secure boot for nixos ~ personal fork
Go to file
Raito Bezarius c38e155d3c documentation: add a simple quick start 2022-12-25 18:16:14 +01:00
docs documentation: add a simple quick start 2022-12-25 18:16:14 +01:00
nix nixos/lanzaboote: use upstream bootspec for extension generation 2022-12-25 18:05:07 +01:00
pki nixos: add a lanzaboote module 2022-11-24 17:07:05 +01:00
rust lanzatool: appease clippy by removing borrow 2022-12-25 18:05:07 +01:00
.envrc Initial import of Rust files 2022-11-21 12:31:23 +01:00
.gitignore .gitignore.nix: block result* in subdirectories too 2022-11-23 00:20:27 +01:00
LICENSE Add GPLv3 license 2022-11-26 03:12:24 +01:00
README.md Merge pull request #26 from nix-community/upstream-bootspec 2022-12-25 18:11:28 +01:00
flake.lock nixos/lanzaboote: use upstream bootspec for extension generation 2022-12-25 18:05:07 +01:00
flake.nix nixos/lanzaboote: use upstream bootspec for extension generation 2022-12-25 18:05:07 +01:00

README.md

Lanzaboote: Secure Boot for NixOS

Chat on Matrix GitHub branch checks state made-with-rust GitHub

🚧🚧🚧 This is not ready for non-developer usage. 🚧🚧🚧

This repository contains experimental tooling for Secure Boot on NixOS.

🪛 To Do 🪛

There is a bunch of work to do. Please coordinate in the Matrix room, if you want to take something up:

  • Overview documentation about the approach
  • Document a experimental setup for developers on how to use this repository
  • Coordinate with bootspec RFC stakeholders to communicate a experience report on the bootspec usage
  • Cleaning up flakes.nix for AArch64
  • Upstream nixpkgs work
    • Lanzatool
    • Lanzaboote (needs unstable Rust!)
    • NixOS boot loader installation etc.
  • Unit testing for Lanzatool
  • Investigating how this can fit into systemd-boot theory about sysexts for initrds while keeping NixOS semantics
  • Threat modelling explanations: "bring your own PKI", "share your PKI with MSFT CA", "bring rhboot shim with MOK", etc.
  • Ensuring 99 % of the paths are "happy paths" : protecting user against bricking their machines, identifying sources of risk, communicating intent and detecting risks
  • Experimenting with fwupd / Green Checkmark in GNOME Device Security
  • Experimenting with TPM2 measurements
  • Support bootspec with no initrd
  • Studying the initrd secrets feature in NixOS wrt SecureBoot & TPM2
  • ...

High-Level Boot Flow

flowchart LR
	systemd[systemd-boot]
	lanzaboote[lanzaboote]
	kernel[Linux Kernel]

	systemd --> lanzaboote
	lanzaboote --> kernel

lanzatool

lanzatool is a Linux command line application that takes a bootspec document and installs the boot files into the UEFI ESP.

To make systemd-boot recognize a new boot target, lanzatool builds a UKI image. To avoid having to embed kernel and initrd, we use a custom stub lanzaboote (see below) that loads kernel and initrd from the ESP.

Remaining items to implement are:

  • Migrations from non-SecureBoot machine (old generation files) ;
  • Alternative Nix stores paths ;
  • Key rotation support ;
  • Bootspec (abuse) cleanups ;
  • Automatic synchronization policies for changing PKI (rotating keys, re-enrolling them, etc.) ;
  • NixOS specialisations support ;
  • Automatic removal of unused files relative to the configurationLimit option ;
  • os-release patch so systemd-boot shows pretty names with generation number

lanzaboote

lanzaboote is the stub that lanzatool uses to form an UKI. It loads a Linux kernel and initrd without breaking the Secure Boot chain of trust. Instead of rolling our own crypto, lanzaboote re-uses the signature verification that is built-in to UEFI.

Remaining items to implement are:

  • TPM measurements like systemd-stub does
  • Better error management

Relevant Nixpkgs Work

This project depends on upstream nixpkgs work:

You can find everything integrated as PoC here.

Funding

Logo of NLnet Foundation     Logo of NGI Assure

This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. Applications are still open, you can apply today.

If your organization wants to support the project with extra funding in order to add support for more architectures, PKCS#11 workflows or integration, please contact one of the maintainers.