	Lanzaboote
🚧🚧🚧 This is not working yet. Come back later. 🚧🚧🚧
This repository contains experimental tooling for Secure Boot on NixOS.
High-Level Boot Flow
flowchart LR
    systemd[systemd-boot]
    lanzaboote[lanzaboote]
    kernel[Linux Kernel]

    systemd --> lanzaboote
    lanzaboote --> kernel
lanzatool
lanzatool is a Linux command line application that takes a bootspec
document and installs the boot files into the UEFI ESP.
To make systemd-boot recognize a new boot target, lanzatool builds a
UKI image. To avoid having to embed kernel and initrd, we use a custom
stub lanzaboote (see below) that loads kernel and initrd from the ESP.
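Added example (not part of the lanzaboote repository): a small Rust check that reads a UKI's PE section table and reports whether the image embeds its own kernel or initrd, which the lanzatool-built images described above avoid. The section names `.linux` and `.initrd` are the systemd-stub convention and are an assumption here; the sample image is constructed in the code.

```rust
// Added example, not lanzaboote code. ".linux"/".initrd" are the section names
// systemd-stub UKIs use for embedded payloads (assumption: the README names none).
fn u16_at(b: &[u8], o: usize) -> Option<u16> {
    b.get(o..o + 2).map(|s| u16::from_le_bytes([s[0], s[1]]))
}
fn u32_at(b: &[u8], o: usize) -> Option<u32> {
    b.get(o..o + 4).map(|s| u32::from_le_bytes([s[0], s[1], s[2], s[3]]))
}

/// Section names of a PE image, or None if the headers are malformed or truncated.
fn pe_sections(img: &[u8]) -> Option<Vec<String>> {
    if img.get(..2)? != b"MZ" { return None; }
    let pe = u32_at(img, 0x3c)? as usize; // e_lfanew: offset of the "PE\0\0" signature
    if img.get(pe..pe + 4)? != b"PE\0\0" { return None; }
    let count = u16_at(img, pe + 6)? as usize; // NumberOfSections
    let table = pe + 24 + u16_at(img, pe + 20)? as usize; // skip the optional header
    let mut names = Vec::new();
    for i in 0..count {
        let raw = img.get(table + i * 40..table + i * 40 + 8)?; // 8-byte name field
        let end = raw.iter().position(|&c| c == 0).unwrap_or(8);
        names.push(String::from_utf8_lossy(&raw[..end]).into_owned());
    }
    Some(names)
}
/// True when the image carries its own kernel or initrd.
fn embeds_kernel_or_initrd(img: &[u8]) -> Option<bool> {
    Some(pe_sections(img)?.iter().any(|n| n == ".linux" || n == ".initrd"))
}

/// Constructed sample input: PE headers and section table only, no section data.
fn sample_image(sections: &[&str]) -> Vec<u8> {
    let mut img = vec![0u8; 0x40];
    img[..2].copy_from_slice(b"MZ");
    img[0x3c] = 0x40; // e_lfanew points just past the DOS header
    img.extend_from_slice(b"PE\0\0");
    let mut coff = [0u8; 20];
    coff[2..4].copy_from_slice(&(sections.len() as u16).to_le_bytes());
    img.extend_from_slice(&coff); // SizeOfOptionalHeader stays 0 in this sample
    for s in sections {
        let mut hdr = [0u8; 40];
        hdr[..s.len()].copy_from_slice(s.as_bytes());
        img.extend_from_slice(&hdr);
    }
    img
}
fn main() {
    let thin = sample_image(&[".text", ".osrel", ".cmdline"]);
    println!("{:?} embeds payload: {:?}", pe_sections(&thin), embeds_kernel_or_initrd(&thin));
}
```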
lanzaboote
lanzaboote is the stub that lanzatool uses to form a UKI. It
loads a Linux kernel and initrd without breaking the Secure Boot chain
of trust. Instead of rolling our own crypto, lanzaboote reuses the
signature verification that is built into UEFI.
Relevant Nixpkgs Work
This project depends on upstream nixpkgs work:
- https://github.com/NixOS/nixpkgs/pull/191665
- https://github.com/DeterminateSystems/bootspec-secureboot/
- https://github.com/DeterminateSystems/bootspec
You can find everything integrated as a PoC here.