Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add support for building fully dm-verity protected images with systemd-repart #343252

Merged
merged 3 commits into from
Sep 20, 2024
Merged

add support for building fully dm-verity protected images with systemd-repart #343252

merged 3 commits into from
Sep 20, 2024

Conversation

WilliButz
Copy link
Member

Description of changes

Please see the commit messages for more details.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@msanft @nikstur @WilliButz
nixos: add support for dm-verity
5ee6467 
Co-authored-by: nikstur <[email protected]>
Co-authored-by: WilliButz <[email protected]>
@WilliButz WilliButz requested a review from a team as a code owner September 20, 2024 11:50
@WilliButz
Copy link
Member Author

@ofborg test appliance-repart-image-verity-store

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: documentation 8.has: changelog 8.has: module (update) This PR changes an existing module in `nixos/` 6.topic: systemd labels Sep 20, 2024
RaitoBezarius
RaitoBezarius reviewed Sep 20, 2024
View reviewed changes
Copy link
Member

@RaitoBezarius RaitoBezarius left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great. I will test it and report.

msanft
msanft reviewed Sep 20, 2024
View reviewed changes
Copy link
Contributor

@msanft msanft left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Diff LGTM otherwise, but I'd also love to give it some testing with my own use-cases before approving. Will do so now

nixos/modules/image/repart-verity-store.nix Show resolved Hide resolved
nixos/modules/image/repart-verity-store.nix Outdated Show resolved Hide resolved
nixos/modules/image/repart-verity-store.nix Show resolved Hide resolved
nixos/modules/image/repart-verity-store.nix Show resolved Hide resolved
@WilliButz
Copy link
Member Author

hmm, was the ofborg test cancelled because of the force-push with the formatting change? 👀

@ofborg test appliance-repart-image-verity-store

msanft
msanft reviewed Sep 20, 2024
View reviewed changes
Copy link
Contributor

@msanft msanft left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ NixOS test works
✅ My own read-only-root use-case works
✅ Personal non-NixOS-test usage test of the usr-scaffolded integrity-protected Nix store works

Great PR! Thank you so much for picking this up. Will approve once the remaining nits of mine are addressed.

@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild 10.rebuild-linux: 1-10 labels Sep 20, 2024
@WilliButz WilliButz force-pushed the repart-image/verity-store branch 2 times, most recently from ea2b97b to 6c03e64 Compare September 20, 2024 13:23
RaitoBezarius
RaitoBezarius previously requested changes Sep 20, 2024
View reviewed changes
Copy link
Member

@RaitoBezarius RaitoBezarius left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's an infrec architectural loop.

If you are using image repart to create an ESP with a UKI reference, the intermediate image will reference that UKI reference which is overriden to point to the new UKI with the intermediate image reference.

Causing an infinite recursion. I am not sure what is the easiest here.

@WilliButz
nixos/repart-verity-store: init
942588c 
This module provides some abstraction for a multi-stage build to create
a dm-verity protected NixOS repart image.

The opinionated approach realized by this module is to first create an
immutable, verity-protected nix store partition, then embed the root
hash of the corresponding verity hash partition in a UKI, that is then
injected into the ESP of the resulting image.
The UKI can then precisely identify the corresponding data from which
the entire system is bootstrapped.

The module comes with a script that checks the UKI used in the final
image corresponds to the intermediate image created in the first step.
This is necessary to notice incompatible substitutions of
non-reproducible store paths, for example when working with distributed
builds, or when offline-signing the UKI.
@WilliButz
nixos/tests/appliance-repart-image-verity-store: init
56d038e 
This test should illustrate how to build a verity-protected NixOS image
with systemd-repart, using the opinionated image.repart.verityStore module.
RaitoBezarius
RaitoBezarius approved these changes Sep 20, 2024
View reviewed changes
Copy link
Member

@RaitoBezarius RaitoBezarius left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Modulo documentation, all good!

@RaitoBezarius RaitoBezarius merged commit fed418a into NixOS:master Sep 20, 2024
23 checks passed
@ElvishJerricco ElvishJerricco mentioned this pull request Sep 20, 2024
Closed
13 tasks
@WilliButz WilliButz deleted the repart-image/verity-store branch September 23, 2024 10:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arianvp arianvp arianvp approved these changes

@msanft msanft msanft approved these changes

@RaitoBezarius RaitoBezarius RaitoBezarius approved these changes

@ElvishJerricco ElvishJerricco Awaiting requested review from ElvishJerricco

@jmbaur jmbaur Awaiting requested review from jmbaur

@nikstur nikstur Awaiting requested review from nikstur

Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 6.topic: systemd 8.has: changelog 8.has: documentation 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild 10.rebuild-linux: 1-10
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@WilliButz @RaitoBezarius @arianvp @msanft