docs: add more overview information
This commit is contained in:
parent
babb064636
commit
15b966627a
39
README.md
39
README.md
|
@ -4,11 +4,23 @@
|
||||||
[![made-with-rust](https://img.shields.io/badge/Made%20with-Rust-1f425f.svg)](https://www.rust-lang.org/)
|
[![made-with-rust](https://img.shields.io/badge/Made%20with-Rust-1f425f.svg)](https://www.rust-lang.org/)
|
||||||
[![GitHub license](https://img.shields.io/github/license/blitz/lanzaboot.svg)](https://github.com/blitz/lanzaboote/blob/master/LICENSE)
|
[![GitHub license](https://img.shields.io/github/license/blitz/lanzaboot.svg)](https://github.com/blitz/lanzaboote/blob/master/LICENSE)
|
||||||
|
|
||||||
🚧🚧🚧 **This is not working yet. Come back later.*** 🚧🚧🚧
|
🚧🚧🚧 **This is not working yet. Come back later.** 🚧🚧🚧
|
||||||
|
|
||||||
This repository contains experimental tooling for Secure Boot on
|
This repository contains experimental tooling for Secure Boot on
|
||||||
[NixOS](https://nixos.org/).
|
[NixOS](https://nixos.org/).
|
||||||
|
|
||||||
|
## High-Level Boot Flow
|
||||||
|
|
||||||
|
```mermaid
|
||||||
|
flowchart LR
|
||||||
|
systemd[systemd-boot]
|
||||||
|
lanzaboote[lanzaboote]
|
||||||
|
kernel[Linux Kernel]
|
||||||
|
|
||||||
|
systemd --> lanzaboote
|
||||||
|
lanzaboote --> kernel
|
||||||
|
```
|
||||||
|
|
||||||
## lanzatool
|
## lanzatool
|
||||||
|
|
||||||
`lanzatool` is a Linux command line application that takes a
|
`lanzatool` is a Linux command line application that takes a
|
||||||
|
@ -16,11 +28,26 @@ This repository contains experimental tooling for Secure Boot on
|
||||||
installs the boot files into the UEFI
|
installs the boot files into the UEFI
|
||||||
[ESP](https://en.wikipedia.org/wiki/EFI_system_partition).
|
[ESP](https://en.wikipedia.org/wiki/EFI_system_partition).
|
||||||
|
|
||||||
|
|
||||||
|
To make systemd-boot recognize a new boot target, `lanzatool` builds a
|
||||||
|
[UKI](https://wiki.archlinux.org/title/Unified_kernel_image) image. To
|
||||||
|
avoid having to embed kernel and initrd, we use a custom stub
|
||||||
|
`lanzaboote` (see below) that loads kernel and initrd from the ESP.
|
||||||
|
|
||||||
## lanzaboote
|
## lanzaboote
|
||||||
|
|
||||||
`lanzaboote` is a UEFI application that is started by systemd-boot (or
|
`lanzaboote` is the stub that `lanzatool` uses to form an UKI. It
|
||||||
any other EFI boot loader) and loads a Linux kernel and initrd without
|
loads a Linux kernel and initrd without breaking the Secure Boot chain
|
||||||
breaking the Secure Boot chain of trust.
|
of trust. Instead of rolling our own crypto, `lanzaboote` re-uses the
|
||||||
|
signature verification that is built-in to UEFI.
|
||||||
|
|
||||||
The information what kernel with what command line and initrd to boot
|
## Relevant Nixpkgs Work
|
||||||
is embedded into the `lanzaboote` by `lanzatool`.
|
|
||||||
|
This project depends on upstream nixpkgs work:
|
||||||
|
|
||||||
|
- https://github.com/NixOS/nixpkgs/pull/191665
|
||||||
|
- https://github.com/DeterminateSystems/bootspec-secureboot/
|
||||||
|
- https://github.com/DeterminateSystems/bootspec
|
||||||
|
|
||||||
|
You can find everything integrated as PoC
|
||||||
|
[here](https://github.com/NixOS/nixpkgs/pull/202497).
|
||||||
|
|
Loading…
Reference in New Issue