Lanzaboote: Towards Secure Boot for NixOS

Secure Boot protects a system from an attacker that compromises the boot flow. For example, without Secure Boot it is easy to replace the code that reads your disk encryption password and store it somewhere where the attacker can pick it up later. So ideally you want Secure Boot to be enabled to limit the code that runs on your system to what is supposed to run there.

x86.lol

Tho... via Limine it doesn't seem to use UKI according to bootctl? How tf does it work then???

I imagine this is less safe than Lanzaboote then, since Lanzaboote makes measured UKIs, is it not possible to use UKI with Limine?

(terminal window is ssh to my NAS with lanzaboote, vscodium is my PC with Limine)

#Limine #NixOS #SecureBoot #Lanzaboote

secure boot with lanzaboot, tpm2 and automated decryption with systemd-cryptenroll on XPS · heywoodlh/nixos-configs@0a64ac9

GitHub
Just finished setting up #lanzaboote on my #nixos machine. Worked flawlessly. Nice to see how far we've come in easy secure boot support!
Got around to installing #Lanzaboote on #NixOS for secure boot, and it worked fine! Everything went precisely as the quick start guide described.
I'm considering putting #NixOS on my desktop as well, but for silly Windows dual-boot/NVIDIA driver related reasons I would prefer if I could have secure boot enabled. I saw that there's a community project available for enabling secure boot, but I was wondering if anyone here had experience actually using #Lanzaboote before I begin the doubtless long and tedious process of getting everything to work.

Today I set up Secure Boot on one of my #NixOS machines. After I found the reason for the beloved `error: infinite recursion encountered` issue (I forgot to add lanzaboote as an argument via specialArgs), it – just worked.

Then I continued to set up LUKS unlocking via a #TPM sealed key. Also really easy.

I'm amazed.

On one machine I would like to set up #SecureBoot. I use GRUB as it offers redundant bootloaders via the mirroredBoots option, which makes it incompatible with #Lanzaboote.

Today, I learned to be thankful for Rust in low-level contexts such as #UEFI as I am working on https://github.com/systemd/systemd/pull/28057 for #NixOS so we can support SecureBoot without #lanzaboote special tricks (i.e. not respecting upstream and creating fake "thin" UKIs).

I have been recompiling EDK2 too many times, and I thank myself for having enabled a lot of debugging knobs in our EDK2 build in #nixos.

I have a nice development setup:

boot: load addons from systemd-boot Type 1 entries by RaitoBezarius · Pull Request #28057 · systemd/systemd

This PR introduces a way to load addons from systemd-boot Type 1 entries using the add-on stanza (which can be repeated as many times as you want and is sensitive to order). It also picks up those ad...

GitHub
Exciting times. I finally got around to setting up Secure Boot with user enrolled keys on #NixOS using #lanzaboote and #sbctl. 🥳