blake/nix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fin secureboot support

Browse Source
This commit is contained in:
blake
2025-11-11 16:29:31 -06:00
parent 2ea0b96230
commit 51c3ae6d1e
2 changed files with 14 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
modules/system/secure_boot/default.nix
View File

@@ -14,17 +14,27 @@ in {
imports = [inputs.lanzaboote.nixosModules.lanzaboote];
config = lib.mkIf cfg.enable {
# install userspace secureboot tools
environment.systemPackages = with pkgs; [
sbctl
e2fsprogs
];
# force disable systemd-boot so lanzaboote can be used
boot.loader.systemd-boot.enable = lib.mkForce false;
# make sure the keys are generated and in the pkiBundle path
# with `nix-shell -p --run "sbctl create-keys"`
/*
this uses the project lanzaboote for secureboot (fork of systemd)
setup guide can be found here: https://github.com/nix-community/lanzaboote/blob/master/docs/QUICK_START.md
tldr:
while currently using systemd-boot
generate keys with `nix-shell -p --run "sudo sbctl create-keys"`
rebuild with this module enabled then check `sudo sbctl verify`
reboot and enable secureboot setup mode in bios
check that setup mode is enabled with `sudo sbctl status`
enroll keys with `sudo sbctl enroll-keys` use the `--microsoft` flag to incude their keys for compatibality
reboot (disable secureboot setup mode if not done automatically) then check secure boot status with `sudo bootctl status`
*/
boot.lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl";