Limine: Difference between revisions

(2 intermediate revisions by the same user not shown)

Line 1:

[https://limine-bootloader.org/ Limine] is a modern, advanced, portable, ~~multiprotocol~~ bootloader and boot manager. It aims to be more robust alternative to bootloaders like [[GNU GRUB]]. It can be configured ~~via~~ NixOS options under

[https://limine-bootloader.org/ '''Limine'''] ([https://www.merriam-webster.com/dictionary/in%20limine lē-mi-ne]) is a modern, advanced, portable, multi-protocol bootloader and boot manager. It aims to be a more robust alternative to bootloaders like [[GNU GRUB]] and [[Systemd/boot|Systemd-boot]]. It can be configured using the NixOS options under

[https://search.nixos.org/options?channel=unstable&show=boot.loader.limine. boot.loader.limine.]

== ~~SecureBoot~~ ==

== Secure Boot ==

Limine Secure Boot support is principally controlled by the [https://search.nixos.org/options?channel=unstable&show=boot.loader.limine.secureBoot.enable&query=boot.loader.limine.secureBoot.enable module options].

Line 10:

{{warning|Limine SecureBoot is still in development and requires some prerequisites and precautions. For more information, please see the Limine GitHub repository and documentation.}}

~~To enable Secure Boot~~, ~~first switch to Limine as your bootloader. You may find the existing [[Bootloader]] documentation helpful.~~

=== Prerequisites ===

Before trying to set up secure boot, ensure that:

~~Then add~~ <code>sbctl</code> ~~to you systems packages. It must be~~ installed on a system level.

# Limine is enabled as the current bootloader using <code>boot.loader.limine.enable = true</code>. You may find the existing [[Bootloader]] documentation helpful.

# <code>sbctl</code> is installed as a system level package (using <code>environment.systemPackages</code>).

Generate keys ~~with~~ <code>sbctl create-keys</code>

=== Generate Secure Boot keys ===

<code>sbctl</code> is used to securely generate & store the Secure Boot keys. Generating the keys is as simple as:<syntaxhighlight lang="console">

$ sudo sbctl create-keys

</syntaxhighlight>This stores your secure boot keys at <code>/var/lib/sbctl</code> and sets the permissions so that they can only be read by the root user.

Enable Secure Boot Setup Mode. This usually involves entering the BIOS and ~~selecting an~~ option to ~~do so. On some BIOS implementations, there is not an explicit option to do so, but it will enter setup mode if one clears~~ all Secure Boot ~~keys~~.

=== Enable UEFI Secure Boot Setup Mode ===

This usually involves entering the UEFI firmware menu (BIOS) and enabling the relevant option under Secure Boot named "Reset to Setup Mode" or "Erase all Secure Boot settings".

~~Now~~, ~~run~~ <~~code~~>~~sbctl enroll~~-~~keys~~ -m -f</~~code> to actually enroll your~~ keys.

On some UEFI firmware implementations, there is not an explicit option to enter Setup Mode, instead the user must chose the option(s) to erase existing Secure Boot keys.

{{Warning|</br>On Thinkpad devices, do not select "Clear All Secure Boot Keys" as it will drop the Forbidden Signature Database (dbx). Make sure to only select "Reset to Setup Mode".</br>

On the Framework 13 Core Ultra Series 1, do not select "Erase all Secure Boot Settings" in the firmware. This firmware is bugged, instead delete all keys from the "PK", "KEK" and "DB" sections manually. See [https://community.frame.work/t/cant-enable-secure-boot-setup-mode/57683/5 this] thread on the Framework forum.}}

After entering Setup Mode or clearing the keys, reboot back into NixOS.

~~You~~ can ~~now rebuild with~~ <code>~~boot~~.~~loader~~.~~limine.secureBoot.enable~~</code> ~~set to true, and disable Secure Boot setup mode~~.

=== Enroll Secure Boot keys ===

Once in Setup Mode, your generated keys can be enrolled using <code>sbctl</code> again. <syntaxhighlight lang="console">

$ sudo sbctl enroll-keys --microsoft --firmware-builtin

</syntaxhighlight>The <code>--microsoft</code> option is required for some devices which have hardware OptionROMS signed by Microsoft keys. The <code>--firmware-builtin</code> option ensures your OEM certificates are also installed.

If this ~~has been~~ successful, you can ~~check~~ using <code>bootctl status</code>

If this is successful, you can now rebuild with <code>boot.loader.limine.secureBoot.enable</code> set to true and reboot. Secure Boot should be enabled after reboot, but some devices will require it to be re-enabled manually in the UEFI firmware.

Once rebooted, you can verify the Secure Boot status using, <code>bootctl status</code>.

Line 33:

Line 47:

...

</syntaxHighlight>

== See Also ==

[[Secure Boot]]

[https://codeberg.org/Limine/Limine Limine Codeberg Repository]

[[Category:Booting]]

[[Category:Secure Boot]]

@@ Line 1: / Line 1: @@
 {{expand}}
-[https://limine-bootloader.org/ Limine] is a modern, advanced, portable, multiprotocol bootloader and boot manager. It aims to be more robust alternative to bootloaders like [[GNU GRUB]]. It can be configured via NixOS options under
+[https://limine-bootloader.org/ '''Limine'''] ([https://www.merriam-webster.com/dictionary/in%20limine lē-mi-ne]) is a modern, advanced, portable, multi-protocol bootloader and boot manager. It aims to be a more robust alternative to bootloaders like [[GNU GRUB]] and [[Systemd/boot|Systemd-boot]]. It can be configured using the NixOS options under
 [https://search.nixos.org/options?channel=unstable&show=boot.loader.limine. boot.loader.limine.]
-== SecureBoot ==
+== Secure Boot ==
 Limine Secure Boot support is principally controlled by the [https://search.nixos.org/options?channel=unstable&show=boot.loader.limine.secureBoot.enable&query=boot.loader.limine.secureBoot.enable module options].
@@ Line 10: / Line 10: @@
 {{warning|Limine SecureBoot is still in development and requires some prerequisites and precautions. For more information, please see the Limine GitHub repository and documentation.}}
-To enable Secure Boot, first switch to Limine as your bootloader. You may find the existing [[Bootloader]] documentation helpful.
+=== Prerequisites ===
+Before trying to set up secure boot, ensure that:
-Then add <code>sbctl</code> to you systems packages. It must be installed on a system level.
+# Limine is enabled as the current bootloader using <code>boot.loader.limine.enable = true</code>. You may find the existing [[Bootloader]] documentation helpful.
+# <code>sbctl</code> is installed as a system level package (using <code>environment.systemPackages</code>).
-Generate keys with <code>sbctl create-keys</code>
+=== Generate Secure Boot keys ===
+<code>sbctl</code> is used to securely generate & store the Secure Boot keys. Generating the keys is as simple as:<syntaxhighlight lang="console">
+$ sudo sbctl create-keys
+</syntaxhighlight>This stores your secure boot keys at <code>/var/lib/sbctl</code> and sets the permissions so that they can only be read by the root user.
-Enable Secure Boot Setup Mode. This usually involves entering the BIOS and selecting an option to do so. On some BIOS implementations, there is not an explicit option to do so, but it will enter setup mode if one clears all Secure Boot keys.
+=== Enable UEFI Secure Boot Setup Mode ===
+This usually involves entering the UEFI firmware menu (BIOS) and enabling the relevant option under Secure Boot named "Reset to Setup Mode" or "Erase all Secure Boot settings".
-Now, run <code>sbctl enroll-keys -m -f</code> to actually enroll your keys.
+On some UEFI firmware implementations, there is not an explicit option to enter Setup Mode, instead the user must chose the option(s) to erase existing Secure Boot keys.
+{{Warning|</br>On Thinkpad devices, do not select "Clear All Secure Boot Keys" as it will drop the Forbidden Signature Database (dbx). Make sure to only select "Reset to Setup Mode".</br>
+On the Framework 13 Core Ultra Series 1, do not select "Erase all Secure Boot Settings" in the firmware. This firmware is bugged, instead delete all keys from the "PK", "KEK" and "DB" sections manually. See [https://community.frame.work/t/cant-enable-secure-boot-setup-mode/57683/5 this] thread on the Framework forum.}}
+After entering Setup Mode or clearing the keys, reboot back into NixOS.
-You can now rebuild with <code>boot.loader.limine.secureBoot.enable</code> set to true, and disable Secure Boot setup mode.
+=== Enroll Secure Boot keys ===
+Once in Setup Mode, your generated keys can be enrolled using <code>sbctl</code> again. <syntaxhighlight lang="console">
+$ sudo sbctl enroll-keys --microsoft --firmware-builtin
+</syntaxhighlight>The <code>--microsoft</code> option is required for some devices which have hardware OptionROMS signed by Microsoft keys. The <code>--firmware-builtin</code> option ensures your OEM certificates are also installed.
-If this has been successful, you can check using <code>bootctl status</code>
+If this is successful, you can now rebuild with <code>boot.loader.limine.secureBoot.enable</code> set to true and reboot. Secure Boot should be enabled after reboot, but some devices will require it to be re-enabled manually in the UEFI firmware.
+Once rebooted, you can verify the Secure Boot status using, <code>bootctl status</code>.
 <syntaxHighlight lang=console>
@@ Line 33: / Line 47: @@
 ...
 </syntaxHighlight>
+== See Also ==
+[[Secure Boot]]
+[https://codeberg.org/Limine/Limine Limine Codeberg Repository]
 [[Category:Booting]]
+[[Category:Secure Boot]]