Secure Boot for NixOS [maintainers=@blitz @raitobezarius @nikstur]

Overview

Lanzaboote: Secure Boot for NixOS


This repository contains tooling for UEFI Secure Boot on NixOS. The goal is to make Secure Boot available from nixpkgs for any platform that supports UEFI.

Quickstart

If you want to try this out, head over here for instructions.

🪛 Get Involved 🪛

There is still a bunch of work to do before this work can be upstreamed into nixpkgs. Please coordinate in the Matrix room or check the issues, if you want to take something up.

Overview

Secure Boot

The goal of UEFI Secure Boot is to allow only trusted operating systems to boot on a system. This can be used to defend against certain classes of attacks that compromise the boot flow of a system. For example, an attacker will have difficulty replacing the Linux kernel that boots a system when Secure Boot is active.

UEFI Secure Boot works by digitally signing all drivers, bootloaders, the Linux kernel and its initrd. This establishes a chain of trust where one trusted component only hands off control to the next part of the boot flow when the integrity of the chain is cryptographically validated.

Caveats

There are some additional steps that are required to make UEFI Secure Boot effective:

  • There must be a BIOS password or a similar restriction that prevents unauthorized changes to the Secure Boot policy.
  • The booted system must have some form of integrity protection.
  • The firmware must be kept up-to-date.

These steps will not be covered here.

Lanzatool

At the moment, boot loaders, kernels and initrds on NixOS are signed on the current system. These then need to be prepared as Unified Kernel Images (UKI) and placed on the EFI System Partition (ESP).

lanzatool is a Linux command line application that takes care of this flow. It takes a NixOS bootspec document, signs the relevant files, creates a UKI using lanzaboote (see below) and installs the UKI along with other required files to the ESP. lanzatool is also aware of multiple NixOS generations and will sign all configurations that should be bootable.

Lanzaboote

When the Linux kernel and initrd are packed into a UKI, they need a UEFI application stub. This role is typically filled by systemd-stub.

The downside of systemd-stub is that it requires the kernel and initrd to be packed into the UKI, which makes it pretty large. As we need one UKI per NixOS configuration, systems with many configurations quickly run out of the limited disk space in the ESP.

lanzaboote is a UEFI stub that solves the same problem as systemd-stub, but allows kernel and initrd to be stored separately on the ESP. The chain of trust is maintained by validating the signature on the Linux kernel and embedding a cryptographic hash of the initrd into the signed UKI.
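The stub's trust checks in outline, as an added model in Python (not the project's Rust code): a signed record names the kernel and initrd and pins the initrd hash, so a firmware-trusted kernel cannot be paired with a different initrd taken from another generation. Assumptions: hashlib's BLAKE2b stands in for the hash the stub embeds, an HMAC over the record stands in for the Authenticode signature, and the ESP contents and the set of signed kernels are constructed inside the block.

```python
import hashlib
import hmac

# Constructed sample ESP contents; in reality these are the generation's
# kernel and initrd files that lanzatool installed.
ESP = {
    "kernel-A.efi": b"kernel of generation A",
    "initrd-A.img": b"initrd of generation A",
    "initrd-B.img": b"initrd of generation B",
}
# Kernels the firmware would accept as signed (stand-in for the db check).
SIGNED_KERNELS = {"kernel-A.efi"}
# Constructed key; HMAC stands in for the Authenticode signature on the stub.
SIGNING_KEY = b"constructed-demo-key"


def initrd_digest(data: bytes) -> str:
    # BLAKE2b from the stdlib stands in for the hash lanzaboote embeds.
    return hashlib.blake2b(data, digest_size=32).hexdigest()


def build_stub(kernel: str, initrd: str) -> dict:
    """lanzatool side: embed the file names and the initrd hash, then sign the record."""
    body = f"{kernel}\n{initrd}\n{initrd_digest(ESP[initrd])}".encode()
    return {"body": body, "sig": hmac.new(SIGNING_KEY, body, "sha256").hexdigest()}


def verify_and_boot(stub: dict, esp: dict) -> str:
    """lanzaboote side: refuse unless the stub, the kernel and the initrd all check out."""
    expected_sig = hmac.new(SIGNING_KEY, stub["body"], "sha256").hexdigest()
    if not hmac.compare_digest(stub["sig"], expected_sig):
        return "refused: stub signature invalid"
    kernel, initrd, pinned = stub["body"].decode().split("\n")
    if kernel not in SIGNED_KERNELS:
        return f"refused: kernel {kernel} has no trusted signature"
    if initrd not in esp:
        return f"refused: initrd {initrd} missing from ESP"
    if not hmac.compare_digest(initrd_digest(esp[initrd]), pinned):
        return f"refused: initrd {initrd} does not match the hash pinned in the stub"
    return f"booting {kernel} with {initrd}"


def demo() -> dict:
    """Genuine boot, then the mix-and-match case: initrd-A's slot holds initrd-B's bytes."""
    stub = build_stub("kernel-A.efi", "initrd-A.img")
    swapped = {**ESP, "initrd-A.img": ESP["initrd-B.img"]}
    return {"genuine": verify_and_boot(stub, ESP), "swapped": verify_and_boot(stub, swapped)}
```

A name-only check would accept the swapped case, since the file name is unchanged; the pinned hash is what ties the initrd to the signed stub.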

lanzaboote lives in rust/lanzaboote.

State of Upstreaming to Nixpkgs

Secure Boot is available as a Nixpkgs out-of-tree feature using the bootspec feature preview. It works with current nixpkgs-unstable.

Funding


This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. Applications are still open, you can apply today.

If your organization wants to support the project with extra funding in order to add support for more architectures, PKCS#11 workflows or integration, please contact one of the maintainers.

Comments
  • project: support upstream bootspec

    project: support upstream bootspec

    Depends on https://github.com/DeterminateSystems/bootspec/pull/68

    This removes our dependency on checking about bootspecs ourselves, etc.

    We can now take it easy and rely on DetSys's library.

    ~Some minor stuff I am not too certain of, c.f. Default trait for SecureBootExtension.~

    Also, it enable out-of-tree SecureBoot in unstable NixOS. :)

    opened by RaitoBezarius 9
  • Verify Kernel/Initrd Integrity using Blake3

    Verify Kernel/Initrd Integrity using Blake3

    We currently only embed file names. While we do check whether these files are then signed, an attacker can mix and match any signed kernel and initrd. To prevent this, we now also embed a Blake3 hash of kernel/initrd into lanzaboote.

    The upside of this is that the initrd does not have to be wrapped into a PE file for signing anymore, because we guarantee its integrity using the signed hash from lanzaboote.

    The downside is that blake3 has doubled the size of the lanzaboote binary.

    Review commit-by-commit to have less clutter.

    opened by blitz 9
  • Move tests into separate file, add more structure to nix directory, and run nixpkgs-fmt & statix over everything

    Move tests into separate file, add more structure to nix directory, and run nixpkgs-fmt & statix over everything

    The flake was getting hard to work with because it's getting pretty long and was not formatted. I refactored the nix bits:

    • Formatted everything with nixpkgs-fmt
    • Applied suggestions from statix
    • Moved the module (lanzaboote.nix) and the package (uefi-run.nix) into corresponding subdirs in the nix directory
    • Moved the tests into a separate file in the nix subdirectory
    • Added nixpkgs-fmt and statix to devShell

    Review commit by commit

    opened by nikstur 4
  • Drop Naersk and Enable Clippy for lanzaboote

    Drop Naersk and Enable Clippy for lanzaboote

    This PR:

    • fixes Clippy issues in lanzaboote (where possible),
    • switches the build of all Rust components to Crane (Thanks to https://github.com/ipetkov/crane/pull/174 :tada:)
    • enables clippy for lanzaboote in nix flake check
    • drops the Naersk dependency

    This PR will have some trivial merge conflicts with #21. But as they are easy to resolve, we can merge these PRs in any order.

    opened by blitz 3
  • Lanzatool: respect configuration limit

    Lanzatool: respect configuration limit

    This PR enables setting a configuration limit for lanzatool via the --configuration-limit parameter.

    It includes

    • Unit tests for the garbage collector.
    • Some fixes that I made while debugging (incl. a unit test in esp.rs)
    • Infrastructure for integration testing of the lanzatool binary via assert_cmd and an initial test for the GC. Some minor changes needed to be made to the flake to support the new lanzatool integration tests.

    It is missing a NixOS integration test because it turns out these are really hard to implement with an out-of-tree module (and even nixpkgs does not contain any tests for the config limit).

    I recommend review commit-by-commit.

    opened by nikstur 2
  • Green Checkmark

    Green Checkmark

    This PR works towards the green checkmark in GNOME Device Security. For that we need to:

    • [ ] Placate fwupdtool security
      • [ ] Make thinklmi export a sane sysfs (see Linux patch)
        • The current patch is wrong. See discussion in: https://bugzilla.kernel.org/show_bug.cgi?id=216460
      • [ ] "Unsupported CPU" on AMD? https://github.com/fwupd/fwupd/issues/5284
    • [ ] Enable kernel lockdown
      • [x] Enable the kernel options
      • [ ] Enable lockdown on boot
    opened by blitz 2
  • Bootloader configuration deleted

    Bootloader configuration deleted

    As we can see in https://bin.hubrecht.ovh/?b376f2a3f8e744c3#8hdQHWaR7zvZCtYikanp1CdTL16z5jgD6UBV6b4SECW4 , when we run nixos-rebuild switch with lanzaboote activated, it deletes almost all directories in /boot/EFI/, but the directory `/boot/EFI/loader` is used to store the configuration of the bootloader, so it is erased at each rebuild. This is very annoying as when we use systemd-boot there is no longer a timeout and we cannot choose which generation we want to boot on.

    bug 
    opened by Tom-Hubrecht 0
  • Update README

    Update README

    I've tried to remove everything that better belongs in the issue tracker. I've also removed stale information and links. While I was there I also tried to improve the overview information so people have an easier time getting started.

    opened by blitz 0
  • Avoid Path -> String Conversions

    Avoid Path -> String Conversions

    Lanzatool had a couple of avoidable Path to String conversions. These are problematic, because they can easily fail if a user has a messed up way of calling files. :)

    All of them happened in order to pass paths as command arguments. In this case, these conversions are avoidable, because Command takes OsString as well. And we can construct OsString from Path without the possibility of failing.

    opened by blitz 0
  • Move lanzatool to inputsFrom in devShell

    Move lanzatool to inputsFrom in devShell

    When lanzatool is in the packages attr of the devShell, any compilation error in lanzatool means direnv cannot load the environment anymore. Then LSP support in your editor and even cargo in your shell is missing.

    opened by nikstur 0
  • Switch to flake-parts

    Switch to flake-parts

    We could simplify our cross compilation story by using flake-parts instead of doing the flake on our own. This would also simplify adding other tools such as https://github.com/cachix/pre-commit-hooks.nix/ .

    enhancement good first issue 
    opened by blitz 0
  • Lanzatool skips already existing files even if they are not signed

    Lanzatool skips already existing files even if they are not signed

    If you remove a sig of a systemd-bootx64.efi, lanzatool will turn a blind eye and not sign it.

    Causing surprising behaviors such as security violation :-((((

    bug 
    opened by RaitoBezarius 3
  • nixos/lanzaboote: support unsigned generation policies

    nixos/lanzaboote: support unsigned generation policies

    This is open for comments, implementation will follow once I have a bit of time.

    So we discussed this during the sprint and never got around to it properly.

    A NixOS user is going to go through these steps in his life:

    • disabled SecureBoot
    • enabled SecureBoot
    • disabled SecureBoot
    • enabled SecureBoot

    etc.

    NixOS has this neat feature about rollbacks, and SecureBoot interferes with it by breaking the unsigned generations.

    Note that a generation signed with the wrong key is considered as an unsigned generation here.

    To offer maximum flexibility, I want to offer three policies:

    • resign: ignore all risks and resign everything, this is particularly dangerous but fine on a development machine, testing machine and people who do not believe they are going to be targeted by Bad Actors™, of course, we do not advise this level of policy for normal operations.
    • resign-last-only: resign only the LAST (or current) generation. Assuming a rootkit infecting everything that looks like a kernel, initrd, etc., this will not fix the situation. But, if you build a new generation that you inspect and trust, this can alleviate the problem, then you can have an unsigned generation you can go back in case lanzaboote is broken. We recommend this policy for normal operations.
    • ignore: break all old generations (until SB is disabled), this is recommended for more serious operations, combined with an appropriate way to trust your derivations at runtime.
    opened by RaitoBezarius 0