nix-community / lanzaboote

Secure Boot for NixOS [maintainers=@blitz @raitobezarius @nikstur]
GNU General Public License v3.0

Enabling lanzaboote on initial installation #397

Open Ten0 opened 5 days ago

Ten0 commented 5 days ago

Hello! I've been using this successfully for a few months, and I'd like to generalize its usage.

Readme specifies: https://github.com/nix-community/lanzaboote/blob/f5a3a7dff44d131807fc1a89fbd8576cd870334a/docs/QUICK_START.md?plain=1#L33-L35

I'd like to be able to apply a configuration with lanzaboote enabled as I run nixos-install, and not have to manually temporarily disable it from my config during the installation, then re-enable it after the installation.

Could you please expand on the limitations that prevent running `sbctl create-keys` prior to installation, then applying the initial configuration with lanzaboote enabled right away? Thanks!

arthsmn commented 14 hours ago

You can create your own ISO with your keys in it and a signed kernel. Then, you would only need to import the keys into the machine and copy the keys from the ISO to the installation.

Ten0 commented 12 hours ago

Hey, thanks for your answer. I didn't mean that I wanted secure boot to be enabled prior to installation. I meant that the guide seems to express that applying a configuration that has lanzaboote enabled instead of systemd boot during initial nixos-install wouldn't work, and I was wondering why creating keys in /mnt/etc/secureboot prior to installation wouldn't work (or if it would, why the guide seems to suggest otherwise). Thanks!

arthsmn commented 11 hours ago

> Hey, thanks for your answer. I didn't mean that I wanted secure boot to be enabled prior to installation. I meant that the guide seems to express that applying a configuration that has lanzaboote enabled instead of systemd boot during initial nixos-install wouldn't work, and I was wondering why creating keys in /mnt/etc/secureboot prior to installation wouldn't work (or if it would, why the guide seems to suggest otherwise). Thanks!

I think this is a misunderstanding of the guide, as I'm pretty sure I installed lanzaboote directly. As the module just replaces systemd-boot, in theory if it has everything in place it should work.

RaitoBezarius commented 3 hours ago

Hi there, `sbctl create-keys` is frowned upon in activation because this is a side effect that creates private keys, and private key creation in an activation script is a bit icky.

Nonetheless, as long as you copied the keys from another location, you can immediately use lanzaboote on the first nixos-install. Lanzaboote will not enforce Secure Boot if Secure Boot is disabled. As soon as you enroll the keys, Secure Boot will be enabled and your bootables will be signed according to the right keys, so it should work out fine in the end.

The guide is a bit conservative to avoid bad experiences, but it could indeed benefit from some clarification.
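As an added example (not from the thread or the lanzaboote project), a pre-flight check for the flow discussed above: before running the first `nixos-install` with lanzaboote enabled, confirm that the target root mounted at `/mnt` already carries a complete PKI bundle with non-world-readable private keys. The directory layout (`keys/{PK,KEK,db}/*.{key,pem}` under the bundle, matching what the `pkiBundle` option points at) is assumed from sbctl's conventions.

```shell
# Pre-flight check for a first nixos-install with boot.lanzaboote.enable = true:
# the signing keys must already exist on the target root, because the module
# does not create them. Layout assumed (sbctl convention, as lanzaboote's
# pkiBundle option expects): <bundle>/keys/<name>/<name>.key and .pem for
# PK, KEK and db. Lanzaboote signs with db; PK and KEK are needed for enrollment.

# Returns 0 when the bundle is complete and sane, 1 otherwise; findings on stdout.
check_pki_bundle() {
  bundle="$1"
  status=0
  for name in PK KEK db; do
    for ext in key pem; do
      f="$bundle/keys/$name/$name.$ext"
      if [ ! -s "$f" ]; then
        echo "missing or empty: $f"
        status=1
      fi
    done
  done
  # Private keys end up on the installed system; they must not be readable by
  # other users (any permission bit set for "others" is flagged).
  for name in PK KEK db; do
    k="$bundle/keys/$name/$name.key"
    if [ -f "$k" ]; then
      mode=$(stat -c '%a' "$k" 2>/dev/null || stat -f '%Lp' "$k")
      case "$mode" in
        *[1-7]) echo "world-readable private key: $k (mode $mode)"; status=1 ;;
      esac
    fi
  done
  return "$status"
}

# Typical use from the installer, with the target root mounted at /mnt
# (hostname in the flake reference is a placeholder):
#   check_pki_bundle /mnt/etc/secureboot && nixos-install --flake /mnt/etc/nixos#HOSTNAME
```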