lanzaboote/nix/lanzaboote.nix

{ lib, config, pkgs, ... }: 
with lib;
let
  cfg = config.boot.lanzaboote;
in
{
  options.boot.lanzaboote = {
    enable = mkEnableOption "Enable the LANZABOOTE";
    enrollKeys = mkEnableOption "Automatic enrollment of the keys";
    pkiBundle = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = "PKI bundle containg db, PK, KEK";
    };
    publicKeyFile = mkOption {
      type = types.path;
      default = if cfg.pkiBundle != null then "${cfg.pkiBundle}/db/db.pem" else null;
      description = "Public key to sign your boot files";
    };
    privateKeyFile = mkOption {
      type = types.path;
      default = if cfg.pkiBundle != null then "${cfg.pkiBundle}/db/db.key" else null;
      description = "Private key to sign your boot files";
    };
    package = mkOption {
      type = types.package;
      default = pkgs.lanzatool;
      description = "Lanzatool package";
    };
  };

  config = mkIf cfg.enable {
    boot.loader.external = {
      enable = true;
      passBootspec = true;
      installHook = if cfg.pkiBundle != null
      then "${cfg.package}/bin/lanzatool install ${optionalString cfg.enrollKeys "--autoenroll"} --pki-bundle ${cfg.pkiBundle}"
      else "${cfg.package}/bin/lanzatool install --public-key ${cfg.publicKeyFile} --private-key ${cfg.privateKeyFile}";
    };
  };
}
nixos: add a lanzaboote module - Wire up things with Bootspec & External bootloaders - Introduce SecureBoot keys 2022-11-23 05:59:54 -05:00			`{ lib, config, pkgs, ... }:`
nixos: add a lanzaboote module 2022-11-23 05:59:54 -05:00			`with lib;`
			`let`
			`cfg = config.boot.lanzaboote;`
			`in`
			`{`
			`options.boot.lanzaboote = {`
			`enable = mkEnableOption "Enable the LANZABOOTE";`
nixos: add a lanzaboote module - Wire up things with Bootspec & External bootloaders - Introduce SecureBoot keys 2022-11-23 05:59:54 -05:00			`enrollKeys = mkEnableOption "Automatic enrollment of the keys";`
			`pkiBundle = mkOption {`
			`type = types.nullOr types.path;`
			`default = null;`
			`description = "PKI bundle containg db, PK, KEK";`
			`};`
			`publicKeyFile = mkOption {`
			`type = types.path;`
			`default = if cfg.pkiBundle != null then "${cfg.pkiBundle}/db/db.pem" else null;`
			`description = "Public key to sign your boot files";`
			`};`
			`privateKeyFile = mkOption {`
			`type = types.path;`
			`default = if cfg.pkiBundle != null then "${cfg.pkiBundle}/db/db.key" else null;`
			`description = "Private key to sign your boot files";`
			`};`
			`package = mkOption {`
			`type = types.package;`
			`default = pkgs.lanzatool;`
			`description = "Lanzatool package";`
			`};`
nixos: add a lanzaboote module 2022-11-23 05:59:54 -05:00			`};`

			`config = mkIf cfg.enable {`
			`boot.loader.external = {`
			`enable = true;`
nixos: add a lanzaboote module - Wire up things with Bootspec & External bootloaders - Introduce SecureBoot keys 2022-11-23 05:59:54 -05:00			`passBootspec = true;`
			`installHook = if cfg.pkiBundle != null`
			`then "${cfg.package}/bin/lanzatool install ${optionalString cfg.enrollKeys "--autoenroll"} --pki-bundle ${cfg.pkiBundle}"`
			`else "${cfg.package}/bin/lanzatool install --public-key ${cfg.publicKeyFile} --private-key ${cfg.privateKeyFile}";`
nixos: add a lanzaboote module 2022-11-23 05:59:54 -05:00			`};`
			`};`
			`}`