Safe Boot has four goals to improve the safety of booting Linux on normal laptops:
- Booting only code that is authorized by the system owner (by installing a hardware-protected platform key used to sign the kernel and initrd)
- Streamlining the encrypted disk boot process (by storing the disk keys in the TPM, and only unsealing them if the firmware and configuration are unmodified)
- Reducing the attack surface (by enabling Linux kernel hardening features, turning on hardware protection features, and de-privileging the root account)
- Protecting the runtime system integrity (by optionally booting from a read-only root with dm-verity and a signed root hash)
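The TPM sealing in the second goal rests on one property: a PCR can only be extended, never written, so any change in the measured boot chain changes the final PCR value and the sealed key stays locked. The following simulation is an added illustration and not code from the safeboot project; it models the PCR extend rule and a simplified PCR policy digest with hashlib (the real TPM2 PolicyPCR digest also folds in the command code and prior policy, which is omitted here), uses a constructed event log with PCR 4 (boot manager code) and PCR 7 (Secure Boot policy) as stand-ins for whatever PCR selection the safeboot docs specify, and runs offline without a TPM.

```python
"""Simulation of the measured-boot sealing that Safe Boot relies on.

Added illustration, not safeboot code and not a real TPM interface: PCR
extension and a simplified PCR policy digest are modelled with hashlib.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

PCR_SIZE = 32                      # SHA-256 PCR bank
INITIAL_PCR = b"\x00" * PCR_SIZE   # PCRs 0-16 start zeroed at power-on


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new = H(old || H(measured object)).

    There is no "write" operation, so the final value depends on every
    measurement and on the order in which they were made.
    """
    return sha256(pcr + sha256(measurement))


def replay(event_log: List[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """Replay a (constructed) boot event log into the PCR values it yields."""
    pcrs: Dict[int, bytes] = {}
    for index, blob in event_log:
        pcrs[index] = extend(pcrs.get(index, INITIAL_PCR), blob)
    return pcrs


def policy_digest(pcrs: Dict[int, bytes], selection: List[int]) -> bytes:
    """Simplified stand-in for a TPM2 PolicyPCR digest: a hash over the
    selected PCR indices and their current values.  The real TPM also
    mixes in the command code and the prior policy; the binding is the same."""
    h = hashlib.sha256()
    for index in sorted(selection):
        h.update(index.to_bytes(1, "big") + pcrs[index])
    return h.digest()


class SimulatedTPM:
    """Holds sealed blobs and releases one only if the PCR policy still matches."""

    def __init__(self, pcrs: Dict[int, bytes]) -> None:
        self.pcrs = pcrs
        self.sealed: Dict[str, Tuple[List[int], bytes, bytes]] = {}

    def seal(self, name: str, secret: bytes, selection: List[int]) -> None:
        # The blob is bound to the policy digest of the PCRs at seal time.
        self.sealed[name] = (sorted(selection), policy_digest(self.pcrs, selection), secret)

    def unseal(self, name: str) -> Optional[bytes]:
        selection, expected, secret = self.sealed[name]
        if policy_digest(self.pcrs, selection) != expected:
            return None          # policy check failed: the TPM releases nothing
        return secret


# Constructed sample boot chains.  PCR 7 holds the Secure Boot policy
# measurement, PCR 4 the boot manager / kernel image that was loaded.
GOOD_BOOT = [(7, b"secureboot-db:owner-platform-key"), (4, b"signed unified kernel image v1")]
TAMPERED_BOOT = [(7, b"secureboot-db:owner-platform-key"), (4, b"kernel with a modified initrd")]
DISK_KEY = b"constructed-luks-key-material"


def demo() -> Tuple[Optional[bytes], Optional[bytes]]:
    """Seal the disk key on a good boot, then try to unseal it on both boots."""
    good = SimulatedTPM(replay(GOOD_BOOT))
    good.seal("luks", DISK_KEY, [7, 4])
    unsealed_on_good_boot = good.unseal("luks")

    # Same sealed blob, but this boot measured a different kernel into PCR 4.
    tampered = SimulatedTPM(replay(TAMPERED_BOOT))
    tampered.sealed = good.sealed
    unsealed_on_tampered_boot = tampered.unseal("luks")
    return unsealed_on_good_boot, unsealed_on_tampered_boot


if __name__ == "__main__":
    ok, bad = demo()
    print("good boot unsealed:", ok is not None)
    print("tampered boot unsealed:", bad is not None)
```

The practical consequence for Safe Boot users follows directly from `extend`: a kernel or initrd update changes the measurement and therefore the predicted PCR value, so the disk key must be re-sealed against the new expected values whenever the signed boot chain changes.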
The slightly more secure Heads firmware (built with coreboot) is a better choice for user freedom since it replaces the proprietary firmware with open source, while Safe Boot's objective is to work with existing commodity hardware and UEFI SecureBoot mechanisms, as well as relatively stock Linux distributions.
For more details, see the docs directory, which is processed with mkdocs-material to produce the https://safeboot.dev/ website.
```sh
mkdir debian ; cd debian
git clone https://github.com/osresearch/safeboot
cd safeboot
sudo make requirements   # install the build dependencies
make package             # build the safeboot package
```
Please create issues on GitHub if you run into problems; pull requests that solve problems or add features are welcome! Please review the contributor guidelines and code of conduct for more details on contributing.