From e41c02c66bc8352f46cb5d4d6a52fecd41536c40 Mon Sep 17 00:00:00 2001
From: Julian Stecklina <js@alien8.de>
Date: Thu, 2 Feb 2023 14:21:58 +0100
Subject: [PATCH] docs: add short security guidelines

---
 docs/QUICK_START.md | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/docs/QUICK_START.md b/docs/QUICK_START.md
index 6cf9fa2..ec7edd6 100644
--- a/docs/QUICK_START.md
+++ b/docs/QUICK_START.md
@@ -17,7 +17,7 @@ boot.
 **We only recommend this to NixOS users that are comfortable using
 recovery tools to restore their system or have a backup ready.**
 
-## Requirements
+## Functional Requirements
 
 To be able to setup Secure Boot on your device, NixOS needs to be
 installed in UEFI mode and
@@ -43,6 +43,24 @@ In the `bootctl` output, the firmware needs to be `UEFI` and the
 current boot loader needs to be `systemd-boot`. If this is the case,
 you are all set to continue.
 
+## Security Requirements
+
+These requirements are _optional_ for a development system. Feel free
+to skip them, if you just want to hack on Secure Boot support.
+
+To provide any security your system needs to defend against an
+attacker turning UEFI Secure Boot off or being able to sign binaries
+with the keys we are going to generate.
+
+The easiest way to achieve this is to:
+
+1. Enable a BIOS password in your system.
+2. Use full disk encryption.
+
+**The topic of security around Secure Boot is complex. We are only
+scratching the surface here and a comprehensive guide is out of
+scope.**
+
 ## Part 1: Preparing Your System
 
 In the first part, we will prepare everything on the software side of