- Notifications
You must be signed in to change notification settings - Fork28
Scripts to slightly improve the security of the Linux boot process with UEFI Secure Boot and TPM support
License
osresearch/safeboot
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
Safe Boot has four goals to improve the safety of booting Linuxon normal laptops:
- Booting only code that is authorized by the system owner (by installing a hardware protected platform key for the kernel and initrd)
- Streamlining the encrypted disk boot process (by storing keys in the TPM, and only unsealing them if the firmware and configuration is unmodified)
- Reducing the attack surface (by enabling Linux kernel features to enable hardware protection features and to de-priviledge the root account)
- Protecting the runtime system integrity (by optionaly booting from a read-only root with dm-verity and signed root hash)
Theslightly more secure Heads firmware(built withcoreboot)is a better choice for user freedom since it replaces the proprietary firmwarewith open source, while Safe Boot's objective is to work with existingcommodity hardware and UEFI SecureBoot mechanisms, as well as relativelystock Linux distributions.
For more details, seethe docs directory, which isprocessed withmkdocs-materialto produce thehttps://safeboot.dev/ website.
mkdir debian ; cd debiangit clone https://github.com/osresearch/safebootcd safebootsudo make requirementsmake package
Please createissues on githubif you run into problems and pull requests to solve problems or addfeatures are welcome!Please review thecontributors guidelines andcode of conduct for more details on contributing.
About
Scripts to slightly improve the security of the Linux boot process with UEFI Secure Boot and TPM support