secure boot for nixos ~ personal fork
Ryan Lahfa 95f596f4dc lanzatool: add support for generations and correct naming of kernels a… (#12)
* lanzatool: add support for generations and correct naming of kernels and initrds

* test: use convert_to_esp(extract_bspec_attr(⋅)) for unsigned tests

* lanzatool: ryan is a B class engineer

Co-authored-by: nikstur@outlook.com
2022-11-26 03:14:21 +01:00
nix lanzatool: add support for generations and correct naming of kernels a… (#12) 2022-11-26 03:14:21 +01:00
pki nixos: add a lanzaboote module 2022-11-24 17:07:05 +01:00
rust lanzatool: add support for generations and correct naming of kernels a… (#12) 2022-11-26 03:14:21 +01:00
.envrc Initial import of Rust files 2022-11-21 12:31:23 +01:00
.gitignore .gitignore.nix: block result* in subdirectories too 2022-11-23 00:20:27 +01:00
LICENSE Add GPLv3 license 2022-11-26 03:12:24 +01:00
README.md docs: add more overview information 2022-11-24 11:41:35 +01:00
flake.lock nixos: add a lanzaboote module 2022-11-24 17:07:05 +01:00
flake.nix lanzatool: add support for generations and correct naming of kernels a… (#12) 2022-11-26 03:14:21 +01:00

README.md

Lanzaboote


🚧🚧🚧 This is not working yet. Come back later. 🚧🚧🚧

This repository contains experimental tooling for Secure Boot on NixOS.

High-Level Boot Flow

flowchart LR
    systemd[systemd-boot]
    lanzaboote[lanzaboote]
    kernel[Linux Kernel]

    systemd --> lanzaboote
    lanzaboote --> kernel

lanzatool

lanzatool is a Linux command line application that takes a bootspec document and installs the boot files into the UEFI ESP.

To make systemd-boot recognize a new boot target, lanzatool builds a UKI (Unified Kernel Image). To avoid having to embed the kernel and initrd in that image, we use a custom stub, lanzaboote (see below), that loads the kernel and initrd from the ESP.

lanzaboote

lanzaboote is the stub that lanzatool uses to form a UKI. It loads a Linux kernel and initrd without breaking the Secure Boot chain of trust. Instead of rolling our own crypto, lanzaboote reuses the signature verification that is built into UEFI.

Relevant Nixpkgs Work

This project depends on upstream nixpkgs work:

You can find everything integrated as PoC here.