min
/
lanzaboote
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

readme: sprint end!

This commit is contained in:
Raito Bezarius 2022-11-26 03:24:54 +01:00
parent 95f596f4dc
commit 8a430b6578
1 changed files with 29 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
README.md
View File

@ -9,6 +9,19 @@
This repository contains experimental tooling for Secure Boot on This repository contains experimental tooling for Secure Boot on
[NixOS](https://nixos.org/). [NixOS](https://nixos.org/).
Remaining high-level things to do:
- Document a experimental setup for developers on how to use this repository
- Coordinate with bootspec RFC stakeholders to communicate a experience report on the bootspec usage ;
- Upstream as much as possible things: Rust unstable things on a stable compiler (?), etc. ;
- Unit testing for `lanzatool` ;
- Investigating how this can fit into systemd-boot theory about sysexts for initrds while keeping NixOS semantics ;
- Threat modelling explanations: "bring your own PKI", "share your PKI with MSFT CA", "bring rhboot shim with MOK", etc. ;
- Ensuring 99 % of the paths are "happy paths" : protecting user against bricking their machines, identifying sources of risk, communicating intent and detecting risks ;
- Experimenting with `fwupd`
- Experimenting with TPM2 measurements
- Studying the initrd secrets feature in NixOS wrt SecureBoot & TPM2
## High-Level Boot Flow ## High-Level Boot Flow
```mermaid ```mermaid
@ -34,6 +47,17 @@ To make systemd-boot recognize a new boot target, `lanzatool` builds a
avoid having to embed kernel and initrd, we use a custom stub avoid having to embed kernel and initrd, we use a custom stub
`lanzaboote` (see below) that loads kernel and initrd from the ESP. `lanzaboote` (see below) that loads kernel and initrd from the ESP.
Remaining items to implement are:
- Migrations from non-SecureBoot machine (old generation files) ;
- Alternative Nix stores paths ;
- Key rotation support ;
- Bootspec (abuse) cleanups ;
- Automatic synchronization policies for changing PKI (rotating keys, re-enrolling them, etc.) ;
- NixOS specialisations support ;
- Automatic removal of unused files relative to the `configurationLimit` option ;
- `os-release` patch so `systemd-boot` shows pretty names with generation number
## lanzaboote ## lanzaboote
`lanzaboote` is the stub that `lanzatool` uses to form an UKI. It `lanzaboote` is the stub that `lanzatool` uses to form an UKI. It
@ -41,6 +65,11 @@ loads a Linux kernel and initrd without breaking the Secure Boot chain
of trust. Instead of rolling our own crypto, `lanzaboote` re-uses the of trust. Instead of rolling our own crypto, `lanzaboote` re-uses the
signature verification that is built-in to UEFI. signature verification that is built-in to UEFI.
Remaining items to implement are:
- TPM measurements like `systemd-stub` does
- Better error management
## Relevant Nixpkgs Work ## Relevant Nixpkgs Work
This project depends on upstream nixpkgs work: This project depends on upstream nixpkgs work: