
Does Secure Boot with NixOS even make sense? In an ordinary Secure Boot setup, you get the kernel/initrd/etc. with signatures from a trusted vendor, but with NixOS it is going to obviously sign everything locally. That means that you are not protected against bootkits and a root compromise is still just as bad as ever.

I suppose in combination with LUKS you could at least prevent evil maid attacks, to the extent that your machine's firmware is actually secure, but it seems like a lot of work for just that...



To be honest, for me it boiled down to "I don't have to type in my LUKS password by hand" combined with some intellectual curiosity.

I didn't have some strong security-driven mindset behind it.

That said, I did also lock down my BIOS with a password (to prevent disabling Secure Boot).



