This is my next hurdle and it seems I can't figure out the correct steps; even though I am checking the NixOS wiki, the Secure Boot wiki and the Lanzaboote wiki and guides multiple times, I seem to be stuck. Before I continue figuring this out, I have now set sbctl and lon in configuration.nix and rebuilt. I have also generated the keys with sbctl.
What are the next steps? Do I need to init lon, or just run lon add github nix-community/lanzaboote -r v1.0.0 --frozen? This is the part where I get most confused and I guess I am doing something wrong, so a guide pointing me to how to set this up would be really nice. Then I can pretty much say I have the base setup done and working.
If you’re not so set on using Lanzaboote, there’s an easier way using Limine that’s already in nixpkgs. There’s already a Wiki page for it: Limine - Official NixOS Wiki
I’ve switched from Lanzaboote to Limine and I find it way better.
Any idea which one is going to be the so-called default in the future, or are there multiple choices that users can pick from? As I read it, Lanzaboote is the recommended way on the NixOS wiki.
I don’t really understand calling the limine secure boot implementation easier or way better. It’s basically the same. You have to manually set up and enroll keys with sbctl or something, a nixos module uses them to sign stuff in the installBootLoader phase, and you end up with a fixed and self-signed kernel / initrd / cmdline. Personally I like lanzaboote better, since every generation is a bootable UEFI app, and since it’s not using a fixed config meaning systemd-boot can still boot other things on the ESP as long as they’re signed.
Long term, it’s hard to say what exactly might eventually be made the “default”. Certainly it won’t be limine, since the goal is to eventually have Microsoft-signed secure boot, which requires using shim, which requires using either grub or systemd-boot. Whether lanzaboote is a part of that long term story, or whether we’ll have improved features of systemd-stub or something, is a more complicated question.
I have no idea. It’s possible everything will be handled by systemd-boot and/or GRUB in the future, but for now the only 2 working solutions on NixOS are Lanzaboote (external module) and Limine (in nixpkgs).
Limine is easier in the way that it’s already packaged in nixpkgs and it’s a few lines in the configuration. You don’t have to pull and sync an external dependency with whichever tool is the current standard (I’ve seen it go through a few recommended tools for downloading it).
Yes, they currently require manual intervention, but it’s super easy and requires a single intervention from the user in the form of installing the signing keys. It’s indeed the same for Lanzaboote and Limine.
Thank you everyone for helping and pushing me to go further; I finally got my Secure Boot enabled and working. I guess or assume that someday we will need to remove the --freeze from Lanzaboote, but for now it is still frozen to stable 1.0.
❯ sudo sbctl verify
[sudo] password for phatle:
Verifying file database and EFI images in /boot...
✓ One-shot entry control
✓ Support for XBOOTLDR partition
✓ Support for passing random seed to OS
✓ Load drop-in drivers
✓ Support Type #1 sort-key field
✓ Support @saved pseudo-entry
✓ Support Type #1 devicetree field
✓ Enroll SecureBoot keys
✓ Retain SHIM protocols
✓ Menu can be disabled
✓ Multi-Profile UKIs are supported
✓ Loader reports network boot URL
✓ Support Type #1 uki field
✓ Support Type #1 uki-url field
✓ Loader reports TPM2 active PCR banks
Partition: /dev/disk/by-partuuid/74e24d70-37dd-4e2b-a554-6ace42cdf5de
Loader: └─/boot//EFI/systemd/systemd-bootx64.efi
Current Entry: nixos-generation-41-xfvczlu5uboimknknobadujqzmgohomwprsuh7kxngtgwfkt7dtq.efi
Default Entry: aeon-6.15.6-1-default-4.conf
Current Stub:
Product: lanzastub 1.0.0
Features: ✓ Stub reports loader partition information
✗ Stub reports stub partition information
✗ Stub reports network boot URL
✗ Picks up credentials from boot partition
✗ Picks up system extension images from boot partition
✗ Picks up configuration extension images from boot partition
✗ Measures kernel+command line+sysexts
✗ Support for passing random seed to OS
✗ Pick up .cmdline from addons
✗ Pick up .cmdline from SMBIOS Type 11
✗ Pick up .dtb from addons
✗ Stub understands profile selector
Random Seed:
System Token: set
Exists: Can't access /boot/loader/random-seed (Permission denied)
Available Boot Loaders on ESP:
ESP: /boot (/dev/disk/by-partuuid/74e24d70-37dd-4e2b-a554-6ace42cdf5de)
File: (can't access /boot: Permission denied)
Boot Loaders Listed in EFI Variables:
Title: Linux Boot Manager
ID: 0x0001
Status: active, boot-order
Partition: /dev/disk/by-partuuid/74e24d70-37dd-4e2b-a554-6ace42cdf5de
File: └─/boot//EFI/systemd/systemd-bootx64.efi
Title: UEFI RST Samsung SSD 990 PRO 2TB S7DNNU0X450895H
ID: 0x0002
Status: active, boot-order
Partition: /dev/disk/by-partuuid/74e24d70-37dd-4e2b-a554-6ace42cdf5de
File: └─/boot//EFI/Boot/BootX64.efi
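As an added example (not the original poster's configuration and not code from the Lanzaboote project), here is the flake-based equivalent of the setup this thread converges on: keys created with sbctl, and the Lanzaboote NixOS module signing each generation at install time, as described above. Assumptions: a flake input named lanzaboote pinned to the v1.0.0 tag mentioned in the thread, a host named myhost, and that sbctl create-keys wrote its PKI bundle to /var/lib/sbctl (older sbctl releases used /usr/share/secureboot, so the path must match what sbctl actually produced on the machine). The original poster fetches the module with lon instead of flakes; only the fetching step differs, the module attribute and the boot.lanzaboote options are the same.

```nix
# Added example: minimal flake wiring Lanzaboote into one NixOS host.
# Assumed names: flake input `lanzaboote`, host `myhost`, PKI bundle in /var/lib/sbctl.
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    lanzaboote = {
      # Same v1.0.0 tag the thread pins with lon.
      url = "github:nix-community/lanzaboote/v1.0.0";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs = { nixpkgs, lanzaboote, ... }: {
    nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        lanzaboote.nixosModules.lanzaboote
        ({ pkgs, lib, ... }: {
          # Lanzaboote takes over the systemd-boot installer, so the stock
          # systemd-boot module must be forced off to avoid two installers
          # writing to the ESP.
          boot.loader.systemd-boot.enable = lib.mkForce false;
          boot.loader.efi.canTouchEfiVariables = true;

          boot.lanzaboote = {
            enable = true;
            # Directory produced by `sbctl create-keys`; each rebuild signs the
            # kernel, initrd and stub for the new generation with these keys.
            pkiBundle = "/var/lib/sbctl";
          };

          # sbctl on the PATH for `sbctl status`, `sbctl verify`, `sbctl enroll-keys`.
          environment.systemPackages = [ pkgs.sbctl ];
        })
      ];
    };
  };
}
```

After nixos-rebuild switch, sbctl verify should list every EFI binary under /boot as signed, and bootctl status, run as root (the "Permission denied" lines in the paste above are what bootctl prints when the ESP is read as an unprivileged user), should report Secure Boot as enabled with the current entry pointing at a signed nixos-generation-*.efi. Enrolling the keys into the firmware (sbctl enroll-keys, with --microsoft if the firmware or option ROMs carry Microsoft-signed components) is best done only after verify is clean, so the machine is never left with enrolled keys that sign nothing bootable.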