docs: remove stale information and add overview
This commit is contained in:
parent
7afbc43195
commit
337689bbbc
132
README.md
132
README.md
|
@ -5,94 +5,92 @@
|
||||||
[![made-with-rust](https://img.shields.io/badge/Made%20with-Rust-1f425f.svg)](https://www.rust-lang.org/)
|
[![made-with-rust](https://img.shields.io/badge/Made%20with-Rust-1f425f.svg)](https://www.rust-lang.org/)
|
||||||
![GitHub](https://img.shields.io/github/license/blitz/lanzaboote)
|
![GitHub](https://img.shields.io/github/license/blitz/lanzaboote)
|
||||||
|
|
||||||
🚧🚧🚧 **This is not ready for non-developer usage.** 🚧🚧🚧
|
This repository contains tooling for [UEFI Secure
|
||||||
|
Boot](https://en.wikipedia.org/wiki/UEFI#Secure_Boot) on
|
||||||
|
[NixOS](https://nixos.org/). The goal is to make Secure Boot available
|
||||||
|
from [nixpkgs](https://github.com/NixOS/nixpkgs) for any platform that
|
||||||
|
supports UEFI.
|
||||||
|
|
||||||
This repository contains experimental tooling for Secure Boot on
|
## ⚡ Quickstart ⚡
|
||||||
[NixOS](https://nixos.org/).
|
|
||||||
|
|
||||||
## 🪛 To Do 🪛
|
If you want to try this out, head over [here](./docs/QUICK_START) for
|
||||||
|
instructions.
|
||||||
|
|
||||||
There is a bunch of work to do. Please coordinate in the [Matrix
|
## 🪛 Get Involved 🪛
|
||||||
room](https://matrix.to/#/#nixos-secure-boot:ukvly.org), if you want
|
|
||||||
to take something up:
|
|
||||||
|
|
||||||
- Overview documentation about the approach
|
There is still a bunch of work to do before this work can be
|
||||||
- Document a experimental setup for developers on how to use this repository
|
upstreamed into [nixpkgs](https://github.com/NixOS/nixpkgs). Please
|
||||||
- Coordinate with bootspec RFC stakeholders to communicate a experience report on the bootspec usage
|
coordinate in the [Matrix
|
||||||
- Cleaning up flakes.nix for AArch64
|
room](https://matrix.to/#/#nixos-secure-boot:ukvly.org) or check the
|
||||||
- Upstream nixpkgs work
|
[issues](https://github.com/nix-community/lanzaboote/issues), if you
|
||||||
- Lanzatool
|
want to take something up.
|
||||||
- Lanzaboote (needs unstable Rust!)
|
|
||||||
- NixOS boot loader installation etc.
|
|
||||||
- Unit testing for Lanzatool
|
|
||||||
- Investigating how this can fit into systemd-boot theory about sysexts for initrds while keeping NixOS semantics
|
|
||||||
- Threat modelling explanations: "bring your own PKI", "share your PKI with MSFT CA", "bring rhboot shim with MOK", etc.
|
|
||||||
- Ensuring 99 % of the paths are "happy paths" : protecting user against bricking their machines, identifying sources of risk, communicating intent and detecting risks
|
|
||||||
- Experimenting with `fwupd` / Green Checkmark in GNOME Device Security
|
|
||||||
- https://github.com/fwupd/fwupd/issues/5284
|
|
||||||
- Experimenting with TPM2 measurements
|
|
||||||
- Support bootspec with no initrd
|
|
||||||
- Studying the initrd secrets feature in NixOS wrt SecureBoot & TPM2
|
|
||||||
- ...
|
|
||||||
|
|
||||||
## High-Level Boot Flow
|
## Overview
|
||||||
|
|
||||||
```mermaid
|
### Secure Boot
|
||||||
flowchart LR
|
|
||||||
systemd[systemd-boot]
|
|
||||||
lanzaboote[lanzaboote]
|
|
||||||
kernel[Linux Kernel]
|
|
||||||
|
|
||||||
systemd --> lanzaboote
|
The goal of UEFI Secure Boot is to allow only trusted operating
|
||||||
lanzaboote --> kernel
|
systems to boot on a system. This can be used to defend against
|
||||||
```
|
certain classes of attacks that compromise the boot flow of a
|
||||||
|
system. For example, an attacker will have difficulty replacing the
|
||||||
|
Linux kernel that boots a system when Secure Boot is active.
|
||||||
|
|
||||||
## lanzatool
|
UEFI Secure Boot works by digitally signing all drivers, bootloaders,
|
||||||
|
the Linux kernel and its initrd. This establishes a chain of trust
|
||||||
|
where one trusted component only hands off control to the next part of
|
||||||
|
the boot flow when the integrity of the chain is cryptographically
|
||||||
|
validated.
|
||||||
|
|
||||||
`lanzatool` is a Linux command line application that takes a
|
### Caveats
|
||||||
[bootspec](https://github.com/NixOS/rfcs/pull/125) document and
|
|
||||||
installs the boot files into the UEFI
|
|
||||||
[ESP](https://en.wikipedia.org/wiki/EFI_system_partition).
|
|
||||||
|
|
||||||
|
There are some additional steps that are required to make UEFI Secure
|
||||||
|
Boot effective:
|
||||||
|
|
||||||
To make systemd-boot recognize a new boot target, `lanzatool` builds a
|
- There must be a BIOS password or a similar restriction that prevents
|
||||||
[UKI](https://wiki.archlinux.org/title/Unified_kernel_image) image. To
|
unauthorized changes to the Secure Boot policy.
|
||||||
avoid having to embed kernel and initrd, we use a custom stub
|
- The booted system must have some form of integrity protection.
|
||||||
`lanzaboote` (see below) that loads kernel and initrd from the ESP.
|
- The firmware must be kept up-to-date.
|
||||||
|
|
||||||
Remaining items to implement are:
|
These steps will not be covered here.
|
||||||
|
|
||||||
- Migrations from non-SecureBoot machine (old generation files) ;
|
### Lanzatool
|
||||||
- Alternative Nix stores paths ;
|
|
||||||
- Key rotation support ;
|
|
||||||
- Bootspec (abuse) cleanups ;
|
|
||||||
- Automatic synchronization policies for changing PKI (rotating keys, re-enrolling them, etc.) ;
|
|
||||||
- NixOS specialisations support ;
|
|
||||||
- Automatic removal of unused files relative to the `configurationLimit` option ;
|
|
||||||
- `os-release` patch so `systemd-boot` shows pretty names with generation number
|
|
||||||
|
|
||||||
## lanzaboote
|
At the moment, boot loaders, kernels and initrds on NixOS are signed
|
||||||
|
on the current system. These then need to be prepared as [Unified
|
||||||
|
Kernel Images
|
||||||
|
(UKI)](https://uapi-group.org/specifications/specs/boot_loader_specification/#type-2-efi-unified-kernel-images) and placed on the [EFI System Partition (ESP)](https://en.wikipedia.org/wiki/EFI_system_partition).
|
||||||
|
|
||||||
`lanzaboote` is the stub that `lanzatool` uses to form an UKI. It
|
`lanzatool` is a Linux command line application that takes care of
|
||||||
loads a Linux kernel and initrd without breaking the Secure Boot chain
|
this flow. It takes a [NixOS
|
||||||
of trust. Instead of rolling our own crypto, `lanzaboote` re-uses the
|
bootspec](https://github.com/NixOS/rfcs/pull/125) document, signs the
|
||||||
signature verification that is built-in to UEFI.
|
relevant files, creates a UKI using lanzaboote (see below) and
|
||||||
|
installs the UKI along with other required files to the
|
||||||
|
ESP. `lanzatool` is also aware of multiple NixOS genertions and will
|
||||||
|
sign all configurations that should be bootable.
|
||||||
|
### Lanzaboote
|
||||||
|
|
||||||
Remaining items to implement are:
|
When the Linux kernel and initrd are packed into a UKI, they need an
|
||||||
|
UEFI application stub. This role is typically filled by
|
||||||
|
[`systemd-stub`](https://www.freedesktop.org/software/systemd/man/systemd-stub.html).
|
||||||
|
|
||||||
- TPM measurements like `systemd-stub` does
|
The downside of `systemd-stub` is that it requires the kernel and
|
||||||
- Better error management
|
initrd to be packed into the UKI, which makes it pretty large. As we
|
||||||
|
need one UKI per NixOS configuration, systems with many configurations
|
||||||
|
quickly run out of the limited disk space in the ESP.
|
||||||
|
|
||||||
## Relevant Nixpkgs Work
|
`lanzaboote` is a UEFI stub that solves the same problem as
|
||||||
|
`systemd-stub`, but allows kernel and initrd to be stored separately
|
||||||
|
on the ESP. The chain of trust is maintained by validating the
|
||||||
|
signature on the Linux kernel and embedding a cryptographic hash of
|
||||||
|
the initrd into the signed UKI.
|
||||||
|
|
||||||
This project depends on upstream nixpkgs work:
|
`lanzaboote` lives in `rust/lanzaboote`.
|
||||||
|
|
||||||
- https://github.com/NixOS/nixpkgs/pull/191665
|
## State of Upstreaming to Nixpkgs
|
||||||
- https://github.com/DeterminateSystems/bootspec-secureboot/
|
|
||||||
- https://github.com/DeterminateSystems/bootspec
|
|
||||||
|
|
||||||
You can find everything integrated as PoC
|
Secure Boot is available as an Nixpkgs out-of-tree feature using the
|
||||||
[here](https://github.com/NixOS/nixpkgs/pull/202497).
|
[bootspec feature preview](https://github.com/NixOS/rfcs/pull/125). It
|
||||||
|
works with current nixpkgs-unstable.
|
||||||
|
|
||||||
## Funding
|
## Funding
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue