Properly handle fwupd update capsules
Co-Authored-By: Janne Heß <janne@hess.ooo>
This commit is contained in:
parent
bdcada4bc2
commit
658d753d1c
|
@ -89,6 +89,12 @@ the initrd into the signed UKI.
|
|||
|
||||
The stub lives in `rust/stub`.
|
||||
|
||||
### Fwupd
|
||||
|
||||
When both Lanzaboote and `services.fwupd` are enabled, for
|
||||
`fwupd.service` a `preStart` will be added that ensures a signed fwupd
|
||||
binary is placed in `/run` that fwupd will use.
|
||||
|
||||
## State of Upstreaming to Nixpkgs
|
||||
|
||||
Secure Boot is available as an Nixpkgs out-of-tree feature using the
|
||||
|
|
|
@ -74,5 +74,20 @@ in
|
|||
/nix/var/nix/profiles/system-*-link
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services.fwupd = lib.mkIf config.services.fwupd.enable {
|
||||
# Tell fwupd to load its efi files from /run
|
||||
environment.FWUPD_EFIAPPDIR = "/run/fwupd-efi";
|
||||
# Place the fwupd efi files in /run and sign them
|
||||
preStart = ''
|
||||
mkdir -p /run/fwupd-efi
|
||||
cp ${config.services.fwupd.package.fwupd-efi}/libexec/fwupd/efi/fwupd*.efi /run/fwupd-efi/
|
||||
${pkgs.sbsigntool}/bin/sbsign --key '${cfg.privateKeyFile}' --cert '${cfg.publicKeyFile}' /run/fwupd-efi/fwupd*.efi
|
||||
'';
|
||||
};
|
||||
|
||||
services.fwupd.uefiCapsuleSettings = lib.mkIf config.services.fwupd.enable {
|
||||
DisableShimForSecureBoot = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue