Flake lock file updates:
• Updated input 'crane':
'github:ipetkov/crane/c61d98aaea5667607a36bafe5a6fa87fe5bb2c7e' (2022-11-21)
→ 'github:ipetkov/crane/24591d5f8cc979f7b243b88a2d39da09976970ad' (2022-11-28)
• Updated input 'naersk/nixpkgs':
'github:NixOS/nixpkgs/3ea5616c21dd186129f90a86c66352359a45cb07' (2022-11-23)
→ 'github:NixOS/nixpkgs/b45ec953794bb07922f0468152ad1ebaf8a084b3' (2022-11-27)
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/3ea5616c21dd186129f90a86c66352359a45cb07' (2022-11-23)
→ 'github:NixOS/nixpkgs/b45ec953794bb07922f0468152ad1ebaf8a084b3' (2022-11-27)
• Updated input 'rust-overlay':
'github:oxalica/rust-overlay/018df6d3f900fc53d567045bd86208f5c00d8956' (2022-11-24)
→ 'github:oxalica/rust-overlay/b9da8e68a08707115be750c0cf7ade33f49d8ec4' (2022-11-28)
# Lanzaboote: Secure Boot for NixOS
🚧🚧🚧 This is not ready for non-developer usage. 🚧🚧🚧
This repository contains experimental tooling for Secure Boot on NixOS.
## 🪛 To Do 🪛
There is a bunch of work to do. Please coordinate in the Matrix room, if you want to take something up:
- Overview documentation about the approach
- Document an experimental setup for developers on how to use this repository
- Coordinate with bootspec RFC stakeholders to communicate an experience report on the bootspec usage
- Cleaning up flakes.nix for AArch64
- Upstream nixpkgs work
- Lanzatool
- Lanzaboote (needs unstable Rust!)
- NixOS boot loader installation etc.
- Unit testing for Lanzatool
- Investigating how this can fit into systemd-boot theory about sysexts for initrds while keeping NixOS semantics
- Threat modelling explanations: "bring your own PKI", "share your PKI with MSFT CA", "bring rhboot shim with MOK", etc.
- Ensuring 99% of the paths are "happy paths": protecting users against bricking their machines, identifying sources of risk, communicating intent and detecting risks
- Experimenting with fwupd / the green checkmark in GNOME Device Security
- Experimenting with TPM2 measurements
- Studying the initrd secrets feature in NixOS wrt SecureBoot & TPM2
- ...
## High-Level Boot Flow

```mermaid
flowchart LR
    systemd[systemd-boot]
    lanzaboote[lanzaboote]
    kernel[Linux Kernel]
    systemd --> lanzaboote
    lanzaboote --> kernel
```
## lanzatool

lanzatool is a Linux command line application that takes a bootspec document and installs the boot files into the UEFI ESP.

To make systemd-boot recognize a new boot target, lanzatool builds a UKI image. To avoid having to embed kernel and initrd, we use a custom stub lanzaboote (see below) that loads kernel and initrd from the ESP.

Remaining items to implement are:

- Migrations from non-SecureBoot machines (old generation files);
- Alternative Nix store paths;
- Key rotation support;
- Bootspec (abuse) cleanups;
- Automatic synchronization policies for changing PKI (rotating keys, re-enrolling them, etc.);
- NixOS specialisations support;
- Automatic removal of unused files relative to the `configurationLimit` option;
- `os-release` patch so `systemd-boot` shows pretty names with generation number.
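The install step described above, together with the `configurationLimit` clean-up from the to-do list, as an added Python example. It is not lanzatool's own code: the `v1` bootspec field names, the `EFI/nixos` and `EFI/Linux` layout on the ESP and the per-generation JSON manifest are assumptions made for this illustration. Kernel and initrd copies are named by their content hash, so re-running the install is idempotent, two generations sharing a kernel share one file, and an ESP copy whose contents no longer match its name is refused instead of silently overwritten.

```python
"""Added example (not lanzatool's code): bootspec-driven ESP install with
content-addressed kernel/initrd copies and configurationLimit pruning.
Layout and bootspec schema below are assumptions for the illustration."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def plan_install(bootspec: dict, generation: int, esp: Path) -> dict:
    """Map one bootspec document onto the files that belong on the ESP."""
    spec = bootspec["v1"]                     # assumed bootspec schema key
    store = esp / "EFI" / "nixos"             # assumed layout for copied files
    files = []
    for kind in ("kernel", "initrd"):
        src = Path(spec[kind])
        digest = sha256_file(src)
        files.append({"src": str(src), "digest": digest,
                      "dest": str(store / f"{kind}-{digest[:16]}.efi")})
    return {
        "generation": generation,
        "label": spec["label"],
        "cmdline": " ".join([f"init={spec['init']}", *spec["kernelParams"]]),
        "files": files,
        "manifest": str(esp / "EFI" / "Linux" / f"nixos-generation-{generation}.json"),
    }


def install_generation(plan: dict) -> list:
    """Copy kernel and initrd onto the ESP and record the generation.

    An existing destination is re-hashed rather than overwritten: its name
    encodes the expected content, so a mismatch means the ESP copy was
    corrupted or modified. Returns the paths newly written (none on a re-run)."""
    written = []
    for f in plan["files"]:
        dest = Path(f["dest"])
        dest.parent.mkdir(parents=True, exist_ok=True)
        if dest.exists():
            if sha256_file(dest) != f["digest"]:
                raise RuntimeError(f"{dest}: content does not match its name")
            continue
        shutil.copy2(f["src"], dest)
        written.append(str(dest))
    manifest = Path(plan["manifest"])
    manifest.parent.mkdir(parents=True, exist_ok=True)
    manifest.write_text(json.dumps(plan))
    return written


def prune(esp: Path, configuration_limit: int) -> dict:
    """Drop generations beyond the limit, then every unreferenced kernel/initrd."""
    assert configuration_limit >= 1
    manifests = sorted((esp / "EFI" / "Linux").glob("nixos-generation-*.json"),
                       key=lambda p: int(p.stem.rsplit("-", 1)[1]))
    old, keep = manifests[:-configuration_limit], manifests[-configuration_limit:]
    referenced = {f["dest"] for m in keep for f in json.loads(m.read_text())["files"]}
    removed = {"generations": [], "files": []}
    for m in old:
        removed["generations"].append(json.loads(m.read_text())["generation"])
        m.unlink()
    for p in sorted((esp / "EFI" / "nixos").glob("*.efi")):
        if str(p) not in referenced:
            p.unlink()
            removed["files"].append(p.name)
    return removed


def demo() -> dict:
    """Two constructed generations sharing an initrd: install, re-run, tamper, prune."""
    with tempfile.TemporaryDirectory() as tmp:
        root, esp = Path(tmp), Path(tmp) / "esp"
        (root / "bzImage-a").write_bytes(b"constructed kernel A")
        (root / "bzImage-b").write_bytes(b"constructed kernel B")
        (root / "initrd").write_bytes(b"constructed initrd")

        def spec(kernel: str, label: str) -> dict:   # constructed bootspec
            return {"v1": {"kernel": str(root / kernel), "initrd": str(root / "initrd"),
                           "init": "/nix/store/example-init", "kernelParams": ["loglevel=4"],
                           "label": label, "toplevel": "/nix/store/example-toplevel"}}

        plan_a = plan_install(spec("bzImage-a", "gen 1"), 1, esp)
        first = install_generation(plan_a)
        again = install_generation(plan_a)             # idempotent re-run
        Path(plan_a["files"][0]["dest"]).write_bytes(b"modified on the ESP")
        try:
            install_generation(plan_a)
            tampered = False
        except RuntimeError:
            tampered = True                            # mismatch is refused
        second = install_generation(plan_install(spec("bzImage-b", "gen 2"), 2, esp))
        removed = prune(esp, configuration_limit=1)
        left = sorted(p.name for p in (esp / "EFI" / "nixos").iterdir())
    return {"first": len(first), "again": len(again), "tampered": tampered,
            "second": len(second), "removed": removed, "left": left}
```

Building the actual UKI (stub plus cmdline and `os-release` sections) is left out; the manifest stands in for it so that pruning can tell which copies a surviving generation still needs.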
## lanzaboote

lanzaboote is the stub that lanzatool uses to form a UKI. It loads a Linux kernel and initrd without breaking the Secure Boot chain of trust. Instead of rolling our own crypto, lanzaboote re-uses the signature verification that is built into UEFI.

Remaining items to implement are:

- TPM measurements like `systemd-stub` does
- Better error management
## Relevant Nixpkgs Work

This project depends on upstream nixpkgs work:

- https://github.com/NixOS/nixpkgs/pull/191665
- https://github.com/DeterminateSystems/bootspec-secureboot/
- https://github.com/DeterminateSystems/bootspec
You can find everything integrated as PoC here.