Merge pull request #134 from kanashimia/hardcoding

nixos-module: add settings key for the loader.conf
Ryan Lahfa 2023-03-21 15:49:55 +01:00 committed by GitHub
commit 7c55847aaf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 51 additions and 12 deletions


@ -2,52 +2,91 @@
with lib; with lib;
let let
cfg = config.boot.lanzaboote; cfg = config.boot.lanzaboote;
sbctlWithPki = pkgs.sbctl.override { sbctlWithPki = pkgs.sbctl.override {
databasePath = "/tmp/pki"; databasePath = "/tmp/pki";
}; };
configurationLimit = if cfg.configurationLimit == null then 0 else cfg.configurationLimit; loaderSettingsFormat = pkgs.formats.keyValue {
timeout = if config.boot.loader.timeout == null then 0 else config.boot.loader.timeout; mkKeyValue = k: v: if v == null then "" else
lib.generators.mkKeyValueDefault { } " " k v;
};
systemdBootLoaderConfig = pkgs.writeText "loader.conf" '' loaderConfigFile = loaderSettingsFormat.generate "loader.conf" cfg.settings;
timeout ${toString timeout}
console-mode ${config.boot.loader.systemd-boot.consoleMode} configurationLimit = if cfg.configurationLimit == null then 0 else cfg.configurationLimit;
'';
in in
{ {
options.boot.lanzaboote = { options.boot.lanzaboote = {
enable = mkEnableOption "Enable the LANZABOOTE"; enable = mkEnableOption "Enable the LANZABOOTE";
enrollKeys = mkEnableOption "Automatic enrollment of the keys using sbctl"; enrollKeys = mkEnableOption "Automatic enrollment of the keys using sbctl";
configurationLimit = mkOption { configurationLimit = mkOption {
default = null; default = config.boot.loader.systemd-boot.configurationLimit;
example = 120; example = 120;
type = types.nullOr types.int; type = types.nullOr types.int;
description = lib.mdDoc '' description = lib.mdDoc ''
Maximum number of latest generations in the boot menu. Maximum number of latest generations in the boot menu.
Useful to prevent boot partition running out of disk space. Useful to prevent boot partition running out of disk space.
`null` means no limit i.e. all generations `null` means no limit i.e. all generations
that were not garbage collected yet. that were not garbage collected yet.
''; '';
}; };
pkiBundle = mkOption { pkiBundle = mkOption {
type = types.nullOr types.path; type = types.nullOr types.path;
description = "PKI bundle containing db, PK, KEK"; description = "PKI bundle containing db, PK, KEK";
}; };
publicKeyFile = mkOption { publicKeyFile = mkOption {
type = types.path; type = types.path;
default = "${cfg.pkiBundle}/keys/db/db.pem"; default = "${cfg.pkiBundle}/keys/db/db.pem";
description = "Public key to sign your boot files"; description = "Public key to sign your boot files";
}; };
privateKeyFile = mkOption { privateKeyFile = mkOption {
type = types.path; type = types.path;
default = "${cfg.pkiBundle}/keys/db/db.key"; default = "${cfg.pkiBundle}/keys/db/db.key";
description = "Private key to sign your boot files"; description = "Private key to sign your boot files";
}; };
package = mkOption { package = mkOption {
type = types.package; type = types.package;
default = pkgs.lzbt; default = pkgs.lzbt;
description = "Lanzaboote tool (lzbt) package"; description = "Lanzaboote tool (lzbt) package";
}; };
settings = mkOption rec {
type = types.submodule {
freeformType = loaderSettingsFormat.type;
};
apply = recursiveUpdate default;
default = {
timeout = config.boot.loader.timeout;
console-mode = config.boot.loader.systemd-boot.consoleMode;
editor = config.boot.loader.systemd-boot.editor;
default = "nixos-*";
};
example = literalExpression ''
{
editor = null; # null value removes line from the loader.conf
beep = true;
default = "@saved";
timeout = 10;
}
'';
description = ''
Configuration for the `systemd-boot`
See `loader.conf(5)` for supported values.
'';
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -66,7 +105,7 @@ in
${cfg.package}/bin/lzbt install \ ${cfg.package}/bin/lzbt install \
--systemd ${config.systemd.package} \ --systemd ${config.systemd.package} \
--systemd-boot-loader-config ${systemdBootLoaderConfig} \ --systemd-boot-loader-config ${loaderConfigFile} \
--public-key ${cfg.publicKeyFile} \ --public-key ${cfg.publicKeyFile} \
--private-key ${cfg.privateKeyFile} \ --private-key ${cfg.privateKeyFile} \
--configuration-limit ${toString configurationLimit} \ --configuration-limit ${toString configurationLimit} \
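Review bot: The new `settings` default line `editor = config.boot.loader.systemd-boot.editor;` passes that option straight into loader.conf, and its nixpkgs default is true, so a Lanzaboote install now ships `editor true` unless the user turns it off separately; on a Secure Boot system the kernel command-line editor undoes much of the integrity the signed boot chain provides, and whether systemd-boot itself forces the editor off under Secure Boot is not something this module can rely on from here. The `settings` description should say so, e.g. `Defaults are taken from boot.loader.systemd-boot; on a Secure Boot install set boot.loader.systemd-boot.editor = false (or settings.editor = false).`, and it should be wrapped in `lib.mdDoc` like the sibling options. The example comment `# null value removes line from the loader.conf` also overstates it: `mkKeyValue` returns "" for null, but as far as I recall the key-value generator still terminates each entry, so the result is a blank line rather than no line — harmless for systemd-boot, but `# null omits the value (leaves an empty line)` would be accurate. The `lzbt install` invocation in the second hunk continues outside it.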


@ -249,11 +249,11 @@ in
testScript = '' testScript = ''
machine.start() machine.start()
actual_loader_config = machine.succeed("cat /boot/loader/loader.conf") actual_loader_config = machine.succeed("cat /boot/loader/loader.conf").split("\n")
expected_loader_config = "timeout 0\nconsole-mode auto\n" expected_loader_config = ["timeout 0", "console-mode auto"]
assert actual_loader_config == expected_loader_config, \ assert all(cfg in actual_loader_config for cfg in expected_loader_config), \
f"Actual: '{actual_loader_config}' is not equal to expected: '{expected_loader_config}'" f"Expected: {expected_loader_config} is not included in actual config: '{actual_loader_config}'"
''; '';
}; };
} }
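Review bot: Relaxing the assertion from exact equality to "each expected line is present" means the lines the module now emits by default (`editor`, `default nixos-*`) and any unexpected or duplicated entries go unchecked, so a regression in the new generator would not be caught. Extend the expected list to the full default output, e.g. `expected_loader_config = ["timeout 0", "console-mode auto", "editor true", "default nixos-*"]`, and either restore the equality check against the non-empty lines (`[l for l in actual_loader_config if l]`) or at least assert the line count; the exact `editor` value depends on the test's `boot.loader.systemd-boot.editor` setting, which is not visible in this hunk. The enclosing test definition starts outside the hunk.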