min
/
lanzaboote
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

docs: add more overview information

This commit is contained in:
Julian Stecklina 2022-11-24 11:34:41 +01:00
parent babb064636
commit 15b966627a
1 changed files with 33 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
README.md
View File

@ -4,11 +4,23 @@
[![made-with-rust](https://img.shields.io/badge/Made%20with-Rust-1f425f.svg)](https://www.rust-lang.org/) [![made-with-rust](https://img.shields.io/badge/Made%20with-Rust-1f425f.svg)](https://www.rust-lang.org/)
[![GitHub license](https://img.shields.io/github/license/blitz/lanzaboot.svg)](https://github.com/blitz/lanzaboote/blob/master/LICENSE) [![GitHub license](https://img.shields.io/github/license/blitz/lanzaboot.svg)](https://github.com/blitz/lanzaboote/blob/master/LICENSE)
🚧🚧🚧 **This is not working yet. Come back later.*** 🚧🚧🚧 🚧🚧🚧 **This is not working yet. Come back later.** 🚧🚧🚧
This repository contains experimental tooling for Secure Boot on This repository contains experimental tooling for Secure Boot on
[NixOS](https://nixos.org/). [NixOS](https://nixos.org/).
## High-Level Boot Flow
```mermaid
flowchart LR
systemd[systemd-boot]
lanzaboote[lanzaboote]
kernel[Linux Kernel]
systemd --> lanzaboote
lanzaboote --> kernel
```
## lanzatool ## lanzatool
`lanzatool` is a Linux command line application that takes a `lanzatool` is a Linux command line application that takes a
@ -16,11 +28,26 @@ This repository contains experimental tooling for Secure Boot on
installs the boot files into the UEFI installs the boot files into the UEFI
[ESP](https://en.wikipedia.org/wiki/EFI_system_partition). [ESP](https://en.wikipedia.org/wiki/EFI_system_partition).
To make systemd-boot recognize a new boot target, `lanzatool` builds a
[UKI](https://wiki.archlinux.org/title/Unified_kernel_image) image. To
avoid having to embed kernel and initrd, we use a custom stub
`lanzaboote` (see below) that loads kernel and initrd from the ESP.
## lanzaboote ## lanzaboote
`lanzaboote` is a UEFI application that is started by systemd-boot (or `lanzaboote` is the stub that `lanzatool` uses to form an UKI. It
any other EFI boot loader) and loads a Linux kernel and initrd without loads a Linux kernel and initrd without breaking the Secure Boot chain
breaking the Secure Boot chain of trust. of trust. Instead of rolling our own crypto, `lanzaboote` re-uses the
signature verification that is built-in to UEFI.
The information what kernel with what command line and initrd to boot ## Relevant Nixpkgs Work
is embedded into the `lanzaboote` by `lanzatool`.
This project depends on upstream nixpkgs work:
- https://github.com/NixOS/nixpkgs/pull/191665
- https://github.com/DeterminateSystems/bootspec-secureboot/
- https://github.com/DeterminateSystems/bootspec
You can find everything integrated as PoC
[here](https://github.com/NixOS/nixpkgs/pull/202497).