Can't enable secure boot setup mode

Distro: NixOS
Laptop: Intel Ultra
BIOS version 03.01

Trying to follow this guide to set up secure boot with NixOS but I can’t get it to enter setup mode.

I’ve tried restarting with “Erase all Secure Boot Settings”, “Restore Secure Boot to Factory Settings”, and both “Erase” and “Restore” set to enabled in the BIOS menu, but on booting and running sbctl status it shows setup mode as disabled.

I’m also not convinced that the restore to factory default settings option is actually doing anything, since it says it will enable secure boot if I use that option, but my OS is able to boot after setting that, despite it failing to boot due to secure boot if I manually set secure boot as enabled with the “Enforce Secure Boot” option.

Having Secure Boot enabled and enabling “Erase all Secure Boot Settings” (and exiting after saving the settings with F10) should put it into Setup mode, at least it does on Arch on the AMD version.

What happens if you reboot directly after changing the setting? Does it remain the same or is it changed? And just to be sure: what is the output of bootctl status?

I can’t reliably figure out how to even get secure boot enabled.

 Firmware Arch: x64
   Secure Boot: disabled
  TPM2 Support: yes
  Measured UKI: no
  Boot into FW: supported

Current Boot Loader:
      Product: systemd-boot 256.4
     Features: ✓ Boot counting
               ✓ Menu timeout control
               ✓ One-shot menu timeout control
               ✓ Default entry control
               ✓ One-shot entry control
               ✓ Support for XBOOTLDR partition
               ✓ Support for passing random seed to OS
               ✓ Load drop-in drivers
               ✓ Support Type #1 sort-key field
               ✓ Support @saved pseudo-entry
               ✓ Support Type #1 devicetree field
               ✓ Enroll SecureBoot keys
               ✓ Retain SHIM protocols
               ✓ Menu can be disabled
               ✓ Boot loader sets ESP information
          ESP: /dev/disk/by-partuuid/2c881739-d2ed-4fc0-a84b-0bbce9cbbe13
         File: └─/EFI/systemd/systemd-bootx64.efi

Random Seed:
 System Token: set
       Exists: yes

Available Boot Loaders on ESP:
          ESP: /boot (/dev/disk/by-partuuid/2c881739-d2ed-4fc0-a84b-0bbce9cbb>
         File: ├─/EFI/systemd/systemd-bootx64.efi (systemd-boot 256.4)
               └─/EFI/BOOT/BOOTX64.EFI (systemd-boot 256.4)

Boot Loaders Listed in EFI Variables:
        Title: Linux Boot Manager
           ID: 0x0006
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/2c881739-d2ed-4fc0-a84b-0bbce9cbbe13
         File: └─/EFI/systemd/systemd-bootx64.efi

        Title: Windows Boot Manager
           ID: 0x0004
       Status: active
    Partition: /dev/disk/by-partuuid/b1cdafa7-ec4f-4420-b6f9-8eab2b5c2503


I’ve tried toggling “erase all” and “restore” by themselves, and together. It will sometimes show secure boot as enabled, but most of the time it won’t. I can’t see any pattern for when it will show secure boot as even enabled after a reboot.

I just set up my new CachyOS (arch) install yesterday and secure boot and setup mode worked fine.

Force secure boot → disabled
and then erase settings worked, at least on my AMD FW

Whenever I do erase all settings, bootctl status changes to

System:
      Firmware: n/a (n/a)
 Firmware Arch: x64
   Secure Boot: disabled (unsupported)
  TPM2 Support: yes
  Measured UKI: no
  Boot into FW: not supported

Current Boot Loader:
      Product: n/a
     Features: ✗ Boot counting
               ✗ Menu timeout control
               ✗ One-shot menu timeout control
               ✗ Default entry control
               ✗ One-shot entry control
               ✗ Support for XBOOTLDR partition
               ✗ Support for passing random seed to OS
               ✗ Load drop-in drivers
               ✗ Support Type #1 sort-key field
               ✗ Support @saved pseudo-entry
               ✗ Support Type #1 devicetree field
               ✗ Enroll SecureBoot keys
               ✗ Retain SHIM protocols
               ✗ Menu can be disabled
               ✗ Boot loader sets ESP information
          ESP: n/a
         File: └─n/a

Random Seed:
 System Token: not set
       Exists: yes

Available Boot Loaders on ESP:
          ESP: /boot (/dev/disk/by-partuuid/2c881739-d2ed-4fc0-a84b-0bbce9cbbe13)
         File: ├─/EFI/systemd/systemd-bootx64.efi (systemd-boot 256.4)
               └─/EFI/BOOT/BOOTX64.EFI (systemd-boot 256.4)

No boot loaders listed in EFI Variables.

Boot Loader Entries:
        $BOOT: /boot (/dev/disk/by-partuuid/2c881739-d2ed-4fc0-a84b-0bbce9cbbe13)
        token: nixos

Default Boot Loader Entry:
         type: Boot Loader Specification Type #2 (.efi)
        title: NixOS Vicuna 24.11.20240911.4f807e8 (Linux 6.10.9) (Generation 10, 2024-09-15)
           id: nixos-generation-10-r2sdpj5imjqpdr5rmn2eofvonngxtpa64bhxbbc4ridqoo7xmliq.efi
       source: /boot//EFI/Linux/nixos-generation-10-r2sdpj5imjqpdr5rmn2eofvonngxtpa64bhxbbc4ridqoo7xmliq.efi
     sort-key: lanza
      version: Generation 10, 2024-09-15
        linux: /boot//EFI/Linux/nixos-generation-10-r2sdpj5imjqpdr5rmn2eofvonngxtpa64bhxbbc4ridqoo7xmliq.efi
      options: init=/nix/store/97flahsna916i40wi871siw36nfkqpbc-nixos-system-icarus-24.11.20240911.4f807e8/init loglevel=4

And the reset to factory makes it show the boot loader again, but that doesn’t put it in setup mode.

I’m wondering if this is an Intel issue or me doing something dumb.

OK, I figured it out. If you use “Erase all Secure Boot Settings”, it erases the DBX options. At least for lanzaboote, this breaks things. Instead I had to go in and manually delete all the PK, KEK, and DB options but leave the DBX options there. On rebooting, it was in setup mode. I could then set up secure boot.

I’m not knowledgeable enough about secure boot to know if this is an issue with the UI in the BIOS or an issue with how Lanzaboote deals with secure boot or what, but I got it working.
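The final post turns on a distinction that `sbctl status` and `bootctl status` only summarise: the firmware reports setup mode when its Platform Key (PK) variable is empty, and the "disabled (unsupported)" state seen after "Erase all Secure Boot Settings" means the SetupMode/SecureBoot variables are not being exposed at all. The script below is an added example, not code from this thread or from sbctl/bootctl/lanzaboote. It reads the same EFI variables those tools consult from efivarfs (the GUIDs are the UEFI specification's EFI_GLOBAL_VARIABLE and EFI_IMAGE_SECURITY_DATABASE constants) and reports which of PK, KEK, db and dbx are populated, so you can confirm before rebooting whether keys can be enrolled and whether the dbx revocation list survived. The `SAMPLE_*` dictionaries are constructed inputs for offline use; running the file as root on a real machine reads `/sys/firmware/efi/efivars` instead.

```python
"""Inspect UEFI Secure Boot state from efivarfs (added example, not thread/project code)."""
import struct
from pathlib import Path

# Vendor GUIDs from the UEFI specification that own these variables.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFIVARS = Path("/sys/firmware/efi/efivars")

# Variable name -> owning GUID (file name in efivarfs is "<name>-<guid>").
VARIABLES = {
    "SetupMode": EFI_GLOBAL_VARIABLE,
    "SecureBoot": EFI_GLOBAL_VARIABLE,
    "PK": EFI_GLOBAL_VARIABLE,
    "KEK": EFI_GLOBAL_VARIABLE,
    "db": EFI_IMAGE_SECURITY_DATABASE,
    "dbx": EFI_IMAGE_SECURITY_DATABASE,
}


def parse_efivar(raw: bytes):
    """efivarfs files start with a 4-byte little-endian attribute word, then the data."""
    if len(raw) < 4:
        raise ValueError("efivar file shorter than its attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def read_efivars(root: Path = EFIVARS) -> dict:
    """Read the Secure Boot related variables; a missing variable maps to None."""
    out = {}
    for name, guid in VARIABLES.items():
        path = root / f"{name}-{guid}"
        out[name] = path.read_bytes() if path.exists() else None
    return out


def secure_boot_state(raw_vars: dict) -> dict:
    """Summarise a dict of variable name -> raw efivarfs bytes (None if absent)."""
    def flag(name):
        raw = raw_vars.get(name)
        if raw is None:
            return None  # firmware/efivars does not expose it (bootctl: "unsupported")
        _, data = parse_efivar(raw)
        return bool(data) and data[0] == 1

    def populated(name):
        raw = raw_vars.get(name)
        return raw is not None and len(parse_efivar(raw)[1]) > 0

    state = {
        "setup_mode": flag("SetupMode"),
        "secure_boot": flag("SecureBoot"),
        "pk": populated("PK"), "kek": populated("KEK"),
        "db": populated("db"), "dbx": populated("dbx"),
    }
    state["efivars_unsupported"] = state["setup_mode"] is None and state["secure_boot"] is None
    return state


def describe(state: dict) -> list:
    """Turn the raw state into the checks a person enrolling keys cares about."""
    notes = []
    if state["efivars_unsupported"]:
        notes.append("SetupMode/SecureBoot not exposed: firmware variables unreadable")
        return notes
    if state["setup_mode"] and not state["pk"]:
        notes.append("setup mode: no Platform Key, custom keys can be enrolled")
    elif state["pk"]:
        notes.append("user mode: PK present, clear PK (not dbx) to enter setup mode")
    notes.append("secure boot enforcing" if state["secure_boot"] else "secure boot not enforcing")
    if not state["dbx"]:
        notes.append("warning: dbx is empty, the forbidden-signature list was cleared")
    return notes


def make_efivar(data: bytes, attrs: int = 0x27) -> bytes:
    """Build a constructed efivarfs-style blob (NV+BS+RT+TIME_BASED_AUTH by default)."""
    return struct.pack("<I", attrs) + data


# Constructed samples (not captured from any real machine).
SAMPLE_USER_MODE = {
    "SetupMode": make_efivar(b"\x00", 0x06), "SecureBoot": make_efivar(b"\x01", 0x06),
    "PK": make_efivar(b"\xaa" * 64), "KEK": make_efivar(b"\xbb" * 64),
    "db": make_efivar(b"\xcc" * 64), "dbx": make_efivar(b"\xdd" * 64),
}
SAMPLE_SETUP_MODE = {  # PK/KEK/db deleted, dbx kept: the state the thread ended in
    "SetupMode": make_efivar(b"\x01", 0x06), "SecureBoot": make_efivar(b"\x00", 0x06),
    "PK": None, "KEK": None, "db": None, "dbx": make_efivar(b"\xdd" * 64),
}
SAMPLE_UNSUPPORTED = {name: None for name in VARIABLES}

if __name__ == "__main__":
    for line in describe(secure_boot_state(read_efivars())):
        print(line)
```

The live read needs root on most distributions because efivarfs files are mode 0600; the constructed samples exercise the three states seen in the thread (enforcing user mode, setup mode with dbx intact, and the "unsupported" state after an erase-all).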