From f4f287acd1af28051780735239579ab09d337a1e Mon Sep 17 00:00:00 2001 From: Gerg-L Date: Mon, 17 Jun 2024 22:16:31 -0400 Subject: [PATCH] working lanzaboote secure boot with uefi shell --- flake.lock | 232 +++++++++++++++++++++++++++++++++++-- flake.nix | 6 + hosts/gerg-desktop/zfs.nix | 50 ++++++-- 3 files changed, 268 insertions(+), 20 deletions(-) diff --git a/flake.lock b/flake.lock index 3fa4859..58acd56 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,26 @@ { "nodes": { + "crane": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1718474113, + "narHash": "sha256-UKrfy/46YF2TRnxTtKCYzqf2f5ZPRRWwKCCJb7O5X8U=", + "owner": "ipetkov", + "repo": "crane", + "rev": "0095fd8ea00ae0a9e6014f39c375e40c2fbd3386", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "disko": { "inputs": { "nixpkgs": [ @@ -43,11 +64,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1673956053, - "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "owner": "edolstra", "repo": "flake-compat", - "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "type": "github" }, "original": { @@ -59,11 +80,11 @@ "flake-compat_2": { "flake": false, "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", "owner": "edolstra", "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", "type": "github" }, "original": { 
@@ -88,7 +109,44 @@ "type": "github" } }, + "flake-compat_4": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717285511, + "narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "nix", @@ -110,6 +168,24 @@ } }, "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { "locked": { "lastModified": 1667395993, "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", 
@@ -124,6 +200,54 @@ "type": "github" } }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils", + "nixpkgs": [ + "unstable" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1718626451, + "narHash": "sha256-KEM9FwTX4XvWzn/wKcbhS/xI7z3oU89XBfG8WnlHE88=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "93dd69a5b683deb8ab7d6dbb91771a2487745e8c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "lanzaboote", + "type": "github" + } + }, "libgit2": { "flake": false, "locked": { @@ -175,8 +299,8 @@ }, "nix": { "inputs": { - "flake-compat": "flake-compat", - "flake-parts": "flake-parts", + "flake-compat": "flake-compat_2", + "flake-parts": "flake-parts_2", "libgit2": "libgit2", "nixpkgs": [ "stable" @@ -272,6 +396,22 @@ } }, "nixpkgs-stable": { + "locked": { + "lastModified": 1710695816, + "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "614b4613980a522ba49f0d194531beddbb7220d3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_2": { "locked": { "lastModified": 1718478900, "narHash": "sha256-v43N1gZLcGkhg3PdcrKUNIZ1L0FBzB2JqhIYEyKAHEs=", 
@@ -289,7 +429,7 @@ }, "nvim-flake": { "inputs": { - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat_3", "neovim-src": "neovim-src", "nixpkgs": [ "unstable" @@ -314,7 +454,7 @@ "flake-compat": [ "nix" ], - "flake-utils": "flake-utils", + "flake-utils": "flake-utils_2", "gitignore": [ "nix" ], @@ -341,10 +481,38 @@ "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1717664902, + "narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "disko": "disko", "fetch-rs": "fetch-rs", + "lanzaboote": "lanzaboote", "master": "master", "nix": "nix", "nix-index-database": "nix-index-database", @@ -357,12 +525,37 @@ "unstable": "unstable" } }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1718504420, + "narHash": "sha256-F2HT/abCfr0CDpkvXwYCscJyD66XDTLMVfdrIMRp2ck=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "0043c3f92304823cc2c0a4354b0feaa61dfb4cd9", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "sops-nix": { "inputs": { "nixpkgs": [ "unstable" ], - "nixpkgs-stable": "nixpkgs-stable" + "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { "lastModified": 1718506969, @@ -380,7 +573,7 @@ }, "spicetify-nix": { "inputs": { - "flake-compat": "flake-compat_3", + "flake-compat": "flake-compat_4", "nixpkgs": [ "unstable" ] 
@@ -435,6 +628,21 @@
 "type": "github"
 }
 },
+ "systems": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
 "unstable": {
 "locked": {
 "lastModified": 1718318537,
diff --git a/flake.nix b/flake.nix
index 5dfc50e..d80516c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -51,6 +51,12 @@
 repo = "nix-index-database";
 inputs.nixpkgs.follows = "unstable";
 };
+ lanzaboote = {
+ type = "github";
+ owner = "nix-community";
+ repo = "lanzaboote";
+ inputs.nixpkgs.follows = "unstable";
+ };
 #my own packages
 spicetify-nix = {
 type = "github";
diff --git a/hosts/gerg-desktop/zfs.nix b/hosts/gerg-desktop/zfs.nix
index f8b437c..ad39159 100644
--- a/hosts/gerg-desktop/zfs.nix
+++ b/hosts/gerg-desktop/zfs.nix
@@ -2,11 +2,51 @@
 config,
 lib,
 pkgs,
+ lanzaboote,
 }:
+let
+ windowsConf = ''
+ title Windows
+ efi /shellx64.efi
+ options -nointerrupt -noconsolein -noconsoleout HD2d65535a1:EFI\Microsoft\Boot\Bootmgfw.efi
+
+ '';
+in
 {
+ imports = [ lanzaboote.nixosModules.lanzaboote ];
+
+ environment.systemPackages = [ pkgs.sbctl ];
+
+ boot.lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+ configurationLimit = 10;
+ package = lib.mkForce (
+ pkgs.writeShellApplication {
+ name = "lzbt";
+ runtimeInputs = [
+ lanzaboote.packages.tool
+ pkgs.coreutils
+ pkgs.sbctl
+ ];
+ text = ''
+ set -o pipefail
+ lzbt "$@"
+ MP='${config.boot.loader.efi.efiSysMountPoint}'
+ cp -f '${pkgs.edk2-uefi-shell.efi}' "$MP/shellx64.efi"
+ mkdir -p "$MP/loader/entries"
+ sbctl sign -s "$MP/shellx64.efi"
+ cat << EOF > "$MP/loader/entries/windows.conf"
+ ${windowsConf}
+ EOF
+ '';
+ }
+ );
+ };
 #link some stuff
 systemd.tmpfiles.rules = [
+ "L+ /etc/secureboot - - - - /persist/secureboot"
 "L+ /etc/ssh/ssh_host_ed25519_key - - - - /persist/ssh/ssh_host_ed25519_key"
 "L+ /etc/ssh/ssh_host_ed25519_key.pub - - - - /persist/ssh/ssh_host_ed25519_key.pub"
 "L /etc/nixos/flake.nix - - - - /home/gerg/Projects/nixos/flake.nix"
@@ -86,15 +126,9 @@
 };
 loader = {
 systemd-boot = {
- enable = lib.mkForce true;
+ enable = lib.mkForce false;
 extraFiles."shellx64.efi" = pkgs.edk2-uefi-shell.efi;
-
- extraEntries."windows.conf" = ''
- title Windows
- efi /shellx64.efi
- options -nointerrupt -noconsolein -noconsoleout HD2d65535a1:EFI\Microsoft\Boot\Bootmgfw.efi
- '';
-
+ extraEntries."windows.conf" = windowsConf;
 };
 grub.enable = lib.mkForce false;
 timeout = lib.mkForce 5;
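Review bot: `sbctl sign -s "$MP/shellx64.efi"` in the lzbt wrapper signs the complete EDK2 UEFI shell with the Secure Boot signing key, which makes an interactive shell bootable under Secure Boot; the `-nointerrupt -noconsolein -noconsoleout` options restrict only the Windows entry, and if the systemd-boot that lzbt installs still auto-detects `\shellx64.efi` (as the now-disabled `extraFiles."shellx64.efi"` relied on), anyone with console access gets a shell that can read and edit the ESP and firmware variables. A firmware setup/boot-menu password is the usual compensating control, and a comment such as `# shellx64.efi is signed only so the Windows entry can chainload Bootmgfw.efi; the signed shell is interactively bootable too, so keep a firmware password set` next to the sign call would record the trade-off. The here-document should be quoted, `cat << 'EOF' > "$MP/loader/entries/windows.conf"`, so the entry text is written literally instead of going through shell expansion (it currently works only because `windowsConf` contains no `$` or backtick). In the second hunk, `extraFiles."shellx64.efi"` and `extraEntries."windows.conf" = windowsConf;` remain under `systemd-boot`, which is now `enable = lib.mkForce false`, so they are dead settings duplicating what the wrapper writes. The module's attribute set starts before the first hunk and continues after the second.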