/boot/EFI/memtest86/memtest.efi is not signed #273
Comments
We would need to implement this in Lanzaboote. There currently is no out-of-the-box way to do it.
lanzaboote/rust/tool/systemd/src/install.rs Line 377 in f707a9b
# Blind code, untested, meant to show the intention only
if let Some(specialisation_name) = &generation.specialisation_name {
Ok(PathBuf::from(format!(
"nixos-generation-{}-specialisation-{}-{}.efi",
generation, specialisation_name, stub_input_hash
)))
+ } else if let Some(specialisation_name) = "memtest.efi" {
+ Ok(PathBuf::from("memtest.efi"))
} else {
Ok(PathBuf::from(format!(
"nixos-generation-{}-{}.efi",
generation, stub_input_hash
)))
}
Is it this easy, or does it need additional changes somewhere else? It would probably be better to add some kind of management in Nix to make the NixOS configuration more manageable, as not everyone might want to sign the memtest.
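Review bot: the added branch `} else if let Some(specialisation_name) = "memtest.efi" {` does not compile, since a `Some(..)` pattern cannot match a string literal, and the `specialisation_name` it binds is never used. Nothing visible in this function tells it that the entry being named is memtest rather than a generation, so that distinction has to arrive as an input (a flag or a separate entry kind carried alongside `generation`) before a dedicated branch makes sense. Note also that the two existing branches derive the output name from `stub_input_hash`, whereas `Ok(PathBuf::from("memtest.efi"))` is a fixed name, so the result is neither content-addressed nor tied to whatever was verified before signing.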
It would require more than that.
@Kreyren wouldn't your change sign any binary named memtest.efi without checking its contents? Wouldn't that potentially also sign a malicious binary if it was replaced prior?
Yeah, maybe it should compare the file's checksum with that from the nix store, or maybe even use a hardcoded checksum.
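The check suggested in the comment above, as an added example that is not lanzaboote's own code: refuse to sign a file on the ESP unless it matches a trusted copy from the Nix store and/or a pinned SHA-256. The function names, the tuple return shape and the sample bytes are this example's own assumptions.

```python
"""Pre-signing gate for a non-generation ESP file such as memtest.efi.

Added example, not lanzaboote code. Refuses to sign by file name alone:
every supplied trust anchor (Nix store copy, pinned digest) must match.
"""
from __future__ import annotations

import hashlib
import hmac
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def check_candidate(candidate: bytes, reference: bytes | None = None,
                    pinned_sha256: str | None = None) -> tuple[bool, str]:
    """Decide whether `candidate` may be signed.

    At least one trust anchor is required: the bytes of the trusted Nix
    store copy and/or a pinned (hardcoded) hex digest. A replaced
    memtest.efi is rejected even though it carries the expected name.
    Returns (ok, reason_or_digest).
    """
    if reference is None and pinned_sha256 is None:
        return False, "no trust anchor given; refusing to sign by name alone"
    digest = sha256_hex(candidate)
    if reference is not None and not hmac.compare_digest(digest, sha256_hex(reference)):
        return False, "candidate differs from the Nix store copy"
    if pinned_sha256 is not None and not hmac.compare_digest(digest, pinned_sha256.lower()):
        return False, "candidate does not match the pinned checksum"
    return True, digest


def check_files(candidate: Path, reference: Path | None = None,
                pinned_sha256: str | None = None) -> tuple[bool, str]:
    """File-based wrapper. Symlinks are refused so a link on the ESP cannot
    point the check at a different file than the one that gets signed."""
    if candidate.is_symlink():
        return False, f"{candidate} is a symlink; refusing"
    ref_bytes = reference.read_bytes() if reference is not None else None
    return check_candidate(candidate.read_bytes(), ref_bytes, pinned_sha256)


if __name__ == "__main__":
    # Constructed stand-in bytes; a real run would read the ESP file and the store path.
    good = b"MZ\x90\x00 constructed stand-in for memtest.efi"
    print(check_candidate(good, reference=good))            # (True, <digest>)
    print(check_candidate(good + b"\x00", reference=good))  # (False, 'candidate differs ...')
```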
Is there a way to make it sign memtest set through boot.loader.systemd-boot.memtest86.enable?