auto-enroll: use safe auto enrollment rather than YOLO enrollment #229
base: master
Conversation
Depends on QMP API being upstreamed.
The approach looks good to me!
dd82f71 to 56f0a64
Note to myself: finish merging the stuff inside of nixpkgs for the QMP.
I remember that you explained to me in person why this is needed, but I think I forgot. Wouldn't this solution be just as bad/good as our current solution?
56f0a64 to 596bf9b
596bf9b to 996d722
996d722 to 41383fa
ffs: it doesn't enroll on aarch64.
41383fa to 280392c
and now I assume that events for aarch64 VMs are fried...
280392c to c6e4ea5
OK, I was holding my own code wrong.
Ah yes,
@@ -147,7 +162,32 @@ let | |||
}; | |||
boot.lanzaboote = { | |||
enable = true; | |||
enrollKeys = lib.mkDefault true; | |||
# Under aarch64, various things goes wrong... |
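Review bot: the comment `# Under aarch64, various things goes wrong...` on the last line of this hunk is too vague to act on; state what actually fails on aarch64 (the discussion above mentions that enrollment does not happen on aarch64 and that events for aarch64 VMs are unreliable) and what condition would allow the workaround to be dropped. It is also worth a one-line comment next to `enrollKeys = lib.mkDefault true;` noting that this now relies on systemd's safe automatic enrollment at boot rather than forced enrollment, since that is the behaviour change the PR title describes and the reason the test default can be flipped to `true`.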
nit: You could elaborate here a bit, so people know why this wrinkle exists and when it may go away.
Looks good to me!
@RaitoBezarius It looks like the tests need some love. Feel free to merge after fixing them.
This uses the systemd semantics for automatic enrollment at boot time.
For now, it is very simple; in the future, we can better use this option to push the proper auth files with names or have Type #1 entries for enrollment. :)
This PR relies on unreleased commits in nixpkgs for the testing framework to detect EFI resets properly, as for some reason this makes the whole thing hang otherwise… In other news, your wish has been granted @blitz !