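{ lib, config, pkgs, ... }:

with lib;

let
  cfg = config.boot.lanzaboote;

  # sbctl's key-database location is baked in at build time through this
  # override, so the install hook has to stage the PKI bundle (including the
  # private keys) at exactly this path before calling `sbctl enroll-keys`.
  # The path is under world-writable /tmp; the hook guards its creation and
  # removes the staged copy again when it exits.
  sbctlPkiDir = "/tmp/pki";

  sbctlWithPki = pkgs.sbctl.override {
    databasePath = sbctlPkiDir;
  };

  # `null` (the option default, meaning "no limit") is passed to lzbt as 0.
  configurationLimit = if cfg.configurationLimit == null then 0 else cfg.configurationLimit;

  # A null NixOS loader timeout is written to loader.conf as 0.
  timeout = if config.boot.loader.timeout == null then 0 else config.boot.loader.timeout;

  # systemd-boot loader.conf handed to lzbt. Only `timeout` and
  # `console-mode` are carried over from the NixOS systemd-boot options.
  systemdBootLoaderConfig = pkgs.writeText "loader.conf" ''
    timeout ${toString timeout}
    console-mode ${config.boot.loader.systemd-boot.consoleMode}
  '';
in
{
  options.boot.lanzaboote = {
    # mkEnableOption prefixes "Whether to enable", so the text must not
    # itself start with "Enable".
    enable = mkEnableOption "lanzaboote";

    enrollKeys = mkEnableOption "automatic enrollment of the keys using sbctl";

    configurationLimit = mkOption {
      default = null;
      example = 120;
      type = types.nullOr types.int;
      description = lib.mdDoc ''
        Maximum number of latest generations in the boot menu.
        Useful to prevent boot partition running out of disk space.
        `null` means no limit i.e. all generations
        that were not garbage collected yet.
      '';
    };

    pkiBundle = mkOption {
      type = types.nullOr types.path;
      description = lib.mdDoc ''
        PKI bundle containing db, PK, KEK.

        Give this as a string (`"/…"`), not as a Nix path literal (`/…`):
        a path literal is copied into the Nix store when it is interpolated
        into the install hook and the key-file defaults below, which would
        make the private keys in the bundle world-readable.
      '';
    };

    publicKeyFile = mkOption {
      type = types.path;
      default = "${cfg.pkiBundle}/keys/db/db.pem";
      description = "Public key to sign your boot files";
    };

    privateKeyFile = mkOption {
      type = types.path;
      default = "${cfg.pkiBundle}/keys/db/db.key";
      description = lib.mdDoc ''
        Private key to sign your boot files.

        As with `pkiBundle`, pass a string rather than a path literal so the
        key is never copied into the world-readable Nix store.
      '';
    };

    package = mkOption {
      type = types.package;
      default = pkgs.lzbt;
      description = "Lanzaboote tool (lzbt) package";
    };
  };

  config = mkIf cfg.enable {
    # Bootspec documents are required; presumably consumed by the lzbt
    # invocation below, which is handed the system profile links.
    boot.bootspec = {
      enable = true;
    };

    boot.loader.supportsInitrdSecrets = true;

    boot.loader.external = {
      enable = true;

      installHook = pkgs.writeShellScript "bootinstall" ''
        # writeShellScript does not set these; without them a failed key copy
        # or enrollment would not stop the install from continuing.
        set -euo pipefail

        ${optionalString cfg.enrollKeys ''
          # Stage the bundle for sbctl at its build-time database path.
          # Because that path is in /tmp, never trust what is already there:
          # drop any existing entry (a directory or symlink could be owned by
          # another user), create the directory 0700 without -p so that an
          # entry racing in between makes mkdir fail and abort the script,
          # and remove the private-key copy again on exit.
          rm -rf ${sbctlPkiDir}
          mkdir -m 0700 ${sbctlPkiDir}
          trap 'rm -rf ${sbctlPkiDir}' EXIT
          cp -r ${cfg.pkiBundle}/* ${sbctlPkiDir}

          # Enrolls the staged keys into firmware. The flag name is sbctl's
          # own warning: enrolling the wrong keys can leave the machine
          # unbootable, so only enable `enrollKeys` with the firmware in
          # Setup Mode and a recovery path at hand.
          ${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine
        ''}

        ${cfg.package}/bin/lzbt install \
          --systemd ${pkgs.systemd} \
          --systemd-boot-loader-config ${systemdBootLoaderConfig} \
          --public-key ${cfg.publicKeyFile} \
          --private-key ${cfg.privateKeyFile} \
          --configuration-limit ${toString configurationLimit} \
          ${config.boot.loader.efi.efiSysMountPoint} \
          /nix/var/nix/profiles/system-*-link
      '';
    };
  };
}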