min
/
lanzaboote
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nix: clean up fwupd-efi handling a little bit

This commit is contained in:
Lily Foster 2023-04-04 06:38:19 -04:00
parent 7c55847aaf
commit 4066b0a894
No known key found for this signature in database
GPG Key ID: 49340081E484C893
1 changed files with 16 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
nix/modules/lanzaboote.nix
View File

@ -117,10 +117,23 @@ in
systemd.services.fwupd = lib.mkIf config.services.fwupd.enable {
# Tell fwupd to load its efi files from /run
environment.FWUPD_EFIAPPDIR = "/run/fwupd-efi";
};
systemd.services.fwupd-efi = lib.mkIf config.services.fwupd.enable {
description = "Sign fwupd EFI app";
# Exist with the lifetime of the fwupd service
wantedBy = [ "fwupd.service" ];
partOf = [ "fwupd.service" ];
before = [ "fwupd.service" ];
# Create runtime directory for signed efi app
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
RuntimeDirectory = "fwupd-efi";
};
# Place the fwupd efi files in /run and sign them
preStart = ''
mkdir -p /run/fwupd-efi
cp ${config.services.fwupd.package.fwupd-efi}/libexec/fwupd/efi/fwupd*.efi /run/fwupd-efi/
script = ''
ln -sf ${config.services.fwupd.package.fwupd-efi}/libexec/fwupd/efi/fwupd*.efi /run/fwupd-efi/
${pkgs.sbsigntool}/bin/sbsign --key '${cfg.privateKeyFile}' --cert '${cfg.publicKeyFile}' /run/fwupd-efi/fwupd*.efi
'';
};