readme: sprint end!
This commit is contained in:
Raito Bezarius
parent
95f596f4dc
commit
8a430b6578
29
README.md
29
README.md
|
|
@ -9,6 +9,19 @@
|
|||
This repository contains experimental tooling for Secure Boot on
|
||||
[NixOS](https://nixos.org/).
|
||||
|
||||
Remaining high-level things to do:
|
||||
|
||||
- Document a experimental setup for developers on how to use this repository
|
||||
- Coordinate with bootspec RFC stakeholders to communicate a experience report on the bootspec usage ;
|
||||
- Upstream as much as possible things: Rust unstable things on a stable compiler (?), etc. ;
|
||||
- Unit testing for `lanzatool` ;
|
||||
- Investigating how this can fit into systemd-boot theory about sysexts for initrds while keeping NixOS semantics ;
|
||||
- Threat modelling explanations: "bring your own PKI", "share your PKI with MSFT CA", "bring rhboot shim with MOK", etc. ;
|
||||
- Ensuring 99 % of the paths are "happy paths" : protecting user against bricking their machines, identifying sources of risk, communicating intent and detecting risks ;
|
||||
- Experimenting with `fwupd`
|
||||
- Experimenting with TPM2 measurements
|
||||
- Studying the initrd secrets feature in NixOS wrt SecureBoot & TPM2
|
||||
|
||||
## High-Level Boot Flow
|
||||
|
||||
```mermaid
|
||||
|
|
@ -34,6 +47,17 @@ To make systemd-boot recognize a new boot target, `lanzatool` builds a
|
|||
avoid having to embed kernel and initrd, we use a custom stub
|
||||
`lanzaboote` (see below) that loads kernel and initrd from the ESP.
|
||||
|
||||
Remaining items to implement are:
|
||||
|
||||
- Migrations from non-SecureBoot machine (old generation files) ;
|
||||
- Alternative Nix stores paths ;
|
||||
- Key rotation support ;
|
||||
- Bootspec (abuse) cleanups ;
|
||||
- Automatic synchronization policies for changing PKI (rotating keys, re-enrolling them, etc.) ;
|
||||
- NixOS specialisations support ;
|
||||
- Automatic removal of unused files relative to the `configurationLimit` option ;
|
||||
- `os-release` patch so `systemd-boot` shows pretty names with generation number
|
||||
|
||||
## lanzaboote
|
||||
|
||||
`lanzaboote` is the stub that `lanzatool` uses to form an UKI. It
|
||||
|
|
@ -41,6 +65,11 @@ loads a Linux kernel and initrd without breaking the Secure Boot chain
|
|||
of trust. Instead of rolling our own crypto, `lanzaboote` re-uses the
|
||||
signature verification that is built-in to UEFI.
|
||||
|
||||
Remaining items to implement are:
|
||||
|
||||
- TPM measurements like `systemd-stub` does
|
||||
- Better error management
|
||||
|
||||
## Relevant Nixpkgs Work
|
||||
|
||||
This project depends on upstream nixpkgs work:
|
||||
|
|
|
|||
Loading…
Reference in New Issue