secure boot for nixos ~ personal fork
Go to file
Ryan Lahfa 81975f3bc4
Merge pull request #257 from nix-community/aarch64-ci
feat(flake): perform final fixups to the flake outputs
2023-11-10 14:23:16 +00:00
.github renovate: ignore goblin updates 2023-10-16 10:51:59 +02:00
docs docs: clarify migration path for new installations 2023-10-30 10:14:55 +01:00
nix tests: add 5 minutes default timeout 2023-10-30 13:40:20 +01:00
rust Merge pull request #254 from nix-community/renovate/all 2023-11-08 19:59:35 +01:00
.envrc Initial import of Rust files 2022-11-21 12:31:23 +01:00
.gitignore flake: enable pre-commit hooks 2023-01-08 14:42:53 +01:00
LICENSE Add GPLv3 license 2022-11-26 03:12:24 +01:00
README.md docs: Add troubleshooting documentation 2023-10-03 21:08:12 +02:00
default.nix chore: support non-flake users 2022-12-26 01:22:34 +01:00
flake.lock chore(deps): lock file maintenance 2023-11-08 11:02:15 +00:00
flake.nix feat(flake): perform final fixups to the flake outputs 2023-11-10 15:15:48 +01:00

README.md

Lanzaboote: Secure Boot for NixOS

Chat on Matrix GitHub branch checks state made-with-rust GitHub

This repository contains tooling for UEFI Secure Boot on NixOS. The goal is to make Secure Boot available from nixpkgs for any platform that supports UEFI.

Quickstart

If you want to try this out, head over here for instructions. In case of any issues, have a look at the troubleshooting document.

🪛 Get Involved 🪛

There is still a bunch of work to do before this work can be upstreamed into nixpkgs. Please coordinate in the Matrix room or check the issues, if you want to take something up.

Overview

Secure Boot

The goal of UEFI Secure Boot is to allow only trusted operating systems to boot on a system. This can be used to defend against certain classes of attacks that compromise the boot flow of a system. For example, an attacker will have difficulty replacing the Linux kernel that boots a system when Secure Boot is active.

UEFI Secure Boot works by digitally signing all drivers, bootloaders, the Linux kernel and its initrd. This establishes a chain of trust where one trusted component only hands off control to the next part of the boot flow when the integrity of the chain is cryptographically validated.

Caveats

There are some additional steps that are required to make UEFI Secure Boot effective:

  • There must be a BIOS password or a similar restriction that prevents unauthorized changes to the Secure Boot policy.
  • The booted system must have some form of integrity protection.
  • The firmware must be kept up-to-date.

These steps will not be covered here.

lzbt-*, the Lanzaboote tool

At the moment, boot loaders, kernels and initrds on NixOS are signed on the current system. These then need to be prepared as Unified Kernel Images (UKI) and placed on the EFI System Partition (ESP).

lzbt is a Linux command line application that takes care of this flow. It takes a NixOS bootspec document, signs the relevant files, creates a UKI using the stub (see below) and installs the UKI along with other required files to the ESP. lzbt is also aware of multiple NixOS generations and will sign all configurations that should be bootable.

We have multiple backends for lzbt:

In the future, lzbt may support more backends.

Shared code lives in rust/tool/shared.

Stub

When the Linux kernel and initrd are packed into a UKI, they need an UEFI application stub. This role is typically filled by systemd-stub.

The downside of systemd-stub is that it requires the kernel and initrd to be packed into the UKI, which makes it pretty large. As we need one UKI per NixOS configuration, systems with many configurations quickly run out of the limited disk space in the ESP.

The Lanzaboote stub is a UEFI stub that solves the same problem as systemd-stub, but allows kernel and initrd to be stored separately on the ESP. The chain of trust is maintained by validating the signature on the Linux kernel and embedding a cryptographic hash of the initrd into the signed UKI.

The stub is available in a "thin" and a "fat" variant. The "thin" variant is the one described above and is tailor made for NixOS. The "fat" variant aims to work exactly like the systemd-stub---in fact, it's supposed to eventually replace it. The "thin" variant is the default, you can build it from the stub directory with cargo build. The "fat" variant needs to be enabled at build time with cargo build --no-default-features --features fat.

The stub lives in rust/uefi/stub.

Fwupd

When both Lanzaboote and services.fwupd are enabled, for fwupd.service a preStart will be added that ensures a signed fwupd binary is placed in /run that fwupd will use.

State of Upstreaming to Nixpkgs

SecureBoot is available by adding this project to your configuration.

It relies on bootspec which is enabled by default since NixOS 23.05.

An optimistic plan is to have a "in-tree" feature preview of Lanzaboote as part of NixOS 23.11.

Funding

Logo of NLnet Foundation     Logo of NGI Assure

This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. Applications are still open, you can apply today.

If your organization wants to support the project with extra funding in order to add support for more architectures, PKCS#11 workflows or integration, please contact one of the maintainers.