Fixing EFI issues after NixOS upgrades qemu/virt-manager

07 Oct, 2025

Didn't really find a quick guide for this online targetted at NixOS. So sharing what happens and what I do. I use virt-manager to manage a windows VM for testing stuff at work. virt-manager puts in absolute paths to the EFI files and when the qemu that virt-manager uses changes in the /nix/store it stops working with a message like this:

Error starting domain: operation failed: Unable to find 'efi' firmware that is compatible with the current configuration

Traceback (most recent call last):
  File "/nix/store/a2pgh3f1rhn7hsvydq0523wwx1p1rij9-virt-manager-5.1.0/share/virt-manager/virtManager/asyncjob.py", line 67, in cb_wrapper
    callback(asyncjob, *args, **kwargs)
  File "/nix/store/a2pgh3f1rhn7hsvydq0523wwx1p1rij9-virt-manager-5.1.0/share/virt-manager/virtManager/asyncjob.py", line 101, in tmpcb
    callback(*args, **kwargs)
  File "/nix/store/a2pgh3f1rhn7hsvydq0523wwx1p1rij9-virt-manager-5.1.0/share/virt-manager/virtManager/object/libvirtobject.py", line 57, in newfn
    ret = fn(self, *args, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/a2pgh3f1rhn7hsvydq0523wwx1p1rij9-virt-manager-5.1.0/share/virt-manager/virtManager/object/domain.py", line 1446, in startup
    self._backend.create()
  File "/nix/store/549fvqq50j6ldpi623xqnfprq5icnw54-python3.12-libvirt-11.4.0/lib/python3.12/site-packages/libvirt.py", line 1390, in create
    raise libvirtError('virDomainCreate() failed')
libvirt.libvirtError: operation failed: Unable to find 'efi' firmware that is compatible with the current configuration

So you need to update the paths. I do this via the "xml" overview on a VMs setting. Here is how I list the current "old" path, and how I can find out which qemu it should use:

$ sudo virsh dumpxml VMNAME --xpath os/nvram
<nvram template="/nix/store/9ayrp1prv4ddicgax7cq3y1f74bj2xdz-qemu-9.2.4/share/qemu/edk2-i386-vars.fd" templateFormat="raw" format="raw">/var/lib/libvirt/qemu/nvram/win11-2_VARS.fd</nvram>

$ sudo virsh domcapabilities --machine q35 --xpath /domainCapabilities/os/loader
<loader supported="yes">
  <value>/nix/store/0a0ws5ydxsxbfb8scx8v3psi0nad2i4b-qemu-9.2.4/share/qemu/edk2-x86_64-secure-code.fd</value>
  <value>/nix/store/0a0ws5ydxsxbfb8scx8v3psi0nad2i4b-qemu-9.2.4/share/qemu/edk2-x86_64-code.fd</value>
  <enum name="type">
    <value>rom</value>
    <value>pflash</value>
  </enum>
  <enum name="readonly">
    <value>yes</value>
    <value>no</value>
  </enum>
  <enum name="secure">
    <value>yes</value>
    <value>no</value>
  </enum>
</loader>

So in this example I updated

/nix/store/9ayrp1prv4ddicgax7cq3y1f74bj2xdz-qemu-9.2.4
to
/nix/store/0a0ws5ydxsxbfb8scx8v3psi0nad2i4b-qemu-9.2.4

There are probably ways I could automate this or have a path in the VM's XML which always points to virt-manager's view of qemu? But for now this hack gets me by.