|
|
| (One intermediate revision by one other user not shown) |
| Line 7: |
Line 7: |
| Secure Boot has multiple implementations, the most known one is UEFI Secure Boot, which relies on the UEFI platform firmware, but others implementations can exist on embedded systems. | | Secure Boot has multiple implementations, the most known one is UEFI Secure Boot, which relies on the UEFI platform firmware, but others implementations can exist on embedded systems. |
|
| |
|
| There are at present two ways to enable Secure Boot for NixOS. The first is by using [[Limine]]. This has the advantage of being entirely in tree in nixpkgs.
| | <!--T:3--> |
| | | On NixOS, Secure Boot can be enabled via the project [https://github.com/nix-community/lanzaboote Lanzaboote]. |
| Secondly, one can use the [https://github.com/nix-community/lanzaboote Lanzaboote] project.
| | Alternatively, by using the [[Limine]] project. |
|
| |
|
| <!--T:12--> | | <!--T:12--> |
| It is recommended to enable a BIOS password and full disc encryption to prevent attacks against UEFI and Secure Boot. | | It is recommended to enable a BIOS password and full disc encryption to prevent attacks against UEFI and Secure Boot. |
|
| |
|
| == Limine == | | == Lanzaboote == |
| Limine Secure Boot support is principally controlled by the [https://search.nixos.org/options?channel=unstable&show=boot.loader.limine.secureBoot.enable&query=boot.loader.limine.secureBoot.enable module options].
| |
| | |
| To enable Secure Boot, first switch to Limine as your bootloader. You may find the existing documentation for both [[Limine]] and [[Bootloader]] helpful.
| |
| | |
| Then
| |
| | |
| Add <code>sbctl</code> to you systems packages. It must be installed on a system level.
| |
| | |
| Generate keys with <core>sbctl create-keys</code>
| |
| | |
| Enable Secure Boot Setup Mode. This usually involves entering the BIOS and selecting an option to do so. On some BIOS implementations, there is not an explicit option to do so, but it will enter setup mode if one clears all Secure Boot keys.
| |
| | |
| Now, run <code>sbctl enroll-keys -m -f.</code> to actually enroll your keys.
| |
| | |
| You can now rebuild with <code>boot.loader.limine.secureBoot.enable</true> set to true, and disable Secure Boot setup mode.
| |
| | |
| If this has been successful, you can check using <code>bootctl status</code>
| |
| | |
| <syntaxHighlight lang=console>
| |
| $ bootctl status
| |
| systemd-boot not installed in ESP.
| |
| System:
| |
| Firmware: n/a (n/a)
| |
| Firmware Arch: x64
| |
| Secure Boot: enabled (user)
| |
| ...
| |
| </syntaxHighlight>
| |
| | |
| | |
| <!--T:4--> | | <!--T:4--> |
| == Lanzaboote ==
| |
| Lanzaboote has two components: <code>lzbt</code> and <code>stub</code>. | | Lanzaboote has two components: <code>lzbt</code> and <code>stub</code>. |
|
| |
|