min
/
lanzaboote
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
lanzaboote/README.md

3.2 KiB
Raw Blame History

Lanzaboote

GitHub branch checks state made-with-rust GitHub license

🚧🚧🚧 This is not working yet. Come back later. 🚧🚧🚧

This repository contains experimental tooling for Secure Boot on NixOS.

Remaining high-level things to do:

  • Document a experimental setup for developers on how to use this repository
  • Coordinate with bootspec RFC stakeholders to communicate a experience report on the bootspec usage ;
  • Upstream as much as possible things: Rust unstable things on a stable compiler (?), etc. ;
  • Unit testing for lanzatool ;
  • Investigating how this can fit into systemd-boot theory about sysexts for initrds while keeping NixOS semantics ;
  • Threat modelling explanations: "bring your own PKI", "share your PKI with MSFT CA", "bring rhboot shim with MOK", etc. ;
  • Ensuring 99 % of the paths are "happy paths" : protecting user against bricking their machines, identifying sources of risk, communicating intent and detecting risks ;
  • Experimenting with fwupd
  • Experimenting with TPM2 measurements
  • Studying the initrd secrets feature in NixOS wrt SecureBoot & TPM2

High-Level Boot Flow

flowchart LR
    systemd[systemd-boot]
	lanzaboote[lanzaboote]
	kernel[Linux Kernel]
	
	systemd --> lanzaboote
	lanzaboote --> kernel

lanzatool

lanzatool is a Linux command line application that takes a bootspec document and installs the boot files into the UEFI ESP.

To make systemd-boot recognize a new boot target, lanzatool builds a UKI image. To avoid having to embed kernel and initrd, we use a custom stub lanzaboote (see below) that loads kernel and initrd from the ESP.

Remaining items to implement are:

  • Migrations from non-SecureBoot machine (old generation files) ;
  • Alternative Nix stores paths ;
  • Key rotation support ;
  • Bootspec (abuse) cleanups ;
  • Automatic synchronization policies for changing PKI (rotating keys, re-enrolling them, etc.) ;
  • NixOS specialisations support ;
  • Automatic removal of unused files relative to the configurationLimit option ;
  • os-release patch so systemd-boot shows pretty names with generation number

lanzaboote

lanzaboote is the stub that lanzatool uses to form an UKI. It loads a Linux kernel and initrd without breaking the Secure Boot chain of trust. Instead of rolling our own crypto, lanzaboote re-uses the signature verification that is built-in to UEFI.

Remaining items to implement are:

  • TPM measurements like systemd-stub does
  • Better error management

Relevant Nixpkgs Work

This project depends on upstream nixpkgs work:

You can find everything integrated as PoC here.