95f596f4dc
* lanzatool: add support for generations and correct naming of kerels and initrds * test: use convert_to_esp(extract_bspec_attr(⋅)) for unsigned tests * lanzatool: ryan is a B class engineer Co-authored-by: nikstur@outlook.com |
||
|---|---|---|
| nix | ||
| pki | ||
| rust | ||
| .envrc | ||
| .gitignore | ||
| LICENSE | ||
| README.md | ||
| flake.lock | ||
| flake.nix | ||
README.md
Lanzaboote
🚧🚧🚧 This is not working yet. Come back later. 🚧🚧🚧
This repository contains experimental tooling for Secure Boot on NixOS.
High-Level Boot Flow
flowchart LR
systemd[systemd-boot]
lanzaboote[lanzaboote]
kernel[Linux Kernel]
systemd --> lanzaboote
lanzaboote --> kernel
lanzatool
lanzatool is a Linux command line application that takes a
bootspec document and
installs the boot files into the UEFI
ESP.
To make systemd-boot recognize a new boot target, lanzatool builds a
UKI image. To
avoid having to embed kernel and initrd, we use a custom stub
lanzaboote (see below) that loads kernel and initrd from the ESP.
lanzaboote
lanzaboote is the stub that lanzatool uses to form an UKI. It
loads a Linux kernel and initrd without breaking the Secure Boot chain
of trust. Instead of rolling our own crypto, lanzaboote re-uses the
signature verification that is built-in to UEFI.
Relevant Nixpkgs Work
This project depends on upstream nixpkgs work:
- https://github.com/NixOS/nixpkgs/pull/191665
- https://github.com/DeterminateSystems/bootspec-secureboot/
- https://github.com/DeterminateSystems/bootspec
You can find everything integrated as PoC here.