docs: add short security guidelines
parent
65896e03fa
commit
e41c02c66b
|
@ -17,7 +17,7 @@ boot.
|
||||||
**We only recommend this to NixOS users that are comfortable using
|
**We only recommend this to NixOS users that are comfortable using
|
||||||
recovery tools to restore their system or have a backup ready.**
|
recovery tools to restore their system or have a backup ready.**
|
||||||
|
|
||||||
## Requirements
|
## Functional Requirements
|
||||||
|
|
||||||
To be able to setup Secure Boot on your device, NixOS needs to be
|
To be able to setup Secure Boot on your device, NixOS needs to be
|
||||||
installed in UEFI mode and
|
installed in UEFI mode and
|
||||||
|
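Review bot: Renaming `## Requirements` to `## Functional Requirements` changes the anchor generated for that heading, so any link that points at `#requirements` from elsewhere in the docs will stop resolving. Please grep the docs for such links and update them in this commit. Minor, on the context line right below the heading: "To be able to setup Secure Boot" should read "set up", since it is a verb here.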
@ -43,6 +43,24 @@ In the `bootctl` output, the firmware needs to be `UEFI` and the
|
||||||
current boot loader needs to be `systemd-boot`. If this is the case,
|
current boot loader needs to be `systemd-boot`. If this is the case,
|
||||||
you are all set to continue.
|
you are all set to continue.
|
||||||
|
|
||||||
|
## Security Requirements
|
||||||
|
|
||||||
|
These requirements are _optional_ for a development system. Feel free
|
||||||
|
to skip them, if you just want to hack on Secure Boot support.
|
||||||
|
|
||||||
|
To provide any security your system needs to defend against an
|
||||||
|
attacker turning UEFI Secure Boot off or being able to sign binaries
|
||||||
|
with the keys we are going to generate.
|
||||||
|
|
||||||
|
The easiest way to achieve this is to:
|
||||||
|
|
||||||
|
1. Enable a BIOS password in your system.
|
||||||
|
2. Use full disk encryption.
|
||||||
|
|
||||||
|
**The topic of security around Secure Boot is complex. We are only
|
||||||
|
scratching the surface here and a comprehensive guide is out of
|
||||||
|
scope.**
|
||||||
|
|
||||||
## Part 1: Preparing Your System
|
## Part 1: Preparing Your System
|
||||||
|
|
||||||
In the first part, we will prepare everything on the software side of
|
In the first part, we will prepare everything on the software side of
|
||||||
|
|
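Review bot: The two numbered steps under `## Security Requirements` are not tied to the two threats named in the paragraph above them, so a reader cannot tell which measure covers which risk. Suggest spelling it out: the firmware password is what keeps an attacker from turning UEFI Secure Boot off in the setup menu, and full disk encryption is what keeps the generated keys from being read off the disk and used to sign binaries. The second point only holds if the keys are stored on the encrypted disk, and the text does not say where they live, so please state that here or link to the step that generates them. Also consider "firmware (UEFI) password" instead of "BIOS password", since the previous section requires the system to be installed in UEFI mode. Style nits: add a comma after "To provide any security" and drop the one in "skip them, if you just want".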