From e41c02c66bc8352f46cb5d4d6a52fecd41536c40 Mon Sep 17 00:00:00 2001 From: Julian Stecklina Date: Thu, 2 Feb 2023 14:21:58 +0100 Subject: [PATCH] docs: add short security guidelines --- docs/QUICK_START.md | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/docs/QUICK_START.md b/docs/QUICK_START.md index 6cf9fa2..ec7edd6 100644 --- a/docs/QUICK_START.md +++ b/docs/QUICK_START.md @@ -17,7 +17,7 @@ boot. **We only recommend this to NixOS users that are comfortable using recovery tools to restore their system or have a backup ready.** -## Requirements +## Functional Requirements To be able to setup Secure Boot on your device, NixOS needs to be installed in UEFI mode and @@ -43,6 +43,24 @@ In the `bootctl` output, the firmware needs to be `UEFI` and the current boot loader needs to be `systemd-boot`. If this is the case, you are all set to continue. +## Security Requirements + +These requirements are _optional_ for a development system. Feel free +to skip them, if you just want to hack on Secure Boot support. + +To provide any security your system needs to defend against an +attacker turning UEFI Secure Boot off or being able to sign binaries +with the keys we are going to generate. + +The easiest way to achieve this is to: + +1. Enable a BIOS password in your system. +2. Use full disk encryption. + +**The topic of security around Secure Boot is complex. We are only +scratching the surface here and a comprehensive guide is out of +scope.** + ## Part 1: Preparing Your System In the first part, we will prepare everything on the software side of
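Review bot: In the first hunk, renaming the heading `## Requirements` to `## Functional Requirements` changes the section anchor that Markdown renderers derive from the heading text, so any link pointing at the old heading, in this file or elsewhere in the docs, will stop resolving. Please check for such links and update them in the same commit.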
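Review bot: In the added `## Security Requirements` section, the numbered list does not say which of the two threats named in the paragraph above it each step addresses, so a reader cannot tell what is lost by skipping one of them. Suggest one clause per item, for example that the firmware password is what stops an attacker from turning Secure Boot off in the setup menu, and that full disk encryption is what protects the generated signing keys if they are kept on that disk. Two style points in the same hunk: "BIOS password" reads oddly in a guide that requires UEFI mode, so "firmware (UEFI setup) password" would be more consistent; and the comma in "skip them, if you just want" should go, while "To provide any security your system needs" wants one after "security".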