Secure Boot
Secure Boot can be enabled on NixOS using the project Lanzaboote. Secure Boot is a UEFI feature that only allows trusted operating systems to boot. Lanzaboote has two components: lzbt and stub. lzbt signs and installs the boot files on the ESP. stub is a UEFI application that loads the kernel and initrd from the ESP.
Requirements
The Secure Boot implementation of Lanzaboote requires a system installed in UEFI mode together with systemd-boot enabled. This can be checked by running bootctl status:
$ bootctl status
System:
Firmware: UEFI 2.70 (Lenovo 0.4720)
Secure Boot: disabled (disabled)
TPM2 Support: yes
Boot into FW: supported
Current Boot Loader:
Product: systemd-boot 251.7
...
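As an added example (not part of this page or of the Lanzaboote project), the following POSIX shell function parses bootctl status output for the two requirements above, UEFI mode and systemd-boot as the current boot loader, and reports the Secure Boot state. The function name and the two sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample modeled on the bootctl status excerpt above (requirements met).
SAMPLE_OK='System:
     Firmware: UEFI 2.70 (Lenovo 0.4720)
  Secure Boot: disabled (disabled)
 TPM2 Support: yes
 Boot into FW: supported

Current Boot Loader:
      Product: systemd-boot 251.7'

# Constructed sample of a legacy BIOS install (requirements not met).
SAMPLE_BIOS='System:
     Firmware: BIOS
Current Boot Loader:
      Product: n/a'

# check_lanzaboote_prereqs: reads bootctl status output on stdin.
# Prints one line per finding; returns 0 when UEFI mode and systemd-boot
# are both present, 1 otherwise.
check_lanzaboote_prereqs() {
    out=$(cat)
    fw=$(printf '%s\n' "$out" | sed -n 's/^ *Firmware: *//p' | head -n 1)
    loader=$(printf '%s\n' "$out" | sed -n 's/^ *Product: *//p' | head -n 1)
    sb=$(printf '%s\n' "$out" | sed -n 's/^ *Secure Boot: *//p' | head -n 1)
    rc=0
    case "$fw" in
        UEFI*) echo "ok: booted in UEFI mode ($fw)" ;;
        *) echo "FAIL: not booted in UEFI mode (Firmware: ${fw:-unknown})"; rc=1 ;;
    esac
    case "$loader" in
        systemd-boot*) echo "ok: current boot loader is $loader" ;;
        *) echo "FAIL: systemd-boot is not the current boot loader (Product: ${loader:-unknown})"; rc=1 ;;
    esac
    # Secure Boot itself is only enabled in firmware after keys are enrolled,
    # so its state is reported but does not affect the result.
    echo "note: Secure Boot state reported by bootctl: ${sb:-unknown}"
    return $rc
}

# Demo run on the constructed sample; on a real system use:
#   bootctl status | check_lanzaboote_prereqs
printf '%s\n' "$SAMPLE_OK" | check_lanzaboote_prereqs
```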
It is recommended to enable a BIOS password and full disk encryption to prevent attacks against UEFI and Secure Boot.
Setup
First, generate Secure Boot keys using sbctl:
sudo nix run nixpkgs#sbctl create-keys
After that, switch from lzbt to bootspec by adding the following line to the system configuration:
/etc/nixos/configuration.nix
boot.bootspec.enable = true;