
Lanzaboote – NixOS Secure Boot


Secure Boot protects a system from an attacker that compromises the boot flow. For example, without Secure Boot it is easy to replace the code that reads your disk encryption password and store it somewhere where the attacker can pick it up later. So ideally you want Secure Boot to be enabled to limit the code that runs on your system to what is supposed to run there.

Unfortunately, NixOS, the Linux distro I use as a daily driver, does not have Secure Boot support. Something had to be done. On an island. 🌴

While attending the Ocean Sprint, a Nix-focussed hackathon, I chose to team up with nikstur and raitobezarius to work on Secure Boot for NixOS!

The sprint was an amazing opportunity to network with seasoned Nix veterans and also great fun in general. Many thanks to zupo and Domen for organising it!

Secure Boot with systemd-boot

Maybe some background first. Like other distros, NixOS boots via systemd-boot on UEFI systems. For Secure Boot to work, systemd-boot requires UKIs (Unified Kernel Images). UKI is a format that wraps a Linux kernel, its command line and the initrd into an EFI application. This EFI application is then signed.

With UKIs, the boot flow looks like this:

1. UEFI verifies and loads systemd-boot.
2. systemd-boot looks for UKIs and the user can select one to boot.
3. systemd-boot loads and starts the UKI.
4. The UKI boots the Linux kernel and initrd that it finds embedded in itself.

The chain of trust of Secure Boot is maintained by UEFI: every component loads the next stage through the UEFI LoadImage service, and LoadImage verifies the signature embedded in the file before it runs.

It’s an elegant design that avoids duplicating crypto in the boot loader and shoves all of this to UEFI.
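As an added illustration (not code from Lanzaboote or the original post), the following Python walks a PE image's headers to check that a UKI carries the .linux, .cmdline and .initrd sections systemd-stub expects and that a certificate table (the Authenticode signature) is attached. The sample image is constructed inline, and the check only confirms that a signature is present; verifying it is LoadImage's job.

```python
import struct

# Section names systemd-stub expects inside a UKI (kernel, command line, initrd).
UKI_SECTIONS = {".linux", ".cmdline", ".initrd"}


def parse_pe(data: bytes):
    """Return (section names, certificate table size) from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = pe_off + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at offset 112 (PE32+) or 96 (PE32); entry 4 is
    # the certificate table that holds the Authenticode signature, if any.
    dir_off = opt + (112 if magic == 0x20B else 96) + 4 * 8
    _cert_rva, cert_size = struct.unpack_from("<II", data, dir_off)
    sec_tbl = opt + opt_size
    names = []
    for i in range(nsections):
        raw = data[sec_tbl + 40 * i: sec_tbl + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii"))
    return names, cert_size


def check_uki(data: bytes) -> dict:
    """Report which UKI sections are missing and whether a signature is attached."""
    names, cert_size = parse_pe(data)
    return {"sections": names,
            "missing": sorted(UKI_SECTIONS - set(names)),
            "signed": cert_size > 0}


def build_sample_pe(sections, signed: bool) -> bytes:
    """Constructed minimal PE32+ header (not bootable) used only to exercise the checker."""
    stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)          # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)            # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + 4 * 8, 0x1000, 0x400)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in sections)
    return stub + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    print(check_uki(build_sample_pe([".text", ".osrel", ".linux", ".cmdline", ".initrd"], True)))
```

On a real system, feed `check_uki` the bytes of a UKI from the EFI system partition instead of the constructed sample.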
