nixos: add a lanzaboote module

2022-11-23 11:59:54 +01:00 · 2022-11-23 11:59:54 +01:00 · c53477fbf5
parent a089c6fb3d
commit c53477fbf5
3 changed files with 61 additions and 1 deletions
--- a/flake.lock
+++ b/flake.lock
@ -47,6 +47,22 @@
        "type": "indirect"
      }
    },
+    "nixpkgs-test": {
+      "locked": {
+        "lastModified": 1669200924,
+        "narHash": "sha256-NUPT9VMQHnFRqqd/ILcfMSbOvPTLbVBXGO7SWj0N7Dg=",
+        "owner": "RaitoBezarius",
+        "repo": "nixpkgs",
+        "rev": "542f657a93ae903e07d6274de413142c4b99d6ed",
+        "type": "github"
+      },
+      "original": {
+        "owner": "RaitoBezarius",
+        "ref": "experimental-secureboot",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1669001258,
@ -83,6 +99,7 @@
      "inputs": {
        "naersk": "naersk",
        "nixpkgs": "nixpkgs_2",
+        "nixpkgs-test": "nixpkgs-test",
        "rust-overlay": "rust-overlay"
      }
    },
--- a/flake.nix
+++ b/flake.nix
@ -3,11 +3,12 @@

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+    nixpkgs-test.url = "github:RaitoBezarius/nixpkgs/experimental-secureboot";
    rust-overlay.url = "github:oxalica/rust-overlay";
    naersk.url = "github:nix-community/naersk";
  };

-  outputs = { self, nixpkgs, rust-overlay, naersk }:
+  outputs = { self, nixpkgs, nixpkgs-test, rust-overlay, naersk }:
    let
      pkgs = import nixpkgs {
        system = "x86_64-linux";
@ -127,6 +128,12 @@
        add-sections ${lanzaboote}/bin/lanzaboote.efi ${osrel} ${cmdline} $out/bin/lanzaboote.efi
      '';
    in {
+      overlays.default = final: prev: {
+        inherit lanzaboote lanzatool;
+      };
+
+      nixosModules.lanzaboote = import ./nix/lanzaboote.nix;
+
      packages.x86_64-linux = {
        inherit qemuUefi uefi-run initrd-stub lanzaboote lanzaboote-uki lanzatool wrapInitrd;
        default = lanzaboote-uki;
@ -146,5 +153,24 @@
          lanzaboote
        ];
      };
+
+      checks.x86_64-linux = {
+        lanzaboote-boot = 
+        let test = import ("${nixpkgs-test}/nixos/lib/testing-python.nix") { system = "x86_64-linux"; };
+        in
+        test.makeTest
+        {
+          name = "stub-boot";
+          nodes.machine = { ... }: {
+            imports = [ self.nixosModules.lanzaboote ];
+            nixpkgs.overlays = [ self.overlays.default ];
+
+            boot.lanzaboote.enable = true;
+          };
+          testScript = ''
+            start_all()
+          '';
+        };
+      };
    };
 }
--- a/nix/lanzaboote.nix
+++ b/nix/lanzaboote.nix
@ -0,0 +1,17 @@
+{ lib, config, ... }: 
+with lib;
+let
+  cfg = config.boot.lanzaboote;
+in
+{
+  options.boot.lanzaboote = {
+    enable = mkEnableOption "Enable the LANZABOOTE";
+  };
+
+  config = mkIf cfg.enable {
+    boot.loader.external = {
+      enable = true;
+      installHook = "${pkgs.lanzatool}/bin/lanzatool install";
+    };
+  };
+}