Tracking issue: Boot security in NixOS #265640
Status: Open
Labels: 0.kind: enhancement; 1.severity: significant; 2.status: stale; 5.scope: tracking; 6.topic: nixos; 6.topic: systemd
Description
This is a tracking issue for work around Boot security in NixOS incorporating elements of https://github.com/nix-community/projects/blob/main/proposals/nixpkgs-security.md.
Upstream features
- Write support for PE binaries m4b/goblin#361
- pe: offer basic section manipulations m4b/goblin#381
- project: initial proof of concept nix-community/goblin-signing#2
- feat: simple verify algorithms nix-community/goblin-signing#3
- boot: load addons from systemd-boot Type 1 entries systemd/systemd#28057
- systemd-stub: support loading .initrd via addons systemd/systemd#28070
- PE: preparations for a writer outside of Goblin m4b/goblin#389
- not done yet: load a kernel addon.
Work driven by @RaitoBezarius
UEFI Secure Boot by default for NixOS installer images
- https://github.com/RaitoBezarius/nixos-shim
- https://github.com/lheckemann/shim-review
- Shim-based ISO image for Secure Boot #273567
Work driven by @lheckemann, with the help of @mschwaig.
Bootspec v2
TPM2 in lanzaboote
- feat: add CPIO packing for companion files nix-community/lanzaboote#168
- feat: support TPM2 PCR unified sections packed as CPIOs nix-community/lanzaboote#169
Work driven by @RaitoBezarius
A/B schema in NixOS
- [WIP] nixos/systemd-boot: boot counting and automatic fallback #84204
- nixos/systemd-boot: init boot counting #273062
Work driven by @JulienMalka
Integrity checks for the store
Work driven by @ElvishJerricco
Interpreter-less NixOS
Tracking issue: #267982
Design document: https://pad.lassul.us/nixos-perlless-activation#
- Replace simple activationScripts #263203
- systemd: enable sysusers by default #264879
- Rebuildable system & appliance #263462
- nixos: replace activationScripts 2/x #267983
Work driven by @nikstur, with the help of @blitz @lheckemann.