secure boot for nixos ~ personal fork

Lanzaboote: Secure Boot for NixOS


🚧🚧🚧 This is not ready for non-developer usage. 🚧🚧🚧

This repository contains experimental tooling for Secure Boot on NixOS.

🪛 To Do 🪛

There is a lot of work to do. If you want to take something up, please coordinate in the Matrix room first:

  • Overview documentation about the approach
  • Document an experimental setup for developers on how to use this repository
  • Coordinate with bootspec RFC stakeholders to communicate an experience report on the bootspec usage
  • Cleaning up flake.nix for AArch64
  • Upstream nixpkgs work
    • Lanzatool
    • Lanzaboote (needs unstable Rust!)
    • NixOS boot loader installation etc.
  • Unit testing for Lanzatool
  • Investigating how this can fit into the systemd-boot/systemd-stub approach of sysexts for initrds while keeping NixOS semantics
  • Threat modelling explanations: "bring your own PKI", "share your PKI with MSFT CA", "bring rhboot shim with MOK", etc.
  • Ensuring 99 % of the paths are "happy paths": protecting users against bricking their machines, identifying sources of risk, communicating intent and detecting risks
  • Experimenting with fwupd / Green Checkmark in GNOME Device Security
  • Experimenting with TPM2 measurements
  • Studying the initrd secrets feature in NixOS wrt SecureBoot & TPM2
  • ...

High-Level Boot Flow

```mermaid
flowchart LR
	systemd[systemd-boot]
	lanzaboote[lanzaboote]
	kernel[Linux Kernel]

	systemd --> lanzaboote
	lanzaboote --> kernel
```

lanzatool

lanzatool is a Linux command line application that takes a bootspec document and installs the boot files into the UEFI ESP.

To make systemd-boot recognize a new boot target, lanzatool builds a Unified Kernel Image (UKI): a single signed PE binary that systemd-boot discovers automatically in `EFI/Linux/` on the ESP, without needing a separate loader entry. To avoid embedding a full copy of the kernel and initrd in every UKI (there is one per NixOS generation), we use a custom stub, lanzaboote (see below), that loads kernel and initrd from separate files on the ESP.
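The ESP layout that the paragraph above implies, as an added example rather than lanzatool's own code: a constructed bootspec document is turned into content-addressed kernel/initrd locations under `EFI/nixos/`, a per-generation UKI path under `EFI/Linux/`, and the `.cmdline` and `.osrel` section contents that go into the UKI. The bootspec struct, the `EFI/nixos/<store dir>-<file>.efi` naming and the `nixos-generation-N.efi` UKI name are assumptions for this example, as is the `VERSION_ID` choice. The one check worth copying is `split_store_path`: a bootspec is untrusted data as far as the installer is concerned, so the store path is validated as `<32 nix-base32 chars>-<name>` before any ESP file name is derived from it, which rules out `..` or `/` ending up in a path under the ESP.

```rust
use std::path::{Path, PathBuf};

/// Minimal bootspec document, the input lanzatool consumes. Field names follow
/// the bootspec RFC draft; the struct itself is an assumption for this example,
/// not lanzatool's own type.
#[derive(Debug, Clone)]
pub struct BootSpec {
    pub kernel: String,             // /nix/store/<hash>-linux-.../bzImage
    pub initrd: String,             // /nix/store/<hash>-initrd-.../initrd
    pub init: String,               // <toplevel>/init, passed as init=
    pub kernel_params: Vec<String>, // extra kernel command line arguments
    pub label: String,              // human readable generation label
}

const STORE_PREFIX: &str = "/nix/store/";
/// Nix's base32 alphabet (no e, o, t, u).
const NIX32: &[u8] = b"0123456789abcdfghijklmnpqrsvwxyz";

fn valid_name_char(c: char) -> bool {
    c.is_ascii_alphanumeric() || "+-._?=".contains(c)
}

/// Splits a store path into (`<hash>-<name>` directory, file name) after checking
/// that it is well-formed. A hostile or malformed path must not be able to put
/// `..`, `/` or an empty component into the ESP file name derived from it.
pub fn split_store_path(path: &str) -> Result<(String, String), String> {
    let rest = path
        .strip_prefix(STORE_PREFIX)
        .ok_or_else(|| format!("{}: not under {}", path, STORE_PREFIX))?;
    let comps: Vec<&str> = rest.split('/').collect();
    if comps.iter().any(|c| c.is_empty() || *c == "." || *c == "..") {
        return Err(format!("{}: empty or dot path component", path));
    }
    let base = comps[0];
    let file = *comps.last().expect("split yields at least one component");
    let (hash, name) = base
        .split_once('-')
        .ok_or_else(|| format!("{}: expected <hash>-<name>", base))?;
    if hash.len() != 32 || !hash.bytes().all(|b| NIX32.contains(&b)) {
        return Err(format!("{}: hash is not 32 nix-base32 characters", base));
    }
    if name.is_empty() || !name.chars().all(valid_name_char) {
        return Err(format!("{}: invalid store path name", base));
    }
    if !file.chars().all(valid_name_char) {
        return Err(format!("{}: invalid file name", file));
    }
    Ok((base.to_string(), file.to_string()))
}

/// Where a kernel or initrd lands in the ESP. The content-addressed name
/// (EFI/nixos/<store dir>-<file>.efi) is an assumption for this example; it
/// means generations that share a kernel also share one file on the ESP.
pub fn esp_path(esp: &Path, store_path: &str) -> Result<PathBuf, String> {
    let (base, file) = split_store_path(store_path)?;
    let name = if file == base { format!("{}.efi", base) } else { format!("{}-{}.efi", base, file) };
    Ok(esp.join("EFI").join("nixos").join(name))
}

/// Where the UKI for a generation lands: systemd-boot auto-discovers Type #2
/// entries in EFI/Linux/. The file name is an assumption for this example.
pub fn uki_path(esp: &Path, generation: u32) -> PathBuf {
    esp.join("EFI").join("Linux").join(format!("nixos-generation-{}.efi", generation))
}

/// Kernel command line for the UKI's .cmdline section: NixOS boots through
/// init=<toplevel>/init followed by the bootspec's kernelParams.
pub fn cmdline(spec: &BootSpec) -> String {
    std::iter::once(format!("init={}", spec.init))
        .chain(spec.kernel_params.iter().cloned())
        .collect::<Vec<_>>()
        .join(" ")
}

/// .osrel section content so systemd-boot shows the generation number in its menu.
pub fn osrel(spec: &BootSpec, generation: u32) -> String {
    format!("ID=nixos\nPRETTY_NAME={} (Generation {})\nVERSION_ID={}\n", spec.label, generation, generation)
}

/// Constructed sample bootspec; the hashes are made up, not from a real system.
pub fn sample() -> BootSpec {
    BootSpec {
        kernel: "/nix/store/abcdfghijklmnpqrsvwxyz0123456789-linux-6.0.9/bzImage".into(),
        initrd: "/nix/store/0123456789abcdfghijklmnpqrsvwxyz-initrd-linux-6.0.9/initrd".into(),
        init: "/nix/store/9876543210zyxwvsrqpnmlkjihgfdcba-nixos-system-host-22.11/init".into(),
        kernel_params: vec!["loglevel=4".into(), "nvme.noacpi=1".into()],
        label: "NixOS 22.11".into(),
    }
}

fn main() {
    let esp = Path::new("/boot");
    let spec = sample();
    for p in [&spec.kernel, &spec.initrd, &"/nix/store/../../EFI/BOOT/BOOTX64.EFI".to_string()] {
        match esp_path(esp, p) {
            Ok(dst) => println!("{} -> {}", p, dst.display()),
            Err(e) => eprintln!("refusing: {}", e),
        }
    }
    println!("uki: {}", uki_path(esp, 42).display());
    println!("cmdline: {}", cmdline(&spec));
    print!("{}", osrel(&spec, 42));
}
```

The third path in `main` is the kind of input the validation exists for: it parses as a store path at a glance but would resolve to the fallback boot loader's location, and `split_store_path` rejects it before any file name is built.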

Remaining items to implement are:

  • Migrations from non-Secure Boot machines (old generation files)
  • Alternative Nix store paths
  • Key rotation support
  • Bootspec (abuse) cleanups
  • Automatic synchronization policies for changing PKI (rotating keys, re-enrolling them, etc.)
  • NixOS specialisations support
  • Automatic removal of unused files relative to the configurationLimit option
  • os-release patch so systemd-boot shows pretty names with the generation number

lanzaboote

lanzaboote is the stub that lanzatool uses to form a UKI. It loads a Linux kernel and initrd without breaking the Secure Boot chain of trust. Instead of rolling our own crypto, lanzaboote re-uses the signature verification built into UEFI: with Secure Boot enabled, the firmware's own image loading refuses a PE image whose Authenticode signature does not chain to a certificate in db (or whose hash is in dbx), so the trust decision stays in the firmware rather than being reimplemented in the stub.

Remaining items to implement are:

  • TPM measurements like systemd-stub does
  • Better error management

Relevant Nixpkgs Work

This project depends on upstream nixpkgs work:

You can find everything integrated as a PoC here.