hosts: enable secureboot and tpm luks unlocking (#99)

* flake: add secureboot

* petalburg: enable lanzaboote

* lavaridge: enable lanzaboote

* flake: auto import lanzaboote

* mauville: enable secureboot and auto luks unlocking

* lavaridge,petalburg: disable autologin

* README.md: add lanzaboote

* hosts/README.md: add secure boot setup docs
This commit is contained in:
Aly Raffauf 2024-08-24 15:25:41 -04:00 committed by GitHub
parent 3fa234270e
commit c6b59d0e34
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 295 additions and 33 deletions

View file

@ -9,9 +9,8 @@ My comprehensive NixOS flake for managing my laptop, desktop, and home lab envir
- **Hyprland:** Dynamic tiling Wayland compositor and window manager. - **Hyprland:** Dynamic tiling Wayland compositor and window manager.
- **Stylix:** Auto-gnerated base16 themes for the whole desktop. - **Stylix:** Auto-gnerated base16 themes for the whole desktop.
- **Home Lab Services:** Media, file sharing, and more. - **Encryption:** Encrypted boot drives with Secure Boot and LUKS with TPM decryption.
- **Reverse Proxy:** Efficient traffic routing for my home lab services. - **Home Lab:** Media, file sharing, and more with a efficnet routing via reverse proxy.
- **Modular Configuration:** Reasonably adaptable for different hardware and use cases.
## Inputs ## Inputs
@ -27,6 +26,7 @@ As well as upstream third-party projects that I use for various tasks:
- [home-manager](https://github.com/nix-community/home-manager): declarative dotfile and user package management. - [home-manager](https://github.com/nix-community/home-manager): declarative dotfile and user package management.
- [hyprland](https://github.com/hyprwm/Hyprland): great dynamic tiling wayland compositor. - [hyprland](https://github.com/hyprwm/Hyprland): great dynamic tiling wayland compositor.
- [iio-hyprland](https://github.com/JeanSchoeller/iio-hyprland): autorotate daemon for Hyprland. - [iio-hyprland](https://github.com/JeanSchoeller/iio-hyprland): autorotate daemon for Hyprland.
- [lanzaboote](https://github.com/nix-community/lanzaboote): ssecure boot for NixOS.
- [nur](https://github.com/nix-community/NUR): extra packages from the nix user repository. - [nur](https://github.com/nix-community/NUR): extra packages from the nix user repository.
- [stylix](https://github.com/danth/stylix): system-wide colorscheming and typography. - [stylix](https://github.com/danth/stylix): system-wide colorscheming and typography.
- [sway](https://github.com/swaywm/sway): fantastic, rock-solid tiling compositor for wayland. - [sway](https://github.com/swaywm/sway): fantastic, rock-solid tiling compositor for wayland.

View file

@ -137,6 +137,27 @@
"type": "github" "type": "github"
} }
}, },
"crane": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1717535930,
"narHash": "sha256-1hZ/txnbd/RmiBPNUs7i8UQw2N89uAK3UzrGAWdnFfU=",
"owner": "ipetkov",
"repo": "crane",
"rev": "55e7754ec31dac78980c8be45f8a28e80e370946",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"darwin": { "darwin": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -180,6 +201,22 @@
} }
}, },
"flake-compat": { "flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1673956053, "lastModified": 1673956053,
@ -195,6 +232,45 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1717285511,
"narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"fromYaml": { "fromYaml": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -211,6 +287,28 @@
"type": "github" "type": "github"
} }
}, },
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gnome-shell": { "gnome-shell": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -312,6 +410,33 @@
"type": "github" "type": "github"
} }
}, },
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1718178907,
"narHash": "sha256-eSZyrQ9uoPB9iPQ8Y5H7gAmAgAvCw3InStmU3oEjqsE=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "b627ccd97d0159214cee5c7db1412b75e4be6086",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v0.4.1",
"repo": "lanzaboote",
"type": "github"
}
},
"nixhw": { "nixhw": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -348,6 +473,22 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable": {
"locked": {
"lastModified": 1710695816,
"narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "614b4613980a522ba49f0d194531beddbb7220d3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1723637854, "lastModified": 1723637854,
@ -379,6 +520,33 @@
"type": "github" "type": "github"
} }
}, },
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1717664902,
"narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"raffauflabs": { "raffauflabs": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -405,6 +573,7 @@
"disko": "disko", "disko": "disko",
"home-manager": "home-manager_2", "home-manager": "home-manager_2",
"iio-hyprland": "iio-hyprland", "iio-hyprland": "iio-hyprland",
"lanzaboote": "lanzaboote",
"nixhw": "nixhw", "nixhw": "nixhw",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
@ -413,6 +582,31 @@
"stylix": "stylix" "stylix": "stylix"
} }
}, },
"rust-overlay": {
"inputs": {
"flake-utils": [
"lanzaboote",
"flake-utils"
],
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1717813066,
"narHash": "sha256-wqbRwq3i7g5EHIui0bIi84mdqZ/It1AXBSLJ5tafD28=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "6dc3e45fe4aee36efeed24d64fc68b1f989d5465",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"stylix": { "stylix": {
"inputs": { "inputs": {
"base16": "base16", "base16": "base16",
@ -422,7 +616,7 @@
"base16-kitty": "base16-kitty", "base16-kitty": "base16-kitty",
"base16-tmux": "base16-tmux", "base16-tmux": "base16-tmux",
"base16-vim": "base16-vim", "base16-vim": "base16-vim",
"flake-compat": "flake-compat", "flake-compat": "flake-compat_2",
"gnome-shell": "gnome-shell", "gnome-shell": "gnome-shell",
"home-manager": "home-manager_3", "home-manager": "home-manager_3",
"nixpkgs": [ "nixpkgs": [
@ -472,6 +666,21 @@
"repo": "default-linux", "repo": "default-linux",
"type": "github" "type": "github"
} }
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

View file

@ -25,6 +25,11 @@
url = "github:JeanSchoeller/iio-hyprland"; url = "github:JeanSchoeller/iio-hyprland";
}; };
lanzaboote = {
url = "github:nix-community/lanzaboote/v0.4.1";
inputs.nixpkgs.follows = "nixpkgs";
};
nixhw = { nixhw = {
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
url = "github:alyraffauf/nixhw"; url = "github:alyraffauf/nixhw";
@ -120,6 +125,7 @@
self.inputs.agenix.nixosModules.default self.inputs.agenix.nixosModules.default
self.inputs.disko.nixosModules.disko self.inputs.disko.nixosModules.disko
self.inputs.home-manager.nixosModules.home-manager self.inputs.home-manager.nixosModules.home-manager
self.inputs.lanzaboote.nixosModules.lanzaboote
self.inputs.stylix.nixosModules.stylix self.inputs.stylix.nixosModules.stylix
self.nixosModules.nixos self.nixosModules.nixos
self.nixosModules.users self.nixosModules.users

View file

@ -43,3 +43,56 @@ In short,
1. Add the new public key to `secrets/secrets.nix`, rekey all secrets with `agenix --rekey`, and push your changes to master. 1. Add the new public key to `secrets/secrets.nix`, rekey all secrets with `agenix --rekey`, and push your changes to master.
1. Rebuild the new system from git. Secrets will be automatically decrypted and immediately available in `/run/agenix/` for NixOS and `$XDG_RUNTIME_DIR/agenix/` for users. 1. Rebuild the new system from git. Secrets will be automatically decrypted and immediately available in `/run/agenix/` for NixOS and `$XDG_RUNTIME_DIR/agenix/` for users.
1. (OPTIONAL) Generate a new user SSH key and add it to `nixosModules/users/default.nix` in order to enable passwordless logins to other hosts. 1. (OPTIONAL) Generate a new user SSH key and add it to `nixosModules/users/default.nix` in order to enable passwordless logins to other hosts.
## Secure Boot
1. Generate secure boot keys:
```bash
sudo nix run nixpkgs#sbctl create-keys
```
1. Enable lanzaboote in NixOS host configuration:
```nix
boot = {
initrd.systemd.enable = true; # For automatic decryption with TPM.
loader.systemd-boot.enable = lib.mkForce false; # Interferes with lanzaboote and must be force-disabled.
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
};
```
1. In UEFI, set secure boot to "setup mode" or erase platform keys.
1. Enroll your secure boot keys:
```bash
sudo nix run nixpkgs#sbctl -- enroll-keys --microsoft
```
1. Reboot, make sure secure boot is enabled in UEFI.
1. Check secure boot status with `bootctl status`:
```bash
System:
Firmware: UEFI 2.70 (American Megatrends 5.17)
Firmware Arch: x64
Secure Boot: enabled (user)
TPM2 Support: yes
Measured UKI: yes
Boot into FW: supported
```
1. If your root drive is encrypted with LUKS, you can have the TPM automatically decrypt it on boot:
```bash
sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+7+12 --wipe-slot=tpm2 /dev/nvme0n1p2
```
Replace `/dev/nvme0n1p2` with your root partition.
Check the [Linux TPM PCR Registry](https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/) for more details.

View file

@ -24,11 +24,17 @@
]; ];
boot = { boot = {
initrd.systemd.enable = true;
kernelPackages = lib.mkForce pkgs.linuxPackages_6_9; kernelPackages = lib.mkForce pkgs.linuxPackages_6_9;
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
loader = { loader = {
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
systemd-boot.enable = true; systemd-boot.enable = lib.mkForce false;
}; };
}; };
@ -45,11 +51,7 @@
}; };
desktop = { desktop = {
greetd = { greetd.enable = true;
enable = true;
autologin = "aly";
};
hyprland.enable = true; hyprland.enable = true;
sway.enable = true; sway.enable = true;
}; };

View file

@ -33,28 +33,17 @@ in {
boot = { boot = {
initrd = { initrd = {
availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" "r8169"]; availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" "r8169"];
systemd.enable = true;
network = {
enable = true;
flushBeforeStage2 = true;
ssh = {
enable = true;
hostKeys = [/etc/secrets/initrd/ssh_host_ed25519_key];
}; };
udhcpc.enable = true; lanzaboote = {
enable = true;
postCommands = '' pkiBundle = "/etc/secureboot";
# Automatically ask for the password on SSH login
echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile
'';
};
}; };
loader = { loader = {
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
systemd-boot.enable = true; systemd-boot.enable = lib.mkForce false;
}; };
}; };

View file

@ -1,6 +1,7 @@
# Lenovo Yoga 9i Convertible with Intel Core i7-1360P, 16GB RAM, 512GB SSD. # Lenovo Yoga 9i Convertible with Intel Core i7-1360P, 16GB RAM, 512GB SSD.
{ {
config, config,
lib,
self, self,
... ...
}: { }: {
@ -22,11 +23,17 @@
]; ];
boot = { boot = {
initrd.systemd.enable = true;
extraModulePackages = with config.boot.kernelPackages; [acpi_call]; extraModulePackages = with config.boot.kernelPackages; [acpi_call];
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
};
loader = { loader = {
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
systemd-boot.enable = true; systemd-boot.enable = lib.mkForce false;
}; };
}; };
@ -65,11 +72,7 @@
}; };
desktop = { desktop = {
greetd = { greetd.enable = true;
enable = true;
autologin = "aly";
};
hyprland.enable = true; hyprland.enable = true;
sway.enable = true; sway.enable = true;
}; };