7 Oct 2024 |
ElvishJerricco | oh | 23:54:20 |
ElvishJerricco | no | 23:54:21 |
ElvishJerricco | I have an issue already | 23:54:25 |
ElvishJerricco | initrd-nixos-activation.service | 23:54:39 |
ElvishJerricco | it runs mid-initrd | 23:54:43 |
ElvishJerricco | and just runs whatever is at the system config path on sysroot | 23:54:54 |
mjm | uh oh | 23:55:07 |
ElvishJerricco | i.e. if you're pwned there it has access to the enter-initrd phase | 23:55:12 |
ElvishJerricco | yea that's a problem | 23:55:28 |
ElvishJerricco | I mean thankfully I don't think anyone is relying on pcrphase right now | 23:55:38 |
ElvishJerricco | but this is why auto-unlock is so damn hard | 23:55:44 |
ElvishJerricco | In reply to @elvishjerricco:matrix.org I mean thankfully I don't think anyone is relying on pcrphase right now (lanzaboote doesn't support it) | 23:56:02 |
ElvishJerricco | ok, well, I think there's a solution to that | 23:56:29 |
ElvishJerricco | We should run nixos activation After=initrd-switch-root.target and Before=initrd-switch-root.service . That target just causes everything to be stopped before it, and the service actually does the switch-root afterward | 23:57:10 |
ElvishJerricco | so initrd is well and truly finished after the target | 23:57:18 |
ElvishJerricco | with only switch-root remaining | 23:57:23 |
ElvishJerricco | that's probably the right time to do activation | 23:57:29 |
mjm | and that would be after leave-initrd has already been measured into pcr 11? | 23:57:50 |
ElvishJerricco | yea, systemd-pcrphase-initrd.service will have been stopped before the target | 23:58:08 |
mjm | that makes sense | 23:58:16 |
ElvishJerricco | yea, in this very specific sense, initrd-nixos-activation.service represents a notable security hole, where code is run from sysroot before sysroot is the real root | 23:59:21 |
ElvishJerricco | understandably, we weren't thinking about that back in 2022 :P | 23:59:39 |
8 Oct 2024 |
ElvishJerricco | mjm: thanks for making me think of that! | 00:00:50 |
mjm | yay 🎉 | 00:05:07 |
ElvishJerricco | I wonder what other stuff uses sysroot before it's the right time. Upstream, I mean; where things are normal and not all nixos-y. Like repart will read partition definitions from sysroot during initrd, but that's not code execution from sysroot. | 00:10:00 |
ElvishJerricco | fstab-generator will read mount definitions | 00:10:24 |
ElvishJerricco | again not code execution... | 00:10:33 |
ElvishJerricco | well, except for x-systemd.{requires,wants} | 00:10:43 |
ElvishJerricco | but that only starts units that are already configured? | 00:11:02 |
ElvishJerricco | like, if there was a pwn_my_systemd.ko kernel module, you could put x-systemd.requires=modprobe@pwn_my_system.service,x-initrd-mount in a fake sysroot's /etc/fstab | 00:12:04 |