Merge pull request #131 from lilyinstarlight/feature/fwupd
Properly handle fwupd update capsules, take 2
This commit is contained in:
commit
9c0dfff36b
|
@ -70,7 +70,7 @@ sign all configurations that should be bootable.
|
|||
|
||||
`lzbt` lives in `rust/tool`.
|
||||
|
||||
### Stub
|
||||
### Stub
|
||||
|
||||
When the Linux kernel and initrd are packed into a UKI, they need an
|
||||
UEFI application stub. This role is typically filled by
|
||||
|
@ -89,6 +89,12 @@ the initrd into the signed UKI.
|
|||
|
||||
The stub lives in `rust/stub`.
|
||||
|
||||
### Fwupd
|
||||
|
||||
When both Lanzaboote and `services.fwupd` are enabled, for
|
||||
`fwupd.service` a `preStart` will be added that ensures a signed fwupd
|
||||
binary is placed in `/run` that fwupd will use.
|
||||
|
||||
## State of Upstreaming to Nixpkgs
|
||||
|
||||
Secure Boot is available as an Nixpkgs out-of-tree feature using the
|
||||
|
|
12
flake.lock
12
flake.lock
|
@ -181,16 +181,16 @@
|
|||
},
|
||||
"nixpkgs-test": {
|
||||
"locked": {
|
||||
"lastModified": 1671812130,
|
||||
"narHash": "sha256-GALBK+qB9rhnB+lVnxdgtMoXCySXughZZ3+qGO1Ke/k=",
|
||||
"owner": "RaitoBezarius",
|
||||
"lastModified": 1679009563,
|
||||
"narHash": "sha256-jizICiQOqUcYFNHRNNOo69bfyNo36iyuRAHem5z68LQ=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "e51bf8cc8e2c75192e930ad83ed272938729e7be",
|
||||
"rev": "371d3778c4f9cee7d5cf014e6ce400d57366570f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "RaitoBezarius",
|
||||
"ref": "simplified-qemu-boot-disks",
|
||||
"owner": "NixOS",
|
||||
"ref": "qemu-boot-disk-using-make-disk-image",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
|
||||
inputs = {
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
|
||||
nixpkgs-test.url = "github:RaitoBezarius/nixpkgs/simplified-qemu-boot-disks";
|
||||
nixpkgs-test.url = "github:NixOS/nixpkgs/qemu-boot-disk-using-make-disk-image";
|
||||
|
||||
flake-parts.url = "github:hercules-ci/flake-parts";
|
||||
|
||||
|
|
|
@ -63,7 +63,7 @@ in
|
|||
cp -r ${cfg.pkiBundle}/* /tmp/pki
|
||||
${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine
|
||||
''}
|
||||
|
||||
|
||||
${cfg.package}/bin/lzbt install \
|
||||
--systemd ${config.systemd.package} \
|
||||
--systemd-boot-loader-config ${systemdBootLoaderConfig} \
|
||||
|
@ -74,5 +74,20 @@ in
|
|||
/nix/var/nix/profiles/system-*-link
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services.fwupd = lib.mkIf config.services.fwupd.enable {
|
||||
# Tell fwupd to load its efi files from /run
|
||||
environment.FWUPD_EFIAPPDIR = "/run/fwupd-efi";
|
||||
# Place the fwupd efi files in /run and sign them
|
||||
preStart = ''
|
||||
mkdir -p /run/fwupd-efi
|
||||
cp ${config.services.fwupd.package.fwupd-efi}/libexec/fwupd/efi/fwupd*.efi /run/fwupd-efi/
|
||||
${pkgs.sbsigntool}/bin/sbsign --key '${cfg.privateKeyFile}' --cert '${cfg.publicKeyFile}' /run/fwupd-efi/fwupd*.efi
|
||||
'';
|
||||
};
|
||||
|
||||
services.fwupd.uefiCapsuleSettings = lib.mkIf config.services.fwupd.enable {
|
||||
DisableShimForSecureBoot = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue