Description
Big thanks already for all the work done here :).
My setup:
- Surface Laptop 5
- Dualboot between nixos (24.05) and Windows 11
Currently able to load bootloader in secure boot, but not able to boot any generation that I select (the auto detected windows 11 entry does boot). If I select a nixos generation, screen goes black for a few seconds, then the boot menu comes up again.
Information below, anything else you want me to add in terms of logs?
Steps I've taken:
- Installed sbctl & lanzaboote using flake config
- Created secure boot keys
- sbctl verify confirms that generations are signed
[timo@timo-surface-nixos:/etc/secureboot]$ sudo sbctl verify
Verifying file database and EFI images in /boot...
✓ /boot/EFI/Boot/bootx64.efi is signed
✓ /boot/EFI/Linux/nixos-generation-10-wumc6ylmxlhx7im3apihtmnydw2x2sdghlomigvyr42v3umwezyq.efi is signed
✓ /boot/EFI/Linux/nixos-generation-8-wumc6ylmxlhx7im3apihtmnydw2x2sdghlomigvyr42v3umwezyq.efi is signed
✓ /boot/EFI/Linux/nixos-generation-9-zo32rkvn3qlm7jecflnpcbqotqht3dpissvzpam7eth3dw7zop7q.efi is signed
✗ /boot/EFI/nixos/kernel-6.10.5-s5opuy4efv6pb4ba33mwigy3sm3h6gn2qfnhtvdzkbkq6ns67leq.efi is not signed
✓ /boot/EFI/systemd/systemd-bootx64.efi is signed
-
According to instructions, you then need to enable secureboot first before enrolling the keys. I tried this and enabled secureboot in surface uefi but then linux bootloader did not load at all, it went directly to windows boot manager (I checked the boot order to confirm linux boot manager is first).
-
Rebooted with secure boot disabled and enrolled the keys
[timo@timo-surface-nixos:/etc/secureboot]$ sudo sbctl status
Installed: ✓ sbctl is installed
Owner GUID: <REDACTED>
Setup Mode: ✗ Enabled
Secure Boot: ✗ Disabled
Vendor Keys: microsoft
-
This enables secure boot because after enrolling the keys and booting directly in the surface uefi, it says that secure boot is enabled with "custom key configuration" (an option you can't select directly from the UEFI menu)
-
Bootloader now shows up in secure boot, but no generations can boot.
Bootctl status output:
[timo@timo-surface-nixos:/etc/secureboot]$ bootctl status
System:
Firmware: UEFI 2.70 (EDK II 1.00)
Firmware Arch: x64
Secure Boot: disabled (setup)
TPM2 Support: yes
Measured UKI: yes
Boot into FW: supported
Current Boot Loader:
Product: systemd-boot 255.9
Features: ✓ Boot counting
✓ Menu timeout control
✓ One-shot menu timeout control
✓ Default entry control
✓ One-shot entry control
✓ Support for XBOOTLDR partition
✓ Support for passing random seed to OS
✓ Load drop-in drivers
✓ Support Type #1 sort-key field
✓ Support @saved pseudo-entry
✓ Support Type #1 devicetree field
✓ Enroll SecureBoot keys
✓ Retain SHIM protocols
✓ Menu can be disabled
✓ Boot loader sets ESP information
Stub: lanzastub 0.4.1
Features: ✓ Stub sets ESP information
✗ Picks up credentials from boot partition
✗ Picks up system extension images from boot partition
✗ Measures kernel+command line+sysexts
✗ Support for passing random seed to OS
✗ Pick up .cmdline from addons
✗ Pick up .cmdline from SMBIOS Type 11
✗ Pick up .dtb from addons
ESP: /dev/disk/by-partuuid/38ec6b10-0153-42ca-bec6-81bcc55aec93
File: └─/EFI/systemd/systemd-bootx64.efi
Random Seed:
System Token: set
Exists: yes
Available Boot Loaders on ESP:
ESP: /boot (/dev/disk/by-partuuid/38ec6b10-0153-42ca-bec6-81bcc55aec93)
File: ├─/EFI/systemd/systemd-bootx64.efi (systemd-boot 255.9)
└─/EFI/BOOT/bootx64.efi (systemd-boot 255.9)
Boot Loaders Listed in EFI Variables:
Title: Linux Boot Manager
ID: 0x0005
Status: active, boot-order
Partition: /dev/disk/by-partuuid/38ec6b10-0153-42ca-bec6-81bcc55aec93
File: └─/EFI/systemd/systemd-bootx64.efi
Title: Windows Boot Manager
ID: 0x0004
Status: active, boot-order
Partition: /dev/disk/by-partuuid/38ec6b10-0153-42ca-bec6-81bcc55aec93
File: └─/EFI/Microsoft/Boot/bootmgfw.efi
Boot Loader Entries:
$BOOT: /boot (/dev/disk/by-partuuid/38ec6b10-0153-42ca-bec6-81bcc55aec93)