nixos: actually enable sb
This commit is contained in:
parent
ccdd02bf1c
commit
2148cb06ab
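--- a/PATH-NOT-SHOWN-1
+++ b/PATH-NOT-SHOWN-1
@@ -153,6 +153,7 @@
 databasePath = "pki";
 })
 pkgs.sbsigntool
+pkgs.efitools
 ];
 
 inputsFrom = [
@@ -175,7 +176,7 @@
 virtualisation = {
 useBootLoader = true;
 useEFIBoot = true;
-# useSecureBoot = true;
+useSecureBoot = true;
 };
 
 boot.loader.efi = {
@@ -185,7 +186,7 @@
 boot.lanzaboote = {
 enable = true;
 enrollKeys = true;
-pkiBundle = ./pki/keys;
+pkiBundle = ./pki;
 package = lanzatool;
 };
 };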
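Review bot: `pkiBundle = ./pki;` is a path literal, so as soon as the module interpolates it (the hook's `cp -r ${cfg.pkiBundle}/* /tmp/pki` and the `privateKeyFile` default) the whole directory, including `keys/db/db.key`, is coerced into the world-readable Nix store. That is tolerable for throwaway keys in the VM test that `useSecureBoot = true` now exercises, but the identical pattern on a real host would expose the Secure Boot signing key to every local user; a comment beside it such as `# test-only PKI: a path literal is copied into /nix/store, never point this at production keys` would make the intent explicit. Since the bundle root moved from `./pki/keys` to `./pki`, it is also worth confirming that nothing else still expects the old layout — the module's new defaults appear to append the `keys/` segment themselves.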
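--- a/PATH-NOT-SHOWN-2
+++ b/PATH-NOT-SHOWN-2
@@ -2,11 +2,14 @@
 with lib;
 let
 cfg = config.boot.lanzaboote;
+sbctlWithPki = pkgs.sbctl.override {
+databasePath = "/tmp/pki";
+};
 in
 {
 options.boot.lanzaboote = {
 enable = mkEnableOption "Enable the LANZABOOTE";
-enrollKeys = mkEnableOption "Automatic enrollment of the keys";
+enrollKeys = mkEnableOption "Automatic enrollment of the keys using sbctl";
 pkiBundle = mkOption {
 type = types.nullOr types.path;
 default = null;
@@ -14,12 +17,12 @@ in
 };
 publicKeyFile = mkOption {
 type = types.path;
-default = if cfg.pkiBundle != null then "${cfg.pkiBundle}/db/db.pem" else null;
+default = if cfg.pkiBundle != null then "${cfg.pkiBundle}/keys/db/db.pem" else null;
 description = "Public key to sign your boot files";
 };
 privateKeyFile = mkOption {
 type = types.path;
-default = if cfg.pkiBundle != null then "${cfg.pkiBundle}/db/db.key" else null;
+default = if cfg.pkiBundle != null then "${cfg.pkiBundle}/keys/db/db.key" else null;
 description = "Private key to sign your boot files";
 };
 package = mkOption {
@@ -33,9 +36,13 @@ in
 boot.loader.external = {
 enable = true;
 passBootspec = true;
-installHook = if cfg.pkiBundle != null
-then "${cfg.package}/bin/lanzatool install ${optionalString cfg.enrollKeys "--autoenroll"} --pki-bundle ${cfg.pkiBundle}"
-else "${cfg.package}/bin/lanzatool install --public-key ${cfg.publicKeyFile} --private-key ${cfg.privateKeyFile}";
+installHook = "${pkgs.writeShellScriptBin "bootinstall" ''
+mkdir -p /tmp/pki
+cp -r ${cfg.pkiBundle}/* /tmp/pki
+${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine
+${cfg.package}/bin/lanzatool install ${cfg.publicKeyFile} ${cfg.privateKeyFile} "$@"
+''}/bin/bootinstall";
+# ${cfg.package}/bin/lanzatool install ${optionalString cfg.enrollKeys "--auto-enroll"} --pki-bundle ${cfg.pkiBundle}
 };
 };
 }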
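Review bot: The new `installHook` script runs `sbctl enroll-keys --yes-this-might-brick-my-machine` on every bootloader install without consulting `cfg.enrollKeys`, so the option this commit re-describes as "Automatic enrollment of the keys using sbctl" no longer gates anything, and the `if cfg.pkiBundle != null` branch of the removed lines is gone even though `pkiBundle` still defaults to `null` (interpolating it in `cp -r ${cfg.pkiBundle}/*` should then fail at evaluation, and the public/private-key-only mode is lost). The staging copy also leaves the private signing key under the fixed, predictable `/tmp/pki` after the hook exits; that path is pinned by the `sbctlWithPki` override's `databasePath`, so at minimum the directory should be created mode 0700 and removed on exit, with an `assertions` entry requiring `cfg.pkiBundle != null` whenever `cfg.enrollKeys` is set. The enclosing `config` attrset starts before this hunk. A gated version of the hook body could look like the following.
```nix
installHook = "${pkgs.writeShellScriptBin "bootinstall" ''
  ${optionalString cfg.enrollKeys ''
    mkdir -p -m 0700 /tmp/pki
    trap 'rm -rf /tmp/pki' EXIT
    cp -r ${cfg.pkiBundle}/* /tmp/pki
    ${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine
  ''}
  ${cfg.package}/bin/lanzatool install ${cfg.publicKeyFile} ${cfg.privateKeyFile} "$@"
''}/bin/bootinstall";
```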