secure boot for nixos ~ personal fork

Go to file

Raito Bezarius 1b9fac224d readme: thank (a lot) NLnet for making this possible		2022-12-21 05:09:00 +01:00
nix	Merge pull request #24 from nix-community/remove-auto-entroll	2022-12-11 14:48:27 +00:00
pki	nixos: add a lanzaboote module	2022-11-24 17:07:05 +01:00
rust	lanzatool: remove placeholder code for auto enrolling uefi keys	2022-12-10 18:11:23 +01:00
.envrc	Initial import of Rust files	2022-11-21 12:31:23 +01:00
.gitignore	.gitignore.nix: block result* in subdirectories too	2022-11-23 00:20:27 +01:00
LICENSE	Add GPLv3 license	2022-11-26 03:12:24 +01:00
README.md	readme: thank (a lot) NLnet for making this possible	2022-12-21 05:09:00 +01:00
flake.lock	deduplicate flakes	2022-12-08 20:40:40 +01:00
flake.nix	Merge pull request #25 from nix-community/flake	2022-12-11 14:47:27 +00:00

README.md

Lanzaboote: Secure Boot for NixOS

🚧🚧🚧 This is not ready for non-developer usage. 🚧🚧🚧

This repository contains experimental tooling for Secure Boot on NixOS.

🪛 To Do 🪛

There is a bunch of work to do. Please coordinate in the Matrix room, if you want to take something up:

Overview documentation about the approach
Document a experimental setup for developers on how to use this repository
Coordinate with bootspec RFC stakeholders to communicate a experience report on the bootspec usage
Cleaning up flakes.nix for AArch64
Upstream nixpkgs work
- Lanzatool
- Lanzaboote (needs unstable Rust!)
- NixOS boot loader installation etc.
Unit testing for Lanzatool
Investigating how this can fit into systemd-boot theory about sysexts for initrds while keeping NixOS semantics
Threat modelling explanations: "bring your own PKI", "share your PKI with MSFT CA", "bring rhboot shim with MOK", etc.
Ensuring 99 % of the paths are "happy paths" : protecting user against bricking their machines, identifying sources of risk, communicating intent and detecting risks
Experimenting with fwupd / Green Checkmark in GNOME Device Security
- https://github.com/fwupd/fwupd/issues/5284
Experimenting with TPM2 measurements
Studying the initrd secrets feature in NixOS wrt SecureBoot & TPM2
...

High-Level Boot Flow

flowchart LR
	systemd[systemd-boot]
	lanzaboote[lanzaboote]
	kernel[Linux Kernel]

	systemd --> lanzaboote
	lanzaboote --> kernel

lanzatool

lanzatool is a Linux command line application that takes a bootspec document and installs the boot files into the UEFI ESP.

To make systemd-boot recognize a new boot target, lanzatool builds a UKI image. To avoid having to embed kernel and initrd, we use a custom stub lanzaboote (see below) that loads kernel and initrd from the ESP.

Remaining items to implement are:

Migrations from non-SecureBoot machine (old generation files) ;
Alternative Nix stores paths ;
Key rotation support ;
Bootspec (abuse) cleanups ;
Automatic synchronization policies for changing PKI (rotating keys, re-enrolling them, etc.) ;
NixOS specialisations support ;
Automatic removal of unused files relative to the configurationLimit option ;
os-release patch so systemd-boot shows pretty names with generation number

lanzaboote

lanzaboote is the stub that lanzatool uses to form an UKI. It loads a Linux kernel and initrd without breaking the Secure Boot chain of trust. Instead of rolling our own crypto, lanzaboote re-uses the signature verification that is built-in to UEFI.

Remaining items to implement are:

TPM measurements like systemd-stub does
Better error management

Relevant Nixpkgs Work

This project depends on upstream nixpkgs work:

You can find everything integrated as PoC here.

Funding

This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. Applications are still open, you can apply today.

If your organization wants to support the project with extra funding in order to add support for more architectures, PKCS#11 workflows or integration, please contact one of the maintainers.