nixos/lanzaboote: support unsigned generation policies #37
This is open for comments, implementation will follow once I have a bit of time.
So we discussed this during the sprint and never got around to it properly.
A NixOS user is going to go through these steps in his life:
etc.
NixOS has this neat feature about rollbacks, and SecureBoot interferes with it by breaking the unsigned generations.
Note that a generation signed with the wrong key is considered as an unsigned generation here.
To offer maximum flexibility, I want to offer three policies:

- `resign`: ignore all risks and resign everything. This is particularly dangerous but fine on a development machine, a testing machine, and for people who do not believe they are going to be targeted by Bad Actors™; of course, we do not advise this level of policy for normal operations.
- `resign-last-only`: resign only the LAST (or current) generation. Assuming a rootkit infecting everything that looks like a kernel, initrd, etc., this will not fix the situation. But if you build a new generation that you inspect and trust, this can alleviate the problem; then you can have an unsigned generation you can go back to in case lanzaboote is broken. We recommend this policy for normal operations.
- `ignore`: break all old generations (until SB is disabled). This is recommended for more serious operations, combined with an appropriate way to trust your derivations at runtime.
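The three policies above as a standalone decision procedure, written as an added illustration for this thread (it is not lanzaboote code and does not reflect how the project implements or names these options). It takes the policy names from the comment; the `Generation` record, the `plan` function, the use of `sbverify --cert` from sbsigntools to classify a generation, and the constructed sample generations are all assumptions of the example. The one rule it encodes beyond the three bullets is the earlier remark that a generation signed with the wrong key counts as unsigned: `sbverify` exits non-zero both for an unsigned image and for one signed by a key other than the supplied certificate, so both collapse into "unsigned".

```python
"""Policy illustration for the lanzaboote discussion above.

Added example, not project code. Names, the sbverify-based check and the
sample data are assumptions made for the illustration.
"""
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

RESIGN, RESIGN_LAST_ONLY, IGNORE = "resign", "resign-last-only", "ignore"


@dataclass(frozen=True)
class Generation:
    number: int
    efi_path: str   # bootable image (stub + kernel + initrd) of this generation
    current: bool   # True for the generation the system profile points at


def signed_with_our_key(efi_path: str, cert_pem: str) -> bool:
    """True only if the image has a valid Authenticode signature chaining to
    cert_pem. sbverify (sbsigntools) exits non-zero for an unsigned image and
    for an image signed by another key, so "wrong key" is treated as unsigned.
    Assumes sbsigntools is installed; not exercised by the test below."""
    result = subprocess.run(
        ["sbverify", "--cert", cert_pem, efi_path],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return result.returncode == 0


def plan(policy: str, generations: List[Generation],
         is_signed: Callable[[Generation], bool]) -> Tuple[List[int], List[int]]:
    """Return (to_resign, left_unbootable): generation numbers the policy
    re-signs, and those that stay unbootable while Secure Boot is enforcing.
    `is_signed` is injected so the logic can run without sbverify."""
    unsigned = [g for g in generations if not is_signed(g)]
    if policy == RESIGN:
        to_resign = unsigned                       # trust nothing, sign everything
    elif policy == RESIGN_LAST_ONLY:
        to_resign = [g for g in unsigned if g.current]  # only the generation you just built and inspected
    elif policy == IGNORE:
        to_resign = []                             # old generations stay broken until SB is disabled
    else:
        raise ValueError(f"unknown policy {policy!r}")
    resign_numbers = sorted(g.number for g in to_resign)
    left = sorted(g.number for g in unsigned if g.number not in set(resign_numbers))
    return resign_numbers, left


# Constructed sample: 40 predates Secure Boot (unsigned), 41 was signed with an
# old key (counts as unsigned), 42 is fine, 43 is the freshly built current one.
SAMPLE: List[Generation] = [
    Generation(40, "/boot/EFI/nixos/gen-40.efi", False),
    Generation(41, "/boot/EFI/nixos/gen-41.efi", False),
    Generation(42, "/boot/EFI/nixos/gen-42.efi", False),
    Generation(43, "/boot/EFI/nixos/gen-43.efi", True),
]
SAMPLE_STATUS: Dict[int, bool] = {40: False, 41: False, 42: True, 43: False}


def demo(policy: str) -> Tuple[List[int], List[int]]:
    """Run `plan` against the constructed sample instead of real files."""
    return plan(policy, SAMPLE, lambda g: SAMPLE_STATUS[g.number])


if __name__ == "__main__":
    for p in (RESIGN, RESIGN_LAST_ONLY, IGNORE):
        resign, broken = demo(p)
        print(f"{p:17} resign={resign} unbootable under SB={broken}")
```

On a real machine one would replace the lambda with `lambda g: signed_with_our_key(g.efi_path, "/etc/secureboot/keys/db/db.pem")` (path is an assumption) and build the `Generation` list from the system profile links; the point of keeping the check injectable is that the policy logic, which is the part this thread is deciding on, can be reasoned about and tested separately from the signature tooling. Note that under `resign-last-only` the "unsigned generation you can go back to" is only bootable with Secure Boot disabled, which the `left_unbootable` list makes explicit.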