Secure Boot: Difference between revisions

(3 intermediate revisions by 2 users not shown)

Line 1:

Line 7:

Line 8:

On NixOS, Secure Boot can be enabled via the project [https://github.com/nix-community/lanzaboote Lanzaboote].

Alternatively, by using the [[Limine]] project.

It is recommended to enable a BIOS password and full disc encryption to prevent attacks against UEFI and Secure Boot.

== Lanzaboote ==

Lanzaboote has two components: <code>lzbt</code> and <code>stub</code>.

Line 21:

Line 27:

{{warning|Lanzaboote is still in development and requires some prerequisites and precautions. Currently it's only available for nixos-unstable. For more information, please see the GitHub repository or the Quick Start guide.}}

== Requirements ==

=== Requirements ===

Line 41:

Line 47:

</syntaxHighlight>

~~~~

~~It is recommended to enable a BIOS password and full disc encryption to prevent attacks against UEFI and Secure Boot.~~

== Setup ==

=== Setup ===

Line 50:

Line 55:

== Key management ==

=== Key management ===

At the time of writing, Lanzaboote offers only local storage of the keyring, otherwise, it is not possible to rebuild the system and sign the new resulting files.

Line 60:

Line 65:

== Differences with `systemd-stub` ==

=== Differences with `systemd-stub` ===

systemd and distribution upstream have an existing solution called `systemd-stub` but this is not a realistic solution for NixOS as there's too many generations on a system.

@@ Line 1: / Line 1: @@
+<languages/>
 <translate>
 <!--T:1-->
@@ Line 7: / Line 8: @@
 <!--T:3-->
 On NixOS, Secure Boot can be enabled via the project [https://github.com/nix-community/lanzaboote Lanzaboote].
+Alternatively, by using the [[Limine]] project.
+<!--T:12-->
+It is recommended to enable a BIOS password and full disc encryption to prevent attacks against UEFI and Secure Boot.
+== Lanzaboote ==
 <!--T:4-->
 Lanzaboote has two components: <code>lzbt</code> and <code>stub</code>.
@@ Line 21: / Line 27: @@
 {{warning|Lanzaboote is still in development and requires some prerequisites and precautions. Currently it's only available for nixos-unstable. For more information, please see the GitHub repository or the Quick Start guide.}}
-== Requirements == <!--T:8-->
+=== Requirements === <!--T:8-->
 <!--T:9-->
@@ Line 41: / Line 47: @@
 </syntaxHighlight>
-<!--T:12-->
-It is recommended to enable a BIOS password and full disc encryption to prevent attacks against UEFI and Secure Boot.
-== Setup == <!--T:13-->
+=== Setup === <!--T:13-->
 <!--T:14-->
@@ Line 50: / Line 55: @@
 <!--T:15-->
-== Key management ==
+=== Key management ===
 At the time of writing, Lanzaboote offers only local storage of the keyring, otherwise, it is not possible to rebuild the system and sign the new resulting files.
@@ Line 60: / Line 65: @@
 <!--T:18-->
-== Differences with `systemd-stub` ==
+=== Differences with `systemd-stub` ===
 systemd and distribution upstream have an existing solution called `systemd-stub` but this is not a realistic solution for NixOS as there's too many generations on a system.