feat: enable secure boot

Lars Sjöström 2025-03-14 10:45:39 +01:00
parent 1fcc45dd32
commit 1f1c93b775
4 changed files with 52 additions and 12 deletions


@ -18,6 +18,7 @@ stdenvNoCC.mkDerivation (finalAttrs: {
mtools
e2fsprogs
jq
openssl
];
env = {


@ -58,8 +58,7 @@ $systemd/usr/bin/systemd-repart \
--split=true \
--json=pretty \
--root=$out \
patos-$version.raw > init-repart-output.json
rm -f patos-$version.raw
patos-$version.raw > init-repart-output.json && rm -f patos-$version.raw
roothash=$(jq -r '.[0].roothash' init-repart-output.json)
rootPart=$(jq -r '.[0].split_path' init-repart-output.json)
@ -91,12 +90,29 @@ $systemd/usr/bin/ukify build \
--os-release @./reset-os-release \
--cmdline "$kernelCmdLine roothash=$roothash systemd.factory_reset=yes" \
-o patos_factory_reset.efi
rm -rf rootfs
cp patos_${version}.efi boot/
cp patos_factory_reset.efi boot/
cp ${systemd}/usr/lib/systemd/boot/efi/systemd-bootx64.efi boot/
echo "timeout 2" > boot/loader.conf
# Secure boot
openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout key.pem -subj "/CN=patagia-signing"
SYSTEMD_RELAX_ESP_CHECKS=1 $systemd/usr/bin/bootctl install --root ./rootfs --esp-path /boot \
--secure-boot-auto-enroll=true --certificate=./cert.pem --private-key=./key.pem
# install UKIs
cp patos_${version}.efi rootfs/boot/EFI/Linux
cp patos_factory_reset.efi rootfs/boot/EFI/Linux
# sign EFIs
$systemd/usr/lib/systemd/systemd-sbsign sign --certificate=./cert.pem --private-key=./key.pem \
rootfs/boot/EFI/BOOT/BOOTX64.EFI --output=rootfs/boot/EFI/BOOT/BOOTX64.EFI
$systemd/usr/lib/systemd/systemd-sbsign sign --certificate=./cert.pem --private-key=./key.pem \
rootfs/boot/EFI/Linux/patos_0.0.1.efi --output=rootfs/boot/EFI/Linux/patos_0.0.1.efi
$systemd/usr/lib/systemd/systemd-sbsign sign --certificate=./cert.pem --private-key=./key.pem \
rootfs/boot/EFI/Linux/patos_factory_reset.efi --output=rootfs/boot/EFI/Linux/patos_factory_reset.efi
echo "timeout 2" > rootfs/boot/loader/loader.conf
echo "secure-boot-enroll force" >> rootfs/boot/loader/loader.conf
# Final partitioning
cat <<EOF > final.repart.d/10-esp.conf
@ -105,10 +121,7 @@ Type=esp
Format=vfat
SizeMinBytes=160M
SizeMaxBytes=160M
CopyFiles=/boot/systemd-bootx64.efi:/EFI/BOOT/BOOTX64.EFI
CopyFiles=/boot/patos_${version}.efi:/EFI/Linux/patos_${version}.efi
CopyFiles=/boot/patos_factory_reset.efi:/EFI/Linux/patos_factory_reset.efi
CopyFiles=/boot/loader.conf:/loader/loader.conf
CopyFiles=/rootfs/boot:/
EOF
cat <<EOF > final.repart.d/20-root.conf
@ -142,6 +155,6 @@ $systemd/usr/bin/systemd-repart \
--root=$out \
patos-$version.raw > final-repart-output.json
rm -rf boot
rm -rf rootfs
popd
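Review bot: The second systemd-sbsign call signs `rootfs/boot/EFI/Linux/patos_0.0.1.efi` with a hard-coded version, while the UKI installed a few lines earlier is `patos_${version}.efi`; as soon as `version` is anything else the sign step points at a file that does not exist (presumably failing the build, or otherwise leaving the installed UKI unsigned and unbootable under the enrolled db). The three sbsign invocations also repeat the same certificate/key arguments, so a loop over the three paths keeps the file list in one place. Separately, `openssl req` generates a fresh key on every build and nothing in the hunk persists it, so each image auto-enrolls a key that only that build's binaries are signed with — a later rebuild cannot produce a UKI the earlier-enrolled firmware trusts unless the key is supplied from outside the build; if that is intended, a comment saying so (and what the 365-day `-days` bound is meant to cover) would help the next maintainer. `secure-boot-enroll force` in loader.conf enrolls PK/KEK/db without confirmation on first boot, which is worth one line of comment next to it.
```shell
# sign EFIs (bootloader copied by bootctl install, plus the two UKIs)
for efi in rootfs/boot/EFI/BOOT/BOOTX64.EFI \
           rootfs/boot/EFI/Linux/patos_${version}.efi \
           rootfs/boot/EFI/Linux/patos_factory_reset.efi; do
  $systemd/usr/lib/systemd/systemd-sbsign sign --certificate=./cert.pem --private-key=./key.pem \
    "$efi" --output="$efi"
done
# … unchanged: loader.conf, final partitioning …
```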


@ -30,6 +30,8 @@ stdenv.mkDerivation (finalAttrs: {
hash = "sha256-6rxJUYRq785U6aik5VhQRqG+Ss67lBB6T3eQF+tkyhk=";
};
patches = [ ./skip-verify-esp.patch ];
dontCheckForBrokenSymlinks = true;
nativeBuildInputs = with pkgs; [
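Review bot: `dontCheckForBrokenSymlinks = true;` is added without a comment naming the symlink the check trips on, so the next person cannot tell whether it is still needed; a one-line `# <which symlink and why>` comment next to it would fix that. The `patches` entry relaxes bootctl's ESP verification in this systemd build; if this same derivation is what gets installed into the image (not visible from this hunk), the relaxed check ships to the target as well, so the attribute deserves a comment such as `# skip-verify-esp.patch: lets bootctl install into ./rootfs/boot in the build sandbox under SYSTEMD_RELAX_ESP_CHECKS=1`.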


@ -0,0 +1,24 @@
diff --git a/src/shared/find-esp.c b/src/shared/find-esp.c
index f830d6dfe3..7ad2a8cd1d 100644
--- a/src/shared/find-esp.c
+++ b/src/shared/find-esp.c
@@ -403,15 +403,15 @@ static int verify_esp(
"File system \"%s\" is not a FAT EFI System Partition (ESP) file system.", p);
}
- r = verify_fsroot_dir(pfd, p, flags, FLAGS_SET(flags, VERIFY_ESP_SKIP_DEVICE_CHECK) ? NULL : &devid);
- if (r < 0)
- return r;
-
/* In a container we don't have access to block devices, skip this part of the verification, we trust
* the container manager set everything up correctly on its own. */
if (FLAGS_SET(flags, VERIFY_ESP_SKIP_DEVICE_CHECK))
goto finish;
+ r = verify_fsroot_dir(pfd, p, flags, FLAGS_SET(flags, VERIFY_ESP_SKIP_DEVICE_CHECK) ? NULL : &devid);
+ if (r < 0)
+ return r;
+
if (devnum_is_zero(devid))
return log_full_errno(searching ? LOG_DEBUG : LOG_ERR,
SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV),
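Review bot: After the move, the `verify_fsroot_dir` call sits below the `goto finish` taken when VERIFY_ESP_SKIP_DEVICE_CHECK is set, so the `FLAGS_SET(flags, VERIFY_ESP_SKIP_DEVICE_CHECK) ? NULL : &devid` argument can no longer evaluate to NULL; the dead conditional should become `r = verify_fsroot_dir(pfd, p, flags, &devid);` so the reader does not look for a path that no longer exists. The behavioural change is that with the flag set (which the build script triggers via SYSTEMD_RELAX_ESP_CHECKS=1) whatever `verify_fsroot_dir` checks beyond the device number is now skipped entirely rather than run with `ret_dev` NULL; the patch file has no description before `diff --git`, and a short header stating that this is a build-sandbox workaround for `bootctl install --root ./rootfs` and that the upstream check is intentionally bypassed would make that trade-off visible to whoever next bumps systemd. `verify_esp` begins and ends outside the hunk.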