Secure Boot: Difference between revisions

(14 intermediate revisions by 7 users not shown)

Line 1:

Secure Boot usually refers to a platform firmware capability to verify the boot components and ensure that only your own operating system to boot.

Secure Boot usually refers to a platform firmware capability to verify the boot components and ensure that only your own operating system is allowed to boot.

Secure Boot has multiple implementations, the most known one is UEFI Secure Boot, which relies on the UEFI platform firmware, but ~~others~~ implementations can exist on embedded systems.

Secure Boot has multiple implementations, the most well known one is UEFI Secure Boot, which relies on the UEFI platform firmware, but other implementations can exist on embedded systems.

~~On NixOS, Secure Boot can be enabled via the project~~ [~~https~~:~~//github.com/nix-community/lanzaboote Lanzaboote~~].

[[Category:Security]]

~~Lanzaboote has two components~~: ~~<code>lzbt</code> and <code>stub</code>.~~

[[Category:Booting]]

~~<code>lzbt</code> is the command line that signs and installs the boot files on the ESP.~~

<~~code>stub</code> is a UEFI application that loads the kernel and initrd from the ESP, it's different from systemd~~-~~stub, see below to see precise differences.~~

== Checking Secure Boot status ==

~~{{warning|Lanzaboote is still in development and requires some prerequisites and precautions. Currently it's only available for nixos~~-~~unstable. For more information, please see the GitHub repository or the Quick Start guide.}}~~

The easiest way to check if your machine has Secure Boot enabled is through the use of [[Systemd]]'s <code>bootctl</code>. There is no need to be using [[Systemd/boot|systemd-boot]] as your bootloader for this command to work. <syntaxhighlight lang="console">

== ~~Requirements~~ ==

The Secure Boot ~~implementation~~ of ~~Lanzaboote requires a system installed in UEFI mode together with systemd-boot enabled. This can be checked by running~~ <code>bootctl ~~status~~</code>:

<~~syntaxHighlight~~ lang=console>

$ bootctl status

System:

Firmware: UEFI 2.70 (~~Lenovo 0~~.~~4720~~)

Firmware: UEFI 2.80 (American Megatrends 5.25)

Secure Boot: ~~disabled~~ (~~disabled~~)

Firmware Arch: x64

TPM2 Support: yes

Secure Boot: enabled (user)

Boot into FW: supported

TPM2 Support: yes

Measured UKI: yes

~~Current Boot Loader:~~

Boot into FW: supported

~~Product: systemd-boot 251.7~~

...

</~~syntaxHighlight~~>

</syntaxhighlight>The system above has secure boot enabled and enforced. Other values include <code>disabled (setup)</code> for Setup Mode, <code>disabled (disabled)</code> or <code>disabled (unsupported)</code>. The unsupported tag only appears if your device firmware does not support Secure Boot at all.

If you see <code>disabled (disabled)</code>, this means you will need to enable Secure Boot in your UEFI firmware settings before proceeding to use one of the projects outlined below.

~~It is recommended~~ to enable ~~a BIOS password and full disc encryption to prevent attacks against UEFI and~~ Secure Boot.

~~== Setup ==~~

~~Follow the instructions~~ in the ~~[https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md Quick Start guide]~~.

== ~~Key management~~ ==

~~At the time of writing~~, Lanzaboote ~~offers only local storage of the keyring, otherwise, it is not possible to rebuild the system~~ and ~~sign the new resulting files~~.

== Enabling Secure Boot on NixOS ==

On NixOS, there are currently two main ways to enable Secure Boot, [[Lanzaboote]] and [[Limine]]. See their respective wiki pages for step by step instructions on each.

~~In the future, Lanzaboote will offer two new signature backends~~: ~~remote signing (an HTTP server which receives signature requests and answers with signatures) and PKCS#11~~-~~based signing (that is, bringing an HSM~~-~~like device~~, ~~e.g. YubiKey, NitroKey, etc.)~~.

For Secure Boot to be most effective, there are certain conditions which should also be met. The most important are:

~~{{Warning|Key management~~ is a ~~hard problem which~~ is ~~out~~ of ~~scope~~ for ~~Lanzaboote project~~, ~~many recipes exist and there is no single perfect solution~~. ~~Taking the time~~ to ~~learn how to key manage and figure out~~ the ~~right level of threat protection is crucial to achieve an effective boot protection~~.}}

# The UEFI firmware is protected by a strong password to prevent an untrusted drive from being booted or Secure Boot being disabled.

# Full disk encryption is enabled so that your drive cannot simply be read by putting it another another machine.

# Ideally, default OEM/third party keys are not in use as these have been shown to weaken the security of Secure Boot significantly.<ref>https://habr.com/ru/articles/446238/</ref> However, this may brick some devices which use Microsoft-signed OpROMS for certain hardware during the boot process, particularly some laptops, so you must be certain before removing them. It may be impossible to fix if, for example, the GPU relies on these OpROMS.

== ~~Differences with `systemd-stub`~~ ==

~~systemd and distribution upstream have an existing solution called `systemd-stub` but this is not a realistic solution for NixOS as there's too many generations~~ on ~~a system~~.

== See Also ==

[https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot Arch Wiki/Secure Boot] Extensive information on Secure Boot including using UKIs.

</translate>

Using `systemd-stub`, a kernel and an initrd has to be duplicated for '''each generation''', using Lanzaboote's stub, a kernel and initrd can be '''deduplicated''' without compromising on the security.

~~Tracking the feature parity with `systemd-stub` can be done in this issue: https:~~/~~/github.com/nix-community/lanzaboote/issues/94.~~

~~[[Category:Security]]~~

~~[[Category:System]]~~

@@ Line 1: / Line 1: @@
-Secure Boot usually refers to a platform firmware capability to verify the boot components and ensure that only your own operating system to boot.
+<languages/>
+<translate>
+<!--T:1-->
+Secure Boot usually refers to a platform firmware capability to verify the boot components and ensure that only your own operating system is allowed to boot.
-Secure Boot has multiple implementations, the most known one is UEFI Secure Boot, which relies on the UEFI platform firmware, but others implementations can exist on embedded systems.
+<!--T:2-->
+Secure Boot has multiple implementations, the most well known one is UEFI Secure Boot, which relies on the UEFI platform firmware, but other implementations can exist on embedded systems.
-On NixOS, Secure Boot can be enabled via the project [https://github.com/nix-community/lanzaboote Lanzaboote].
+<!--T:21-->
+[[Category:Security]]
-Lanzaboote has two components: <code>lzbt</code> and <code>stub</code>.
+[[Category:Booting]]
-<code>lzbt</code> is the command line that signs and installs the boot files on the ESP.
-<code>stub</code> is a UEFI application that loads the kernel and initrd from the ESP, it's different from systemd-stub, see below to see precise differences.
+<!--T:22-->
+== Checking Secure Boot status ==
-{{warning|Lanzaboote is still in development and requires some prerequisites and precautions. Currently it's only available for nixos-unstable. For more information, please see the GitHub repository or the Quick Start guide.}}
+The easiest way to check if your machine has Secure Boot enabled is through the use of [[Systemd]]'s <code>bootctl</code>. There is no need to be using [[Systemd/boot|systemd-boot]] as your bootloader for this command to work. <syntaxhighlight lang="console">
-== Requirements ==
-The Secure Boot implementation of Lanzaboote requires a system installed in UEFI mode together with systemd-boot enabled.  This can be checked by running <code>bootctl status</code>:
-<syntaxHighlight lang=console>
 $ bootctl status
 System:
-     Firmware: UEFI 2.70 (Lenovo 0.4720)
+    Firmware: UEFI 2.80 (American Megatrends 5.25)
-  Secure Boot: disabled (disabled)
+    Firmware Arch: x64
- TPM2 Support: yes
+    Secure Boot: enabled (user)
- Boot into FW: supported
+    TPM2 Support: yes
+    Measured UKI: yes
-Current Boot Loader:
+    Boot into FW: supported
-      Product: systemd-boot 251.7
 ...
-</syntaxHighlight>
+</syntaxhighlight>The system above has secure boot enabled and enforced. Other values include <code>disabled (setup)</code> for Setup Mode, <code>disabled (disabled)</code> or <code>disabled (unsupported)</code>. The unsupported tag only appears if your device firmware does not support Secure Boot at all.
+If you see <code>disabled (disabled)</code>, this means you will need to enable Secure Boot in your UEFI firmware settings before proceeding to use one of the projects outlined below.
-It is recommended to enable a BIOS password and full disc encryption to prevent attacks against UEFI and Secure Boot.
-== Setup ==
-Follow the instructions in the [https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md Quick Start guide].
-== Key management ==
+<!--T:23-->
-At the time of writing, Lanzaboote offers only local storage of the keyring, otherwise, it is not possible to rebuild the system and sign the new resulting files.
+== Enabling Secure Boot on NixOS ==
+On NixOS, there are currently two main ways to enable Secure Boot, [[Lanzaboote]] and [[Limine]]. See their respective wiki pages for step by step instructions on each.
-In the future, Lanzaboote will offer two new signature backends: remote signing (an HTTP server which receives signature requests and answers with signatures) and PKCS#11-based signing (that is, bringing an HSM-like device, e.g. YubiKey, NitroKey, etc.).
+<!--T:24-->
+For Secure Boot to be most effective, there are certain conditions which should also be met. The most important are:
-{{Warning|Key management is a hard problem which is out of scope for Lanzaboote project, many recipes exist and there is no single perfect solution. Taking the time to learn how to key manage and figure out the right level of threat protection is crucial to achieve an effective boot protection.}}
+<!--T:25-->
+# The UEFI firmware is protected by a strong password to prevent an untrusted drive from being booted or Secure Boot being disabled.
+# Full disk encryption is enabled so that your drive cannot simply be read by putting it another another machine.
+# Ideally, default OEM/third party keys are not in use as these have been shown to weaken the security of Secure Boot significantly.<ref>https://habr.com/ru/articles/446238/</ref> However, this may brick some devices which use Microsoft-signed OpROMS for certain hardware during the boot process, particularly some laptops, so you must be certain before removing them. It may be impossible to fix if, for example, the GPU relies on these OpROMS.
-== Differences with `systemd-stub` ==
+<!--T:26-->
-systemd and distribution upstream have an existing solution called `systemd-stub` but this is not a realistic solution for NixOS as there's too many generations on a system.
+== See Also ==
+[https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot Arch Wiki/Secure Boot] Extensive information on Secure Boot including using UKIs.
+</translate>
-Using `systemd-stub`, a kernel and an initrd has to be duplicated for '''each generation''', using Lanzaboote's stub, a kernel and initrd can be '''deduplicated''' without compromising on the security.
+<references />
-Tracking the feature parity with `systemd-stub` can be done in this issue: https://github.com/nix-community/lanzaboote/issues/94.
-[[Category:Security]]
-[[Category:System]]