sign bootloader to make it compatible with UEFI secure boot? #42127

@KiaraGrouwstra

The install guide states:

UEFI boot
The EFI bootloader of the installation media is not signed and is not using a signed shim to boot. This means that Secure Boot will need to be disabled to boot.

I have a work machine I would like to use NixOS on.

Unfortunately, it uses secure boot, forcing me to choose between disabling secure boot (-> can boot from arbitrary USBs but can't use hard drive), or leaving it (can use hard drive but no NixOS).

It would be nice if NixOS were compatible with secure boot.

It seems this involves signing the bootloader with some Microsoft key. This makes me wonder, would this be possible, or would there be drawbacks to this?

(As a workaround, it seems one can also add a signing key to the UEFI firmware. However, if the NixOS bootloader is not signed yet I presume this does not apply yet.)

Labels: 6.topic: nixos (Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS)
