Grant
Theme fund: NGI Fediversity Fund
Start: 2025-12

Runtime NixOS Closure Verification

Ensure whole-system security with verified boot for NixOS configurations

Verified boot technologies like "Secure Boot" enforce system security by requiring the booted operating system to be trusted by the system administrator or hardware vendor, but existing approaches for NixOS and other general-purpose Linux distributions only validate the kernel and the "stage 1" software used in early boot. This project addresses this large remaining attack surface by extending the validation to cover the entire "stage 2" system configuration, utilizing NixOS's declarative whole-system configuration approach and Linux kernel technologies like overlayfs and fs-verity. This will enable users to greatly enhance the security of all kinds of NixOS systems, including desktops, servers, and special-purpose appliances.

This project was funded through the NGI Fediversity Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, as a pilot programme under the aegis of DG Communications Networks, Content and Technology. NGI Fediversity is part of the Horizon Europe research and innovation programme under grant agreement No. 101136078.