Scripts to slightly improve the security of the Linux boot process with UEFI Secure Boot and TPM support

osresearch/safeboot

Latest commit

fd0aef4 · Nov 16, 2021

Safe Boot: Booting Linux Safely

Safe Boot has four goals to improve the safety of booting Linux on normal laptops:

  • Booting only code that is authorized by the system owner (by installing a hardware-protected platform key for the kernel and initrd)
  • Streamlining the encrypted disk boot process (by storing keys in the TPM, and only unsealing them if the firmware and configuration are unmodified)
  • Reducing the attack surface (by enabling Linux kernel features that turn on hardware protection features and de-privilege the root account)
  • Protecting the runtime system integrity (by optionally booting from a read-only root with dm-verity and signed root hash)

The slightly more secure Heads firmware (built with coreboot) is a better choice for user freedom since it replaces the proprietary firmware with open source, while Safe Boot's objective is to work with existing commodity hardware and UEFI SecureBoot mechanisms, as well as relatively stock Linux distributions.

For more details, see the docs directory, which is processed with mkdocs-material to produce the https://safeboot.dev/ website.


Building the Debian package

mkdir debian ; cd debian
git clone https://github.com/osresearch/safeboot
cd safeboot
sudo make requirements
make package

Contributing to safeboot

Please create issues on GitHub if you run into problems; pull requests to solve problems or add features are welcome! Please review the contributors guidelines and code of conduct for more details on contributing.