Secure Boot

Revision as of 22:22, 9 December 2025 by Ben9986 (Marked this version for translation)

Secure Boot usually refers to a platform firmware capability to verify the boot components and ensure that only your own operating system is allowed to boot.

Secure Boot has multiple implementations. The best known is UEFI Secure Boot, which relies on the UEFI platform firmware, but other implementations can exist on embedded systems.

On NixOS, Secure Boot can be enabled using the Lanzaboote or Limine projects.

It is recommended to set a BIOS password and enable full disk encryption to prevent attacks that can bypass Secure Boot.

Checking Secure Boot status

The easiest way to check whether your machine has Secure Boot enabled is to use systemd's bootctl. You do not need to be using systemd-boot as your bootloader for this command to work.

$ bootctl status
System:
    Firmware: UEFI 2.80 (American Megatrends 5.25)
    Firmware Arch: x64
    Secure Boot: enabled (user)
    TPM2 Support: yes
    Measured UKI: yes
    Boot into FW: supported
...

The system above has Secure Boot enabled and enforced. Other values include disabled (setup) for Setup Mode, disabled (disabled) or disabled (unsupported). The unsupported tag only appears if your device firmware does not support Secure Boot at all.

If you see disabled (disabled), you will need to enable Secure Boot in your UEFI firmware settings before using one of the projects outlined here.
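
For scripted checks across several machines, the status values described above can be classified from the bootctl output. This is an added example, not part of the original wiki page; the function names and return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the "Secure Boot:" line of `bootctl status` output.
# Only the four values listed on this page are recognised; anything else is
# reported as unknown instead of being guessed at.

# Print the value of the first "Secure Boot:" field found on stdin.
secure_boot_field() {
    sed -n '/^[[:space:]]*Secure Boot:/{
        s/^[[:space:]]*Secure Boot:[[:space:]]*//
        s/[[:space:]]*$//
        p
        q
    }'
}

# Map a field value to a verdict line and a return code (assumed convention):
#   0 = enforced, 1 = action needed, 2 = unsupported, 3 = unknown or missing
classify_secure_boot() {
    case "$1" in
        "enabled (user)")         echo "enforced"; return 0 ;;
        "disabled (setup)")       echo "setup-mode"; return 1 ;;
        "disabled (disabled)")    echo "disabled-in-firmware"; return 1 ;;
        "disabled (unsupported)") echo "unsupported"; return 2 ;;
        "")                       echo "unknown: no Secure Boot line"; return 3 ;;
        *)                        echo "unknown: $1"; return 3 ;;
    esac
}

# Read bootctl output on stdin, e.g.:  bootctl status | check_secure_boot
check_secure_boot() {
    classify_secure_boot "$(secure_boot_field)"
}

# Constructed sample input, copied from the output shown above.
sample_status() {
    cat <<'EOF'
System:
    Firmware: UEFI 2.80 (American Megatrends 5.25)
    Firmware Arch: x64
    Secure Boot: enabled (user)
    TPM2 Support: yes
EOF
}

sample_status | check_secure_boot   # demo on the sample
```

On a real machine, pipe the live output in with `bootctl status | check_secure_boot` and act on the return code.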