Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enabling lanzaboote on initial installation #397

Open
Ten0 opened this issue Oct 13, 2024 · 8 comments
Open

Enabling lanzaboote on initial installation #397

Ten0 opened this issue Oct 13, 2024 · 8 comments

Comments

@Ten0
Copy link

Ten0 commented Oct 13, 2024

Hello! I've been using this successfully for a few months, and I'd like to generalize its usage.

Readme specifies:

This means if you wish to install lanzaboote on a new machine,
you need to follow the install instruction for systemd-boot
and than switch to lanzaboote after the first boot.

I'd like to be able to apply a configuration with lanzaboote enabled as I run nixos-install, and not have to manually temporarily disable it from my config during the installation, then re-enable it after the installation.

Could you please expand on the limitations that prevent from running sbctl create-keys prior to installation, then applying the initial configuration with lanzaboote enabled right away?
Thanks!

@arthsmn
Copy link

arthsmn commented Oct 18, 2024

You can create your own ISO with your keys in it and a signed kernel. Then, you would only need to import the keys into the machine and copy the keys from the ISO to the installation.

@Ten0
Copy link
Author

Ten0 commented Oct 19, 2024

Hey, thanks for your answer.
I didn't mean that I wanted secure boot to be enabled prior to installation. I meant that the guide seems to express that applying a configuration that has lanzaboote enabled instead of systemd boot during initial nixos-install wouldn't work, and I was wondering why creating keys in /mnt/etc/secureboot prior to installation wouldn't work (or if it would, why the guide seems to suggest otherwise).
Thanks!

@arthsmn
Copy link

arthsmn commented Oct 19, 2024

Hey, thanks for your answer.
I didn't mean that I wanted secure boot to be enabled prior to installation. I meant that the guide seems to express that applying a configuration that has lanzaboote enabled instead of systemd boot during initial nixos-install wouldn't work, and I was wondering why creating keys in /mnt/etc/secureboot prior to installation wouldn't work (or if it would, why the guide seems to suggest otherwise).
Thanks!

I think this is a misunderstanding of the guide, as I'm pretty sure I installed lanzaboote directly. As the module just replaces systemd-boot, in theory if it has everything in place it should work.

@RaitoBezarius
Copy link
Member

Hi there, sbctl create-keys is frowned upon in activation because this is a side effect that creates private keys and private key creation in an activation script is a bit icky.

Nonetheless, as long as you copied the keys from another location, you can immediately use lanzaboote on the first nixos-install. Lanzaboote will not enforce Secure Boot if Secure Boot is disabled, as soon as you enroll the keys, Secure Boot will be enabled and your bootables will be signed according to the right keys, so it should work out fine in the end.

The guide is a bit conservative to avoid bad experiences, but it could indeed benefit from some clarification.

@kuflierl
Copy link
Contributor

Hello! I've been using this successfully for a few months, and I'd like to generalize its usage.

Readme specifies:

This means if you wish to install lanzaboote on a new machine,
you need to follow the install instruction for systemd-boot
and than switch to lanzaboote after the first boot.

I'd like to be able to apply a configuration with lanzaboote enabled as I run nixos-install, and not have to manually temporarily disable it from my config during the installation, then re-enable it after the installation.

Could you please expand on the limitations that prevent from running sbctl create-keys prior to installation, then applying the initial configuration with lanzaboote enabled right away? Thanks!

This is the whole point of #384. This subject is kinda controversial with the maintainers/developers of the repository as seen in the comments of the PR.

@Ten0
Copy link
Author

Ten0 commented Dec 1, 2024

This is the whole point of #384

As far as I'm concerned I'm fine with needing to run one or two extra commands as part of my install. That is already scripted anyway for all partitioning, encryption, git clone, hardware config generation, etc.

So I don't mind that it doesn't run sbctl create-keys, I can just add that to my script. I'm mostly just scared that it's specified that I should apply a different config with systemd-boot instead before first boot, do the install, and only then apply with lanzaboote enabled, and that seemed annoying because it means I need to apply an intermediate config during install, so I was wondering if perhaps there's something in the nixos install script that applies systemd-uboot-specific configs upon install when enabled, and that wouldn't work with lanzaboote or something along those lines.

At this point I'm rather reassured by #397 (comment) but I haven't tested it yet.

@kuflierl
Copy link
Contributor

kuflierl commented Dec 4, 2024

This is the whole point of #384

As far as I'm concerned I'm fine with needing to run one or two extra commands as part of my install. That is already scripted anyway for all partitioning, encryption, git clone, hardware config generation, etc.

So I don't mind that it doesn't run sbctl create-keys, I can just add that to my script. I'm mostly just scared that it's specified that I should apply a different config with systemd-boot instead before first boot, do the install, and only then apply with lanzaboote enabled, and that seemed annoying because it means I need to apply an intermediate config during install, so I was wondering if perhaps there's something in the nixos install script that applies systemd-uboot-specific configs upon install when enabled, and that wouldn't work with lanzaboote or something along those lines.

At this point I'm rather reassured by #397 (comment) but I haven't tested it yet.

I can assure you it works. I already did that.

@Ten0
Copy link
Author

Ten0 commented Dec 4, 2024

Thanks! Then this issue only tracks documentation update that this works I guess.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants