nix-community · RaitoBezarius · Apr 30, 2023 · Nov 9, 2023 · Nov 9, 2023 · Nov 9, 2023
diff --git a/flake.lock b/flake.lock
diff --git a/nix/modules/lanzaboote.nix b/nix/modules/lanzaboote.nix
@@ -12,6 +12,25 @@ let
     lib.generators.mkKeyValueDefault { } " " k v;
   };
 
+  assembleCredentialDirectoryFromDrv = drv: ''
+    for credential in ${drv}/*; do
+      echo "Processing $credential"
+      if [[ "''${credential##*.}" != "cred" ]]; then
+        echo "Found a non-credential: $credential, please remove it or move it."
+        exit 1
+      fi
+      cp $credential $out/
+    done
+  '';
+
+  assembleCredentialDirectory = drvs: pkgs.runCommand "assemble-credentials" { } ''
+    mkdir -p $out/
+    ${concatStringsSep "\n" (map assembleCredentialDirectoryFromDrv drvs)}
+  '';
+
+  globalCredentialsDirectory = assembleCredentialDirectory cfg.globalCredentials;
+  localCredentialsDirectory = assembleCredentialDirectory cfg.localCredentials;
+
   loaderConfigFile = loaderSettingsFormat.generate "loader.conf" cfg.settings;
 
   configurationLimit = if cfg.configurationLimit == null then 0 else cfg.configurationLimit;
@@ -36,6 +55,30 @@ in
       '';
     };
 
+    globalCredentials = mkOption {
+      type = types.listOf types.package;
+      description = lib.mdDoc ''
+        A list of derivations containing multiple .cred files inside of it.
+        If anything else than a .cred is found, in the top-level, this will fail
+        at assembly time.
+
+        This will be installed in $ESP/loader/credentials.
+        In case of data conflict, the installer will fail and ask for manual removal.
+      '';
+    };
+
+    localCredentials = mkOption {
+      type = types.listOf types.package;
+      description = lib.mdDoc ''
+        A list of derivations containing multiple .cred files inside of it.
+        If anything else than a .cred is found, in the top-level, this will fail
+        at assembly time.
+
+        This will be installed in this generation's drop-in directory specifically.
+        In case of data conflict, the installer will fail and ask for manual removal.
+      '';
+    };
+
     pkiBundle = mkOption {
       type = types.nullOr types.path;
       description = "PKI bundle containing db, PK, KEK";
@@ -125,6 +168,8 @@ in
           --public-key ${cfg.publicKeyFile} \
           --private-key ${cfg.privateKeyFile} \
           --configuration-limit ${toString configurationLimit} \
+          --global-credentials-directory ${globalCredentialsDirectory} \
+          --local-credentials-directory ${localCredentialsDirectory} \
           ${config.boot.loader.efi.efiSysMountPoint} \
           /nix/var/nix/profiles/system-*-link
       '';

diff --git a/nix/tests/lanzaboote.nix b/nix/tests/lanzaboote.nix
@@ -6,7 +6,8 @@ let
   inherit (pkgs) lib system;
   defaultTimeout = 5 * 60; # = 5 minutes
 
-  mkSecureBootTest = { name, machine ? { }, useSecureBoot ? true, useTPM2 ? false, readEfiVariables ? false, testScript }:
+  # `handInstrumentationOverInInitrd`: stop the test script at initrd time in stage 1 so you can assert stage 1 behavior via https://github.com/NixOS/nixpkgs/pull/256226 backdoor.
+  mkSecureBootTest = { name, machine ? { }, useSecureBoot ? true, useTPM2 ? false, readEfiVariables ? false, handInstrumentationInInitrd ? false, globalCredentials ? [ ], localCredentials ? [ ], testScript }:
     let
       tpmSocketPath = "/tmp/swtpm-sock";
       tpmDeviceModels = {
@@ -94,6 +95,9 @@ let
           machine
         ];
 
+        testing.initrdBackdoor = lib.mkIf handInstrumentationInInitrd true;
+        boot.initrd.systemd.enable = lib.mkIf handInstrumentationInInitrd true;
+
         virtualisation = {
           useBootLoader = true;
           useEFIBoot = true;
@@ -146,6 +150,7 @@ let
           enable = true;
           enrollKeys = lib.mkDefault true;
           pkiBundle = ./fixtures/uefi-keys;
+          inherit globalCredentials localCredentials;
         };
       };
     };
@@ -450,4 +455,17 @@ in
     '';
   };
 
+  credentials-basic = mkSecureBootTest {
+    name = "lanzaboote-credentials-basic";
+    readEfiVariables = true;
+    handInstrumentationInInitrd = true;
+    globalCredentials = [
+      (pkgs.writeTextDir "super-secret.cred" "MASTER_KEY=lanzarote")
+    ];
+    testScript = ''
+      machine.start()
+      contents = machine.succeed("cat /.extra/global_credentials/super-secret.cred")
+      assert "MASTER_KEY=lanzarote" == contents, f"Unexpected credential contents, got: {contents}"
+    '';
+  };
 }
diff --git a/rust/stub/Cargo.toml b/rust/stub/Cargo.toml
@@ -0,0 +1,28 @@
+[package]
+name = "lanzaboote_stub"
+version = "0.1.0"
+edition = "2021"
+publish = false
+# For UEFI target
+rust-version = "1.68"
+
+[dependencies]
+uefi = { version = "0.20.0", default-features = false, features = [ "alloc", "global_allocator" ] }
+uefi-services = { version = "0.17.0", default-features = false, features = [ "panic_handler", "logger" ] }
+goblin = { version = "0.6.1", default-features = false, features = [ "pe64", "alloc" ]}
+bitflags = "2.2.1"
+
+# Even in debug builds, we don't enable the debug logs, because they generate a lot of spam from goblin.
+log = { version = "0.4.17", default-features = false, features = [ "max_level_info", "release_max_level_warn" ]}
+
+# Use software implementation because the UEFI target seems to need it.
+sha2 = { version = "0.10.6", default-features = false, features = ["force-soft"] }
+# SHA1 for TPM TCG interface version 1.
+sha1_smol = "1.0.0"
+# std::io for alloc/no_std
+# FIXME: I don't want this extra dependency actually.
+acid_io = { git = "https://github.com/dataphract/acid_io", default-features = false, features = [ "alloc" ] }
+
+[profile.release]
+opt-level = "s"
+lto = true