Skip to content
Ghaf

Secure Boot

This section describes Secure Boot and how to create secure keys.

The reader is expected to know the fundamentals of UEFI and have a basic understanding of Secure Boot UEFI specification.

Enabling Secure Boot

Section titled “Enabling Secure Boot”

TODO: This needs to be filled later with UKI description.

Creating Secure Boot Keys

Section titled “Creating Secure Boot Keys”

Secure Boot keys can be created with sbctl, a Secure Boot Manager. sbctl is available in Nixpkgs as pkgs.sbctl.

After you installed sbctl or entered a Nix shell, use the following command to create your Secure Boot keys:

Terminal window
sudo sbctl create-keys

Using “sudo sbctl create-keys” command user can create secure keys on the trusted system.

Current Implementation

Section titled “Current Implementation”

For demonstration purposes, we use pre-generated secure keys which are unsecure as whoever has keys can break into the system. Currently, the Secure Boot feature is enabled in debug builds only, since secure key creation requires sudo rights.

Secure Boot Verification

Section titled “Secure Boot Verification”
  • TODO: this needs to be filled.