Lanzaboote is a Rust-based UEFI stub that enables Secure Boot on NixOS; it stores the kernel and initrd on the ESP separately from the UKI-style stub, so every NixOS generation keeps its own bootable entry without the ESP filling up.
Key Takeaways
NixOS’s multi-generation model makes standard UKIs impractical: a self-contained ("fat") UKI per generation would exhaust the ESP quickly.
Lanzaboote implements a custom EFI stub that conforms to the UKI spec without embedding the kernel and initrd; instead of verifying them itself, it loads them through the firmware's LoadImage service so UEFI performs the Secure Boot signature check.
Built in Rust targeting x86_64-unknown-uefi (now Tier 2), using rust-osdev/uefi-rs; no build-std required.
lanzatool handles UKI assembly, binary signing, and ESP population; NixOS modules wire it into nixos-rebuild switch.
Root of trust is not yet streamlined: users must generate and manually enroll their own keys into firmware.
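The following NixOS configuration fragment is an added example (not code from the original article or from the lanzaboote project) showing how the module wiring described above looks from the user's side. The option names (boot.lanzaboote.enable, boot.lanzaboote.pkiBundle) are taken from the lanzaboote project's README as I recall it and are assumptions, as are the flake input name and the /var/lib/sbctl key directory.

```nix
# Added example: minimal NixOS configuration enabling lanzaboote.
# Assumes the flake input `lanzaboote` exposes nixosModules.lanzaboote
# (placeholder name) and that it has been added to `imports` elsewhere.
{ pkgs, lib, ... }:
{
  # lanzatool takes over populating the ESP, so systemd-boot's installer
  # must be forced off; otherwise both would write boot entries.
  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.loader.efi.canTouchEfiVariables = true;

  boot.lanzaboote = {
    enable = true;
    # Directory holding the Secure Boot signing keys that lanzatool uses to
    # sign each generation's stub. The page notes these keys are still
    # generated and enrolled into firmware by the user; the sbctl default
    # location is used here as an assumption.
    pkiBundle = "/var/lib/sbctl";
  };

  # sbctl is used for key creation/enrollment and for checking the
  # signatures of what ended up on the ESP.
  environment.systemPackages = [ pkgs.sbctl ];
}
```

After `nixos-rebuild switch`, `sbctl verify` lists which files on the ESP are signed with the enrolled keys, and `bootctl status` reports whether the firmware currently has Secure Boot enabled; a generation whose stub was not signed with a key in the firmware's db will be refused by LoadImage, which is the check the stub deliberately defers to UEFI.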
Hacker News Comment Review
Commenters point to sbctl as a likely solution for the key generation and enrollment UX gap the authors flagged; it already has a NixOS option in channel 25.11.