docs: update sharp edges after Linux kernel signing changes
parent 37ccc5d578
commit cc2af0a081
|
@ -167,18 +167,20 @@ Verifying file database and EFI images in /boot...
|
||||||
✓ /boot/EFI/BOOT/BOOTX64.EFI is signed
|
✓ /boot/EFI/BOOT/BOOTX64.EFI is signed
|
||||||
✓ /boot/EFI/Linux/nixos-generation-355.efi is signed
|
✓ /boot/EFI/Linux/nixos-generation-355.efi is signed
|
||||||
✓ /boot/EFI/Linux/nixos-generation-356.efi is signed
|
✓ /boot/EFI/Linux/nixos-generation-356.efi is signed
|
||||||
✓ /boot/EFI/nixos/0n01vj3mq06pc31i2yhxndvhv4kwl2vp-linux-6.1.3-bzImage.efi is signed
|
✗ /boot/EFI/nixos/0n01vj3mq06pc31i2yhxndvhv4kwl2vp-linux-6.1.3-bzImage.efi is not signed
|
||||||
✓ /boot/EFI/systemd/systemd-bootx64.efi is signed
|
✓ /boot/EFI/systemd/systemd-bootx64.efi is signed
|
||||||
```
|
```
|
||||||
|
|
||||||
🔪 **Sharp edge:** 🔪 In case something is **not** signed in the
|
It is expected that the files ending with `bzImage.efi` are _not_
|
||||||
`sbctl verify` output, you have hit a bug
|
signed.
|
||||||
([#39](https://github.com/nix-community/lanzaboote/issues/39)). You
|
|
||||||
**have to fix this** to avoid ending up with an unbootable system
|
🔪 **Sharp edge:** 🔪 In case any of the `nixos-generation-*.efi`
|
||||||
([#58](https://github.com/nix-community/lanzaboote/issues/58)). The
|
files are not signed, you have hit a bug
|
||||||
way to solve this is **deleting** the unsigned files indicated by
|
([#39](https://github.com/nix-community/lanzaboote/issues/39)). This
|
||||||
`sbctl` and switching to the configuration again. This will copy and
|
issue will prevent the system from booting successfully when Secure
|
||||||
sign the missing files.
|
Boot is enabled. The way to solve this is **deleting** the unsigned
|
||||||
|
files indicated by `sbctl` and switching to the configuration
|
||||||
|
again. This will copy and sign the missing files.
|
||||||
|
|
||||||
## Part 2: Enabling Secure Boot
|
## Part 2: Enabling Secure Boot
|
||||||
|
|
||||||
|
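Review bot: in the rewritten sharp-edge paragraph, the remedy still reads "deleting the unsigned files indicated by `sbctl`", but the sentence added just above it says files ending in `bzImage.efi` are expected to be reported as not signed, so a reader following the remedy literally would also delete the kernel image under `/boot/EFI/nixos/`. Suggest narrowing the wording to "deleting the unsigned `nixos-generation-*.efi` files" so it matches the condition that opens the paragraph. A one-sentence reason why the unsigned kernel is acceptable would also help, since the example output now shows a ✗ line the reader is told to ignore.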
@ -236,12 +238,19 @@ System:
|
||||||
|
|
||||||
That's all! 🥳
|
That's all! 🥳
|
||||||
|
|
||||||
|
## Troubleshooting
|
||||||
|
|
||||||
|
If your system doesn't boot with Secure Boot enabled, the most likely
|
||||||
|
issue is that Lanzaboote could not verify a cryptographic hash. To
|
||||||
|
recover from this, disable Secure Boot in your firmware
|
||||||
|
settings. Please file a bug, if you hit this issue.
|
||||||
|
|
||||||
## Disabling Secure Boot and Lanzaboote
|
## Disabling Secure Boot and Lanzaboote
|
||||||
|
|
||||||
When you want to get back to a system without the Secure Boot stack,
|
When you want to permanently get back to a system without the Secure
|
||||||
**first** disable Secure Boot in your firmware settings. Then you can
|
Boot stack, **first** disable Secure Boot in your firmware
|
||||||
disable the Lanzaboote related settings in the NixOS configuration and
|
settings. Then you can disable the Lanzaboote related settings in the
|
||||||
rebuild.
|
NixOS configuration and rebuild.
|
||||||
|
|
||||||
You may need to clean up the `EFI/Linux` directory in the ESP manually
|
You may need to clean up the `EFI/Linux` directory in the ESP manually
|
||||||
to get rid of stale boot entries. **Please backup your ESP, before you
|
to get rid of stale boot entries. **Please backup your ESP, before you
|
||||||
|
|
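Review bot: the new Troubleshooting section stops at "disable Secure Boot in your firmware settings", which leaves the machine booting without verification and gives no step for returning to a protected state. Suggest adding what to do once the system is up again (for example re-running the `sbctl verify` check described earlier in the document and re-enabling Secure Boot after the cause is fixed), and stating which hash of which file is meant by "could not verify a cryptographic hash" so that a bug report can include it. Minor: "Please file a bug, if you hit this issue." reads better without the comma and with a link to the issue tracker.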