Brussels / 4 & 5 February 2023


Towards Secure Boot for NixOS

This talk gives an overview of the state of Lanzaboote, a set of tools that enable Secure Boot for NixOS.

UEFI Secure Boot is a firmware security feature that prevents untrusted code from booting on a system. Users can utilize this technology to prevent certain kinds of attacks that involve booting malicious code on their computers. Unfortunately, NixOS has no support for Secure Boot yet.

The talk will give a short background of Secure Boot, go through NixOS-specific challenges, and explain the strategy we took for enabling Secure Boot in NixOS. We will highlight the newly developed components, such as a custom UEFI boot stub and a companion Linux userspace tool, which are both written in Rust. Finally, we will explain the current state of upstreaming Secure Boot support in NixOS.


Julian Stecklina