About a month left to land the promised deliverables. Here’s a status report.
tl;dr We’re on track.
Since the initial announcement, the working group has grown as the specification became more refined, with every milestone having at least one individual responsible.
NixOS Boot Security
- @lheckemann got an ISO to build that can be booted with Secure Boot enabled via shim. It currently works by signing the kernel directly. It doesn’t verify the initramfs or store image, so the next step is to build a Unified Kernel Image to get the initrd verified, and do a checksum of the store image to get all the desired security properties. This is not ideal, especially performance-wise, but will unblock kicking off the shim-review process to obtain a signature that allows booting on machines that only ship with Microsoft keys.
- @mschwaig generously helped out
- @ElvishJerricco explored multiple options to verify the store closure
- The most secure and attainable solution for now is using
nix-store --verifyon regular systems, despite a significant performance penalty, anddm-crypton appliances. - At the end of the year there will be a an outline for what an optimal solution would loook like: something very much along the lines of APFS Signed System Volume, with ZFS being closest to being able to implement it, despite being far from ideal in many other respects.
- The most secure and attainable solution for now is using
- @nikstur opened a tracking issue: Perlless Activation - Tracking Issue · Issue #267982 · NixOS/nixpkgs · GitHub
- Booting NixOS without running the Perl interpreter is almost done
- At the end of the year we’ll have a clear implementation strategy to also get rid of Bash in a possible next round of work
- @RaitoBezarius
- Added PE write support in Goblin
- Got an even fancier PE assembling solution, which aims to replace
objcopyor systemd’sukifyin the future - Added Signing support for PE via Goblin
- Verifying PE certificates in a basic way, with a UEFI example using your own
dbvariable, which should work with Lanzaboote!- X.509 resolution chain is not implemented yet, so you cannot have a chain of verification from an organizational certificate authority to your “machine” certificate.
- Writing cursed PKCS#11 code in to enable users to test the creation of a simple certificate authority, then build a certificate for a specific machine or group of machines (a “sub CA”) and use it to sign your binaries, all of that from your PKCS#11 hardware security token (that is, a (Nitro|Yubi|expensive)HSM, a smartcard key, a SoftHSM2, a TPM2, maybe your phone, and much more)
- Used it to assemble companion files according to the BLS specification and systemd semantics inside of lanzastub. This involved some contributions and discussions with
uefi-rspeople. - Wrote the
pio(for pico I/O) dedicated to write CPIO archives in ano_stdcontext, albeit withalloc
- @Dmills27 started working on documenting the complete setup for end users
Vulnerability tracker
- Due to a constellation of unfortunate situations, we had to quickly re-plan some milestones. Special thanks to Ryan Trinkle and Ali Abrar from Obsidian Systems for jumping in to support us with developer time and project management expertise on short notice, with @cidkid being part of the group now.
- Progress is tracked here: Issues · Nix-Security-WG/nix-security-tracker · GitHub
- @thubrecht implemented the web service infrastructure and CVE ingestion, and is working on providing APIs to implement clients against
- @raboof and @cidkid, after an extensive survey of prior art, are developing a tool to match local store path closures and metadata against advisories, which will use the web APIs to improve accuracy.
- @mightyiam, @jfly, and @modprog work on extending and integrating
label-tracker, a tool to track PRs/issues in nixpkgs according to their tags, generously supported with input from @pennae
Nixpkgs full-source bootstrap chain
- @emilytrau is tracking progress with PRs referencing stdenv: begin work on 256b bootstrap i.e. Trusting Trust by emilytrau · Pull Request #227914 · NixOS/nixpkgs · GitHub
- Implementation is in the home stretch, with GCC 8 compiling with musl, bootstrapped off the latest
stag0-posixrelease 1.6.0 - There was lots of volunteer support in the form of reviews, thanks @picnoir, @artturin, @Ericson2314 and everyone else involved!
- Implementation is in the home stretch, with GCC 8 compiling with musl, bootstrapped off the latest
- @alejandrosame is writing in-code and maintainer-oriented documentation, since a major contribution to security by this sub-project is being able to understanding how and why things work
Phase 2
Overall, the project is on a path to fulfill the envisioned requirements in terms of security, but due to time limits has to strike many compromises between implementation complexity and performance. One important byproduct are findings that inform possible next implementation steps.
The second application phase is coming up, where we can continue to build upon what’s currently being done and incorporate those findings. We invite everyone available to work on security in the first quarter of 2024 to participate in planning. The deadline to hand in a proposal to the STF is Wednesday 2023-12-13.