Lanzaboote – NixOS Secure Boot (opens in new tab)

(x86.lol)

86 pointsevilmonkey1916d ago8 comments

8 comments

> We plan on streamlining this as much as possible, but so far this has not happened yet.

Probably integrating something like sbctl (https://github.com/Foxboron/sbctl#sbctl---secure-boot-manage...) would do the trick, it's making the whole signing and key management dance easy.

Seems to already work together with limine on NixOS too: https://search.nixos.org/options?channel=25.11&query=sbctl#s...

krautsauer13d ago

sbctl is recommended these days: https://github.com/nix-community/lanzaboote/blob/master/docs...

c0balt13d ago

Lanzaboote is great, I've been using it for almost a year now in a dual boot with Windows 11 for full secure boot on my desktop. It is quite stable (notably was set and forget) and the initial setup was relatively easy.

aiscoming12d ago

this is how Microsoft wins the war against general computing

you must not join it, refuse to lockdown your computer

irusensei12d ago

Secure boot and TPM are good technologies. You can roll your own keys and Microsoft won't have anything on it.

Do people still think you need to have your boot program signed by Microsoft in order to use it?

I also wonder if this sentiment is what stalled development in other more traditional projects like BSD derivatives. I'd love to have FreeBSD with secure boot and loading ZFS keys from the TPM.

weightedreply12d ago

Microsoft's certification states that OEM's must allow the user to configure secure boot to trust other bootloader's.

https://learn.microsoft.com/en-us/windows/security/operating...

However OEM's like HP are ignoring the certification requirements:

https://h30434.www3.hp.com/t5/Notebook-Operating-System-and-...

https://h30434.www3.hp.com/t5/Notebook-Boot-and-Lockup/How-t...

ChocolateGod11d ago

Some cases OEMs ignore the requirement the other way round, e.g. the MSI boards that perform zero signature checking with secure boot on.

irusensei12d ago

Interesting. I had a 705 G4 (or 74 g5? Idk the one with the Ryzen 2400Ge) and the firmware supported putting the machine secure boot system on setup mode.

pyrophane13d ago

Huh, as a Lanaboote user I’m surprised to see this on the front page. I use this in combination with sbctl for key generation. I’m mostly using it because I wanted to set up full disk encryption with TPM2 auth.

krautsauer13d ago

This needs a (2022).

evilmonkey19OP16d ago

Browsing the internet about secure boot and NixOS, I found the article of one of the creators

j / k navigate · click thread line to collapse

8 comments

embedding-shape13d ago

> We plan on streamlining this as much as possible, but so far this has not happened yet.

Probably integrating something like sbctl (https://github.com/Foxboron/sbctl#sbctl---secure-boot-manage...) would do the trick, it's making the whole signing and key management dance easy.

Seems to already work together with limine on NixOS too: https://search.nixos.org/options?channel=25.11&query=sbctl#s...

krautsauer13d ago

sbctl is recommended these days: https://github.com/nix-community/lanzaboote/blob/master/docs...

c0balt13d ago

aiscoming12d ago

this is how Microsoft wins the war against general computing

you must not join it, refuse to lockdown your computer

irusensei12d ago

Secure boot and TPM are good technologies. You can roll your own keys and Microsoft won't have anything on it.

Do people still think you need to have your boot program signed by Microsoft in order to use it?

I also wonder if this sentiment is what stalled development in other more traditional projects like BSD derivatives. I'd love to have FreeBSD with secure boot and loading ZFS keys from the TPM.

weightedreply12d ago

Microsoft's certification states that OEM's must allow the user to configure secure boot to trust other bootloader's.

https://learn.microsoft.com/en-us/windows/security/operating...

However OEM's like HP are ignoring the certification requirements:

https://h30434.www3.hp.com/t5/Notebook-Operating-System-and-...

https://h30434.www3.hp.com/t5/Notebook-Boot-and-Lockup/How-t...

ChocolateGod11d ago

Some cases OEMs ignore the requirement the other way round, e.g. the MSI boards that perform zero signature checking with secure boot on.

irusensei12d ago

Interesting. I had a 705 G4 (or 74 g5? Idk the one with the Ryzen 2400Ge) and the firmware supported putting the machine secure boot system on setup mode.

pyrophane13d ago

krautsauer13d ago

This needs a (2022).

evilmonkey19OP16d ago

Browsing the internet about secure boot and NixOS, I found the article of one of the creators

j / k navigate · click thread line to collapse