nix-community / lanzaboote

Secure Boot for NixOS [maintainers=@blitz @raitobezarius @nikstur]
GNU General Public License v3.0

/boot/EFI/memtest86/memtest.efi is not signed #273

Open Kreyren opened 10 months ago

Kreyren commented 10 months ago


Is there a way to make it sign the memtest binary set up through boot.loader.systemd-boot.memtest86.enable?

nikstur commented 10 months ago

We would need to implement this in Lanzaboote. There currently is no out of the box way to do it.

Kreyren commented 10 months ago

We would need to implement this in Lanzaboote. There currently is no out of the box way to do it. -- @nikstur (https://github.com/nix-community/lanzaboote/issues/273#issuecomment-1870033281)

https://github.com/nix-community/lanzaboote/blob/f707a9be9f061c86a3e5cc163603dd59b5ee07aa/rust/tool/systemd/src/install.rs#L377

# Blind code, untested, meant to show the intention only
if let Some(specialisation_name) = &generation.specialisation_name {
    Ok(PathBuf::from(format!(
        "nixos-generation-{}-specialisation-{}-{}.efi",
        generation, specialisation_name, stub_input_hash
    )))
+ } else if let Some(specialisation_name) = "memtest.efi" {
+     Ok(PathBuf::from("memtest.efi"))
} else {
    Ok(PathBuf::from(format!(
        "nixos-generation-{}-{}.efi",
        generation, stub_input_hash
    )))
}
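Review bot: the added `else if let Some(specialisation_name) = "memtest.efi"` branch does not compile as Rust: a `Some(..)` pattern cannot be matched against a `&str`, and the new `specialisation_name` binding shadows the one from the first branch without being used. The condition has to come from the generation itself (for example some record that memtest86 was enabled for it) rather than from a string literal. As written the branch also returns a fixed `memtest.efi` path with nothing in this hunk checking what is actually at that path, so any file carrying that name would be selected; the name alone is not a safe selection criterion.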

Is it this easy, or does it need additional changes somewhere else? It would probably be better to add some kind of management in Nix to make the NixOS configuration more manageable, as not everyone might want to sign the memtest.

RaitoBezarius commented 10 months ago

It would require more than that.

kuflierl commented 3 months ago

@Kreyren wouldn't your change sign any binary named memtest.efi without checking its contents? Wouldn't that potentially also sign a malicious binary if it was replaced prior?

MithicSpirit commented 3 months ago

Yeah, maybe it should compare the file's checksum with that from the nix store, or maybe even use a hardcoded checksum.