Add support for generating a .iso with a signed bootloader

[Pablito2020]

I am having an issue generating a new .iso that has a signed bootloader (so I don't have to disable secure-boot on the pc when I am booting from a usb drive with a custom nixos iso on it).

When we generate an ISO file (with Nixos Generators or by importing the DVD-iso-image the EFI application is a grub2 bootloader (The code can be found here: https://github.com/NixOS/nixpkgs/blob/72631d762fafb9a126b5908e6387e163dc7ba8b7/nixos/modules/installer/cd-dvd/iso-image.nix#L243).

I think it would be beneficial to introduce a NixOS module that allows for ISO generation using the systemd-boot bootloader module from lanzaboote. This would enable the creation of ISOs with a signed bootloader, making them compatible with Secure Boot without requiring users to disable it.

I am thinking about a module because I don't see an easy way for the end user to add it "manually" without using the make-iso-9660-image function. Anyway, if an easy solution exists I think it could be added to the documentation.

PS: Thanks in advance! This project has made it easier than ever to enable Secure Boot on my machines 😄

[scj643]

Funny I was just trying to make a secure boot install media myself. I am interested in this as well.

[RaitoBezarius]

Not sure whether it makes a bunch of sense in lanzaboote itself, all you need to build a signed ISO is a Secure Boot signer, and you need to sign the boot chain of your ISO.

Given my experience of the ISO building in nixpkgs, I'm not sure whether it's even feasible to achieve this downstream without some modifications upstream.

Either way, I think the easiest approach would be maybe to repack a built-ISO to sign it.

Anyway, here are the actionables :

• Look into integrating a signing phase upstream for the ISO (this means that you will leak your keys in your Nix store if you do it naively, you probably need to leak a UNIX socket in the sandbox)
• Look into signing post-build by repacking the ISO outside the Nix sandbox

In the future, I may provide a solution based on (1) but I think it should just be part of nixpkgs.

cc @lheckemann (as you looked into shim and stuff.)

[lheckemann]

https://github.com/RaitoBezarius/nixos-shim and NixOS/nixpkgs@master...lheckemann:nixpkgs:shim contain the work I did on this, which does result in a secure-boot-able ISO. The secure boot ISO module in particular isn't merged into nixpkgs though. I'm not sure when I'll pick this up again, but if you want to try getting the necessary pieces merged upstream I'm happy to help with that.

[Pablito2020]

First of all, thank you for all this information.

I believe the simplest approach for my use case will be to unpack the .efi files from the ISO manually (as suggested by @RaitoBezarius in the second option) and sign them with my own keys (following the process explained here: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#ISO_repacking ).

The solution I was expecting to see implemented was something similar to what @lheckemann suggests, but without using Shim (i.e., directly signing the .efi programs with my own keys, even if they get leaked in the Nix store).

I didn't realize that upstream code changes would also be necessary; I had envisioned it more as a module that could be added to lanzaboote, where including the iso-image-secureboot.nix file would configure the .iso directly with the keys defined in the config.lanzaboote .

Thanks for the responses, and sorry if I misunderstood something (I am pretty new to NixOS and Secure Boot in general).

[pnmadelaine]

I'm really not familiar with the technical details of UEFI and secure boot in particular, so maybe this makes no sense. But my vague understanding of lanzaboote is that it signs the bootloader during activation using the user's key available at that time. To boot an ISO built with nixpkgs (or any other way really), one must then repackage it to sign its bootloader using the same key. I'll dig into it to write a script for myself, but would it make sense for lanzaboote to expose this script as a package, looking for the key at the same location that the activation script does?

EDIT: to be clear, I guess I see how this does not exactly fit lanzaboote's purpose, but not being able to easily boot from another media may not seem worth the hastle for some, and having a clear and simple solution to do this may convince people of finally enabling secureboot :)