From ea664944e4f6bba9c07082c96e01b53bbcaccfac Mon Sep 17 00:00:00 2001
From: Artemis Tosini
Date: Sat, 26 Aug 2023 22:45:32 +0000
Subject: [PATCH] Use lanzaboote for secure boot on rainbowdash
---
 flake.lock | 251 +++++++++++++++++++++++++++--
 flake.nix | 6 +-
 sets/secureBoot.nix | 11 ++
 system/rainbowdash/default.nix | 14 +-
 system/rainbowdash/secure-boot.nix | 13 --
 5 files changed, 261 insertions(+), 34 deletions(-)
 create mode 100644 sets/secureBoot.nix
 delete mode 100644 system/rainbowdash/secure-boot.nix
diff --git a/flake.lock b/flake.lock
index fb0fe9b..3945129 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,115 @@ { "nodes": { + "crane": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "rust-overlay": [ + "lanzaboote", + "rust-overlay" + ] + }, + "locked": { + "lastModified": 1681177078, + "narHash": "sha256-ZNIjBDou2GOabcpctiQykEQVkI8BDwk7TyvlWlI4myE=", + "owner": "ipetkov", + "repo": "crane", + "rev": "0c9f468ff00576577d83f5019a66c557ede5acf6", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1680392223, + "narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", 
+ "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -21,13 +131,40 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1682802423, + "narHash": "sha256-Fb5TeRTdvUlo/5Yi2d+FC8a6KoRLk2h1VE0/peMhWPs=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "64b903ca87d18cef2752c19c098af275c6e51d63", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v0.3.0", + "repo": "lanzaboote", + "type": "github" + } + }, "nixos-hardware": { "locked": { - "lastModified": 1691871742, - "narHash": "sha256-6yDNjfbAMpwzWL4y75fxs6beXHRANfYX8BNSPjYehck=", + "lastModified": 1692952286, + "narHash": "sha256-TsrtPv3+Q1KR0avZxpiJH+b6fX/R/hEQVHbjl1ebotY=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "430a56dd16fe583a812b2df44dca002acab2f4f6", + "rev": "817e297fc3352fadc15f2c5306909aa9192d7d97", "type": "github" }, "original": { @@ -38,11 +175,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1692134936, - "narHash": "sha256-Z68O969cioC6I3k/AFBxsuEwpJwt4l9fzwuAMUhCCs0=", + "lastModified": 1692986144, + "narHash": "sha256-M4VFpy7Av9j+33HF5nIGm0k2+DXXW4qSSKdidIKg5jY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "bfd953b2c6de4f550f75461bcc5768b6f966be10", + "rev": "74e5bdc5478ebbe7ba5849f0d765f92757bb9dbf", "type": "github" }, "original": { 
@@ -52,13 +189,29 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1678872516, + "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-unstable": { "locked": { - "lastModified": 1692174805, - "narHash": "sha256-xmNPFDi/AUMIxwgOH/IVom55Dks34u1g7sFKKebxUm0=", + "lastModified": 1693003285, + "narHash": "sha256-5nm4yrEHKupjn62MibENtfqlP6pWcRTuSKrMiH9bLkc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "caac0eb6bdcad0b32cb2522e03e4002c8975c62e", + "rev": "5690c4271f2998c304a45c91a0aeb8fb69feaea7", "type": "github" }, "original": { @@ -68,13 +221,44 @@ "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1681413034, + "narHash": "sha256-/t7OjNQcNkeWeSq/CFLYVBfm+IEnkjoSm9iKvArnUUI=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "d3de8f69ca88fb6f8b09e5b598be5ac98d28ede5", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "private": { "locked": { - "lastModified": 1688700418, - "narHash": "sha256-IoC3cAf11rJ9cwtM/y2gWXnCUwIIP4rcQRsMtdr7d/c=", + "lastModified": 1692761801, + "narHash": "sha256-+mYwFUA7H5FG1uAst2CBuj+FFKQ7+u9N4KbBerFvVsA=", "ref": "unified", - "rev": "a347e1d1fe0190b56c0268396fb719652bf4e839", - "revCount": 31, + "rev": "2e75302ff38830fdebecaa24ee0debebb9fab3d8", + "revCount": 32, "type": "git", "url": "ssh://git@github.com/artemist/nixos-config-private" }, 
@@ -87,6 +271,7 @@ "root": { "inputs": { "home-manager": "home-manager", + "lanzaboote": "lanzaboote", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", "nixpkgs-unstable": "nixpkgs-unstable", @@ -95,6 +280,31 @@ "wip-pinebook-pro": "wip-pinebook-pro" } }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1682129965, + "narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "2c417c0460b788328220120c698630947547ee83", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "rustybar": { "inputs": { "nixpkgs": [ @@ -116,6 +326,21 @@ "type": "github" } }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "utils": { "locked": { "lastModified": 1637014545, diff --git a/flake.nix b/flake.nix index cdf427a..7cc367f 100644 --- a/flake.nix +++ b/flake.nix @@ -3,6 +3,10 @@ nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; nixos-hardware.url = "github:nixos/nixos-hardware"; + lanzaboote = { + url = "github:nix-community/lanzaboote/v0.3.0"; + inputs.nixpkgs.follows = "nixpkgs"; + }; home-manager = { url = "github:nix-community/home-manager/release-23.05"; 
@@ -22,7 +26,7 @@
 };
 };
- outputs = { self, nixpkgs, home-manager, rustybar, private, wip-pinebook-pro, nixpkgs-unstable, ... } @ inputs:
+ outputs = { self, nixpkgs, home-manager, rustybar, private, wip-pinebook-pro, nixpkgs-unstable, lanzaboote, ... } @ inputs:
 let
 makeSystem = conf:
 nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate conf rec {
diff --git a/sets/secureBoot.nix b/sets/secureBoot.nix
new file mode 100644
index 0000000..e681b9a
--- /dev/null
+++ b/sets/secureBoot.nix
@@ -0,0 +1,11 @@
+{ pkgs, inputs, ... }:
+
+{
+ imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];
+ boot.loader.systemd-boot.enable = false;
+
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+ };
+}
diff --git a/system/rainbowdash/default.nix b/system/rainbowdash/default.nix
index 3f8a26d..993cf41 100644
--- a/system/rainbowdash/default.nix
+++ b/system/rainbowdash/default.nix
@@ -3,17 +3,17 @@
 {
 imports = [
 ./boot-config.nix
- ./secure-boot.nix
 ./hardware-configuration.nix
- ../../sets/buildMachines.nix
- ../../sets/hardware.nix
- ../../sets/hacking.nix
- ../../sets/laptop.nix
- ../../sets/ime.nix
 ../../sets/1password.nix
+ ../../sets/buildMachines.nix
+ ../../sets/hacking.nix
+ ../../sets/hardware.nix
+ ../../sets/ime.nix
+ ../../sets/krb5.nix
+ ../../sets/laptop.nix
+ ../../sets/secureBoot.nix
 ../../sets/virtualization.nix
 ../../sets/workstation.nix
- ../../sets/krb5.nix
 inputs.nixos-hardware.nixosModules.common-cpu-intel
 inputs.nixos-hardware.nixosModules.common-pc-laptop
 inputs.nixos-hardware.nixosModules.common-pc-laptop-acpi_call
diff --git a/system/rainbowdash/secure-boot.nix b/system/rainbowdash/secure-boot.nix
deleted file mode 100644
index e668974..0000000
--- a/system/rainbowdash/secure-boot.nix
+++ /dev/null
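Review bot: The `lanzaboote` name added to the `outputs` pattern is not referenced by anything in this hunk; the new `sets/secureBoot.nix` reaches the input through `inputs.lanzaboote`, which the existing `@ inputs` binding already provides. The body of `outputs` continues outside the hunk, so if nothing there uses the bare name either, the pattern can stay as it was: `outputs = { self, nixpkgs, home-manager, rustybar, private, wip-pinebook-pro, nixpkgs-unstable, ... } @ inputs:`.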
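Review bot: `pkiBundle = "/etc/secureboot";` is the only thing in sets/secureBoot.nix that says where the signing keys live, and the module it replaces read them from a different place (`/root/secure-boot/db.key` and `db.crt`), so a host that imports this set without that directory provisioned will presumably fail at lanzaboote's signing step rather than at evaluation; a comment above the option should record the expectation, e.g. `# Signing key material is provisioned out of band and never enters the Nix store; lanzaboote reads it from this directory when the bootloader is installed (sbctl-style layout under pkiBundle — confirm against the v0.3.0 module options)`. Keep that directory root-only (the old location under /root got that for free, /etc does not), because the private db key is what authorises anything to be signed for this machine's Secure Boot policy. `pkgs` in the argument set is unused; `{ inputs, ... }:` is enough. A short comment on `boot.loader.systemd-boot.enable = false;` would also help a reader: lanzaboote brings its own bootloader install step, so the stock systemd-boot installer has to be off so the two do not both write the ESP — whether the lanzaboote module enforces this itself is worth verifying.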
@@ -1,13 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- imports = [ ../../externals/systemd-boot-secure ];
- boot = {
- loader.systemd-boot-secure = {
- enable = true;
- signed = true;
- signing-key = "/root/secure-boot/db.key";
- signing-certificate = "/root/secure-boot/db.crt";
- };
- };
-}