treewide: format with nixpkgs-fmt

This commit is contained in:
nikstur 2022-12-25 15:43:52 +01:00
parent 07fc31613e
commit eb9b1bbbe3
2 changed files with 86 additions and 79 deletions

163
flake.nix

@ -40,28 +40,32 @@
}; };
# Build attributes for a Rust application. # Build attributes for a Rust application.
buildRustApp = { buildRustApp =
src, target ? null, doCheck ? true { src
}: let , target ? null
cleanedSrc = craneLib.cleanCargoSource src; , doCheck ? true
commonArgs = { }:
src = cleanedSrc; let
CARGO_BUILD_TARGET = target; cleanedSrc = craneLib.cleanCargoSource src;
inherit doCheck; commonArgs = {
src = cleanedSrc;
CARGO_BUILD_TARGET = target;
inherit doCheck;
};
cargoArtifacts = craneLib.buildDepsOnly commonArgs;
in
{
package = craneLib.buildPackage (commonArgs // {
inherit cargoArtifacts;
});
clippy = craneLib.cargoClippy (commonArgs // {
inherit cargoArtifacts;
cargoClippyExtraArgs = "-- --deny warnings";
});
}; };
cargoArtifacts = craneLib.buildDepsOnly commonArgs;
in {
package = craneLib.buildPackage (commonArgs // {
inherit cargoArtifacts;
});
clippy = craneLib.cargoClippy (commonArgs // {
inherit cargoArtifacts;
cargoClippyExtraArgs = "-- --deny warnings";
});
};
lanzabooteCrane = buildRustApp { lanzabooteCrane = buildRustApp {
src = ./rust/lanzaboote; src = ./rust/lanzaboote;
target = "x86_64-unknown-uefi"; target = "x86_64-unknown-uefi";
@ -76,9 +80,10 @@
lanzatool-unwrapped = lanzatoolCrane.package; lanzatool-unwrapped = lanzatoolCrane.package;
lanzatool = pkgs.runCommand "lanzatool" { lanzatool = pkgs.runCommand "lanzatool"
nativeBuildInputs = [ pkgs.makeWrapper ]; {
} '' nativeBuildInputs = [ pkgs.makeWrapper ];
} ''
mkdir -p $out/bin mkdir -p $out/bin
# Clean PATH to only contain what we need to do objcopy. Also # Clean PATH to only contain what we need to do objcopy. Also
@ -88,7 +93,8 @@
--set RUST_BACKTRACE full \ --set RUST_BACKTRACE full \
--set LANZABOOTE_STUB ${lanzaboote}/bin/lanzaboote.efi --set LANZABOOTE_STUB ${lanzaboote}/bin/lanzaboote.efi
''; '';
in { in
{
overlays.default = final: prev: { overlays.default = final: prev: {
inherit lanzatool; inherit lanzatool;
}; };
@ -122,65 +128,66 @@
]; ];
}; };
checks.x86_64-linux = let checks.x86_64-linux =
mkSecureBootTest = { name, machine ? {}, testScript }: nixpkgs-test.legacyPackages.x86_64-linux.nixosTest { let
inherit name testScript; mkSecureBootTest = { name, machine ? { }, testScript }: nixpkgs-test.legacyPackages.x86_64-linux.nixosTest {
nodes.machine = { lib, ... }: { inherit name testScript;
imports = [ nodes.machine = { lib, ... }: {
self.nixosModules.lanzaboote imports = [
machine self.nixosModules.lanzaboote
]; machine
];
nixpkgs.overlays = [ self.overlays.default ]; nixpkgs.overlays = [ self.overlays.default ];
virtualisation = { virtualisation = {
useBootLoader = true; useBootLoader = true;
useEFIBoot = true; useEFIBoot = true;
useSecureBoot = true; useSecureBoot = true;
}; };
boot.loader.efi = { boot.loader.efi = {
canTouchEfiVariables = true; canTouchEfiVariables = true;
}; };
boot.lanzaboote = { boot.lanzaboote = {
enable = true; enable = true;
enrollKeys = lib.mkDefault true; enrollKeys = lib.mkDefault true;
pkiBundle = ./pki; pkiBundle = ./pki;
};
}; };
}; };
};
# Execute a boot test that is intended to fail. # Execute a boot test that is intended to fail.
# #
mkUnsignedTest = { name, path, appendCrap ? false }: mkSecureBootTest { mkUnsignedTest = { name, path, appendCrap ? false }: mkSecureBootTest {
inherit name; inherit name;
testScript = '' testScript = ''
import json import json
import os.path import os.path
bootspec = None bootspec = None
def convert_to_esp(store_file_path): def convert_to_esp(store_file_path):
store_dir = os.path.basename(os.path.dirname(store_file_path)) store_dir = os.path.basename(os.path.dirname(store_file_path))
filename = os.path.basename(store_file_path) filename = os.path.basename(store_file_path)
return f'/boot/EFI/nixos/{store_dir}-(unknown).efi' return f'/boot/EFI/nixos/{store_dir}-(unknown).efi'
machine.start() machine.start()
bootspec = json.loads(machine.succeed("cat /run/current-system/boot.json")).get('v1') bootspec = json.loads(machine.succeed("cat /run/current-system/boot.json")).get('v1')
assert bootspec is not None, "Unsupported bootspec version!" assert bootspec is not None, "Unsupported bootspec version!"
src_path = ${path.src} src_path = ${path.src}
dst_path = ${path.dst} dst_path = ${path.dst}
machine.succeed(f"cp -rf {src_path} {dst_path}") machine.succeed(f"cp -rf {src_path} {dst_path}")
'' + lib.optionalString appendCrap '' '' + lib.optionalString appendCrap ''
machine.succeed(f"echo Foo >> {dst_path}") machine.succeed(f"echo Foo >> {dst_path}")
'' + '' +
'' ''
machine.succeed("sync") machine.succeed("sync")
machine.crash() machine.crash()
machine.start() machine.start()
machine.wait_for_console_text("Hash mismatch") machine.wait_for_console_text("Hash mismatch")
''; '';
}; };
in in
{ {
lanzatool-clippy = lanzatoolCrane.clippy; lanzatool-clippy = lanzatoolCrane.clippy;
lanzaboote-clippy = lanzabooteCrane.clippy; lanzaboote-clippy = lanzabooteCrane.clippy;
@ -225,9 +232,9 @@
''; '';
}; };
testScript = '' testScript = ''
machine.start() machine.start()
assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status") assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status")
''; '';
}; };
# The initrd is not directly signed. Its hash is embedded # The initrd is not directly signed. Its hash is embedded


@ -1,4 +1,4 @@
{ lib, config, pkgs, ... }: { lib, config, pkgs, ... }:
with lib; with lib;
let let
cfg = config.boot.lanzaboote; cfg = config.boot.lanzaboote;