Secure Boot: Difference between revisions
imported>Onny m No edit summary |
imported>IgorM m Fixed syntax highlighting |
Line 7: | Line 7: | ||
The Secure Boot implementation of Lanzaboote requires a system installed in UEFI mode together with systemd-boot enabled. This can be checked by running <code>bootctl status</code>: | The Secure Boot implementation of Lanzaboote requires a system installed in UEFI mode together with systemd-boot enabled. This can be checked by running <code>bootctl status</code>: | ||
<syntaxHighlight> | <syntaxHighlight lang=console> | ||
$ bootctl status | $ bootctl status | ||
System: | System: | ||
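Review bot: the opening tag on the new side of this hunk is `<syntaxHighlight lang=console>` with the attribute value unquoted, while every other block this revision touches uses `lang="console"`. Quote it here as well so the page uses one form throughout.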
Line 26: | Line 26: | ||
First generate Secure Boot keys using <code>sbctl</code>: | First generate Secure Boot keys using <code>sbctl</code>: | ||
<syntaxHighlight lang=" | <syntaxHighlight lang="console"> | ||
sudo nix run nixpkgs#sbctl create-keys | $ sudo nix run nixpkgs#sbctl create-keys | ||
</syntaxHighlight> | </syntaxHighlight> | ||
Line 38: | Line 38: | ||
Rebuild the system and reboot. When everything is working, you can garbage collect your old non-bootspec generations: | Rebuild the system and reboot. When everything is working, you can garbage collect your old non-bootspec generations: | ||
<syntaxHighlight lang=" | <syntaxHighlight lang="console"> | ||
sudo nix-collect-garbage -d. | $ sudo nix-collect-garbage -d. | ||
</syntaxHighlight> | </syntaxHighlight> | ||
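Review bot: the command on the new side still ends in a period, `$ sudo nix-collect-garbage -d.`, and inside a console block that period reads as part of the command and is copied along with it. Since the line is being touched anyway, drop the trailing `.` so it reads `$ sudo nix-collect-garbage -d`.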
Line 78: | Line 78: | ||
After you rebuild your system, check <code>sbctl verify</code> output: | After you rebuild your system, check <code>sbctl verify</code> output: | ||
<syntaxHighlight lang=" | <syntaxHighlight lang="console"> | ||
$ sudo nix run nixpkgs#sbctl verify | $ sudo nix run nixpkgs#sbctl verify | ||
Verifying file database and EFI images in /boot... | Verifying file database and EFI images in /boot... | ||
Line 104: | Line 104: | ||
After reboot enroll your keys to enable Secure Boot. Microsoft keys are used to avoid any booting issues. | After reboot enroll your keys to enable Secure Boot. Microsoft keys are used to avoid any booting issues. | ||
<syntaxHighlight lang=" | <syntaxHighlight lang="console"> | ||
$ sudo nix run nixpkgs#sbctl enroll-keys -- --microsoft | $ sudo nix run nixpkgs#sbctl enroll-keys -- --microsoft | ||
Enrolling keys to EFI variables... | Enrolling keys to EFI variables... | ||
Line 113: | Line 113: | ||
You can now reboot your system. After you've booted, Secure Boot is activated: | You can now reboot your system. After you've booted, Secure Boot is activated: | ||
<syntaxHighlight lang=" | <syntaxHighlight lang="console"> | ||
$ bootctl status | $ bootctl status | ||
System: | System: |