docs: update README
This commit is contained in:
Julian Stecklina
parent
8a430b6578
commit
f16623d713
37
README.md
37
README.md
|
|
@ -1,35 +1,46 @@
|
||||||
# Lanzaboote
|
# Lanzaboote: Secure Boot for NixOS
|
||||||
|
|
||||||
|
[](https://matrix.to/#/#nixos-secure-boot:ukvly.org)
|
||||||
|
|
||||||
[](https://www.rust-lang.org/)
|
[](https://www.rust-lang.org/)
|
||||||
[](https://github.com/blitz/lanzaboote/blob/master/LICENSE)
|
|
||||||
|
|
||||||
🚧🚧🚧 **This is not working yet. Come back later.** 🚧🚧🚧
|
🚧🚧🚧 **This is not ready for non-developer usage.** 🚧🚧🚧
|
||||||
|
|
||||||
This repository contains experimental tooling for Secure Boot on
|
This repository contains experimental tooling for Secure Boot on
|
||||||
[NixOS](https://nixos.org/).
|
[NixOS](https://nixos.org/).
|
||||||
|
|
||||||
Remaining high-level things to do:
|
## 🪛 To Do 🪛
|
||||||
|
|
||||||
|
There is a bunch of work to do. Please coordinate in the [Matrix
|
||||||
|
room](https://matrix.to/#/#nixos-secure-boot:ukvly.org), if you want
|
||||||
|
to take something up:
|
||||||
|
|
||||||
|
- Overview documentation about the approach
|
||||||
- Document a experimental setup for developers on how to use this repository
|
- Document a experimental setup for developers on how to use this repository
|
||||||
- Coordinate with bootspec RFC stakeholders to communicate a experience report on the bootspec usage ;
|
- Coordinate with bootspec RFC stakeholders to communicate a experience report on the bootspec usage
|
||||||
- Upstream as much as possible things: Rust unstable things on a stable compiler (?), etc. ;
|
- Upstream nixpkgs work
|
||||||
- Unit testing for `lanzatool` ;
|
- Lanzatool
|
||||||
- Investigating how this can fit into systemd-boot theory about sysexts for initrds while keeping NixOS semantics ;
|
- Lanzaboote (needs unstable Rust!)
|
||||||
- Threat modelling explanations: "bring your own PKI", "share your PKI with MSFT CA", "bring rhboot shim with MOK", etc. ;
|
- NixOS boot loader installation etc.
|
||||||
- Ensuring 99 % of the paths are "happy paths" : protecting user against bricking their machines, identifying sources of risk, communicating intent and detecting risks ;
|
- Unit testing for Lanzatool
|
||||||
- Experimenting with `fwupd`
|
- Investigating how this can fit into systemd-boot theory about sysexts for initrds while keeping NixOS semantics
|
||||||
|
- Threat modelling explanations: "bring your own PKI", "share your PKI with MSFT CA", "bring rhboot shim with MOK", etc.
|
||||||
|
- Ensuring 99 % of the paths are "happy paths" : protecting user against bricking their machines, identifying sources of risk, communicating intent and detecting risks
|
||||||
|
- Experimenting with `fwupd` / Green Checkmark in GNOME Device Security
|
||||||
|
- https://github.com/fwupd/fwupd/issues/5284
|
||||||
- Experimenting with TPM2 measurements
|
- Experimenting with TPM2 measurements
|
||||||
- Studying the initrd secrets feature in NixOS wrt SecureBoot & TPM2
|
- Studying the initrd secrets feature in NixOS wrt SecureBoot & TPM2
|
||||||
|
- ...
|
||||||
|
|
||||||
## High-Level Boot Flow
|
## High-Level Boot Flow
|
||||||
|
|
||||||
```mermaid
|
```mermaid
|
||||||
flowchart LR
|
flowchart LR
|
||||||
systemd[systemd-boot]
|
systemd[systemd-boot]
|
||||||
lanzaboote[lanzaboote]
|
lanzaboote[lanzaboote]
|
||||||
kernel[Linux Kernel]
|
kernel[Linux Kernel]
|
||||||
|
|
||||||
systemd --> lanzaboote
|
systemd --> lanzaboote
|
||||||
lanzaboote --> kernel
|
lanzaboote --> kernel
|
||||||
```
|
```
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue