diff --git a/nixos/tests/systemd-initrd-luks-fido2.nix b/nixos/tests/systemd-initrd-luks-fido2.nix
index e822c811cec5..002281585064 100644
--- a/nixos/tests/systemd-initrd-luks-fido2.nix
+++ b/nixos/tests/systemd-initrd-luks-fido2.nix
@@ -2,6 +2,11 @@
 {
   name = "systemd-initrd-luks-fido2";
 
+  meta = {
+    # `canokey-qemu` is marked broken.
+    broken = true;
+  };
+
   nodes.machine =
     { pkgs, config, ... }:
     {
diff --git a/pkgs/applications/virtualization/qemu/canokey-qemu.nix b/pkgs/applications/virtualization/qemu/canokey-qemu.nix
index 0ad27dd55cfb..34a9bccbeeb5 100644
--- a/pkgs/applications/virtualization/qemu/canokey-qemu.nix
+++ b/pkgs/applications/virtualization/qemu/canokey-qemu.nix
@@ -57,5 +57,10 @@ stdenv.mkDerivation rec {
     description = "CanoKey QEMU Virt Card";
     license = licenses.asl20;
     maintainers = with maintainers; [ oxalica ];
+    # Uses a four‐year‐old patched vendored version of Mbed TLS for
+    # cryptography that doesn’t build with CMake 4. Doesn’t build with
+    # gurrent versions of `canokey-core`, either. No upstream
+    # development since 2023.
+    broken = true;
   };
 }
diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix
index 7c78704ef8c6..00521e0feb27 100644
--- a/pkgs/applications/virtualization/qemu/default.nix
+++ b/pkgs/applications/virtualization/qemu/default.nix
@@ -90,7 +90,7 @@
   tpmSupport ? !minimal,
   uringSupport ? stdenv.hostPlatform.isLinux && !userOnly,
   liburing,
-  canokeySupport ? !minimal,
+  canokeySupport ? false,
   canokey-qemu,
   capstoneSupport ? !minimal,
   capstone,