Properly handle fwupd update capsules

Co-Authored-By: Janne Heß <janne@hess.ooo>
Lily Foster 2023-03-16 20:57:49 -04:00
parent bdcada4bc2
commit 658d753d1c
GPG Key ID: 49340081E484C893
2 changed files with 23 additions and 2 deletions


@ -89,6 +89,12 @@ the initrd into the signed UKI.
The stub lives in `rust/stub`.
### Fwupd
When both Lanzaboote and `services.fwupd` are enabled, for
`fwupd.service` a `preStart` will be added that ensures a signed fwupd
binary is placed in `/run` that fwupd will use.
## State of Upstreaming to Nixpkgs
Secure Boot is available as an Nixpkgs out-of-tree feature using the


@ -74,5 +74,20 @@ in
/nix/var/nix/profiles/system-*-link
'';
};
systemd.services.fwupd = lib.mkIf config.services.fwupd.enable {
# Tell fwupd to load its efi files from /run
environment.FWUPD_EFIAPPDIR = "/run/fwupd-efi";
# Place the fwupd efi files in /run and sign them
preStart = ''
mkdir -p /run/fwupd-efi
cp ${config.services.fwupd.package.fwupd-efi}/libexec/fwupd/efi/fwupd*.efi /run/fwupd-efi/
${pkgs.sbsigntool}/bin/sbsign --key '${cfg.privateKeyFile}' --cert '${cfg.publicKeyFile}' /run/fwupd-efi/fwupd*.efi
'';
};
services.fwupd.uefiCapsuleSettings = lib.mkIf config.services.fwupd.enable {
DisableShimForSecureBoot = true;
};
};
}
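Review bot: The key and certificate paths on the sbsign line are spliced into the shell script inside single quotes, so a `cfg.privateKeyFile` or `cfg.publicKeyFile` value containing a quote would break the preStart at runtime; the NixOS idiom is `--key ${lib.escapeShellArg cfg.privateKeyFile} --cert ${lib.escapeShellArg cfg.publicKeyFile}`. Note also that `sbsign` is invoked without `--output`, so the signed image is presumably written as `fwupd*.efi.signed` beside the unsigned copy rather than replacing it, which the comment "sign them" does not make clear — suggest `# sbsign writes <name>.efi.signed next to the copy; fwupd looks for the .signed variant under Secure Boot` once that is confirmed. `DisableShimForSecureBoot = true` would also benefit from a why-comment such as `# fwupd's EFI binary is signed directly with the Lanzaboote key, so it does not need to chain through shim`. The enclosing attribute set starts before this hunk.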