This is a pretty small module to enable SecureBoot for my NixOS workstations.
{
lib,
config,
pkgs,
inputs,
...
}:
let
cfg = config.mjm.secureboot;
in
{
imports = [
(import inputs.lanzaboote { }).nixosModules.lanzaboote
];
options.mjm.secureboot = {
enable = lib.mkEnableOption "SecureBoot with Lanzaboote";
};
config = lib.mkIf cfg.enable {
<<config>>
};
}This module must be enabled explicitly by setting mjm.secureboot.enable to true.
boot.loader.systemd-boot.enable = false;
A SecureBoot machine still uses systemd-boot, but not directly through the official NixOS module, so that needs to be disabled.
boot.lanzaboote.enable = true; boot.lanzaboote.pkiBundle = lib.mkDefault "/var/lib/secureboot";
SecureBoot for NixOS is implemented with the Lanzaboote project. It's not really feasible for NixOS machines to have kernels that are signed by official Microsoft keys, so setting up SecureBoot involves generating and enrolling custom keys on the machine. Those keys need to be used to sign kernels when a new generation is activated and the boot loader configuration is updated. I believe Lanzaboote defaults to wanting to put these keys in /etc/secureboot, but since some of my machines don't persist /etc as a whole, it's more convenient to just move this to /var/lib/secureboot, since /var is always persisted in my setups.
boot.lanzaboote.configurationLimit = 8;
boot.lanzaboote.measuredBoot = {
enable = lib.mkDefault true;
pcrs = [
0
1
2
3
4
7
];
};Measured boot is a more recent addition to Lanzaboote. I believe it's protecting a different part of the boot process. My understanding is that it predicts the measurements of certain PCRs, and then generates a policy file that specifies what valid measurements should be. You can then set up your LUKS disk unlocking to use that policy to automatically unlock the disk as long as the PCR values are correct.
I've enabled this for my machines to try it out. It seems to be working fine on uranus. On persephone, it started failing at activation, and I haven't had a chance to figure out why. I may end up disabling it on persephone anyway, since it's not using LUKS and so doesn't have an easy way to consume the policy anyway.
environment.systemPackages = [ pkgs.sbctl ];
sbctl is the tool used to create and enroll SecureBoot keys, so it's needed for the initial setup.
text/gemini;lang=en-USThis content has been proxied by September (UNKNO).