
boot: keep secrets off of nix, setup grub password

master
parent
commit
7b27ecae4a
Signed by: govanify GPG Key ID: DE62E1E2A6145556
8 changed files with 35 additions and 11 deletions
  1. +11
    -0
      bootstrap/default.nix
  2. +18
    -6
      bootstrap/gen_secrets.sh
  3. +5
    -2
      component/bootloader.nix
  4. +1
    -3
      overlays/grub/grub.nix
  5. BIN
      secrets/bootloader/alastor/priv.gpg
  6. BIN
      secrets/bootloader/alastor/pub.gpg
  7. BIN
      secrets/bootloader/xanadu/priv.gpg
  8. BIN
      secrets/bootloader/xanadu/pub.gpg

+ 11
- 0
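--- a/bootstrap/default.nix
+++ b/bootstrap/default.nix
@@ -0,0 +1,11 @@
+{ pkgs ? import <nixpkgs> {}
+}:
+pkgs.mkShell {
+name = "bootstrap_config";
+buildInputs = with pkgs; [
+grub2
+gnupg
+findutils
+coreutils
+];
+}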

+ 18
- 6
bootstrap/gen_secrets.sh View File

@ -1,8 +1,16 @@
#!/bin/sh
if [ "$#" -ne 1 ]; then
echo "usage: ./gen_secrets.sh hostname"
if [ "$#" -ne 2 ]; then
echo "usage: ./gen_secrets.sh hostname root"
echo "example: ./gen_secrets.sh alastor /mnt"
exit 1
fi
mkdir $2/var/lib/bootloader
if [ ! -d "$2/var/lib/bootloader" ]; then
echo "could not create secret path! do you have sufficient rights?"
exit 1
fi
old_gpg_home=$GNUPGHOME
export GNUPGHOME="$(mktemp -d)"
script_key="$(mktemp)"
@ -16,11 +24,15 @@ Name-Email: $1@navi
Passphrase: ''
Expire-Date: 0
EOF
gpg --batch --generate-key $script_key
mkdir ../secrets/bootloader/$1
gpg --output ../secrets/bootloader/$1/pub.gpg --export $1@navi
gpg --output ../secrets/bootloader/$1/priv.gpg --export-secret-key $1@navi
gpg --output $2/var/lib/bootloader/pub.gpg --export $1@navi
gpg --output $2/var/lib/bootloader/priv.gpg --export-secret-key $1@navi
rm -rf $script_key
rm -rf $GNUPGHOME
export GNUPGHOME=$old_gpg_home
tmp_password=$(mktemp)
echo "Please set the password of your bootloader"
grub-mkpasswd-pbkdf2 | tee $tmp_password
grep "grub." $tmp_password | sed -r 's/.*grub\./grub\./' > $2/var/lib/bootloader/pass_hash
rm -rf $tmp_password
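Review bot: The secret directory created by `mkdir $2/var/lib/bootloader` and the files written below it (`priv.gpg` and `pass_hash`) get whatever the default umask allows, so the directory is normally 0755 and `pass_hash`, written through a shell redirection, is world-readable, and `priv.gpg` likely is as well unless gpg tightens its output mode; add `umask 077` right after the argument check and create the directory with `mkdir -p -m 0700 "$2/var/lib/bootloader"` so the unencrypted signing key (generated with an empty `Passphrase:`) is only readable by root. `$1` and `$2` are expanded unquoted throughout both hunks, which breaks on paths containing spaces and lets a stray glob character in the host name expand; quote every expansion, e.g. `gpg --output "$2/var/lib/bootloader/priv.gpg" --export-secret-key "$1@navi"`. The `secrets/bootloader/*/priv.gpg` files the script no longer writes appear, from the diffstat, to have been tracked in the repository, so even if removed here they remain recoverable from history; the keys this rewritten script generates should replace them on every host rather than the old ones being reused.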

+ 5
- 2
component/bootloader.nix View File

@ -13,7 +13,6 @@ let
${optionalString cfg.no_mercy
"sed -i 's/grub_rescue_run ();/grub_exit ();/' $(grep -Rl 'grub_rescue_run ();')"}
'';
secrets_path = ./. + "/../secrets/bootloader/${config.networking.hostName}/pub.gpg";
in
{
disabledModules = [ "system/boot/loader/grub/grub.nix"
@ -44,7 +43,7 @@ in
boot.loader.grub.copyKernels = true;
boot.loader.grub.extraGrubInstallArgs = [
"--pubkey=${pkgs.copyPathToStore secrets_path}"
"--pubkey=${pkgs.copyPathToStore /var/lib/bootloader/pub.gpg}"
"--modules=verifiers gcry_sha256 gcry_sha512 gcry_dsa gcry_rsa" ];
boot.loader.grub.configurationName = "navi";
@ -55,6 +54,10 @@ in
set timeout_style='hidden'
'';
# if our users can load some signed config it'd be neat if they couldn't
# also modify it
boot.loader.grub.users.govanify.hashedPasswordFile = "/var/lib/bootloader/pass_hash";
# this shows the UEFI framebuffer if it isn't cleaned, get a UEFI that likes
# you or configure grub to clear that
boot.loader.grub.splashImage = null;
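Review bot: `"--pubkey=${pkgs.copyPathToStore /var/lib/bootloader/pub.gpg}"` in the second hunk reads the host-local file at Nix evaluation time, so the configuration can no longer be evaluated or built on a machine where `/var/lib/bootloader/pub.gpg` is absent (and may be rejected under pure evaluation), and the system closure embeds whatever that file held when it was evaluated. Since the grub install script runs on the target as root at activation, the runtime path is enough: `"--pubkey=/var/lib/bootloader/pub.gpg"`, which also matches the plain-string style the third hunk already uses for `boot.loader.grub.users.govanify.hashedPasswordFile`. The comment above the `users` line explains the intent but not that `pass_hash` must be produced by `bootstrap/gen_secrets.sh` before the first rebuild; one line such as `# pass_hash is written by bootstrap/gen_secrets.sh` would save the next reader a search.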


+ 1
- 3
overlays/grub/grub.nix View File

@ -34,8 +34,6 @@ let
else null;
secrets_path = ./. + "/../../secrets/bootloader/${config.networking.hostName}/priv.gpg";
f = x: if x == null then "" else "" + x;
grubConfig = args:
@ -725,7 +723,7 @@ in
old_gpg_home=$GNUPGHOME
export GNUPGHOME="$(pwd)/gpgtmp"
${pkgs.gnupg}/bin/gpg --import ${pkgs.copyPathToStore secrets_path} > /dev/null 2>&1
${pkgs.gnupg}/bin/gpg --import ${/var/lib/bootloader/priv.gpg} > /dev/null 2>&1
${pkgs.findutils}/bin/find /boot -not -path "/boot/efi/*" -type f -exec ${pkgs.gnupg}/bin/gpg --detach-sign "{}" \; > /dev/null 2>&1
rm -rf $GNUPGHOME
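Review bot: `${/var/lib/bootloader/priv.gpg}` on the `gpg --import` line is a Nix path literal interpolated into a string, and Nix resolves that by copying the file into the store and substituting the store path, so the private signing key ends up world-readable under `/nix/store` and inside the system closure, which is exactly what the commit title says it is avoiding; pass the runtime path as a plain string instead: `${pkgs.gnupg}/bin/gpg --import /var/lib/bootloader/priv.gpg > /dev/null 2>&1`. This install script runs on the target system as root, so the file is reachable there without going through the store. Separately, the `> /dev/null 2>&1` on the import hides a missing or unreadable key, in which case the `find ... --detach-sign` step produces no signatures and the problem only surfaces at the next boot; appending `|| exit 1` to the import line would make that failure visible at rebuild time. The enclosing install script continues beyond this hunk.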


BIN
secrets/bootloader/alastor/priv.gpg View File


BIN
secrets/bootloader/alastor/pub.gpg View File


BIN
secrets/bootloader/xanadu/priv.gpg View File


BIN
secrets/bootloader/xanadu/pub.gpg View File

