min
/
lanzaboote
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Properly handle fwupd update capsules 

Closes #85
This commit is contained in:
Janne Heß 2023-02-21 21:03:06 +01:00
parent 5af69f0d63
commit 048df99975
No known key found for this signature in database
GPG Key ID: 69165158F05265DF
2 changed files with 30 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
README.md
View File

@ -70,7 +70,7 @@ sign all configurations that should be bootable.
`lzbt` lives in `rust/tool`. `lzbt` lives in `rust/tool`.
### Stub ### Stub
When the Linux kernel and initrd are packed into a UKI, they need an When the Linux kernel and initrd are packed into a UKI, they need an
UEFI application stub. This role is typically filled by UEFI application stub. This role is typically filled by
@ -89,6 +89,11 @@ the initrd into the signed UKI.
The stub lives in `rust/stub`. The stub lives in `rust/stub`.
### Fwupd
When both Lanzaboote and `services.fwupd` are enabled, `fwupd.service` will get a `preStart` that
ensures a signed fwupd binary in /run that fwupd will use.
## State of Upstreaming to Nixpkgs ## State of Upstreaming to Nixpkgs
Secure Boot is available as an Nixpkgs out-of-tree feature using the Secure Boot is available as an Nixpkgs out-of-tree feature using the

25
nix/modules/lanzaboote.nix
View File

@ -13,6 +13,10 @@ let
timeout ${toString timeout} timeout ${toString timeout}
console-mode ${config.boot.loader.systemd-boot.consoleMode} console-mode ${config.boot.loader.systemd-boot.consoleMode}
''; '';
# This is the fwupd-efi package. We need to get it this way because a user might override services.fwupd.package,
# which may cause pkgs.fwupd-efi to be a different package than what the fwupd package has as dependency.
fwupd-efi = builtins.head (builtins.filter (x: x.pname == "fwupd-efi") config.services.fwupd.package.buildInputs);
in in
{ {
options.boot.lanzaboote = { options.boot.lanzaboote = {
@ -63,7 +67,7 @@ in
cp -r ${cfg.pkiBundle}/* /tmp/pki cp -r ${cfg.pkiBundle}/* /tmp/pki
${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine ${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine
''} ''}
${cfg.package}/bin/lzbt install \ ${cfg.package}/bin/lzbt install \
--systemd ${config.systemd.package} \ --systemd ${config.systemd.package} \
--systemd-boot-loader-config ${systemdBootLoaderConfig} \ --systemd-boot-loader-config ${systemdBootLoaderConfig} \
@ -74,5 +78,24 @@ in
/nix/var/nix/profiles/system-*-link /nix/var/nix/profiles/system-*-link
''; '';
}; };
systemd.services.fwupd = lib.mkIf config.services.fwupd.enable {
# Tell fwupd to load its efi files from /run
environment.FWUPD_EFIAPPDIR = "/run/fwupd-efi";
serviceConfig.RuntimeDirectory = "fwupd-efi";
# Place the fwupd efi files in /run and sign them
preStart = ''
cp ${fwupd-efi}/libexec/fwupd/efi/fwupd*.efi /run/fwupd-efi/
${pkgs.sbsigntool}/bin/sbsign --key '${cfg.privateKeyFile}' --cert '${cfg.publicKeyFile}' /run/fwupd-efi/fwupd*.efi
'';
};
# Disable support for the shim since we sign the binaries directly
environment.etc."fwupd/uefi_capsule.conf" = lib.mkIf config.services.fwupd.enable {
text = ''
[uefi_capsule]
DisableShimForSecureBoot=true
'';
};
}; };
} }