Merge pull request #131 from lilyinstarlight/feature/fwupd

Properly handle fwupd update capsules, take 2
This commit is contained in:
Ryan Lahfa 2023-03-21 15:26:50 +01:00 committed by GitHub
commit 9c0dfff36b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 30 additions and 9 deletions

View File

@ -70,7 +70,7 @@ sign all configurations that should be bootable.
`lzbt` lives in `rust/tool`.
### Stub
### Stub
When the Linux kernel and initrd are packed into a UKI, they need an
UEFI application stub. This role is typically filled by
@ -89,6 +89,12 @@ the initrd into the signed UKI.
The stub lives in `rust/stub`.
### Fwupd
When both Lanzaboote and `services.fwupd` are enabled, for
`fwupd.service` a `preStart` will be added that ensures a signed fwupd
binary is placed in `/run` that fwupd will use.
## State of Upstreaming to Nixpkgs
Secure Boot is available as an Nixpkgs out-of-tree feature using the

View File

@ -181,16 +181,16 @@
},
"nixpkgs-test": {
"locked": {
"lastModified": 1671812130,
"narHash": "sha256-GALBK+qB9rhnB+lVnxdgtMoXCySXughZZ3+qGO1Ke/k=",
"owner": "RaitoBezarius",
"lastModified": 1679009563,
"narHash": "sha256-jizICiQOqUcYFNHRNNOo69bfyNo36iyuRAHem5z68LQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e51bf8cc8e2c75192e930ad83ed272938729e7be",
"rev": "371d3778c4f9cee7d5cf014e6ce400d57366570f",
"type": "github"
},
"original": {
"owner": "RaitoBezarius",
"ref": "simplified-qemu-boot-disks",
"owner": "NixOS",
"ref": "qemu-boot-disk-using-make-disk-image",
"repo": "nixpkgs",
"type": "github"
}

View File

@ -3,7 +3,7 @@
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
nixpkgs-test.url = "github:RaitoBezarius/nixpkgs/simplified-qemu-boot-disks";
nixpkgs-test.url = "github:NixOS/nixpkgs/qemu-boot-disk-using-make-disk-image";
flake-parts.url = "github:hercules-ci/flake-parts";

View File

@ -63,7 +63,7 @@ in
cp -r ${cfg.pkiBundle}/* /tmp/pki
${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine
''}
${cfg.package}/bin/lzbt install \
--systemd ${config.systemd.package} \
--systemd-boot-loader-config ${systemdBootLoaderConfig} \
@ -74,5 +74,20 @@ in
/nix/var/nix/profiles/system-*-link
'';
};
systemd.services.fwupd = lib.mkIf config.services.fwupd.enable {
# Tell fwupd to load its efi files from /run
environment.FWUPD_EFIAPPDIR = "/run/fwupd-efi";
# Place the fwupd efi files in /run and sign them
preStart = ''
mkdir -p /run/fwupd-efi
cp ${config.services.fwupd.package.fwupd-efi}/libexec/fwupd/efi/fwupd*.efi /run/fwupd-efi/
${pkgs.sbsigntool}/bin/sbsign --key '${cfg.privateKeyFile}' --cert '${cfg.publicKeyFile}' /run/fwupd-efi/fwupd*.efi
'';
};
services.fwupd.uefiCapsuleSettings = lib.mkIf config.services.fwupd.enable {
DisableShimForSecureBoot = true;
};
};
}