min
/
lanzaboote
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

docs: add short security guidelines

This commit is contained in:
Julian Stecklina 2023-02-02 14:21:58 +01:00
parent 65896e03fa
commit e41c02c66b
1 changed files with 19 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
docs/QUICK_START.md
View File

@ -17,7 +17,7 @@ boot.
**We only recommend this to NixOS users that are comfortable using **We only recommend this to NixOS users that are comfortable using
recovery tools to restore their system or have a backup ready.** recovery tools to restore their system or have a backup ready.**
## Requirements ## Functional Requirements
To be able to setup Secure Boot on your device, NixOS needs to be To be able to setup Secure Boot on your device, NixOS needs to be
installed in UEFI mode and installed in UEFI mode and
@ -43,6 +43,24 @@ In the `bootctl` output, the firmware needs to be `UEFI` and the
current boot loader needs to be `systemd-boot`. If this is the case, current boot loader needs to be `systemd-boot`. If this is the case,
you are all set to continue. you are all set to continue.
## Security Requirements
These requirements are _optional_ for a development system. Feel free
to skip them, if you just want to hack on Secure Boot support.
To provide any security your system needs to defend against an
attacker turning UEFI Secure Boot off or being able to sign binaries
with the keys we are going to generate.
The easiest way to achieve this is to:
1. Enable a BIOS password in your system.
2. Use full disk encryption.
**The topic of security around Secure Boot is complex. We are only
scratching the surface here and a comprehensive guide is out of
scope.**
## Part 1: Preparing Your System ## Part 1: Preparing Your System
In the first part, we will prepare everything on the software side of In the first part, we will prepare everything on the software side of