Tracking issue: Boot security in NixOS

[RaitoBezarius]

This is a tracking issue for work around Boot security in NixOS incorporating elements of https://github.com/nix-community/projects/blob/main/proposals/nixpkgs-security.md.

Upstream features

• https://github.com/m4b/goblin/pull/361
• https://github.com/m4b/goblin/pull/381
• https://github.com/RaitoBezarius/goblin-signing/pull/2
• https://github.com/RaitoBezarius/goblin-signing/pull/3
• https://github.com/systemd/systemd/pull/28057
• https://github.com/systemd/systemd/pull/28070
• https://github.com/m4b/goblin/pull/389
• not done yet: load a kernel addon.

Work driven by @RaitoBezarius

UEFI Secure Boot by default for NixOS installer images

• https://github.com/RaitoBezarius/nixos-shim
• https://github.com/lheckemann/shim-review
• https://github.com/NixOS/nixpkgs/pull/273567

Work driven by @lheckemann, with the help of @mschwaig.

Bootspec v2

• https://github.com/NixOS/rfcs/pull/165

TPM2 in lanzaboote

• https://github.com/nix-community/lanzaboote/pull/168
• https://github.com/nix-community/lanzaboote/pull/169

Work driven by @RaitoBezarius

A/B schema in NixOS

• https://github.com/NixOS/nixpkgs/pull/84204
• https://github.com/NixOS/nixpkgs/pull/273062

Work driven by @JulienMalka

Integrity checks for the store

• https://github.com/NixOS/nixpkgs/pull/273593

Work driven by @ElvishJerricco

Interpreter-less NixOS

Tracking issue: https://github.com/NixOS/nixpkgs/issues/267982 Design document: https://pad.lassul.us/nixos-perlless-activation#

• https://github.com/NixOS/nixpkgs/pull/263203
• https://github.com/NixOS/nixpkgs/pull/264879
• https://github.com/NixOS/nixpkgs/pull/263462
• https://github.com/NixOS/nixpkgs/pull/267983

Work driven by @nikstur, with the help of @blitz @lheckemann.

[nixos-discourse]

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nixpkgs-supply-chain-security-project/34345/7