From c6b59d0e346e2197f1a1d910f104263d946a7a3f Mon Sep 17 00:00:00 2001 From: Aly Raffauf Date: Sat, 24 Aug 2024 15:25:41 -0400 Subject: [PATCH] hosts: enable secureboot and tpm luks unlocking (#99) * flake: add secureboot * petalburg: enable lanzaboote * lavaridge: enable lanzaboote * flake: auto import lanzaboote * mauville: enable secureboot and auto luks unlocking * lavaridge,petalburg: disable autologin * README.md: add lanzaboote * hosts/README.md: add secure boot setup docs --- README.md | 6 +- flake.lock | 211 +++++++++++++++++++++++++++++++++++- flake.nix | 6 + hosts/README.md | 53 +++++++++ hosts/lavaridge/default.nix | 14 ++- hosts/mauville/default.nix | 23 +--- hosts/petalburg/default.nix | 15 ++- 7 files changed, 295 insertions(+), 33 deletions(-) diff --git a/README.md b/README.md index dd864590..a03bdf86 100644 --- a/README.md +++ b/README.md @@ -9,9 +9,8 @@ My comprehensive NixOS flake for managing my laptop, desktop, and home lab envir - **Hyprland:** Dynamic tiling Wayland compositor and window manager. - **Stylix:** Auto-gnerated base16 themes for the whole desktop. -- **Home Lab Services:** Media, file sharing, and more. -- **Reverse Proxy:** Efficient traffic routing for my home lab services. -- **Modular Configuration:** Reasonably adaptable for different hardware and use cases. +- **Encryption:** Encrypted boot drives with Secure Boot and LUKS with TPM decryption. +- **Home Lab:** Media, file sharing, and more with a efficnet routing via reverse proxy. ## Inputs @@ -27,6 +26,7 @@ As well as upstream third-party projects that I use for various tasks: - [home-manager](https://github.com/nix-community/home-manager): declarative dotfile and user package management. - [hyprland](https://github.com/hyprwm/Hyprland): great dynamic tiling wayland compositor. - [iio-hyprland](https://github.com/JeanSchoeller/iio-hyprland): autorotate daemon for Hyprland. +- [lanzaboote](https://github.com/nix-community/lanzaboote): ssecure boot for NixOS. - [nur](https://github.com/nix-community/NUR): extra packages from the nix user repository. - [stylix](https://github.com/danth/stylix): system-wide colorscheming and typography. - [sway](https://github.com/swaywm/sway): fantastic, rock-solid tiling compositor for wayland. diff --git a/flake.lock b/flake.lock index 1de14711..6a80b94d 100644 --- a/flake.lock +++ b/flake.lock @@ -137,6 +137,27 @@ "type": "github" } }, + "crane": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717535930, + "narHash": "sha256-1hZ/txnbd/RmiBPNUs7i8UQw2N89uAK3UzrGAWdnFfU=", + "owner": "ipetkov", + "repo": "crane", + "rev": "55e7754ec31dac78980c8be45f8a28e80e370946", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, "darwin": { "inputs": { "nixpkgs": [ @@ -180,6 +201,22 @@ } }, "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { "flake": false, "locked": { "lastModified": 1673956053, @@ -195,6 +232,45 @@ "type": "github" } }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717285511, + "narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "fromYaml": { "flake": false, "locked": { @@ -211,6 +287,28 @@ "type": "github" } }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "lanzaboote", + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "gnome-shell": { "flake": false, "locked": { @@ -312,6 +410,33 @@ "type": "github" } }, + "lanzaboote": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "flake-utils": "flake-utils", + "nixpkgs": [ + "nixpkgs" + ], + "pre-commit-hooks-nix": "pre-commit-hooks-nix", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1718178907, + "narHash": "sha256-eSZyrQ9uoPB9iPQ8Y5H7gAmAgAvCw3InStmU3oEjqsE=", + "owner": "nix-community", + "repo": "lanzaboote", + "rev": "b627ccd97d0159214cee5c7db1412b75e4be6086", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v0.4.1", + "repo": "lanzaboote", + "type": "github" + } + }, "nixhw": { "inputs": { "nixpkgs": [ @@ -348,6 +473,22 @@ "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1710695816, + "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "614b4613980a522ba49f0d194531beddbb7220d3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-unstable": { "locked": { "lastModified": 1723637854, @@ -379,6 +520,33 @@ "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": [ + "lanzaboote", + "flake-compat" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1717664902, + "narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "raffauflabs": { "inputs": { "nixpkgs": [ @@ -405,6 +573,7 @@ "disko": "disko", "home-manager": "home-manager_2", "iio-hyprland": "iio-hyprland", + "lanzaboote": "lanzaboote", "nixhw": "nixhw", "nixpkgs": "nixpkgs", "nixpkgs-unstable": "nixpkgs-unstable", @@ -413,6 +582,31 @@ "stylix": "stylix" } }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "lanzaboote", + "flake-utils" + ], + "nixpkgs": [ + "lanzaboote", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717813066, + "narHash": "sha256-wqbRwq3i7g5EHIui0bIi84mdqZ/It1AXBSLJ5tafD28=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "6dc3e45fe4aee36efeed24d64fc68b1f989d5465", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "stylix": { "inputs": { "base16": "base16", @@ -422,7 +616,7 @@ "base16-kitty": "base16-kitty", "base16-tmux": "base16-tmux", "base16-vim": "base16-vim", - "flake-compat": "flake-compat", + "flake-compat": "flake-compat_2", "gnome-shell": "gnome-shell", "home-manager": "home-manager_3", "nixpkgs": [ @@ -472,6 +666,21 @@ "repo": "default-linux", "type": "github" } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index b7cbc75a..274a9b92 100644 --- a/flake.nix +++ b/flake.nix @@ -25,6 +25,11 @@ url = "github:JeanSchoeller/iio-hyprland"; }; + lanzaboote = { + url = "github:nix-community/lanzaboote/v0.4.1"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + nixhw = { inputs.nixpkgs.follows = "nixpkgs"; url = "github:alyraffauf/nixhw"; @@ -120,6 +125,7 @@ self.inputs.agenix.nixosModules.default self.inputs.disko.nixosModules.disko self.inputs.home-manager.nixosModules.home-manager + self.inputs.lanzaboote.nixosModules.lanzaboote self.inputs.stylix.nixosModules.stylix self.nixosModules.nixos self.nixosModules.users diff --git a/hosts/README.md b/hosts/README.md index 9378ab10..0ffc6087 100644 --- a/hosts/README.md +++ b/hosts/README.md @@ -43,3 +43,56 @@ In short, 1. Add the new public key to `secrets/secrets.nix`, rekey all secrets with `agenix --rekey`, and push your changes to master. 1. Rebuild the new system from git. Secrets will be automatically decrypted and immediately available in `/run/agenix/` for NixOS and `$XDG_RUNTIME_DIR/agenix/` for users. 1. (OPTIONAL) Generate a new user SSH key and add it to `nixosModules/users/default.nix` in order to enable passwordless logins to other hosts. + +## Secure Boot + +1. Generate secure boot keys: + + ```bash + sudo nix run nixpkgs#sbctl create-keys + ``` + +1. Enable lanzaboote in NixOS host configuration: + + ```nix + boot = { + initrd.systemd.enable = true; # For automatic decryption with TPM. + loader.systemd-boot.enable = lib.mkForce false; # Interferes with lanzaboote and must be force-disabled. + + lanzaboote = { + enable = true; + pkiBundle = "/etc/secureboot"; + }; + }; + ``` + +1. In UEFI, set secure boot to "setup mode" or erase platform keys. + +1. Enroll your secure boot keys: + + ```bash + sudo nix run nixpkgs#sbctl -- enroll-keys --microsoft + ``` + +1. Reboot, make sure secure boot is enabled in UEFI. + +1. Check secure boot status with `bootctl status`: + + ```bash + System: + Firmware: UEFI 2.70 (American Megatrends 5.17) + Firmware Arch: x64 + Secure Boot: enabled (user) + TPM2 Support: yes + Measured UKI: yes + Boot into FW: supported + ``` + +1. If your root drive is encrypted with LUKS, you can have the TPM automatically decrypt it on boot: + + ```bash + sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+7+12 --wipe-slot=tpm2 /dev/nvme0n1p2 + ``` + + Replace `/dev/nvme0n1p2` with your root partition. + Check the [Linux TPM PCR Registry](https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/) for more details. diff --git a/hosts/lavaridge/default.nix b/hosts/lavaridge/default.nix index 4e28e1ce..f268c98c 100644 --- a/hosts/lavaridge/default.nix +++ b/hosts/lavaridge/default.nix @@ -24,11 +24,17 @@ ]; boot = { + initrd.systemd.enable = true; kernelPackages = lib.mkForce pkgs.linuxPackages_6_9; + lanzaboote = { + enable = true; + pkiBundle = "/etc/secureboot"; + }; + loader = { efi.canTouchEfiVariables = true; - systemd-boot.enable = true; + systemd-boot.enable = lib.mkForce false; }; }; @@ -45,11 +51,7 @@ }; desktop = { - greetd = { - enable = true; - autologin = "aly"; - }; - + greetd.enable = true; hyprland.enable = true; sway.enable = true; }; diff --git a/hosts/mauville/default.nix b/hosts/mauville/default.nix index 3a342873..15bc1458 100644 --- a/hosts/mauville/default.nix +++ b/hosts/mauville/default.nix @@ -33,28 +33,17 @@ in { boot = { initrd = { availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" "r8169"]; + systemd.enable = true; + }; - network = { - enable = true; - flushBeforeStage2 = true; - - ssh = { - enable = true; - hostKeys = [/etc/secrets/initrd/ssh_host_ed25519_key]; - }; - - udhcpc.enable = true; - - postCommands = '' - # Automatically ask for the password on SSH login - echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile - ''; - }; + lanzaboote = { + enable = true; + pkiBundle = "/etc/secureboot"; }; loader = { efi.canTouchEfiVariables = true; - systemd-boot.enable = true; + systemd-boot.enable = lib.mkForce false; }; }; diff --git a/hosts/petalburg/default.nix b/hosts/petalburg/default.nix index 91a65d21..f18742aa 100644 --- a/hosts/petalburg/default.nix +++ b/hosts/petalburg/default.nix @@ -1,6 +1,7 @@ # Lenovo Yoga 9i Convertible with Intel Core i7-1360P, 16GB RAM, 512GB SSD. { config, + lib, self, ... }: { @@ -22,11 +23,17 @@ ]; boot = { + initrd.systemd.enable = true; extraModulePackages = with config.boot.kernelPackages; [acpi_call]; + lanzaboote = { + enable = true; + pkiBundle = "/etc/secureboot"; + }; + loader = { efi.canTouchEfiVariables = true; - systemd-boot.enable = true; + systemd-boot.enable = lib.mkForce false; }; }; @@ -65,11 +72,7 @@ }; desktop = { - greetd = { - enable = true; - autologin = "aly"; - }; - + greetd.enable = true; hyprland.enable = true; sway.enable = true; };