Jump to content

Secure Boot: Difference between revisions

From NixOS Wiki
← Older edit
VisualWikitext
No edit summary
Ardenet (talk | contribs)
1,019 edits
Marked this version for translation
Tags: Mobile edit Mobile web edit
 
(One intermediate revision by one other user not shown)
Line 7: Line 7:
Secure Boot has multiple implementations, the most known one is UEFI Secure Boot, which relies on the UEFI platform firmware, but others implementations can exist on embedded systems.  
Secure Boot has multiple implementations, the most known one is UEFI Secure Boot, which relies on the UEFI platform firmware, but others implementations can exist on embedded systems.  


There are at present two ways to enable Secure Boot for NixOS. The first is by using [[Limine]]. This has the advantage of being entirely in tree in nixpkgs.
<!--T:3-->
 
On NixOS, Secure Boot can be enabled via the project [https://github.com/nix-community/lanzaboote Lanzaboote].
Secondly, one can use the [https://github.com/nix-community/lanzaboote Lanzaboote] project.  
Alternatively, by using the [[Limine]] project.


<!--T:12-->
<!--T:12-->
It is recommended to enable a BIOS password and full disc encryption to prevent attacks against UEFI and Secure Boot.
It is recommended to enable a BIOS password and full disc encryption to prevent attacks against UEFI and Secure Boot.
== Limine ==
Limine Secure Boot support is principally controlled by the [https://search.nixos.org/options?channel=unstable&show=boot.loader.limine.secureBoot.enable&query=boot.loader.limine.secureBoot.enable module options].
To enable Secure Boot, first switch to Limine as your bootloader. You may find the existing documentation for both [[Limine]] and [[Bootloader]] helpful.
Then
Add <code>sbctl</code> to you systems packages. It must be installed on a system level.
Generate keys with <core>sbctl create-keys</code>
Enable Secure Boot Setup Mode. This usually involves entering the BIOS and selecting an option to do so. On some BIOS implementations, there is not an explicit option to do so, but it will enter setup mode if one clears all Secure Boot keys.
Now, run <code>sbctl enroll-keys -m -f</code> to actually enroll your keys.
You can now rebuild with <code>boot.loader.limine.secureBoot.enable</true> set to true, and disable Secure Boot setup mode.
If this has been successful, you can check using <code>bootctl status</code>
<syntaxHighlight lang=console>
$ bootctl status
systemd-boot not installed in ESP.
System:
      Firmware: n/a (n/a)
Firmware Arch: x64
  Secure Boot: enabled (user)
...
</syntaxHighlight>


<!--T:4-->
<!--T:4-->

Latest revision as of 20:55, 7 October 2025

Other languages:

Secure Boot usually refers to a platform firmware capability to verify the boot components and ensure that only your own operating system to boot.

Secure Boot has multiple implementations, the most known one is UEFI Secure Boot, which relies on the UEFI platform firmware, but others implementations can exist on embedded systems.

On NixOS, Secure Boot can be enabled via the project Lanzaboote. Alternatively, by using the Limine project.

It is recommended to enable a BIOS password and full disc encryption to prevent attacks against UEFI and Secure Boot.

Lanzaboote

Lanzaboote has two components: lzbt and stub.

lzbt is the command line that signs and installs the boot files on the ESP.

stub is a UEFI application that loads the kernel and initrd from the ESP, it's different from systemd-stub, see below to see precise differences.

⚠︎
Warning: Lanzaboote is still in development and requires some prerequisites and precautions. Currently it's only available for nixos-unstable. For more information, please see the GitHub repository or the Quick Start guide.

Requirements

The Secure Boot implementation of Lanzaboote requires a system installed in UEFI mode together with systemd-boot enabled. This can be checked by running bootctl status: 

$ bootctl status
System:
     Firmware: UEFI 2.70 (Lenovo 0.4720)
  Secure Boot: disabled (disabled)
 TPM2 Support: yes
 Boot into FW: supported

Current Boot Loader:
      Product: systemd-boot 251.7
...


Setup

Follow the instructions in the Quick Start guide.

Key management

At the time of writing, Lanzaboote offers only local storage of the keyring, otherwise, it is not possible to rebuild the system and sign the new resulting files.

In the future, Lanzaboote will offer two new signature backends: remote signing (an HTTP server which receives signature requests and answers with signatures) and PKCS#11-based signing (that is, bringing an HSM-like device, e.g. YubiKey, NitroKey, etc.).

⚠︎
Warning: Key management is a hard problem which is out of scope for Lanzaboote project, many recipes exist and there is no single perfect solution. Taking the time to learn how to key manage and figure out the right level of threat protection is crucial to achieve an effective boot protection.

Differences with `systemd-stub`

systemd and distribution upstream have an existing solution called `systemd-stub` but this is not a realistic solution for NixOS as there's too many generations on a system.

Using `systemd-stub`, a kernel and an initrd has to be duplicated for each generation, using Lanzaboote's stub, a kernel and initrd can be deduplicated without compromising on the security.

Tracking the feature parity with `systemd-stub` can be done in this issue: https://github.com/nix-community/lanzaboote/issues/94.

Retrieved from "https://wiki.nixos.org/w/index.php?title=Secure_Boot&oldid=26980"