NixOS with systemd-boot results in "security hole" warnings #279362
Comments
Since the expected workflow is to occasionally potentially using
fileSystems."/boot" = {
  options = [ "uid=0" "gid=0" "fmask=0077" "dmask=0077" ];
};
But of course, this is just a workaround. Something like this should ideally be set up automatically.
Why did you add all those options instead of just
I really don't recall. It's just the fix that was in my system flake module for orchestrating boot processes. If
Worth noting that the ESP must be a FAT partition, which does not support permissions, so the only way to actually close the security hole would be to encrypt /boot, or put the random seed file elsewhere. The
Ooof. That's a nasty footgun. Do you have any examples of NixOS configs that encrypt boot? I actually would be interested in doing that! It's useful for anti-tampering as well. Also, for those who are interested, I can think of two other maybe-options:
@eclairevoyant: I don't think you need to encrypt /boot, and a sufficient fix/workaround is posted above (change perms on the mount).
This issue has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/security-warning-when-installing-nixos-23-11/37636/3
@eclairevoyant No, not at all. It's true that it doesn't change any permissions on-disk, because FAT doesn't have permissions. But the only reason this is important in the first place is simply to keep non-root users from reading/writing the random-seed, which is accomplished with You cannot encrypt the ESP or (reliably) use any other file system than FAT. UEFI includes protocols for accessing file systems that the firmware supports, which is how systemd-boot accesses
FWIW, Grub does support encrypting the boot partition, for the hyper paranoid. I've done it before along with secureboot to prevent the possibility of an evil maid attack. |
@nrdxp To be clear, I was talking about UEFI drivers. You can add drivers for file systems in UEFI, e.g. with
I'm aware, I also had secure boot setup on the system in question. I agree though grub's support is rather ad hoc, which is why I don't use it anymore |
The default is to mount these world-readable, but that's a security risk for the EFI System Partition. Ref NixOS#279362.
This prevents world-readable access to /boot, which is a security issue that systemd-boot warns about. Fixes NixOS#279362.
I made a fix at #300673. Can someone review please?
The default is to mount these world-readable, but that's a security risk for the EFI System Partition. Ref NixOS#279362. (cherry picked from commit 8ee9b79)
This prevents world-readable access to /boot, which is a security issue that systemd-boot warns about. Fixes NixOS#279362. (cherry picked from commit 69aae55)
Describe the bug

Since NixOS 23.11, using `boot.loader.systemd-boot.enable = true;` results in these warnings at bootloader install time:

(Minimal repro: `sudo bootctl --esp-path=/mnt/boot install`)

This happens when following the official NixOS installation manual (https://nixos.org/manual/nixos/stable/#sec-installation-manual-partitioning), which in particular says that for UEFI systems the ESP is to be created with `mkfs.fat -F 32 -n boot /dev/sda3` and mounted with `mount /dev/disk/by-label/boot /mnt/boot`. Doing that makes files under `/mnt/boot` world readable, which apparently is a security hole.

I fixed the install time warning by mounting the ESP with `sudo mount -o umask=007 /dev/sda3 /mnt/boot`, but since `nixos-generate-config` doesn't pick up on mount options (at least not the `umask=` one), the installed OS still has the security hole and the warnings will be shown the next time the bootloader gets updated. Manually adding the required `umask=` mount option in hardware-configuration.nix should permanently fix it.

Steps To Reproduce

Steps to reproduce the behavior:
`boot.loader.systemd-boot.enable = true;` in configuration.nix.
`nixos-install ...` and see the mentioned warning.

Expected behavior

`nixos-generate-config` should probably pick up on umask= mount options, so that when the installation instructions get fixed the fix is also propagated to the installed OS.

Notify maintainers

Metadata

NixOS 23.11 (32f6357).
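As an added example that is not part of this issue thread and not NixOS's or systemd's own code: the report above and the fix in the first comment both come down to which bits of the vfat `umask`/`fmask`/`dmask` mount options are set. The POSIX sh checker below applies the vfat rule from mount(8) (files and directories get mode 0777 with the mask bits cleared; `fmask`/`dmask` override `umask` for files/directories; the default `umask` is 022) to /proc/mounts-style records and reports whether the ESP's contents are reachable by non-root users. The function names and the three sample records are my own constructions, not output from a real system.

```sh
#!/bin/sh
# Added example (not from the issue thread or from NixOS): decide from the
# mount options of a vfat ESP whether its files are world-accessible.
# Assumed vfat semantics (mount(8)): umask applies to both files and dirs,
# fmask/dmask override it for files/dirs respectively, default umask is 022.

# esp_world_access "<comma-separated mount options>"
# Prints "files=<octal> dirs=<octal>" and returns 0 when neither files nor
# directories carry any "other" permission bits, 1 otherwise.
esp_world_access() {
    mount_opts=$1
    umask_v=022 fmask_v= dmask_v=
    old_ifs=$IFS; IFS=,
    for o in $mount_opts; do
        case $o in
            umask=*) umask_v=${o#umask=} ;;
            fmask=*) fmask_v=${o#fmask=} ;;
            dmask=*) dmask_v=${o#dmask=} ;;
        esac
    done
    IFS=$old_ifs
    [ -n "$fmask_v" ] || fmask_v=$umask_v
    [ -n "$dmask_v" ] || dmask_v=$umask_v
    # Effective vfat permission bits: 0777 with the mask bits cleared.
    # The leading 0 makes the shell parse the mask as octal.
    fmode=$(( 0777 & ~0$fmask_v ))
    dmode=$(( 0777 & ~0$dmask_v ))
    printf 'files=%04o dirs=%04o\n' "$fmode" "$dmode"
    # World-accessible if any r/w/x bit remains in the "other" triplet.
    [ $(( (fmode | dmode) & 07 )) -eq 0 ]
}

# audit_esp_record "<one /proc/mounts-style record>"
# Fields: device mountpoint fstype options dump pass. Non-FAT records are
# skipped because this masking rule only applies to vfat/msdos mounts.
audit_esp_record() {
    set -- $1
    mnt=$2 fstype=$3 rec_opts=$4
    case $fstype in
        vfat|msdos) ;;
        *) printf '%s: not a FAT file system, skipped\n' "$mnt"; return 0 ;;
    esac
    if modes=$(esp_world_access "$rec_opts"); then
        printf '%s: ok (%s)\n' "$mnt" "$modes"
    else
        printf '%s: world-accessible (%s)\n' "$mnt" "$modes"
        return 1
    fi
}

# Constructed sample records (hypothetical, not captured from a real system):
# the manual's default mount, the fix from the thread, and the umask=007 mount.
SAMPLE_DEFAULT='/dev/sda3 /boot vfat rw,relatime,fmask=0022,dmask=0022,codepage=437 0 0'
SAMPLE_FIXED='/dev/sda3 /boot vfat rw,relatime,uid=0,gid=0,fmask=0077,dmask=0077 0 0'
SAMPLE_UMASK='/dev/sda3 /boot vfat rw,relatime,umask=007 0 0'

for r in "$SAMPLE_DEFAULT" "$SAMPLE_FIXED" "$SAMPLE_UMASK"; do
    audit_esp_record "$r" || true
done
```

On a live system the same check can be fed with `grep ' /boot ' /proc/mounts`; the default record is what the manual's `mount` command produces, and it is reported as world-accessible (0755), while both the `fmask=0077,dmask=0077` and the `umask=007` variants pass.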