From 7e815dd5d07e05d6b79cf31385ae5ab776625184 Mon Sep 17 00:00:00 2001 From: Grigory Shipunov Date: Sun, 23 Apr 2023 01:03:53 +0200 Subject: [PATCH] first stab at secure boot --- flake.lock | 263 +++++++++++++++++++++++++++++++--- flake.nix | 7 + hosts/toaster/default.nix | 1 + hosts/toaster/secure-boot.nix | 12 ++ 4 files changed, 263 insertions(+), 20 deletions(-) create mode 100644 hosts/toaster/secure-boot.nix diff --git a/flake.lock b/flake.lock index 45d184c..0d48605 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,38 @@ { "nodes": { + "crane": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "rust-overlay": [ + "lanzaboote", + "rust-overlay" + ] + }, + "locked": { + "lastModified": 1680584903, + "narHash": "sha256-uraq+D3jcLzw/UVk0xMHcnfILfIMa0DLrtAEq2nNlxU=", + "owner": "ipetkov", + "repo": "crane", + "rev": "65d3f6a3970cd46bef5eedfd458300f72c56b3c5", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "fenix": { "inputs": { "nixpkgs": [ @@ -8,11 +41,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1682144464, - "narHash": "sha256-HlVJU4p1OED3HJNOoXrxR6qabKWMtGq0wbYhroumuVc=", + "lastModified": 1682230876, + "narHash": "sha256-vCnd1pZRQKCdNvivQBD7WzaOlU1GcN91OCAz1rnoe5M=", "owner": "nix-community", "repo": "fenix", - "rev": "6424d70f13761c203dada9de6ce417fc9f22712d", + "rev": "378f052d9f1cd90060ec4329f81782fee80490a4", "type": "github" }, "original": { 
@@ -21,6 +54,43 @@ "type": "github" } }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1680392223, + "narHash": "sha256-n3g7QFr85lDODKt250rkZj2IFS3i4/8HBU2yKHO3tqw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "dcc36e45d054d7bb554c9cdab69093debd91a0b5", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems" 
@@ -54,9 +124,73 @@ "type": "github" } }, + "flake-utils_3": { + "locked": { + "lastModified": 1678901627, + "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils_2", + "nixpkgs": [ + "nixpkgs-unstable" + ], + "nixpkgs-test": "nixpkgs-test", + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1682256558, + "narHash": "sha256-H+O4yqeePiQcUGvmzXbeZB0fRX1ybAD+LVwP5w3CU/w=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "9bf192bb79e2fbee0b9f12cd314b36d194863059", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "lanzaboote", + "type": "github" + } + }, "microvm": { "inputs": { - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_3", "nixpkgs": [ "nixpkgs" ] 
@@ -77,11 +211,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1681932375, - "narHash": "sha256-tSXbYmpnKSSWpzOrs27ie8X3I0yqKA6AuCzCYNtwbCU=", + "lastModified": 1682173319, + "narHash": "sha256-tPhOpJJ+wrWIusvGgIB2+x6ILfDkEgQMX0BTtM5vd/4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3d302c67ab8647327dba84fbdb443cdbf0e82744", + "rev": "ee7ec1c71adc47d2e3c2d5eb0d6b8fbbd42a8d1c", "type": "github" }, "original": { @@ -93,11 +227,27 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1681613598, - "narHash": "sha256-Ogkoma0ytYcDoMR2N7CZFABPo+i0NNo26dPngru9tPc=", + "lastModified": 1678872516, + "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1040ce5f652b586da95dfd80d48a745e107b9eac", + "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1682173319, + "narHash": "sha256-tPhOpJJ+wrWIusvGgIB2+x6ILfDkEgQMX0BTtM5vd/4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ee7ec1c71adc47d2e3c2d5eb0d6b8fbbd42a8d1c", "type": "github" }, "original": { 
@@ -107,13 +257,29 @@ "type": "github" } }, + "nixpkgs-test": { + "locked": { + "lastModified": 1679009563, + "narHash": "sha256-jizICiQOqUcYFNHRNNOo69bfyNo36iyuRAHem5z68LQ=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "371d3778c4f9cee7d5cf014e6ce400d57366570f", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "qemu-boot-disk-using-make-disk-image", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-unstable": { "locked": { - "lastModified": 1681920287, - "narHash": "sha256-+/d6XQQfhhXVfqfLROJoqj3TuG38CAeoT6jO1g9r1k0=", + "lastModified": 1682181988, + "narHash": "sha256-CYWhlNi16cjGzMby9h57gpYE59quBcsHPXiFgX4Sw5k=", "owner": "nixos", "repo": "nixpkgs", - "rev": "645bc49f34fa8eff95479f0345ff57e55b53437e", + "rev": "6c43a3495a11e261e5f41e5d7eda2d71dae1b2fe", "type": "github" }, "original": { @@ -123,10 +289,42 @@ "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1680981441, + "narHash": "sha256-Tqr2mCVssUVp1ZXXMpgYs9+ZonaWrZGPGltJz94FYi4=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "2144d9ddcb550d6dce64a2b44facdc8c5ea2e28a", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "fenix": "fenix", "flake-utils": "flake-utils", + "lanzaboote": "lanzaboote", "microvm": "microvm", "nixpkgs": "nixpkgs", "nixpkgs-unstable": "nixpkgs-unstable", 
@@ -137,11 +335,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1682101542, - "narHash": "sha256-CHSbpvLZf0joKD1cU+Hg02uIYvV3xkvwcx+0oBWL0CQ=", + "lastModified": 1682163822, + "narHash": "sha256-u7vaRlI6rYiutytoTk8lyOtNKO/rz5Q63Z6S6QzYCtU=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "af3b6a0893cc3a05b5ddc1e9d31b2c454b480426", + "rev": "2feabc4dc462644287372922928110eea4c60ca7", "type": "github" }, "original": { @@ -151,19 +349,44 @@ "type": "github" } }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1682129965, + "narHash": "sha256-1KRPIorEL6pLpJR04FwAqqnt4Tzcm4MqD84yhlD+XSk=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "2c417c0460b788328220120c698630947547ee83", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "sops-nix": { "inputs": { "nixpkgs": [ "nixpkgs" ], - "nixpkgs-stable": "nixpkgs-stable" + "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1681821695, - "narHash": "sha256-uwyBGo/9IALi97AfMuzkJroQQhV6hkybaZVdw6pRNG4=", + "lastModified": 1682218555, + "narHash": "sha256-kojMklCNBnPe8KtRvJvBtFGU/gPAqRKYpZEqyehHfn4=", "owner": "Mic92", "repo": "sops-nix", - "rev": "5698b06b0731a2c15ff8c2351644427f8ad33993", + "rev": "8a95e6f8cd160a05c2b560e66f702432a53b59ac", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index a91452f..cd24209 100644 --- a/flake.nix +++ b/flake.nix @@ -25,12 +25,18 @@ url = "github:tmux-plugins/tmux-yank"; flake = false; }; + + lanzaboote = { + url = "github:nix-community/lanzaboote"; + inputs.nixpkgs.follows = "nixpkgs-unstable"; + }; }; outputs = inputs@{ self , fenix , flake-utils + , lanzaboote , microvm , nixpkgs , nixpkgs-unstable 
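Review bot: The new `lanzaboote` input is declared as `github:nix-community/lanzaboote` with no ref, so although flake.lock pins it to one rev today, every `nix flake update` will move the component that signs your kernel and boot stub to whatever is on the default branch at that moment. For the piece of the chain the firmware ends up trusting, pinning to a tagged release and bumping it deliberately is the safer default, e.g. `url = "github:nix-community/lanzaboote/<release-tag>";`. The `inputs.nixpkgs.follows = "nixpkgs-unstable"` line also means the signing tooling is built from the unstable input even if the host itself is built from `nixpkgs`; that may well be intended, but a one-line comment stating why would save the next reader from guessing. The `inputs` attribute set this hunk edits begins before the hunk, and the `outputs` argument list continues after it.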
@@ -60,6 +66,7 @@
 specialArgs = { inherit inputs; };
 modules = [
 sops-nix.nixosModules.sops
+ lanzaboote.nixosModules.lanzaboote
 ./hosts/toaster
diff --git a/hosts/toaster/default.nix b/hosts/toaster/default.nix
index 6aaa4bc..e7ff5b9 100644
--- a/hosts/toaster/default.nix
+++ b/hosts/toaster/default.nix
@@ -6,6 +6,7 @@
 ./network-vpns.nix
 ./network.nix
 ./secrets.nix
+ ./secure-boot.nix
 ./zfs.nix
 ];
diff --git a/hosts/toaster/secure-boot.nix b/hosts/toaster/secure-boot.nix
new file mode 100644
index 0000000..d18e1cb
--- /dev/null
+++ b/hosts/toaster/secure-boot.nix
@@ -0,0 +1,12 @@
+{ pkgs, lib, ... }: {
+ boot = {
+ bootspec.enable = true;
+ loader.systemd-boot.enable = lib.mkForce false;
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/etc/secureboot";
+ };
+ };
+
+ environment.systemPackages = [ pkgs.sbctl ];
+}
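Review bot: `pkiBundle = "/etc/secureboot"` in the new secure-boot.nix points lanzaboote at the Secure Boot private keys (the PK/KEK/db material sbctl generates), but nothing in the file says where they come from or that they must exist before the first `nixos-rebuild switch`; signing happens at bootloader-install time and, as far as I can tell, a missing bundle makes that step fail rather than fall back to an unsigned boot — worth confirming on this host. That directory is the root of trust for the whole boot chain, so it belongs created out-of-band with `sbctl create-keys`, root-only, backed up off-host, and if the root filesystem is not encrypted the db private key sits in plaintext on disk next to everything it protects. I would document that above the option: `# Keys are created out-of-band (sbctl create-keys), root-only, backed up off-host; enroll with sbctl enroll-keys (include vendor certs on hardware with signed option ROMs) and check sbctl verify / bootctl status after the first boot.` Note also that Secure Boot on its own does not stop someone with console access who can enter firmware setup and disable it or enroll their own keys, so a firmware setup password and ideally TPM-sealed disk encryption are part of the same threat model; a short comment saying which of those this host has would make the intent clear.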