Distro: NixOS
Laptop: Intel Ultra
BIOS version 03.01
Trying to follow this guide to set up secure boot with NixOS but I can’t get it to enter setup mode.
I’ve tried restarting with “Erase all Secure Boot Settings”, “Restore Secure Boot to Factory Settings”, and both “Erase” and “Restore” set to enabled in the BIOS menu, but on booting and running sbctl status it shows setup mode as disabled.
I’m also not convinced that the restore to factory default settings option is actually doing anything, since it says it will enable secure boot if I use that option, but my OS is able to boot after setting that, despite it failing to boot due to secure boot if I manually set secure boot as enabled with the “Enforce Secure Boot” option.
Having Secure Boot enabled and enabling “Erase all Secure Boot Settings” (and exiting after saving the settings with F10) should put it into Setup mode, at least it does on Arch on the AMD version.
What happens if you reboot directly after changing the setting? Does it remain the same or is it changed? And just to be sure: what is the output of bootctl status?
I can’t reliably figure out how to even get secure boot enabled.
Firmware Arch: x64
Secure Boot: disabled
TPM2 Support: yes
Measured UKI: no
Boot into FW: supported
Current Boot Loader:
Product: systemd-boot 256.4
Features: ✓ Boot counting
✓ Menu timeout control
✓ One-shot menu timeout control
✓ Default entry control
✓ One-shot entry control
✓ Support for XBOOTLDR partition
✓ Support for passing random seed to OS
✓ Load drop-in drivers
✓ Support Type #1 sort-key field
✓ Support @saved pseudo-entry
✓ Support Type #1 devicetree field
✓ Enroll SecureBoot keys
✓ Retain SHIM protocols
✓ Menu can be disabled
✓ Boot loader sets ESP information
ESP: /dev/disk/by-partuuid/2c881739-d2ed-4fc0-a84b-0bbce9cbbe13
File: └─/EFI/systemd/systemd-bootx64.efi
Random Seed:
System Token: set
Exists: yes
Available Boot Loaders on ESP:
ESP: /boot (/dev/disk/by-partuuid/2c881739-d2ed-4fc0-a84b-0bbce9cbb>
File: ├─/EFI/systemd/systemd-bootx64.efi (systemd-boot 256.4)
└─/EFI/BOOT/BOOTX64.EFI (systemd-boot 256.4)
Boot Loaders Listed in EFI Variables:
Title: Linux Boot Manager
ID: 0x0006
Status: active, boot-order
Partition: /dev/disk/by-partuuid/2c881739-d2ed-4fc0-a84b-0bbce9cbbe13
File: └─/EFI/systemd/systemd-bootx64.efi
Title: Windows Boot Manager
ID: 0x0004
Status: active
Partition: /dev/disk/by-partuuid/b1cdafa7-ec4f-4420-b6f9-8eab2b5c2503
I’ve tried toggling “erase all” and “restore” by themselves, and together. It will sometimes show secure boot as enabled, but most of the time it won’t. I can’t see any pattern for when it will show secure boot as even enabled after a reboot.
Whenever I do erase all settings, bootctl status changes to
System:
Firmware: n/a (n/a)
Firmware Arch: x64
Secure Boot: disabled (unsupported)
TPM2 Support: yes
Measured UKI: no
Boot into FW: not supported
Current Boot Loader:
Product: n/a
Features: ✗ Boot counting
✗ Menu timeout control
✗ One-shot menu timeout control
✗ Default entry control
✗ One-shot entry control
✗ Support for XBOOTLDR partition
✗ Support for passing random seed to OS
✗ Load drop-in drivers
✗ Support Type #1 sort-key field
✗ Support @saved pseudo-entry
✗ Support Type #1 devicetree field
✗ Enroll SecureBoot keys
✗ Retain SHIM protocols
✗ Menu can be disabled
✗ Boot loader sets ESP information
ESP: n/a
File: └─n/a
Random Seed:
System Token: not set
Exists: yes
Available Boot Loaders on ESP:
ESP: /boot (/dev/disk/by-partuuid/2c881739-d2ed-4fc0-a84b-0bbce9cbbe13)
File: ├─/EFI/systemd/systemd-bootx64.efi (systemd-boot 256.4)
└─/EFI/BOOT/BOOTX64.EFI (systemd-boot 256.4)
No boot loaders listed in EFI Variables.
Boot Loader Entries:
$BOOT: /boot (/dev/disk/by-partuuid/2c881739-d2ed-4fc0-a84b-0bbce9cbbe13)
token: nixos
Default Boot Loader Entry:
type: Boot Loader Specification Type #2 (.efi)
title: NixOS Vicuna 24.11.20240911.4f807e8 (Linux 6.10.9) (Generation 10, 2024-09-15)
id: nixos-generation-10-r2sdpj5imjqpdr5rmn2eofvonngxtpa64bhxbbc4ridqoo7xmliq.efi
source: /boot//EFI/Linux/nixos-generation-10-r2sdpj5imjqpdr5rmn2eofvonngxtpa64bhxbbc4ridqoo7xmliq.efi
sort-key: lanza
version: Generation 10, 2024-09-15
linux: /boot//EFI/Linux/nixos-generation-10-r2sdpj5imjqpdr5rmn2eofvonngxtpa64bhxbbc4ridqoo7xmliq.efi
options: init=/nix/store/97flahsna916i40wi871siw36nfkqpbc-nixos-system-icarus-24.11.20240911.4f807e8/init loglevel=4
And the reset to factory makes it show the boot loader again, but that doesn’t put it in setup mode.
I’m wondering if this is an Intel issue or me doing something dumb.
OK, I figured it out. If you do the erase all secure boot settings, it erases the DBX options. At least for lanzaboote, this breaks things. Instead I had to go in and manually delete all the PK, KEK, and DB options but leave the DBX options there. On rebooting, it was in setup mode. I could then set up secure boot.
I’m not knowledgeable enough about secure boot to know if this is an issue with the UI in the BIOS or an issue with how Lanzaboote deals with secure boot or what, but I got it working.
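What the thread is really probing is the firmware's own view of the world: the SecureBoot and SetupMode variables, and whether the PK, KEK, db and dbx databases still exist after each BIOS option. Below is an added shell example (not code from this thread, nor from sbctl, bootctl or Lanzaboote) that reads those variables straight from efivarfs and classifies the state the way sbctl status does, flagging the two situations the thread ran into: a firmware that claims user mode although PK is gone (by the UEFI spec, no PK means setup mode), and a dbx that was wiped along with everything else. The GUIDs are the standard EFI_GLOBAL_VARIABLE and EFI_IMAGE_SECURITY_DATABASE ones; the scenario names and the contents of the constructed sample variables are made up for the demo and are not real signature lists.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the firmware's Secure Boot state
# from efivarfs and check whether PK, KEK, db and dbx are present. Run with no
# arguments on a UEFI Linux machine, or with --demo to run over constructed data.
set -eu

EFIVARS="${EFIVARS:-/sys/firmware/efi/efivars}"
GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"   # EFI_GLOBAL_VARIABLE (SecureBoot, SetupMode, PK, KEK)
DB_GUID="d719b2cb-3d3a-4596-a3bc-dad00e67656f"       # EFI_IMAGE_SECURITY_DATABASE (db, dbx)

# Each efivarfs file is a 4-byte attribute word followed by the variable data.
# Print the first data byte of a one-byte flag (SecureBoot/SetupMode are 0 or 1),
# or "missing" if the firmware does not expose the variable at all.
efi_flag() {
    f="$1/$2-$GLOBAL_GUID"
    [ -r "$f" ] || { echo missing; return 0; }
    od -An -tu1 -j4 -N1 "$f" | tr -d ' '
}

# Print the data size in bytes of a signature database (0 if absent). A real
# variable holds EFI_SIGNATURE_LISTs; only presence and size matter here.
efi_db_size() {
    f="$1/$2-$3"
    [ -r "$f" ] || { echo 0; return 0; }
    size=$(wc -c < "$f" | tr -d ' ')
    echo $((size - 4))
}

# Classify the state and print "<mode> dbx=<present|missing>".
#   unsupported  - no SecureBoot variable (bootctl shows "disabled (unsupported)")
#   setup        - SetupMode=1, keys can be enrolled (what sbctl needs)
#   inconsistent - firmware reports user mode although PK is absent; per the UEFI
#                  spec a missing PK means setup mode, so the change was not
#                  applied or the firmware is misreporting it
#   enforcing    - user mode with SecureBoot=1
#   disabled     - user mode with SecureBoot=0
secureboot_state() {
    dir="$1"
    sb=$(efi_flag "$dir" SecureBoot)
    sm=$(efi_flag "$dir" SetupMode)
    pk=$(efi_db_size "$dir" PK "$GLOBAL_GUID")
    dbx=$(efi_db_size "$dir" dbx "$DB_GUID")
    if   [ "$sb" = missing ]; then mode=unsupported
    elif [ "$sm" = 1 ];       then mode=setup
    elif [ "$pk" -eq 0 ];     then mode=inconsistent
    elif [ "$sb" = 1 ];       then mode=enforcing
    else                           mode=disabled
    fi
    if [ "$dbx" -gt 0 ]; then echo "$mode dbx=present"; else echo "$mode dbx=missing"; fi
}

# Write one constructed variable: $1 directory, $2 name, $3 GUID, $4 printf data.
# Attribute word: NON_VOLATILE | BOOTSERVICE_ACCESS | RUNTIME_ACCESS.
efi_write() {
    printf '\007\000\000\000'"$4" > "$1/$2-$3"
}

# Build a constructed efivarfs layout under $1 for the demo and tests.
# enrolled       : user mode, enforcing, all four databases present
# setup-keep-dbx : PK/KEK/db deleted by hand, dbx kept, SetupMode=1 (the state
#                  the thread reports as working)
# erased-all     : every variable gone, as after "Erase all Secure Boot Settings"
# nopk-user-mode : PK absent but firmware still reports SetupMode=0
make_sample() {
    dir="$1"; scenario="$2"
    mkdir -p "$dir"
    case "$scenario" in
        enrolled)
            efi_write "$dir" SecureBoot "$GLOBAL_GUID" '\001'
            efi_write "$dir" SetupMode  "$GLOBAL_GUID" '\000'
            for v in PK KEK; do efi_write "$dir" "$v" "$GLOBAL_GUID" "$v-constructed"; done
            for v in db dbx; do efi_write "$dir" "$v" "$DB_GUID" "$v-constructed"; done
            ;;
        setup-keep-dbx)
            efi_write "$dir" SecureBoot "$GLOBAL_GUID" '\000'
            efi_write "$dir" SetupMode  "$GLOBAL_GUID" '\001'
            efi_write "$dir" dbx "$DB_GUID" 'dbx-constructed'
            ;;
        erased-all)
            ;;
        nopk-user-mode)
            efi_write "$dir" SecureBoot "$GLOBAL_GUID" '\000'
            efi_write "$dir" SetupMode  "$GLOBAL_GUID" '\000'
            efi_write "$dir" dbx "$DB_GUID" 'dbx-constructed'
            ;;
        *) echo "unknown scenario: $scenario" >&2; return 1 ;;
    esac
}

case "${1:-}" in
    --demo)
        tmp=$(mktemp -d)
        for s in enrolled setup-keep-dbx erased-all nopk-user-mode; do
            make_sample "$tmp/$s" "$s"
            printf '%-16s %s\n' "$s" "$(secureboot_state "$tmp/$s")"
        done
        rm -rf "$tmp"
        ;;
    "")
        if [ -d "$EFIVARS" ]; then
            secureboot_state "$EFIVARS"
        else
            echo "no efivarfs at $EFIVARS (not booted via UEFI?)" >&2
        fi
        ;;
esac
```

Run it as root after each BIOS change (no arguments) and compare against sbctl status: "setup dbx=present" is the state the thread ended up in before enrolling keys, "inconsistent" means the firmware did not actually drop to setup mode despite PK being gone, and "dbx=missing" is the condition that broke the Lanzaboote setup here, so it is worth checking before enrolling anything. `--demo` runs the four constructed scenarios so the classification can be read without touching real firmware.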