From 754656d50019a2198d74bc5bea63318b915e498b Mon Sep 17 00:00:00 2001
From: Julian Stecklina
Date: Sat, 25 Feb 2023 23:27:39 +0100
Subject: [PATCH] Revert "Properly handle fwupd update capsules"

---
 README.md | 7 +------
 nix/modules/lanzaboote.nix | 25 +------------------------
 2 files changed, 2 insertions(+), 30 deletions(-)

diff --git a/README.md b/README.md
index d8cc2a0..43915c2 100644
--- a/README.md
+++ b/README.md
@@ -70,7 +70,7 @@ sign all configurations that should be bootable.
 
 `lzbt` lives in `rust/tool`.
 
-### Stub
+### Stub
 
 When the Linux kernel and initrd are packed into a UKI, they need an
 UEFI application stub. This role is typically filled by
@@ -89,11 +89,6 @@ the initrd into the signed UKI.
 
 The stub lives in `rust/stub`.
 
-### Fwupd
-
-When both Lanzaboote and `services.fwupd` are enabled, `fwupd.service` will get a `preStart` that
-ensures a signed fwupd binary in /run that fwupd will use.
-
 ## State of Upstreaming to Nixpkgs
 
 Secure Boot is available as an Nixpkgs out-of-tree feature using the
diff --git a/nix/modules/lanzaboote.nix b/nix/modules/lanzaboote.nix
index 5c96f86..1d8792e 100644
--- a/nix/modules/lanzaboote.nix
+++ b/nix/modules/lanzaboote.nix
@@ -13,10 +13,6 @@ let
 timeout ${toString timeout}
 console-mode ${config.boot.loader.systemd-boot.consoleMode}
 '';
-
- # This is the fwupd-efi package. We need to get it this way because a user might override services.fwupd.package,
- # which may cause pkgs.fwupd-efi to be a different package than what the fwupd package has as dependency.
- fwupd-efi = builtins.head (builtins.filter (x: x.pname == "fwupd-efi") config.services.fwupd.package.buildInputs);
 in
 {
 options.boot.lanzaboote = {
@@ -67,7 +63,7 @@ in
 cp -r ${cfg.pkiBundle}/* /tmp/pki
 ${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine
 ''}
-
+
 ${cfg.package}/bin/lzbt install \
 --systemd ${config.systemd.package} \
 --systemd-boot-loader-config ${systemdBootLoaderConfig} \
@@ -78,24 +74,5 @@ in
 /nix/var/nix/profiles/system-*-link
 '';
 };
-
- systemd.services.fwupd = lib.mkIf config.services.fwupd.enable {
- # Tell fwupd to load its efi files from /run
- environment.FWUPD_EFIAPPDIR = "/run/fwupd-efi";
- serviceConfig.RuntimeDirectory = "fwupd-efi";
- # Place the fwupd efi files in /run and sign them
- preStart = ''
- cp ${fwupd-efi}/libexec/fwupd/efi/fwupd*.efi /run/fwupd-efi/
- ${pkgs.sbsigntool}/bin/sbsign --key '${cfg.privateKeyFile}' --cert '${cfg.publicKeyFile}' /run/fwupd-efi/fwupd*.efi
- '';
- };
-
- # Disable support for the shim since we sign the binaries directly
- environment.etc."fwupd/uefi_capsule.conf" = lib.mkIf config.services.fwupd.enable {
- text = ''
- [uefi_capsule]
- DisableShimForSecureBoot=true
- '';
- };
 };
 }