Security: Difference between revisions

(4 intermediate revisions by 4 users not shown)

Line 6:

These are security elements that are core features of using Nix(OS).

~~=== Obscurity of Nix store ===~~

In a vanilla NixOS system, the typical [https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard Linux filesystem hierarchy] is, in large part, replaced with the Nix store's [[User Environment|user environments]]. This means that some malware which might rely on finding system tools in particular places might fail. This is a form of [https://en.wikipedia.org/wiki/Security_through_obscurity security through obscurity] and is only a minor layer of protection.

=== Effort to isolate runtime search paths ===

In general, there is an effort to avoid [~~https~~:~~//en.wikipedia.org/wiki/~~Rpath rpath] collisions across users [https://github.com/NixOS/nix/commit/eba840c8a13b465ace90172ff76a0db2899ab11b].

In general, there is an effort to avoid [[wikipedia:Rpath|rpath]] collisions across users [https://github.com/NixOS/nix/commit/eba840c8a13b465ace90172ff76a0db2899ab11b].

=== Multi-user installation ===

Line 21:

Line 17:

=== Data integrity and authenticity ===

The core installation resources for Nix(OS) have [~~https~~:~~//en.wikipedia.org/wiki/~~SHA-2 SHA256] checksums which are [~~https~~:~~//en.wikipedia.org/wiki/~~GNU_Privacy_Guard GPG] signed by the [https://nixos.org/download.html#nix-verify-installation Nix team] for authenticity. Within the installation data are all the SHA256 checksums for packages that were available within Nixpkgs at build time.

The core installation resources for Nix(OS) have [[wikipedia:SHA-2|SHA256]] checksums which are [[wikipedia:GNU_Privacy_Guard|GPG]] signed by the [https://nixos.org/download.html#nix-verify-installation Nix team] for authenticity. Within the installation data are all the SHA256 checksums for packages that were available within Nixpkgs at build time.

All packages which are pulled into your Nix system via Nixpkgs derivation builds are checked against SHA256 checksums which are already available on your local system (and should be traceable to the signed core Nix install materials).

=== Obscurity of Nix store ===

In a vanilla NixOS system, the typical [https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard Linux filesystem hierarchy] is, in large part, replaced with the Nix store's [[User Environment|user environments]]. This means that some malware which might rely on finding system tools in particular places might fail. This is a form of [https://en.wikipedia.org/wiki/Security_through_obscurity security through obscurity] and is only a minor layer of protection.

== Supported by Nix ==

Line 73:

* [https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/qemu-vm.nix qemu-vm.nix - Implementation of QEMU builds of NixOS machine configurations]

* [https://github.com/firecracker-microvm/firecracker Firecracker microVM] - packages [https://search.nixos.org/packages?channel=unstable&show=firecracker&from=0&size=30&sort=relevance&type=packages&query=firecracker available]

* [https://github.com/astro/microvm.nix microvm.nix] builds and runs NixOS on various hypervisors

===== Test machines =====

Line 109:

Line 110:

=== Secure Boot ===

Development of [https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_Boot UEFI Secure Boot] support is [https://github.com/NixOS/nixpkgs/issues/42127 in flight]. ~~Looking potential for release~~ in ~~22.05~~.

Development of [https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_Boot UEFI Secure Boot] support is [https://github.com/NixOS/nixpkgs/issues/42127 in flight]. An experimental secure boot implementation is available in [https://github.com/nix-community/lanzaboote Lanzaboote]

=== SELinux ===

It is possible to use [https://en.wikipedia.org/wiki/Security-Enhanced_Linux Security-Enhanced Linux (SELinux)] in NixOS, but proper integration does not exist. This does not appear to have gotten much attention [https://github.com/NixOS/rfcs/pull/41 since 2019].

It is possible to use [https://en.wikipedia.org/wiki/Security-Enhanced_Linux Security-Enhanced Linux (SELinux)] in NixOS, but proper integration does not exist. This does not appear to have gotten much attention [https://github.com/NixOS/rfcs/pull/41 since 2019]. However, there has been revived work in 2025 but there's no telling when things will land in NixOS.

== Nix official references ==

@@ Line 6: / Line 6: @@
 These are security elements that are core features of using Nix(OS).
-=== Obscurity of Nix store ===
-In a vanilla NixOS system, the typical [https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard Linux filesystem hierarchy] is, in large part, replaced with the Nix store's [[User Environment|user environments]]. This means that some malware which might rely on finding system tools in particular places might fail. This is a form of [https://en.wikipedia.org/wiki/Security_through_obscurity security through obscurity] and is only a minor layer of protection.
 === Effort to isolate runtime search paths ===
-In general, there is an effort to avoid [https://en.wikipedia.org/wiki/Rpath rpath] collisions across users [https://github.com/NixOS/nix/commit/eba840c8a13b465ace90172ff76a0db2899ab11b].
+In general, there is an effort to avoid [[wikipedia:Rpath|rpath]] collisions across users [https://github.com/NixOS/nix/commit/eba840c8a13b465ace90172ff76a0db2899ab11b].
 === Multi-user installation ===
@@ Line 21: / Line 17: @@
 === Data integrity and authenticity ===
-The core installation resources for Nix(OS) have [https://en.wikipedia.org/wiki/SHA-2 SHA256] checksums which are [https://en.wikipedia.org/wiki/GNU_Privacy_Guard GPG] signed by the [https://nixos.org/download.html#nix-verify-installation Nix team] for authenticity. Within the installation data are all the SHA256 checksums for packages that were available within Nixpkgs at build time.
+The core installation resources for Nix(OS) have [[wikipedia:SHA-2|SHA256]] checksums which are [[wikipedia:GNU_Privacy_Guard|GPG]] signed by the [https://nixos.org/download.html#nix-verify-installation Nix team] for authenticity. Within the installation data are all the SHA256 checksums for packages that were available within Nixpkgs at build time.
 All packages which are pulled into your Nix system via Nixpkgs derivation builds are checked against SHA256 checksums which are already available on your local system (and should be traceable to the signed core Nix install materials).
+=== Obscurity of Nix store ===
+In a vanilla NixOS system, the typical [https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard Linux filesystem hierarchy] is, in large part, replaced with the Nix store's [[User Environment|user environments]]. This means that some malware which might rely on finding system tools in particular places might fail. This is a form of [https://en.wikipedia.org/wiki/Security_through_obscurity security through obscurity] and is only a minor layer of protection.
 == Supported by Nix ==
@@ Line 73: / Line 73: @@
 * [https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/qemu-vm.nix qemu-vm.nix - Implementation of QEMU builds of NixOS machine configurations]
 * [https://github.com/firecracker-microvm/firecracker Firecracker microVM] - packages [https://search.nixos.org/packages?channel=unstable&show=firecracker&from=0&size=30&sort=relevance&type=packages&query=firecracker available]
+* [https://github.com/astro/microvm.nix microvm.nix] builds and runs NixOS on various hypervisors
 ===== Test machines =====
@@ Line 109: / Line 110: @@
 === Secure Boot ===
-Development of [https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_Boot UEFI Secure Boot] support is [https://github.com/NixOS/nixpkgs/issues/42127 in flight]. Looking potential for release in 22.05.
+Development of [https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_Boot UEFI Secure Boot] support is [https://github.com/NixOS/nixpkgs/issues/42127 in flight]. An experimental secure boot implementation is available in [https://github.com/nix-community/lanzaboote Lanzaboote]
 === SELinux ===
-It is possible to use [https://en.wikipedia.org/wiki/Security-Enhanced_Linux Security-Enhanced Linux (SELinux)] in NixOS, but proper integration does not exist. This does not appear to have gotten much attention [https://github.com/NixOS/rfcs/pull/41 since 2019].
+It is possible to use [https://en.wikipedia.org/wiki/Security-Enhanced_Linux Security-Enhanced Linux (SELinux)] in NixOS, but proper integration does not exist. This does not appear to have gotten much attention [https://github.com/NixOS/rfcs/pull/41 since 2019]. However, there has been revived work in 2025 but there's no telling when things will land in NixOS.
 == Nix official references ==