Secure Boot: Difference between revisions
Add "Enabling Secure Boot on NixOS" section |
Marked this version for translation |
||
| Line 26: | Line 26: | ||
If you see <code>disabled (disabled)</code>, this means you will need to enable Secure Boot in your UEFI firmware settings before proceeding to use one of the projects outlined below. | If you see <code>disabled (disabled)</code>, this means you will need to enable Secure Boot in your UEFI firmware settings before proceeding to use one of the projects outlined below. | ||
<!--T:23--> | |||
== Enabling Secure Boot on NixOS == | == Enabling Secure Boot on NixOS == | ||
On NixOS, there are currently two main ways to enable Secure Boot, [[Lanzaboote]] and [[Limine]]. See their respective wiki pages for step by step instructions on each. | On NixOS, there are currently two main ways to enable Secure Boot, [[Lanzaboote]] and [[Limine]]. See their respective wiki pages for step by step instructions on each. | ||
<!--T:24--> | |||
For Secure Boot to be most effective, there are certain conditions which should also be met. The most important are: | For Secure Boot to be most effective, there are certain conditions which should also be met. The most important are: | ||
<!--T:25--> | |||
# The UEFI firmware is protected by a strong password to prevent an untrusted drive from being booted or Secure Boot being disabled. | # The UEFI firmware is protected by a strong password to prevent an untrusted drive from being booted or Secure Boot being disabled. | ||
# Full disk encryption is enabled so that your drive cannot simply be read by putting it another another machine. | # Full disk encryption is enabled so that your drive cannot simply be read by putting it another another machine. | ||
# Ideally, default OEM/third party keys are not in use as these have been shown to weaken the security of Secure Boot significantly.<ref>https://habr.com/ru/articles/446238/</ref> However, this may brick some devices which use Microsoft-signed OpROMS for certain hardware during the boot process, particularly some laptops, so you must be certain before removing them. It may be impossible to fix if, for example, the GPU relies on these OpROMS. | # Ideally, default OEM/third party keys are not in use as these have been shown to weaken the security of Secure Boot significantly.<ref>https://habr.com/ru/articles/446238/</ref> However, this may brick some devices which use Microsoft-signed OpROMS for certain hardware during the boot process, particularly some laptops, so you must be certain before removing them. It may be impossible to fix if, for example, the GPU relies on these OpROMS. | ||
<!--T:26--> | |||
== See Also == | == See Also == | ||
[https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot Arch Wiki/Secure Boot] Extensive information on Secure Boot including using UKIs. | [https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot Arch Wiki/Secure Boot] Extensive information on Secure Boot including using UKIs. | ||