Enable secure boot for ghaf on Lenovo X1

This patch enables secure boot only on debug builds using
demo keys, which is still unsecure way of booting OS.

Task: SP-3201

Signed-off-by: Vunny Sodhi <[email protected]>

docs/src/SUMMARY.md

@@ -16,6 +16,7 @@
     - [Networking VM](architecture/adr/netvm.md)
     - [Platform Bus for Rust VMM](architecture/adr/platform-bus-passthrough-support.md)
   - [Hardening](architecture/hardening.md)
+  - [Secure Boot](architecture/secureboot.md)
   - [Stack](architecture/stack.md)
 
 # For Developers

docs/src/architecture/secureboot.md

@@ -0,0 +1,52 @@
+<!--
+    Copyright 2022-2023 TII (SSRC) and the Ghaf contributors
+    SPDX-License-Identifier: CC-BY-SA-4.0
+-->
+
+# Secure Boot
+
+This section describes Secure Boot and how to create secure keys.
+
+The reader is expected to know the fundamentals of UEFI and have a basic understanding of Secure Boot [UEFI specification](https://uefi.org/specifications).
+
+## Enabling Secure Boot
+
+Secure Boot can be enabled on NixOS using [Lanzaboote](https://github.com/nix-community/lanzaboote). Secure Boot is a UEFI feature that only allows trusted operating systems to boot.
+Lanzaboote has two components: lzbt and stub. lzbt signs and installs the boot files on the ESP. stub is a UEFI application that loads the kernel and initrd from the ESP.
+
+## Creating Secure Boot Keys
+
+Secure Boot keys can be created with [sbctl](https://github.com/Foxboron/sbctl), a Secure Boot Manager. sbctl is available in Nixpkgs as pkgs.sbctl.
+
+After you installed sbctl or entered a Nix shell, use the following command to create your Secure Boot keys:
+```
+$ sudo sbctl create-keys
+```
+
+Using "sudo sbctl create-keys" command user can create secure keys on the trusted system.
+
+## Current Implementation
+
+For demonstration purposes, we use pre-generated secure keys which are **unsecure** as whoever has keys can break into the system.
+Currently, the Secure Boot feature is enabled in debug builds only, since secure key creation requires sudo rights.
+
+### Secure Boot Verification
+* For enabling secure boot instructions, see the [Part 2: Enabling Secure Boot](https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md#part-2-enabling-secure-boot) section of the NixOS Secure Boot Quick Start Guide.
+
+* Make sure your Secure Boot is enabled from the BIOS menu.
+* Once you boot your system with Secure Boot enabled, enroll keys with the following command:
+```
+$ sudo sbctl enroll-keys --microsoft
+```
+
+Reboot the system to activate Secure Boot in the user mode:
+
+```
+$ bootctl status
+System:
+      Firmware: UEFI 2.70 (Lenovo 0.4720)
+ Firmware Arch: x64
+   Secure Boot: enabled (user)
+  TPM2 Support: yes
+  Boot into FW: supported
+```

flake.nix

@@ -31,6 +31,10 @@
       url = "github:anduril/jetpack-nixos";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote/v0.3.0";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   outputs = {
@@ -41,6 +45,7 @@
     nixos-hardware,
     microvm,
     jetpack-nixos,
+    lanzaboote,
   }: let
     systems = with flake-utils.lib.system; [
       x86_64-linux
@@ -70,6 +75,7 @@
                 ++ [
                   jetpack-nixos.nixosModules.default
                   microvm.nixosModules.host
+                  lanzaboote.nixosModules.lanzaboote
                 ];
             };
           in
@@ -116,7 +122,7 @@
       }
 
       # Target configurations
-      (import ./targets {inherit self lib nixpkgs nixos-generators nixos-hardware microvm jetpack-nixos;})
+      (import ./targets {inherit self lib nixpkgs nixos-generators nixos-hardware microvm jetpack-nixos lanzaboote;})
 
       # User apps
       (import ./user-apps {inherit lib nixpkgs flake-utils;})

modules/host/demo-secure-boot-keys/GUID

@@ -0,0 +1 @@
+f8948cc1-daca-4d6e-896d-56577dc09f81

modules/host/demo-secure-boot-keys/files.db

@@ -0,0 +1,12 @@
+{
+    "/boot/EFI/BOOT/BOOTX64.EFI": {
+        "file": "/boot/EFI/BOOT/BOOTX64.EFI",
+        "output_file": "/boot/EFI/BOOT/BOOTX64.EFI",
+        "checksum": "3d035c0745161803d3d34334a214906b9e4f2e91a6a57df2750b0148e2be6059"
+    },
+    "/boot/EFI/systemd/systemd-bootx64.efi": {
+        "file": "/boot/EFI/systemd/systemd-bootx64.efi",
+        "output_file": "/boot/EFI/systemd/systemd-bootx64.efi",
+        "checksum": "33609dd2e743d803ffe98c3689b262d28d5e03e6ae17766a34527676c7f811eb"
+    }
+}