End-to-end NixOS boot security
Ensure whole-system security with verified boot for NixOS configurations
Trusted boot technologies like Secure Boot and TPM measured boot enhance system security by requiring the booted operating system to be trusted by the system administrator or hardware vendor. This project will implement trusted boot for NixOS using a new design for signing within Nix builds, focusing on readiness for official Secure Boot requirements while preserving reproducibility and maximizing user freedom and flexibility. We will also take advantage of NixOS's declarative whole-system approach and Linux technologies like overlayfs and fs-verity to provide trust for the entire system configuration, addressing the large remaining "stage 2" attack surface. This will allow greatly enhancing the security of all kinds of NixOS systems, including servers, desktops, and special-purpose appliances.
This project was funded through the NGI Fediversity Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, as a pilot programme under the aegis of DG Communications Networks, Content and Technology. NGI Fediversity is part of the Horizon Europe research and innovation programme under grant agreement No. 101136078.
