forked from aylac.top/nixcfg

## Secure Boot + Automatic LUKS decryption

  1. Generate secure boot keys:

    sudo nix run nixpkgs#sbctl create-keys
    
  2. Include nixos-programs-lanzaboote or manually enable lanzaboote in NixOS host configuration:

    boot = {
      initrd.systemd.enable = true; # For automatic decryption with TPM.
      loader.systemd-boot.enable = lib.mkForce false; # Interferes with lanzaboote and must be force-disabled.
    
      lanzaboote = {
        enable = true;
        pkiBundle = "/var/lib/sbctl";
      };
    };
    
  3. In UEFI, set secure boot to "setup mode" or erase platform keys.

  4. Enroll your secure boot keys:

    sudo nix run nixpkgs#sbctl -- enroll-keys --microsoft
    
  5. Reboot and make sure Secure Boot is enabled in UEFI.

  6. Check Secure Boot status with `bootctl status`:

    System:
          Firmware: UEFI 2.70 (American Megatrends 5.17)
     Firmware Arch: x64
       Secure Boot: enabled (user)
      TPM2 Support: yes
      Measured UKI: yes
      Boot into FW: supported
    
  7. If your root drive is encrypted with LUKS, you can have the TPM automatically decrypt it on boot:

    sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+7+12 --wipe-slot=tpm2 /dev/nvme0n1p2
    

    Replace `/dev/nvme0n1p2` with your root partition. Check the Linux TPM PCR Registry for more details on what each PCR measures.

    NOTE: This requires a TPM2 module; devices with earlier TPM versions will not work.
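Pre-flight check for step 7, as an added example (not part of this repo): it parses the `bootctl status` output shown in step 6, refuses to enroll the TPM2 slot while Secure Boot is still in setup mode (PCR 7 changes when it is turned on afterwards, and the TPM would then stop unsealing), and only then runs the README's enrollment command. It assumes `bootctl`, `cryptsetup` and `systemd-cryptenroll` are on PATH and that the root partition is LUKS2, which `systemd-cryptenroll` requires.

```shell
#!/usr/bin/env bash
# Added pre-flight wrapper for step 7 (example, not part of this repo).
# Refuses to enroll the TPM2 slot unless `bootctl status` already shows the
# state the chosen PCRs will be measured from: Secure Boot in user mode
# (PCR 7), a TPM2 present, and a measured UKI (PCR 12 = kernel command line).
set -eu

# bootctl_field <status-text> <label>: value of one "Label: value" line.
bootctl_field() {
  printf '%s\n' "$1" |
    awk -v key="$2" -F': *' '{ sub(/^ +/, "", $1) } $1 == key { print $2; exit }'
}

# expect <actual> <wanted> <why>: fail with a reason when a field is not as required.
expect() {
  [ "$1" = "$2" ] || { echo "$3 (got '${1:-unknown}', need '$2')" >&2; return 1; }
}

# sb_preflight <status-text>: 0 when binding to PCRs 0+2+7+12 is safe.
sb_preflight() {
  expect "$(bootctl_field "$1" "Secure Boot")" "enabled (user)" \
    "Secure Boot must be on before enrolling, or PCR 7 changes later and the TPM stops unsealing" || return 1
  expect "$(bootctl_field "$1" "TPM2 Support")" "yes" \
    "firmware reports no TPM2, --tpm2-device=auto has nothing to use" || return 1
  expect "$(bootctl_field "$1" "Measured UKI")" "yes" \
    "UKI is not measured, PCR 12 would not reflect the kernel command line" || return 1
}

# enroll <root-luks-partition>: run the README's command only after the checks pass.
enroll() {
  local dev="${1:?usage: $0 --enroll /dev/<root-luks-partition>}"
  sb_preflight "$(bootctl status)"
  sudo cryptsetup isLuks --type luks2 "$dev"   # systemd-cryptenroll needs LUKS2
  sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+7+12 --wipe-slot=tpm2 "$dev"
  sudo systemd-cryptenroll "$dev"   # list slots: the passphrase slot must still exist
}

# Constructed sample (the bootctl output shown above) so the checks run offline.
SAMPLE_STATUS='System:
      Firmware: UEFI 2.70 (American Megatrends 5.17)
 Firmware Arch: x64
   Secure Boot: enabled (user)
  TPM2 Support: yes
  Measured UKI: yes
  Boot into FW: supported'
case "${1-}" in
  --enroll)   enroll "${2-}" ;;
  --selftest) sb_preflight "$SAMPLE_STATUS" && echo "sample firmware state is OK" ;;
esac
```

The passphrase key slot stays enrolled, so after a firmware update or a Secure Boot policy change the boot falls back to the passphrase prompt; re-run the script to re-seal against the new PCR values.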