Unverified Commit 21601ecc authored by Masum Reza's avatar Masum Reza Committed by GitHub

nixos/limine: add settings autoGenerateKeys & autoEnrollKeys (#486777)

parents 5d0990f8 c3f0c3ec
+11 −8
@@ -430,7 +430,7 @@ def install_bootloader() -> None:
            partition formatted as FAT.
        '''))

    if config('secureBoot', 'enable') and not config('secureBoot', 'createAndEnrollKeys') and not os.path.exists("/var/lib/sbctl"):
    if config('secureBoot', 'enable') and not config('secureBoot', 'autoGenerateKeys') and not os.path.exists("/var/lib/sbctl"):
        print("There are no sbctl secure boot keys present. Please generate some.")
        sys.exit(1)

@@ -557,15 +557,18 @@ def install_bootloader() -> None:

        if config('secureBoot', 'enable'):
            sbctl = os.path.join(str(config('secureBoot', 'sbctl')), 'bin', 'sbctl')
            if config('secureBoot', 'createAndEnrollKeys'):
                print("TEST MODE: creating and enrolling keys")
            if not os.path.exists("/var/lib/sbctl") and config('secureBoot', 'autoGenerateKeys'):
                print('auto generating keys')
                try:
                    subprocess.run([sbctl, 'create-keys'])
                except:
                    print('error: failed to create keys', file=sys.stderr)
                    sys.exit(1)
                if config('secureBoot', 'autoEnrollKeys', 'enable'):
                    try:
                    subprocess.run([sbctl, 'enroll-keys', '--yes-this-might-brick-my-machine'])
                        command = [sbctl, 'enroll-keys']
                        command.extend(config('secureBoot', 'autoEnrollKeys', 'extraArgs'))
                        subprocess.run(command)
                    except:
                        print('error: failed to enroll keys', file=sys.stderr)
                        sys.exit(1)
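Review bot: The new `subprocess.run(command)` line runs enroll-keys without `check=True`, so a non-zero exit from sbctl (for example when the firmware is not in Setup Mode) raises nothing and the bare `except:` beneath it never fires; installation then continues as if the keys had been enrolled, and the same holds for the `create-keys` call the hunk keeps as context. The bare `except:` also swallows SystemExit and KeyboardInterrupt rather than only process failures. Change the two lines to `subprocess.run(command, check=True)` and `except (OSError, subprocess.CalledProcessError):`, and apply the same pair of edits to the create-keys try block. install_bootloader continues outside the hunk.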
+25 −9
@@ -224,16 +224,22 @@ in
        '';
      };

      createAndEnrollKeys = lib.mkEnableOption null // {
        internal = true;
        description = ''
          Creates secure boot signing keys and enrolls them during bootloader installation.
      autoGenerateKeys = lib.mkEnableOption null // {
        description = "Generate keys automatically when none exists during bootloader installation";
      };

          ::: {.note}
          This is used for automated nixos tests.
          NOT INTENDED to be used on a real system.
          :::
        '';
      autoEnrollKeys = {
        enable = lib.mkEnableOption null // {
          description = "Enroll automatically generated keys";
        };
        extraArgs = lib.mkOption {
          default = [
            "--microsoft"
            "--firmware-builtin"
          ];
          type = lib.types.listOf lib.types.str;
          description = "Extra arguments passed to sbctl";
        };
      };

      sbctl = lib.mkPackageOption pkgs "sbctl" { };
@@ -484,5 +490,15 @@ in
        DisableShimForSecureBoot = true;
      };
    })
    (lib.mkIf (cfg.enable && cfg.secureBoot.enable && cfg.secureBoot.autoEnrollKeys.enable) {
      assertions = [
        {
          assertion = cfg.secureBoot.autoGenerateKeys;
          message = "autoEnrollKeys doesn't do anything without autoGenerateKeys.";
        }
      ];

      boot.loader.limine.secureBoot.autoGenerateKeys = true;
    })
  ];
}
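Review bot: The final mkIf block both asserts `cfg.secureBoot.autoGenerateKeys` and defines `boot.loader.limine.secureBoot.autoGenerateKeys = true;`, so a user who sets `autoGenerateKeys = false` alongside `autoEnrollKeys.enable = true` most likely gets the module system's conflicting-definitions error instead of the assertion message, while with no user definition the assertion is trivially true. Keep one mechanism: drop the `boot.loader.limine.secureBoot.autoGenerateKeys = true;` line and let the assertion speak, or change it to `lib.mkDefault true` and drop the assertion. In the first hunk, the `extraArgs` description should say where the arguments go and that setting the option replaces the defaults, e.g. `description = "Extra arguments appended to sbctl enroll-keys; setting this replaces the defaults, which also enroll Microsoft's and the firmware's built-in certificates";`. The `autoGenerateKeys` description also reads better as `"Generate keys automatically when none exist during bootloader installation"`.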
+3 −1
@@ -24,7 +24,9 @@
      boot.loader.limine.enable = true;
      boot.loader.limine.efiSupport = true;
      boot.loader.limine.secureBoot.enable = true;
      boot.loader.limine.secureBoot.createAndEnrollKeys = true;
      boot.loader.limine.secureBoot.autoGenerateKeys = true;
      boot.loader.limine.secureBoot.autoEnrollKeys.enable = true;
      boot.loader.limine.secureBoot.autoEnrollKeys.extraArgs = [ "--yes-this-might-brick-my-machine" ];
      boot.loader.timeout = 0;

      environment.systemPackages = [ pkgs.mokutil ];
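Review bot: The test sets `autoEnrollKeys.extraArgs = [ "--yes-this-might-brick-my-machine" ]`, which replaces the module's `--microsoft --firmware-builtin` defaults, so this test no longer exercises the default argument list and the reason for the override is left unstated. A one-line comment above that line would help the next reader, e.g. `# Test VM firmware has no vendor certificates to preserve, so replace the safe defaults with sbctl's explicit override flag.` — presumably that is why the override is needed; confirm before wording it. If the defaults are meant to be covered as well, a second node that keeps them would close the gap.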