I enabled Secure Boot using lanzaboote.
As shown in the start guide, the following is just as expected.
$ sudo sbctl verify
Verifying file database and EFI images in /boot...
✓ /boot/EFI/BOOT/BOOTX64.EFI is signed
✓ /boot/EFI/Linux/nixos-generation-1-specialisation-normal.efi is signed
✓ /boot/EFI/Linux/nixos-generation-1.efi is signed
✗ /boot/EFI/nixos/c2hrmh8j2xrqd641zydkqw7zbjjgjp8a-linux-6.1.74-bzImage.efi is not signed
✗ /boot/EFI/nixos/r2akw86b5k2xdkin5i563f38kqm9i9xc-linux-6.1.74-bzImage.efi is not signed
✓ /boot/EFI/systemd/systemd-bootx64.efi is signed
$ sudo bootctl status
# ...snip...
Secure Boot: enabled (user)
TPM2 Support: yes
Boot into FW: supported
# ...snip...
But 'sbctl verify' doesn't show anything about *-initrd.efi.
$ sudo tree /boot
/boot
├── EFI
│   ├── BOOT
│   │   └── BOOTX64.EFI
│   ├── Linux
│   │   ├── nixos-generation-1.efi
│   │   └── nixos-generation-1-specialisation-normal.efi
│   ├── nixos
│   │   ├── c2hrmh8j2xrqd641zydkqw7zbjjgjp8a-linux-6.1.74-bzImage.efi
│   │   ├── j3z3q5xlj5lny4w0a4r7dv7k1wmx18xz-initrd-linux-6.1.74-initrd.efi
│   │   ├── khp65ghjphy0pkj206slmpng9qmv6w71-initrd-linux-6.1.74-initrd.efi
│   │   └── r2akw86b5k2xdkin5i563f38kqm9i9xc-linux-6.1.74-bzImage.efi
│   └── systemd
│       └── systemd-bootx64.efi
└── loader
    └── loader.conf
$ sudo sbctl verify /boot/EFI/nixos/j3z3q5xlj5lny4w0a4r7dv7k1wmx18xz-initrd-linux-6.1.74-initrd.efi
/boot/EFI/nixos/j3z3q5xlj5lny4w0a4r7dv7k1wmx18xz-initrd-linux-6.1.74-initrd.efi is not a valid EFI binary
I deleted all generations manually and cleared /boot before switching to lanzaboote. I am on 23.11 and using flakes.
I am a noob to Linux in general, and don't know much about Secure Boot. So please help me understand this.
- Is *-initrd.efi signed/hashed?
- Or if not, can it be tampered without my knowledge?
- Am I doing something wrong here or misunderstanding something?
I apologise if this is not the right place to ask.
Btw, thanks to the devs, it was very easy to set up.
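As an added illustration (not part of the original post, and not code from lanzaboote or sbctl), the Python script below does the first thing any PE-based signature check has to do: parse the DOS/PE/COFF headers, confirm the input is a PE image at all, and then look at data directory 4 (the Authenticode certificate table) to see whether a signature block is attached. Inputs that are not PE images are labelled by their magic bytes instead; a plain cpio initrd, for example, is an archive rather than a PE image, which is the kind of input a PE-only tool can only report as "not a valid EFI binary". All sample inputs are constructed inside the script; the helper that builds a minimal PE32+ image is an assumption of this example and is not how real boot images are produced.

```python
"""Classify boot files: PE image with/without an Authenticode certificate table,
or a non-PE payload identified by its magic bytes. Example code, offline."""
import struct
import sys

# Magic bytes of common non-PE payloads found next to boot images.
NON_PE_MAGICS = [
    (b"070701", "cpio-newc"),          # uncompressed newc cpio archive (initrd)
    (b"070702", "cpio-crc"),           # cpio with CRC checksums
    (b"\x1f\x8b", "gzip"),             # gzip-compressed initrd
    (b"\x28\xb5\x2f\xfd", "zstd"),     # zstd-compressed initrd
    (b"\xfd7zXZ\x00", "xz"),           # xz-compressed initrd
]


def inspect_pe(data: bytes) -> dict:
    """Parse PE headers; report machine, subsystem and certificate-table presence."""
    info = {"is_pe": False, "machine": None, "subsystem": None,
            "has_certificate_table": False, "certificate_type": None}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)       # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt + 2 > len(data):
        return info
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x20B:        # PE32+ (64-bit): NumberOfRvaAndSizes @108, directories @112
        nrva_off, dd_off = 108, 112
    elif magic == 0x10B:      # PE32 (32-bit): NumberOfRvaAndSizes @92, directories @96
        nrva_off, dd_off = 92, 96
    else:
        return info
    info["is_pe"] = True
    info["machine"] = machine
    (info["subsystem"],) = struct.unpack_from("<H", data, opt + 68)  # 10 = EFI application
    if opt_size < nrva_off + 4:
        return info
    (nrva,) = struct.unpack_from("<I", data, opt + nrva_off)
    if nrva <= 4:             # no IMAGE_DIRECTORY_ENTRY_SECURITY slot at all
        return info
    # Directory 4: the certificate table. Its first field is a *file offset*, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", data, opt + dd_off + 4 * 8)
    if cert_off == 0 or cert_size < 8 or cert_off + cert_size > len(data):
        return info
    # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType (0x0002 = PKCS#7)
    _length, _revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    info["has_certificate_table"] = True
    info["certificate_type"] = cert_type
    return info


def classify(data: bytes) -> str:
    """'pe-signed' means a certificate table is present, not that it verifies
    against any trusted certificate; that is a separate step."""
    pe = inspect_pe(data)
    if pe["is_pe"]:
        return "pe-signed" if pe["has_certificate_table"] else "pe-unsigned"
    for magic, name in NON_PE_MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"


def build_minimal_pe(with_signature: bool) -> bytes:
    """Constructed sample: a header-only PE32+ EFI image (assumption of this example)."""
    hdr = bytearray(0x80)                       # DOS header/stub, zero-filled
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)     # e_lfanew -> PE signature at 0x80
    opt = bytearray(240)                        # PE32+ optional header incl. 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)       # Magic: PE32+
    struct.pack_into("<H", opt, 68, 10)         # Subsystem: EFI application
    struct.pack_into("<I", opt, 108, 16)        # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x0022)
    image = hdr + b"PE\0\0" + coff + opt
    if with_signature:
        cert_off = len(image)                   # 392, 8-byte aligned as the spec requires
        payload = b"constructed PKCS#7 placeholder"
        cert = struct.pack("<IHH", 8 + len(payload), 0x0200, 0x0002) + payload
        struct.pack_into("<II", image, 0x80 + 24 + 112 + 4 * 8, cert_off, len(cert))
        image += cert
    return bytes(image)


# Constructed stand-in for a raw (uncompressed) initrd: a newc cpio trailer record.
SAMPLE_INITRD_CPIO = b"070701" + b"0" * 104 + b"TRAILER!!!\0"

if __name__ == "__main__":
    # Usage: python3 classify_boot_files.py /boot/EFI/Linux/*.efi /boot/EFI/nixos/*
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{classify(fh.read()):12s} {path}")
```

Run it over the files under /boot/EFI to see which are PE images and which are raw payloads; a result of "pe-signed" only says a certificate table is attached, so a tool such as sbctl that checks the signature against an enrolled certificate is still the authority on whether a file will actually boot under Secure Boot.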