Secure Boot/fr: Difference between revisions
Updating to match new version of source page |
Updating to match new version of source page |
||
| Line 3: | Line 3: | ||
Le démarrage sécurisé est implémenté de multiple façons. La plus connue est le démarrage sécurisé UEFI qui repose sur le micrologiciel de plateforme UEFI, mais d'autres implémentations existent sur les systèmes embarqués. | Le démarrage sécurisé est implémenté de multiple façons. La plus connue est le démarrage sécurisé UEFI qui repose sur le micrologiciel de plateforme UEFI, mais d'autres implémentations existent sur les systèmes embarqués. | ||
<div lang="en" dir="ltr" class="mw-content-ltr"> | <div lang="en" dir="ltr" class="mw-content-ltr"> | ||
| Line 26: | Line 22: | ||
... | ... | ||
</syntaxhighlight>The system above has secure boot enabled and enforced. Other values include <code>disabled (setup)</code> for Setup Mode, <code>disabled (disabled)</code> or <code>disabled (unsupported)</code>. The unsupported tag only appears if your device firmware does not support Secure Boot at all. | </syntaxhighlight>The system above has secure boot enabled and enforced. Other values include <code>disabled (setup)</code> for Setup Mode, <code>disabled (disabled)</code> or <code>disabled (unsupported)</code>. The unsupported tag only appears if your device firmware does not support Secure Boot at all. | ||
If you see <code>disabled (disabled)</code>, this means you will need to enable Secure Boot in your UEFI firmware settings before proceeding to use one of the projects outlined | If you see <code>disabled (disabled)</code>, this means you will need to enable Secure Boot in your UEFI firmware settings before proceeding to use one of the projects outlined below. | ||
</div> | |||
<div lang="en" dir="ltr" class="mw-content-ltr"> | |||
== Enabling Secure Boot on NixOS == | |||
On NixOS, there are currently two main ways to enable Secure Boot, [[Lanzaboote]] and [[Limine]]. See their respective wiki pages for step by step instructions on each. | |||
</div> | |||
<div lang="en" dir="ltr" class="mw-content-ltr"> | |||
For Secure Boot to be most effective, there are certain conditions which should also be met. The most important are: | |||
</div> | </div> | ||
<div lang="en" dir="ltr" class="mw-content-ltr"> | |||
# The UEFI firmware is protected by a strong password to prevent an untrusted drive from being booted or Secure Boot being disabled. | |||
# Full disk encryption is enabled so that your drive cannot simply be read by putting it another another machine. | |||
# Ideally, default OEM/third party keys are not in use as these have been shown to weaken the security of Secure Boot significantly.<ref>https://habr.com/ru/articles/446238/</ref> However, this may brick some devices which use Microsoft-signed OpROMS for certain hardware during the boot process, particularly some laptops, so you must be certain before removing them. It may be impossible to fix if, for example, the GPU relies on these OpROMS. | |||
</div> | |||
<div lang="en" dir="ltr" class="mw-content-ltr"> | |||
== See Also == | |||
[https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot Arch Wiki/Secure Boot] Extensive information on Secure Boot including using UKIs. | |||
</div> | |||
<references /> | |||
Latest revision as of 23:16, 9 December 2025
Le démarrage sécurisé est habituellement associé à la capacité d'un micrologiciel de plateforme de vérifier les composants de démarrage et de s'assurer que seul votre propre système peut démarrer.
Le démarrage sécurisé est implémenté de multiple façons. La plus connue est le démarrage sécurisé UEFI qui repose sur le micrologiciel de plateforme UEFI, mais d'autres implémentations existent sur les systèmes embarqués.
Checking Secure Boot status
bootctl. There is no need to be using systemd-boot as your bootloader for this command to work. $ bootctl status
System:
Firmware: UEFI 2.80 (American Megatrends 5.25)
Firmware Arch: x64
Secure Boot: enabled (user)
TPM2 Support: yes
Measured UKI: yes
Boot into FW: supported
...
disabled (setup) for Setup Mode, disabled (disabled) or disabled (unsupported). The unsupported tag only appears if your device firmware does not support Secure Boot at all.
If you see disabled (disabled), this means you will need to enable Secure Boot in your UEFI firmware settings before proceeding to use one of the projects outlined below.
Enabling Secure Boot on NixOS
On NixOS, there are currently two main ways to enable Secure Boot, Lanzaboote and Limine. See their respective wiki pages for step by step instructions on each.
For Secure Boot to be most effective, there are certain conditions which should also be met. The most important are:
- The UEFI firmware is protected by a strong password to prevent an untrusted drive from being booted or Secure Boot being disabled.
- Full disk encryption is enabled so that your drive cannot simply be read by putting it another another machine.
- Ideally, default OEM/third party keys are not in use as these have been shown to weaken the security of Secure Boot significantly.[1] However, this may brick some devices which use Microsoft-signed OpROMS for certain hardware during the boot process, particularly some laptops, so you must be certain before removing them. It may be impossible to fix if, for example, the GPU relies on these OpROMS.
See Also
Arch Wiki/Secure Boot Extensive information on Secure Boot including using UKIs.