From f4a837b4f1ce160d43edaf853e70a659dc6882e3 Mon Sep 17 00:00:00 2001 From: Sam Lehman Date: Wed, 24 Jul 2024 16:59:38 -0400 Subject: [PATCH] fix: more secure boot changes --- nixos/hosts/fw/profiles.nix | 9 +- nixos/hosts/wyse/default.nix | 1 - nixos/profiles/boot/default.nix | 60 ++++++++---- nixos/profiles/boot/disko.nix | 6 -- nixos/profiles/boot/entries/usb-boot.nix | 11 +-- nixos/profiles/boot/hibernation.nix | 81 +++++----------- nixos/profiles/boot/plymouth.nix | 63 ++++++------- nixos/profiles/boot/print-config-install.nix | 9 -- nixos/profiles/boot/quiet.nix | 35 +++++++ nixos/profiles/boot/secureboot.nix | 94 ------------------- nixos/profiles/boot/systemd-boot.nix | 44 +++++---- nixos/profiles/boot/systemd-debug.nix | 32 +++---- nixos/profiles/boot/systemd-emergency.nix | 32 +++---- nixos/profiles/boot/systemd-initrd.nix | 28 ++++-- nixos/profiles/boot/unl0kr.nix | 22 ----- nixos/profiles/hardware/tpm2.nix | 14 +-- nixos/profiles/modules/lanzaboote.nix | 98 ++++++++++++++++---- 17 files changed, 287 insertions(+), 352 deletions(-) delete mode 100644 nixos/profiles/boot/disko.nix delete mode 100644 nixos/profiles/boot/print-config-install.nix create mode 100644 nixos/profiles/boot/quiet.nix delete mode 100644 nixos/profiles/boot/secureboot.nix delete mode 100644 nixos/profiles/boot/unl0kr.nix
diff --git a/nixos/hosts/fw/profiles.nix b/nixos/hosts/fw/profiles.nix
index b5c94637..a0ac2155 100644
--- a/nixos/hosts/fw/profiles.nix
+++ b/nixos/hosts/fw/profiles.nix
@@ -1,14 +1,7 @@
-{
- config,
- lib,
- pkgs,
- inputs,
- ...
-}: {
+{ config, lib, pkgs, inputs, ... }: {
 imports = [
 ../../profiles
 ../../profiles/boot
- # ../../profiles/boot/secureboot.nix
 ../../profiles/desktop
 ../../profiles/desktop/de/gnome
 ../../profiles/hardware/display
diff --git a/nixos/hosts/wyse/default.nix b/nixos/hosts/wyse/default.nix
index 145049d1..06d5d71d 100644
--- a/nixos/hosts/wyse/default.nix
+++ b/nixos/hosts/wyse/default.nix 
@@ -27,7 +27,6 @@ ../../profiles ../../profiles/boot - #../../profiles/boot/unl0kr.nix ../../profiles/desktop ../../profiles/desktop/de/gnome ../../profiles/hardware/display diff --git a/nixos/profiles/boot/default.nix b/nixos/profiles/boot/default.nix index ae412f73..ca08b82e 100644 --- a/nixos/profiles/boot/default.nix +++ b/nixos/profiles/boot/default.nix 
@@ -1,46 +1,64 @@ { config, lib, pkgs, user, ... }: +# +# https://wiki.archlinux.org/index.php/Disk_encryption +# https://nixos.wiki/wiki/Full_Disk_Encryption +# https://nixos.org/wiki/Encrypted_Root_on_NixOS +# https://nixos.wiki/wiki/Remote_disk_unlocking +# let - inherit (lib) mkDefault; + inherit (lib) mkDefault mkIf; + opts = { + disk-unlock-password-entry = true; + disk-unlock-usb-key = false; + }; in { imports = [ - ./plymouth.nix + ./plymouth.nix # imports ./quiet.nix ./systemd-boot.nix ./systemd-initrd.nix - #./disko.nix - #./extra-bootloader-entries.nix - #./hibernation.nix - #./iscsi-initiator.nix - #./nvme.nix - #./print-config-install.nix - #./secureboot.nix #./systemd-debug.nix #./systemd-emergency.nix #./systemd-repart.nix - #./unl0kr.nix - #./entries # # ./entries/{efi-shell,fwupd,memtest86,netbootxyz,restart-bootloader,usb-boot}.nix - #./filesystem-support # ./filesystem-support/{bcachefs,btrfs,f2fs,lvm2,mdadm,ntfs,xfs,zfs}.nix + #./entries # ./entries/{efi-shell,fwupd,memtest86,netbootxyz,restart-bootloader,usb-boot}.nix + #./fs # ./fs/{bcachefs,btrfs,lvm2,mdadm,ntfs,zfs}.nix + #./fs # ./fs/{f2fs,ntfs,xfs}.nix + #./fs/layouts # ./fs/layouts/xbootldr.nix + #./hw # ./hw/{nvme,tpm2}.nix + #./network # ./network/{iscsi-initiator,netboot,pixieboot}.nix #./efivars.nix - #./tpm.nix - #./xbootldr.nix + #./hibernation.nix ]; boot = { bootspec = { # Write bootspec docs for each build. - enable = mkDefault true; + enable = true; #mkDefault true; # Validate bootspec documents upon each build. # - Note: introduces build-time Golang dep Cuelang. # - Warn: Make certain bootspec docs are correct. - enableValidation = mkDefault true; + enableValidation = true; #mkDefault true; # extensions = {}; }; + initrd = { + # --- Graphical Disk Unlock w/ Touch Keyboard --- + # https://github.com/droidian/unl0kr + # TODO: Enable when: + # - no keyboard OR touchscreen (mobile devices) + # - disk encrypted + # TODO: Write configuration file. 
+ # TODO: Create NixOS module for config options. + # TODO: Move config to profiles/mobile? + unl0kr.enable = opts.disk-unlock-password-entry; + kernelModules = mkIf opts.disk-unlock-usb-key ["usb_storage"]; + }; + loader = { # Second until default bootloader entry boots. # - `null` = wait indefinitely @@ -49,11 +67,19 @@ in efi = { # Where to mount the EFI system partition - efiSysMountPoint = mkDefault "/boot"; #"/boot/efi"; + # TODO: Follow Discoverable Partitions Spec: + # https://uapi-group.org/specifications/specs/discoverable_partitions_specification/ + # - TODO: `XBOOTLDR` / `ESP` splitting? + # - TODO: Rewrite to `/efi`, `/boot`, or `/boot/efi`? + # NOTE: Set to "/boot/efi" in `nixos/hosts/fw/configuration.nix` + # Default: "/boot" + efiSysMountPoint = mkDefault "/boot"; #"/boot/efi"; # Whether install process allowed to modify EFI boot variables canTouchEfiVariables = mkDefault true; }; }; }; + + environment.systemPackages = mkIf config.boot.bootspec.enable [pkgs.bootspec]; } diff --git a/nixos/profiles/boot/disko.nix b/nixos/profiles/boot/disko.nix deleted file mode 100644 index bad0a349..00000000 --- a/nixos/profiles/boot/disko.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ inputs, config, lib, pkgs, ... }: -{ - imports = [ - ]; - -} diff --git a/nixos/profiles/boot/entries/usb-boot.nix b/nixos/profiles/boot/entries/usb-boot.nix index f7666943..92a6ad8d 100644 --- a/nixos/profiles/boot/entries/usb-boot.nix +++ b/nixos/profiles/boot/entries/usb-boot.nix 
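Review bot: `unl0kr.enable = opts.disk-unlock-password-entry;` turns the initrd unl0kr unlocker on unconditionally, because `opts.disk-unlock-password-entry` is a hard-coded `true` in the `let` binding, while the TODO block directly above it says it should only be enabled for devices with no keyboard / a touchscreen and an encrypted disk. A plain `let` binding also cannot be overridden per host, so turning the two `opts` flags into module options (e.g. via `lib.mkEnableOption`) or defaulting this one to `false` until those conditions are wired up would keep a keyboard-only host from being handed a touch-keyboard unlock prompt. I believe the upstream `boot.initrd.unl0kr` module asserts that `boot.initrd.systemd.enable` is set, so this presumably relies on `./systemd-initrd.nix` doing that — worth confirming. Separately, `enable = true; #mkDefault true;` and `enableValidation = true; #mkDefault true;` drop the `mkDefault` that let hosts override the bootspec settings and leave the old value behind as a trailing comment; either keep `mkDefault` or delete the comment. The enclosing `boot = { … }` attribute set continues past the end of the hunk.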
@@ -1,20 +1,15 @@ -{ config, ... }: -{ - imports = [ ]; - +{ config, ... }: { # TODO: Enable networking, disks in initrd / UEFI? - + # TODO: Add EFI binary paths for all extraEntries. boot.loader.systemd-boot = { extraEntries = { - # TODO: Add EFI binary paths for all extraEntries. "usb-boot" = '' title Boot from USB drive efi ''; }; - extraFiles = { - #"efi//.efi" = "${pkgs.}/.efi"; + #"efi//.efi" = "${pkgs.}/.efi"; #"efi/reboot-bootloader/no-plymouth.efi" = "${pkgs.systemd-boot}/systemd-boot.efi"; # TODO: Get real path }; }; diff --git a/nixos/profiles/boot/hibernation.nix b/nixos/profiles/boot/hibernation.nix index 3a9146ac..cb0d950d 100644 --- a/nixos/profiles/boot/hibernation.nix +++ b/nixos/profiles/boot/hibernation.nix @@ -1,9 +1,5 @@ -{ inputs -, config -, lib -, pkgs -, ... -}: +{ inputs, config, lib, pkgs, ... }: +# # TODO: Possible to work with machines that are Kubernetes nodes? # TODO: Setup Full Disk Encryption (FDE) before enabling swap & hibernation. # TODO: Encrypt keyfiles with agenix or sops-nix, then add to repo. @@ -12,16 +8,13 @@ # - [ ] Mount other keyfiles at proper location on disk. # TODO: Configure hardware-configuration & disk partitions with Disko. # -# # See: # # - https://nixos.wiki/wiki/Laptop # - https://sawyershepherd.org/post/hibernating-to-an-encrypted-swapfile-on-btrfs-with-nixos/ # { - imports = [ - #./swap.nix - ]; + # imports = [ ./swap.nix ]; # Device for manual resume attempt during boot. # This should be used primarily if you want to resume from file. 
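Review bot: The `"usb-boot"` entry kept as context still reads `efi ` with nothing after it, so systemd-boot has no binary to chain-load and the entry will presumably be ignored or fail at boot; the relocated `# TODO: Add EFI binary paths for all extraEntries.` acknowledges this, but the entry itself is left live. Under the secure boot setup this patch is about, whatever path eventually goes there has to be a binary signed by a key the firmware trusts, otherwise the entry fails verification instead of booting the stick. Until a path exists I would comment the whole `"usb-boot" = '' … '';` entry out, or record the requirement next to it: `# TODO: efi path must point at a binary signed with the enrolled secure boot key.` The `extraFiles` block now holds only commented-out entries; if nothing is planned there, drop the block rather than keep an empty attribute set.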
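Review bot: `# imports = [ ./swap.nix ];` in the second hunk of nixos/profiles/boot/hibernation.nix replaces one commented-out import with another, with no note on why it stays disabled, even though the file's own TODO list says full disk encryption must be set up before swap and hibernation are enabled. A reader landing on this line later cannot tell whether it is dead code or a deliberate gate. Suggest making the condition explicit: `# TODO: import ./swap.nix only after FDE is in place (see TODOs above); unencrypted swap would write memory contents to disk in the clear.` The enclosing attribute set continues past the end of the hunk.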
@@ -65,51 +58,28 @@ # - the path of the swap device or file (device) or # - the label of the swap device (label, see mkswap -L). # Using a label is recommended. - swapDevices = { - - primary-swap = { - - # --- Swap device parameters --- - device = "/dev/nvme0n1p2"; # Path of the device or swap file. - discardPolicy = null; # null | once | pages | both - label = "swap"; # Label of the device. Can be used instead of device. - options = [ "defaults" ]; # Options used to mount the swap. - priority = 10; # Priority of the swap device b/w [0, 32767] where higher number => higher priority. null lets kernel choose priority, which will show up as negative value. - size = 2048; # Swap size in Megabytes. # TODO: Set to RAM size * 1.5 - - # --- Swap Encryption --- - encrypted = { - enable = true; # The block device is backed by an encrypted one, adds this device as a initrd luks entry. - blkDev = "/dev/nvme0n1p2"; # Location of the backing encrypted device. - # Path to a keyfile used to unlock the backing encrypted device. - # At the time this keyfile is accessed, - # the neededForBoot filesystems (see fileSystems..neededForBoot) will have been mounted under /mnt-root, - # so the keyfile path should usually start with “/mnt-root/”. - keyFile = "/mnt-root/root/.swapkey"; - - # Label of the unlocked encrypted device. Set fileSystems..device to /dev/mapper/