
[Lenovo X1]: Created host-hardening profile & updated lanzaboote #708

Merged
merged 2 commits into from
Aug 7, 2024

Conversation

vunnyso
Contributor

@vunnyso vunnyso commented Aug 2, 2024

Description of changes

  • Created a host-hardening profile which holds the hardening configuration needed for the host.
    Also added secure boot configuration under host. By default the host-hardening profile is disabled.
  • Updated the lanzaboote package version to v0.4.1.
  • Addresses SP-4919

Checklist for things done

  • Summary of the proposed changes in the PR description
  • More detailed description in the commit message(s)
  • Commits are squashed into relevant entities - avoid a lot of minimal dev time commits in the PR
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • PR linked to architecture documentation and requirement(s) (ticket id)
  • Test procedure described (or includes tests). Select one or more:
    • Tested on Lenovo X1 x86_64
    • Tested on Jetson Orin NX or AGX aarch64
    • Tested on Polarfire riscv64
  • Author has run nix flake check --accept-flake-config and it passes
  • All automatic Github Action checks pass - see actions
  • Author has added reviewers and removed PR draft status

Testing

  1. To test that secure boot works, change host-hardening.enable = true; here
  2. You may need to flash the image, as some of the lanzaboote files may not install with nixos-rebuild ... switch
  3. Enable secure boot from the BIOS.
  4. Enroll the keys with sudo sbctl enroll-keys --microsoft and reboot
  5. Run the command below to verify functionality
       [ghaf@ghaf-host:~]$ sbctl status | grep Secure
       Secure Boot:    ✓ Enabled
  6. The lanzaboote version can also be verified
       [ghaf@ghaf-host:~]$ sudo bootctl status | grep lanza
                Stub: lanzastub 0.4.1
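What an opt-in profile of the kind described above looks like as a NixOS module, as an added illustration that is not code from this PR or from Ghaf. The option path ghaf.profiles.host-hardening is hypothetical; the boot.lanzaboote.* options are upstream lanzaboote's and assume its nixosModule is imported, and the pkiBundle path assumes the keys were created with sbctl create-keys.

```nix
# Added example, not Ghaf's own module. Opt-in host-hardening profile:
# disabled by default (mkEnableOption defaults to false), and when enabled
# it hands the boot chain to lanzaboote so the kernel + initrd are signed.
{ config, lib, pkgs, ... }:
let
  # Hypothetical option path, chosen for this example only.
  cfg = config.ghaf.profiles.host-hardening;
in
{
  options.ghaf.profiles.host-hardening.enable =
    lib.mkEnableOption "host hardening (UEFI secure boot via lanzaboote)";

  config = lib.mkIf cfg.enable {
    # lanzaboote replaces systemd-boot; both must not manage the ESP,
    # so the default systemd-boot loader is forced off.
    boot.loader.systemd-boot.enable = lib.mkForce false;
    boot.loader.efi.canTouchEfiVariables = true;

    boot.lanzaboote = {
      enable = true;
      # Directory where `sbctl create-keys` stored the signing keys
      # (assumed location; older sbctl releases used /etc/secureboot).
      pkiBundle = "/var/lib/sbctl";
    };

    # sbctl is needed on the host to enroll keys and to run the
    # `sbctl status` check from the testing steps.
    environment.systemPackages = [ pkgs.sbctl ];
  };
}
```

With the profile off, the host keeps its unsigned systemd-boot chain, which is why secure boot is expected to be unavailable in that configuration.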

@vunnyso vunnyso temporarily deployed to internal-build-workflow August 2, 2024 10:30 — with GitHub Actions Inactive
@vunnyso vunnyso requested a review from vilvo August 2, 2024 10:42
@vilvo vilvo added the Needs Testing CI Team to pre-verify label Aug 2, 2024
Created host-hardening profile which holds hardening
configuration needed for the host. Also added secure
boot configuration under host. By default host-hardening
profile is disabled.

Signed-off-by: Vunny Sodhi <vunny.sodhi@unikie.com>
Updated lanzaboote package version to v0.4.1.

Signed-off-by: Vunny Sodhi <vunny.sodhi@unikie.com>
@milva-unikie

milva-unikie commented Aug 5, 2024

The Lenovo-X1 debug image gets stuck at boot, the same problem that Samuli first noticed here. I built the PR with nix build github:vunnyso/ghaf/vs-sbfix#lenovo-x1-carbon-gen11-debug and booted from an external SSD.

@vunnyso
Contributor Author

vunnyso commented Aug 5, 2024

The issue is seen with mainline ghaf commit c7eab7f as well.

@milva-unikie

> The issue is seen with mainline ghaf commit c7eab7f as well.

We confirmed that the issue is caused by mainline. It did not happen the first two times I tried, but both me and Samuli have now seen it in main too. #703 (comment)

@vunnyso
Contributor Author

vunnyso commented Aug 5, 2024

Looks like there is some issue with ZFS pool selection during system boot. I have tried to import the ZFS pool manually, but somehow the system boot cannot continue.

@unbel13ver
Contributor

The root cause of the issue with the ZFS pool is that ZFS keeps its metadata at the beginning and at the end of the storage device. When the media device is reflashed, this metadata does not match anymore. I made a PR with the flashing script that correctly wipes the target device before reflashing the image.
#713

@vunnyso
Contributor Author

vunnyso commented Aug 6, 2024

> The root cause of the issue with the ZFS pool is that ZFS keeps its metadata at the beginning and at the end of the storage device. When the media device is reflashed, this metadata does not match anymore. I made a PR with the flashing script that correctly wipes the target device before reflashing the image. #713

Thanks @unbel13ver

@milva-unikie

Tested on Lenovo-X1

  • Automated tests pass with host-hardening both off and on, performance OK
  • Secure boot works when host-hardening is on
  • Secure boot is not available when host-hardening is off
  • Lanzaboote version is correct
  • No findings in manual regression tests

@milva-unikie milva-unikie added Tested on Lenovo X1 Carbon This PR has been tested on Lenovo X1 Carbon and removed Needs Testing CI Team to pre-verify labels Aug 7, 2024
@brianmcgillion brianmcgillion merged commit 565e456 into tiiuae:main Aug 7, 2024
14 checks passed