secure boot for nixos ~ personal fork
Jörg Thalheim a4ddbada50 deduplicate flakes
without this users end up with multiple copies of nixpkgs, which cannot
be overridden from the outside (follows only works on 1 level).
2022-12-08 20:40:40 +01:00
nix nix: switch everything to crane and drop naersk 2022-11-28 14:01:35 +01:00
pki nixos: add a lanzaboote module 2022-11-24 17:07:05 +01:00
rust lanzaboote: fix clippy issues 2022-11-28 13:38:01 +01:00
.envrc Initial import of Rust files 2022-11-21 12:31:23 +01:00
.gitignore .gitignore.nix: block result* in subdirectories too 2022-11-23 00:20:27 +01:00
LICENSE Add GPLv3 license 2022-11-26 03:12:24 +01:00
README.md doc: mention aarch64 support 2022-11-26 16:22:53 +01:00
flake.lock deduplicate flakes 2022-12-08 20:40:40 +01:00
flake.nix deduplicate flakes 2022-12-08 20:40:40 +01:00

README.md

Lanzaboote: Secure Boot for NixOS


🚧🚧🚧 This is not ready for non-developer usage. 🚧🚧🚧

This repository contains experimental tooling for Secure Boot on NixOS.

🪛 To Do 🪛

There is a bunch of work to do. Please coordinate in the Matrix room if you want to take something up:

  • Overview documentation about the approach
  • Document an experimental setup for developers on how to use this repository
  • Coordinate with bootspec RFC stakeholders to communicate an experience report on the bootspec usage
  • Cleaning up flake.nix for AArch64
  • Upstream nixpkgs work
    • Lanzatool
    • Lanzaboote (needs unstable Rust!)
    • NixOS boot loader installation etc.
  • Unit testing for Lanzatool
  • Investigating how this can fit into systemd-boot's theory about sysexts for initrds while keeping NixOS semantics
  • Threat modelling explanations: "bring your own PKI", "share your PKI with MSFT CA", "bring rhboot shim with MOK", etc.
  • Ensuring 99 % of the paths are "happy paths": protecting users against bricking their machines, identifying sources of risk, communicating intent, and detecting risks
  • Experimenting with fwupd / Green Checkmark in GNOME Device Security
  • Experimenting with TPM2 measurements
  • Studying the initrd secrets feature in NixOS wrt SecureBoot & TPM2
  • ...

High-Level Boot Flow

```mermaid
flowchart LR
	systemd[systemd-boot]
	lanzaboote[lanzaboote]
	kernel[Linux Kernel]

	systemd --> lanzaboote
	lanzaboote --> kernel
```

lanzatool

lanzatool is a Linux command line application that takes a bootspec document and installs the boot files into the UEFI ESP.

To make systemd-boot recognize a new boot target, lanzatool builds a UKI image. To avoid having to embed the kernel and initrd in that image, we use a custom stub, lanzaboote (see below), that loads the kernel and initrd from the ESP.

Remaining items to implement are:

  • Migrations from non-Secure Boot machines (old generation files);
  • Alternative Nix store paths;
  • Key rotation support;
  • Bootspec (abuse) cleanups;
  • Automatic synchronization policies for changing PKI (rotating keys, re-enrolling them, etc.);
  • NixOS specialisations support;
  • Automatic removal of unused files relative to the configurationLimit option;
  • os-release patch so systemd-boot shows pretty names with generation number

lanzaboote

lanzaboote is the stub that lanzatool uses to form a UKI. It loads a Linux kernel and initrd without breaking the Secure Boot chain of trust. Instead of rolling our own crypto, lanzaboote re-uses the signature verification that is built into UEFI.

Remaining items to implement are:

  • TPM measurements like systemd-stub does
  • Better error management
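Because the stub above relies on the firmware's own Authenticode verification, the first thing an operator wants to know before enabling Secure Boot is whether the files lanzatool placed on the ESP actually carry a certificate table at all; a UKI or stub without one is rejected outright by the firmware, which is one of the "bricking" scenarios listed in the to-do section. The following Python script is an added example, not code from the lanzaboote project: it walks the PE/COFF headers of an `.efi` file and reports the `IMAGE_DIRECTORY_ENTRY_SECURITY` entry. The `build_minimal_pe` helper constructs a synthetic PE32+ image purely for testing; the field offsets come from the PE/COFF specification. Note the caveat in the docstring: presence of a certificate table is necessary but not sufficient, since only the firmware (or a tool such as `sbverify` against the enrolled `db`) decides whether the signature chains to a trusted key.

```python
"""Audit ESP files for the presence of an Authenticode certificate table.

This is an added example, not part of lanzaboote or lanzatool. It checks
whether a PE/COFF image has a security directory, which is a precondition
for UEFI's built-in signature verification to succeed. It does NOT verify
the signature itself; that is the firmware's (or sbverify's) job.
"""
import struct
from pathlib import Path
from typing import Optional, Tuple

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data directory index of the certificate table


def security_directory(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (file_offset, size) of the certificate table, or None if absent.

    Unlike other data directories, the security directory holds a raw file
    offset rather than an RVA. Raises ValueError for non-PE input.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")

    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (offset 16), Characteristics
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x20B:      # PE32+ (what UEFI x86_64 / AArch64 binaries use)
        dd_offset = opt + 112
    elif magic == 0x10B:    # PE32
        dd_offset = opt + 96
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")

    # NumberOfRvaAndSizes sits right before the data directory array.
    (num_dirs,) = struct.unpack_from("<I", data, dd_offset - 4)
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    entry = dd_offset + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + size_of_optional:
        raise ValueError("data directory extends past the optional header")
    offset, size = struct.unpack_from("<II", data, entry)
    if offset == 0 or size == 0:
        return None
    if offset + size > len(data):
        raise ValueError("certificate table points outside the file")
    return offset, size


def is_signed(data: bytes) -> bool:
    """True if the image carries a certificate table (not a validity check)."""
    return security_directory(data) is not None


def scan_esp(root: Path) -> dict:
    """Map every *.efi / *.EFI under root to True/False (signed?) or an error string."""
    report = {}
    for path in sorted(root.rglob("*")):
        if path.suffix.lower() != ".efi" or not path.is_file():
            continue
        try:
            report[str(path)] = is_signed(path.read_bytes())
        except ValueError as exc:
            report[str(path)] = f"error: {exc}"
    return report


def build_minimal_pe(with_cert_table: bool) -> bytes:
    """Constructed test data: a header-only PE32+ image, optionally with a
    (dummy, zero-filled) certificate table appended. Not a real bootloader."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    n_dirs = 16
    size_of_optional = 112 + 8 * n_dirs
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, size_of_optional, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * (108 - 2) + struct.pack("<I", n_dirs)
    dirs = bytearray(8 * n_dirs)
    headers_len = len(dos) + 4 + len(coff) + len(opt) + len(dirs)
    cert = b""
    if with_cert_table:
        cert = b"\0" * 64  # stands in for a WIN_CERTIFICATE blob
        struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         headers_len, len(cert))
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + cert


if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1] if len(sys.argv) > 1 else "/boot")
    for name, status in scan_esp(root).items():
        print(f"{'signed' if status is True else status!s:>8}  {name}")
```

Run it as `python3 esp_audit.py /boot` (or wherever the ESP is mounted) before flipping Secure Boot on; any `False` or `error:` line is a file the firmware will refuse to load. The script is read-only and needs no root beyond what reading the ESP requires.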

Relevant Nixpkgs Work

This project depends on upstream nixpkgs work:

You can find everything integrated as a PoC here.