lanzaboote/nix/lanzaboote.nix

{ lib, config, pkgs, ... }: 
with lib;
let
  cfg = config.boot.lanzaboote;
  sbctlWithPki = pkgs.sbctl.override {
    databasePath = "/tmp/pki";
  };
in
{
  options.boot.lanzaboote = {
    enable = mkEnableOption "Enable the LANZABOOTE";
    enrollKeys = mkEnableOption "Automatic enrollment of the keys using sbctl";
    pkiBundle = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = "PKI bundle containg db, PK, KEK";
    };
    publicKeyFile = mkOption {
      type = types.path;
      default = if cfg.pkiBundle != null then "${cfg.pkiBundle}/keys/db/db.pem" else null;
      description = "Public key to sign your boot files";
    };
    privateKeyFile = mkOption {
      type = types.path;
      default = if cfg.pkiBundle != null then "${cfg.pkiBundle}/keys/db/db.key" else null;
      description = "Private key to sign your boot files";
    };
    package = mkOption {
      type = types.package;
      default = pkgs.lanzatool;
      description = "Lanzatool package";
    };
  };

  config = mkIf cfg.enable {
    boot.loader.external = {
      enable = true;
      passBootspec = true;
      installHook = "${pkgs.writeShellScriptBin "bootinstall" ''
          ${optionalString cfg.enrollKeys ''
            mkdir -p /tmp/pki
            cp -r ${cfg.pkiBundle}/* /tmp/pki
            ${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine
          ''}
        ${cfg.package}/bin/lanzatool install --pki-bundle ${cfg.pkiBundle} --public-key ${cfg.publicKeyFile} --private-key ${cfg.privateKeyFile} "$@"
      ''}/bin/bootinstall";
      # ${cfg.package}/bin/lanzatool install ${optionalString cfg.enrollKeys "--auto-enroll"} --pki-bundle ${cfg.pkiBundle}
    };
  };
}
nixos: add a lanzaboote module - Wire up things with Bootspec & External bootloaders - Introduce SecureBoot keys 2022-11-23 04:59:54 -06:00			`{ lib, config, pkgs, ... }:`
nixos: add a lanzaboote module 2022-11-23 04:59:54 -06:00			`with lib;`
			`let`
			`cfg = config.boot.lanzaboote;`
nixos: actually enable sb 2022-11-24 09:59:16 -06:00			`sbctlWithPki = pkgs.sbctl.override {`
			`databasePath = "/tmp/pki";`
			`};`
nixos: add a lanzaboote module 2022-11-23 04:59:54 -06:00			`in`
			`{`
			`options.boot.lanzaboote = {`
			`enable = mkEnableOption "Enable the LANZABOOTE";`
nixos: actually enable sb 2022-11-24 09:59:16 -06:00			`enrollKeys = mkEnableOption "Automatic enrollment of the keys using sbctl";`
nixos: add a lanzaboote module - Wire up things with Bootspec & External bootloaders - Introduce SecureBoot keys 2022-11-23 04:59:54 -06:00			`pkiBundle = mkOption {`
			`type = types.nullOr types.path;`
			`default = null;`
			`description = "PKI bundle containg db, PK, KEK";`
			`};`
			`publicKeyFile = mkOption {`
			`type = types.path;`
nixos: actually enable sb 2022-11-24 09:59:16 -06:00			`default = if cfg.pkiBundle != null then "${cfg.pkiBundle}/keys/db/db.pem" else null;`
nixos: add a lanzaboote module - Wire up things with Bootspec & External bootloaders - Introduce SecureBoot keys 2022-11-23 04:59:54 -06:00			`description = "Public key to sign your boot files";`
			`};`
			`privateKeyFile = mkOption {`
			`type = types.path;`
nixos: actually enable sb 2022-11-24 09:59:16 -06:00			`default = if cfg.pkiBundle != null then "${cfg.pkiBundle}/keys/db/db.key" else null;`
nixos: add a lanzaboote module - Wire up things with Bootspec & External bootloaders - Introduce SecureBoot keys 2022-11-23 04:59:54 -06:00			`description = "Private key to sign your boot files";`
			`};`
			`package = mkOption {`
			`type = types.package;`
			`default = pkgs.lanzatool;`
			`description = "Lanzatool package";`
			`};`
nixos: add a lanzaboote module 2022-11-23 04:59:54 -06:00			`};`

			`config = mkIf cfg.enable {`
			`boot.loader.external = {`
			`enable = true;`
nixos: add a lanzaboote module - Wire up things with Bootspec & External bootloaders - Introduce SecureBoot keys 2022-11-23 04:59:54 -06:00			`passBootspec = true;`
nixos: actually enable sb 2022-11-24 09:59:16 -06:00			`installHook = "${pkgs.writeShellScriptBin "bootinstall" ''`
nixos: enrollment is optional 2022-11-25 04:29:56 -06:00			`${optionalString cfg.enrollKeys ''`
			`mkdir -p /tmp/pki`
			`cp -r ${cfg.pkiBundle}/* /tmp/pki`
			`${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine`
			`''}`
nixos: disable it and adapt it 2022-11-24 10:09:51 -06:00			`${cfg.package}/bin/lanzatool install --pki-bundle ${cfg.pkiBundle} --public-key ${cfg.publicKeyFile} --private-key ${cfg.privateKeyFile} "$@"`
nixos: actually enable sb 2022-11-24 09:59:16 -06:00			`''}/bin/bootinstall";`
			`# ${cfg.package}/bin/lanzatool install ${optionalString cfg.enrollKeys "--auto-enroll"} --pki-bundle ${cfg.pkiBundle}`
nixos: add a lanzaboote module 2022-11-23 04:59:54 -06:00			`};`
			`};`
			`}`