From e53d9cb72cab223c07a9b3e9d86040649f211614 Mon Sep 17 00:00:00 2001 From: Patrick Date: Wed, 15 Jan 2025 13:11:41 +0100 Subject: [PATCH] feat: check luks on boot --- config/services/adguardhome.nix | 4 +- hosts/desktopnix/default.nix | 1 + hosts/desktopnix/fs.nix | 12 +-- hosts/patricknix/fs.nix | 26 +----- modules/ensure-pcr.nix | 135 +++++++++++++++++++++++++++++--- 5 files changed, 135 insertions(+), 43 deletions(-) diff --git a/config/services/adguardhome.nix b/config/services/adguardhome.nix index 18537c3..d3ab6af 100644 --- a/config/services/adguardhome.nix +++ b/config/services/adguardhome.nix @@ -41,8 +41,8 @@ ]; }; user_rules = [ - # "||homematic.internal^$dnsrewrite=${lib.net.cidr.host 30 globals.net.vlans.devices.cidrv4}" - # "||testberry.internal^$dnsrewrite=${lib.net.cidr.host 31 globals.net.vlans.devices.cidrv4}" + "||homematic.internal^$dnsrewrite=${lib.net.cidr.host 30 globals.net.vlans.devices.cidrv4}" + "||testberry.internal^$dnsrewrite=${lib.net.cidr.host 31 globals.net.vlans.devices.cidrv4}" "||smb.internal^$dnsrewrite=${lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4}" "||${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 1 globals.net.vlans.services.cidrv4}" "@@||${globals.services.vaultwarden.domain}" diff --git a/hosts/desktopnix/default.nix b/hosts/desktopnix/default.nix index 47f97e1..6f0d421 100644 --- a/hosts/desktopnix/default.nix +++ b/hosts/desktopnix/default.nix @@ -56,6 +56,7 @@ "nohibernate" "root=fstab" "loglevel=4" + "rd.luks=no" "nvidia-drm.modeset=1" "nvidia.NVreg_PreserveVideoMemoryAllocations=1" ]; diff --git a/hosts/desktopnix/fs.nix b/hosts/desktopnix/fs.nix index f11d9d7..e3babba 100644 --- a/hosts/desktopnix/fs.nix +++ b/hosts/desktopnix/fs.nix @@ -65,12 +65,8 @@ }; }; }; - boot.initrd.luks.devices.rpool_m2-ssd.crypttabExtraOpts = [ - "tpm2-device=auto" - "tpm2-measure-pcr=yes" - ]; - boot.initrd.luks.devices.panzer_sata-hdd.crypttabExtraOpts = [ - "tpm2-device=auto" - "tpm2-measure-pcr=yes" - ]; + systemIdentity = { + enable = true; + pcr15 = "dc9b7fa0d2a0ef5441bb8bfb7b2103b9f45f1143d87f69929c12cf7a3cc35ccf"; + }; } diff --git a/hosts/patricknix/fs.nix b/hosts/patricknix/fs.nix index cc34af5..547520b 100644 --- a/hosts/patricknix/fs.nix +++ b/hosts/patricknix/fs.nix @@ -33,31 +33,11 @@ }; fileSystems."/state".neededForBoot = true; fileSystems."/persist".neededForBoot = true; - boot.initrd.systemd.extraBin = { jq = lib.getExe pkgs.jq; }; - # In ermergency shell type: - # ´systemctl disable check-pcrs´ - # ´systemctl default´ - # to continue booting - boot.initrd.systemd.services.check-pcrs = { - script = '' - echo "Checking PCRS tag: ctiectie" - if [[ $(systemd-analyze pcrs 15 --json=short | jq -r ".[0].sha256") != "a8cfdc8ec869f9edf4635129ba6bb19a076a5d234655cf4684286dc57e325a38" ]] ; then - echo "PCR 15 contains invalid hash" - exit 1 - else - echo "PCR 15 checked" - fi - ''; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - unitConfig.DefaultDependencies = "no"; - after = [ "cryptsetup.target" ]; - before = [ "sysroot.mount" ]; - requiredBy = [ "sysroot.mount" ]; + systemIdentity = { + enable = true; + pcr15 = "6214de8c3d861c4b451acc8c4e24294c95d55bcec516bbf15c077ca3bffb6547"; }; } diff --git a/modules/ensure-pcr.nix b/modules/ensure-pcr.nix index 1017175..9ccd969 100644 --- a/modules/ensure-pcr.nix +++ b/modules/ensure-pcr.nix @@ -1,13 +1,128 @@ -{ lib, ... }: { - options.boot.initrd.luks.devices = lib.mkOption { - type = - with lib.types; - attrsOf (submodule { - config.crypttabExtraOpts = [ - "tpm2-device=auto" - "tpm2-measure-pcr=yes" - ]; - }); + lib, + utils, + config, + ... +}: +let + inherit (lib) + head + optional + foldl' + nameValuePair + listToAttrs + optionals + concatStringsSep + sortOn + mkIf + mkEnableOption + mkOption + types + ; +in +{ + options = { + systemIdentity = { + enable = mkEnableOption "hashing of Luks values into PCR 15 and subsequent checks"; + pcr15 = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + The expected value of PCR 15 after all luks partitions have been unlocked + Should be a 64 character hex string as ouput by the sha256 field of + ´systemd-analyze pcrs 15 --json=short´ + If set to null (the default) it will not check the value. + If the check fails the boot will abort and you will be dropped into an emergency shell, if enabled. + In ermergency shell type: + ´systemctl disable check-pcrs´ + ´systemctl default´ + to continue booting + ''; + example = "6214de8c3d861c4b451acc8c4e24294c95d55bcec516bbf15c077ca3bffb6547"; + }; + }; + boot.initrd.luks.devices = lib.mkOption { + type = + with lib.types; + attrsOf (submodule { + config.crypttabExtraOpts = optionals config.systemIdentity.enable [ + "tpm2-device=auto" + "tpm2-measure-pcr=yes" + ]; + }); + }; + }; + config = mkIf config.systemIdentity.enable { + boot.kernelParams = [ + "rd.luks=no" + ]; + boot.initrd.systemd.services = + { + check-pcrs = mkIf (config.systemIdentity.pcr15 != null) { + script = '' + echo "Checking PCR 15 value" + if [[ $(systemd-analyze pcrs 15 --json=short | jq -r ".[0].sha256") != "${config.systemIdentity.pcr15}" ]] ; then + echo "PCR 15 check failed" + exit 1 + else + echo "PCR 15 check suceed" + fi + ''; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + unitConfig.DefaultDependencies = "no"; + after = [ "cryptsetup.target" ]; + before = [ "sysroot.mount" ]; + requiredBy = [ "sysroot.mount" ]; + }; + } + // (listToAttrs ( + foldl' ( + acc: attrs: + let + extraOpts = attrs.value.crypttabExtraOpts ++ (optional attrs.value.allowDiscards "discard"); + cfg = config.boot.initrd.systemd; + in + [ + (nameValuePair "cryptsetup-${attrs.name}" { + unitConfig = { + Description = "Cryptography setup for ${attrs.name}"; + DefaultDependencies = "no"; + IgnoreOnIsolate = true; + Conflicts = [ "umount.target" ]; + BindsTo = "${utils.escapeSystemdPath attrs.value.device}.device"; + }; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + TimeoutSec = "infinity"; + KeyringMode = "shared"; + OOMScoreAdjust = 500; + ImportCredential = "cryptsetup.*"; + ExecStart = ''${cfg.package}/bin/systemd-cryptsetup attach '${attrs.name}' '${attrs.value.device}' '-' '${concatStringsSep "," extraOpts}' ''; + ExecStop = ''${cfg.package}/bin/systemd-cryptsetup detach '${attrs.name}' ''; + }; + after = + [ + "cryptsetup-pre.target" + "systemd-udevd-kernel.socket" + "${utils.escapeSystemdPath attrs.value.device}.device" + ] + ++ (optional cfg.tpm2.enable "systemd-tpm2-setup-early.service") + ++ optional (acc != [ ]) "${(head acc).name}.service"; + before = [ + "blockdev@dev-mapper-${attrs.name}.target" + "cryptsetup.target" + "umount.target" + ]; + wants = [ "blockdev@dev-mapper-${attrs.name}.target" ]; + requiredBy = [ "sysroot.mount" ]; + }) + ] + ++ acc + ) [ ] (sortOn (x: x.name) (lib.attrsets.attrsToList config.boot.initrd.luks.devices)) + )); }; }