When boot.lanzaboote.enable = true; the Xen boot entries (generated by virtualisation.xen.enable = true;) are not included in the boot menu, and their corresponding EFI binaries are removed from /boot/EFI/nixos/.
virtualisation.xen.enable = true; and boot.lanzaboote.enable = false;
saya@Gamma ~> nixos-rebuild switch --sudo --flake ~/Projects/nixos
building the system configuration...
Checking switch inhibitors... done
Installing Xen Project Hypervisor boot entries...done.
activating the configuration...
reloading user units for saya...
restarting sysinit-reactivation.target
the following new units were started: run-keys.mount, sysinit-reactivation.target, systemd-tmpfiles-resetup.service, xendomains.service
Done. The new configuration is /nix/store/kdyi1shjbchqw7k61dkn8m5p7i0g3179-nixos-system-Gamma-26.05.20260102.fb7944c
saya@Gamma ~> sudo tree /boot
/boot
├── EFI
│   ├── BOOT
│   │   └── BOOTX64.EFI
│   ├── Linux
│   │   └── nixos-generation-1-dxezq5w47agoeezoijt4g7w57sjvlv7gvs7lv77zbzhc2yo75d5q.efi
│   ├── nixos
│   │   ├── 0mnwlryk444asm44qngihs8sqbds1gmg-linux-6.18.3-bzImage.efi
│   │   ├── 87b7fx2ggfsm6apn52hy2ggg9p9xk8yd-initrd-linux-6.18.3-initrd.efi
│   │   └── xen-generation-1.efi
│   └── systemd
│       └── systemd-bootx64.efi
└── loader
    ├── entries
    │   ├── nixos-generation-1.conf
    │   └── xen-generation-1.conf
    ├── entries.srel
    ├── keys
    ├── loader.conf
    └── random-seed

9 directories, 11 files
saya@Gamma ~>
virtualisation.xen.enable = true; and boot.lanzaboote.enable = true;
saya@Gamma ~> nixos-rebuild switch --sudo --flake ~/Projects/nixos
building the system configuration...
Checking switch inhibitors... done
Installing Lanzaboote to "/boot"...
Collecting garbage...
Successfully installed Lanzaboote.
activating the configuration...
reloading user units for saya...
restarting sysinit-reactivation.target
Done. The new configuration is /nix/store/4bpqcbf7qxkdj36cpya81hgqi70ix6q7-nixos-system-Gamma-26.05.20260102.fb7944c
saya@Gamma ~> sudo tree /boot
/boot
├── EFI
│   ├── BOOT
│   │   └── BOOTX64.EFI
│   ├── Linux
│   │   ├── nixos-generation-1-jhfbl2dyv67pjewzry3t6qtcpwgdrqs665bpqqlik4mk4ahwu7ca.efi
│   │   └── nixos-generation-2-dxezq5w47agoeezoijt4g7w57sjvlv7gvs7lv77zbzhc2yo75d5q.efi
│   ├── nixos
│   │   ├── initrd-6.18.3-yo3n4blfo3suhtux3ofxhdnkpw3bmfho5zbya2x7wb3orc75imoa.efi
│   │   └── kernel-6.18.3-4gxwufe7pyges3lr6ari24vq75gnsoxio6yib3qwqwqosubjroya.efi
│   └── systemd
│       └── systemd-bootx64.efi
└── loader
    ├── entries
    │   ├── nixos-generation-1.conf
    │   └── xen-generation-1.conf
    ├── entries.srel
    ├── keys
    ├── loader.conf
    └── random-seed

9 directories, 11 files
saya@Gamma ~>
I noticed that /boot/EFI/nixos/xen-generation-1.efi has been deleted.
Expected Behavior
- Recognize and sign the Xen EFI stub (if compatible with its Secure Boot logic).
- At least allow the standard NixOS Xen installation logic to persist alongside Lanzaboote's generated EFI, ensuring Xen remains functional (even if it is not automatically signed by the Lanzaboote toolchain).
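A small check for the state this report describes, added here as an example (it is not code from the issue, from Lanzaboote or from NixOS): it walks the systemd-boot entries on an ESP, reports any entry whose referenced EFI image is missing (the second tree above has xen-generation-1.conf in loader/entries but no xen-generation-1.efi under EFI/nixos), and, when sbverify from sbsigntools is available, reports whether each present image carries an Authenticode signature. The entry keywords efi and linux come from the systemd-boot entry format; the ESP path /boot is only the default taken from the listings above, and the behaviour of sbverify --list on an unsigned image is an assumption noted in the code.

```shell
#!/bin/sh
# Added example for this report (not Lanzaboote's or NixOS' own code).
# Walks <esp>/loader/entries/*.conf, flags entries whose EFI image is
# missing from the ESP, and reports the signature state of present images.
set -u

# Print the EFI images an entry refers to. systemd-boot entries use
# "efi <path>" for chainloaded images such as Xen and "linux <path>" for
# kernel images; both paths are relative to the ESP root.
entry_binaries() {
  awk '$1 == "efi" || $1 == "linux" { print $2 }' "$1"
}

# Report "signed", "unsigned" or "unknown" (sbverify not installed).
# Assumption: sbverify --list exits non-zero when no signature table is present.
signature_state() {
  if ! command -v sbverify >/dev/null 2>&1; then
    echo unknown
  elif sbverify --list "$1" >/dev/null 2>&1; then
    echo signed
  else
    echo unsigned
  fi
}

# Check every entry under <esp>/loader/entries. Prints one line per
# referenced image and returns 1 if any image is missing, 0 otherwise.
check_esp() {
  esp=$1
  rc=0
  for entry in "$esp"/loader/entries/*.conf; do
    [ -f "$entry" ] || continue
    for bin in $(entry_binaries "$entry"); do
      path="$esp/${bin#/}"
      if [ -f "$path" ]; then
        printf 'OK       %-28s %s (%s)\n' "${entry##*/}" "$bin" "$(signature_state "$path")"
      else
        printf 'MISSING  %-28s %s\n' "${entry##*/}" "$bin"
        rc=1
      fi
    done
  done
  return $rc
}

# Usage: sudo sh check-esp.sh /boot   (the ESP is normally root-only)
[ -z "${1:-}" ] || check_esp "$1"
```

Run against the second configuration above, the script would print a MISSING line for xen-generation-1.conf and exit 1, which makes the regression easy to catch from a post-activation hook or a CI job rather than at the boot menu.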