Merge pull request #113 from dasJ/feat/fwupd

Properly handle fwupd update capsules
2023-02-25 23:01:12 +01:00 · 2023-02-25 23:01:12 +01:00 · 9daa941320
parent 29e0aaf934 048df99975
commit 9daa941320
2 changed files with 30 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -70,7 +70,7 @@ sign all configurations that should be bootable.

 `lzbt` lives in `rust/tool`.

-### Stub 
+### Stub

 When the Linux kernel and initrd are packed into a UKI, they need an
 UEFI application stub. This role is typically filled by
@ -89,6 +89,11 @@ the initrd into the signed UKI.

 The stub lives in `rust/stub`.

+### Fwupd
+
+When both Lanzaboote and `services.fwupd` are enabled, `fwupd.service` will get a `preStart` that
+ensures a signed fwupd binary in /run that fwupd will use.
+
 ## State of Upstreaming to Nixpkgs

 Secure Boot is available as an Nixpkgs out-of-tree feature using the
--- a/nix/modules/lanzaboote.nix
+++ b/nix/modules/lanzaboote.nix
@ -13,6 +13,10 @@ let
    timeout ${toString timeout}
    console-mode ${config.boot.loader.systemd-boot.consoleMode}
  '';
+
+  # This is the fwupd-efi package. We need to get it this way because a user might override services.fwupd.package,
+  # which may cause pkgs.fwupd-efi to be a different package than what the fwupd package has as dependency.
+  fwupd-efi = builtins.head (builtins.filter (x: x.pname == "fwupd-efi") config.services.fwupd.package.buildInputs);
 in
 {
  options.boot.lanzaboote = {
@ -63,7 +67,7 @@ in
          cp -r ${cfg.pkiBundle}/* /tmp/pki
          ${sbctlWithPki}/bin/sbctl enroll-keys --yes-this-might-brick-my-machine
        ''}
-  
+
        ${cfg.package}/bin/lzbt install \
          --systemd ${config.systemd.package} \
          --systemd-boot-loader-config ${systemdBootLoaderConfig} \
@ -74,5 +78,24 @@ in
          /nix/var/nix/profiles/system-*-link
      '';
    };
+
+    systemd.services.fwupd = lib.mkIf config.services.fwupd.enable {
+      # Tell fwupd to load its efi files from /run
+      environment.FWUPD_EFIAPPDIR = "/run/fwupd-efi";
+      serviceConfig.RuntimeDirectory = "fwupd-efi";
+      # Place the fwupd efi files in /run and sign them
+      preStart = ''
+        cp ${fwupd-efi}/libexec/fwupd/efi/fwupd*.efi /run/fwupd-efi/
+        ${pkgs.sbsigntool}/bin/sbsign --key '${cfg.privateKeyFile}' --cert '${cfg.publicKeyFile}' /run/fwupd-efi/fwupd*.efi
+      '';
+    };
+
+    # Disable support for the shim since we sign the binaries directly
+    environment.etc."fwupd/uefi_capsule.conf" = lib.mkIf config.services.fwupd.enable {
+      text = ''
+        [uefi_capsule]
+        DisableShimForSecureBoot=true
+      '';
+    };
  };
 }