Skip to content

Instantly share code, notes, and snippets.

@JohnRTitor

JohnRTitor/refind-nixos.md

Last active March 15, 2025 15:33
Show Gist options
  • Save JohnRTitor/6705ef9d2ce3a18fdea3407f235d1922 to your computer and use it in GitHub Desktop.
Save JohnRTitor/6705ef9d2ce3a18fdea3407f235d1922 to your computer and use it in GitHub Desktop.
Download ZIP
reFINd install on NixOS Secureboot
Raw
refind-nixos.md

Refind is a beautiful and customisable boot manager. It can be installed easily on NixOS by a simple command.

Regular users

Run the following commands to get a shell with required components.

nix-shell -p refind efibootmgr sbsigntool

Now you can run refind-install to install the boot manager on to your EFI. The script needs to be run as root. You can start a root shell using sudo -i or prepend sudo itself.

For secureboot on NixOS:

If you have a secureboot setup on NixOS using Lanzaboote, you are not likely using Shim and you'd need a shimx64.efi for this to work.

You can extract it from Ubuntu's shim-signed deb file, which you can download from here.

  1. Extract the deb file, if you are having trouble, you can simply rename it to .zip.
  2. The files we need are in data.tar.xz. Extract the file or browse, you'll find them in /./usr/lib/shim/.
  3. We need shimx64.efi.signed.latest and mmx64.efi. Copy both to a folder you can access easily. Rename shimx64.efi.signed.latest to shimx64.efi.
  4. Run refind-install --shim /your/shimx64efi/location --localkeys
  5. The --localkeys option is needed unless you want to create the keys yourself, or already generated keys.
  6. You might want to pass --encryptkeys, it'll encrypt your keys by asking you for a paraphrase.
  7. Congrats! Refind is now installed into your efi, usually in /boot/EFI/refind or /efi/EFI/refind.

Post installation steps

  1. Copy the MOK utility (mmx64.efi too), to refind installation folder in your EFI partition, if not already.
  2. You can run something like sudo cp /your/mmx64.efi/location /boot/EFI/refind/
  3. Then reboot
  4. After rebooting, you'll show a blue shim screen where you can configure your user defined secure boot keys.
  5. Choose Enroll keys from disk
  6. Then choose the efi key .cer file and enroll it. The key should be in your EFI partition and in directory /EFI/refind/keys.
  7. Then reboot.
  8. Congrats, refind has been installed on your system. You've done a great job.

Customisation

  1. You can edit refind.conf in your refind installation folder on your EFI partition, to customise your refind experience. Things like custom banner, fonts can be easily configured.

References

  1. https://www.rodsbooks.com/refind/installing.html#installsh
@JohnRTitor
Copy link
Author

Correct, you can definitely sign refind's EFI using the existing keys and that will work flawlessly.
Though I am still in favor of keeping a "mokmanager" EFI, for enrolling third party signatures.

And yes, signatures do "stack"!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment