diff --git a/README.md b/README.md index 99c713db..949b30fa 100644 --- a/README.md +++ b/README.md @@ -112,6 +112,8 @@ Completed ToDo List [here](docs/complete.md) --- # Lanzaboote / SecureBoot * Instructions here - [Link](https://git.sysctl.io/Mirrors/lanzaboote/src/branch/master/docs/QUICK_START.md) + +## Generic Instructions: 1. Create your keys: `sbctl create-keys` 2. Verify your machine is ready for SecureBoot: `sbctl verify` - Everything except `*-bzImage.efi` are signed 3. Enter Secureboot Setup mode in your EFI Settings on the motherboard (F10) @@ -120,6 +122,10 @@ Completed ToDo List [here](docs/complete.md) * If you wish, you can select `--tpm-eventlog`, but checksums will change later (ie, at a kernel rebuild) 5. Reboot and verify you are activated: `bootctl status` +## Framework Specific: +1. Change boot import from `boot.nix` to `secureboot.nix` +2. Reboot into EUFI and set SecureBoot to "" + # Manual: GPG Keys 1. Import the user private key: `gpg --import gpg/users/albert/privkey.asc` 2. Mark it as trusted: `gpg --edit-key albert@sysctl.io`, then type `trust`, then `5` diff --git a/nixos/hosts/nixos-framework/default.nix b/nixos/hosts/nixos-framework/default.nix index f66415e8..92845a71 100644 --- a/nixos/hosts/nixos-framework/default.nix +++ b/nixos/hosts/nixos-framework/default.nix @@ -4,8 +4,8 @@ (modulesPath + "/installer/scan/not-detected.nix") ./disks.nix ../../common/services/tailscale-autoconnect.nix - # ../../common/modules/secureboot.nix - ../../common/modules/boot.nix + ../../common/modules/secureboot.nix + # ../../common/modules/boot.nix ../../common/modules/udev-rules.nix ../../common/services/podman.nix ];
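Review bot: the new `## Generic Instructions:` heading in the first README hunk ends with a trailing colon, which does not match the existing heading style on the page (`# Lanzaboote / SecureBoot`, `# Manual: GPG Keys`); drop the trailing colon here and in the sibling `## Framework Specific:` heading so the section titles are consistent.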
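Review bot: in the second README hunk, step 2 of the Framework Specific section is incomplete: `Reboot into EUFI and set SecureBoot to ""` names no value for the setting, so a reader cannot follow it, and `EUFI` should read `UEFI`. Fill in the actual firmware setting this step expects, and in step 1 say which file the import is changed in (the nix hunk shows it is `nixos/hosts/nixos-framework/default.nix`) so the step can be carried out without reading the diff.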
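Review bot: the `default.nix` hunk keeps the old `boot.nix` import as a commented-out line next to the now-active `secureboot.nix` import; either remove the dead line or add a short comment saying it is kept as the rollback path, otherwise it is unclear whether both modules are meant to coexist. Since this swap is what makes the host boot through Lanzaboote, it is also worth noting in the README that the generic steps (`sbctl create-keys`, `sbctl verify`, enrolling keys) should be completed before this import is switched, so the machine is not left with SecureBoot enforced and unsigned boot entries.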