96 lines
3.6 KiB
Markdown
96 lines
3.6 KiB
Markdown
# Lanzaboote: Secure Boot for NixOS
|
|
|
|
[![Chat on Matrix](https://matrix.to/img/matrix-badge.svg)](https://matrix.to/#/#nixos-secure-boot:ukvly.org)
|
|
![GitHub branch checks state](https://img.shields.io/github/checks-status/blitz/lanzaboote/master)
|
|
[![made-with-rust](https://img.shields.io/badge/Made%20with-Rust-1f425f.svg)](https://www.rust-lang.org/)
|
|
![GitHub](https://img.shields.io/github/license/blitz/lanzaboote)
|
|
|
|
🚧🚧🚧 **This is not ready for non-developer usage.** 🚧🚧🚧
|
|
|
|
This repository contains experimental tooling for Secure Boot on
|
|
[NixOS](https://nixos.org/).
|
|
|
|
## 🪛 To Do 🪛
|
|
|
|
There is a bunch of work to do. Please coordinate in the [Matrix
|
|
room](https://matrix.to/#/#nixos-secure-boot:ukvly.org), if you want
|
|
to take something up:
|
|
|
|
- Overview documentation about the approach
|
|
- Document a experimental setup for developers on how to use this repository
|
|
- Coordinate with bootspec RFC stakeholders to communicate a experience report on the bootspec usage
|
|
- Cleaning up flakes.nix for AArch64
|
|
- Upstream nixpkgs work
|
|
- Lanzatool
|
|
- Lanzaboote (needs unstable Rust!)
|
|
- NixOS boot loader installation etc.
|
|
- Unit testing for Lanzatool
|
|
- Investigating how this can fit into systemd-boot theory about sysexts for initrds while keeping NixOS semantics
|
|
- Threat modelling explanations: "bring your own PKI", "share your PKI with MSFT CA", "bring rhboot shim with MOK", etc.
|
|
- Ensuring 99 % of the paths are "happy paths" : protecting user against bricking their machines, identifying sources of risk, communicating intent and detecting risks
|
|
- Experimenting with `fwupd` / Green Checkmark in GNOME Device Security
|
|
- https://github.com/fwupd/fwupd/issues/5284
|
|
- Experimenting with TPM2 measurements
|
|
- Support bootspec with no initrd
|
|
- Studying the initrd secrets feature in NixOS wrt SecureBoot & TPM2
|
|
- ...
|
|
|
|
## High-Level Boot Flow
|
|
|
|
```mermaid
|
|
flowchart LR
|
|
systemd[systemd-boot]
|
|
lanzaboote[lanzaboote]
|
|
kernel[Linux Kernel]
|
|
|
|
systemd --> lanzaboote
|
|
lanzaboote --> kernel
|
|
```
|
|
|
|
## lanzatool
|
|
|
|
`lanzatool` is a Linux command line application that takes a
|
|
[bootspec](https://github.com/NixOS/rfcs/pull/125) document and
|
|
installs the boot files into the UEFI
|
|
[ESP](https://en.wikipedia.org/wiki/EFI_system_partition).
|
|
|
|
|
|
To make systemd-boot recognize a new boot target, `lanzatool` builds a
|
|
[UKI](https://wiki.archlinux.org/title/Unified_kernel_image) image. To
|
|
avoid having to embed kernel and initrd, we use a custom stub
|
|
`lanzaboote` (see below) that loads kernel and initrd from the ESP.
|
|
|
|
Remaining items to implement are:
|
|
|
|
- Migrations from non-SecureBoot machine (old generation files) ;
|
|
- Alternative Nix stores paths ;
|
|
- Key rotation support ;
|
|
- Bootspec (abuse) cleanups ;
|
|
- Automatic synchronization policies for changing PKI (rotating keys, re-enrolling them, etc.) ;
|
|
- NixOS specialisations support ;
|
|
- Automatic removal of unused files relative to the `configurationLimit` option ;
|
|
- `os-release` patch so `systemd-boot` shows pretty names with generation number
|
|
|
|
## lanzaboote
|
|
|
|
`lanzaboote` is the stub that `lanzatool` uses to form an UKI. It
|
|
loads a Linux kernel and initrd without breaking the Secure Boot chain
|
|
of trust. Instead of rolling our own crypto, `lanzaboote` re-uses the
|
|
signature verification that is built-in to UEFI.
|
|
|
|
Remaining items to implement are:
|
|
|
|
- TPM measurements like `systemd-stub` does
|
|
- Better error management
|
|
|
|
## Relevant Nixpkgs Work
|
|
|
|
This project depends on upstream nixpkgs work:
|
|
|
|
- https://github.com/NixOS/nixpkgs/pull/191665
|
|
- https://github.com/DeterminateSystems/bootspec-secureboot/
|
|
- https://github.com/DeterminateSystems/bootspec
|
|
|
|
You can find everything integrated as PoC
|
|
[here](https://github.com/NixOS/nixpkgs/pull/202497).
|