secure boot for nixos ~ personal fork

Go to file

Jörg Thalheim a4ddbada50 deduplicate flakes without this users end up with multiple copies of nixpkgs, which cannot be overriden from the outside (follows only works on 1 level).		2022-12-08 20:40:40 +01:00
nix	nix: switch everything to crane and drop naersk	2022-11-28 14:01:35 +01:00
pki	nixos: add a lanzaboote module	2022-11-24 17:07:05 +01:00
rust	lanzaboote: fix clippy issues	2022-11-28 13:38:01 +01:00
.envrc	Initial import of Rust files	2022-11-21 12:31:23 +01:00
.gitignore	.gitignore.nix: block result* in subdirectories too	2022-11-23 00:20:27 +01:00
LICENSE	Add GPLv3 license	2022-11-26 03:12:24 +01:00
README.md	doc: mention aarch64 support	2022-11-26 16:22:53 +01:00
flake.lock	deduplicate flakes	2022-12-08 20:40:40 +01:00
flake.nix	deduplicate flakes	2022-12-08 20:40:40 +01:00

README.md

Lanzaboote: Secure Boot for NixOS

🚧🚧🚧 This is not ready for non-developer usage. 🚧🚧🚧

This repository contains experimental tooling for Secure Boot on NixOS.

🪛 To Do 🪛

There is a bunch of work to do. Please coordinate in the Matrix room, if you want to take something up:

Overview documentation about the approach
Document a experimental setup for developers on how to use this repository
Coordinate with bootspec RFC stakeholders to communicate a experience report on the bootspec usage
Cleaning up flakes.nix for AArch64
Upstream nixpkgs work
- Lanzatool
- Lanzaboote (needs unstable Rust!)
- NixOS boot loader installation etc.
Unit testing for Lanzatool
Investigating how this can fit into systemd-boot theory about sysexts for initrds while keeping NixOS semantics
Threat modelling explanations: "bring your own PKI", "share your PKI with MSFT CA", "bring rhboot shim with MOK", etc.
Ensuring 99 % of the paths are "happy paths" : protecting user against bricking their machines, identifying sources of risk, communicating intent and detecting risks
Experimenting with fwupd / Green Checkmark in GNOME Device Security
- https://github.com/fwupd/fwupd/issues/5284
Experimenting with TPM2 measurements
Studying the initrd secrets feature in NixOS wrt SecureBoot & TPM2
...

High-Level Boot Flow

flowchart LR
	systemd[systemd-boot]
	lanzaboote[lanzaboote]
	kernel[Linux Kernel]

	systemd --> lanzaboote
	lanzaboote --> kernel

lanzatool

lanzatool is a Linux command line application that takes a bootspec document and installs the boot files into the UEFI ESP.

To make systemd-boot recognize a new boot target, lanzatool builds a UKI image. To avoid having to embed kernel and initrd, we use a custom stub lanzaboote (see below) that loads kernel and initrd from the ESP.

Remaining items to implement are:

Migrations from non-SecureBoot machine (old generation files) ;
Alternative Nix stores paths ;
Key rotation support ;
Bootspec (abuse) cleanups ;
Automatic synchronization policies for changing PKI (rotating keys, re-enrolling them, etc.) ;
NixOS specialisations support ;
Automatic removal of unused files relative to the configurationLimit option ;
os-release patch so systemd-boot shows pretty names with generation number

lanzaboote

lanzaboote is the stub that lanzatool uses to form an UKI. It loads a Linux kernel and initrd without breaking the Secure Boot chain of trust. Instead of rolling our own crypto, lanzaboote re-uses the signature verification that is built-in to UEFI.

Remaining items to implement are:

TPM measurements like systemd-stub does
Better error management

Relevant Nixpkgs Work

This project depends on upstream nixpkgs work:

You can find everything integrated as PoC here.