
/boot/EFI/memtest86/memtest.efi is not signed

Open Kreyren opened this issue 1 year ago • 5 comments


Is there a way to make it sign memtest set through boot.loader.systemd-boot.memtest86.enable?

Kreyren avatar Dec 27 '23 06:12 Kreyren

We would need to implement this in Lanzaboote. There currently is no out of the box way to do it.

nikstur avatar Dec 27 '23 07:12 nikstur

We would need to implement this in Lanzaboote. There currently is no out of the box way to do it. -- @nikstur (https://github.com/nix-community/lanzaboote/issues/273#issuecomment-1870033281)

https://github.com/nix-community/lanzaboote/blob/f707a9be9f061c86a3e5cc163603dd59b5ee07aa/rust/tool/systemd/src/install.rs#L377

# Blind code, untested, meant to show the intention only
if let Some(specialisation_name) = &generation.specialisation_name {
    Ok(PathBuf::from(format!(
        "nixos-generation-{}-specialisation-{}-{}.efi",
        generation, specialisation_name, stub_input_hash
    )))
+ } else if is_memtest { // hypothetical flag, not in lanzaboote: true when this entry is the memtest86 binary
+     Ok(PathBuf::from("memtest.efi"))
} else {
    Ok(PathBuf::from(format!(
        "nixos-generation-{}-{}.efi",
        generation, stub_input_hash
    )))
}

Is it this easy, or does it need additional changes somewhere else? It would probably be better to add some kind of management in Nix to make the NixOS configuration more manageable, as not everyone might want to sign the memtest.

Kreyren avatar Dec 27 '23 16:12 Kreyren

It would require more than that.

RaitoBezarius avatar Dec 27 '23 22:12 RaitoBezarius

@Kreyren wouldn't your change sign any binary named memtest.efi without checking its contents? Wouldn't that potentially also sign a malicious binary if it was replaced prior?

kuflierl avatar Jul 31 '24 13:07 kuflierl

Yeah, maybe it should compare the file's checksum with that from the nix store, or maybe even use a hardcoded checksum.

MithicSpirit avatar Jul 31 '24 15:07 MithicSpirit