diff --git a/modules/flash-script.nix b/modules/flash-script.nix
index f9c64125..2d4423d2 100644
--- a/modules/flash-script.nix
+++ b/modules/flash-script.nix
@@ -24,6 +24,13 @@ in
 firmware = {
 autoUpdate = lib.mkEnableOption "automatic updates for Jetson firmware";
+ bootOrder = mkOption {
+ # https://github.com/NVIDIA/edk2-nvidia/blob/71fc2f6de48f3e9f01214b4e9464dd03620b876b/Silicon/NVIDIA/Library/PlatformBootOrderLib/PlatformBootOrderLib.c#L26
+ type = types.nullOr (types.listOf (types.enum [ "scsi" "usb" "sata" "pxev4" "httpv4" "pxev6" "httpv6" "nvme" "ufs" "sd" "emmc" "cdrom" "boot.img" "virtual" "shell" ]));
+ default = null;
+ description = "The default boot order";
+ };
+
 uefi = {
 logo = mkOption {
 type = types.nullOr types.path;
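Review bot: The new `bootOrder` option accepts an empty list, and the `!= null` guard in the second hunk lets `[]` through, so the overlay ends up carrying an empty `DefaultBootPriority` string rather than "no override"; `type = types.nullOr (types.nonEmptyListOf (types.enum [ ... ]));` rejects that at evaluation time instead. The `description` also says only "The default boot order", which hides the two facts a user needs: that the list is comma-joined into the UEFI `DefaultBootPriority` variable through a DTB overlay at flash time, and that the overlay marks the variable `locked`. Something like `description = "UEFI boot order written to the DefaultBootPriority variable via a DTB overlay at flash time and locked there; entries must be device classes known to edk2-nvidia's PlatformBootOrderLib (see link above). null leaves the firmware default untouched.";` would do; whether the first entry is the highest priority is not established by the linked table, so confirm before stating it. The enclosing `firmware` attribute set continues past both ends of the hunk.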
@@ -285,15 +292,23 @@ in
 [ cfg.flashScriptOverrides.configFileName "mmcblk0p1" ] );
- hardware.nvidia-jetpack.flashScriptOverrides.additionalDtbOverlays = let
- uefiDefaultKeysDtbo = pkgs.runCommand "UefiDefaultSecurityKeys.dtbo" { nativeBuildInputs = with pkgs.buildPackages; [ dtc ]; } ''
- export pkDefault=$(od -t x1 -An "${cfg.firmware.uefi.secureBoot.defaultPkEslFile}")
- export kekDefault=$(od -t x1 -An "${cfg.firmware.uefi.secureBoot.defaultKekEslFile}")
- export dbDefault=$(od -t x1 -An "${cfg.firmware.uefi.secureBoot.defaultDbEslFile}")
- substituteAll ${./uefi-default-keys.dts} keys.dts
- dtc -I dts -O dtb keys.dts -o $out
- '';
- in lib.optional cfg.firmware.uefi.secureBoot.enrollDefaultKeys uefiDefaultKeysDtbo;
+ hardware.nvidia-jetpack.flashScriptOverrides.additionalDtbOverlays =
+ let
+ bootOrder = pkgs.runCommand "DefaultBootOrder.dtbo" { nativeBuildInputs = with pkgs.buildPackages; [ dtc ]; } ''
+ export bootOrder=${lib.concatStringsSep "," cfg.firmware.bootOrder}
+ substituteAll ${./uefi-boot-order.dts} keys.dts
+ dtc -I dts -O dtb keys.dts -o $out
+ '';
+ uefiDefaultKeysDtbo = pkgs.runCommand "UefiDefaultSecurityKeys.dtbo" { nativeBuildInputs = with pkgs.buildPackages; [ dtc ]; } ''
+ export pkDefault=$(od -t x1 -An "${cfg.firmware.uefi.secureBoot.defaultPkEslFile}")
+ export kekDefault=$(od -t x1 -An "${cfg.firmware.uefi.secureBoot.defaultKekEslFile}")
+ export dbDefault=$(od -t x1 -An "${cfg.firmware.uefi.secureBoot.defaultDbEslFile}")
+ substituteAll ${./uefi-default-keys.dts} keys.dts
+ dtc -I dts -O dtb keys.dts -o $out
+ '';
+ in
+ (lib.optional (cfg.firmware.bootOrder != null) bootOrder) ++
+ (lib.optional cfg.firmware.uefi.secureBoot.enrollDefaultKeys uefiDefaultKeysDtbo);
 hardware.nvidia-jetpack.flashScriptOverrides.fuseArgs = lib.mkAfter [ cfg.flashScriptOverrides.configFileName ];
diff --git a/modules/uefi-boot-order.dts b/modules/uefi-boot-order.dts
new file mode 100644
index 00000000..88c4e5e3
--- /dev/null
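Review bot: The `bootOrder` derivation writes its intermediate source to `keys.dts`, a name copied from the security-keys derivation below it, which misleads anyone reading a failed build log; `substituteAll ${./uefi-boot-order.dts} boot-order.dts` and `dtc -I dts -O dtb boot-order.dts -o $out` say what the file is. The `export bootOrder=${lib.concatStringsSep "," cfg.firmware.bootOrder}` line splices the joined list into the builder script unquoted, which is only safe because the option type in the first hunk is an enum of fixed device names; a comment such as `# safe to interpolate unquoted: the option type restricts entries to a fixed enum` would keep that coupling visible if the type is ever loosened. Nix laziness is what keeps `concatStringsSep` from being evaluated on `null` (the derivation is only forced when the `!= null` guard passes), and that also deserves a one-line comment since it is not obvious from reading the `let`.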
+++ b/modules/uefi-boot-order.dts
@@ -0,0 +1,28 @@
+/dts-v1/;
+/plugin/;
+
+/ {
+ overlay-name = "UEFI Boot order";
+
+ fragment@0 {
+ target-path = "/";
+ board_config {
+ sw-modules = "uefi";
+ };
+
+ __overlay__ {
+ firmware {
+ uefi {
+ variables {
+ gNVIDIATokenSpaceGuid {
+ DefaultBootPriority {
+ data = "@bootOrder@";
+ locked;
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+};
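Review bot: The new overlay has no comment tying `@bootOrder@` to its origin or explaining `locked;`, so a reader of this file alone cannot tell that the placeholder is a build-time `substituteAll` token rather than a literal UEFI value. A header comment along the lines of `/* Built into DefaultBootOrder.dtbo by modules/flash-script.nix; @bootOrder@ is replaced at build time with the comma-separated cfg.firmware.bootOrder list. */` would fix that, and `locked;` deserves `/* presumably prevents the variable from being changed at runtime; confirm against edk2-nvidia */` since its exact effect is not established by this diff. The `board_config { sw-modules = "uefi"; }` node sits outside `__overlay__`, which presumably mirrors `uefi-default-keys.dts` (not in this diff); if so, a comment saying so would stop the next reader from treating it as a mistake.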