.github/workflows Enable more formatters 2025-03-03 23:50:23 +02:00
home-configurations Add initial legacy configuration 2025-02-22 20:40:24 +02:00
home-modules zed: Switch to typos plugin 2025-03-05 16:20:06 +02:00
nixos-configurations Add anki 2025-03-04 14:27:25 +02:00
nixos-modules Update and clean up modules 2025-03-03 23:46:19 +02:00
packages/dotfiles-enroll-tpm Add documentation and script for secure boot 2025-03-07 15:06:46 +02:00
private@f2b5747476 Add initial legacy configuration 2025-02-22 20:40:24 +02:00
.envrc Add initial legacy configuration 2025-02-22 20:40:24 +02:00
.gitignore Add pre-commit fmt hook 2025-03-04 14:40:29 +02:00
.gitmodules Update private submodule url 2025-03-03 21:21:46 +02:00
flake.lock Add pre-commit fmt hook 2025-03-04 14:40:29 +02:00
flake.nix Add documentation and script for secure boot 2025-03-07 15:06:46 +02:00
README.md Add documentation and script for secure boot 2025-03-07 15:06:46 +02:00
renovate.json Enable more formatters 2025-03-03 23:50:23 +02:00

Fabian's Dotfiles

System Setup

🐈‍⬛

Secure Boot & TPM Disk Unlock

See the lanzaboote documentation for more information on how to enable secure boot.

  1. Create secure boot keys before switching to the system configuration: sudo sbctl create-keys
  2. After applying the system configuration, verify signatures: sudo sbctl verify
    • /boot/EFI/nixos/kernel*.efi is not supposed to be signed.
  3. Enable enrollment of new Secure Boot keys in the UEFI firmware setup: systemctl reboot --firmware-setup
  4. Boot Linux and run: sudo sbctl enroll-keys --microsoft
    • Keeps the Microsoft keys; some vendor firmware and Windows dual boot require this.
  5. Activate secure boot: systemctl reboot --firmware-setup
  6. Boot your system and verify that secure boot worked with: bootctl status
  7. After enabling secure boot, enroll the LUKS unlock based on boot PCR measurements: dotfiles-enroll-tpm
  • With nixos-rebuild {switch|boot}, new EFI files will be automatically signed.
  • If your firmware or boot process changes, you need to enter the LUKS password manually.
    • After a successful boot, you can re-enroll with dotfiles-enroll-tpm.
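
A preflight check for the gap between steps 6 and 7, as an added example that is not part of this repository: it reads the standard SecureBoot and SetupMode UEFI variables from efivarfs and succeeds only when Secure Boot is enforced. The function names and the make_sample_efivars helper (which writes constructed test data) are assumptions of this example, and it does not inspect what dotfiles-enroll-tpm itself does.

```shell
#!/bin/sh
# Added example (not part of the dotfiles repo): decide whether step 7 may run.
# efivarfs files hold 4 attribute bytes followed by the variable's data.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c   # UEFI global variable GUID

# Print the first data byte (offset 4) of an efivarfs file as a decimal number.
efivar_byte() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n'
}

# Print enabled, setup-mode, disabled or unknown for the efivars directory $1.
secure_boot_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    sb=$(efivar_byte "$dir/SecureBoot-$EFI_GLOBAL") || sb=
    setup=$(efivar_byte "$dir/SetupMode-$EFI_GLOBAL") || setup=
    if [ -z "$sb" ]; then echo unknown
    elif [ "$setup" = 1 ]; then echo setup-mode
    elif [ "$sb" = 1 ]; then echo enabled
    else echo disabled
    fi
}

# Succeed only when Secure Boot is enforced; otherwise name the step to redo.
ready_for_tpm_enroll() {
    case $(secure_boot_state "$1") in
        enabled)    return 0 ;;
        setup-mode) echo "Setup Mode: keys not enrolled yet, redo step 4" >&2 ;;
        disabled)   echo "Secure Boot is off, redo step 5" >&2 ;;
        *)          echo "no Secure Boot variables, not booted via UEFI?" >&2 ;;
    esac
    return 1
}

# Constructed sample: write a fake efivars directory (SecureBoot=$2, SetupMode=$3).
make_sample_efivars() {
    for pair in "SecureBoot:$2" "SetupMode:$3"; do
        { printf '\006\000\000\000'; printf "\\00${pair#*:}"; } \
            > "$1/${pair%%:*}-$EFI_GLOBAL"
    done
}

# Check the running system when executed directly.
if ready_for_tpm_enroll; then
    echo "Secure Boot enforced: safe to run dotfiles-enroll-tpm"
fi
```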