@JohnRTitor
Last active March 15, 2025 15:33
rEFInd install on NixOS with Secure Boot

rEFInd is a beautiful, customisable boot manager. On NixOS it can be installed with a single command.

Regular users

Run the following command to get a shell with the required components.

nix-shell -p refind efibootmgr sbsigntool

Now you can run refind-install to install the boot manager onto your EFI system partition. The script needs to be run as root: start a root shell with sudo -i, or prefix the command with sudo.

For Secure Boot on NixOS:

If you have Secure Boot set up on NixOS using Lanzaboote, you are most likely not using shim, and you'll need a shimx64.efi for this to work.

You can extract it from Ubuntu's shim-signed .deb package, which you can download from here.

  1. Extract the .deb file; if you have trouble, you can simply rename it to .zip.
  2. The files we need are in data.tar.xz. Extract it or browse into it; you'll find them under ./usr/lib/shim/.
  3. We need shimx64.efi.signed.latest and mmx64.efi. Copy both to a folder you can access easily, and rename shimx64.efi.signed.latest to shimx64.efi.
  4. Run refind-install --shim /your/shimx64efi/location --localkeys
  5. The --localkeys option is needed unless you want to create the keys yourself or have already generated them.
  6. You might also want to pass --encryptkeys; it encrypts your keys, prompting you for a passphrase.
  7. Congrats! rEFInd is now installed on your EFI partition, usually in /boot/EFI/refind or /efi/EFI/refind.

Post installation steps

  1. Copy the MOK utility (mmx64.efi) to the rEFInd installation folder on your EFI partition, if it is not already there.
  2. You can run something like sudo cp /your/mmx64.efi/location /boot/EFI/refind/
  3. Then reboot.
  4. After rebooting, you'll see a blue shim screen where you can configure your user-defined Secure Boot keys.
  5. Choose Enroll keys from disk.
  6. Then choose the .cer key file and enroll it. The key should be on your EFI partition, in the directory /EFI/refind/keys.
  7. Then reboot.
  8. Congrats, rEFInd has been installed on your system. You've done a great job.
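The shim staging, the refind-install invocation and the post-install MokManager copy above are a few manual steps that are easy to get slightly wrong (a forgotten rename, mmx64.efi missing from the ESP, no .cer key to enrol after the reboot). The script below is an added example, not part of the gist or of rEFInd itself; it wraps those steps in small POSIX sh functions and finishes with a sanity check of the ESP layout the guide describes. All paths are assumptions: the first argument is the extracted usr/lib/shim directory from the shim-signed package, the second a staging directory of your choice, and the ESP is whatever is mounted at /boot or /efi on your system.

```shell
#!/bin/sh
# Added example (not from the gist): helpers for the shim + rEFInd procedure.
# Assumed inputs: SRC = extracted usr/lib/shim directory from Ubuntu's
# shim-signed .deb; DEST = a staging directory; ESP = mounted EFI partition.

# Step 3 of the install list: stage shimx64.efi (renamed from
# shimx64.efi.signed.latest) and mmx64.efi into one directory that
# refind-install --shim can point at.
stage_shim() {
    src="$1"; dest="$2"
    [ -f "$src/shimx64.efi.signed.latest" ] || { echo "missing shimx64.efi.signed.latest in $src" >&2; return 1; }
    [ -f "$src/mmx64.efi" ] || { echo "missing mmx64.efi in $src" >&2; return 1; }
    mkdir -p "$dest"
    cp "$src/shimx64.efi.signed.latest" "$dest/shimx64.efi"
    cp "$src/mmx64.efi" "$dest/mmx64.efi"
}

# Steps 4-6: build the refind-install command line the guide describes.
# It is printed, not executed, so you can review it and then run it as root.
refind_install_cmd() {
    shim_dir="$1"; encrypt="${2:-no}"
    cmd="refind-install --shim $shim_dir/shimx64.efi --localkeys"
    if [ "$encrypt" = "yes" ]; then cmd="$cmd --encryptkeys"; fi
    printf '%s\n' "$cmd"
}

# Post-install step 1-2: make sure MokManager sits next to rEFInd on the ESP,
# otherwise the blue enrolment screen will not be available after the reboot.
copy_mok_manager() {
    shim_dir="$1"; esp="$2"
    refind_dir="$esp/EFI/refind"
    [ -d "$refind_dir" ] || { echo "no rEFInd directory at $refind_dir" >&2; return 1; }
    if [ ! -f "$refind_dir/mmx64.efi" ]; then
        cp "$shim_dir/mmx64.efi" "$refind_dir/mmx64.efi"
    fi
}

# Sanity check before rebooting: shim, MokManager and at least one .cer key
# (written by --localkeys into EFI/refind/keys) must be present, otherwise
# the "Enroll keys from disk" step has nothing to enrol. Returns 0 when OK.
check_esp() {
    refind_dir="$1/EFI/refind"
    ok=0
    for f in shimx64.efi mmx64.efi; do
        [ -f "$refind_dir/$f" ] || { echo "missing $refind_dir/$f" >&2; ok=1; }
    done
    set -- "$refind_dir"/keys/*.cer
    [ -f "$1" ] || { echo "no .cer key in $refind_dir/keys" >&2; ok=1; }
    return $ok
}

# Usage: sh refind_shim_helper.sh SRC DEST [yes|no]   (third arg: --encryptkeys)
# Stages the shim files and prints the refind-install command to run as root.
if [ $# -eq 3 ]; then
    stage_shim "$1" "$2" && refind_install_cmd "$2" "$3"
fi
```

After running the printed refind-install command as root, call copy_mok_manager and check_esp against your ESP mount point (for example /boot); a non-zero return from check_esp means the reboot would land you in MokManager with nothing to enrol, so fix the reported file first.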

Customisation

  1. You can edit refind.conf in your rEFInd installation folder on your EFI partition to customise your rEFInd experience; things like a custom banner and fonts can be configured easily.

References

  1. https://www.rodsbooks.com/refind/installing.html#installsh
@derkalaender

Hi, thanks for the guide! I managed to install rEFInd with Secure Boot but without a shim/mok! Since I needed to generate and enroll my own keys during Lanzaboote setup anyway, I figured why not reuse those keys?

So I just ran refind-install as if "regular user" and then used sbctl to sign the rEFInd efi: sudo sbctl sign -s /boot/EFI/refind/refind_x64.efi.
I had to confirm that I'm sure about a shim missing during installation.

This way, rEFInd can be booted directly. The only downside is that rEFInd needs to be re-signed each time its EFI is updated, but I figured this doesn't happen that often.

Also, I'm unsure about whether the --localkeys option is still recommended. My thinking is that by signing with sbctl I'm overriding any previous signature, so it doesn't matter if the --localkeys option was used or not. But maybe signatures "stack"? I'm not knowledgeable enough in that regard.

Maybe this is useful to some as you don't need to fiddle around with shim and MOKs.

@JohnRTitor
Author

Correct, you can definitely sign refind's EFI using the existing keys and that will work flawlessly.
Though I am still in favor of keeping a "mokmanager" EFI, for enrolling third party signatures.

And yes, signatures do "stack"!
