diff --git a/README.md b/README.md index f7ba0c1..722cd72 100644 --- a/README.md +++ b/README.md @@ -2,24 +2,44 @@ ## System Setup -🐈‍⬛ +> 🐈‍⬛ This is how the process should be, not how it has been done... yet 😉 + +1. `systemctl reboot --firmware-setup`: Activate enrollment of new Secure Boot key in the UEFI + - Depends on vendor, see [lanzaboote docs](https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md#part-2-enabling-secure-boot) +1. Boot into NixOS Live system +1. TODOs at this point: + - sops secrets encryption stuff. + - LUKS HDD encryption with sops stuff + - `sudo sbctl create-keys` with sops stuff. + - See [qo.is docs](https://git.qo.is/qo.is/infrastructure/src/branch/main/nixos-configurations/setup.md) for inspiration + - Configure attic cache substitution in nixos installer +1. ```bash + nixos-anywhere --copy-host-keys --build-on-remote \ + --generate-hardware-config nixos-facter ./nixos-configurations/$REMOTE_HOST/facter.json + --extra-files ... \ + --chown ... \ + --disk-encryption-keys ... \ + --flake .#$REMOTE_HOSTNAME + root@$REMOTE_IP + ``` + - TODO: + - with the secrets from above + - don't do nixos-anywhere phase reboot (secure boot keys not enrolled yet) +1. `sudo sbctl enroll-keys --microsoft`: Enroll our keys in UEFI + - Keeps microsoft keys - some vendor firmware and Windows dual boot require this. +1. `sudo sbctl verify`: Verify Secure Boot signatures. + - `/boot/EFI/nixos/kernel*.efi` is not supposed to be signed. +1. `systemctl reboot`: Boot into your new, signed system. +1. `bootctl status`: Verify that a secure boot worked. + - If not, activate secure boot and try again: `systemctl reboot --firmware-setup` +1. `dotfiles-enroll-tpm`: Enroll the boot PCR measurement based LUKS unlock: + - [See source for details](./packages/dotfiles-enroll-tpm). ### Secure Boot & TPM Disk Unlock See [lanzaboote documentation](https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md) for more information on how to enable secure boot. -1. Create secure boot keys before switching to the system configuration: `sudo sbctl create-keys` -1. After applying the system configuration, verify signatures: `sudo sbctl verify` - - `/boot/EFI/nixos/kernel*.efi` is not supposed to be signed. -1. Activate enrollment of new Secure Boot key in the UEFI: `systemctl reboot --firmware-setup` - - Depends on vendor, see [lanzaboote docs](https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md#part-2-enabling-secure-boot) -1. Boot linux, run `sudo sbctl enroll-keys --microsoft` - - Keeps microsoft keys - some vendor firmware and Windows dual boot require this. -1. Activate secure boot: `systemctl reboot --firmware-setup` -1. Boot your system and verify that a secure boot worked with: `bootctl status` -1. After enabling secure boot, enroll the boot PCR measurement based LUKS unlock: `dotfiles-enroll-tpm` - - [See source for details](./packages/dotfiles-enroll-tpm). - - With `nixos-rebuild {switch|boot}`, new EFI files will be automatically signed. - In case your firmware or boot process changes, you need to insert the luks password manually. - - After a successful boot, you can re-enroll with `dotfiles-enroll-tpm`. + - This should **not** happen just because of kernel updates (but might with boot param changes.) + - After a successful boot, you can re-enroll the new secure state with `dotfiles-enroll-tpm`.