Skip to content

Instantly share code, notes, and snippets.

@JohnRTitor

JohnRTitor/refind-nixos.md

Last active May 13, 2025 08:45
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save JohnRTitor/6705ef9d2ce3a18fdea3407f235d1922 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save JohnRTitor/6705ef9d2ce3a18fdea3407f235d1922 to your computer and use it in GitHub Desktop.
Download ZIP
reFINd install on NixOS Secureboot
Raw
refind-nixos.md

Refind is a beautiful and customisable boot manager. It can be installed easily on NixOS by a simple command.

Regular users

Run the following commands to get a shell with required components.

nix-shell -p refind efibootmgr sbsigntool

Now you can run refind-install to install the boot manager on to your EFI. The script needs to be run as root. You can start a root shell using sudo -i or prepend sudo itself.

For secureboot on NixOS:

If you have a secureboot setup on NixOS using Lanzaboote, you are not likely using Shim and you'd need a shimx64.efi for this to work.

You can extract it from Ubuntu's shim-signed deb file, which you can download from here.

  1. Extract the deb file, if you are having trouble, you can simply rename it to .zip.
  2. The files we need are in data.tar.xz. Extract the file or browse, you'll find them in /./usr/lib/shim/.
  3. We need shimx64.efi.signed.latest and mmx64.efi. Copy both to a folder you can access easily. Rename shimx64.efi.signed.latest to shimx64.efi.
  4. Run refind-install --shim /your/shimx64efi/location --localkeys
  5. The --localkeys option is needed unless you want to create the keys yourself, or already generated keys.
  6. You might want to pass --encryptkeys, it'll encrypt your keys by asking you for a paraphrase.
  7. Congrats! Refind is now installed into your efi, usually in /boot/EFI/refind or /efi/EFI/refind.

Post installation steps

  1. Copy the MOK utility (mmx64.efi too), to refind installation folder in your EFI partition, if not already.
  2. You can run something like sudo cp /your/mmx64.efi/location /boot/EFI/refind/
  3. Then reboot
  4. After rebooting, you'll show a blue shim screen where you can configure your user defined secure boot keys.
  5. Choose Enroll keys from disk
  6. Then choose the efi key .cer file and enroll it. The key should be in your EFI partition and in directory /EFI/refind/keys.
  7. Then reboot.
  8. Congrats, refind has been installed on your system. You've done a great job.

Customisation

  1. You can edit refind.conf in your refind installation folder on your EFI partition, to customise your refind experience. Things like custom banner, fonts can be easily configured.

References

  1. https://www.rodsbooks.com/refind/installing.html#installsh
@derkalaender
Copy link

derkalaender commented Dec 23, 2024

Hi, thanks for the guide! I managed to install rEFInd with Secure Boot but without a shim/mok! Since I needed to generate and enroll my own keys during Lanzaboote setup anyway, I figured why not reuse those keys?

So I just ran refind-install as if "regular user" and then used sbctl to sign the rEFInd efi: sudo sbctl sign -s /boot/EFI/refind/refind_x64.efi.
I had to confirm that I'm sure about a shim missing during installation.

This way, rEFInd can be booted directly. Only downside is that rEFInd needs to be resigned each time its EFI is updated, but I figured this doesn't happen that often.

Also, I'm unsure about whether the --localkeys option is still recommended. My thinking is that by signing with sbctl I'm overriding any previous signature, so it doesn't matter if the --localkeys option was used or not. But maybe signatures "stack"? I'm not knowledgeable enough in that regard.

Maybe this is useful to some as you don't need to fiddle around with shim and MOKs.

@JohnRTitor
Copy link
Author

JohnRTitor commented Mar 15, 2025

Correct, you can definitely sign refind's EFI using the existing keys and that will work flawlessly.
Though I am still in favor of keeping a "mokmanager" EFI, for enrolling third party signatures.

And yes, signatures do "stack"!

@rfvgyhn
Copy link

rfvgyhn commented May 13, 2025

What's the process look like when the shim package has an update? Do you:

  • Just overwrite the existing files with the new ones?
  • Rerun refind-install --shim /your/updated/shimx64efi/location and overwrite mmx64.efi?
  • Something else?

@JohnRTitor
Copy link
Author

JohnRTitor commented May 13, 2025

Overwriting shim and mmx64 in the refind installation location is okay.

In my case, I regularly update my BIOS (which clears Bootloader entries by the way). So I refind-install again with new shim (if there's an update).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment