nixos/uki: add bootspec extension

[Prince213]

Adds a Bootspec extension to store path to UKI files. This allows boot loaders to find UKIs as we wait for NixOS/rfcs#165.

Dependents:

• nixos/limine: switch to UKI from bzImage #413039
• nixos/systemd-boot: switch to UKI from bzImage #413077

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• Nixpkgs 25.11 Release Notes (or backporting 24.11 and 25.05 Nixpkgs Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
• NixOS 25.11 Release Notes (or backporting 24.11 and 25.05 NixOS Release notes)
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[valpackett]

At least making the same definition in my own module results in…

       error: infinite recursion encountered
       at /nix/store/1l4nm55xcq55cdp1xz3x5mfgr4c24058-source/nixos/modules/system/boot/uki.nix:84:47:
           83|           Initrd = lib.mkOptionDefault "${config.system.build.initialRamdisk}/${config.system.boot.loader.initrdFile}";
           84|           Cmdline = lib.mkOptionDefault "init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams}";
             |                                               ^
           85|           Stub = lib.mkOptionDefault "${pkgs.systemd}/lib/systemd/boot/efi/linux${efiArch}.efi.stub";

or if I also wanted to include the UKI in image.repart:

       error: infinite recursion encountered
       at /nix/store/95avhndl1r5d2a4gnkybjv6xqipnj57l-source/boot.nix:15:12:
           14|     # https://github.com/NixOS/nixpkgs/pull/413434
           15|     uki = "${config.system.build.uki}/${config.system.boot.loader.ukiFile}";
             |            ^

I already modified the systemd-boot script for #413077 but turns out we can't even get the info into the bootspec… :(

[valpackett]

Oh, so the bootspec stuff for the regular conf refers to the toplevel with placeholder "out", and it lives in the toplevel because it's a nixos module so it'll be the actual toplevel out, IIUC. uki.nix is also a nixos module so it should be changed to do

  boot.uki.settings.UKI = {
    # no config.system.build.toplevel!!
    Cmdline = lib.mkOptionDefault "init=${placeholder "out"}/init ${toString config.boot.kernelParams}";
  };

(without lib.mkOptionDefault when just doing the same in a custom config)

UPD: welp, the resulting placeholder is for -ukify.conf/ actually..

[valpackett]

I finally figured out a way to actually do it! We have to do everything inside of the toplevel systemBuilder, that's the only way to avoid recursive dependencies. We have to build the UKI itself there (instead of a pkgs.runCommand derivation that is system.build.uki), and inject the result path into the bootspec just like the boot.bootspec.writer does for other things too/.

  boot.uki.settings.UKI.Cmdline = "NOPE"; # get the toplevel $out substitution in systemBuilderCommands

  system.systemBuilderCommands = ''
    ${pkgs.buildPackages.systemdUkify}/lib/systemd/ukify build \
      --config=${config.boot.uki.configFile} \
      --cmdline="init=$out/init ${toString config.boot.kernelParams}" \
      --output="$out/${config.system.boot.loader.ukiFile}"
  '';

  system.extraSystemBuilderCmds = ''
    ${pkgs.buildPackages.jq}/bin/jq \
      ".\"org.nixos.uki\".uki = \"$out/${config.system.boot.loader.ukiFile}\"" \
      <$out/boot.json >$out/boot.json.tmp && mv $out/boot.json.tmp $out/boot.json
  '';

This actually results in working paths:

❯ ls -la result
lrwxrwxrwx 1 val val 86 Jul 25 15:41 result@ -> /nix/store/4wrbkf06sf2i9zvns71m067nq4k53047-nixos-system-owo-25.11pre-git
❯ jaq '."org.nixos.uki"' result/boot.json
{
  "uki": "/nix/store/4wrbkf06sf2i9zvns71m067nq4k53047-nixos-system-owo-25.11pre-git/nixos.efi"
}
❯ bootctl kernel-inspect result/nixos.efi
Kernel Type: uki
    Cmdline: init=/nix/store/4wrbkf06sf2i9zvns71m067nq4k53047-nixos-system-owo-25.11pre-git/init console=tty1 root=fstab loglevel=4 lsm=landlock,yama,bpf