Hi. I am new to NixOS and haven’t fully switched yet. I just want to make sure everything works before fully switching over. Currently, I am focused on the first thing that happens when I turn on my device: boot.
I’ve been searching on https://search.nixos.org/options for any options related to secureboot or UKI but I could not find anything useful. Using a general search engine, I did find https://wiki.nixos.org/wiki/Secure_Boot and https://github.com/nix-community/lanzaboote, which might be what I want.
To be honest, my “switching to NixOS” trial has been going for a long time, and the last time I looked into it, I think it was a requirement to use unstable NixOS for Lanzaboote. Is this still the case? I don’t remember where I read that and I can’t find any information on the GitHub page about version requirements.
I do see that it is using unstable nixpkgs in the Flakes configuration.
Speaking of configuration, I am not sure how to include modules into my configuration. I am not using Flakes. I do see that the Quick Start for Lanzaboote recommends using niv, but I am not sure what problem that solves exactly. Can I not just do something like:
let
  # fetch the tagged release and import its top-level Nix expression
  lanzaboote = import (fetchTarball "https://github.com/nix-community/lanzaboote/archive/refs/tags/v0.4.2.tar.gz");
in
{
  imports = [
    lanzaboote.nixosModules.lanzaboote
  ];
}
Do I need Lanzaboote in the first place? I am okay with having the kernel and initrd combined into a signed UKI for every generation. My /boot is a gigabyte, and if we take an extreme estimate of 40 megabytes per generation, I can have more than 20 generations… And if we assume one rebuild per week, that is more than 4 months. I am sure I can safely delete >4 month old generations…
Finally, can Lanzaboote continue to boot my other OS, like my Gentoo UKI or Windows Boot Manager? I already have my keys enrolled (along with Microsoft’s) so I can already boot my Gentoo UKI with secureboot and Windows Boot Manager using systemd-boot.
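An added example, not from the original post and not the Lanzaboote project's own code, of one way to pull a flake-only repository into a non-Flakes configuration.nix: edolstra's flake-compat evaluates the flake's outputs from plain Nix, so `nixosModules.lanzaboote` becomes reachable without enabling the flakes feature. The sha256 placeholders, the pinned v0.4.2 tag and the `/var/lib/sbctl` key location are assumptions that must match your own setup.

```nix
# configuration.nix (added example; assumes the Secure Boot keys were created
# with `sbctl create-keys` and live in /var/lib/sbctl, and that the sha256
# placeholders are replaced with the hashes Nix reports on first evaluation)
{ config, lib, pkgs, ... }:

let
  # flake-compat turns a flake into an attribute set usable from plain Nix.
  flake-compat = import (fetchTarball {
    url = "https://github.com/edolstra/flake-compat/archive/master.tar.gz";
    sha256 = "<fill in: hash reported by nix on first evaluation>";
  });

  # Pinning to a tag plus a hash keeps the module reproducible; an unhashed
  # fetchTarball would silently follow whatever the URL serves next time.
  lanzaboote = (flake-compat {
    src = fetchTarball {
      url = "https://github.com/nix-community/lanzaboote/archive/refs/tags/v0.4.2.tar.gz";
      sha256 = "<fill in: hash reported by nix on first evaluation>";
    };
  }).defaultNix;
in
{
  imports = [
    lanzaboote.nixosModules.lanzaboote
  ];

  # Lanzaboote installs its own signed copy of systemd-boot, so the stock
  # loader module has to be forced off or the two installers conflict.
  boot.loader.systemd-boot.enable = lib.mkForce false;

  boot.lanzaboote = {
    enable = true;
    pkiBundle = "/var/lib/sbctl";  # assumed: directory holding the sbctl keys
  };

  # sbctl is useful for checking which files under /boot are actually signed.
  environment.systemPackages = [ pkgs.sbctl ];
}
```

After a rebuild, `sbctl verify` lists which EFI binaries under /boot carry a valid signature, and `bootctl status` reports whether the firmware booted with Secure Boot enabled; both are worth checking before enrolling keys or removing the old loader.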