Commit Graph

32 Commits

Author SHA1 Message Date
Julian Stecklina 9daa941320
Merge pull request #113 from dasJ/feat/fwupd
Properly handle fwupd update capsules
2023-02-25 23:01:12 +01:00
nikstur ab4e90c331 tests: correctly test appending secret to initrd
The way the test was implemented previously did not make it fail if no
secret was appended to the initrd. Now it is implemented similarly to the
initrd-secrets test in Nixpkgs and works correctly.
2023-02-25 21:41:38 +01:00
nikstur f4f8c41005 tests: add initrd-secrets-update
Add a test for updating the secrets on an existing initrd.
2023-02-24 01:16:52 +01:00
Janne Heß 048df99975
Properly handle fwupd update capsules
Closes #85
2023-02-23 11:38:27 +01:00
ercao d1516ffdfd
nixos/lanzaboote: use `config.systemd.package`
Signed-off-by: ercao <vip@ercao.cn>
2023-02-09 22:24:54 +08:00
Julian Stecklina 0963ba83dd tests: check whether disabled secure boot relaxes hash checks 2023-02-02 18:05:09 +01:00
Julian Stecklina f3ede28eac ci: fix regression after Linux loader change
Now that we don't sign the kernel anymore, we need to manually
invalidate its checksum.
2023-02-02 17:57:34 +01:00
nikstur ce3b2c27b5 tool: write systemd-boot loader.conf
To minimize the number of arguments passed to `lzbt`, the loader config
is assembled outside `lzbt` and passed as a single argument.

Instead of reimplementing `consoleMode` under the `lanzaboote`
namespace, `config.loader.systemd-boot.consoleMode` is reused as is.
2023-01-29 16:19:14 +01:00
nikstur fd2e7f7a40 nix.tests: clean up
The test attributes and names are simplified and standardized. They now
roughly follow the same structure as the systemd-boot test in Nixpkgs.
Some comments are added and variable names changed to make it more clear
what they actually do.
2023-01-28 01:40:48 +01:00
nikstur efa2410292 treewide: move uefi-keys into test fixtures
To clean up the repository move the uefi keys (`pki/`) to
`nix/tests/fixtures/uefi-keys`.
2023-01-26 01:18:41 +01:00
nikstur cc169689f3 tool: smarter systemd-boot install
The process of installing systemd-boot is "smarter" because it now
considers a few conditions instead of doing nothing if there is a file
at the destination path. systemd-boot is now forcibly installed (i.e.
overwriting any file at the destination) if (1) there is no file at the
destination, OR (2) a newer version of systemd-boot is available, OR (3)
the signature of the file at the destination could not be verified.
2023-01-25 22:21:14 +01:00
Julian Stecklina dd499f6642 treewide: fix typos 2023-01-21 10:27:34 +01:00
nikstur 5bb33f3389 treewide: simplify subproject names
Lanzatool is renamed to 'tool' and lanzaboote is renamed to 'stub'.
The name of the lanzatool binary is now 'lzbt' standing for
LanZaBooteTool.
2023-01-17 21:31:14 +01:00
nikstur 4f44cb70a2 lanzatool: generate custom os-release 2023-01-06 21:27:51 +01:00
nikstur eca0ea67fe lanzabooteModule: implement configuration limit 2023-01-02 00:05:21 +01:00
nikstur 7d5ac15cbb nix.tests: move from flake 2022-12-25 18:49:28 +01:00
nikstur 912c9b27a6 nix: move package and module into subdir 2022-12-25 18:38:41 +01:00
nikstur eb9b1bbbe3 treewide: format with nixpkgs-fmt 2022-12-25 18:38:39 +01:00
Raito Bezarius e3f6029643 nixos/lanzaboote: use upstream bootspec for extension generation 2022-12-25 18:05:07 +01:00
Julian Stecklina 30be791826
Merge pull request #24 from nix-community/remove-auto-entroll
Remove auto entroll leftovers
2022-12-11 14:48:27 +00:00
nikstur 36c0a13c4c lanzaboote module: remove --pki-bundle option 2022-12-10 18:11:23 +01:00
Jörg Thalheim c9f9f1c52a nixos/lanzaboote: pkiBundle is not actual optional
the installHook needs it.
2022-12-08 21:26:17 +01:00
Julian Stecklina 28bb93c5f3 nix: switch everything to crane and drop naersk 2022-11-28 14:01:35 +01:00
nikstur 0a96623461 lanzatool: bootspec from generation
The bootspec is now read from each generation so that more than one
entry can be generated when calling install
2022-11-26 22:27:44 +01:00
Ryan Lahfa 95f596f4dc lanzatool: add support for generations and correct naming of kernels a… (#12)
* lanzatool: add support for generations and correct naming of kernels and initrds

* test: use convert_to_esp(extract_bspec_attr(⋅)) for unsigned tests

* lanzatool: ryan is a B class engineer

Co-authored-by: nikstur@outlook.com
2022-11-26 03:14:21 +01:00
Raito Bezarius 9f65f75289 feature: support initrd secrets 2022-11-26 02:01:41 +01:00
Raito Bezarius a99646bb01 nixos: enrollment is optional 2022-11-25 11:29:56 +01:00
Raito Bezarius e75d892964 nixos: disable it and adapt it 2022-11-24 17:09:51 +01:00
Raito Bezarius 2148cb06ab nixos: actually enable sb 2022-11-24 17:07:06 +01:00
Raito Bezarius ccdd02bf1c nixos: add a lanzaboote module
- Wire up things with Bootspec & External bootloaders
- Introduce SecureBoot keys
2022-11-24 17:07:05 +01:00
Raito Bezarius c53477fbf5 nixos: add a lanzaboote module 2022-11-24 16:59:59 +01:00
Julian Stecklina bcad59a20a Move uefi-run into its own Nix file 2022-11-22 00:43:15 +01:00