Lanzaboote is a Rust-based tool that enables UEFI Secure Boot on NixOS by signing boot components and managing Unified Kernel Images for secure and trusted system booting.
Secure Boot for NixOS [maintainers=@blitz @raitobezarius @nikstur]
This tool is used to implement and manage UEFI Secure Boot on NixOS systems, ensuring that only cryptographically verified kernels, bootloaders, and initrds are executed during boot. It is primarily targeted at NixOS users and maintainers who want to enhance endpoint security by establishing a secure boot chain of trust.
To use Lanzaboote effectively, ensure your system firmware supports UEFI Secure Boot and is kept up to date. A BIOS password or similar restriction is recommended to prevent unauthorized changes to Secure Boot policies. Additionally, the booted system should have integrity protection mechanisms in place. The tool is still under active development and not yet upstreamed into nixpkgs, so involvement and coordination via the Matrix room or GitHub issues are encouraged.
Refer to the QUICK_START.md document in the docs directory for detailed setup instructions.
Ensure your platform supports UEFI Secure Boot.
Use the lzbt command line tool to sign and prepare boot components.
Coordinate via the Matrix room or GitHub issues for contributions or troubleshooting.
lzbt <bootspec>
Signs relevant boot files, creates a Unified Kernel Image, and installs it along with other required files to the EFI System Partition based on a NixOS bootspec document.
lzbt-systemd
A backend for lzbt that integrates with systemd for managing Secure Boot signing and installation.
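As an added illustration of the bootspec input that lzbt consumes (this is not the project's own code), the Python below parses a constructed bootspec v1 document, rejects records that lack required fields or reference paths outside /nix/store, and derives the kernel command line plus the kernel and initrd artifacts a Unified Kernel Image for that generation would embed. The field names follow the bootspec v1 format; the store paths, label and kernel parameters are made-up sample values.

```python
import json

# Constructed sample bootspec v1 document; the store hashes are placeholders.
SAMPLE_BOOTSPEC = json.dumps({
    "org.nixos.bootspec.v1": {
        "init": "/nix/store/aaaa-nixos-system-host-23.11/init",
        "initrd": "/nix/store/bbbb-initrd-linux-6.1/initrd",
        "kernel": "/nix/store/cccc-linux-6.1/bzImage",
        "kernelParams": ["loglevel=4", "amd_iommu=on"],
        "label": "NixOS 23.11 (Linux 6.1)",
        "system": "x86_64-linux",
        "toplevel": "/nix/store/aaaa-nixos-system-host-23.11",
    }
})

REQUIRED = ("init", "initrd", "kernel", "kernelParams", "toplevel")
STORE_PATHS = ("init", "initrd", "kernel", "toplevel")


def parse_bootspec(text):
    """Return the v1 generation record, validating shape and store paths."""
    doc = json.loads(text)
    gen = doc.get("org.nixos.bootspec.v1")
    if gen is None:
        raise ValueError("no org.nixos.bootspec.v1 record in document")
    missing = [k for k in REQUIRED if k not in gen]
    if missing:
        raise ValueError(f"bootspec missing fields: {missing}")
    # Everything that ends up in the signed image must come from the store;
    # a path elsewhere means the generation is not what the build produced.
    for k in STORE_PATHS:
        if not gen[k].startswith("/nix/store/"):
            raise ValueError(f"{k} is not a Nix store path: {gen[k]}")
    if not all(isinstance(p, str) for p in gen["kernelParams"]):
        raise ValueError("kernelParams must be a list of strings")
    return gen


def uki_plan(gen):
    """Describe the UKI for a generation: the command line is init= followed
    by kernelParams, and kernel/initrd are the artifacts embedded in the image
    (hypothetical helper, mirroring how a NixOS boot entry is composed)."""
    cmdline = " ".join([f"init={gen['init']}", *gen["kernelParams"]])
    return {
        "cmdline": cmdline,
        "kernel": gen["kernel"],
        "initrd": gen["initrd"],
        "label": gen.get("label", gen["toplevel"]),
    }
```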