From 658d753d1c4b3a16d3ae08f6cf3e1b2dca320f8a Mon Sep 17 00:00:00 2001
From: Lily Foster
Date: Thu, 16 Mar 2023 20:57:49 -0400
Subject: [PATCH] Properly handle fwupd update capsules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-Authored-By: Janne Heß
---
 README.md | 8 +++++++-
 nix/modules/lanzaboote.nix | 17 ++++++++++++++++-
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 43915c2..9aaeb3d 100644
--- a/README.md
+++ b/README.md
@@ -70,7 +70,7 @@ sign all configurations that should be bootable.
 `lzbt` lives in `rust/tool`.
-### Stub
+### Stub
 When the Linux kernel and initrd are packed into a UKI, they need an UEFI application stub. This role is typically filled by
@@ -89,6 +89,12 @@ the initrd into the signed UKI.
 The stub lives in `rust/stub`.
+### Fwupd
+
+When both Lanzaboote and `services.fwupd` are enabled, for
+`fwupd.service` a `preStart` will be added that ensures a signed fwupd
+binary is placed in `/run` that fwupd will use.
+
 ## State of Upstreaming to Nixpkgs
 Secure Boot is available as an Nixpkgs out-of-tree feature using the
diff --git a/nix/modules/lanzaboote.nix b/nix/modules/lanzaboote.nix
index 1d8792e..02f8f3f 100644
--- a/nix/modules/lanzaboote.nix
+++ b/nix/modules/lanzaboote.nix
@@ -63,7 +63,7 @@ in
 cp -r ${cfg.pkiBundle}/* /tmp/pki
 ${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine
 ''}
-
+
 ${cfg.package}/bin/lzbt install \
 --systemd ${config.systemd.package} \
 --systemd-boot-loader-config ${systemdBootLoaderConfig} \
@@ -74,5 +74,20 @@ in
 /nix/var/nix/profiles/system-*-link
 '';
 };
+
+ systemd.services.fwupd = lib.mkIf config.services.fwupd.enable {
+ # Tell fwupd to load its efi files from /run
+ environment.FWUPD_EFIAPPDIR = "/run/fwupd-efi";
+ # Place the fwupd efi files in /run and sign them
+ preStart = ''
+ mkdir -p /run/fwupd-efi
+ cp ${config.services.fwupd.package.fwupd-efi}/libexec/fwupd/efi/fwupd*.efi /run/fwupd-efi/
+ ${pkgs.sbsigntool}/bin/sbsign --key '${cfg.privateKeyFile}' --cert '${cfg.publicKeyFile}' /run/fwupd-efi/fwupd*.efi
+ '';
+ };
+
+ services.fwupd.uefiCapsuleSettings = lib.mkIf config.services.fwupd.enable {
+ DisableShimForSecureBoot = true;
+ };
 };
 }
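Review bot: The `sbsign` call in the new `preStart` passes no `--output`, so the signed image lands as `/run/fwupd-efi/fwupd*.efi.signed` beside the unsigned copy rather than being "signed in place" as the comment above it reads; as far as I recall fwupd does look for the `.efi.signed` name once Secure Boot is enabled, so the change works only through sbsign's default naming, which should be stated in the comment. The glob is also handed to sbsign as a bare argument list, so if `fwupd-efi` ever ships more than one `fwupd*.efi` the call receives extra positional arguments. Nothing checks that the produced signature verifies against `cfg.publicKeyFile` before fwupd is allowed to stage a capsule with it. I would loop over the files, pass `--output` explicitly and run `sbverify` on each result so a wrong key or certificate fails the service start instead of surfacing as a firmware-update failure later. The enclosing `config` attribute set begins outside the hunk.
```nix
      systemd.services.fwupd = lib.mkIf config.services.fwupd.enable {
        # … unchanged: FWUPD_EFIAPPDIR environment …
        preStart = ''
          mkdir -p /run/fwupd-efi
          for efi in ${config.services.fwupd.package.fwupd-efi}/libexec/fwupd/efi/fwupd*.efi; do
            name="$(basename "$efi")"
            cp "$efi" "/run/fwupd-efi/$name"
            # NOTE(review): fwupd is believed to load <name>.efi.signed under Secure Boot, which is
            # also sbsign's default output name - confirm against the fwupd uefi-capsule plugin
            ${pkgs.sbsigntool}/bin/sbsign --key '${cfg.privateKeyFile}' --cert '${cfg.publicKeyFile}' \
              --output "/run/fwupd-efi/$name.signed" "/run/fwupd-efi/$name"
            ${pkgs.sbsigntool}/bin/sbverify --cert '${cfg.publicKeyFile}' "/run/fwupd-efi/$name.signed"
          done
        '';
      };
      # … unchanged: services.fwupd.uefiCapsuleSettings …
```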