Dual Boot on a secure boot enabled system

Need Help!!!

I am fairly new to NixOS (/Linux in general); can someone tell me how we can boot NixOS on a Secure Boot enabled laptop?

I currently have Windows and Fedora on my system but want to try and learn NixOS. So I was thinking of replacing my Fedora system with NixOS.
I downloaded the latest stable ISO of NixOS but Secure Boot doesn't allow me to boot into the ISO. I don't want to disable Secure Boot just to try NixOS, so is there any workaround for this?

Ubuntu and Fedora didn't require me to disable Secure Boot to boot into the live ISO for installation, and worked fine.

https://github.com/NixOS/nixpkgs/issues/42127

I was looking through this link and a few of the latest comments suggested that the NixOS ISO already works with Secure Boot systems.

1 Like

NixOS does not support Secure Boot at this time. There are other projects like lanzaboote that can enable Secure Boot with NixOS but it’s not what you’re thinking. Lanzaboote is self-signed Secure Boot, while Windows, Ubuntu, and Fedora all worked for you because they’re Microsoft-signed. NixOS is a ways away from supporting self-signed Secure Boot upstream, and it’s a very far cry away from getting MS approval to be MS signed.

You can however still use Secure Boot if you reconfigure your machine for self-signing and enroll both your own keys and MS keys; that way you can only boot your own signed OS and MS signed OSes like Ubuntu. Whether or not your machine allows this depends on how lenient it is about Secure Boot. Sometimes machines just straight up won’t let you disable MS-only Secure Boot (this is rare). Sometimes they come with no Secure Boot enabled, but once configured, it can’t be disabled without the keys (don’t lose them!). But most of the time you can always just disable Secure Boot from the BIOS and reconfigure it however you want, no keys needed.

Point is, you can’t do it unless you want to start messing with keys, and in that case, it’s going to take some knowhow and you’re going to have to be careful.

5 Likes

I think the answer @ElvishJerricco provided here is now out of date. Lanzaboote is pretty darned easy to setup. Most motherboards allow you to add keys and enter it into setup mode.

Lanzaboote has TERRIFIC documentation including a quick start guide: https://github.com/nix-community/lanzaboote/blob/f2bc0af580f0bb6e6a2d0bcf0cfb237b357ffbbf/docs%2FQUICK_START.md

I had absolutely NO CLUE about Secure Boot or registering keys, or really anything about the boot process, and was able to get my rig set up with Secure Boot in no time, including dual-booting with Windows 11.
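The self-signed setup the replies above describe (your own keys enrolled alongside Microsoft's, lanzaboote signing the NixOS boot chain), as an added example that is not code from this thread or from the lanzaboote project; the `lanzaboote` module argument and the `/var/lib/sbctl` key directory are assumptions, so check them against the quick start for your version.

```nix
# Added example (not from the thread or the lanzaboote project): a NixOS
# module that hands boot-chain signing to lanzaboote so the firmware can
# stay in Secure Boot with your own keys plus Microsoft's.
# Assumptions: the flake passes `lanzaboote` as a module argument, and
# sbctl stores its keys under /var/lib/sbctl (confirm with `sbctl status`).
{ config, lib, pkgs, lanzaboote, ... }:

{
  imports = [ lanzaboote.nixosModules.lanzaboote ];

  # lanzaboote replaces the systemd-boot installer, so the stock
  # systemd-boot module must be forced off to avoid a conflict.
  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.loader.efi.canTouchEfiVariables = true;

  boot.lanzaboote = {
    enable = true;
    # Directory holding the PK/KEK/db key pairs created by `sbctl create-keys`.
    pkiBundle = "/var/lib/sbctl";   # assumption: sbctl's default key directory
  };

  # sbctl creates the keys, enrols them and verifies the signed chain.
  environment.systemPackages = [ pkgs.sbctl ];

  # Order of operations (run as root), keeping the Microsoft certificates
  # as the thread advises so Windows keeps booting:
  #   1. sbctl create-keys               # generate PK, KEK and db keys
  #   2. nixos-rebuild switch            # lanzaboote signs loader + kernels
  #   3. sbctl verify                    # every file on the ESP must be "Signed"
  #   4. reboot into firmware setup, clear/reset keys to enter Setup Mode
  #   5. sbctl enroll-keys --microsoft   # your keys AND Microsoft's KEK/db
  #   6. re-enable Secure Boot, reboot, then `bootctl status` should
  #      report Secure Boot as enabled
  # Step 3 is the check that keeps the machine bootable: do not enrol
  # keys until everything on the ESP verifies as signed.
}
```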

No, my answer is not out of date. I specifically mentioned lanzaboote in my reply. You are messing with self-signing and the quickstart is the knowhow I was referring to. You should understand what you’re getting into with this, because it is possible to brick your system.

I do agree that it’s probably best to stay away for now if you aren’t very confident in your abilities and can’t comfortably replace the computer. If you want to experiment, use it on a device you don’t care about.

But in case anyone does manage to end up with a locked system, there’s https://bios-pw.org/. Most consumer motherboards can be unlocked pretty trivially.

Amusingly, this also makes Secure Boot entirely pointless on a lot of consumer devices (like my old laptop whose BIOS ate 6 characters of my 38-character password due to a hidden character limit, forcing me to learn how to circumvent Secure Boot just minutes after setting it up for the first time - the joys of shoddy firmware).

Not entirely true. Not if you use the TPM. The TPM will enable you to verify that Secure Boot was enabled as it should have been.

1 Like

On older hardware this wasn’t possible, I should figure it out on a newer platform sometime!