The option `virtualisation.useSecureBoot' does not exist

I’m trying to enable secure boot for a qemu vm. Secure boot support in the OVMF package is enabled by setting virtualisation.useSecureBoot = true, but doing so gives me an error.

➜ sudo nixos-rebuild build --flake .#machine
building the system configuration...
error:
       … while calling the 'seq' builtin
         at /nix/store/l98x43ylm65fckcml3fmcsxlyf748qkc-source/lib/modules.nix:360:18:
          359|         options = checked options;
          360|         config = checked (removeAttrs config [ "_module" ]);
             |                  ^
          361|         _module = checked (config._module);

       … while calling the 'throw' builtin
         at /nix/store/l98x43ylm65fckcml3fmcsxlyf748qkc-source/lib/modules.nix:332:13:
          331|           else
          332|             throw baseMsg
             |             ^
          333|         else

       error: The option `virtualisation.useSecureBoot' does not exist. Definition values:
       - In `/nix/store/faw2g2ba015yd94wagqgamaqg9qb27dk-source/machine.nix': true
Command 'nix --extra-experimental-features 'nix-command flakes' build --print-out-paths '.#nixosConfigurations."machine".config.system.build.toplevel'' returned non-zero exit status 1.

According to search.nixos.org, the option should definitely exist.

I can even reproduce this error with an absolutely minimal flake. Am I missing something obvious here? Is something else on my machine broken?

flake.nix:

{
  description = "A very basic flake";

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
  };

  outputs = { self, nixpkgs }: {
    nixosConfigurations.machine = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        ./machine.nix
      ];
    };
  };
}

machine.nix:

{
  inputs,
  flake,
  config,
  pkgs,
  lib,
  ...
}:

{
  imports = [
    ./hardware-configuration.nix
  ];

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "test";

  users.users.test = {
    isNormalUser = true;
    home = "/home/test";
  };

  virtualisation.useSecureBoot = true;
  
  system.stateVersion = "25.05";
}

flake.lock:

{
  "nodes": {
    "nixpkgs": {
      "locked": {
        "lastModified": 1754498491,
        "narHash": "sha256-erbiH2agUTD0Z30xcVSFcDHzkRvkRXOQ3lb887bcVrs=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "c2ae88e026f9525daf89587f3cbee584b92b6134",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "nixpkgs": "nixpkgs"
      }
    }
  },
  "root": "root",
  "version": 7
}

I can reproduce both on my config as well as on your ‘demo’. But I don’t have an answer :wink:

The file that defines that option is only imported in a submodule that replicates the main config for the purposes of nixos-rebuild build-vm. So the option doesn’t exist in the main config. You can set them in the submodule, though, by putting them under virtualisation.vmVariant and virtualisation.vmVariantWithBootLoader.

1 Like
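The fix described in the reply above, written out as an added example (not code posted by anyone in this thread). It reuses the question's `machine.nix`; the `secureBootVm` name and the `virtualisation.useEFIBoot` line are assumptions added for illustration.

```nix
# machine.nix (added example; values follow the question's demo)
{ ... }:

let
  # Options from the QEMU VM module exist only inside the VM variants,
  # so they are collected once here and applied to both variants below.
  # `secureBootVm` is a hypothetical name.
  secureBootVm = {
    # Assumption: EFI boot is switched on so the VM starts through OVMF.
    virtualisation.useEFIBoot = true;
    # Selects an OVMF build with Secure Boot support. Key enrolment and
    # signed boot binaries are separate steps that this option does not do.
    virtualisation.useSecureBoot = true;
  };
in
{
  imports = [ ./hardware-configuration.nix ];

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "test";

  users.users.test = {
    isNormalUser = true;
    home = "/home/test";
  };

  # Used by `nixos-rebuild build-vm`.
  virtualisation.vmVariant = secureBootVm;
  # Used by `nixos-rebuild build-vm-with-bootloader`.
  virtualisation.vmVariantWithBootLoader = secureBootVm;

  system.stateVersion = "25.05";
}
```

To confirm the setting landed in the variant rather than the main config, evaluate `.#nixosConfigurations.machine.config.virtualisation.vmVariant.virtualisation.useSecureBoot` with `nix eval`; it should return `true`.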

It’s the oldest footgun of NixOS, see:

nixos: add boot.isVM option by rnhmjoj · Pull Request #390897 · NixOS/nixpkgs · GitHub

3 Likes