GitHub - Thesola10/nix-evm: generate and dump EVM signatures for Nix paths
nix-evm - Generate EVM signature for Nix paths/closures

This tool automatically creates portable EVM signatures for Nix store paths and optionally dumps them to a file.

The output file format is a recursive getfattr dump, piped through gzip. You can restore the dump on another system with the following command:

zcat xattrs.txt.gz | setfattr --restore=-
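The dump format above is plain getfattr output, so it can be inspected before it is restored. The following is an added example, not code from the nix-evm project: a small parser for a (gzip-compressed) recursive getfattr dump that decodes the three value encodings getfattr emits (0s base64, 0x hex, quoted text) and flags any path whose security.ima or security.evm value does not carry the signature type byte defined in the kernel's evm_ima_xattr_type enum. The store paths and attribute values in the sample dump are constructed placeholders, not real signatures.

```python
"""Parse a recursive getfattr dump (optionally gzip-compressed, as nix-evm
writes it) and sanity-check IMA/EVM attributes before `setfattr --restore=-`.

Added example; not part of nix-evm.  Sample data below is constructed."""
import base64
import gzip
import re

# Leading type byte of security.ima / security.evm values, from the Linux
# kernel's enum evm_ima_xattr_type (security/integrity/integrity.h).
EVM_IMA_XATTR_DIGSIG = 0x03        # signed security.ima
EVM_XATTR_PORTABLE_DIGSIG = 0x05   # portable signature in security.evm

# Constructed dump in `getfattr -d` format: a "# file:" header per path, then
# name=value lines, records separated by a blank line.  The signature bytes
# (03/05 type byte followed by filler) are placeholders, not real signatures.
SAMPLE_DUMP = """\
# file: nix/store/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-hello-1.0/bin/hello
security.ima=0sAwIEAEFCQ0Q=
security.evm=0sBQIEAEFCQ0Q=

# file: nix/store/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-hello-1.0/share/doc/README
security.ima=0sAwIEAEFCQ0Q=
security.evm=0x0502040041424344
user.comment="not part of the signature"

# file: nix/store/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-hello-1.0/share/unsigned
security.ima=0x0404
"""

_HEADER = re.compile(r"^# file: (.*)$")


def _unescape_text(s: str) -> bytes:
    """Undo getfattr's text encoding: \\ooo octal bytes, \\" and \\\\."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            if s[i + 1] in "01234567" and i + 3 < len(s):
                out.append(int(s[i + 1:i + 4], 8))
                i += 4
                continue
            out.append(ord(s[i + 1]))
            i += 2
            continue
        out.append(ord(s[i]))
        i += 1
    return bytes(out)


def decode_value(raw: str) -> bytes:
    """Decode one getfattr-encoded value (0s=base64, 0x=hex, "..."=text)."""
    if raw.startswith("0s"):
        return base64.b64decode(raw[2:])
    if raw.startswith("0x"):
        return bytes.fromhex(raw[2:])
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return _unescape_text(raw[1:-1])
    raise ValueError(f"unrecognised value encoding: {raw!r}")


def parse_dump(text: str) -> dict:
    """Map each dumped path to its {attribute name: raw bytes}."""
    records = {}
    current = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            current = None          # blank line ends the record
            continue
        m = _HEADER.match(line)
        if m:
            current = records.setdefault(m.group(1), {})
            continue
        if current is None:
            raise ValueError(f"line {lineno}: attribute before any '# file:' header")
        name, sep, raw = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected name=value")
        current[name] = decode_value(raw)
    return records


def load_dump(blob: bytes) -> dict:
    """Accept the gzip-compressed form (what `zcat` would unpack) or plain text."""
    if blob[:2] == b"\x1f\x8b":      # gzip magic
        blob = gzip.decompress(blob)
    return parse_dump(blob.decode("utf-8"))


def check_signatures(records: dict) -> dict:
    """Return {path: [problems]} for paths lacking a signed IMA + portable EVM pair."""
    problems = {}
    for path, attrs in records.items():
        ima = attrs.get("security.ima", b"")
        evm = attrs.get("security.evm", b"")
        if not ima or ima[0] != EVM_IMA_XATTR_DIGSIG:
            problems.setdefault(path, []).append("security.ima is not a signature")
        if not evm or evm[0] != EVM_XATTR_PORTABLE_DIGSIG:
            problems.setdefault(path, []).append("security.evm is not a portable signature")
    return problems


def sample_records() -> dict:
    """Round-trip the constructed dump through gzip, as nix-evm's output would be."""
    return load_dump(gzip.compress(SAMPLE_DUMP.encode("utf-8")))


if __name__ == "__main__":
    for path, issues in check_signatures(sample_records()).items():
        print(path, "->", "; ".join(issues))
```

Run against a real xattrs.txt.gz, load_dump replaces the zcat step and check_signatures lists every store path that would be restored without a full signature pair (such as a path carrying only an IMA hash, which getfattr shows as a value beginning 0x04), so the gap is visible before the attributes are applied on the target machine.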

But why?

By leveraging the Linux kernel's IMA/EVM security infrastructure, one can establish and enforce a trusted computing environment in a way that is complementary to Secure Boot. This can already be achieved with dm-verity, but that approach prevents us from incrementally upgrading a NixOS system.

nix-evm is designed with a specific use case in mind, where the user may wish to decouple the signing process from production hardware. As nix-evm generates a set of portable IMA/EVM extended attributes, it can "certify" a NixOS closure to run on a separate machine, where the attribute set can be applied while maintaining a chain of trust.

In order to be effective, nix-evm needs to be paired with a robust Secure Boot policy, such as a unified kernel image.
