Secure boot protects against evil maid attacks, but no one would ever need use an evil maid attack on a NixOS user because anyone can merge whatever they want to NixOS without signature or review, particularly given that any maintainer can merge their own commits from their own pseudonyms.
NixOS is always one compromised Github API token away from a backdoor into everything built with NixOS.
I cannot imagine a threat model that would need secure boot yet accept the risks of NixOS.
pkulak 6 hours ago [-]
> without signature or review
What are you on about now? I got _one_ of my projects accepted into NixPkgs a couple years ago and have never done it since due to the huge PITA it was to find someone with contributor rights to sign off on it. If I want to update it, same hassle. Now I prefer to just throw a flake in the root of the project and call it good, which actually works really well.
Wait until you find out that Arch has both secure boot and the AUR.
c0balt 21 hours ago [-]
Lanzaboote is great, I've been using it for almost a year now in a dual boot with Windows 11 for full secure boot on my desktop. It is quite stable (notably was set and forget) and the initial setup was relatively easy.
e12e 6 hours ago [-]
Does it play well with bitkeeper full disk encryption?
Previous attempts at dual booting windows 11 on a laptop - I had issues when Linux updated boot alternatives - windows would demand bitkeeper recovery key input.
pyrophane 22 hours ago [-]
Huh, as a Lanaboote user I’m surprised to see this on the front page. I use this in combination with sbctl for key generation. I’m mostly using it because I wanted to set up full disk encryption with TPM2 auth.
13 hours ago [-]
krautsauer 20 hours ago [-]
This needs a (2022).
digdugdirk 10 hours ago [-]
That looks like a really nice hackathon! That said, the fact that they probably had a majority of the best NixOS developers in the world under one roof and they weren't solely focused on NixOS error messages is borderline criminal...
evilmonkey19 4 days ago [-]
Browsing the internet about secure boot and NixOS, I found the article of one of the creators
aiscoming 14 hours ago [-]
this is how Microsoft wins the war against general computing
you must not join it, refuse to lockdown your computer
irusensei 13 hours ago [-]
Secure boot and TPM are good technologies. You can roll your own keys and Microsoft won't have anything on it.
Do people still think you need to have your boot program signed by Microsoft in order to use it?
I also wonder if this sentiment is what stalled development in other more traditional projects like BSD derivatives. I'd love to have FreeBSD with secure boot and loading ZFS keys from the TPM.
weightedreply 7 hours ago [-]
Microsoft's certification states that OEM's must allow the user to configure secure boot to trust other bootloader's.
Interesting. I had a 705 G4 (or 74 g5? Idk the one with the Ryzen 2400Ge) and the firmware supported putting the machine secure boot system on setup mode.
Probably integrating something like sbctl (https://github.com/Foxboron/sbctl#sbctl---secure-boot-manage...) would do the trick, it's making the whole signing and key management dance easy.
Seems to already work together with limine on NixOS too: https://search.nixos.org/options?channel=25.11&query=sbctl#s...
NixOS is always one compromised Github API token away from a backdoor into everything built with NixOS.
I cannot imagine a threat model that would need secure boot yet accept the risks of NixOS.
What are you on about now? I got _one_ of my projects accepted into NixPkgs a couple years ago and have never done it since due to the huge PITA it was to find someone with contributor rights to sign off on it. If I want to update it, same hassle. Now I prefer to just throw a flake in the root of the project and call it good, which actually works really well.
Wait until you find out that Arch has both secure boot and the AUR.
Previous attempts at dual booting windows 11 on a laptop - I had issues when Linux updated boot alternatives - windows would demand bitkeeper recovery key input.
you must not join it, refuse to lockdown your computer
Do people still think you need to have your boot program signed by Microsoft in order to use it?
I also wonder if this sentiment is what stalled development in other more traditional projects like BSD derivatives. I'd love to have FreeBSD with secure boot and loading ZFS keys from the TPM.
https://learn.microsoft.com/en-us/windows/security/operating...
However OEM's like HP are ignoring the certification requirements:
https://h30434.www3.hp.com/t5/Notebook-Operating-System-and-...
https://h30434.www3.hp.com/t5/Notebook-Boot-and-Lockup/How-t...