
# Fabian's Dotfiles

## System Setup

🐈‍⬛

### Secure Boot & TPM Disk Unlock

See the lanzaboote documentation for more information on how to enable Secure Boot.

1. Create the Secure Boot keys before switching to the system configuration: `sudo sbctl create-keys`
2. After applying the system configuration, verify the signatures: `sudo sbctl verify`
    - `/boot/EFI/nixos/kernel*.efi` is not supposed to be signed.
3. Enable enrollment of a new Secure Boot key in the UEFI setup: `systemctl reboot --firmware-setup`
4. Boot Linux and run `sudo sbctl enroll-keys --microsoft`
    - Keeps the Microsoft keys; some vendor firmware and Windows dual-boot setups require them.
5. Activate Secure Boot: `systemctl reboot --firmware-setup`
6. Boot your system and verify that Secure Boot is active with `bootctl status`
7. After enabling Secure Boot, enroll the PCR-measurement-based LUKS unlock: `dotfiles-enroll-tpm`

- With `nixos-rebuild {switch|boot}`, new EFI files are signed automatically.
- If your firmware or boot process changes, the PCR measurements no longer match and you need to enter the LUKS passphrase manually.
    - After a successful boot, you can re-enroll with `dotfiles-enroll-tpm`.
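Steps 2 and 7 together mean the TPM unlock should only be enrolled once `sbctl verify` reports nothing unsigned apart from the tolerated kernel image. The following is an added example, not part of these dotfiles or of sbctl: it filters `sbctl verify`-style lines (format assumed from typical sbctl output, sample lines constructed here), ignores `/boot/EFI/nixos/kernel*.efi`, and fails if any other EFI binary is unsigned.

```shell
#!/bin/sh
# Added example (not from the dotfiles repository). Reads `sbctl verify`
# output on stdin and prints every path reported unsigned that is NOT the
# lanzaboote kernel image, which is expected to stay unsigned. Assumed line
# shape (typical sbctl output): "<mark> <path> is signed" / "... is not signed".
# Returns 0 when the boot chain is fully signed apart from that exception,
# 1 otherwise, so it can gate the TPM enrollment step.
unexpected_unsigned() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            *" /"*"is not signed"*) ;;   # only unsigned-file lines carrying a path
            *) continue ;;
        esac
        path=${line#* /}                 # drop the status mark before the path
        path=/${path%% *}                # keep the path token (paths without spaces assumed)
        case "$path" in
            /boot/EFI/nixos/kernel*.efi) continue ;;   # tolerated: not supposed to be signed
        esac
        printf '%s\n' "$path"
        rc=1
    done
    return "$rc"
}

# Constructed sample in the shape of `sbctl verify` output (not captured from a real system).
sample_verify_output() {
    cat <<'EOF'
Verifying file database and EFI images in /boot...
✓ /boot/EFI/BOOT/BOOTX64.EFI is signed
✓ /boot/EFI/Linux/nixos-generation-42.efi is signed
✗ /boot/EFI/nixos/kernel-6.6.0.efi is not signed
✗ /boot/EFI/Linux/nixos-generation-41.efi is not signed
EOF
}

# On the sample this prints only the generation-41 image and returns 1.
# Real use (hypothetical wiring): sudo sbctl verify | unexpected_unsigned && dotfiles-enroll-tpm
check_sample() {
    sample_verify_output | unexpected_unsigned
}
```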