Secure Boot
This section describes Secure Boot and how to create secure keys.
The reader is expected to know the fundamentals of UEFI and have a basic understanding of Secure Boot UEFI specification.
Enabling Secure Boot
Section titled “Enabling Secure Boot”Secure Boot enrollment is performed during installation when the installer is
run with the -s flag. The installer expects the system firmware to be in
Setup Mode (PK cleared). If PK is present, enrollment will be skipped and you
must clear PK in firmware settings before retrying.
Creating Secure Boot Keys
Section titled “Creating Secure Boot Keys”Secure Boot keys can be created with sbctl, a Secure Boot Manager. sbctl is available in Nixpkgs as pkgs.sbctl.
After you installed sbctl or entered a Nix shell, use the following command to create your Secure Boot keys:
sudo sbctl create-keysUsing “sudo sbctl create-keys” command user can create secure keys on the trusted system.
Current Implementation
Section titled “Current Implementation”For demonstration purposes, we use pre-generated secure keys which are unsecure as whoever has keys can break into the system.
Secure Boot enrollment is performed by the installer when invoked with -s. The
installer uses the key material staged at /etc/ghaf/secureboot/keys and enrolls
PK/KEK/db using EFI authentication files (.auth).
Secure Boot Verification
Section titled “Secure Boot Verification”After installation, verify the enrolled keys from the host:
efi-readvar -v PKefi-readvar -v KEKefi-readvar -v db