clan/clan-core
12
4
Fork 19
Code Issues 108 Pull Requests 2 Actions Packages Projects 1 Releases Wiki Activity

Ask linuxhackermann about shim keys #1239

New Issue
Closed
opened 2024-04-17 11:10:38 +00:00 by Qubasa · 0 comments
Qubasa commented 2024-04-17 11:10:38 +00:00
Owner
Copy Link
  • The goal is to have a shim signed that trusts their vendor keys, which will allow them to sign necessary parts for an installer.
  • This installer would then be able to generate and apply Machine Owner Keys (MOKs) and sign systems with lanzaboote, enabling user-configured setups to boot.
  • The project is largely completed as per their GitHub repository https://github.com/raitobezarius/nixos-shim, but they are still missing:
    1. A signing infrastructure where the vendor key is secured in a hardware token.
    2. The completion and submission of a shim-review application, which is partly dependent on setting up the signing infrastructure.
    3. Implementation of the MOK-related features, intended as a project for a second funding round that has not yet been successful.
  • Hackerman expressed a lack of motivation due to financial constraints and broader challenges within the Nix community.
- The goal is to have a shim signed that trusts their vendor keys, which will allow them to sign necessary parts for an installer. - This installer would then be able to generate and apply Machine Owner Keys (MOKs) and sign systems with lanzaboote, enabling user-configured setups to boot. - The project is largely completed as per their GitHub repository https://github.com/raitobezarius/nixos-shim, but they are still missing: 1. A signing infrastructure where the vendor key is secured in a hardware token. 2. The completion and submission of a shim-review application, which is partly dependent on setting up the signing infrastructure. 3. Implementation of the MOK-related features, intended as a project for a second funding round that has not yet been successful. - Hackerman expressed a lack of motivation due to financial constraints and broader challenges within the Nix community.
Qubasa self-assigned this 2024-04-17 11:10:38 +00:00
lassulus was assigned by Qubasa 2024-04-17 11:10:38 +00:00
Qubasa added this to the Clan_Kanban_Board project 2024-04-17 11:10:38 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels   
backups

   
blog

   
bootstrapping

Issues regarding bootstrapping, or onboarding

  
bug

Something is not working.

  
changes-requested

Please fix this.

  
cli

   
documentation

   
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
facts

Issues regarding facts and secrets setting and generation

  
help wanted

Need some help

  
invalid

Something is wrong

  
Inventory

Inventory

  
low_prio

   
manager

   
modules

   
needs-review

This PR needs to be reviewed. Use the request-changes label to request changes

  
networking

   
packaging

   
question

More information is needed

  
secrets

   
template

Issues regarding templates.

  
test

Issues regarding testing

  
tooling

Issues regarding internal devtools

  
user-testing

Issues that cristallised after hands on user testing.

  
vm

Issues regarding virtual machines.

  
wontfix

This won't be fixed

No Label
backups
blog
bootstrapping
bug
changes-requested
cli
documentation
duplicate
enhancement
facts
help wanted
invalid
Inventory
low_prio
manager
modules
needs-review
networking
packaging
question
secrets
template
test
tooling
user-testing
vm
wontfix
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Clan_Kanban_Board
Assignees
Clear assignees
No Assignees
Qubasa
lassulus
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: clan/clan-core#1239
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?