Comment by jeroenhd

8 hours ago

I've seen laptops stuck in a weird state. Most likely, Fujitsu didn't bother to test turning off secure boot once they received the BIOS they bought, and fixed the toggle in a firmware update.

Linux boots fine using standard secure boot, so if it refused it's either NixOS using an unsigned bootloader (which is surprising to me) or secure boot just being bugged to hell.

Another option is that NixOS uses secure boot but uses a signature that's too recent: one of the secure boot CAs is expiring soon, and an old BIOS may not carry the new key if NixOS opts to sign their bootloader with the latest key. This issue doesn't just affect Linux; certain Windows images won't boot on older devices either if this mismatch happens.

My bet is on NVRAM getting into a weird state or a buggy BIOS. That's the most obvious thing that would get fixed by updating the BIOS.