Secureboot with Shim #45

Open
JohnRTitor opened this issue Dec 5, 2024 · 6 comments

@JohnRTitor

SecureBoot support on a Linux distribution requires a shim binary signed by Microsoft to be loaded before boot, and there were some efforts to make it happen on NixOS.

A lot has changed since then: both above-mentioned people are not actively participating in Nixpkgs, and we have an entirely new management structure with the SC.

Could the SC move forward with this? I believe it's not something a random contributor like us can move to the finish line. A security contact from the foundation/organisation is needed.

We can argue over and over about how SecureBoot setup benefits Microsoft, and the UX design is just bad, but it has undoubtedly been adopted by all modern hardware vendors.

Currently, to install NixOS, one needs to disable SecureBoot, which just ends up painting a bad picture, unlike Fedora or Ubuntu, which install fine from the ISO out of the box. Disabling SecureBoot is not something good for security, even though it has its caveats.

Sure, we can reuse the shim binaries that are provided by Ubuntu or Fedora, but again, reusing things from other distros is not a good idea. We'd not have any control over the builds, and those distros can just stop making those builds publicly accessible.


It's time we actually address this issue.

@JohnRTitor
Author

JohnRTitor commented Dec 5, 2024

CC @zimbatm @Mic92 @Lassulus @infinisil and others (I honestly don't know who else to ping)

@infinisil
Member

@zimbatm
Member

zimbatm commented Dec 6, 2024

That sounds good to me! Ultimately, it's up to the SC to decide if they are OK supporting this project. But overall, if there are no significant objections, the main question I see is who is going to drive this effort. If you are, I'm happy to help you by giving you access to the necessary resources and connections.

@JohnRTitor
Author

JohnRTitor commented Dec 6, 2024

As discussed in yesterday's meeting on Matrix:

  • We need a proper SecureBoot and signing implementation first. Lanzaboote in Nixpkgs is the first step towards that.

  • Kernels and initrd have to be signed (by our key) as well; we need to do this with our current system and in a reproducible manner.

  • Then we can move on to removing the blockers from the Org/Foundation side.

  • For initially making a NixOS ISO with SecureBoot support built in, we can get a signed kernel and initrd (from Debian/Ubuntu, for example), and package it with signed shim and grub. We can test how it goes from there.

Relevant PRs: NixOS/nixpkgs#353052

@7c6f434c
Member

7c6f434c commented Dec 6, 2024

Is there a tracking Nixpkgs issue to link here? Hopefully the ability for users to build their own boot images with modified/unsigned kernels stays, so an option to sign should probably be mergeable without intervention from SC, and its development is better tracked in a Nixpkgs tracking issue linking the PRs in that direction.

@JohnRTitor
Author

There is NixOS/nixpkgs#42127; I haven't found any recent issues.
