Merge pull request #131 from lilyinstarlight/feature/fwupd

Properly handle fwupd update capsules, take 2
2023-03-21 15:26:50 +01:00 · 2023-03-21 15:26:50 +01:00 · 9c0dfff36b
parent bdcada4bc2 fd956c4864
commit 9c0dfff36b
4 changed files with 30 additions and 9 deletions
--- a/README.md
+++ b/README.md
@ -70,7 +70,7 @@ sign all configurations that should be bootable.

 `lzbt` lives in `rust/tool`.

-### Stub 
+### Stub

 When the Linux kernel and initrd are packed into a UKI, they need an
 UEFI application stub. This role is typically filled by
@ -89,6 +89,12 @@ the initrd into the signed UKI.

 The stub lives in `rust/stub`.

+### Fwupd
+
+When both Lanzaboote and `services.fwupd` are enabled, for
+`fwupd.service` a `preStart` will be added that ensures a signed fwupd
+binary is placed in `/run` that fwupd will use.
+
 ## State of Upstreaming to Nixpkgs

 Secure Boot is available as an Nixpkgs out-of-tree feature using the
--- a/flake.lock
+++ b/flake.lock
@ -181,16 +181,16 @@
    },
    "nixpkgs-test": {
      "locked": {
-        "lastModified": 1671812130,
-        "narHash": "sha256-GALBK+qB9rhnB+lVnxdgtMoXCySXughZZ3+qGO1Ke/k=",
-        "owner": "RaitoBezarius",
+        "lastModified": 1679009563,
+        "narHash": "sha256-jizICiQOqUcYFNHRNNOo69bfyNo36iyuRAHem5z68LQ=",
+        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "e51bf8cc8e2c75192e930ad83ed272938729e7be",
+        "rev": "371d3778c4f9cee7d5cf014e6ce400d57366570f",
        "type": "github"
      },
      "original": {
-        "owner": "RaitoBezarius",
-        "ref": "simplified-qemu-boot-disks",
+        "owner": "NixOS",
+        "ref": "qemu-boot-disk-using-make-disk-image",
        "repo": "nixpkgs",
        "type": "github"
      }
--- a/flake.nix
+++ b/flake.nix
@ -3,7 +3,7 @@

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
-    nixpkgs-test.url = "github:RaitoBezarius/nixpkgs/simplified-qemu-boot-disks";
+    nixpkgs-test.url = "github:NixOS/nixpkgs/qemu-boot-disk-using-make-disk-image";

    flake-parts.url = "github:hercules-ci/flake-parts";

--- a/nix/modules/lanzaboote.nix
+++ b/nix/modules/lanzaboote.nix
@ -63,7 +63,7 @@ in
          cp -r ${cfg.pkiBundle}/* /tmp/pki
          ${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine
        ''}
-  
+
        ${cfg.package}/bin/lzbt install \
          --systemd ${config.systemd.package} \
          --systemd-boot-loader-config ${systemdBootLoaderConfig} \
@ -74,5 +74,20 @@ in
          /nix/var/nix/profiles/system-*-link
      '';
    };
+
+    systemd.services.fwupd = lib.mkIf config.services.fwupd.enable {
+      # Tell fwupd to load its efi files from /run
+      environment.FWUPD_EFIAPPDIR = "/run/fwupd-efi";
+      # Place the fwupd efi files in /run and sign them
+      preStart = ''
+        mkdir -p /run/fwupd-efi
+        cp ${config.services.fwupd.package.fwupd-efi}/libexec/fwupd/efi/fwupd*.efi /run/fwupd-efi/
+        ${pkgs.sbsigntool}/bin/sbsign --key '${cfg.privateKeyFile}' --cert '${cfg.publicKeyFile}' /run/fwupd-efi/fwupd*.efi
+      '';
+    };
+
+    services.fwupd.uefiCapsuleSettings = lib.mkIf config.services.fwupd.enable {
+      DisableShimForSecureBoot = true;
+    };
  };
 }