
auto-enroll: use safe auto enrollment rather than YOLO enrollment #229

Open: wants to merge 1 commit into base master

Conversation

RaitoBezarius (Member) commented Sep 29, 2023

This uses the systemd semantics for automatic enrollment at boot time.

For now, it is very simple, in the future, we can better use this option to push the proper auth files with names or have Type #1 entries for enrollment. :)

This PR relies on unreleased commits in nixpkgs for the testing framework to properly detect EFI resets, as for some reason this makes the whole thing hang otherwise…

In other news, your wish has been granted @blitz !

@RaitoBezarius RaitoBezarius added this to the Release 0.4.0 milestone Sep 30, 2023
@RaitoBezarius (Member Author)

Depends on QMP API being upstreamed.

@RaitoBezarius RaitoBezarius marked this pull request as draft September 30, 2023 15:04
@blitz (Member) left a comment

The approach looks good to me!

@RaitoBezarius RaitoBezarius force-pushed the systemd-sb-enroll branch 2 times, most recently from dd82f71 to 56f0a64 Compare October 30, 2023 12:47
@RaitoBezarius RaitoBezarius marked this pull request as ready for review January 5, 2024 04:05
@RaitoBezarius RaitoBezarius marked this pull request as draft January 5, 2024 04:05
@RaitoBezarius (Member Author)

Note to myself: finish merging the stuff inside of nixpkgs for the QMP.

@nikstur (Member) commented Jan 21, 2024

> Depends on QMP API being upstreamed.

I remember that you explained to me in person why this is needed, but I think I forgot. Wouldn't this solution be just as bad/good as our current solution?

Review comment on nix/modules/lanzaboote.nix (outdated, resolved)
@RaitoBezarius RaitoBezarius marked this pull request as ready for review February 11, 2024 15:39
@RaitoBezarius (Member Author)

PTAL @nikstur @blitz.

@RaitoBezarius (Member Author)

ffs:

```
vm-test-run-lanzaboote> machine # NixOS Uakari 24.05pre-git (Linux 6.1.76) (Generation 1, 2024-02-11)
Reboot Into Firmware Interface
Enroll Secure Boot keys: auto
Boot in 5 s.
-------------------------------------------------------------------------------
Boot in 4 s.
-------------------------------------------------------------------------------
Boot in 3 s.
-------------------------------------------------------------------------------
Boot in 2 s.
-------------------------------------------------------------------------------
Boot in 1 s.
-------------------------------------------------------------------------------
[ WARN]: stub/src/common.rs@077: Secure Boot is not active!
vm-test-run-lanzaboote> machine # EFI stub: Booting Linux Kernel...
vm-test-run-lanzaboote> machine # EFI stub: ERROR: FIRMWARE BUG: kernel image not aligned on 64k boundary
vm-test-run-lanzaboote> machine # EFI stub: Loaded initrd from LINUX_EFI_INITRD_MEDIA_GUID device path
```

it doesn't enroll on aarch64.

@RaitoBezarius (Member Author)

and now I assume that events for aarch64 VMs are fried...

@RaitoBezarius (Member Author)

OK, I was holding my own code wrong.

@RaitoBezarius (Member Author)

Ah yes,

  • "without Secure Boot" does not provoke any key enrollment.
  • exporting UEFI variables is failing for interesting reasons.

@@ -147,7 +162,32 @@ let
};
boot.lanzaboote = {
enable = true;
enrollKeys = lib.mkDefault true;
# Under aarch64, various things goes wrong...
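Review bot: the comment `# Under aarch64, various things goes wrong...` on the last line of this hunk names neither the symptom nor the condition under which the aarch64 special-casing that follows it can be dropped, so a reader of `nix/modules/lanzaboote.nix` cannot tell whether the `enrollKeys = lib.mkDefault true;` default is expected to work on that architecture. The test output earlier in this thread gives the concrete symptom (the menu shows `Enroll Secure Boot keys: auto`, then the stub logs `Secure Boot is not active!` and `FIRMWARE BUG: kernel image not aligned on 64k boundary`); stating that, plus a pointer to what needs to be fixed before the workaround goes away, would make the comment useful. Minor: "things goes" should read "things go".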
Member left a comment

nit: You could elaborate here a bit, so people know why this wrinkle exists and when it may go away.

@blitz (Member) left a comment

Looks good to me!

@RaitoBezarius It looks like the tests need some love. Feel free to merge after fixing them.
