feat: remote signing server and signature generalization

flake.nix

@@ -57,6 +57,17 @@
         }
       );
 
+      flake.nixosModules.lanzasignd = moduleWithSystem (
+        perSystem@{ config }:
+        { ... }: {
+          imports = [
+            ./nix/modules/lanzasignd.nix
+          ];
+
+          services.lanzasignd.package = perSystem.config.packages.lanzasignd;
+        }
+      );
+
       flake.nixosModules.uki = moduleWithSystem (
         perSystem@{ config }:
         { lib, ... }: {
@@ -96,6 +107,8 @@
             , src
             , target ? null
             , doCheck ? true
+              # By default, it builds the default members of the workspace.
+            , packages ? null
             , extraArgs ? { }
             }:
             let
@@ -123,7 +136,9 @@
                   #[cfg_attr(any(target_os = "none", target_os = "uefi"), export_name = "efi_main")]
                   fn main() {}
                 '';
-              } // extraArgs;
+
+                cargoExtraArgs = (extraArgs.cargoExtraArgs or "") + (if packages != null then (lib.concatStringsSep " " (map (p: "--package ${p}") packages)) else "");
+              } // builtins.removeAttrs extraArgs [ "cargoExtraArgs" ];
 
               cargoArtifacts = craneLib.buildDepsOnly commonArgs;
             in
@@ -154,6 +169,14 @@
             };
           };
 
+          lanzasigndCrane = buildRustApp {
+            pname = "lanzasignd";
+            src = craneLib.cleanCargoSource ./rust/tool;
+            doCheck = false;
+            packages = [ "lanzasignd" ];
+          };
+
+          lanzasignd = lanzasigndCrane.package;
           stub = stubCrane.package;
           fatStub = fatStubCrane.package;
 
@@ -188,18 +211,22 @@
         in
         {
           packages = {
-            inherit stub fatStub;
+            inherit stub fatStub lanzasignd;
             tool = wrappedTool;
             lzbt = wrappedTool;
           };
 
           overlayAttrs = {
-            inherit (config.packages) tool;
+            inherit (config.packages) tool lanzasignd;
           };
 
           checks =
             let
               nixosLib = import (pkgs.path + "/nixos/lib") { };
+              lanzaLib = import ./nix/tests/lib.nix {
+                inherit pkgs;
+                lanzabooteModule = self.nixosModules.lanzaboote;
+              };
               runTest = module: nixosLib.runTest {
                 imports = [ module ];
                 hostPkgs = pkgs;
@@ -212,11 +239,14 @@
               toolFmt = toolCrane.rustfmt;
               stubFmt = stubCrane.rustfmt;
             } // (import ./nix/tests/lanzaboote.nix {
-              inherit pkgs;
+              inherit pkgs lanzaLib;
               lanzabooteModule = self.nixosModules.lanzaboote;
             }) // (import ./nix/tests/stub.nix {
               inherit pkgs runTest;
               ukiModule = self.nixosModules.uki;
+            }) // (import ./nix/tests/remote-signing.nix {
+              inherit pkgs lanzaLib;
+              lanzasigndModule = self.nixosModules.lanzasignd;
             });
 
           devShells.default = pkgs.mkShell {

nix/modules/lanzaboote.nix

@@ -36,23 +36,33 @@ in
       '';
     };
 
-    pkiBundle = mkOption {
-      type = types.nullOr types.path;
-      description = "PKI bundle containing db, PK, KEK";
+    localSigning = {
+      enable = mkEnableOption "local signing" // { default = cfg.pkiBundle != null; defaultText = lib.literalExpression "cfg.pkiBundle != null"; };
+      publicKeyFile = mkOption {
+        type = types.path;
+        default = "${cfg.pkiBundle}/keys/db/db.pem";
+        description = "Public key to sign your boot files";
+      };
+
+      privateKeyFile = mkOption {
+        type = types.path;
+        default = "${cfg.pkiBundle}/keys/db/db.key";
+        description = "Private key to sign your boot files";
+      };
     };
 
-    publicKeyFile = mkOption {
-      type = types.path;
-      default = "${cfg.pkiBundle}/keys/db/db.pem";
-      defaultText = "\${cfg.pkiBundle}/keys/db/db.pem";
-      description = "Public key to sign your boot files";
+    remoteSigning = {
+      enable = mkEnableOption "remote signing";
+      serverUrl = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = "Remote signing server to contact to ask for signatures";
+      };
     };
 
-    privateKeyFile = mkOption {
-      type = types.path;
-      default = "${cfg.pkiBundle}/keys/db/db.key";
-      defaultText = "\${cfg.pkiBundle}/keys/db/db.key";
-      description = "Private key to sign your boot files";
+    pkiBundle = mkOption {
+      type = types.nullOr types.path;
+      description = "PKI bundle containing db, PK, KEK";
     };
 
     package = mkOption {
@@ -103,31 +113,56 @@ in
   };
 
   config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = !(cfg.localSigning.enable && cfg.remoteSigning.enable);
+        message = ''
+          You cannot enable local and remote signing at the same time, pick either of the strategy.
+
+          Did you set `pkiBundle` and forgot to set `localSigning.enable` to false?
+        '';
+      }
+    ];
     boot.bootspec = {
       enable = true;
     };
     boot.loader.supportsInitrdSecrets = true;
     boot.loader.external = {
       enable = true;
-      installHook = pkgs.writeShellScript "bootinstall" ''
-        ${optionalString cfg.enrollKeys ''
-          mkdir -p /tmp/pki
-          cp -r ${cfg.pkiBundle}/* /tmp/pki
-          ${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine
-        ''}
-
-        # Use the system from the kernel's hostPlatform because this should
-        # always, even in the cross compilation case, be the right system.
-        ${cfg.package}/bin/lzbt install \
-          --system ${config.boot.kernelPackages.stdenv.hostPlatform.system} \
-          --systemd ${config.systemd.package} \
-          --systemd-boot-loader-config ${loaderConfigFile} \
-          --public-key ${cfg.publicKeyFile} \
-          --private-key ${cfg.privateKeyFile} \
-          --configuration-limit ${toString configurationLimit} \
-          ${config.boot.loader.efi.efiSysMountPoint} \
-          /nix/var/nix/profiles/system-*-link
-      '';
+      installHook =
+        let
+          lzbtArgs = [
+            "install"
+            "--system"
+            config.boot.kernelPackages.stdenv.hostPlatform.system
+            "--systemd"
+            config.systemd.package
+            "--systemd-boot-loader-config"
+            loaderConfigFile
+          ] ++ lib.optionals cfg.localSigning.enable [
+            "--public-key"
+            cfg.localSigning.publicKeyFile
+            "--private-key"
+            cfg.localSigning.privateKeyFile
+          ] ++ lib.optionals cfg.remoteSigning.enable [
+            "--remote-signing-server-url"
+            cfg.remoteSigning.serverUrl
+          ] ++ [
+            "--configuration-limit"
+            (toString configurationLimit)
+            config.boot.loader.efi.efiSysMountPoint
+            "/nix/var/nix/profiles/system-*-link"
+          ];
+        in
+        pkgs.writeShellScript "bootinstall" ''
+          ${optionalString cfg.enrollKeys ''
+            mkdir -p /tmp/pki
+            cp -r ${cfg.pkiBundle}/* /tmp/pki
+            ${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine
+          ''}
+
+          ${cfg.package}/bin/lzbt ${concatStringsSep " " lzbtArgs}
+        '';
     };
 
     systemd.services.fwupd = lib.mkIf config.services.fwupd.enable {

nix/modules/lanzasignd.nix

@@ -0,0 +1,76 @@
+{ lib, config, pkgs, ... }:
+let
+  inherit (lib) mkOption mkEnableOption mkPackageOptionMD types mkIf;
+  cfg = config.services.lanzasignd;
+  policyFile = (pkgs.formats.json { }).generate "lanzasignd-policy.json" {
+    allowedKernelCmdlineItems = cfg.policy.allowedCommandLineItems;
+  };
+in
+{
+  options.services.lanzasignd = {
+    enable = mkEnableOption "lanzasignd, a Secure Boot remote signing server for NixOS";
+
+    package = mkPackageOptionMD pkgs "lanzasignd" { };
+
+    port = mkOption {
+      type = types.port;
+      default = 9999;
+      description = "Port to run lanzasignd on";
+    };
+
+    openFirewall = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Open the firewall for the port lanzasignd is running on";
+    };
+
+    policy = {
+      allowedCommandLineItems = mkOption {
+        type = types.nullOr (types.listOf types.str);
+        default = null;
+        example = [ "quiet" "init=some init script" ];
+      };
+    };
+
+    pkiBundle = mkOption {
+      type = types.nullOr types.path;
+      description = "PKI bundle containing db, PK, KEK";
+    };
+
+    publicKeyFile = mkOption {
+      type = types.path;
+      default = "${cfg.pkiBundle}/keys/db/db.pem";
+      description = "Public key to sign your boot files";
+    };
+
+    privateKeyFile = mkOption {
+      type = types.path;
+      default = "${cfg.pkiBundle}/keys/db/db.key";
+      description = "Private key to sign your boot files";
+    };
+
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.lanzasignd = {
+      description = "Sign on demand bootables files compatible with Lanzaboote scheme";
+      wants = [ "network.target" ];
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig.Type = "simple";
+      path = [
+        pkgs.binutils
+        pkgs.sbsigntool
+      ];
+      script = ''
+        ${cfg.package}/bin/lanzasignd -vvv serve \
+          --policy-file ${policyFile} \
+          --public-key ${cfg.publicKeyFile} \
+          --private-key ${cfg.privateKeyFile} \
+          --port ${toString cfg.port}
+      '';
+    };
+
+    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
+  };
+}