Merge pull request #93 from nix-community/quick-start-updates
Update Sharp Edges in Quickstart Docs
blitz authored Feb 3, 2023
2 parents 37ccc5d + cc2af0a commit cb315d5
Showing 1 changed file with 22 additions and 13 deletions.
35 changes: 22 additions & 13 deletions docs/QUICK_START.md
@@ -167,18 +167,20 @@ Verifying file database and EFI images in /boot...
✓ /boot/EFI/BOOT/BOOTX64.EFI is signed
✓ /boot/EFI/Linux/nixos-generation-355.efi is signed
✓ /boot/EFI/Linux/nixos-generation-356.efi is signed
/boot/EFI/nixos/0n01vj3mq06pc31i2yhxndvhv4kwl2vp-linux-6.1.3-bzImage.efi is signed
/boot/EFI/nixos/0n01vj3mq06pc31i2yhxndvhv4kwl2vp-linux-6.1.3-bzImage.efi is not signed
✓ /boot/EFI/systemd/systemd-bootx64.efi is signed
```

🔪 **Sharp edge:** 🔪 In case something is **not** signed in the
`sbctl verify` output, you have hit a bug
([#39](https://github.com/nix-community/lanzaboote/issues/39)). You
**have to fix this** to avoid ending up with an unbootable system
([#58](https://github.com/nix-community/lanzaboote/issues/58)). The
way to solve this is **deleting** the unsigned files indicated by
`sbctl` and switching to the configuration again. This will copy and
sign the missing files.
It is expected that the files ending with `bzImage.efi` are _not_
signed.

🔪 **Sharp edge:** 🔪 In case any of the `nixos-generation-*.efi`
files are not signed, you have hit a bug
([#39](https://github.com/nix-community/lanzaboote/issues/39)). This
issue will prevent the system from booting successfully when Secure
Boot is enabled. The way to solve this is **deleting** the unsigned
files indicated by `sbctl` and switching to the configuration
again. This will copy and sign the missing files.

## Part 2: Enabling Secure Boot

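Review bot: the new sharp edge ("deleting the unsigned files indicated by `sbctl`") is ambiguous right after the paragraph that says files ending in `bzImage.efi` are expected to be unsigned: in the sample output above, `sbctl verify` reports `/boot/EFI/nixos/...-bzImage.efi is not signed`, so "the unsigned files indicated by `sbctl`" reads as including the kernel image. Say explicitly "deleting the unsigned `nixos-generation-*.efi` files" so nobody removes `/boot/EFI/nixos/*-bzImage.efi` while applying the fix. Two smaller points: the rewrite drops the link to #58 that the old text used to back the unbootable-system warning, and keeping that reference lets readers recognise the symptoms; and one clause on why an unsigned `bzImage.efi` is acceptable would make the "expected" statement less alarming, particularly since the Troubleshooting section added further down says Lanzaboote verifies a cryptographic hash at boot.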
@@ -236,12 +238,19 @@ System:

That's all! 🥳

## Troubleshooting

If your system doesn't boot with Secure Boot enabled, the most likely
issue is that Lanzaboote could not verify a cryptographic hash. To
recover from this, disable Secure Boot in your firmware
settings. Please file a bug, if you hit this issue.

## Disabling Secure Boot and Lanzaboote

When you want to get back to a system without the Secure Boot stack,
**first** disable Secure Boot in your firmware settings. Then you can
disable the Lanzaboote related settings in the NixOS configuration and
rebuild.
When you want to permanently get back to a system without the Secure
Boot stack, **first** disable Secure Boot in your firmware
settings. Then you can disable the Lanzaboote related settings in the
NixOS configuration and rebuild.

You may need to clean up the `EFI/Linux` directory in the ESP manually
to get rid of stale boot entries. **Please backup your ESP, before you
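Review bot: the new Troubleshooting section stops at "disable Secure Boot in your firmware settings" and never says how to get back to a bootable Secure Boot state; since the page already documents `sbctl verify` and the delete-and-switch fix for unsigned `nixos-generation-*.efi` files, point the reader there (for example: "then boot with Secure Boot disabled, run `sbctl verify`, and apply the fix from the sharp edge above before re-enabling it") so the section is actionable rather than ending at "file a bug". Minor: `Please file a bug, if you hit this issue.` has a stray comma before `if`, and `Lanzaboote related settings` wants a hyphen (`Lanzaboote-related`). Adding "permanently" to the Disabling section is a good clarification, as it separates the temporary firmware toggle used for recovery from a full removal of the stack.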
