Jump to content

Lanzaboote: Difference between revisions

From Official NixOS Wiki
← Older edit
VisualWikitext
Ben9986 (talk | contribs)
25 edits
m Correct redirect URL
Tags: Redirect target changed Visual edit
Ben9986 (talk | contribs)
25 edits
m Remove stray translation marker from previous page
 
(4 intermediate revisions by the same user not shown)
Line 1: Line 1:
#REDIRECT [[Secure Boot#Lanzaboote]]
<translate>


__INDEX__
The Lanzaboote project allows [[Secure Boot]] to be enabled on NixOS with relative ease.
 
It has two main components: <code>lzbt</code> and <code>stub</code>.
 
<code>lzbt</code> is the command line that signs and installs the boot files on the ESP.
 
<code>stub</code> is a UEFI application that loads the kernel and initrd from the ESP, it's different from systemd-stub, see [[Lanzaboote#Differences with `systemd-stub`|below]] to see precise differences.{{warning|Lanzaboote is still in development and requires some prerequisites and precautions. Currently it's only available for nixos-unstable. For more information, please see the GitHub repository or the Quick Start guide.}}
 
=== Requirements ===
The Secure Boot implementation of Lanzaboote requires a system installed in UEFI mode together with systemd-boot enabled.  This can be checked by running <code>bootctl status</code>:<syntaxhighlight lang="console">$ bootctl status
System:
    Firmware: UEFI 2.70 (Lenovo 0.4720)
  Secure Boot: disabled (disabled)
TPM2 Support: yes
Boot into FW: supported
 
Current Boot Loader:
      Product: systemd-boot 251.7
...</syntaxhighlight>
 
=== Setup ===
Follow the instructions in the [https://github.com/nix-community/lanzaboote/blob/master/docs/getting-started/prepare-your-system.md Quick Start guide].
 
=== Key management ===
At the time of writing, Lanzaboote offers only local storage of the keyring, otherwise, it is not possible to rebuild the system and sign the new resulting files.
 
In the future, Lanzaboote will offer two new signature backends: remote signing (an HTTP server which receives signature requests and answers with signatures) and PKCS#11-based signing (that is, bringing an HSM-like device, e.g. YubiKey, NitroKey, etc.).{{Warning|Key management is a hard problem which is out of scope for Lanzaboote project, many recipes exist and there is no single perfect solution. Taking the time to learn how to key manage and figure out the right level of threat protection is crucial to achieve an effective boot protection.}}
 
=== Differences with `systemd-stub` ===
systemd and distribution upstream have an existing solution called `systemd-stub` but this is not a realistic solution for NixOS as there's too many generations on a system.
 
Using `systemd-stub`, a kernel and an initrd has to be duplicated for '''each generation''', using Lanzaboote's stub, a kernel and initrd can be '''deduplicated''' without compromising on the security.
 
Tracking the feature parity with `systemd-stub` can be done in this issue: https://github.com/nix-community/lanzaboote/issues/94.
</translate>

Latest revision as of 22:24, 9 December 2025

The Lanzaboote project allows Secure Boot to be enabled on NixOS with relative ease.

It has two main components: lzbt and stub.

lzbt is the command line that signs and installs the boot files on the ESP.

stub is a UEFI application that loads the kernel and initrd from the ESP, it's different from systemd-stub, see below to see precise differences.

⚠︎
Warning: Lanzaboote is still in development and requires some prerequisites and precautions. Currently it's only available for nixos-unstable. For more information, please see the GitHub repository or the Quick Start guide.

Requirements

The Secure Boot implementation of Lanzaboote requires a system installed in UEFI mode together with systemd-boot enabled. This can be checked by running bootctl status:

$ bootctl status
System:
     Firmware: UEFI 2.70 (Lenovo 0.4720)
  Secure Boot: disabled (disabled)
 TPM2 Support: yes
 Boot into FW: supported

Current Boot Loader:
      Product: systemd-boot 251.7
...

Setup

Follow the instructions in the Quick Start guide.

Key management

At the time of writing, Lanzaboote offers only local storage of the keyring, otherwise, it is not possible to rebuild the system and sign the new resulting files.

In the future, Lanzaboote will offer two new signature backends: remote signing (an HTTP server which receives signature requests and answers with signatures) and PKCS#11-based signing (that is, bringing an HSM-like device, e.g. YubiKey, NitroKey, etc.).

⚠︎
Warning: Key management is a hard problem which is out of scope for Lanzaboote project, many recipes exist and there is no single perfect solution. Taking the time to learn how to key manage and figure out the right level of threat protection is crucial to achieve an effective boot protection.

Differences with `systemd-stub`

systemd and distribution upstream have an existing solution called `systemd-stub` but this is not a realistic solution for NixOS as there's too many generations on a system.

Using `systemd-stub`, a kernel and an initrd has to be duplicated for each generation, using Lanzaboote's stub, a kernel and initrd can be deduplicated without compromising on the security.

Tracking the feature parity with `systemd-stub` can be done in this issue: https://github.com/nix-community/lanzaboote/issues/94.

Retrieved from "https://wiki.nixos.org/w/index.php?title=Lanzaboote&oldid=28945"