2471604666 ) and a new generation is created and selected by default, but nothing with `xen` only the normal entry. ``` tree /boot /boot ├── EFI │   ├── BOOT │   │   └── BOOTX64.EFI │   ├── Linux │   │   ├── nixos-generation-398-sdkuoi3d6zicbjwluebgrxmfye6igjqlbtm7asju2lkyy7fl5cla.efi │   │   ├── nixos-generation-399-u2sh6yrm6ktufejqk7npbdwvnjgdrrwmlhac6pldqdndsctxrgma.efi │   │   └── nixos-generation-400-pbgxqz6jxzch6ritom3run4dipbas4fk3ucctvjqewvm4z7raazq.efi │   ├── nixos │   │   ├── initrd-6.6.60-7as2p44fk6ei7v2kguhgmfoi7ika6a5cehwr35uez4ntf2xuspca.efi │   │   ├── initrd-6.6.60-amvb5kbxg4orhupuosvpyd7wvd7lyig4vwogytc4wccycqqbjwba.efi │   │   └── kernel-6.6.60-be6ao25tnwttdfers5y5vmp7irgpmv2pdn4ssvgxrfnyn6qcxtha.efi │   └── systemd │   └── systemd-bootx64.efi └── loader ├── entries ├── entries.srel ├── loader.conf └── random-seed ``` And commands like `xl` don't work, just as I get errors during boot like `Failed to insert module 'xenfs': No such device`
CertainLach commented 2024-11-20 17:43:09 +00:00 (Migrated from github.com)
Copy link

Huh, are you sure you install correct lanzaboote?

inputs.lanzaboote.url = "github:CertainLach/lanzaboote/feat/xen";

Do you have xen extension in your /run/current-system/boot.json?

Huh, are you sure you install correct lanzaboote? inputs.lanzaboote.url = "github:CertainLach/lanzaboote/feat/xen"; Do you have xen extension in your /run/current-system/boot.json?
gador commented 2024-11-20 18:12:06 +00:00 (Migrated from github.com)
Copy link

arrg. Im dump. When I switched back to the original branch I commented your input and forgot to uncomment :-/
So, now I have the new xen generations and it didn't freeze up until now, so fingers crossed

arrg. Im dump. When I switched back to the original branch I commented your input and forgot to uncomment :-/ So, now I have the new xen generations and it didn't freeze up until now, so fingers crossed
gador commented 2025-02-05 16:33:49 +00:00 (Migrated from github.com)
Copy link

can we rebase this branch to 0.4.2 to work with current systemd? (or better yet, merge it) ;-)

can we rebase this branch to `0.4.2` to work with current systemd? (or better yet, merge it) ;-)
CertainLach commented 2025-02-05 22:07:09 +00:00 (Migrated from github.com)
Copy link

Rebased to latest lanzaboote master.

As for merging...

@blitz @RaitoBezarius sorry for pinging, but this is really unfortunate that Xen in NixOS doesn't work with lanzaboote, and this PR is required for that. I have failed to get anyone's attention in the matrix room, and I still want some feedback about my implementation and/or just to have this PR merged.

Rebased to latest lanzaboote master. As for merging... @blitz @RaitoBezarius sorry for pinging, but this is really unfortunate that Xen in NixOS doesn't work with lanzaboote, and this PR is required for that. I have failed to get anyone's attention in the matrix room, and I still want some feedback about my implementation and/or just to have this PR merged.
RaitoBezarius (Migrated from github.com) requested changes 2025-02-05 22:13:44 +00:00
RaitoBezarius (Migrated from github.com) left a comment
Copy link

For general architecture guidance, we do not accept system-specific code in the systemd (and shared crate when possible, e.g. bootspec extensions).

To make progress on this PR, I'd like you to do the following things:

(1) Move the Xen specific code into a xen/src subcrate in rust/tool, even if you need to copy or move "more" code from systemd/src into the shared/src crate when it makes more sense.
(2) Add a README in that Xen crate to explain that "Lanzaboote Xen backend" is maintained by your team and is not officially supported (beyond the fact that it's available here in this codebase as a matter of convenience).

The idea is the following, the lanzaboote maintainers officially maintain most of the codebase but we recognize that some folks want to support different backends out there:

  • GRUB (in a PR)
  • U-Boot (that I wanted to support for embedded systems, dropped the prototype for complicated reasons)
  • VBE: Verified Boot For Embedded Systems
    etc.

Xen is yet one another special backend to me here. Feel free to ping me over Matrix for sync discussions if needed, my bandwidth is not great these days alas.

For general architecture guidance, we do not accept system-specific code in the systemd (and shared crate when possible, e.g. bootspec extensions). To make progress on this PR, I'd like you to do the following things: (1) Move the Xen specific code into a `xen/src` subcrate in `rust/tool`, even if you need to copy or move "more" code from `systemd/src` into the `shared/src` crate when it makes more sense. (2) Add a README in that Xen crate to explain that "Lanzaboote Xen backend" is maintained by your team and is not officially supported (beyond the fact that it's available here in this codebase as a matter of convenience). The idea is the following, the lanzaboote maintainers officially maintain most of the codebase but we recognize that some folks want to support different backends out there: - GRUB (in a PR) - U-Boot (that I wanted to support for embedded systems, dropped the prototype for complicated reasons) - VBE: Verified Boot For Embedded Systems etc. Xen is yet one another special backend to me here. Feel free to ping me over Matrix for sync discussions if needed, my bandwidth is not great these days alas.
CertainLach commented 2025-02-05 23:59:06 +00:00 (Migrated from github.com)
Copy link

This is not a backend, it can be treated as another nixos boot configuration, xen replaces standard nixos linux kernel here.
In NixOS, you enable Xen (virtualisation.xen.enable), and nixpkgs's systemd-boot can just boot into it without any additional configuration. However, with lanzaboote, this doesn't work, as lanzaboote boots normal linux kernel instead.

Its implementation can be moved into another crate, but systemd-boot backend will have it as a dependency, I don't see how it is possible to decouple them.

This is not a backend, it can be treated as another nixos boot configuration, xen replaces standard nixos linux kernel here. In NixOS, you enable Xen (virtualisation.xen.enable), and nixpkgs's systemd-boot can just boot into it without any additional configuration. However, with lanzaboote, this doesn't work, as lanzaboote boots normal linux kernel instead. Its implementation can be moved into another crate, but systemd-boot backend will have it as a dependency, I don't see how it is possible to decouple them.
RaitoBezarius commented 2025-02-06 00:11:06 +00:00 (Migrated from github.com)
Copy link

This is not a backend, it can be treated as another nixos boot configuration, xen replaces standard nixos linux kernel here. In NixOS, you enable Xen (virtualisation.xen.enable), and nixpkgs's systemd-boot can just boot into it without any additional configuration. However, with lanzaboote, this doesn't work, as lanzaboote boots normal linux kernel instead.

Its implementation can be moved into another crate, but systemd-boot backend will have it as a dependency, I don't see how it is possible to decouple them.

If Xen was simply a different kernel, the modifications to the shared crate should directly go into NixOS and lanzaboote should not be aware of Xen as a different kernel. But from what I gather of this PR, it's more complicated than that.

On the top of that, lzbt-systemd is modified to support bespoke entries that seems also required in Xen case which are not necessary with standard partial kernel images.

We would like to keep lzbt-systemd standard and close to the concept of unified kernel images. If Xen cannot accommodate for this, it cannot mix in the lzbt-systemd backend. It can be a lzbt-systemd-xen backend FWIW.

It's fine if code gets copied at some point, but the idea here is to get the responsibilities & scope right for the different "backend" however you want to call it.

If you enable Xen + systemd-boot, you can easily turn on the lzbt-systemd-xen implementation in the upstream NixOS modules or anything. That's fine as well.

> This is not a backend, it can be treated as another nixos boot configuration, xen replaces standard nixos linux kernel here. In NixOS, you enable Xen (virtualisation.xen.enable), and nixpkgs's systemd-boot can just boot into it without any additional configuration. However, with lanzaboote, this doesn't work, as lanzaboote boots normal linux kernel instead. > > Its implementation can be moved into another crate, but systemd-boot backend will have it as a dependency, I don't see how it is possible to decouple them. If Xen was simply a different kernel, the modifications to the shared crate should directly go into NixOS and lanzaboote should not be aware of Xen as a different kernel. But from what I gather of this PR, it's more complicated than that. On the top of that, lzbt-systemd is modified to support bespoke entries that seems also required in Xen case which are not necessary with standard partial kernel images. We would like to keep lzbt-systemd standard and close to the concept of unified kernel images. If Xen cannot accommodate for this, it cannot mix in the lzbt-systemd backend. It can be a lzbt-systemd-xen backend FWIW. It's fine if code gets copied at some point, but the idea here is to get the responsibilities & scope right for the different "backend" however you want to call it. If you enable Xen + systemd-boot, you can easily turn on the lzbt-systemd-xen implementation in the upstream NixOS modules or anything. That's fine as well.
CertainLach commented 2025-02-08 23:08:15 +00:00 (Migrated from github.com)
Copy link

If Xen was simply a different kernel, the modifications to the shared crate should directly go into NixOS and lanzaboote should not be aware of Xen as a different kernel. But from what I gather of this PR, it's more complicated than that.

Linux: kernel + boot params get packed into UKI, UKI gets found by systemd-boot and then booted

Xen: kernel + boot params + xen efi + initrd get packed into UXKI (Unified Xen Kernel Image, https://xenbits.xenproject.org/docs/unstable/misc/efi.html), resulting in efi image, which can be booted by systemd, but won't be detected automatically as this is not a UKI, thus a dedicated type #1 entry file is required.

The problem is, enabling Xen should not disable NixOS entries generation.

I've got an idea, lzbt-systemd-xen should only generate Xen-dependent files, and then delegate rest of the work to the lzbt-systemd.
There still will be changes to the shared partition of the tool code, but they can be then feature-gated for xen.

The only problem remains is the garbage collector. lzbt-systemd still needs to be taught to garbage-collect /boot/loader/entries, even if that directory is not populated by it right now (Until lanzaboote supports managing memtest and other plain efi binaries).
Is that ok from you?

Still, it would be much cleaner to just add this code to lzbt-systemd, but I understand that Xen might be too niche, and not everyone wants to deal with code supporting it.

> If Xen was simply a different kernel, the modifications to the shared crate should directly go into NixOS and lanzaboote should not be aware of Xen as a different kernel. But from what I gather of this PR, it's more complicated than that. Linux: kernel + boot params get packed into UKI, UKI gets found by systemd-boot and then booted Xen: kernel + boot params + xen efi + initrd get packed into UXKI (Unified Xen Kernel Image, https://xenbits.xenproject.org/docs/unstable/misc/efi.html), resulting in efi image, which can be booted by systemd, but won't be detected automatically as this is not a UKI, thus a dedicated type #1 entry file is required. The problem is, enabling Xen should not disable NixOS entries generation. I've got an idea, lzbt-systemd-xen should only generate Xen-dependent files, and then delegate rest of the work to the lzbt-systemd. There still will be changes to the shared partition of the tool code, but they can be then feature-gated for xen. The only problem remains is the garbage collector. lzbt-systemd still needs to be taught to garbage-collect /boot/loader/entries, even if that directory is not populated by it right now (Until lanzaboote supports managing memtest and other plain efi binaries). Is that ok from you? Still, it would be much cleaner to just add this code to lzbt-systemd, but I understand that Xen might be too niche, and not everyone wants to deal with code supporting it.
This pull request can be merged automatically.
This branch is out-of-date with the base branch
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin CertainLach/feat/xen:CertainLach/feat/xen
git switch CertainLach/feat/xen

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch master
git merge --no-ff CertainLach/feat/xen
git switch CertainLach/feat/xen
git rebase master
git switch master
git merge --ff-only CertainLach/feat/xen
git switch CertainLach/feat/xen
git rebase master
git switch master
git merge --no-ff CertainLach/feat/xen
git switch master
git merge --squash CertainLach/feat/xen
git switch master
git merge --ff-only CertainLach/feat/xen
git switch master
git merge CertainLach/feat/xen
git push origin master
Sign in to join this conversation.
Reviewers
No reviewers
RaitoBezarius
Labels
Clear labels   
bug

Something isn't working

  
dependency

Issues related to our dependencies

  
documentation

Improvements or additions to documentation

  
duplicate

This issue or pull request already exists

  
enhancement

New feature or request

  
good first issue

Good for newcomers

  
help wanted

Extra attention is needed

  
invalid

This doesn't seem right

  
question

Further information is requested

  
review-next

   
security

   
stub

   
tool

   
wontfix

This will not be worked on

No labels
bug
dependency
documentation
duplicate
enhancement
good first issue
help wanted
invalid
question
review-next
security
stub
tool
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: raito/lanzaboote#387
No description provided.
Delete branch "CertainLach/feat/xen"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?