Install UEFI Secure Boot on your NixOS machine

Event Information

Type
Village Event
Time
Aug. 17, 2023, 4 p.m. - Aug. 17, 2023, 5:30 p.m.
Speakers
No speakers published yet
Language
English
Room
NixOS Tent
Host
NixOS

In this workshop you will install UEFI Secure Boot for NixOS on your own machine with Lanzaboote. Presenter and guide for this session is RaitoBezarius, a.k.a. Ryan Lahfa.

Secure Boot

The goal of UEFI Secure Boot is to allow only trusted operating systems to boot on a system. This can be used to defend against certain classes of attacks that compromise the boot flow of a system. For example, an attacker will have difficulty replacing the Linux kernel that boots a system when Secure Boot is active.

UEFI Secure Boot works by requiring that every component in the boot path (firmware drivers, boot loaders, and the Linux kernel together with its initrd) carries a digital signature that chains to a key the firmware trusts (the db key database). This establishes a chain of trust: each trusted component only hands control to the next part of the boot flow after cryptographically validating that component's signature, so an unsigned or tampered component is refused. Note that the initrd is only covered by this verification when it is bundled with the kernel into a single signed image, which is why Lanzaboote builds Unified Kernel Images rather than shipping a separate initrd.

Caveats

There are some additional steps that are required to make UEFI Secure Boot effective:

There must be a firmware (UEFI setup) password or a similar restriction that prevents unauthorized changes to the Secure Boot policy; otherwise an attacker with physical access can simply disable Secure Boot or enroll their own keys.
The booted system must have some form of integrity protection. Secure Boot only verifies what is loaded at boot time; it does not protect the running system or its file systems, and disk encryption alone provides confidentiality, not integrity.
The firmware must be kept up-to-date, since Secure Boot is only as strong as the firmware that enforces it.

These steps will not be covered here.

lzbt, the Lanzaboote tool

At the moment, boot loaders, kernels and initrds on NixOS are signed on the running system, with the signing keys stored locally. These then need to be prepared as Unified Kernel Images (UKI) and placed on the EFI System Partition (ESP).

lzbt is a Linux command line application that takes care of this flow. It takes a NixOS bootspec document, signs the relevant files, creates a UKI using the stub (see below) and installs the UKI along with the other required files (such as a signed systemd-boot) to the ESP. lzbt is also aware of multiple NixOS generations and will sign all configurations that should be
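The following script is an added example for this page, not code from Lanzaboote or from the workshop itself. It walks through the flow described above (generate keys, enable the Lanzaboote NixOS module so that lzbt signs and installs the UKIs, verify that nothing unsigned is left on the ESP, then enroll the keys) and it also encodes two of the checks a practitioner wants before trusting the result: that the firmware is actually in Setup Mode before keys are enrolled, and that every EFI binary on the ESP is signed before the firmware is told to enforce signatures. Assumptions: sbctl and bootctl are on PATH, the ESP is mounted at /boot, the keys live in /etc/secureboot (sbctl's default directory, which is what pkiBundle points at), the Lanzaboote module is already imported into your flake or configuration, and the two output formats being parsed (bootctl's "Secure Boot: disabled (setup)" line and sbctl verify's "... is not signed" lines) are taken from the versions of those tools current at the time of the workshop. The helper functions in_setup_mode and all_signed are names chosen for this example.

```shell
#!/usr/bin/env bash
# Added example (not Lanzaboote's own code): enable UEFI Secure Boot on NixOS
# with Lanzaboote and verify the result before enrolling keys.
# Assumptions: sbctl/bootctl on PATH, ESP at /boot, keys in /etc/secureboot.
set -eu

ESP="${ESP:-/boot}"

# Check 1: the firmware must be in Setup Mode (no PK enrolled) before we can
# enroll our own PK/KEK/db. bootctl status prints a line of the form
#   Secure Boot: disabled (setup)
# (assumed output format). Takes the bootctl output as $1; returns 0 when in
# setup mode, 1 otherwise.
in_setup_mode() {
  printf '%s\n' "$1" | grep -qE '^ *Secure Boot: .*\(setup\)'
}

# Step 2: create the signing keys and write the Lanzaboote NixOS module.
# Lanzaboote installs its own (signed) systemd-boot, so the stock
# systemd-boot module must be disabled to stop two tools writing the ESP.
create_keys_and_config() {
  sudo sbctl create-keys
  sudo tee /etc/nixos/lanzaboote.nix >/dev/null <<'EOF'
{ lib, ... }:
{
  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.lanzaboote = {
    enable = true;
    pkiBundle = "/etc/secureboot";
  };
}
EOF
  # Import lanzaboote.nix from configuration.nix, then rebuild: the module
  # runs lzbt, which signs systemd-boot and each generation's UKI and
  # copies them to the ESP.
  sudo nixos-rebuild switch
}

# Check 3: every EFI binary lzbt placed on the ESP must be signed, otherwise
# the firmware will refuse to load it once Secure Boot is enforced.
# sbctl verify prints one line per file ending in "is signed" or
# "is not signed" (assumed output format). Takes that output as $1;
# returns 0 only when no file is reported unsigned.
all_signed() {
  ! printf '%s\n' "$1" | grep -q 'is not signed'
}

# Step 4: enroll PK/KEK/db. --microsoft keeps Microsoft's CA in db so that
# option ROMs (GPU, NIC) signed by Microsoft still load; omitting it can
# leave a machine unbootable.
enroll_keys() {
  sudo sbctl enroll-keys --microsoft
}

main() {
  local status
  status="$(bootctl status)"
  in_setup_mode "$status" || {
    echo "firmware is not in Setup Mode; clear the Secure Boot keys in the firmware setup first" >&2
    exit 1
  }
  create_keys_and_config
  all_signed "$(sudo sbctl verify)" || {
    echo "unsigned EFI binaries remain on $ESP; refusing to enroll keys" >&2
    exit 1
  }
  enroll_keys
  echo "reboot, enable Secure Boot in the firmware, then confirm with: bootctl status"
}

# Only run the full procedure when explicitly asked (./script.sh run), so the
# check functions can be sourced and exercised without touching the machine.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as `./enable-secureboot.sh run` on the machine you are enrolling. If the firmware is not in Setup Mode the script stops before creating anything; if sbctl verify reports an unsigned file it stops before enrolling keys, which is the point at which a mistake would otherwise leave the machine unable to boot.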