mirror of
https://github.com/ItsDrike/nixdots
synced 2024-11-14 16:17:17 +00:00
Compare commits
No commits in common. "eefda2047d63ba701a59f290813a2ba0388f5883" and "d3d8ad15b33ba6983ebff8935ac00941637d56ca" have entirely different histories.
eefda2047d
...
d3d8ad15b3
|
@ -12,7 +12,7 @@ As a first step, you will want to confirm that you really are on a UEFI system.
|
||||||
this is very likely the case. Nevertheless, let's check and make sure:
|
this is very likely the case. Nevertheless, let's check and make sure:
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
bootctl status
|
bootctl info
|
||||||
```
|
```
|
||||||
|
|
||||||
Make sure the `Firmware` is reported as `UEFI`.
|
Make sure the `Firmware` is reported as `UEFI`.
|
||||||
|
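Review bot: the two sides disagree on the bootctl verb (`bootctl status` on the left, `bootctl info` on the right). The subcommand whose output contains the `Firmware:` line that the next sentence tells the reader to check is `bootctl status`; `info` is not a verb the bootctl manual documents, so whichever side is meant to be current should keep `bootctl status`.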
@ -36,9 +36,8 @@ boot.
|
||||||
> fact, if someone is able to get a hold of your machine, they can simply pull out the CMOS battery, which usually
|
> fact, if someone is able to get a hold of your machine, they can simply pull out the CMOS battery, which usually
|
||||||
> resets the UEFI. That means turning off Secure Boot, and getting rid of the BIOS password.
|
> resets the UEFI. That means turning off Secure Boot, and getting rid of the BIOS password.
|
||||||
>
|
>
|
||||||
> While Secure Boot is generally a good extra measure to have, it is by no means a reliable way to really prevent
|
> While UEFI is generally a good extra measure to have, it is by no means a reliable way to really prevent others from
|
||||||
> others from ever being able to boot untrusted systems, unless you use a specialized motherboard, which persists the
|
> ever being able to boot untrusted systems, unless you use a specialized motherboard, which persists the UEFI state.
|
||||||
> UEFI state.
|
|
||||||
|
|
||||||
## Create your keys
|
## Create your keys
|
||||||
|
|
||||||
|
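Review bot: "While UEFI is generally a good extra measure" (right side) changes the subject of the sentence from Secure Boot to UEFI. The paragraph is about preventing untrusted systems from booting, which is what Secure Boot does; UEFI is the firmware interface the Secure Boot setting lives in, not a measure in itself. The left side's "While Secure Boot is generally a good extra measure" is the correct wording; the re-wrap of the following lines is fine.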
@ -61,8 +60,8 @@ permissions of the secret key so that only root can read it.
|
||||||
|
|
||||||
## lanzaboote
|
## lanzaboote
|
||||||
|
|
||||||
`lanzaboote` is a tool to help you set up secure boot in NixOS. To install it, you can add it as an input for your
|
`lanzaboote` is a tool to help you set up secure boot in NixOS. To install it, you can add
|
||||||
flake:
|
it as an input for your flake:
|
||||||
|
|
||||||
```nix
|
```nix
|
||||||
lanzaboote = {
|
lanzaboote = {
|
||||||
|
@ -111,8 +110,7 @@ Note that you shouldn't really need to use this.
|
||||||
|
|
||||||
## Enabling secure boot
|
## Enabling secure boot
|
||||||
|
|
||||||
Now that NixOS is ready for secure-boot, we will set up firmware. At the end of this section, Secure Boot will be
|
Now that NixOS is ready for secure-boot, we will set up firmware. At the end of this section, Secure Boot will be enabled on your system and your firmware will only boot binaries that are signed with your keys.
|
||||||
enabled on your system and your firmware will only boot binaries that are signed with your keys.
|
|
||||||
|
|
||||||
### Enter Setup mode
|
### Enter Setup mode
|
||||||
|
|
||||||
|
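Review bot: the right side joins the two wrapped lines of the "Now that NixOS is ready for secure-boot" paragraph into a single very long line, while the surrounding context lines wrap at roughly 120 columns; keep the wrap so future diffs stay readable. Minor: the sentence spells it "secure-boot" and then "Secure Boot"; pick one form.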
@ -139,18 +137,11 @@ You will now have to enroll your new keys to activate Secure Boot.
|
||||||
sudo sbctl enroll-keys -m
|
sudo sbctl enroll-keys -m
|
||||||
```
|
```
|
||||||
|
|
||||||
> [!WARNING]
|
> [!NOTE]
|
||||||
> The `-m` option (also known as `--microsoft`) will make sure to also include the Microsoft
|
> The `-m` option (also known as `--microsoft`) will make sure to also include the Microsoft
|
||||||
> signing keys. This is required by most motherboards, not using it could brick your device.
|
> signing keys. This is required by most motherboards, not using it could brick your device.
|
||||||
|
|
||||||
> [!NOTE]
|
This should automatically enable secure boot in user mode for you. You can now reboot the system.
|
||||||
> If you encounter "File is immutable" warnings after running sbctl, it should be safe to simply add the `-i` (or
|
|
||||||
> `--ignore-immutable`) flag, which will run `chattr` and remove the immutable flags from these files for you.
|
|
||||||
>
|
|
||||||
> If you still encounter errors even with this flag, it means you have probably done something wrong when entering the
|
|
||||||
> setup mode. Try looking for a option like "Reset keys" in your UEFI, then try this again.
|
|
||||||
|
|
||||||
This should automatically enable secure boot in user mode for you. You can now **reboot the system**.
|
|
||||||
|
|
||||||
### Make sure it worked
|
### Make sure it worked
|
||||||
|
|
||||||
|
|
|
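Review bot: downgrading the `-m` callout from `> [!WARNING]` to `> [!NOTE]` (right side) is at odds with its own text, "not using it could brick your device"; a bricking risk is exactly what the WARNING level is for, so keep it as a WARNING. The right side also drops the troubleshooting note about "File is immutable" errors and the `-i` / `--ignore-immutable` flag, along with the hint to look for a "Reset keys" option when enrollment still fails, and loses the bold on "reboot the system". That note is the guidance a reader needs precisely when `sbctl enroll-keys -m` fails, so restore it unless it was moved elsewhere in the document.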
@ -23,7 +23,6 @@
|
||||||
curl # CLI tool for transfering data with URLs
|
curl # CLI tool for transfering data with URLs
|
||||||
lm_sensors # tools for reading hw sensors
|
lm_sensors # tools for reading hw sensors
|
||||||
p7zip # 7zip fork with some improvements
|
p7zip # 7zip fork with some improvements
|
||||||
e2fsprogs # tools for creating and checking ext filesystems
|
|
||||||
|
|
||||||
# Rust replacements
|
# Rust replacements
|
||||||
procs # better ps
|
procs # better ps
|
||||||
|
|
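Review bot: dropping `e2fsprogs` from this package list removes the only explicit provider of the ext filesystem tools shown here. If the rationale is that NixOS already pulls it in through its filesystem modules once an ext filesystem is declared, a one-line comment or commit note saying so would stop the next reader from re-adding it. Unrelated nit in the unchanged context: "transfering" in the `curl` comment should be "transferring".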