From 658d753d1c4b3a16d3ae08f6cf3e1b2dca320f8a Mon Sep 17 00:00:00 2001
From: Lily Foster
Date: Thu, 16 Mar 2023 20:57:49 -0400
Subject: [PATCH 1/3] Properly handle fwupd update capsules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-Authored-By: Janne Heß
---
 README.md | 8 +++++++-
 nix/modules/lanzaboote.nix | 17 ++++++++++++++++-
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 43915c2..9aaeb3d 100644
--- a/README.md
+++ b/README.md
@@ -70,7 +70,7 @@ sign all configurations that should be bootable.
 `lzbt` lives in `rust/tool`.
-### Stub
+### Stub
 When the Linux kernel and initrd are packed into a UKI, they need an UEFI application stub. This role is typically filled by
@@ -89,6 +89,12 @@ the initrd into the signed UKI.
 The stub lives in `rust/stub`.
+### Fwupd
+
+When both Lanzaboote and `services.fwupd` are enabled, for
+`fwupd.service` a `preStart` will be added that ensures a signed fwupd
+binary is placed in `/run` that fwupd will use.
+
 ## State of Upstreaming to Nixpkgs
 Secure Boot is available as an Nixpkgs out-of-tree feature using the
diff --git a/nix/modules/lanzaboote.nix b/nix/modules/lanzaboote.nix
index 1d8792e..02f8f3f 100644
--- a/nix/modules/lanzaboote.nix
+++ b/nix/modules/lanzaboote.nix
@@ -63,7 +63,7 @@ in
 cp -r ${cfg.pkiBundle}/* /tmp/pki
 ${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine
 ''}
-
+
 ${cfg.package}/bin/lzbt install \
 --systemd ${config.systemd.package} \
 --systemd-boot-loader-config ${systemdBootLoaderConfig} \
@@ -74,5 +74,20 @@ in
 /nix/var/nix/profiles/system-*-link
 '';
 };
+
+systemd.services.fwupd = lib.mkIf config.services.fwupd.enable {
+# Tell fwupd to load its efi files from /run
+environment.FWUPD_EFIAPPDIR = "/run/fwupd-efi";
+# Place the fwupd efi files in /run and sign them
+preStart = ''
+mkdir -p /run/fwupd-efi
+cp ${config.services.fwupd.package.fwupd-efi}/libexec/fwupd/efi/fwupd*.efi /run/fwupd-efi/
+${pkgs.sbsigntool}/bin/sbsign --key '${cfg.privateKeyFile}' --cert '${cfg.publicKeyFile}' /run/fwupd-efi/fwupd*.efi
+'';
+};
+
+services.fwupd.uefiCapsuleSettings = lib.mkIf config.services.fwupd.enable {
+DisableShimForSecureBoot = true;
+};
 };
 }

From 738d986536713a6bf473c00aabe496c8adcca7be Mon Sep 17 00:00:00 2001
From: Lily Foster
Date: Mon, 20 Mar 2023 07:45:02 -0400
Subject: [PATCH 2/3] flake: update nixpkgs-test

The nixpkgs-test input has been moved to the branch from NixOS/nixpkgs#207039.
---
 flake.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/flake.nix b/flake.nix
index 0ef4e5e..a7dbf02 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,7 +3,7 @@
 inputs = {
 nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
-nixpkgs-test.url = "github:RaitoBezarius/nixpkgs/simplified-qemu-boot-disks";
+nixpkgs-test.url = "github:NixOS/nixpkgs/qemu-boot-disk-using-make-disk-image";
 flake-parts.url = "github:hercules-ci/flake-parts";

From fd956c48647e22d9426ec9390476ecb86460d5ef Mon Sep 17 00:00:00 2001
From: Lily Foster
Date: Mon, 20 Mar 2023 07:47:21 -0400
Subject: [PATCH 3/3] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Flake lock file updates:

• Updated input 'nixpkgs-test':
 'github:RaitoBezarius/nixpkgs/e51bf8cc8e2c75192e930ad83ed272938729e7be' (2022-12-23)
 → 'github:NixOS/nixpkgs/371d3778c4f9cee7d5cf014e6ce400d57366570f' (2023-03-16)
---
 flake.lock | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
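Review bot: The `sbsign` call in the new `preStart` never states where the signed binary goes — it relies on the tool's default of writing a `.signed` sibling next to its input — and hands the tool a glob (`/run/fwupd-efi/fwupd*.efi`) where it expects a single file, so the expected output path is invisible in the code and a second glob match would reach `sbsign` as an unexpected argument. Signing each match with an explicit output keeps the step deterministic and self-documenting: `for f in /run/fwupd-efi/fwupd*.efi; do` / `  ${pkgs.sbsigntool}/bin/sbsign --key '${cfg.privateKeyFile}' --cert '${cfg.publicKeyFile}' --output "$f.signed" "$f"` / `done`. A comment above the call such as `# fwupd is expected to pick up the .signed sibling under FWUPD_EFIAPPDIR when Secure Boot is enabled — confirm against the fwupd version in use` would record the contract with fwupd that the current lines leave implicit. The single-quoted `${cfg.privateKeyFile}` / `${cfg.publicKeyFile}` interpolation also breaks the script if either path contains a `'`; `lib.escapeShellArg` handles that. The attribute set this hunk extends is opened before the hunk, so whether the new `systemd.services.fwupd` block is already gated on Lanzaboote being enabled (as the README text in this commit states) cannot be confirmed from here.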
diff --git a/flake.lock b/flake.lock
index 433eec5..4960487 100644
--- a/flake.lock
+++ b/flake.lock
@@ -181,16 +181,16 @@
 },
 "nixpkgs-test": {
 "locked": {
-"lastModified": 1671812130,
-"narHash": "sha256-GALBK+qB9rhnB+lVnxdgtMoXCySXughZZ3+qGO1Ke/k=",
-"owner": "RaitoBezarius",
+"lastModified": 1679009563,
+"narHash": "sha256-jizICiQOqUcYFNHRNNOo69bfyNo36iyuRAHem5z68LQ=",
+"owner": "NixOS",
 "repo": "nixpkgs",
-"rev": "e51bf8cc8e2c75192e930ad83ed272938729e7be",
+"rev": "371d3778c4f9cee7d5cf014e6ce400d57366570f",
 "type": "github"
 },
 "original": {
-"owner": "RaitoBezarius",
-"ref": "simplified-qemu-boot-disks",
+"owner": "NixOS",
+"ref": "qemu-boot-disk-using-make-disk-image",
 "repo": "nixpkgs",
 "type": "github"
 }