iFargle 2024-02-10 10:39:17 +09:00
parent 91a44c646e
commit 84e08f8c8e
2 changed files with 8 additions and 2 deletions

@ -112,6 +112,8 @@ Completed ToDo List [here](docs/complete.md)
--- ---
# Lanzaboote / SecureBoot # Lanzaboote / SecureBoot
* Instructions here - [Link](https://git.sysctl.io/Mirrors/lanzaboote/src/branch/master/docs/QUICK_START.md) * Instructions here - [Link](https://git.sysctl.io/Mirrors/lanzaboote/src/branch/master/docs/QUICK_START.md)
## Generic Instructions:
1. Create your keys: `sbctl create-keys` 1. Create your keys: `sbctl create-keys`
2. Verify your machine is ready for SecureBoot: `sbctl verify` - Everything except `*-bzImage.efi` are signed 2. Verify your machine is ready for SecureBoot: `sbctl verify` - Everything except `*-bzImage.efi` are signed
3. Enter Secureboot Setup mode in your EFI Settings on the motherboard (F10) 3. Enter Secureboot Setup mode in your EFI Settings on the motherboard (F10)
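Review bot: the new `## Generic Instructions:` heading lands below the "Instructions here" link bullet, so that link no longer clearly belongs to either subsection, and the numbered list under it is later followed by a `## Framework Specific:` list that restarts at 1. Drop the trailing colon to match the `# Lanzaboote / SecureBoot` heading style, and add one line saying whether the Framework steps replace these steps or follow them.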
@ -120,6 +122,10 @@ Completed ToDo List [here](docs/complete.md)
* If you wish, you can select `--tpm-eventlog`, but checksums will change later (ie, at a kernel rebuild) * If you wish, you can select `--tpm-eventlog`, but checksums will change later (ie, at a kernel rebuild)
5. Reboot and verify you are activated: `bootctl status` 5. Reboot and verify you are activated: `bootctl status`
## Framework Specific:
1. Change boot import from `boot.nix` to `secureboot.nix`
2. Reboot into EUFI and set SecureBoot to ""
# Manual: GPG Keys # Manual: GPG Keys
1. Import the user private key: `gpg --import gpg/users/albert/privkey.asc` 1. Import the user private key: `gpg --import gpg/users/albert/privkey.asc`
2. Mark it as trusted: `gpg --edit-key albert@sysctl.io`, then type `trust`, then `5` 2. Mark it as trusted: `gpg --edit-key albert@sysctl.io`, then type `trust`, then `5`
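Review bot: step 2 under `## Framework Specific:` is unfinished: `set SecureBoot to ""` has an empty value and `EUFI` should read `UEFI`, so a reader cannot tell which firmware setting to pick. Fill in the intended value, and state where these two steps sit relative to generic steps 1 to 5, because the README currently leaves open whether the import is switched to `secureboot.nix` before or after `sbctl create-keys` has been run.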

@ -4,8 +4,8 @@
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
./disks.nix ./disks.nix
../../common/services/tailscale-autoconnect.nix ../../common/services/tailscale-autoconnect.nix
# ../../common/modules/secureboot.nix ../../common/modules/secureboot.nix
../../common/modules/boot.nix # ../../common/modules/boot.nix
../../common/modules/udev-rules.nix ../../common/modules/udev-rules.nix
../../common/services/podman.nix ../../common/services/podman.nix
]; ];
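Review bot: the import swap leaves `# ../../common/modules/boot.nix` behind as a commented-out line, so the choice between the two boot modules lives in comment toggles and nothing visible here prevents both, or neither, from being imported after a later edit. Delete the dead line or put the choice behind a single option, and record in the commit message that the keys were created and enrolled on this host (README steps 1 to 5) before the switch, since the diff alone does not show it.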