nix-community / lanzaboote

Secure Boot for NixOS [maintainers=@blitz @raitobezarius @nikstur]
GNU General Public License v3.0
933 stars, 44 forks

Impermanence with lanzaboote compatibility issues #404

Open eqfae opened 3 weeks ago

eqfae commented 3 weeks ago
#     lanzaboote = {
#       url = "github:nix-community/lanzaboote/v0.4.1";
#       inputs.nixpkgs.follows = "nixpkgs";
#     };
  # TODO: home for root and normal users also needs this; mainly .cache should be mounted on tmpfs, it takes up the most space
# https://github.com/nix-community/impermanence
  environment.persistence."/persist" = {
    enable = true; # NB: Defaults to true, not needed
    hideMounts = true;
    directories = [
      # "/var/log"
      "/var/lib/bluetooth"
      "/var/lib/nixos"
      "/var/lib/systemd/coredump"
      "/etc/NetworkManager/system-connections"
      "/etc/config"
      {
        directory = "/var/lib/colord";
        user = "colord";
        group = "colord";
        mode = "u=rwx,g=rx,o=";
      }
    ];
    files = [
      "/etc/machine-id"
      {
        file = "/var/keys/secret_file";
        parentDirectory = {
          mode = "u=rwx,g=,o=";
        };
      }
    ];

  };

  # end of tmp root

  # Secure Boot
  environment.systemPackages = [
    # For debugging and troubleshooting Secure Boot.
    pkgs.sbctl
  ];

  boot.loader.systemd-boot.enable = lib.mkForce false;

  boot.lanzaboote = {
    enable = true;
    pkiBundle = "/persist/initrd/secureboot"; # TODO: sbctl generates keys under /etc by default
    #  sudo sbctl create-keys -d /persist/initrd/secureboot -e /persist/initrd/secureboot/keys # changed from the basic default settings
  };
  # end of Secure Boot

/etc/machine-id : inside the file is 0538..

warning: the following units failed: systemd-machine-id-commit.service
× systemd-machine-id-commit.service - Save Transient machine-id to Disk
     Loaded: loaded (/etc/systemd/system/systemd-machine-id-commit.service; enabled; preset: ignored)
     Active: failed (Result: exit-code) since Thu 2024-10-31 22:48:08 CST; 316ms ago
 Invocation: a86da6019f9b4f0e9f913aac722b0cce
       Docs: man:systemd-machine-id-commit.service(8)
    Process: 109496 ExecStart=systemd-machine-id-setup --commit (code=exited, status=1/FAILURE)
   Main PID: 109496 (code=exited, status=1/FAILURE)
         IP: 0B in, 0B out
   Mem peak: 1.4M
        CPU: 10ms

Oct 31 22:48:08 112 systemd[1]: Starting Save Transient machine-id to Disk...
Oct 31 22:48:08 112 systemd-machine-id-setup[109496]: /etc/machine-id is not on a temporary file system.
Oct 31 22:48:08 112 systemd[1]: systemd-machine-id-commit.service: Main process exited, code=exited, status=1/FAILURE
Oct 31 22:48:08 112 systemd[1]: systemd-machine-id-commit.service: Failed with result 'exit-code'.
Oct 31 22:48:08 112 systemd[1]: Failed to start Save Transient machine-id to Disk.
warning: error(s) occurred while switching to the new configuration

df /etc/machine-id 
/dev/dm-0      124492800 16842800 105618272   14% /etc/machine-id

cat /persist/etc/machine-id 
0538..

[1]> sbctl -d /persist/initrd/secureboot -e /persist/initrd/secureboot/keys verify
unknown shorthand flag: 'd' in -d
Usage:
  sbctl verify [flags]

Flags:
  -h, --help   help for verify

Global Flags:
      --json    Output as json
      --quiet   Mute info from logging

[1]> sbctl verify
couldn't access /etc/secureboot/keys/db/db.pem: no such file or directory
# Should I use the default path?

What should I do? Is this right?

  1. Unpersist /etc/machine-id
  2. Drop the custom paths, use the defaults, and persist /etc/secureboot. The last piece of the puzzle for full-disk encryption.
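
One way to resolve both questions in the post above, as an added example that is not the poster's configuration and not code from the lanzaboote or impermanence projects. It assumes the persistent volume is mounted at /persist, that /persist/etc/machine-id already contains a valid id (as the `cat` above shows), and lanzaboote v0.4.1, whose default `pkiBundle` is /etc/secureboot. The machine-id is handed to systemd through the NixOS /etc symlink instead of an impermanence bind mount, because the `df` above shows /etc/machine-id sitting on /dev/dm-0, i.e. a bind mount that is a mount point but not tmpfs, which is the exact condition systemd-machine-id-setup --commit rejects.

```nix
# Added example (not the poster's configuration, not lanzaboote or
# impermanence project code). Assumptions: persistent volume at /persist,
# /persist/etc/machine-id already holds a valid id, lanzaboote v0.4.1 with
# its default pkiBundle of /etc/secureboot.
{ config, lib, pkgs, ... }:

{
  # /persist must be mounted in the initrd so the machine-id link below
  # resolves before systemd (PID 1) starts in stage 2.
  fileSystems."/persist".neededForBoot = true;

  # Do NOT list /etc/machine-id under `files`: impermanence would bind-mount
  # it after systemd has already booted with a transient id, leaving a mount
  # point that is not tmpfs. systemd-machine-id-commit.service then runs
  # (its condition is "is a mount point") and fails with
  # "/etc/machine-id is not on a temporary file system".
  # Link it through the NixOS /etc machinery instead: the link exists at
  # activation time, before PID 1 reads it, so no transient id is created
  # and the commit service is skipped.
  environment.etc."machine-id".source = "/persist/etc/machine-id";

  environment.persistence."/persist" = {
    hideMounts = true;
    directories = [
      "/var/lib/nixos"
      # Keep sbctl's key store at its default location. `sbctl verify`
      # accepts no -d/-e flags (see the usage output above), so a custom key
      # directory breaks it, while lanzaboote's default pkiBundle already
      # points here. Create the keys once with `sudo sbctl create-keys`;
      # lanzaboote reads keys/db/db.key and keys/db/db.pem under this path.
      { directory = "/etc/secureboot"; mode = "u=rwx,g=,o="; }
    ];
  };

  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.lanzaboote = {
    enable = true;
    # Same as the v0.4.1 default, stated explicitly so it visibly matches the
    # persisted directory above. Newer sbctl releases default to
    # /var/lib/sbctl; if `sbctl create-keys` wrote there, persist that
    # directory and point pkiBundle at it instead.
    pkiBundle = "/etc/secureboot";
  };

  # For debugging and troubleshooting Secure Boot.
  environment.systemPackages = [ pkgs.sbctl ];
}
```

After switching, `systemctl status systemd-machine-id-commit.service` should report the unit as inactive with its condition unmet rather than failed, `cat /etc/machine-id` should still print the persisted 0538.. id across reboots, and `sbctl verify` run without flags should find /etc/secureboot/keys/db/db.pem.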
eqfae commented 3 weeks ago
~# bootctl status
System:
      Firmware: UEFI 2.70 (American Megatrends 5.17)
 Firmware Arch: x64
   Secure Boot: enabled (user)
  TPM2 Support: yes
  Measured UKI: yes
  Boot into FW: supported

Current Boot Loader:
      Product: systemd-boot 256.6
     Features: ✓ Boot counting
               ✓ Menu timeout control
               ✓ One-shot menu timeout control
               ✓ Default entry control
               ✓ One-shot entry control
               ✓ Support for XBOOTLDR partition
               ✓ Support for passing random seed to OS
               ✓ Load drop-in drivers
               ✓ Support Type #1 sort-key field
               ✓ Support @saved pseudo-entry
               ✓ Support Type #1 devicetree field
               ✓ Enroll SecureBoot keys
               ✓ Retain SHIM protocols
               ✓ Menu can be disabled
               ✓ Boot loader sets ESP information
         Stub: lanzastub 0.4.1
     Features: ✓ Stub sets ESP information
               ✗ Picks up credentials from boot partition
               ✗ Picks up system extension images from boot partition
               ✗ Picks up configuration extension images from boot partition
               ✗ Measures kernel+command line+sysexts
               ✗ Support for passing random seed to OS
               ✗ Pick up .cmdline from addons
               ✗ Pick up .cmdline from SMBIOS Type 11
               ✗ Pick up .dtb from addons
          ESP: /dev/disk/by-partuuid/11cc905a-90eb-452d-8b85-e66302b2f4ba
         File: └─/EFI/SYSTEMD/SYSTEMD-BOOTX64.EFI

Random Seed:
 System Token: set
       Exists: yes

Available Boot Loaders on ESP:
          ESP: /boot (/dev/disk/by-partuuid/11cc905a-90eb-452d-8b85-e66302b2f4ba)
         File: ├─/EFI/systemd/systemd-bootx64.efi (systemd-boot 256.6)
               └─/EFI/BOOT/BOOTX64.EFI (systemd-boot 256.6)

Boot Loaders Listed in EFI Variables:
        Title: Linux Boot Manager
           ID: 0x0006
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/11cc905a-90eb-452d-8b85-e66302b2f4ba
         File: └─/EFI/SYSTEMD/SYSTEMD-BOOTX64.EFI

        Title: UEFI OS
           ID: 0x000E
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/11cc905a-90eb-452d-8b85-e66302b2f4ba
         File: └─/EFI/BOOT/BOOTX64.EFI

        Title: Windows Boot Manager
           ID: 0x0000
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/e56a777b-a174-433c-9ac3-6fcbf60c30cb
         File: └─/EFI/MICROSOFT/BOOT/BOOTMGFW.EFI

Boot Loader Entries:
        $BOOT: /boot (/dev/disk/by-partuuid/11cc905a-90eb-452d-8b85-e66302b2f4ba)
        token: nixos

Default Boot Loader Entry:
         type: Boot Loader Specification Type #2 (.efi)
        title: NixOS Vicuna 24.11.20241029.807e915 (Linux 6.11.4-cachyos) (Generation 49, 2024-11-01)
           id: nixos-generation-49-wf7to3yx2dd6wmj752cwasxstdyy4fhwmznupawiwpbxryhtdplq.efi
       source: /boot//EFI/Linux/nixos-generation-49-wf7to3yx2dd6wmj752cwasxstdyy4fhwmznupawiwpbxryhtdplq.efi
     sort-key: lanza
      version: Generation 49, 2024-11-01
        linux: /boot//EFI/Linux/nixos-generation-49-wf7to3yx2dd6wmj752cwasxstdyy4fhwmznupawiwpbxryhtdplq.efi
      options: init=/nix/store/p6p1s8p8nklyf4f1h9k4hcrbmaqspxpp-nixos-system-112-24.11.20241029.807e915/init mitigations=off loglevel=4 ip=dhcp loglevel=4

warning: the following units failed: systemd-machine-id-commit.service
× systemd-machine-id-commit.service - Save Transient machine-id to Disk
     Loaded: loaded (/etc/systemd/system/systemd-machine-id-commit.service; enabled; preset: ignored)
     Active: failed (Result: exit-code) since Fri 2024-11-01 17:37:30 CST; 304ms ago
 Invocation: 16a68117e9a843648fc730e53099a4bb
       Docs: man:systemd-machine-id-commit.service(8)
    Process: 5154 ExecStart=systemd-machine-id-setup --commit (code=exited, status=1/FAILURE)
   Main PID: 5154 (code=exited, status=1/FAILURE)
         IP: 0B in, 0B out
   Mem peak: 1.4M
        CPU: 8ms

Nov 01 17:37:30 112 systemd[1]: Starting Save Transient machine-id to Disk...
Nov 01 17:37:30 112 systemd-machine-id-setup[5154]: /etc/machine-id is not on a temporary file system.
Nov 01 17:37:30 112 systemd[1]: systemd-machine-id-commit.service: Main process exited, code=exited, status=1/FAILURE
Nov 01 17:37:30 112 systemd[1]: systemd-machine-id-commit.service: Failed with result 'exit-code'.
Nov 01 17:37:30 112 systemd[1]: Failed to start Save Transient machine-id to Disk.
warning: error(s) occurred while switching to the new configuration

Did it work? If so, what about this warning?

  1. Unpersist /etc/machine-id (if it is not persisted, it seems to change on every boot?)
  2. Drop the custom paths and use the defaults, persisting /etc/secureboot (did this, but it still gives an error).

Previously I used rEFInd for dual boot. Besides entering the BIOS, typing the password and choosing there, what other ways are there?