Merge pull request #131 from lilyinstarlight/feature/fwupd

Properly handle fwupd update capsules, take 2
This commit is contained in:
Ryan Lahfa 2023-03-21 15:26:50 +01:00 committed by GitHub
commit 9c0dfff36b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 30 additions and 9 deletions


@ -89,6 +89,12 @@ the initrd into the signed UKI.
The stub lives in `rust/stub`. The stub lives in `rust/stub`.
### Fwupd
When both Lanzaboote and `services.fwupd` are enabled, for
`fwupd.service` a `preStart` will be added that ensures a signed fwupd
binary is placed in `/run` that fwupd will use.
## State of Upstreaming to Nixpkgs ## State of Upstreaming to Nixpkgs
Secure Boot is available as an Nixpkgs out-of-tree feature using the Secure Boot is available as an Nixpkgs out-of-tree feature using the


@ -181,16 +181,16 @@
}, },
"nixpkgs-test": { "nixpkgs-test": {
"locked": { "locked": {
"lastModified": 1671812130, "lastModified": 1679009563,
"narHash": "sha256-GALBK+qB9rhnB+lVnxdgtMoXCySXughZZ3+qGO1Ke/k=", "narHash": "sha256-jizICiQOqUcYFNHRNNOo69bfyNo36iyuRAHem5z68LQ=",
"owner": "RaitoBezarius", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "e51bf8cc8e2c75192e930ad83ed272938729e7be", "rev": "371d3778c4f9cee7d5cf014e6ce400d57366570f",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "RaitoBezarius", "owner": "NixOS",
"ref": "simplified-qemu-boot-disks", "ref": "qemu-boot-disk-using-make-disk-image",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }


@ -3,7 +3,7 @@
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
nixpkgs-test.url = "github:RaitoBezarius/nixpkgs/simplified-qemu-boot-disks"; nixpkgs-test.url = "github:NixOS/nixpkgs/qemu-boot-disk-using-make-disk-image";
flake-parts.url = "github:hercules-ci/flake-parts"; flake-parts.url = "github:hercules-ci/flake-parts";


@ -74,5 +74,20 @@ in
/nix/var/nix/profiles/system-*-link /nix/var/nix/profiles/system-*-link
''; '';
}; };
systemd.services.fwupd = lib.mkIf config.services.fwupd.enable {
# Tell fwupd to load its efi files from /run
environment.FWUPD_EFIAPPDIR = "/run/fwupd-efi";
# Place the fwupd efi files in /run and sign them
preStart = ''
mkdir -p /run/fwupd-efi
cp ${config.services.fwupd.package.fwupd-efi}/libexec/fwupd/efi/fwupd*.efi /run/fwupd-efi/
${pkgs.sbsigntool}/bin/sbsign --key '${cfg.privateKeyFile}' --cert '${cfg.publicKeyFile}' /run/fwupd-efi/fwupd*.efi
'';
};
services.fwupd.uefiCapsuleSettings = lib.mkIf config.services.fwupd.enable {
DisableShimForSecureBoot = true;
};
}; };
} }
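Review bot: The `sbsign` line in `preStart` hands the glob `fwupd*.efi` to sbsign as its positional argument, but sbsign takes a single image per invocation as far as I know, so a second match would make the command fail and block the service from starting; a loop keeps it robust: `for f in /run/fwupd-efi/fwupd*.efi; do` / `${pkgs.sbsigntool}/bin/sbsign --key '${cfg.privateKeyFile}' --cert '${cfg.publicKeyFile}' --output "$f.signed" "$f"` / `done`. The comment `# Place the fwupd efi files in /run and sign them` also reads as if the copy were signed in place, whereas sbsign without `--output` writes the signature to `<name>.signed` beside the unsigned copy; I would extend it to `# sbsign writes fwupd*.efi.signed next to the copy; fwupd loads the .signed image when Secure Boot is enabled` if that matches fwupd's lookup behaviour. The `/run/fwupd-efi` path is spelled out three times and the `lib.mkIf config.services.fwupd.enable` guard twice; a `let` binding for the directory and a single `mkIf` wrapping both attributes would keep the environment variable, the `preStart` paths and the capsule setting from drifting apart.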