lanzaboote-stub: init at 0.3.0

[RaitoBezarius]

Description of changes

This brings https://github.com/nix-community/lanzaboote UEFI stub in-tree.

Dependents:

• nixos/boot/systemd-boot: add UEFI Secure Boot via lanzaboote #263713

Dependencies:

• Either of:
  • lib.systems.inspect: isEfi → hasEfi rename #263711
  • lib.systems.inspect: deprecate isEfi #264297

Related:

• lanzaboote-tool: init at 0.3.0 #263712
• lib/systems: add aarch64-windows #263714.

Current design

Stub and tool are packaged in the global hierarchy as: lanzaboote-tool and lanzaboote-uefi-stub, no assumption on the system are encoded inside their package respectively.

It is expected to build the UEFI stub using a UEFI system with a UEFI compiler.

The linker is a flavored linker which will propagate adequately the lld Windows-style driver for arguments.

lanzaboote-tool is supposed to be wrapped to know about its lanzaboote-stub, unfortunately, this is impossible to achieve inside of nixpkgs, multiple attempts were proposed to the reviewers in the next section and were all rejected. Therefore, the only solution is to give up on having a wrapped lanzaboote-tool and propose a semi-wrapped lanzaboote-tool and expect the user to understand they have to export the LANZABOOTE_STUB environment variable to know about the stub itself.

This is what we do in the systemd-boot NixOS module ourselves and we expect to work in many cases, either case, author would like to move this PR forward ideally and not concern themselves further with the semi wrapping issue stemming from the impossibility to build a package as a data via cross-compilation inside of nixpkgs, alas.

What has been tried?

• Trivial implementation using nixpkgs reimport inside of pkgs/ hierarchy: NACK because it reimports nixpkgs inside nixpkgs.
• Introduction of a UEFI system example: NACK because there is divergence on the system data, see discussion on MinGW style vs MSVC and GNU-Config as a general.
• Complicated implementation by locally rebooting nixpkgs inside the package definition of the tool to compile the stub using a hacked stdenv: NACK because it's too complicated.
• Complicated implementation by locally rebooting a new package scope called uefiPkgs for cross compilation inside nixpkgs without a direct reimport: NACK because it's too complicated and does not compose well.

Some funny questions

It seems like this PR tries to move to make UEFI a proper target in nixpkgs, but there's already plenty of "data as UEFI binaries" inside of nixpkgs without any cross compilation involved per se:

• EDK2/OVMF firmware
• systemd-boot
• GRUB EFI

Ideally, we should treat the same way as in this PR, I suppose this will be very hard given their build system.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 23.05 Release Notes (or backporting 22.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

[ghost]

#235230 is done; reviewing this PR is next on my list.

[ghost]

Pushed to this branch:

• 6bc656b to fix CI.
• a17e894 to drop the gnu-config patch.

When I run CI locally it passes. Let's see what ofborg says.

[ghost]

Got CI to pass.

My opinion remains unchanged: UEFI is a boondoggle.

But if the boon must be doggled, at least it will be done using Nix and Rust. 🤷‍♂️

[ghost]

Suggested change

	platforms = [ "x86_64-uefi" "i686-uefi" "aarch64-uefi" ];
	hydraPlatforms = [ lib.systems.inspect.platformPatterns.isUefi ];

[ghost]

Suggested change

	broken = stdenv.isi686 || stdenv.isAarch64;
	broken = with stdenv.hostPlatform; isi686 || isAarch64;

[ghost]

Suggested change

[ghost]

Suggested change

	uefi = filterDoubles predicates.isEfiEnvironment;
	uefi = filterDoubles predicates.isUefi;

[ghost]

Suggested change

	isEfiEnvironment = [
	isUefi = [

[ghost]

Suggested change

	# aarch64: compile fine but...
	# aarch64: compile fine but unable to test on real hardware

[Janik-Haag]

shouldn't it be # aarch64: compiles fine but unable to test on real hardware?

[ghost]

If you rebase this to a more recent staging (or switch branch to master) I think the ofborg rebuild tags will go away.

[RaitoBezarius]

If you rebase this to a more recent staging (or switch branch to master) I think the ofborg rebuild tags will go away.

I just need to do it when I don't feel like I will fuck up :D.

[TobiPeterG]

Is there any progress on this? :)

[baloo]

Got CI to pass.

@ghost

I'm a bit late to the party, but I'm trying to revive it in #353050, but I'm getting compilation errors on compiler-rt and I'm not sure which derivation you tried to build. None of the options I tried worked.

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/installation-medium-has-invalid-secure-boot-signature/58952/6

[Mic92]

This pull requests is stalled.

[RaitoBezarius]

This pull requests is stalled.

Can I ask you the courtesy to ping the author of PR whom you close PRs? (Or put the documentation of that new nixpkgs process in your closing messages?)

Thank you.

[Mic92]

Well, do you want to work on this? You said me in several occasions that you don't want to contribute to nixpkgs anymore and working on your NixOS fork. I do not think we should add too many processes to nixpkgs because it will make it too hard to understand how to make changes, so please just re-open the pull request again if you want to work on this. Otherwise just delete the branch.

[RaitoBezarius]

Well, do you want to work on this? You said me in several occasions that you don't want to contribute to nixpkgs anymore and working on your NixOS fork. I do not think we should add too many processes to nixpkgs because it will make it too hard to understand how to make changes, so please just re-open the pull request again if you want to work on this. Otherwise just delete the branch.

Again, all of this has nothing to do with my request. Simply ask before doing what when it comes to other people's work is what I would like you to do. Thank you.

[Mic92]

Well, usually I ask them to re-open their pull request if they want to continue to work on the pull request. But I was 95% sure you would want not do that, so I kept it at that.

[RaitoBezarius]

Well, usually I ask them to re-open their pull request if they want to continue to work on the pull request. But I was 95% sure you would want not do that, so I kept it at that.

If you want to make up your own rules, please consider discussing it with others before applying them out of the blue, especially when it comes to the work of others. "Closing then asking to re-open" is not courtesy, it's just you doing whatever you think is acceptable to do at any time, and you are continuing to shove your view.