Secure Boot: Difference between revisions
imported>Onny Add setup section |
imported>Onny Append to setup section |
||
| Line 35: | Line 35: | ||
boot.bootspec.enable = true; | boot.bootspec.enable = true; | ||
</nowiki>}} | </nowiki>}} | ||
Rebuild the system and reboot. When everything is working, you can garbage collect your old non-bootspec generations: | |||
<syntaxHighlight lang="bash"> | |||
sudo nix-collect-garbage -d. | |||
</syntaxHighlight> | |||
Adjust the following in your flake-enabled system flake.nix configuration by adding the input and adding the lanzaboote nixos module: | |||
{{file|/etc/nixos/flake.nix|nix|<nowiki> | |||
[...] | |||
inputs = { | |||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; | |||
lanzaboote.url = "github:nix-community/lanzaboote"; | |||
}; | |||
[...] | |||
outputs = { self, nixpkgs, lanzaboote, ...}: { | |||
nixosConfigurations = { | |||
yourHost = nixpkgs.lib.nixosSystem { | |||
system = "x86_64-linux"; | |||
modules = [ | |||
# This is not a complete NixOS configuration and you need to reference | |||
# your normal configuration here. | |||
lanzaboote.nixosModules.lanzaboote | |||
[...] | |||
</nowiki>}} | |||
In your system configuration explicitly disable <code>systemd-boot</code> and replace it by enabling <code>lanzaboote</code>: | |||
{{file|/etc/nixos/configuration.nix|nix|<nowiki> | |||
boot = { | |||
loader.systemd-boot.enable = lib.mkForce false; | |||
lanzaboote = { | |||
enable = true; | |||
pkiBundle = "/etc/secureboot"; | |||
}; | |||
}; | |||
</nowiki>}} | |||
After you rebuild your system, check <code>sbctl verify</code> output: | |||
<syntaxHighlight lang="bash"> | |||
$ sudo sbctl verify | |||
Verifying file database and EFI images in /boot... | |||
✓ /boot/EFI/BOOT/BOOTX64.EFI is signed | |||
✓ /boot/EFI/Linux/nixos-generation-355.efi is signed | |||
✓ /boot/EFI/Linux/nixos-generation-356.efi is signed | |||
✗ /boot/EFI/nixos/0n01vj3mq06pc31i2yhxndvhv4kwl2vp-linux-6.1.3-bzImage.efi is not signed | |||
✓ /boot/EFI/systemd/systemd-bootx64.efi is signed | |||
</syntaxHighlight> | |||
It is expected that the files ending with bzImage.efi are not signed. In case any of the nixos-generation-*.efi files are not signed, you have hit a bug ([https://github.com/nix-community/lanzaboote/issues/39 #39]). This issue will prevent the system from booting successfully when Secure Boot is enabled. The way to solve this is deleting the unsigned files indicated by sbctl and switching to the configuration again. This will copy and sign the missing files. | |||
For the last step, your UEFI firmware needs to be set to <code>Setup Mode</code> to allow enrolling Secure Boot keys. This varies depending on your vendor and notebookt model. | |||
On a Thinkpad enter the BIOS menu using the "Reboot into Firmware" entry in the systemd-boot boot menu. Once you are in the BIOS menu: | |||
1) Select the "Security" tab. | |||
2) Select the "Secure Boot" entry. | |||
3) Set "Secure Boot" to enabled. | |||
4) Select "Reset to Setup Mode". | |||
5) Select "Clear All Secure Boot Keys". | |||
When you are done, press F10 to save and exit. | |||
After reboot enroll your keys to enable Secure Boot. Microsoft keys are used to avoid any booting issues. | |||
<syntaxHighlight lang="bash"> | |||
$ sudo nix run nixpkgs#sbctl enroll-keys --microsoft | |||
Enrolling keys to EFI variables... | |||
With vendor keys from microsoft...✓ | |||
Enrolled keys to the EFI variables! | |||
</syntaxHighlight> | |||
You can now reboot your system. After you've booted, Secure Boot is activated: | |||
<syntaxHighlight lang="bash"> | |||
$ bootctl status | |||
System: | |||
Firmware: UEFI 2.70 (Lenovo 0.4720) | |||
Firmware Arch: x64 | |||
Secure Boot: enabled (user) | |||
TPM2 Support: yes | |||
Boot into FW: supported | |||
</syntaxHighlight> | |||