(How) should secure boot support be added to the limine nixos module?

Hi, I would like to discuss if and how secure boot support should be added to the limine nixos module.

My current idea of adding support would be to:

  • add a boot.loader.limine.enableSecureBoot option
  • check that enrollConfig & panicOnChecksumMismatch are set
  • sign the limine efi application if the option is set

This approach isn't fully declarative and would require the user to manually create and enroll the keys.
Creating the keys can't really be avoided, but the keys could automatically be enrolled (if setup mode is active, that is).

I need further thoughts and opinions on this.

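A sketch of what the three steps in the proposal above could look like as a NixOS module. This is an added illustration, not code from nixpkgs or from the limine module; the `secureBoot.enable`, `secureBoot.keyFile` and `secureBoot.certFile` option names, the `system.build.limineSignScript` attribute and the `sign-limine` script are all assumed for the example. It relies on `boot.loader.limine.enrollConfig`, `boot.loader.limine.panicOnChecksumMismatch` and `boot.loader.limine.package` existing, and on `pkgs.sbsigntool` providing `sbsign`/`sbverify`. Signing happens in a script run on the target system rather than in a derivation, so the private key never enters the Nix store; the key paths are therefore plain strings, not `path` values.

```nix
# Added example, not the nixpkgs limine module. Option names under
# boot.loader.limine.secureBoot and system.build.limineSignScript are assumed.
{ config, lib, pkgs, ... }:

let
  cfg = config.boot.loader.limine;
  sb = cfg.secureBoot;

  # The unsigned EFI application shipped by the limine package.
  limineEfi = "${cfg.package}/share/limine/BOOTX64.EFI";

  # SetupMode efivar: last byte is 1 while the firmware is in setup mode,
  # i.e. keys may still be enrolled without an existing PK signature.
  setupModeVar = "/sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c";

  # Runs on the target at install time, not at build time, so the db private
  # key stays outside the store. Usage: sign-limine <output-path>
  signLimine = pkgs.writeShellScript "sign-limine" ''
    set -euo pipefail
    out="$1"

    if [ -r ${setupModeVar} ] && [ "$(od -An -tu1 -j4 -N1 ${setupModeVar} | tr -d ' ')" = "1" ]; then
      echo "sign-limine: firmware is in setup mode; keys are not enrolled yet" >&2
      echo "sign-limine: enroll ${sb.certFile} into db (e.g. with sbctl or sbkeysync) before relying on this" >&2
    fi

    ${pkgs.sbsigntool}/bin/sbsign \
      --key "${sb.keyFile}" \
      --cert "${sb.certFile}" \
      --output "$out" \
      ${limineEfi}

    # Fail the install if the signature does not verify against the enrolled cert.
    ${pkgs.sbsigntool}/bin/sbverify --cert "${sb.certFile}" "$out"
  '';
in
{
  options.boot.loader.limine.secureBoot = {
    enable = lib.mkEnableOption "signing the Limine EFI application for Secure Boot";

    keyFile = lib.mkOption {
      type = lib.types.str;
      example = "/etc/secureboot/keys/db/db.key";
      description = "Absolute path (outside the Nix store) to the PEM private key used to sign BOOTX64.EFI.";
    };

    certFile = lib.mkOption {
      type = lib.types.str;
      example = "/etc/secureboot/keys/db/db.pem";
      description = "Absolute path to the PEM certificate matching keyFile, enrolled in the firmware db.";
    };
  };

  config = lib.mkIf sb.enable {
    # Step 2 of the proposal: a signed loader is pointless if it still reads an
    # unverified config or boots a kernel whose checksum does not match.
    assertions = [
      {
        assertion = cfg.enrollConfig;
        message = "boot.loader.limine.secureBoot.enable requires boot.loader.limine.enrollConfig = true.";
      }
      {
        assertion = cfg.panicOnChecksumMismatch;
        message = "boot.loader.limine.secureBoot.enable requires boot.loader.limine.panicOnChecksumMismatch = true.";
      }
    ];

    # Step 3: expose the signing script; a real module would call it from the
    # bootloader installer when copying the loader onto the ESP.
    system.build.limineSignScript = signLimine;
  };
}
```

The assertions are the part that matters most for the threat model: without `enrollConfig` the firmware verifies `BOOTX64.EFI` but Limine then trusts whatever `limine.conf` is on the unencrypted ESP, and without `panicOnChecksumMismatch` a replaced kernel or initrd would still boot, so both must be forced on whenever signing is enabled.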

Maybe it’s better to start this conversation in lanzaboote, as there are plans to upstream it someday. Currently there’s just systemd-boot as a backend, but there were efforts to make it work with GRUB, so you can use it as a base. Also, there’s an issue requesting limine support already.

I would like to do this in nixpkgs.

Currently, there's no infrastructure to sign kernels in nixpkgs, this is what lanzaboote is trying to become.