Secureboot on Stable? Do I need Lanzaboote?

Hi. I am new to NixOS and haven’t fully switched yet. I just want to make sure everything works before fully switching over. Currently, I am focused on the first thing that happens when I turn on my device: boot.

I’ve been searching on https://search.nixos.org/options for any options related to secureboot or UKI but I could not find anything useful. Using a general search engine, I did find https://wiki.nixos.org/wiki/Secure_Boot and https://github.com/nix-community/lanzaboote, which might be what I want.

To be honest, my “switching to NixOS” trial has been going for a long time, and the last time I looked into it, I think it was a requirement to use unstable NixOS for Lanzaboote. Is this still the case? I don’t remember where I read that and I can’t find any information on the GitHub page about version requirements.

I do see that it is using unstable nixpkgs in the Flakes configuration.

Speaking of configuration, I am not sure how to include modules into my configuration. I am not using Flakes. I do see that the Quick Start for Lanzaboote recommends using niv, but I am not sure what problem that solves exactly. Can I not just do something like:

let
  lanzaboote = import (fetchTarball https://github.com/nix-community/lanzaboote/archive/refs/tags/v0.4.2.tar.gz);
in
{
  imports = [
    lanzaboote.nixosModules.lanzaboote
  ];
}

Do I need Lanzaboote in the first place? I am okay with having the kernel and initrd in a signed UKI for every generation. My /boot is a gigabyte, and if we take an extreme estimate of 40 megabytes per generation, I can have more than 20 generations… And if we assume one rebuild per week, that is more than 4 months. I am sure I can safely delete >4 month old generations…

Finally, can Lanzaboote continue to boot my other OS, like my Gentoo UKI or Windows Boot Manager? I already have my keys enrolled (along with Microsoft’s) so I can already boot my Gentoo UKI with secureboot and Windows Boot Manager using systemd-boot.

AFAIK, no, the bootspec thing that lanzaboote uses to figure out how to build your UKIs is in stable now.

Hm, fair, npins is generally recommended as an alternative these days. If nothing else, it’s a tad more actively maintained.

Well, that’d work, and is almost the same as what these tools do, but you’ve already fallen for the first footgun involved in doing this. Since you’re using one of the fetchers with optional hashes, and not specifying a hash, nix will download a new version of that tarball every two hours or so.

Usually at least this won’t cause a rebuild since you’re specifying a specific ref, but even then github archives created without the appropriate fetchers are not stable, so this will cause random rebuilds occasionally. Your system is no longer reproducible. It’ll also annoy you by doing a big ol’ download first practically every time you evaluate your config.

Use npins or niv, they do it correctly for you, and give you a convenient command for updating so anything you depend on isn’t locked at whatever version it was at when you first wrote your config. Plus you don’t need to go around manually computing nix-style hashes or evaluating your config twice.

Also, if you’re far enough along on your journey to understand nix this well, switch from channels to one of these while you’re at it, and stop using the nix-channel command (+ delete your channels, and use nix.channel.enable = false, setting your nixPath up like this instead - don’t forget to set nixos-config while you’re at it). You’ll stop running into so many weird edge cases, especially as a newbie, and be back to one command to update them all.

You do, NixOS doesn’t currently build UKIs. NixOS doesn’t use dracut for various reasons, providing UKIs is nontrivial (though I forget why), and even if they were provided, signing the resulting UKI still needs to be done downstream, so can’t be part of a nix build.

Lanzaboote does this final step of converting your kernel + initrd into a UKI and signing it outside of the nix build context, which allows it to actually sign stuff without leaking the key to the whole internet or forcing you to build kernels.

It’s not bit-for-bit reproducible, but that’s kind of the point of asymmetric key encryption, and it certainly introduces the least reproducibility holes possible.

Caveat emptor: I have not tried this, @RaitoBezarius will likely swoop in and tell me how far off I am
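For comparison, here is what the pinned version of the original snippet looks like once the hash footgun is removed and channels are replaced as the reply suggests. This is an added example, not from the thread or the Lanzaboote project; it assumes `npins init` and `npins add github nix-community lanzaboote --at v0.4.2` have been run (producing `./npins`), that Lanzaboote’s `default.nix` exposes `nixosModules`, and that your Secure Boot keys live in the `pkiBundle` path shown.

```nix
# configuration.nix fragment (added example; not the thread's or Lanzaboote's own code)
{ config, lib, pkgs, ... }:
let
  # npins records the exact commit and hash in npins/sources.json, so Nix never
  # re-downloads on evaluation and a moved tag cannot silently change the system.
  sources = import ./npins;
  lanzaboote = import sources.lanzaboote;

  # Footgun from the original post, kept for contrast: no hash, so the tarball is
  # refetched after its TTL and GitHub archives are not byte-stable anyway.
  # lanzabooteUnpinned = import (fetchTarball
  #   "https://github.com/nix-community/lanzaboote/archive/refs/tags/v0.4.2.tar.gz");
  #
  # Manual alternative without npins: pin with an explicit hash. The value below is
  # a placeholder; take the real one from `nix-prefetch-url --unpack <url>`.
  # lanzabootePinned = import (fetchTarball {
  #   url = "https://github.com/nix-community/lanzaboote/archive/refs/tags/v0.4.2.tar.gz";
  #   sha256 = "0000000000000000000000000000000000000000000000000000";
  # });
in
{
  imports = [ lanzaboote.nixosModules.lanzaboote ];

  # Replace channels: nixpkgs is pinned the same way (assumes `npins add` for it
  # too) and NIX_PATH points at the pins, including nixos-config.
  nix.channel.enable = false;
  nix.nixPath = [
    "nixpkgs=${sources.nixpkgs}"
    "nixos-config=/etc/nixos/configuration.nix"
  ];

  # Lanzaboote takes over from systemd-boot as the installed boot loader and
  # signs the generated UKI for every generation outside the Nix build.
  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.lanzaboote = {
    enable = true;
    pkiBundle = "/var/lib/sbctl"; # assumption: wherever sbctl stored your keys
  };
}
```

Updating every pin afterwards is a single `npins update`, which is the "one command to update them all" the reply refers to.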

AIUI the other keys are not wiped, so if nothing else, you can always still boot those with the UEFI boot selection (which is separate from the UEFI settings interface).

There seems to be an option to include windows in the UI, but not through systemd-boot, and I guess this doesn’t apply to other distros: Windows dual boot documentation? · Issue #427 · nix-community/lanzaboote · GitHub

So… I think so, but the UI for it isn’t clean yet? Worst case, trying it out shouldn’t be too bad, as long as you have an easy way to reinstall your gentoo keys, UEFI menus have an option to reinstall the windows keys, and you can always turn off secure boot to recover.

I can confirm that if you keep the other keys you use to sign your Gentoo UKI or your Windows Boot Manager, Secure Boot will keep working for them.

NixOS / Lanzaboote does not take responsibility for resigning any foreign operating systems, it only takes care of NixOS’ bootable files.
