From 2148cb06abe4a4513058ebd8617d5b7e4fc93b64 Mon Sep 17 00:00:00 2001
From: Raito Bezarius
Date: Thu, 24 Nov 2022 16:59:16 +0100
Subject: [PATCH] nixos: actually enable sb
---
 flake.nix | 5 +++--
 nix/lanzaboote.nix | 19 +++++++++++++------
 2 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/flake.nix b/flake.nix
index 92a8ea8..d526fb1 100644
--- a/flake.nix
+++ b/flake.nix
@@ -153,6 +153,7 @@
 databasePath = "pki";
 })
 pkgs.sbsigntool
+ pkgs.efitools
 ];
 
 inputsFrom = [
@@ -175,7 +176,7 @@
 virtualisation = {
 useBootLoader = true;
 useEFIBoot = true;
- # useSecureBoot = true;
+ useSecureBoot = true;
 };
 
 boot.loader.efi = {
@@ -185,7 +186,7 @@
 boot.lanzaboote = {
 enable = true;
 enrollKeys = true;
- pkiBundle = ./pki/keys;
+ pkiBundle = ./pki;
 package = lanzatool;
 };
 };
diff --git a/nix/lanzaboote.nix b/nix/lanzaboote.nix
index 1851a7d..08667b2 100644
--- a/nix/lanzaboote.nix
+++ b/nix/lanzaboote.nix
@@ -2,11 +2,14 @@
 with lib;
 let
 cfg = config.boot.lanzaboote;
+ sbctlWithPki = pkgs.sbctl.override {
+ databasePath = "/tmp/pki";
+ };
 in
 {
 options.boot.lanzaboote = {
 enable = mkEnableOption "Enable the LANZABOOTE";
- enrollKeys = mkEnableOption "Automatic enrollment of the keys";
+ enrollKeys = mkEnableOption "Automatic enrollment of the keys using sbctl";
 pkiBundle = mkOption {
 type = types.nullOr types.path;
 default = null;
@@ -14,12 +17,12 @@ in
 };
 publicKeyFile = mkOption {
 type = types.path;
- default = if cfg.pkiBundle != null then "${cfg.pkiBundle}/db/db.pem" else null;
+ default = if cfg.pkiBundle != null then "${cfg.pkiBundle}/keys/db/db.pem" else null;
 description = "Public key to sign your boot files";
 };
 privateKeyFile = mkOption {
 type = types.path;
- default = if cfg.pkiBundle != null then "${cfg.pkiBundle}/db/db.key" else null;
+ default = if cfg.pkiBundle != null then "${cfg.pkiBundle}/keys/db/db.key" else null;
 description = "Private key to sign your boot files";
 };
 package = mkOption {
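Review bot: `pkiBundle = ./pki;` is a path literal, so Nix copies the whole directory into the store, and with the new defaults in nix/lanzaboote.nix that includes `keys/db/db.key`, which every local user can then read from `/nix/store`. That is acceptable for the throwaway keys of this VM test (the `virtualisation` block around it suggests that is what this module is), but nothing in the option type stops a real signing key from being handed in the same way. A comment on the line, such as `# test-only keys: a path literal is copied into the world-readable Nix store`, would keep the pattern from being copied into a production configuration. The enclosing test module starts before this hunk.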
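Review bot: `databasePath = "/tmp/pki"` bakes a fixed, predictable path under world-writable `/tmp` into sbctl as the location of the Secure Boot key database, and the install hook in the next hunk (`@@ -33,9 +36,13 @@`) copies the whole PKI bundle, private key included, into it with the default umask and never removes it. Because that hook uses `mkdir -p`, a pre-existing `/tmp/pki` (left over from an earlier run, or created by another local user) is silently reused, so both the keys that end up enrolled and the exposure of the private key are outside the module's control. A location that is not world-writable, created with owner-only permissions and removed after enrollment, would avoid both problems; a `mktemp -d` result would be better still if the database path can be given at run time, which this build-time override suggests it cannot — confirm against sbctl. At minimum the override deserves a comment: `# sbctl's database location is fixed at build time; the install hook stages cfg.pkiBundle here before enroll-keys`.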
@@ -33,9 +36,13 @@ in
 boot.loader.external = {
 enable = true;
 passBootspec = true;
- installHook = if cfg.pkiBundle != null
- then "${cfg.package}/bin/lanzatool install ${optionalString cfg.enrollKeys "--autoenroll"} --pki-bundle ${cfg.pkiBundle}"
- else "${cfg.package}/bin/lanzatool install --public-key ${cfg.publicKeyFile} --private-key ${cfg.privateKeyFile}";
+ installHook = "${pkgs.writeShellScriptBin "bootinstall" ''
+ mkdir -p /tmp/pki
+ cp -r ${cfg.pkiBundle}/* /tmp/pki
+ ${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine
+ ${cfg.package}/bin/lanzatool install ${cfg.publicKeyFile} ${cfg.privateKeyFile} "$@"
+ ''}/bin/bootinstall";
+ # ${cfg.package}/bin/lanzatool install ${optionalString cfg.enrollKeys "--auto-enroll"} --pki-bundle ${cfg.pkiBundle}
 };
 };
 }
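Review bot: The new `bootinstall` script runs `sbctl enroll-keys --yes-this-might-brick-my-machine` unconditionally, so `cfg.enrollKeys` (whose description this commit updates to mention sbctl) no longer has any effect and every configuration with the module enabled attempts key enrollment on each bootloader install. It also interpolates `${cfg.pkiBundle}` with no null check although the option is `types.nullOr types.path` defaulting to `null`; the removed `if` handled that case, and with `pkiBundle` unset the `publicKeyFile`/`privateKeyFile` defaults evaluate to `null` as well, which `types.path` rejects, so `pkiBundle` has become mandatory without an assertion saying so. The script has no `set -e`, so a failed `cp` still falls through to enrollment with whatever happens to be in `/tmp/pki`, and the staged bundle (private key included) is created with the default umask and left behind. I would gate enrollment on `cfg.enrollKeys`, fail fast, and stage the keys with owner-only permissions and a cleanup trap as below; the commented-out `lanzatool install ... --pki-bundle` line should either come back as the non-enrolling alternative or be dropped rather than left as dead text.
```nix
installHook = "${pkgs.writeShellScriptBin "bootinstall" ''
  set -euo pipefail
  ${optionalString cfg.enrollKeys ''
    # sbctlWithPki reads its database from /tmp/pki; stage the bundle there
    # with owner-only permissions and remove it once enrollment is done.
    umask 077
    rm -rf /tmp/pki
    mkdir /tmp/pki
    trap 'rm -rf /tmp/pki' EXIT
    cp -r ${cfg.pkiBundle}/* /tmp/pki
    ${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine
  ''}
  ${cfg.package}/bin/lanzatool install ${cfg.publicKeyFile} ${cfg.privateKeyFile} "$@"
''}/bin/bootinstall";
```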