|
|
| (19 intermediate revisions by 11 users not shown) |
| Line 1: |
Line 1: |
| Secure Boot can be enabled on NixOS using the project [https://github.com/nix-community/lanzaboote Lanzaboote]. Secure Boot is a UEFI feature that only allows trusted operating systems to boot. Lanzaboote has two components: <code>lzbt</code> and <code>stub</code>. <code>lzbt</code> signs and installs the boot files on the ESP. <code>stub</code> is a UEFI application that loads the kernel and initrd from the ESP.
| | <languages/> |
| | <translate> |
| | <!--T:1--> |
| | Secure Boot usually refers to a platform firmware capability to verify the boot components and ensure that only your own operating system is allowed to boot. |
|
| |
|
| {{warning|Lanzaboote is still in development and requires some prerequisites and precautions. Currently it's only available for nixos-unstable. For more information, please see the GitHub repository or the Quick Start guide.}}
| | <!--T:2--> |
| | Secure Boot has multiple implementations, the most well known one is UEFI Secure Boot, which relies on the UEFI platform firmware, but other implementations can exist on embedded systems. |
|
| |
|
| == Requirements ==
| | <!--T:21--> |
| | [[Category:Security]] |
| | [[Category:Booting]] |
|
| |
|
| The Secure Boot implementation of Lanzaboote requires a system installed in UEFI mode together with systemd-boot enabled. This can be checked by running <code>bootctl status</code>: | | <!--T:22--> |
| | | == Checking Secure Boot status == |
| <syntaxHighlight> | | The easiest way to check if your machine has Secure Boot enabled is through the use of [[Systemd]]'s <code>bootctl</code>. There is no need to be using [[Systemd/boot|systemd-boot]] as your bootloader for this command to work. <syntaxhighlight lang="console"> |
| $ bootctl status | | $ bootctl status |
| System: | | System: |
| Firmware: UEFI 2.70 (Lenovo 0.4720)
| | Firmware: UEFI 2.80 (American Megatrends 5.25) |
| Secure Boot: disabled (disabled)
| | Firmware Arch: x64 |
| TPM2 Support: yes
| | Secure Boot: enabled (user) |
| Boot into FW: supported
| | TPM2 Support: yes |
| | | Measured UKI: yes |
| Current Boot Loader:
| | Boot into FW: supported |
| Product: systemd-boot 251.7
| |
| ... | | ... |
| </syntaxHighlight> | | </syntaxhighlight>The system above has secure boot enabled and enforced. Other values include <code>disabled (setup)</code> for Setup Mode, <code>disabled (disabled)</code> or <code>disabled (unsupported)</code>. The unsupported tag only appears if your device firmware does not support Secure Boot at all. |
| | | If you see <code>disabled (disabled)</code>, this means you will need to enable Secure Boot in your UEFI firmware settings before proceeding to use one of the projects outlined below. |
| It is recommended to enable a BIOS password and full disc encryption to prevent attacks against UEFI and Secure Boot.
| |
| | |
| == Setup ==
| |
| | |
| First generate Secure Boot keys using <code>sbctl</code>:
| |
| | |
| <syntaxHighlight lang="bash">
| |
| sudo nix run nixpkgs#sbctl create-keys
| |
| </syntaxHighlight>
| |
| | |
| After that switch from <code>lzbt</code> to <code>bootspec</code> by adding following line to the system configuration:
| |
| | |
| {{file|/etc/nixos/configuration.nix|nix|<nowiki>
| |
| boot.bootspec.enable = true;
| |
| </nowiki>}}
| |
| | |
| Rebuild the system and reboot. When everything is working, you can garbage collect your old non-bootspec generations:
| |
| | |
| <syntaxHighlight lang="bash"> | |
| sudo nix-collect-garbage -d.
| |
| </syntaxHighlight> | |
| | |
| Adjust the following in your flake-enabled system flake.nix configuration by adding the input and adding the lanzaboote nixos module:
| |
| | |
| {{file|/etc/nixos/flake.nix|nix|<nowiki>
| |
| [...]
| |
| inputs = {
| |
| nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
| |
| lanzaboote.url = "github:nix-community/lanzaboote";
| |
| };
| |
| [...]
| |
| outputs = { self, nixpkgs, lanzaboote, ...}: {
| |
| nixosConfigurations = {
| |
| yourHost = nixpkgs.lib.nixosSystem {
| |
| system = "x86_64-linux";
| |
| | |
| modules = [
| |
| # This is not a complete NixOS configuration and you need to reference
| |
| # your normal configuration here.
| |
| | |
| lanzaboote.nixosModules.lanzaboote
| |
| [...]
| |
| </nowiki>}}
| |
| | |
| In your system configuration explicitly disable <code>systemd-boot</code> and replace it by enabling <code>lanzaboote</code>:
| |
| | |
| {{file|/etc/nixos/configuration.nix|nix|<nowiki>
| |
| boot = {
| |
| loader.systemd-boot.enable = lib.mkForce false;
| |
| lanzaboote = {
| |
| enable = true;
| |
| pkiBundle = "/etc/secureboot";
| |
| };
| |
| };
| |
| </nowiki>}}
| |
| | |
| After you rebuild your system, check <code>sbctl verify</code> output:
| |
| | |
| <syntaxHighlight lang="bash">
| |
| $ sudo nix run nixpkgs#sbctl verify
| |
| Verifying file database and EFI images in /boot...
| |
| ✓ /boot/EFI/BOOT/BOOTX64.EFI is signed
| |
| ✓ /boot/EFI/Linux/nixos-generation-355.efi is signed
| |
| ✓ /boot/EFI/Linux/nixos-generation-356.efi is signed
| |
| ✗ /boot/EFI/nixos/0n01vj3mq06pc31i2yhxndvhv4kwl2vp-linux-6.1.3-bzImage.efi is not signed
| |
| ✓ /boot/EFI/systemd/systemd-bootx64.efi is signed
| |
| </syntaxHighlight>
| |
| | |
| It is expected that the files ending with bzImage.efi are not signed.
| |
| | |
| For the last step, your UEFI firmware needs to be set to <code>Setup Mode</code> to allow enrolling Secure Boot keys. This varies depending on your vendor and notebookt model.
| |
| | |
| On a Thinkpad enter the BIOS menu using the "Reboot into Firmware" entry in the systemd-boot boot menu. Once you are in the BIOS menu:
| |
| | |
| 1) Select the "Security" tab.
| |
| 2) Select the "Secure Boot" entry.
| |
| 3) Set "Secure Boot" to enabled.
| |
| 4) Select "Reset to Setup Mode".
| |
| 5) Select "Clear All Secure Boot Keys".
| |
|
| |
|
| When you are done, press F10 to save and exit.
| | <!--T:23--> |
| | == Enabling Secure Boot on NixOS == |
| | On NixOS, there are currently two main ways to enable Secure Boot, [[Lanzaboote]] and [[Limine]]. See their respective wiki pages for step by step instructions on each. |
|
| |
|
| After reboot enroll your keys to enable Secure Boot. Microsoft keys are used to avoid any booting issues.
| | <!--T:24--> |
| | For Secure Boot to be most effective, there are certain conditions which should also be met. The most important are: |
|
| |
|
| <syntaxHighlight lang="bash"> | | <!--T:25--> |
| $ sudo nix run nixpkgs#sbctl enroll-keys -- --microsoft
| | # The UEFI firmware is protected by a strong password to prevent an untrusted drive from being booted or Secure Boot being disabled. |
| Enrolling keys to EFI variables...
| | # Full disk encryption is enabled so that your drive cannot simply be read by putting it another another machine. |
| With vendor keys from microsoft...✓
| | # Ideally, default OEM/third party keys are not in use as these have been shown to weaken the security of Secure Boot significantly.<ref>https://habr.com/ru/articles/446238/</ref> However, this may brick some devices which use Microsoft-signed OpROMS for certain hardware during the boot process, particularly some laptops, so you must be certain before removing them. It may be impossible to fix if, for example, the GPU relies on these OpROMS. |
| Enrolled keys to the EFI variables!
| |
| </syntaxHighlight> | |
|
| |
|
| You can now reboot your system. After you've booted, Secure Boot is activated:
| | <!--T:26--> |
| | == See Also == |
| | [https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot Arch Wiki/Secure Boot] Extensive information on Secure Boot including using UKIs. |
| | </translate> |
|
| |
|
| <syntaxHighlight lang="bash"> | | <references /> |
| $ bootctl status
| |
| System:
| |
| Firmware: UEFI 2.70 (Lenovo 0.4720)
| |
| Firmware Arch: x64
| |
| Secure Boot: enabled (user)
| |
| TPM2 Support: yes
| |
| Boot into FW: supported
| |
| </syntaxHighlight>
| |