Comments (7)
Do you get this message when you call sbctl verify? The kernel is not supposed to be signed because it could otherwise be used by a sort of downgrade attack where someone with access to your disks could add a systemd-boot type 1 entry and just boot your separately signed kernel.
In short: it is expected that the kernel is not signed. sbctl, however, has no way of knowing that we're still booting securely.
from lanzaboote.
Which is why I was surprised: it wasn't signed on my other machine either, and it was fine. But this machine, when I enable secure boot, fails to boot with a message (not exactly the above, just something like it, but specifically mentioning the bzImage) saying that piece isn't signed properly, with the message highlighted in red.
Can you check if you have any old entries in /boot/loader/entries?
I found the issue. My ESP partition was corrupted; I fixed it, redid everything, and that resolved it!
Awesome! We actually had a similar situation recently where the ESP was corrupt and systemd-boot just showed no entries because all the kernels and initrds vanished. This would be solved if NixOS used systemd's automounts, where fsck is run on each access. Maybe we just need to add an fsck to lzbt, or at least mention it in the docs.
Edit: Awesome that you fixed it, not that the ESP was corrupted :D
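The two checks suggested in this thread (look for leftover type 1 entries under loader/entries, and fsck the ESP) as an added example in POSIX sh. This is not lanzaboote's code and nothing like it ships with lzbt; it assumes the ESP is mounted at the path passed as the first argument (the NixOS default is /boot), that type 1 entries are the *.conf files under loader/entries, and that fsck.vfat and findmnt are optional and only used when installed. The kernel referenced by a type 1 entry is expected to be unsigned, as explained above, so the script reports what each entry points at rather than trying to verify it; the point is that after switching to lanzaboote any entry listed here is stale and should be removed.

```shell
#!/usr/bin/env sh
# Added example (not part of lanzaboote): audit an ESP for stale systemd-boot
# type 1 entries and check its FAT filesystem without modifying it.
# Assumption: $1 is the mounted ESP (NixOS default: /boot).

# Print each type 1 entry under <esp>/loader/entries together with the
# kernel and initrd paths it references and whether those files still exist.
# With lanzaboote the bootable generations are the signed stubs under
# EFI/Linux, so anything listed here is a leftover that systemd-boot will
# still offer in its menu (and refuse to boot under Secure Boot).
list_type1_entries() {
    esp="$1"
    dir="$esp/loader/entries"
    [ -d "$dir" ] || return 0
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        printf 'entry: %s\n' "$(basename "$conf")"
        # 'linux' and 'initrd' keys hold paths relative to the ESP root
        while read -r key value; do
            case "$key" in
                linux|initrd)
                    if [ -f "$esp/$value" ]; then state=present; else state=MISSING; fi
                    printf '  %s %s (%s)\n' "$key" "$value" "$state"
                    ;;
            esac
        done < "$conf"
    done
}

# Number of type 1 entries; 0 is what a pure lanzaboote setup should report.
count_type1_entries() {
    esp="$1"
    n=0
    for conf in "$esp"/loader/entries/*.conf; do
        [ -f "$conf" ] && n=$((n + 1))
    done
    echo "$n"
}

# Read-only consistency check of the block device backing the ESP.
# fsck.vfat -n answers "no" to every repair prompt, so it never writes to the
# disk; repair (fsck.vfat -a on the unmounted device) is a separate, deliberate
# step once you have a copy of the partition.
check_esp_fs() {
    esp="$1"
    command -v findmnt >/dev/null || { echo "findmnt not installed"; return 1; }
    command -v fsck.vfat >/dev/null || { echo "fsck.vfat not installed"; return 1; }
    dev=$(findmnt -n -o SOURCE --target "$esp") || return 1
    fsck.vfat -n "$dev"
}
```

Typical use on a NixOS machine is `list_type1_entries /boot` followed by `check_esp_fs /boot`; the first should print nothing once only lanzaboote stubs remain, and a non-zero exit from the second is the "entries vanished" situation described above, where the ESP needs repairing before redoing the lanzaboote install.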
We really need to add lzbt fsck
yes
We actually had a similar situation recently where the ESP was corrupt and systemd-boot just showed no entries because all the kernels and initrds vanished.
I said that USB keys were not an appropriate medium for NixOS systems :DDDDDDD
FAT32 on USB keys on non-live systems := let's test how non-journaled systems fail in horrible ways :)