Enabling lanzaboote on initial installation #397
Comments
You can create your own ISO with your keys in it and a signed kernel. Then, you would only need to import the keys into the machine and copy the keys from the ISO to the installation.
Hey, thanks for your answer.
I think this is a misunderstanding of the guide, as I'm pretty sure I installed lanzaboote directly. As the module just replaces systemd-boot, in theory if it has everything in place it should work.
Hi there, Nonetheless, as long as you copied the keys from another location, you can immediately use lanzaboote on the first nixos-install. Lanzaboote will not enforce Secure Boot if Secure Boot is disabled; as soon as you enroll the keys, Secure Boot will be enabled and your bootables will be signed according to the right keys, so it should work out fine in the end. The guide is a bit conservative to avoid bad experiences, but it could indeed benefit from some clarification.
This is the whole point of #384. This subject is kinda controversial with the maintainers/developers of the repository as seen in the comments of the PR.
As far as I'm concerned I'm fine with needing to run one or two extra commands as part of my install. That is already scripted anyway for all partitioning, encryption, git clone, hardware config generation, etc. So I don't mind that it doesn't run At this point I'm rather reassured by #397 (comment) but I haven't tested it yet.
I can assure you it works. I already did that.
Thanks! Then this issue only tracks documentation update that this works I guess.
Hello! I've been using this successfully for a few months, and I'd like to generalize its usage.
Readme specifies:
lanzaboote/docs/QUICK_START.md
Lines 33 to 35 in f5a3a7d
I'd like to be able to apply a configuration with lanzaboote enabled as I run nixos-install, and not have to manually temporarily disable it from my config during the installation, then re-enable it after the installation.
Could you please expand on the limitations that prevent from running sbctl create-keys prior to installation, then applying the initial configuration with lanzaboote enabled right away?
Thanks!