Loading nixos/lib/make-disk-image.nix +3 −0 Original line number Diff line number Diff line Loading @@ -536,6 +536,9 @@ let format' = format; in let concatStringsSep " " (lib.optional useEFIBoot "-drive if=pflash,format=raw,unit=0,readonly=on,file=${efiFirmware}" ++ lib.optionals touchEFIVars [ "-drive if=pflash,format=raw,unit=1,file=$efiVars" ] ++ lib.optionals (OVMF.systemManagementModeRequired or false) [ "-machine" "q35,smm=on" "-global" "driver=cfi.pflash01,property=secure,value=on" ] ); inherit memSize; Loading nixos/modules/virtualisation/qemu-vm.nix +6 −0 Original line number Diff line number Diff line Loading @@ -877,9 +877,11 @@ in type = types.package; default = (pkgs.OVMF.override { secureBoot = cfg.useSecureBoot; systemManagementModeRequired = cfg.useSecureBoot; }).fd; defaultText = ''(pkgs.OVMF.override { secureBoot = cfg.useSecureBoot; systemManagementModeRequired = cfg.useSecureBoot; }).fd''; description = lib.mdDoc "OVMF firmware package, defaults to OVMF configured with secure boot if needed."; Loading Loading @@ -1183,6 +1185,10 @@ in "-tpmdev emulator,id=tpm_dev_0,chardev=chrtpm" "-device ${cfg.tpm.deviceModel},tpmdev=tpm_dev_0" ]) (mkIf (cfg.efi.OVMF.systemManagementModeRequired or false) [ "-machine" "q35,smm=on" "-global" "driver=cfi.pflash01,property=secure,value=on" ]) ]; virtualisation.qemu.drives = mkMerge [ Loading nixos/tests/systemd-boot.nix +26 −0 Original line number Diff line number Diff line Loading 
@@ -39,6 +39,32 @@ in ''; }; # Test that systemd-boot works with secure boot secureBoot = makeTest { name = "systemd-boot-secure-boot"; nodes.machine = { imports = [ common ]; environment.systemPackages = [ pkgs.sbctl ]; virtualisation.useSecureBoot = true; }; testScript = '' machine.start(allow_reboot=True) machine.wait_for_unit("multi-user.target") machine.succeed("sbctl create-keys") machine.succeed("sbctl enroll-keys --yes-this-might-brick-my-machine") machine.succeed('sbctl sign /boot/EFI/systemd/systemd-bootx64.efi') machine.succeed('sbctl sign /boot/EFI/BOOT/BOOTX64.EFI') machine.succeed('sbctl sign /boot/EFI/nixos/*bzImage.efi') machine.reboot() assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status") ''; }; # Check that specialisations create corresponding boot entries. specialisation = makeTest { name = "systemd-boot-specialisation"; Loading pkgs/applications/virtualization/OVMF/default.nix +2 −0 Original line number Diff line number Diff line Loading @@ -172,6 +172,8 @@ edk2.mkDerivation projectDscPath (finalAttrs: { variables = "${prefix}_VARS.fd"; # This will test the EFI firmware for the host platform as part of the NixOS Tests setup. tests.basic-systemd-boot = nixosTests.systemd-boot.basic; tests.secureBoot-systemd-boot = nixosTests.systemd-boot.secureBoot; inherit secureBoot systemManagementModeRequired; }; meta = { Loading Loading
nixos/lib/make-disk-image.nix +3 −0 Original line number Diff line number Diff line Loading @@ -536,6 +536,9 @@ let format' = format; in let concatStringsSep " " (lib.optional useEFIBoot "-drive if=pflash,format=raw,unit=0,readonly=on,file=${efiFirmware}" ++ lib.optionals touchEFIVars [ "-drive if=pflash,format=raw,unit=1,file=$efiVars" ] ++ lib.optionals (OVMF.systemManagementModeRequired or false) [ "-machine" "q35,smm=on" "-global" "driver=cfi.pflash01,property=secure,value=on" ] ); inherit memSize; Loading
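Review bot: The `lib.optionals (OVMF.systemManagementModeRequired or false)` guard silently drops `-machine q35,smm=on` and the `secure=on` pflash property whenever the firmware attribute set does not expose that flag, and nothing in the file says why a machine type is being forced here; as far as I understand OVMF, without SMM the authenticated variable store in `$efiVars` (PK/KEK/db) stays rewritable from inside the guest, so a Secure Boot firmware would boot with its enforcement trivially bypassable. I would put the rationale next to the guard: `# SMM plus a "secure" pflash keeps the authenticated variable store out of reach of the guest; without it Secure Boot can be switched off by rewriting PK/db from inside the VM.` Rather than falling back quietly, consider a `lib.warn` (or an assertion) when `OVMF.secureBoot or false` is true but the SMM flag is absent. The `let … in` building the QEMU option string starts and ends outside this hunk.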
nixos/modules/virtualisation/qemu-vm.nix +6 −0 Original line number Diff line number Diff line Loading @@ -877,9 +877,11 @@ in type = types.package; default = (pkgs.OVMF.override { secureBoot = cfg.useSecureBoot; systemManagementModeRequired = cfg.useSecureBoot; }).fd; defaultText = ''(pkgs.OVMF.override { secureBoot = cfg.useSecureBoot; systemManagementModeRequired = cfg.useSecureBoot; }).fd''; description = lib.mdDoc "OVMF firmware package, defaults to OVMF configured with secure boot if needed."; Loading Loading @@ -1183,6 +1185,10 @@ in "-tpmdev emulator,id=tpm_dev_0,chardev=chrtpm" "-device ${cfg.tpm.deviceModel},tpmdev=tpm_dev_0" ]) (mkIf (cfg.efi.OVMF.systemManagementModeRequired or false) [ "-machine" "q35,smm=on" "-global" "driver=cfi.pflash01,property=secure,value=on" ]) ]; virtualisation.qemu.drives = mkMerge [ Loading
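Review bot: The option description still reads only "configured with secure boot if needed", but with `systemManagementModeRequired = cfg.useSecureBoot` in the default the second hunk's `mkIf` now also injects `-machine q35,smm=on` and the `secure=on` pflash property, so enabling `useSecureBoot` changes the guest's machine type, which a user reading this option will not expect. I would state it: `OVMF firmware package. Defaults to an OVMF built with Secure Boot and SMM support when useSecureBoot is set; a firmware exposing systemManagementModeRequired = true additionally forces the q35 machine type with SMM enabled so the guest cannot rewrite the Secure Boot variable store.` Because the `mkIf` condition uses `or false`, a user-supplied `efi.OVMF` that lacks the attribute gets no SMM protection without any warning; an `assertions` entry (or `lib.warn`) when `cfg.useSecureBoot` is set but the attribute is missing would make that degradation visible. Whether this second `-machine` option composes with one a user already passes via `virtualisation.qemu.options` is not visible here and is worth checking; the `virtualisation.qemu.options` list starts before this hunk.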
nixos/tests/systemd-boot.nix +26 −0 Original line number Diff line number Diff line Loading @@ -39,6 +39,32 @@ in ''; }; # Test that systemd-boot works with secure boot secureBoot = makeTest { name = "systemd-boot-secure-boot"; nodes.machine = { imports = [ common ]; environment.systemPackages = [ pkgs.sbctl ]; virtualisation.useSecureBoot = true; }; testScript = '' machine.start(allow_reboot=True) machine.wait_for_unit("multi-user.target") machine.succeed("sbctl create-keys") machine.succeed("sbctl enroll-keys --yes-this-might-brick-my-machine") machine.succeed('sbctl sign /boot/EFI/systemd/systemd-bootx64.efi') machine.succeed('sbctl sign /boot/EFI/BOOT/BOOTX64.EFI') machine.succeed('sbctl sign /boot/EFI/nixos/*bzImage.efi') machine.reboot() assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status") ''; }; # Check that specialisations create corresponding boot entries. specialisation = makeTest { name = "systemd-boot-specialisation"; Loading
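Review bot: The test only checks the positive signal, `"Secure Boot: enabled (user)"` in `bootctl status`, which shows the firmware reports the mode but not that anything is actually enforced or that the variable store is locked after the keys were enrolled; the SMM/`secure=on` plumbing the other hunks add would pass this test even if it were silently dropped. A cheap negative check after `machine.reboot()` would tie the test to the protection being tested, e.g. `machine.fail("sbctl enroll-keys --yes-this-might-brick-my-machine")` (assuming sbctl refuses to enroll outside setup mode, which I have not verified) and, if the exit status reflects unsigned binaries, `machine.succeed("sbctl verify")` before the reboot so a missed `*bzImage.efi` glob fails early instead of producing an unbootable VM. The exact wording of the `bootctl status` line depends on the systemd version, so pinning it in a comment next to the assert would help the next person who sees it change.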
pkgs/applications/virtualization/OVMF/default.nix +2 −0 Original line number Diff line number Diff line Loading @@ -172,6 +172,8 @@ edk2.mkDerivation projectDscPath (finalAttrs: { variables = "${prefix}_VARS.fd"; # This will test the EFI firmware for the host platform as part of the NixOS Tests setup. tests.basic-systemd-boot = nixosTests.systemd-boot.basic; tests.secureBoot-systemd-boot = nixosTests.systemd-boot.secureBoot; inherit secureBoot systemManagementModeRequired; }; meta = { Loading
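Review bot: `tests.secureBoot-systemd-boot` points at a NixOS test whose machine sets `virtualisation.useSecureBoot = true`, and per the qemu-vm.nix default shown on this page that test builds its own `pkgs.OVMF.override { secureBoot = true; systemManagementModeRequired = true; }` rather than the derivation this `tests` attribute is attached to, so `OVMF.tests.secureBoot-systemd-boot` does not appear to validate this particular build's `secureBoot`/`systemManagementModeRequired` settings. If the test cannot take the firmware as a parameter, a comment such as `# NOTE: this test builds its own secure-boot OVMF via virtualisation.useSecureBoot; it does not exercise the flags of this derivation.` would avoid a false sense of coverage. The new `inherit secureBoot systemManagementModeRequired;` is what the consumers key on with `or false` to decide whether to pass `-machine q35,smm=on`, so a one-line comment saying downstream depends on these names would protect them from a casual rename. The `passthru` set and the `finalAttrs` function continue outside the hunk.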