nix-community / lanzaboote

Secure Boot for NixOS [maintainers=@blitz @raitobezarius @nikstur]
GNU General Public License v3.0
840 stars 46 forks

/boot/EFI/memtest86/memtest.efi is not signed #273

Open Kreyren opened 8 months ago

Kreyren commented 8 months ago

Is there a way to make it sign the memtest binary set up through boot.loader.systemd-boot.memtest86.enable?

nikstur commented 8 months ago

We would need to implement this in Lanzaboote. There currently is no out of the box way to do it.

Kreyren commented 8 months ago

We would need to implement this in Lanzaboote. There currently is no out of the box way to do it. -- @nikstur (https://github.com/nix-community/lanzaboote/issues/273#issuecomment-1870033281)

https://github.com/nix-community/lanzaboote/blob/f707a9be9f061c86a3e5cc163603dd59b5ee07aa/rust/tool/systemd/src/install.rs#L377

# Blind code, untested, meant to show the intention only
if let Some(specialisation_name) = &generation.specialisation_name {
    Ok(PathBuf::from(format!(
        "nixos-generation-{}-specialisation-{}-{}.efi",
        generation, specialisation_name, stub_input_hash
    )))
+ } else if let Some(specialisation_name) = "memtest.efi" {
+     Ok(PathBuf::from("memtest.efi"))
} else {
    Ok(PathBuf::from(format!(
        "nixos-generation-{}-{}.efi",
        generation, stub_input_hash
    )))
}
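Review bot: the added `else if` branch cannot compile and does not perform any check: `if let Some(specialisation_name) = "memtest.efi"` matches an `Option` pattern against a `&str` literal, so it fails type-checking, and even written as a comparison nothing in this function looks at which file is being installed, so the condition has no input that could make it true for memtest and false for a generation. This function only chooses an output file name; signing memtest needs a separate code path that takes the memtest binary as its input and signs it into the ESP, not a third arm in this `if`/`else`.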

Is it this easy, or does it need additional changes somewhere else? It would probably be better to add some kind of management in Nix to make the NixOS configuration more manageable, as not everyone might want to sign memtest.

RaitoBezarius commented 8 months ago

It would require more than that.

kuflierl commented 1 month ago

@Kreyren wouldn't your change sign any binary named memtest.efi without checking its contents? Wouldn't that potentially also sign a malicious binary if it was replaced prior?

MithicSpirit commented 1 month ago

Yeah, maybe it should compare the file's checksum with that from the nix store, or maybe even use a hardcoded checksum.