Trustix - A new model for Nix binary substitutions
Problem description
The Nix binary substituters are a single source of failure in the chain of trust when delivering binaries to Nix users. This is problematic for several reasons:
- Getting code execution on the NixOS Hydra build machines means it’s possible to upload backdoored builds.
And the way https://cache.nixos.org is set up does not make key-rolling easy. This means that a key compromise would realistically mean that all packages would have to be rebuilt or garbage collected.
- The NixOS Hydra hardware may not be considered trustworthy by some more security conscious users.
Trustix design
Trustix
aims to solve this problem by allowing distributed trust & trust agility.
This is achieved through the following methodology:
Each builder is associated with public-private key pair
In a post-build hook the output hash (NAR hash) of the build is uploaded to a ledger
This allows a user to:
- Trust binary substitutions on an M-of-N basis
Let’s say we have 4 builders configured: Alice
, Bob
, Chuck
& Dan
.
We have configured Trustix
to require a 3/4 majority for a build to be trusted.
Alice
, Bob
, & Dan
have all built the hello
derivation but Chuck
has not
All 3 builders have arrived at the same output hash.
This build can now be considered trusted and we can use the binary substitution.
- Automatically identify misbehaving builders
Let’s say again that we have 4 builders configured: Alice
, Bob
, Chuck
& Dan
.
Alice
, Bob
, Chuck
& Dan
have all built the hello
derivation but has not arrived at the same output hash!
We can now identify that Chuck
is up to no good and may decide to distrust this builder from future substutions completely.
- Track build reproducability across a large number of builders
As a nice side-effect of the systems general design we can now track reproducability across all builders participating in the global namespace.