
Indeed.

As soon as lanzaboote works with stable, I'll go back to stable (but I think that is not the case yet, sadly).

Lowkey plug for lanzaboote though. Getting secure boot working went pretty well for me thanks to it.

Does Secure Boot with NixOS even make sense? In an ordinary Secure Boot setup, you get the kernel/initrd/etc. with signatures from a trusted vendor, but with NixOS it is going to obviously sign everything locally. That means that you are not protected against bootkits and a root compromise is still just as bad as ever.

I suppose in combination with LUKS you could at least prevent evil maid attacks, to the extent that your machine's firmware is actually secure, but it seems like a lot of work for just that...


To be honest, for me it boiled down to "I don't have to type in my LUKS password by hand" combined with some intellectual curiosity.

I didn't have some strong security-driven mindset behind it.

That said, I did also lock down my BIOS with a password (to prevent disabling secure boot).


+1.

I'm keen for secure boot and TPM FDE, and would like to see lanzaboote in nixpkgs.
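Added example, not written by any commenter and not taken from the lanzaboote project: a NixOS module that combines lanzaboote Secure Boot with a TPM2-unlocked LUKS root, with the TPM policy bound to PCR 7 so that switching Secure Boot off or enrolling different keys stops the automatic unlock. It assumes the lanzaboote flake module is already imported; the volume name, UUID and key directory are placeholders.

```nix
# Added example (not from the thread or the lanzaboote project).
# Assumptions: the lanzaboote NixOS module is imported elsewhere, the LUKS
# UUID and volume name are placeholders, sbctl keys live in /etc/secureboot.
{ lib, ... }:
{
  boot.loader.efi.canTouchEfiVariables = true;

  # lanzaboote replaces systemd-boot as the installed loader and signs each
  # generation's unified kernel image with the locally generated keys.
  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.lanzaboote = {
    enable = true;
    pkiBundle = "/etc/secureboot";
  };

  # systemd in the initrd is what performs crypttab-style TPM2 unlock.
  boot.initrd.systemd.enable = true;
  boot.initrd.luks.devices."cryptroot" = {
    device = "/dev/disk/by-uuid/PLACEHOLDER-LUKS-UUID";
    # Ask the TPM first; if the PCR policy no longer matches (Secure Boot
    # disabled, other keys enrolled) systemd falls back to the passphrase.
    crypttabExtraOpts = [ "tpm2-device=auto" ];
  };
}

# One-time enrollment, run as root with the module deployed:
#   sbctl create-keys                 # local PK/KEK/db key pairs
#   nixos-rebuild switch              # lanzaboote signs the generation
#   sbctl verify                      # every file under /boot reports signed
#   sbctl enroll-keys --microsoft     # firmware in Setup Mode; keep MS certs
#                                     # so signed option ROMs still load
#   reboot, then: bootctl status      # expect "Secure Boot: enabled"
#   systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 \
#       /dev/disk/by-uuid/PLACEHOLDER-LUKS-UUID
# PCR 7 records the Secure Boot state and the certificate that verified the
# loaded image, so disabling Secure Boot or swapping keys changes it and the
# TPM withholds the LUKS key; a firmware password keeps that toggle from
# being flipped in the first place.
```

Binding only PCR 7 survives firmware updates; adding PCRs such as 0 tightens the policy but means re-enrolling after each firmware change.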
