NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

Hardened module breaks boot. #343516

Open Mikilio opened 1 month ago

Mikilio commented 1 month ago

https://github.com/NixOS/nixpkgs/blame/e88358265511d3a73b30dc6e4c15579844b35280/nixos/modules/profiles/hardened.nix#L46

Turning off the parameter linked above allows me to boot again. I could not identify exactly which pieces of my configuration need it to be disabled, but here is my best description of what is happening.

  1. HP 845 G10 starts
  2. systemd-boot installed by lanzaboote allows me to choose a generation.
  3. I start the generation in question.
  4. Secureboot verifies the EFI stub successfully
  5. Computer reboots immediately

Notice that it does not even enter systemd stage 1.

I can only suspect that maybe lanzaboote is doing some unexpected access to freed memory, but I couldn't test yet whether it's actually lanzaboote's fault. That is because it is really annoying on my laptop to disable secure boot and re-enable it later. So maybe someone can help me verify here?

Mikilio commented 2 weeks ago

Just trying to notify an active contributor to this module @emilazy

emilazy commented 2 weeks ago

Thanks for the ping. Unfortunately while “active contributor” and “contributor to this module” are both true, “active contributor to this module” isn’t quite :) The hardened profile isn’t in an ideal state and needs a lot of work. I do think we should have a good hardened profile, and I’d like to work on that, but I perennially have higher‐priority tasks that mean I haven’t touched it in years. Some of the settings it adjusts can actually make security worse; e.g. turning off security.unprivilegedUsernsClone is inadvisable on a normal desktop system, as it interferes with browser sandboxing. It may be worth considering how much you benefit from the profile.

page_poison=1 has come up before, in https://github.com/NixOS/nixpkgs/issues/90704, as a suboptimal option to be setting in conjunction with the hardened kernel we use. Perhaps it would be worth trying to address that in the hopes that it may accidentally fix this issue. Failing that, did this work for you previously and then break? If so, I suspect that it will probably take a git bisect over Nixpkgs (remember to use --first-parent) to find out why.
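The following is an added example of how a user can apply the advice in this thread; it is not code from nixpkgs, from the hardened profile, or from either commenter. Instead of importing `nixos/modules/profiles/hardened.nix` wholesale, it sets a subset of hardening options explicitly, so that each one can be dropped on its own while bisecting a boot failure. It leaves out `page_poison=1` and keeps `security.unprivilegedUsernsClone` at its default of `true`. Which options the profile sets at the linked commit is an assumption here; compare against `hardened.nix` in your own nixpkgs revision before relying on it.

```nix
# Added example, not part of nixpkgs or the hardened profile.
# A configuration.nix fragment that applies hardening settings one by one
# instead of importing the whole hardened profile, so a boot failure can be
# attributed to a single option.
{ config, lib, pkgs, ... }:

{
  # Deliberately NOT in `imports`:
  #   <nixpkgs/nixos/modules/profiles/hardened.nix>
  # The settings below are chosen individually instead.

  # Same kernel the profile uses; all other choices are independent of it.
  boot.kernelPackages = pkgs.linuxPackages_hardened;

  # Kernel command line. page_poison=1 is intentionally absent: it is the
  # parameter this thread suspects of breaking boot. The remaining values
  # are standard upstream kernel parameters (assumed to match what the
  # profile sets; verify against your revision of hardened.nix).
  boot.kernelParams = [
    "slab_nomerge"
    "init_on_alloc=1"
    "init_on_free=1"
    "page_alloc.shuffle=1"
    "vsyscall=none"
    "debugfs=off"
  ];

  # Keep unprivileged user namespaces enabled (the NixOS default).
  # Turning them off breaks the sandboxes of Chromium and Firefox.
  security.unprivilegedUsernsClone = true;

  # Options that rarely affect early boot and can stay on while bisecting.
  security.protectKernelImage = true;      # disallows kexec and hibernation
  security.forcePageTableIsolation = true; # forces PTI (Meltdown mitigation)

  # Only enable this once every module your hardware needs loads at boot;
  # otherwise late-loading drivers (e.g. for docking stations) will fail.
  security.lockKernelModules = false;

  boot.kernel.sysctl = {
    "kernel.kptr_restrict" = 2;             # hide kernel pointers from everyone
    "kernel.dmesg_restrict" = 1;            # dmesg requires CAP_SYSLOG
    "kernel.unprivileged_bpf_disabled" = 1; # no BPF from unprivileged users
    "net.core.bpf_jit_harden" = 2;          # constant blinding for all BPF JIT users
  };
}
```

After `nixos-rebuild boot` and a reboot into the new generation, `cat /proc/cmdline` confirms which parameters actually reached the kernel, and `cat /proc/sys/user/max_user_namespaces` being non-zero confirms user namespaces are still available to the browser sandbox. To narrow a regression down to a nixpkgs commit, `git bisect start --first-parent good bad` (Git 2.29 or newer) walks only the merge commits on the channel branch, which is what the "remember to use --first-parent" advice above refers to.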

Mikilio commented 2 weeks ago

Totally understandable. I just wanted this to be seen by someone with more voice than me. I have actually adjusted this module for use with a laptop and a specified threat model after doing some thorough reading on kernel hardening. Likewise, I'm willing to share it, but I'd need some names to ping when I do, as it otherwise may never be viewed. NixOS members are an awfully busy bunch.