From 8a430b65780fbabffa4e17471b9cace45d8b829c Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 26 Nov 2022 03:24:54 +0100 Subject: [PATCH] readme: sprint end! --- README.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/README.md b/README.md index 7e45ccf..247c6b3 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,19 @@ This repository contains experimental tooling for Secure Boot on [NixOS](https://nixos.org/). +Remaining high-level things to do: + +- Document a experimental setup for developers on how to use this repository +- Coordinate with bootspec RFC stakeholders to communicate a experience report on the bootspec usage ; +- Upstream as much as possible things: Rust unstable things on a stable compiler (?), etc. ; +- Unit testing for `lanzatool` ; +- Investigating how this can fit into systemd-boot theory about sysexts for initrds while keeping NixOS semantics ; +- Threat modelling explanations: "bring your own PKI", "share your PKI with MSFT CA", "bring rhboot shim with MOK", etc. ; +- Ensuring 99 % of the paths are "happy paths" : protecting user against bricking their machines, identifying sources of risk, communicating intent and detecting risks ; +- Experimenting with `fwupd` +- Experimenting with TPM2 measurements +- Studying the initrd secrets feature in NixOS wrt SecureBoot & TPM2 + ## High-Level Boot Flow ```mermaid 
@@ -34,6 +47,17 @@ To make systemd-boot recognize a new boot target, `lanzatool` builds a avoid having to embed kernel and initrd, we use a custom stub `lanzaboote` (see below) that loads kernel and initrd from the ESP. +Remaining items to implement are: + +- Migrations from non-SecureBoot machine (old generation files) ; +- Alternative Nix stores paths ; +- Key rotation support ; +- Bootspec (abuse) cleanups ; +- Automatic synchronization policies for changing PKI (rotating keys, re-enrolling them, etc.) ; +- NixOS specialisations support ; +- Automatic removal of unused files relative to the `configurationLimit` option ; +- `os-release` patch so `systemd-boot` shows pretty names with generation number + ## lanzaboote `lanzaboote` is the stub that `lanzatool` uses to form an UKI. It @@ -41,6 +65,11 @@ loads a Linux kernel and initrd without breaking the Secure Boot chain of trust. Instead of rolling our own crypto, `lanzaboote` re-uses the signature verification that is built-in to UEFI. +Remaining items to implement are: + +- TPM measurements like `systemd-stub` does +- Better error management + ## Relevant Nixpkgs Work This project depends on upstream nixpkgs work:
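Review bot: in the first hunk (the "Remaining high-level things to do" list), two articles are wrong and the list punctuation is inconsistent: "Document a experimental setup" and "communicate a experience report" should read "an experimental setup" and "an experience report", and the items end variously with " ;" (space before the semicolon), nothing at all, or " :" mid-item ("happy paths" : protecting). Suggest dropping the trailing " ;" everywhere and ending each bullet the same way, and rewording "Upstream as much as possible things: Rust unstable things on a stable compiler (?), etc." to state what is meant to be upstreamed and where. The threat-modelling bullet is the most valuable line in the list for a reader evaluating the project; it would help to spell out the three trust models it names ("bring your own PKI", "share your PKI with MSFT CA", "bring rhboot shim with MOK") as separate sub-items with one sentence each on who holds signing authority in that model, since that is the decision a deployer has to make before enrolling anything.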
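Review bot: in the second hunk (the `lanzatool` "Remaining items to implement" list), "Alternative Nix stores paths" should be "Alternative Nix store paths", "non-SecureBoot machine" should match the "Secure Boot" spelling used in the surrounding README text, and "Bootspec (abuse) cleanups" is too terse to act on; say what is currently being abused in bootspec and what the cleanup changes. "Key rotation support" and "Automatic synchronization policies for changing PKI (rotating keys, re-enrolling them, etc.)" overlap; either merge them or make clear that one is the signing-side rotation in `lanzatool` and the other the enrollment-side policy on the machine. For "Automatic removal of unused files relative to the `configurationLimit` option", note in the item that removal must not delete a generation's signed stub, kernel or initrd while the corresponding `systemd-boot` entry still references it, otherwise the entry fails to boot; that is exactly the bricking risk the first hunk's "happy paths" bullet says the project wants to protect users from.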
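Review bot: in the third hunk (the `lanzaboote` "Remaining items to implement" list), "TPM measurements like `systemd-stub` does" duplicates "Experimenting with TPM2 measurements" from the first hunk's high-level list; keep it in one place, or have the high-level item point at this one, so the two lists do not drift apart. "Better error management" is too vague for a TODO in a component whose job, per the unchanged context directly above, is to load a kernel and initrd without breaking the Secure Boot chain of trust; it should name the failure paths that matter, at minimum what the stub does when the UEFI signature verification it re-uses rejects the kernel or initrd (fail closed and report, never fall through to loading the unverified image). Also, the list ends without the trailing " ;" used in the other two hunks, which is the better convention; apply it consistently across the file.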