Setting boot labels with system.nixos.label (systemd and Secure-boot)

I ran a few tests this morning using system.nixos.label, system.nixos.tags and lib.mkForce, all to no avail. What I did discover, though, is that with lanzaboote and specialisations there is an attempt to show the specialisation name (at the end of each boot label it shows the filename in /boot/EFI/Linux, which includes the specialisation name). Unfortunately this is cropped by the 100 character limit.

   NixOS Uakari main (Linux 6.6.51) (Generation 8, Built on 2024-10-14) (nixos-generation-8.efi)    
NixOS Uakari main (Linux 6.6.51) (Generation 8, Built on 2024-10-14) (nixos-generation-8-specialisat
NixOS Uakari main (Linux 6.6.51) (Generation 8, Built on 2024-10-14) (nixos-generation-8-specialisat

Things I’ve tried

  • I have enough screen real-estate to show more than 100 characters but have so far not found a way to increase that limit for systemd.
  • I have not found a way of changing the default filenames in /boot/EFI/Linux
  • I have not found a way of reducing the label content
  • I have asked a question on the lanzaboote section of GitHub
  • I have been testing a rather messy workaround (see below) which I’m sure is not the right approach but seems to offer something more than I have at present. I’d be interested in any feedback on this.

Any other suggestions?

A rather messy workaround - I'm not sure I'd use this

I am currently testing this on a disposable virtual machine and it ‘appears’ to offer a rough work-around. I am guessing the filenames aren’t part of the actual signing process as I could still boot different generations and specialisations.

Notes

  • On each nixos-rebuild switch the original entries are regenerated and the folder needs to be tidied up by removing the duplicates… as I said, messy…
  • The filenames are converted to all lowercase, not sure about any non A-Za-z characters yet.

I’m also not sure that I’m brave enough to try this outside a disposable VM just yet though! Be interested in any thoughts…

[root@lanza-vm:/boot/EFI/Linux]# ls
nixos-generation-10.efi                       nixos-generation-4.efi                       nixos-generation-6.efi                       nixos-generation-7-specialisation-testA.efi  nixos-generation-8-specialisation-testB.efi
nixos-generation-10-specialisation-testA.efi  nixos-generation-5.efi                       nixos-generation-6-specialisation-testA.efi  nixos-generation-7-specialisation-testB.efi  nixos-generation-9.efi
nixos-generation-10-specialisation-testB.efi  nixos-generation-5-specialisation-testA.efi  nixos-generation-6-specialisation-testB.efi  nixos-generation-8.efi                       nixos-generation-9-specialisation-testA.efi
nixos-generation-3.efi                        nixos-generation-5-specialisation-testB.efi  nixos-generation-7.efi                       nixos-generation-8-specialisation-testA.efi  nixos-generation-9-specialisation-testB.efi
[root@lanza-vm:/boot/EFI/Linux]# mv nixos-generation-3.efi 3.efi
mv nixos-generation-4.efi 4.efi
mv nixos-generation-5.efi 5.efi
mv nixos-generation-5-specialisation-testA.efi 5-testA.efi
mv nixos-generation-5-specialisation-testB.efi 5-testB.efi
mv nixos-generation-6.efi 6.efi
mv nixos-generation-6-specialisation-testA.efi 6-testA.efi
mv nixos-generation-6-specialisation-testB.efi 6-testB.efi
mv nixos-generation-7.efi 7.efi
mv nixos-generation-7-specialisation-testA.efi 7-testA.efi
mv nixos-generation-7-specialisation-testB.efi 7-testB.efi
mv nixos-generation-8.efi 8.efi
mv nixos-generation-8-specialisation-testA.efi 8-testA.efi
mv nixos-generation-8-specialisation-testB.efi 8-testB.efi
mv nixos-generation-9.efi 9.efi
mv nixos-generation-9-specialisation-testA.efi 9-testA.efi
mv nixos-generation-9-specialisation-testB.efi 9-testB.efi
mv nixos-generation-10.efi 10.efi
mv nixos-generation-10-specialisation-testA.efi 10-testA.efi
mv nixos-generation-10-specialisation-testB.efi 10-testB.efi
[root@lanza-vm:/boot/EFI/Linux]# ls
10.efi  10-testA.efi  10-testB.efi  3.efi  4.efi  5.efi  5-testA.efi  5-testB.efi  6.efi  6-testA.efi  6-testB.efi  7.efi  7-testA.efi  7-testB.efi  8.efi  8-testA.efi  8-testB.efi  9.efi  9-testA.efi  9-testB.efi
            NixOS Uakari l (Linux 6.6.51) (Generation 10, Built on 2024-10-14) (10.efi)             
         NixOS Uakari l (Linux 6.6.51) (Generation 10, Built on 2024-10-14) (10-testb.efi)          
         NixOS Uakari l (Linux 6.6.51) (Generation 10, Built on 2024-10-14) (10-testa.efi)          
NixOS Uakari testA-24.05.4974.8f7492cce289 (Linux 6.6.51) (Generation 9, Built on 2024-10-14) (9.efi
NixOS Uakari testA-24.05.4974.8f7492cce289 (Linux 6.6.51) (Generation 9, Built on 2024-10-14) (9-tes
NixOS Uakari testA-24.05.4974.8f7492cce289 (Linux 6.6.51) (Generation 9, Built on 2024-10-14) (9-tes
            NixOS Uakari main (Linux 6.6.51) (Generation 8, Built on 2024-10-14) (8.efi)            
         NixOS Uakari main (Linux 6.6.51) (Generation 8, Built on 2024-10-14) (8-testb.efi)         
         NixOS Uakari main (Linux 6.6.51) (Generation 8, Built on 2024-10-14) (8-testa.efi)         
NixOS Uakari main-testA-24.05.4974.8f7492cce289 (Linux 6.6.51) (Generation 7, Built on 2024-10-14) (
NixOS Uakari main-testA-24.05.4974.8f7492cce289 (Linux 6.6.51) (Generation 7, Built on 2024-10-14) (
NixOS Uakari main-testA-24.05.4974.8f7492cce289 (Linux 6.6.51) (Generation 7, Built on 2024-10-14) (
  NixOS Uakari 24.05.4974.8f7492cce289 (Linux 6.6.51) (Generation 6, Built on 2024-10-14) (6.efi)   
NixOS Uakari 24.05.4974.8f7492cce289 (Linux 6.6.51) (Generation 6, Built on 2024-10-14) (6-testb.efi
NixOS Uakari 24.05.4974.8f7492cce289 (Linux 6.6.51) (Generation 6, Built on 2024-10-14) (6-testa.efi
           NixOS Uakari testA (Linux 6.6.51) (Generation 5, Built on 2024-10-14) (5.efi)            
        NixOS Uakari testA (Linux 6.6.51) (Generation 5, Built on 2024-10-14) (5-testb.efi)         
        NixOS Uakari testA (Linux 6.6.51) (Generation 5, Built on 2024-10-14) (5-testa.efi)         
   NixOS Uakari 12Oct24-1738-Secure_Boot_Verfied_-_Non_Secure_Boot_Entries_Removed (Linux 6.6.51)   
                    NixOS Uakari 12Oct24-1733-Secure_Boot_Enabled (Linux 6.6.51)                    
                                   Reboot Into Firmware Interface   

Update: After testing garbage collection, rebuilds and renames, this method has been surprisingly robust even though I still don’t like it. I managed to get 33 characters that must be split between the specialisation name(s) and the generation label. The {only} good side of this is now I can identify specialisations at boot. :man_shrugging:

     NixOS Uakari 15:30-Change_Two (Linux 6.6.51) (Generation 29, Built on 2024-10-14) (29.efi)     
  NixOS Uakari 15:30-Change_Two (Linux 6.6.51) (Generation 29, Built on 2024-10-14) (testb-29.efi)  
  NixOS Uakari 15:30-Change_Two (Linux 6.6.51) (Generation 29, Built on 2024-10-14) (testa-29.efi)  
  NixOS Uakari 15:22-My_First_Change (Linux 6.6.51) (Generation 28, Built on 2024-10-14) (28.efi)   
NixOS Uakari 15:22-My_First_Change (Linux 6.6.51) (Generation 28, Built on 2024-10-14) (testb-28.efi
NixOS Uakari 15:22-My_First_Change (Linux 6.6.51) (Generation 28, Built on 2024-10-14) (testa-28.efi
                                   Reboot Into Firmware Interface
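
The manual mv session above, written as a script with a dry-run mode and a check against the menu width; this is an added example, not part of the original post. It assumes the file-name pattern and the 100-character crop shown in the post, the function names are hypothetical, and on a real system the directory argument would be /boot/EFI/Linux.

```shell
#!/bin/sh
# Added example: shorten lanzaboote entry names as in the manual mv session above.
MENU_WIDTH=100   # crop width reported in the post

# nixos-generation-N[-specialisation-NAME].efi -> N[-NAME].efi; non-zero otherwise.
short_name() {
    case $1 in
        nixos-generation-*.efi) ;;
        *) return 1 ;;
    esac
    rest=${1#nixos-generation-}; rest=${rest%.efi}
    gen=${rest%%-*}
    case $gen in ''|*[!0-9]*) return 1 ;; esac
    case $rest in
        "$gen") printf '%s.efi\n' "$gen" ;;
        "$gen"-specialisation-?*) printf '%s-%s.efi\n' "$gen" "${rest#*-specialisation-}" ;;
        *) return 1 ;;
    esac
}

# True when "TITLE (FILE)" fits the menu without being cropped.
fits_menu() {
    entry="$1 ($2)"
    [ "${#entry}" -le "$MENU_WIDTH" ]
}

# rename_entries DIR [apply]: dry run unless the second argument is "apply".
rename_entries() {
    dir=$1; mode=${2:-dry-run}
    for path in "$dir"/nixos-generation-*.efi; do
        [ -e "$path" ] || continue
        old=${path##*/}
        new=$(short_name "$old") || continue
        if [ -e "$dir/$new" ]; then
            # A rebuild regenerated the long name next to an earlier rename.
            echo "duplicate: $old (short name $new already present)" >&2
            continue
        fi
        echo "$old -> $new"
        if [ "$mode" = apply ]; then mv -- "$path" "$dir/$new"; fi
    done
}

# Demo on a scratch directory with constructed empty files; /boot is not touched.
scratch=$(mktemp -d)
touch "$scratch/nixos-generation-8.efi" "$scratch/nixos-generation-8-specialisation-testA.efi"
rename_entries "$scratch" apply
rm -rf "$scratch"
```

Run it without `apply` first to see the planned renames; entries reported as duplicates are the regenerated long names the post says need tidying up after each rebuild.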