WIP: in-memory assembling of PEs #1

Draft
raito wants to merge 16 commits from in-memory-assembling into master
No description provided.
Now, it is possible to build any package of the workspace in a fine grained fashion.

We want here to capture the required data to assemble a stub, here is a partial structure
modulo ESP generation paths.

Other pieces of code can consume this structure, validate it before passing it to the PE assembler
and the signer.

We convert everything into owned structures because we cannot really do
deserialization in any context with lifetimes going around, but,
allocations are generally very cheap in this context.

In order to offer more flexible signature mechanisms in lanzaboote,
we need to take a step back and offer a general PE signature trait.

After this, we will be able to plug various different implementations.

Remote signing enables a user to request:

- PE signature of a given store path, which is assumed to be available on the server side
- PE signature of a stub given by its parameters, which are assumed to be analyzable on the server side
  (i.e. computing hashes is possible.)
- Verifying if a PE signature is correct according to PE signatures and Secure Boot policy

It is now possible to use remote signature inside lzbt-systemd.

This is an example server to perform remote signatures
based on stub parameters provided.

Our lanzaboote integration tests are getting more and more sophisticated and ambitious.

Let's extract them into a "lanzalib", so they can be used with multiple backends.

We build lanzasignd now as part of the flake, as additional software we provide.

Introduces the Secure Boot remote signing server for NixOS.

Lanzaboote boot module now supports using a potential remote signer server,
but this support is limited to the lanzaboote bootables and not the fwupd ones.

A simple test harness for remote signatures with lanzasignd.

We didn't test if there *was* a signature; idempotency of removal of signatures (i.e. removing a non-existent signature
is the identity operation) could fool us into believing we had a signed thing, then not signed.
This is relevant for a remote signer who relies on the existence of store paths
remotely, for example.
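The check that commit calls for (the input is signed before removal and unsigned after it) needs a way to tell whether an in-memory PE carries an Authenticode certificate table at all. The following is an added example in Rust, not lanzaboote's or Goblin's code: it reads the PE header fields directly, and `synthetic_pe` builds a constructed bare header for testing rather than a real stub.

```rust
// Added example (not lanzaboote code): detect an Authenticode certificate table in an
// in-memory PE and use it to make a "remove signature" test meaningful.

fn le(b: &[u8], off: usize, n: usize) -> Option<u64> {
    b.get(off..off + n).map(|s| s.iter().rev().fold(0u64, |acc, &x| (acc << 8) | x as u64))
}

/// (file offset, size) of the certificate table (data directory 4), if non-empty.
pub fn certificate_table(pe: &[u8]) -> Option<(u32, u32)> {
    if le(pe, 0, 2)? != 0x5a4d { return None; }                 // "MZ"
    let pe_off = le(pe, 0x3c, 4)? as usize;                     // e_lfanew
    if le(pe, pe_off, 4)? != 0x0000_4550 { return None; }       // "PE\0\0"
    let opt = pe_off + 4 + 20;                                  // optional header after COFF header
    let dirs = match le(pe, opt, 2)? { 0x10b => opt + 96, 0x20b => opt + 112, _ => return None };
    if le(pe, dirs - 4, 4)? < 5 { return None; }                // NumberOfRvaAndSizes
    let (off, size) = (le(pe, dirs + 32, 4)? as u32, le(pe, dirs + 36, 4)? as u32);
    if off == 0 || size == 0 { None } else { Some((off, size)) }
}

pub fn is_signed(pe: &[u8]) -> bool { certificate_table(pe).is_some() }

/// The check the commit describes: a removal test proves nothing unless the
/// input was signed before removal and unsigned after it.
pub fn removal_actually_stripped(before: &[u8], after: &[u8]) -> Result<(), &'static str> {
    if !is_signed(before) { return Err("input was never signed: removal is a no-op"); }
    if is_signed(after) { return Err("certificate table still present after removal"); }
    Ok(())
}

/// Constructed test input: a bare PE32+ header, optionally with a certificate
/// table entry pointing at `cert_size` opaque trailing bytes. Not a loadable image.
pub fn synthetic_pe(cert_size: u32) -> Vec<u8> {
    let mut v = vec![0u8; 0x40];
    v[..2].copy_from_slice(b"MZ");
    v[0x3c..].copy_from_slice(&0x40u32.to_le_bytes());
    v.extend_from_slice(b"PE\0\0");
    v.extend_from_slice(&[0u8; 20]);                       // COFF header (zeroed)
    let opt = v.len();
    v.extend_from_slice(&0x20bu16.to_le_bytes());          // PE32+ magic
    v.resize(opt + 108, 0);
    v.extend_from_slice(&16u32.to_le_bytes());             // NumberOfRvaAndSizes
    v.resize(opt + 112 + 16 * 8, 0);                       // 16 empty data directories
    if cert_size > 0 {
        let entry = opt + 112 + 32;                        // IMAGE_DIRECTORY_ENTRY_SECURITY
        let cert_off = v.len() as u32;
        v[entry..entry + 4].copy_from_slice(&cert_off.to_le_bytes());
        v[entry + 4..entry + 8].copy_from_slice(&cert_size.to_le_bytes());
        v.resize(v.len() + cert_size as usize, 0);
    }
    v
}
```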

We should wait on the upstream PR to be merged so we can get rid of the
flake reference.

Life is too short to guess why EDK2 is broken, hence, I needed to debug the PE loader
and I wrote that in another project for debugging a kernel.

Here we go for this project.

`lanzaboote_image` is no more, we directly go from a set of stub parameters to the in-memory
representation of the final image.

Whatever the consumer wants to do with it, they are free to do so.

For now, we redump it into a temporary directory to make the changes minimal.

This depends on an unreleased branch of Goblin.
This pull request has changes conflicting with the target branch.
  • flake.lock
  • flake.nix
  • nix/modules/lanzaboote.nix
  • nix/tests/lanzaboote.nix
  • rust/tool/Cargo.lock
  • rust/tool/shared/Cargo.toml
  • rust/tool/shared/src/pe.rs
  • rust/tool/shared/src/signature/local.rs
  • rust/tool/shared/src/signature/mod.rs
  • rust/tool/systemd/src/cli.rs
Reference: lix-community/lanzaboote#1