LUKS-encrypted NixOS 23.05+ graphical installer deploys plain LUKS unlock secret under unencrypted /boot's initramfs (CVE-2023-36476)
Please identify some basic details to help process the report
A. Provide Hardware Details
1. What board are you using (see list of boards here)? Librem 14
2. Does your computer have a dGPU or is it iGPU-only?
- [ ] dGPU
- [X] iGPU-only
3. Who installed Heads on this computer?
- [ ] Insurgo
- [ ] Nitrokey
- [X] Purism
- [ ] Other provider
- [ ] Self-installed
4. What PGP key is being used?
- [X] Librem Key
- [ ] Nitrokey Pro 2
- [ ] Nitrokey Storage
- [ ] Yubikey
- [ ] Other
5. Are you using the PGP key to provide HOTP verification?
- [X] Yes
- [ ] No
- [ ] I don't know
B. Identify how the board was flashed
1. Is this problem related to updating heads or flashing it for the first time?
- [ ] First-time flash
- [ ] Updating heads
2. If the problem is related to an update, how did you attempt to apply the update?
- [ ] Using the Heads GUI
- [ ] Flashrom via the Recovery Shell
- [ ] External flashing
3. How was Heads initially flashed
- [ ] External flashing
- [ ] Internal-only / 1vyrain
- [X] Don't know
4. Was the board flashed with a maximized or non-maximized/legacy rom?
- [ ] Maximized
- [ ] Non-maximized / legacy
- [X] I don't know
5. If Heads was externally flashed, was IFD unlocked?
- [ ] Yes
- [ ] No
- [ ] Don't know
C. Identify the rom related to this bug report
1. Did you download or build the rom at issue in this bug report?
- [ ] I downloaded it
- [ ] I built it
2. If you downloaded your rom, where did you get it from?
- [ ] Heads CircleCi
- [ ] Purism
- [ ] Nitrokey
- [ ] Somewhere else (please identify)
Please provide the release number or otherwise identify the rom downloaded
According to system info: FW_VER: PureBoot-Release-24, Kernel: Linux 5.10.5-PureBoot
3. If you built your rom, which repository:branch did you use?
- [ ] Heads:Master
- [ ] Other (please identify)
4. What version of coreboot did you use in building?
- [ ] 4.8.1 (current default in heads:master)
- [ ] 4.13
- [ ] 4.14
- [ ] 4.15
- [ ] Other (please specify)
- [ ] I don't know
5. In building the rom where did you get the blobs?
- [ ] No blobs required
- [ ] Provided by the company that installed Heads on the device
- [ ] Extracted from a backup rom taken from this device
- [ ] Extracted from another backup rom taken from another device (please identify the board model)
- [ ] Extracted from the online bios using the automated tools provided in Heads
- [ ] I don't know
Please describe the problem
Describe the bug
When installing NixOS with a LUKS-encrypted root partition (/boot is unencrypted), the system does not boot. When installing NixOS unencrypted it does work.
I did not fill out some of the information above, as the Librem 14 was preinstalled with coreboot and Heads by Purism, so I cannot answer some of those questions.
If I can provide any additional information or help identify the issue, I'll gladly do that.
To Reproduce
- Install NixOS
- Choose manual partitioning
- Choose MBR as partition table
- Create an unencrypted boot partition (set legacy-boot flag)
- Create a LUKS encrypted root partition (set root flag)
- Choose that the bootloader should be installed into /boot
- After the installation is complete, try to boot into the system
Expected behavior
The system should be able to boot NixOS
Actual behavior
Nothing happens after starting the new kernel
Screenshots
Boot process:
NOTE: I forced boot without tamper protection for the boot in this screenshot.
Current partition layout:
Additional context
In the Matrix chat one of you told me they would like to see the kexec line vs. the line in the grub.cfg. So here is the full /boot/grub/grub.cfg:
```
# Automatically generated. DO NOT EDIT THIS FILE!
search --set=drive1 --fs-uuid 8B97-CA37
if [ -s $prefix/grubenv ]; then
  load_env
fi
# ‘grub-reboot’ sets a one-time saved entry, which we process here and
# then delete.
if [ "${next_entry}" ]; then
  set default="${next_entry}"
  set next_entry=
  save_env next_entry
  set timeout=1
  set boot_once=true
else
  set default=0
  set timeout=5
fi
function savedefault {
  if [ -z "${boot_once}"]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}
# Setup the graphics stack for bios and efi systems
if [ "${grub_platform}" = "efi" ]; then
  insmod efi_gop
  insmod efi_uga
else
  insmod vbe
fi
insmod font
if loadfont ($drive1)//converted-font.pf2; then
  insmod gfxterm
  if [ "${grub_platform}" = "efi" ]; then
    set gfxmode=auto
    set gfxpayload=keep
  else
    set gfxmode=1024x768
    set gfxpayload=text
  fi
  terminal_output gfxterm
fi
background_color '#2F302F'
insmod png
if background_image --mode 'normal' ($drive1)//background.png; then
  set color_normal=white/black
  set color_highlight=black/white
else
  set menu_color_normal=cyan/blue
  set menu_color_highlight=white/blue
fi
menuentry "NixOS - Default" --class nixos --unrestricted {
  search --set=drive1 --fs-uuid 8B97-CA37
  linux ($drive1)//kernels/z6vmhagxd308pffxnx47pvi27pbi5y5q-linux-5.15.102-bzImage init=/nix/store/y0l8j0n3g5v9zyxw04lrxhxq2qk8np2h-nixos-system-nixos-22.11.3184.9b8e5abb183/init loglevel=4
  initrd ($drive1)//kernels/nv544pzpzldq0vpgajmgjkfym448nha4-initrd-linux-5.15.102-initrd ($drive1)//kernels/nv544pzpzldq0vpgajmgjkfym448nha4-initrd-linux-5.15.102-initrd-secrets
}
submenu "NixOS - All configurations" --class submenu {
  menuentry "NixOS - Configuration 1 (2023-03-21 - 22.11.3184.9b8e5abb183)" --class nixos {
    search --set=drive1 --fs-uuid 8B97-CA37
    linux ($drive1)//kernels/z6vmhagxd308pffxnx47pvi27pbi5y5q-linux-5.15.102-bzImage init=/nix/store/y0l8j0n3g5v9zyxw04lrxhxq2qk8np2h-nixos-system-nixos-22.11.3184.9b8e5abb183/init loglevel=4
    initrd ($drive1)//kernels/nv544pzpzldq0vpgajmgjkfym448nha4-initrd-linux-5.15.102-initrd ($drive1)//kernels/nv544pzpzldq0vpgajmgjkfym448nha4-initrd-linux-5.15.102-initrd-secrets
  }
}
```
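The detail worth checking in the grub.cfg above is the initrd line: each NixOS menuentry loads two images, the regular initrd and a separate `-initrd-secrets` archive sitting on the same unencrypted /boot. The following POSIX shell script is an added example, not Heads' own kexec-parse-boot scripts and not code from the reporter. It parses the menuentries into the pieces a kexec-based boot chain needs, flags the secrets archive, and builds the kexec invocation. Two assumptions are not stated on the page: that the boot chain passes exactly one `--initrd` to kexec, and that the boot filesystem is mounted at the directory given to `kexec_cmd`. The scratch path `/tmp/initrd.combined` is made up. The kernel does accept concatenated cpio archives, which is why joining the two images with `cat` is a valid way to hand both to a single `--initrd`.

```shell
#!/bin/sh
# Added example (not Heads' code, not the reporter's): parse a NixOS grub.cfg
# into kernel, initrd list and command line, then build a kexec invocation.
# Assumptions: one --initrd per kexec call; boot filesystem mounted at the
# directory passed as $3 of kexec_cmd; /tmp/initrd.combined is a made-up path.

# Write the two menuentries of the reporter's grub.cfg (paths copied from the
# page) to the file named in $1, so everything below runs offline.
sample_grub_cfg() {
    cat > "$1" <<'EOF'
search --set=drive1 --fs-uuid 8B97-CA37
menuentry "NixOS - Default" --class nixos --unrestricted {
  search --set=drive1 --fs-uuid 8B97-CA37
  linux ($drive1)//kernels/z6vmhagxd308pffxnx47pvi27pbi5y5q-linux-5.15.102-bzImage init=/nix/store/y0l8j0n3g5v9zyxw04lrxhxq2qk8np2h-nixos-system-nixos-22.11.3184.9b8e5abb183/init loglevel=4
  initrd ($drive1)//kernels/nv544pzpzldq0vpgajmgjkfym448nha4-initrd-linux-5.15.102-initrd ($drive1)//kernels/nv544pzpzldq0vpgajmgjkfym448nha4-initrd-linux-5.15.102-initrd-secrets
}
submenu "NixOS - All configurations" --class submenu {
  menuentry "NixOS - Configuration 1 (2023-03-21 - 22.11.3184.9b8e5abb183)" --class nixos {
    search --set=drive1 --fs-uuid 8B97-CA37
    linux ($drive1)//kernels/z6vmhagxd308pffxnx47pvi27pbi5y5q-linux-5.15.102-bzImage init=/nix/store/y0l8j0n3g5v9zyxw04lrxhxq2qk8np2h-nixos-system-nixos-22.11.3184.9b8e5abb183/init loglevel=4
    initrd ($drive1)//kernels/nv544pzpzldq0vpgajmgjkfym448nha4-initrd-linux-5.15.102-initrd ($drive1)//kernels/nv544pzpzldq0vpgajmgjkfym448nha4-initrd-linux-5.15.102-initrd-secrets
  }
}
EOF
}

# One tab-separated record per menuentry: title, kernel, space-separated
# initrd list, kernel command line. The "($drive1)" prefix is dropped,
# leaving paths relative to the root of the boot filesystem.
grub_entries() {
    awk '
        function strip(p) { sub(/^\([^)]*\)\/*/, "", p); return "/" p }
        $1 == "menuentry" {
            title = $0
            sub(/^[ \t]*menuentry[ \t]+"/, "", title)
            sub(/".*$/, "", title)
            kernel = ""; initrds = ""; append = ""
        }
        $1 == "linux" {
            kernel = strip($2); append = ""
            for (i = 3; i <= NF; i++) append = append (i > 3 ? " " : "") $i
        }
        $1 == "initrd" {
            initrds = ""
            for (i = 2; i <= NF; i++) initrds = initrds (i > 2 ? " " : "") strip($i)
        }
        $1 == "}" && kernel != "" {
            printf "%s\t%s\t%s\t%s\n", title, kernel, initrds, append
            kernel = ""
        }
    ' "$1"
}

# Record for the entry titled $2 in grub.cfg $1 (empty output if absent).
grub_entry() {
    grub_entries "$1" | awk -F'\t' -v t="$2" '$1 == t'
}

# Number of initrd images the entry titled $2 loads.
initrd_count() {
    grub_entry "$1" "$2" | awk -F'\t' '{ print split($3, a, " ") }'
}

# Initrd images whose name marks them as a NixOS initrd-secrets archive. On an
# unencrypted /boot their contents are readable straight from the disk.
secrets_initrds() {
    grub_entries "$1" | awk -F'\t' '{
        n = split($3, ird, " ")
        for (i = 1; i <= n; i++) if (ird[i] ~ /-initrd-secrets$/) print ird[i]
    }' | sort -u
}

# Commands a kexec-based loader would run for the entry titled $2, with the
# boot filesystem mounted at $3. More than one initrd is concatenated first.
kexec_cmd() {
    grub_entry "$1" "$2" | awk -F'\t' -v mnt="$3" '{
        n = split($3, ird, " ")
        if (n > 1) {
            joined = ""
            for (i = 1; i <= n; i++) joined = joined (i > 1 ? " " : "") mnt ird[i]
            printf "cat %s > /tmp/initrd.combined\n", joined
            initrd = "/tmp/initrd.combined"
        } else {
            initrd = mnt ird[1]
        }
        printf "kexec -l %s%s --initrd=%s --append=\"%s\"\n", mnt, $2, initrd, $4
    }'
}

# Usage: parse the sample and show what the default entry needs.
cfg=$(mktemp)
sample_grub_cfg "$cfg"
echo "initrd images in default entry: $(initrd_count "$cfg" "NixOS - Default")"
secrets_initrds "$cfg"
kexec_cmd "$cfg" "NixOS - Default" /boot
rm -f "$cfg"
```

A loader that takes only the first path from the initrd line would boot the kernel without the secrets archive, so whatever the second image carries (the issue title says the LUKS unlock secret) never reaches the initramfs and the root device cannot be opened. Whether that is exactly what happened on the reporter's Librem 14 is not established on this page; comparing the kexec line Heads produced against the two-image initrd line is the comparison the maintainers asked for. To see what such an archive actually holds on a given machine, list its members with `cpio -t` (after decompressing, if `file` reports it as compressed) rather than extracting it onto the unencrypted partition.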