Limine

Revision as of 22:48, 8 December 2025 by Ben9986 (talk | contribs) (Grammar and wording improvements)

Limine (lē-mi-ne) is a modern, advanced, portable, multi-protocol bootloader and boot manager. It aims to be a more robust alternative to bootloaders like GNU GRUB and Systemd-boot. It can be configured using the NixOS options under boot.loader.limine.

Secure Boot

Limine Secure Boot support is principally controlled by the boot.loader.limine.secureBoot module options.

Warning: Limine Secure Boot support is still in development and requires some prerequisites and precautions. For more information, please see the Limine GitHub repository and documentation.

Prerequisites

Before trying to set up secure boot, ensure that:

  1. Limine is enabled as the current bootloader using boot.loader.limine.enable = true. You may find the existing Bootloader documentation helpful.
  2. sbctl is installed as a system level package (using environment.systemPackages).

Generate Secure Boot keys

sbctl is used to generate and securely store the Secure Boot keys. Generating the keys is as simple as:

$ sudo sbctl create-keys

This stores your secure boot keys at /var/lib/sbctl and sets the permissions so that they can only be read by the root user.

Enable UEFI Secure Boot Setup Mode

This usually involves entering the UEFI firmware menu (BIOS) and enabling the relevant option under Secure Boot named "Reset to Setup Mode" or "Erase all Secure Boot settings".

On some UEFI firmware implementations there is no explicit option to enter Setup Mode; instead, the user must choose the option(s) that erase the existing Secure Boot keys.

Warning:
On ThinkPad devices, do not select "Clear All Secure Boot Keys", as it also drops the Forbidden Signature Database (dbx). Make sure to select only "Reset to Setup Mode".
On the Framework 13 Core Ultra Series 1, do not select "Erase all Secure Boot Settings" in the firmware. This firmware is buggy; instead, delete all keys from the "PK", "KEK" and "DB" sections manually. See this thread on the Framework forum.

After entering Setup Mode or clearing the keys, reboot back into NixOS.

Enroll Secure Boot keys

Once in Setup Mode, your generated keys can be enrolled using sbctl again.

$ sudo sbctl enroll-keys --microsoft --firmware-builtin

The --microsoft option is required for some devices whose hardware Option ROMs are signed by Microsoft keys. The --firmware-builtin option ensures that your OEM certificates are also installed.

If this is successful, you can now rebuild with boot.loader.limine.secureBoot.enable set to true and reboot. Secure Boot should be enabled after reboot, but some devices will require it to be re-enabled manually in the UEFI firmware.

Once rebooted, you can verify the Secure Boot status using bootctl status:

$ bootctl status
systemd-boot not installed in ESP.
System:
      Firmware: n/a (n/a)
 Firmware Arch: x64
   Secure Boot: enabled (user)
...
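As an added example (not code from this wiki page or the Limine project), a small POSIX shell helper that gates the enrollment step on the firmware actually being in Setup Mode, by reading the EFI SetupMode variable from efivarfs, and that parses the bootctl status output shown above to confirm Secure Boot is enforced after the reboot. The efivarfs path, the EFI global-variable GUID and the "disabled (setup)" wording are assumptions taken from the UEFI specification and systemd, not from this page.

```shell
#!/bin/sh
# Added example: pre- and post-enrollment Secure Boot checks for the
# Limine + sbctl procedure. Not part of the wiki page or Limine itself.

# Print the value of the "Secure Boot:" line from `bootctl status` output ($1).
secure_boot_state() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Secure Boot:[[:space:]]*//p'
}

# Return 0 if bootctl output ($1) shows Secure Boot enforced in user mode,
# i.e. the state expected after the rebuild with secureBoot.enable = true.
secure_boot_enforced() {
  [ "$(secure_boot_state "$1")" = "enabled (user)" ]
}

# Return 0 if the firmware is in Setup Mode. The EFI SetupMode variable lives
# under the EFI global variable GUID (assumed path); efivarfs prefixes the
# 1-byte value with a 4-byte attribute header, so byte 4 is the flag.
# $1 optionally overrides the path (used for offline testing).
efi_setup_mode() {
  var="${1:-/sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
  [ -r "$var" ] || return 2                      # no efivarfs: state unknown
  [ "$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')" = "1" ]
}

# Gate for the enrollment step: refuse unless Setup Mode is active, since
# `sbctl enroll-keys` cannot replace the PK while the firmware is in user mode.
preflight_enroll() {
  if efi_setup_mode "$@"; then
    echo "Setup Mode active: run 'sudo sbctl enroll-keys --microsoft --firmware-builtin'"
  else
    echo "Not in Setup Mode: enter it from the UEFI firmware menu first" >&2
    return 1
  fi
}

# Post-reboot check against the live system (bootctl output from this host).
post_reboot_check() {
  out=$(bootctl status 2>/dev/null) || out=""
  if secure_boot_enforced "$out"; then
    echo "Secure Boot is enforced: $(secure_boot_state "$out")"
  else
    echo "Secure Boot not enforced (re-enable it in the UEFI firmware): ${out:-bootctl unavailable}" >&2
    return 1
  fi
}
```

Run `preflight_enroll` before the enroll-keys step and `post_reboot_check` after the reboot; on a host without efivarfs `efi_setup_mode` returns 2 rather than silently reporting Setup Mode.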

See Also

Secure Boot

Limine Codeberg Repository