Jump to content

Secure Boot/ru: Difference between revisions

From Official NixOS Wiki
← Older edit
VisualWikitext
Unabomberlive (talk | contribs)
trusted
1,173 edits
Created page with "Lanzaboote состоит из двух компонентов: <code>lzbt</code> and <code>stub</code>."
FuzzyBot (talk | contribs)
2,894 edits
Updating to match new version of source page
 
(18 intermediate revisions by 2 users not shown)
Line 5: Line 5:


<div lang="en" dir="ltr" class="mw-content-ltr">
<div lang="en" dir="ltr" class="mw-content-ltr">
On NixOS, Secure Boot can be enabled via the project [https://github.com/nix-community/lanzaboote Lanzaboote].
[[Category:Security]]
</div>
[[Category:Booting]]
 
Lanzaboote состоит из двух компонентов:
<code>lzbt</code> and <code>stub</code>.
 
<div lang="en" dir="ltr" class="mw-content-ltr">
<code>lzbt</code> is the command line that signs and installs the boot files on the ESP.
</div> 
 
<div lang="en" dir="ltr" class="mw-content-ltr">
<code>stub</code> is a UEFI application that loads the kernel and initrd from the ESP, it's different from systemd-stub, see below to see precise differences.
</div>
 
<div lang="en" dir="ltr" class="mw-content-ltr">
{{warning|Lanzaboote is still in development and requires some prerequisites and precautions. Currently it's only available for nixos-unstable. For more information, please see the GitHub repository or the Quick Start guide.}}
</div>
 
<span id="Requirements"></span>
== Требования ==
 
<div lang="en" dir="ltr" class="mw-content-ltr">
The Secure Boot implementation of Lanzaboote requires a system installed in UEFI mode together with systemd-boot enabled.  This can be checked by running <code>bootctl status</code>:
</div>
</div>


<div lang="en" dir="ltr" class="mw-content-ltr">
<div lang="en" dir="ltr" class="mw-content-ltr">
<syntaxHighlight lang=console>
== Checking Secure Boot status ==
The easiest way to check if your machine has Secure Boot enabled is through the use of [[Systemd]]'s <code>bootctl</code>. There is no need to be using [[Systemd/boot|systemd-boot]] as your bootloader for this command to work. <syntaxhighlight lang="console">
$ bootctl status
$ bootctl status
System:
System:
    Firmware: UEFI 2.70 (Lenovo 0.4720)
    Firmware: UEFI 2.80 (American Megatrends 5.25)
  Secure Boot: disabled (disabled)
    Firmware Arch: x64
TPM2 Support: yes
    Secure Boot: enabled (user)
Boot into FW: supported
    TPM2 Support: yes
</div>
    Measured UKI: yes
 
    Boot into FW: supported
<div lang="en" dir="ltr" class="mw-content-ltr">
Current Boot Loader:
      Product: systemd-boot 251.7
...
...
</syntaxHighlight>
</syntaxhighlight>The system above has secure boot enabled and enforced. Other values include <code>disabled (setup)</code> for Setup Mode, <code>disabled (disabled)</code> or <code>disabled (unsupported)</code>. The unsupported tag only appears if your device firmware does not support Secure Boot at all.
</div>
If you see <code>disabled (disabled)</code>, this means you will need to enable Secure Boot in your UEFI firmware settings before proceeding to use one of the projects outlined below.
</div>  


<div lang="en" dir="ltr" class="mw-content-ltr">
<div lang="en" dir="ltr" class="mw-content-ltr">
It is recommended to enable a BIOS password and full disc encryption to prevent attacks against UEFI and Secure Boot.
== Enabling Secure Boot on NixOS ==
On NixOS, there are currently two main ways to enable Secure Boot, [[Lanzaboote]] and [[Limine]]. See their respective wiki pages for step by step instructions on each.
</div>
</div>


<div lang="en" dir="ltr" class="mw-content-ltr">
<div lang="en" dir="ltr" class="mw-content-ltr">
== Setup ==
For Secure Boot to be most effective, there are certain conditions which should also be met. The most important are:
</div>
</div>


<div lang="en" dir="ltr" class="mw-content-ltr">
<div lang="en" dir="ltr" class="mw-content-ltr">
Follow the instructions in the [https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md Quick Start guide].
# The UEFI firmware is protected by a strong password to prevent an untrusted drive from being booted or Secure Boot being disabled.
</div>
# Full disk encryption is enabled so that your drive cannot simply be read by putting it another another machine.
# Ideally, default OEM/third party keys are not in use as these have been shown to weaken the security of Secure Boot significantly.<ref>https://habr.com/ru/articles/446238/</ref> However, this may brick some devices which use Microsoft-signed OpROMS for certain hardware during the boot process, particularly some laptops, so you must be certain before removing them. It may be impossible to fix if, for example, the GPU relies on these OpROMS.
</div>  


<div lang="en" dir="ltr" class="mw-content-ltr">
<div lang="en" dir="ltr" class="mw-content-ltr">
== Key management ==
== See Also ==
At the time of writing, Lanzaboote offers only local storage of the keyring, otherwise, it is not possible to rebuild the system and sign the new resulting files.
[https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot Arch Wiki/Secure Boot] Extensive information on Secure Boot including using UKIs.
</div>
</div>  
 
<div lang="en" dir="ltr" class="mw-content-ltr">
In the future, Lanzaboote will offer two new signature backends: remote signing (an HTTP server which receives signature requests and answers with signatures) and PKCS#11-based signing (that is, bringing an HSM-like device, e.g. YubiKey, NitroKey, etc.).
</div>
 
<div lang="en" dir="ltr" class="mw-content-ltr">
{{Warning|Key management is a hard problem which is out of scope for Lanzaboote project, many recipes exist and there is no single perfect solution. Taking the time to learn how to key manage and figure out the right level of threat protection is crucial to achieve an effective boot protection.}}
</div>
 
<div lang="en" dir="ltr" class="mw-content-ltr">
== Differences with `systemd-stub` ==
systemd and distribution upstream have an existing solution called `systemd-stub` but this is not a realistic solution for NixOS as there's too many generations on a system.
</div>
 
<div lang="en" dir="ltr" class="mw-content-ltr">
Using `systemd-stub`, a kernel and an initrd has to be duplicated for '''each generation''', using Lanzaboote's stub, a kernel and initrd can be '''deduplicated''' without compromising on the security.
</div>


<div lang="en" dir="ltr" class="mw-content-ltr">
<references />
Tracking the feature parity with `systemd-stub` can be done in this issue: https://github.com/nix-community/lanzaboote/issues/94.
[[Category:Security]]
[[Category:Booting]]
</div>

Latest revision as of 23:16, 9 December 2025

Other languages:

Под безопасной загрузкой обычно подразумевается возможность встроенного программного обеспечения платформы проверять компоненты загрузки и гарантировать, что загрузится только ваша собственная операционная система.

Secure Boot имеет несколько реализаций, наиболее известная - UEFI Secure Boot, которая опирается на прошивку платформы UEFI, но во встраиваемых системах могут существовать и другие реализации.

Checking Secure Boot status

The easiest way to check if your machine has Secure Boot enabled is through the use of Systemd's bootctl. There is no need to be using systemd-boot as your bootloader for this command to work. 
$ bootctl status
System:
    Firmware: UEFI 2.80 (American Megatrends 5.25)
    Firmware Arch: x64
    Secure Boot: enabled (user)
    TPM2 Support: yes
    Measured UKI: yes
    Boot into FW: supported
...
The system above has secure boot enabled and enforced. Other values include disabled (setup) for Setup Mode, disabled (disabled) or disabled (unsupported). The unsupported tag only appears if your device firmware does not support Secure Boot at all.

If you see disabled (disabled), this means you will need to enable Secure Boot in your UEFI firmware settings before proceeding to use one of the projects outlined below.

Enabling Secure Boot on NixOS

On NixOS, there are currently two main ways to enable Secure Boot, Lanzaboote and Limine. See their respective wiki pages for step by step instructions on each.

For Secure Boot to be most effective, there are certain conditions which should also be met. The most important are:

  1. The UEFI firmware is protected by a strong password to prevent an untrusted drive from being booted or Secure Boot being disabled.
  2. Full disk encryption is enabled so that your drive cannot simply be read by putting it another another machine.
  3. Ideally, default OEM/third party keys are not in use as these have been shown to weaken the security of Secure Boot significantly.[1] However, this may brick some devices which use Microsoft-signed OpROMS for certain hardware during the boot process, particularly some laptops, so you must be certain before removing them. It may be impossible to fix if, for example, the GPU relies on these OpROMS.

See Also

Arch Wiki/Secure Boot Extensive information on Secure Boot including using UKIs.

  1. https://habr.com/ru/articles/446238/
Retrieved from "https://wiki.nixos.org/w/index.php?title=Secure_Boot/ru&oldid=28968"