Setting boot labels with system.nixos.label (systemd and Secure-boot)

When I use 'system.nixos.label = "My-Comment-One"' it produces systemd boot entries like (ignoring the current generation labels that are shortened):

NixOS (testB) (Generation 9 NixOS Uakari My-Comment-One (Linux 6.6.51), built on 2024-10-10)

testB is my specialisation name in this case.

Of the above, 73 characters (plus any extra Generation digits above 1-9) are automatically populated.

This leaves me 27 visible characters for my comment and the name of the specialisation if I want characters on the right (the date) not to be truncated.

I found that I can (carefully!) modify the default entry in /boot/loader/entries to get some extra characters and/or completely change the layout.

However once secure boot is enabled using Lanzaboote this method no longer works and I am back to using the label and the layout of the entry changes again - the name of the specialisation seems to be removed or is perhaps truncated from view on the right side of the screen. This is what I see, which has some characters I would happily drop and some duplication.

NixOS Uakari My-Comment-Two (Linux 6.6.51) (Generation 10, Built on 2024-10-13) (nixos-generation-10
NixOS Uakari My-Comment-Two (Linux 6.6.51) (Generation 10, Built on 2024-10-13) (nixos-generation-10
NixOS Uakari My-Comment-Two (Linux 6.6.51) (Generation 10, Built on 2024-10-13) (nixos-generation-10

Are there any ways to get greater control over each boot entry?

I ran a few tests this morning using system.nixos.label, system.nixos.tags and lib.mkForce. All to no avail. What I did discover, though, is that with lanzaboote and specialisations there is an attempt to show the specialisation name (at the end of each boot label it shows the filename in /boot/EFI/Linux, which includes the specialisation name). Unfortunately this is cropped by the 100 character limit.

   NixOS Uakari main (Linux 6.6.51) (Generation 8, Built on 2024-10-14) (nixos-generation-8.efi)    
NixOS Uakari main (Linux 6.6.51) (Generation 8, Built on 2024-10-14) (nixos-generation-8-specialisat
NixOS Uakari main (Linux 6.6.51) (Generation 8, Built on 2024-10-14) (nixos-generation-8-specialisat

Things I’ve tried

  • I have enough screen real-estate to show more than 100 characters but have so far not found a way to increase that limit for systemd.
  • I have not found a way of changing the default filenames in /boot/EFI/Linux
  • I have not found a way of reducing the label content
  • I have asked a question on the lanzaboote section of github
  • I have been testing a rather messy workaround (see below) which I’m sure is not the right approach but seems to offer something more than I have at present. I’d be interested in any feedback on this.

Any other suggestions?

A rather messy workaround - I'm not sure I'd use this

I am currently testing this on a disposable virtual machine and it ‘appears’ to offer a rough work-around. I am guessing the filenames aren’t part of the actual signing process as I could still boot different generations and specialisations.

Notes

  • On each nixos-rebuild switch the original entries are regenerated and the folder needs to be tidied up by removing the duplicates… as I said, messy…
  • The filenames are converted to all lowercase, not sure about any non A-Za-z characters yet.

I’m also not sure that I’m brave enough to try this outside a disposable VM just yet though! Be interested in any thoughts…

[root@lanza-vm:/boot/EFI/Linux]# ls
nixos-generation-10.efi                       nixos-generation-4.efi                       nixos-generation-6.efi                       nixos-generation-7-specialisation-testA.efi  nixos-generation-8-specialisation-testB.efi
nixos-generation-10-specialisation-testA.efi  nixos-generation-5.efi                       nixos-generation-6-specialisation-testA.efi  nixos-generation-7-specialisation-testB.efi  nixos-generation-9.efi
nixos-generation-10-specialisation-testB.efi  nixos-generation-5-specialisation-testA.efi  nixos-generation-6-specialisation-testB.efi  nixos-generation-8.efi                       nixos-generation-9-specialisation-testA.efi
nixos-generation-3.efi                        nixos-generation-5-specialisation-testB.efi  nixos-generation-7.efi                       nixos-generation-8-specialisation-testA.efi  nixos-generation-9-specialisation-testB.efi
[root@lanza-vm:/boot/EFI/Linux]# mv nixos-generation-3.efi 3.efi
mv nixos-generation-4.efi 4.efi
mv nixos-generation-5.efi 5.efi
mv nixos-generation-5-specialisation-testA.efi 5-testA.efi
mv nixos-generation-5-specialisation-testB.efi 5-testB.efi
mv nixos-generation-6.efi 6.efi
mv nixos-generation-6-specialisation-testA.efi 6-testA.efi
mv nixos-generation-6-specialisation-testB.efi 6-testB.efi
mv nixos-generation-7.efi 7.efi
mv nixos-generation-7-specialisation-testA.efi 7-testA.efi
mv nixos-generation-7-specialisation-testB.efi 7-testB.efi
mv nixos-generation-8.efi 8.efi
mv nixos-generation-8-specialisation-testA.efi 8-testA.efi
mv nixos-generation-8-specialisation-testB.efi 8-testB.efi
mv nixos-generation-9.efi 9.efi
mv nixos-generation-9-specialisation-testA.efi 9-testA.efi
mv nixos-generation-9-specialisation-testB.efi 9-testB.efi
mv nixos-generation-10.efi 10.efi
mv nixos-generation-10-specialisation-testA.efi 10-testA.efi
mv nixos-generation-10-specialisation-testB.efi 10-testB.efi
[root@lanza-vm:/boot/EFI/Linux]# ls
10.efi  10-testA.efi  10-testB.efi  3.efi  4.efi  5.efi  5-testA.efi  5-testB.efi  6.efi  6-testA.efi  6-testB.efi  7.efi  7-testA.efi  7-testB.efi  8.efi  8-testA.efi  8-testB.efi  9.efi  9-testA.efi  9-testB.efi
            NixOS Uakari l (Linux 6.6.51) (Generation 10, Built on 2024-10-14) (10.efi)             
         NixOS Uakari l (Linux 6.6.51) (Generation 10, Built on 2024-10-14) (10-testb.efi)          
         NixOS Uakari l (Linux 6.6.51) (Generation 10, Built on 2024-10-14) (10-testa.efi)          
NixOS Uakari testA-24.05.4974.8f7492cce289 (Linux 6.6.51) (Generation 9, Built on 2024-10-14) (9.efi
NixOS Uakari testA-24.05.4974.8f7492cce289 (Linux 6.6.51) (Generation 9, Built on 2024-10-14) (9-tes
NixOS Uakari testA-24.05.4974.8f7492cce289 (Linux 6.6.51) (Generation 9, Built on 2024-10-14) (9-tes
            NixOS Uakari main (Linux 6.6.51) (Generation 8, Built on 2024-10-14) (8.efi)            
         NixOS Uakari main (Linux 6.6.51) (Generation 8, Built on 2024-10-14) (8-testb.efi)         
         NixOS Uakari main (Linux 6.6.51) (Generation 8, Built on 2024-10-14) (8-testa.efi)         
NixOS Uakari main-testA-24.05.4974.8f7492cce289 (Linux 6.6.51) (Generation 7, Built on 2024-10-14) (
NixOS Uakari main-testA-24.05.4974.8f7492cce289 (Linux 6.6.51) (Generation 7, Built on 2024-10-14) (
NixOS Uakari main-testA-24.05.4974.8f7492cce289 (Linux 6.6.51) (Generation 7, Built on 2024-10-14) (
  NixOS Uakari 24.05.4974.8f7492cce289 (Linux 6.6.51) (Generation 6, Built on 2024-10-14) (6.efi)   
NixOS Uakari 24.05.4974.8f7492cce289 (Linux 6.6.51) (Generation 6, Built on 2024-10-14) (6-testb.efi
NixOS Uakari 24.05.4974.8f7492cce289 (Linux 6.6.51) (Generation 6, Built on 2024-10-14) (6-testa.efi
           NixOS Uakari testA (Linux 6.6.51) (Generation 5, Built on 2024-10-14) (5.efi)            
        NixOS Uakari testA (Linux 6.6.51) (Generation 5, Built on 2024-10-14) (5-testb.efi)         
        NixOS Uakari testA (Linux 6.6.51) (Generation 5, Built on 2024-10-14) (5-testa.efi)         
   NixOS Uakari 12Oct24-1738-Secure_Boot_Verfied_-_Non_Secure_Boot_Entries_Removed (Linux 6.6.51)   
                    NixOS Uakari 12Oct24-1733-Secure_Boot_Enabled (Linux 6.6.51)                    
                                   Reboot Into Firmware Interface   

Update: After testing garbage collection, rebuilds and renames, this method has been surprisingly robust even though I still don’t like it. I managed to get 33 characters that must be split between the specialisation name(s) and the generation label. The {only} good side of this is now I can identify specialisations at boot.

     NixOS Uakari 15:30-Change_Two (Linux 6.6.51) (Generation 29, Built on 2024-10-14) (29.efi)     
  NixOS Uakari 15:30-Change_Two (Linux 6.6.51) (Generation 29, Built on 2024-10-14) (testb-29.efi)  
  NixOS Uakari 15:30-Change_Two (Linux 6.6.51) (Generation 29, Built on 2024-10-14) (testa-29.efi)  
  NixOS Uakari 15:22-My_First_Change (Linux 6.6.51) (Generation 28, Built on 2024-10-14) (28.efi)   
NixOS Uakari 15:22-My_First_Change (Linux 6.6.51) (Generation 28, Built on 2024-10-14) (testb-28.efi
NixOS Uakari 15:22-My_First_Change (Linux 6.6.51) (Generation 28, Built on 2024-10-14) (testa-28.efi
                                   Reboot Into Firmware Interface 

Not sure anyone is interested but FYI…

One other interesting thing regarding the messy workaround above… Please note I am still just testing these in a VM. I’m guessing this will all change at some point in the future so use at your own risk! This is all based on NixOS 24.05.

  1. The default sort order is descending, so (within a generation) an EFI file which starts with the letter Z will display before an EFI file with the letter A and the default seems to always be the first file in the latest generation. This led to another crude workaround which allows a specialisation to be set as the default boot entry even with secure boot in use.

My current secure boot menu on my test VM looks like this, with the specialisation named ‘testA’ set as the default boot option. Note the moment specialisations are enabled, the default label changes from (Linux a.b.cc) to (Linux a.b.cc) (Generation d, Built on yyyy-mm-dd) (efi-filename). For the Generation 6 boot entry below, I manually appended the generation number and build date to the label. Even though the boot entries support whitespace, the nixos-system-label doesn’t, hence the underscores.

NixOS Uakari Enable_specialisations__ (Linux 6.6.51) (Generation 7, Built on 2024-10-18) (x_testa___
NixOS Uakari Enable_specialisations__ (Linux 6.6.51) (Generation 7, Built on 2024-10-18) (o_testabce
NixOS Uakari Enable_specialisations__ (Linux 6.6.51) (Generation 7, Built on 2024-10-18) (o_base____
NixOS Uakari No_specialisations_enabled__________________________Generation_6_18Oct24 (Linux 6.6.51)
                                   Reboot Into Firmware Interface   

I have asked about a more formal solution on the lanzaboote section of github.
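
The title layout and cropping described in this thread, modelled as an added example (not code from the posts, lanzaboote or systemd). The format string, the 100-column width and the lowercase file name are assumptions inferred from the sample menu lines above, and all function names are hypothetical; the script only computes strings and touches nothing under /boot.

```python
import re

MENU_WIDTH = 100  # assumption: visible width reported in the thread


def entry_title(label, kernel, generation, built, efi_name, distro="NixOS Uakari"):
    """Full, uncropped title in the layout seen once specialisations are enabled."""
    return (f"{distro} {label} (Linux {kernel}) "
            f"(Generation {generation}, Built on {built}) ({efi_name.lower()})")


def render(title, width=MENU_WIDTH):
    """Crop at `width`; shorter titles are centred, spare column on the right."""
    if len(title) >= width:
        return title[:width]
    pad = width - len(title)
    return " " * (pad // 2) + title + " " * (pad - pad // 2)


def short_name(efi_name):
    """Renaming scheme from the thread: keep generation number and specialisation."""
    m = re.fullmatch(r"nixos-generation-(\d+)(?:-specialisation-(.+))?\.efi", efi_name)
    if not m:
        raise ValueError(f"unexpected file name: {efi_name}")
    gen, spec = m.groups()
    return f"{gen}-{spec}.efi" if spec else f"{gen}.efi"


def report(label, kernel, generation, built, efi_names):
    """Per file: (original, short name, columns cropped before, columns cropped after)."""
    rows = []
    for name in efi_names:
        new = short_name(name)
        lost = [max(0, len(entry_title(label, kernel, generation, built, n)) - MENU_WIDTH)
                for n in (name, new)]
        rows.append((name, new, lost[0], lost[1]))
    return rows


if __name__ == "__main__":
    # Constructed input mirroring generation 8 from the thread.
    names = ["nixos-generation-8.efi", "nixos-generation-8-specialisation-testA.efi"]
    for row in report("main", "6.6.51", 8, "2024-10-14", names):
        print(row)
```
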