Limine: Difference between revisions
Support for Limine Secure Boot reached stable channel |
Added more detail to the Secure Boot section. Step by step instructions for setting up and enabling secure boot |
||
| Line 1: | Line 1: | ||
{{expand}} | {{expand}} | ||
[https://limine-bootloader.org/ Limine] is a modern, advanced, portable, | [https://limine-bootloader.org/ Limine] ([https://www.merriam-webster.com/dictionary/in%20limine lē-mi-ne]) is a modern, advanced, portable, multi-protocol bootloader and boot manager. It aims to be a more robust alternative to bootloaders like [[GNU GRUB]] and [[Systemd/boot|Systemd-boot]]. It can be configured using the NixOS options under | ||
[https://search.nixos.org/options?channel=unstable&show=boot.loader.limine. boot.loader.limine.] | [https://search.nixos.org/options?channel=unstable&show=boot.loader.limine. boot.loader.limine.] | ||
== | == Secure Boot == | ||
Limine Secure Boot support is principally controlled by the [https://search.nixos.org/options?channel=unstable&show=boot.loader.limine.secureBoot.enable&query=boot.loader.limine.secureBoot.enable module options]. | Limine Secure Boot support is principally controlled by the [https://search.nixos.org/options?channel=unstable&show=boot.loader.limine.secureBoot.enable&query=boot.loader.limine.secureBoot.enable module options]. | ||
| Line 10: | Line 10: | ||
{{warning|Limine SecureBoot is still in development and requires some prerequisites and precautions. For more information, please see the Limine GitHub repository and documentation.}} | {{warning|Limine SecureBoot is still in development and requires some prerequisites and precautions. For more information, please see the Limine GitHub repository and documentation.}} | ||
=== Prerequisites === | |||
Before trying to set up secure boot, ensure that: | |||
# Limine is enabled as the current bootloader using <code>boot.loader.limine.enable = true</code>. You may find the existing [[Bootloader]] documentation helpful. | |||
# <code>sbctl</code> is installed as a system level package (using <code>environment.systemPackages</code>). | |||
Generate keys | === Generate Secure Boot Keys === | ||
<code>sbctl</code> is used to securely generate & store the Secure Boot keys. Generating the keys is as easy as:<syntaxhighlight lang="console"> | |||
$ sudo sbctl create-keys | |||
</syntaxhighlight>This stores your secure boot keys at <code>/var/lib/sbctl</code> and sets the permissions so that they can only be read by the root user. | |||
Enable Secure Boot Setup Mode | === Enable UEFI Secure Boot Setup Mode === | ||
This usually involves entering the UEFI firmware menu (BIOS) and enabling the relevant option under Secure Boot named "Reset to Setup Mode" or "Erase all Secure Boot settings". | |||
On some UEFI firmware implementations, there is not an explicit option to enter Setup Mode, instead the user must chose the option(s) to erase existing Secure Boot keys. | |||
{{Warning|</br>On Thinkpad devices, do not select "Clear All Secure Boot Keys" as it will drop the Forbidden Signature Database (dbx). Make sure to only select "Reset to Setup Mode".</br> | |||
On the Framework 13 Core Ultra Series 1, do not select "Erase all Secure Boot Settings" in the firmware. This firmware is bugged, instead delete all keys from the "PK", "KEK" and "DB" sections manually. See [https://community.frame.work/t/cant-enable-secure-boot-setup-mode/57683/5 this] thread on the Framework forum.}} | |||
After entering Setup Mode or clearing the keys, reboot back into NixOS. | |||
=== Enroll Secure Boot Keys === | |||
Once in Setup Mode, your generated keys can be enrolled using <code>sbctl</code>. <syntaxhighlight lang="console"> | |||
$ sudo sbctl enroll-keys --microsoft --firmware-builtin | |||
</syntaxhighlight>The <code>--microsoft</code> option is required for some devices which have hardware OptionROMS signed by Microsoft keys. | |||
If this | If this is successful, you can now rebuild with <code>boot.loader.limine.secureBoot.enable</code> set to true and reboot. Secure Boot should be enabled after reboot, but some devices will require it to be re-enabled manually in the UEFI firmware. | ||
Once rebooted, you can verify the secure boot status using, <code>bootctl status</code>. | |||
<syntaxHighlight lang=console> | <syntaxHighlight lang=console> | ||
Revision as of 21:53, 8 December 2025
☶︎
This article or section needs to be expanded. Further information may be found in the related discussion page. Please consult the pedia article metapage for guidelines on contributing.
Limine (lē-mi-ne) is a modern, advanced, portable, multi-protocol bootloader and boot manager. It aims to be a more robust alternative to bootloaders like GNU GRUB and Systemd-boot. It can be configured using the NixOS options under boot.loader.limine.
Secure Boot
Limine Secure Boot support is principally controlled by the module options.
⚠︎
Warning: Limine SecureBoot is still in development and requires some prerequisites and precautions. For more information, please see the Limine GitHub repository and documentation.
Prerequisites
Before trying to set up secure boot, ensure that:
- Limine is enabled as the current bootloader using
boot.loader.limine.enable = true. You may find the existing Bootloader documentation helpful. sbctlis installed as a system level package (usingenvironment.systemPackages).
Generate Secure Boot Keys
sbctl is used to securely generate & store the Secure Boot keys. Generating the keys is as easy as:
$ sudo sbctl create-keys
This stores your secure boot keys at /var/lib/sbctl and sets the permissions so that they can only be read by the root user.
Enable UEFI Secure Boot Setup Mode
This usually involves entering the UEFI firmware menu (BIOS) and enabling the relevant option under Secure Boot named "Reset to Setup Mode" or "Erase all Secure Boot settings".
On some UEFI firmware implementations, there is not an explicit option to enter Setup Mode, instead the user must chose the option(s) to erase existing Secure Boot keys.
⚠︎
Warning:
On Thinkpad devices, do not select "Clear All Secure Boot Keys" as it will drop the Forbidden Signature Database (dbx). Make sure to only select "Reset to Setup Mode".
On the Framework 13 Core Ultra Series 1, do not select "Erase all Secure Boot Settings" in the firmware. This firmware is bugged, instead delete all keys from the "PK", "KEK" and "DB" sections manually. See this thread on the Framework forum.
On Thinkpad devices, do not select "Clear All Secure Boot Keys" as it will drop the Forbidden Signature Database (dbx). Make sure to only select "Reset to Setup Mode".
On the Framework 13 Core Ultra Series 1, do not select "Erase all Secure Boot Settings" in the firmware. This firmware is bugged, instead delete all keys from the "PK", "KEK" and "DB" sections manually. See this thread on the Framework forum.
After entering Setup Mode or clearing the keys, reboot back into NixOS.
Enroll Secure Boot Keys
Once in Setup Mode, your generated keys can be enrolled using sbctl.
$ sudo sbctl enroll-keys --microsoft --firmware-builtin
The --microsoft option is required for some devices which have hardware OptionROMS signed by Microsoft keys.
If this is successful, you can now rebuild with boot.loader.limine.secureBoot.enable set to true and reboot. Secure Boot should be enabled after reboot, but some devices will require it to be re-enabled manually in the UEFI firmware.
Once rebooted, you can verify the secure boot status using, bootctl status.
$ bootctl status
systemd-boot not installed in ESP.
System:
Firmware: n/a (n/a)
Firmware Arch: x64
Secure Boot: enabled (user)
...