nix-community/lanzaboote

Doesn't boot NixOS bootloader with Secure Boot

manmathew opened this issue · 2 comments

Hardware: Surface Pro 8
Software: Windows 11 & NixOS 23.05 (GNOME) Dual Boot

All the checks work fine with bootctl and sbctl (the only exception is that non-NixOS files don't pass, but the Microsoft and unused Ubuntu files don't raise any red flags).

The issue is that after I enable Secure Boot for Microsoft and 3rd parties, it boots into Windows and cannot boot the NixOS bootloader even when it's the only option available.

I've tried enrolling the keys and setting an admin password for UEFI, but that doesn't change the end result.

Please let me know what the troubleshooting steps are to hopefully make this work. I want to encrypt both NixOS and Windows.

Mmh. That sounds weird. Can you share your NixOS config and relevant sbctl and bootctl output? sbctl list-files would be interesting.

We would need a dump of:

cat /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f > /tmp/db # upload this in a binary paste or something
cat /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c > /tmp/PK # same
cat /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c > /tmp/KEK # same

too.
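
Added example, not part of the thread and not lanzaboote's own code: a small parser for the dumps requested above, so the owner GUIDs and entry types in db, KEK and PK can be inspected locally before uploading. It assumes the standard efivarfs layout (a 4-byte attribute prefix followed by EFI_SIGNATURE_LIST structures); `parse_efivar`, `build_list` and the sample data are constructed for illustration.

```python
import struct
import sys
import uuid

# Signature type GUIDs defined by the UEFI specification.
SIG_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "x509",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "sha256",
}
HDR = 28  # type GUID (16) + list size, header size, signature size (3 x u32)

def parse_efivar(blob):
    """Return (attributes, [(type_name, owner_guid, data), ...]) for a raw dump."""
    if len(blob) < 4:
        raise ValueError("missing 4-byte efivarfs attribute prefix")
    (attrs,) = struct.unpack_from("<I", blob, 0)
    entries, off = [], 4
    while off < len(blob):
        if len(blob) - off < HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HDR + hdr_size or off + list_size > len(blob) or sig_size < 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        body = blob[off + HDR + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        name = SIG_TYPES.get(sig_type, str(sig_type))
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((name, owner, body[i + 16:i + sig_size]))
        off += list_size
    return attrs, entries

def build_list(type_guid, owner, items):  # only used for the constructed sample
    body = b"".join(owner.bytes_le + d for d in items)
    sizes = struct.pack("<III", HDR + len(body), 0, 16 + len(items[0]))
    return type_guid.bytes_le + sizes + body

# Constructed sample, not a real db: placeholder data under a made-up owner GUID.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
X509, SHA256 = list(SIG_TYPES)
SAMPLE_DB = (struct.pack("<I", 0x27)
             + build_list(X509, OWNER, [b"placeholder-der-bytes"])
             + build_list(SHA256, OWNER, [bytes(32), bytes(range(32))]))

if __name__ == "__main__":  # pass /tmp/db, /tmp/KEK or /tmp/PK as the argument
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DB
    for name, owner, data in parse_efivar(blob)[1]:
        print(name, owner, len(data), "bytes")
```

Run without arguments it walks the constructed sample; each `x509` entry's data is a DER certificate that can be written to a file and inspected with a certificate viewer.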