grub support [ready for review, not for merge] #96
Conversation
|
grub now boots! Although lanzaboote panics |
|
I disabled the systemd version check during the rebasing as we need some way to infer whether a binary is systemd and that it did not work at all on my system, even with systemd: |
make the tests run with a grub efi binary
Remove the systemd arg as it is redundant with efi_boot. The version check is currently commented out as it cannot work in all situations, we need to figure out something for this!
|
Not ready to be merged, but marking it as ready for review so that people can look at this PR and discuss it. The main sticking points so far are:
|
GovanifY
changed the title
|
I added a patchset implementing I can confirm GRUB currently chainloads and correctly verifies the binary sent to it through the standard LoadImage and StartImage functions of the spec, as seen below: The whole chain seems to be secure on my end, just need to investigate the boot services now. |
GRUB does not implement Simple Filesystem it seems like: https://savannah.gnu.org/bugs/?51570 |
|
I've converted it to a draft to prevent merging it for now. |
|
@GovanifY I'll look into this in the coming days! |
s/prePatch/postPatch and add grub_uki to nativeBuildInputs
| variant = mkOption { | ||
| type = types.str; | ||
| default = "${pkgs.systemd}/lib/systemd/boot/efi/systemd-bootx64.efi"; | ||
| description = "Bootloader variant to use with lanzaboot"; |
There was a problem hiding this comment.
Couldn't resist:
| description = "Bootloader variant to use with lanzaboot"; | |
| description = "Bootloader variant to use with lanzaboote"; |
| ${optionalString cfg.enrollKeys '' | ||
| mkdir -p /tmp/pki | ||
| cp -r ${cfg.pkiBundle}/* /tmp/pki | ||
| ${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine | ||
| ''} |
There was a problem hiding this comment.
@RaitoBezarius We should really get rid of this functionality. It's an easy way to get to the keys on a multiuser system.
| patches = [ ]; | ||
| src = fetchFromGitHub { | ||
| owner = "GovanifY"; | ||
| repo = "grub"; | ||
| rev = "master"; | ||
| sha256 = "sha256-2XhZdRCK73QJ5QIeTdqXVFinzXq36pJ/6EwnluY5rnA="; | ||
| }; |
There was a problem hiding this comment.
What changes does your Grub fork have? Do you have an idea about how these could be upstreamed?
There was a problem hiding this comment.
The fork is currently not necessary per se, this was more of an experiment. The patch adds some of systemd's boot loader interface, but are really unneeded, I'll probably remove it. The more pressing concern is that GRUB does not implement SimpleFS which is used in the stub and thus causes it to panic.
Correct me if I'm wrong too but it seems like EmbeddedConfig reads back the binary from the filesystem after it was verified by SB with StartImage? If so this is a TOCTOU in the making as anything that could MITM the filesystem could first return a correctly signed stub which then loads back its config from an edited version after that. If I'm right we need to redesign the stub's way of loading the config, regardless of GRUB, which would also make it boot as a side effect.
| # this is very probably a terrible idea but grub doesn't allow to generate | ||
| # at runtime menus like systemd-boot does, so we will need to wait for | ||
| # lanzaboot to be ready to generate config for both sd-boot and grub. |
There was a problem hiding this comment.
I guess this is one of the bigger items left to be done?
There was a problem hiding this comment.
Well we won't have any runtime menus, no. What can be done though is auto-generation of config a la systemd, but nothing can be done about runtime menus parsing I'm afraid. (We can have menus, but they will need to be generated build-time is what I meant)
| @@ -39,6 +35,10 @@ struct InstallCommand { | |||
| #[arg(long, default_value_t = 1)] | |||
| configuration_limit: usize, | |||
|
|
|||
| /// EFI Bootloader Path (e.g. systemd/lib/systemd/boot/efi/systemd-bootx64.efi) | |||
| #[arg(long)] | |||
| efi_boot_path: PathBuf, | |||
There was a problem hiding this comment.
lzbt would need two different modes, one for systemd-boot and one for grub to generate the right configs.
There was a problem hiding this comment.
Do we want two modes specific for those two boot loaders? If we add support to other things like ext/syslinux later on, wouldn't it make more sense to have a standard interface and then specifics for each bootloaders? E.g. a config generator that could be extended for systemd and grub, an EFI path that would work for any given EFI binary, etc.
| // TODO(GovanifY): The tests currently fail because of an empty .osrel in my machine | ||
| // and can fail if using something else than systemd as an EFI binary, what to do with | ||
| // this? |
There was a problem hiding this comment.
relevant error:
Error: Failed to read systemd-boot version from "/nix/store/9rjdvhq7hnzwwhib8na2gmllsrh671xg-systemd-252.1/lib/systemd/boot/efi/linuxx64.efi.stub".
Caused by:
PE section '.osrel' is empty: "/nix/store/9rjdvhq7hnzwwhib8na2gmllsrh671xg-systemd-252.1/lib/systemd/boot/efi/linuxx64.efi.stub"
|
It seems to me the next steps here are:
@nikstur @RaitoBezarius What do you say? |
Those changes probably won't be required as commented above, sorry about the confusion. See also #96 (comment) for the current main concern |
|
So, to summarize everything: I found a TOCTOU in the config loading routine. Here we load the configuration from the binary using uefi_helpers. Those helpers make use of the SimpleFilesystem EFI API. This configuration contains the hashes of the kernel and initrd. This is a cause for concern as anyone who can MITM the filesystem can then return a different binary that was not verified, as the verification of Secure Boot happens during the Load/StartImage stages, much earlier in the boot stage. We need to switch to an in-memory way of reading the hashes. Now, the second issue is that we use SimpleFs at all, e.g. to load the kernel after the config. Some UEFIs do not have it implemented and currently cause my GRUB tests to fail, but could very well make system-boot fail as well. Fortunately for us, uefi-rs has a function that automatically toggles between SimpleFs, LoadFile2 and Loadfile which we definitely want to use compared to the current method. This is essentially the main concern of this PR. Any thoughts regarding this/possible implementation? |
Per last comment, I think we only need to do the first and address the TOCTOU thing, enable the fallback to LoadFile(2) and we have a prototype support here. |
|
Please reopen when you rebased it on master (we have some CI issues that requires closing any PRs that are not rebased), do not let this prevent you from rebasing + reopening so we can finally merge it. |
Ready for review, see #96 (comment) for current concerns
This is more of an RFC than anything else to discuss of the design decisions of lanzaboote and know where to go from here.The way this PR works is it implements a new CLI option to lanzatool to specify a EFI binary to install, instead of systemd-boot.
It is then specified by the variant option of the nixos module, which is then generated by a new package/derivation, grub-efi-binary, in order to have a static reproducible binary.
Now the two main issues: First, GRUB cannot generate menus at runtime by giving it a folder the way systemd-boot does.
AFAIK you need to generate a config file AOT which does include a list of the current generations. This leads to two issues:
We cannot load an external configuration file separate from the binary that we regenerate without adding a new signature mechanism integrated in GRUB, GPG based and all the like because of SB, and thus:
We need to either modify the UKI for each generation or add an external configuration that is signed or use UKI names that are reproducible, along with a default configuration.
I'm not sure whether that's relevant yet as we do not have a custom configuration possible for systemd-boot but it's definitely something to keep in mind..
Fixed by including the TPM module, this seems to be a bug of 2.06 requiring the TPM verifier in order to call the proper UEFI functions:
Sorry for this wall of text, and thank for reviewing !This closes #29
cc @RaitoBezarius