nixos: actually enable sb

This commit is contained in:
Raito Bezarius 2022-11-24 16:59:16 +01:00
parent ccdd02bf1c
commit 2148cb06ab
2 changed files with 16 additions and 8 deletions


@ -153,6 +153,7 @@
databasePath = "pki"; databasePath = "pki";
}) })
pkgs.sbsigntool pkgs.sbsigntool
pkgs.efitools
]; ];
inputsFrom = [ inputsFrom = [
@ -175,7 +176,7 @@
virtualisation = { virtualisation = {
useBootLoader = true; useBootLoader = true;
useEFIBoot = true; useEFIBoot = true;
# useSecureBoot = true; useSecureBoot = true;
}; };
boot.loader.efi = { boot.loader.efi = {
@ -185,7 +186,7 @@
boot.lanzaboote = { boot.lanzaboote = {
enable = true; enable = true;
enrollKeys = true; enrollKeys = true;
pkiBundle = ./pki/keys; pkiBundle = ./pki;
package = lanzatool; package = lanzatool;
}; };
}; };


@ -2,11 +2,14 @@
with lib; with lib;
let let
cfg = config.boot.lanzaboote; cfg = config.boot.lanzaboote;
sbctlWithPki = pkgs.sbctl.override {
databasePath = "/tmp/pki";
};
in in
{ {
options.boot.lanzaboote = { options.boot.lanzaboote = {
enable = mkEnableOption "Enable the LANZABOOTE"; enable = mkEnableOption "Enable the LANZABOOTE";
enrollKeys = mkEnableOption "Automatic enrollment of the keys"; enrollKeys = mkEnableOption "Automatic enrollment of the keys using sbctl";
pkiBundle = mkOption { pkiBundle = mkOption {
type = types.nullOr types.path; type = types.nullOr types.path;
default = null; default = null;
@ -14,12 +17,12 @@ in
}; };
publicKeyFile = mkOption { publicKeyFile = mkOption {
type = types.path; type = types.path;
default = if cfg.pkiBundle != null then "${cfg.pkiBundle}/db/db.pem" else null; default = if cfg.pkiBundle != null then "${cfg.pkiBundle}/keys/db/db.pem" else null;
description = "Public key to sign your boot files"; description = "Public key to sign your boot files";
}; };
privateKeyFile = mkOption { privateKeyFile = mkOption {
type = types.path; type = types.path;
default = if cfg.pkiBundle != null then "${cfg.pkiBundle}/db/db.key" else null; default = if cfg.pkiBundle != null then "${cfg.pkiBundle}/keys/db/db.key" else null;
description = "Private key to sign your boot files"; description = "Private key to sign your boot files";
}; };
package = mkOption { package = mkOption {
@ -33,9 +36,13 @@ in
boot.loader.external = { boot.loader.external = {
enable = true; enable = true;
passBootspec = true; passBootspec = true;
installHook = if cfg.pkiBundle != null installHook = "${pkgs.writeShellScriptBin "bootinstall" ''
then "${cfg.package}/bin/lanzatool install ${optionalString cfg.enrollKeys "--autoenroll"} --pki-bundle ${cfg.pkiBundle}" mkdir -p /tmp/pki
else "${cfg.package}/bin/lanzatool install --public-key ${cfg.publicKeyFile} --private-key ${cfg.privateKeyFile}"; cp -r ${cfg.pkiBundle}/* /tmp/pki
${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine
${cfg.package}/bin/lanzatool install ${cfg.publicKeyFile} ${cfg.privateKeyFile} "$@"
''}/bin/bootinstall";
# ${cfg.package}/bin/lanzatool install ${optionalString cfg.enrollKeys "--auto-enroll"} --pki-bundle ${cfg.pkiBundle}
}; };
}; };
} }
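Review bot: The new `bootinstall` script enrolls keys unconditionally, so the `enrollKeys` option (still declared and re-described as "using sbctl" in the first hunk of this file) no longer gates `sbctl enroll-keys --yes-this-might-brick-my-machine`, and a configuration with `pkiBundle = null` — which the replaced `if`/`else` handled via `publicKeyFile`/`privateKeyFile` — now fails at `cp -r ${cfg.pkiBundle}/*`. The enroll line should be wrapped, e.g. `${optionalString cfg.enrollKeys "${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine"}`, and the null case either restored or rejected with an assertion. Copying the whole bundle, including the private keys, into the fixed world-readable path `/tmp/pki` (the hard-coded `databasePath` of `sbctlWithPki`) also deserves a comment or a private directory created with `mktemp -d` and cleaned up after enrollment. The commented-out `--auto-enroll` line below the hook is dead code and should be dropped. The enclosing `config` attribute set starts outside this hunk.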