diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix
index 74e0931..5612185 100644
--- a/pkgs/image/default.nix
+++ b/pkgs/image/default.nix
@@ -18,6 +18,7 @@ stdenvNoCC.mkDerivation (finalAttrs: {
 mtools
 e2fsprogs
 jq
+ openssl
 ];
 env = {
diff --git a/pkgs/image/mkimage.sh b/pkgs/image/mkimage.sh
index 8c94348..3e6ed9e 100644
--- a/pkgs/image/mkimage.sh
+++ b/pkgs/image/mkimage.sh
@@ -58,8 +58,7 @@ $systemd/usr/bin/systemd-repart \
 --split=true \
 --json=pretty \
 --root=$out \
- patos-$version.raw > init-repart-output.json
-rm -f patos-$version.raw
+ patos-$version.raw > init-repart-output.json && rm -f patos-$version.raw
 roothash=$(jq -r '.[0].roothash' init-repart-output.json)
 rootPart=$(jq -r '.[0].split_path' init-repart-output.json)
 
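Review bot: Chaining `rm -f` onto the systemd-repart invocation with `&&` changes what happens when repart fails: if the script runs with errexit (not visible here), a failing left-hand side of `&&` no longer aborts, so the build would continue into the `jq` reads of a missing or partial init-repart-output.json, whereas the previous two-statement form stopped at the failed call. Keeping the removal as its own statement, `rm -f patos-$version.raw` on the following line, preserves that abort while still cleaning up on success. The systemd-repart command starts outside the hunk.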
@@ -91,12 +90,29 @@ $systemd/usr/bin/ukify build \
 --os-release @./reset-os-release \
 --cmdline "$kernelCmdLine roothash=$roothash systemd.factory_reset=yes" \
 -o patos_factory_reset.efi
-rm -rf rootfs
-cp patos_${version}.efi boot/
-cp patos_factory_reset.efi boot/
-cp ${systemd}/usr/lib/systemd/boot/efi/systemd-bootx64.efi boot/
-echo "timeout 2" > boot/loader.conf
+# Secure boot
+openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout key.pem -subj "/CN=patagia-signing"
+
+SYSTEMD_RELAX_ESP_CHECKS=1 $systemd/usr/bin/bootctl install --root ./rootfs --esp-path /boot \
+ --secure-boot-auto-enroll=true --certificate=./cert.pem --private-key=./key.pem
+
+# install UKIs
+cp patos_${version}.efi rootfs/boot/EFI/Linux
+cp patos_factory_reset.efi rootfs/boot/EFI/Linux
+
+# sign EFIs
+$systemd/usr/lib/systemd/systemd-sbsign sign --certificate=./cert.pem --private-key=./key.pem \
+ rootfs/boot/EFI/BOOT/BOOTX64.EFI --output=rootfs/boot/EFI/BOOT/BOOTX64.EFI
+
+$systemd/usr/lib/systemd/systemd-sbsign sign --certificate=./cert.pem --private-key=./key.pem \
+ rootfs/boot/EFI/Linux/patos_0.0.1.efi --output=rootfs/boot/EFI/Linux/patos_0.0.1.efi
+
+$systemd/usr/lib/systemd/systemd-sbsign sign --certificate=./cert.pem --private-key=./key.pem \
+ rootfs/boot/EFI/Linux/patos_factory_reset.efi --output=rootfs/boot/EFI/Linux/patos_factory_reset.efi
+
+echo "timeout 2" > rootfs/boot/loader/loader.conf
+echo "secure-boot-enroll force" >> rootfs/boot/loader/loader.conf
 # Final partitioning
 cat <<EOF > final.repart.d/10-esp.conf
@@ -105,10 +121,7 @@ Type=esp
 Format=vfat
 SizeMinBytes=160M
 SizeMaxBytes=160M
-CopyFiles=/boot/systemd-bootx64.efi:/EFI/BOOT/BOOTX64.EFI
-CopyFiles=/boot/patos_${version}.efi:/EFI/Linux/patos_${version}.efi
-CopyFiles=/boot/patos_factory_reset.efi:/EFI/Linux/patos_factory_reset.efi
-CopyFiles=/boot/loader.conf:/loader/loader.conf
+CopyFiles=/rootfs/boot:/
 EOF
 cat <<EOF > final.repart.d/20-root.conf
 
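Review bot: The second systemd-sbsign call signs `rootfs/boot/EFI/Linux/patos_0.0.1.efi`, but the file copied into that directory a few lines earlier is `patos_${version}.efi`, so for any version other than 0.0.1 the signing step fails or leaves the shipped UKI unsigned; the line should read `rootfs/boot/EFI/Linux/patos_${version}.efi --output=rootfs/boot/EFI/Linux/patos_${version}.efi`. Separately, the `openssl req` line mints a fresh self-signed key on every build and `secure-boot-enroll force` enrolls that build's certificate as the firmware trust root, so builds are not reproducible and a UKI from a later build will not verify on a device that enrolled an earlier build's certificate; the signing key presumably has to come from outside the build (or at least be a deliberately long-lived key), and a comment above the openssl line should state where it is meant to come from and that `force` enrolls without user confirmation. key.pem is also left in the working directory when the script finishes — if that directory ends up in the build output it should be removed once signing is done. The ukify build command at the top of the hunk starts outside it.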
@@ -142,6 +155,6 @@ $systemd/usr/bin/systemd-repart \
 --root=$out \
 patos-$version.raw > final-repart-output.json
-rm -rf boot
+rm -rf rootfs
 popd
diff --git a/pkgs/systemd/default.nix b/pkgs/systemd/default.nix
index b22d243..a1cb314 100644
--- a/pkgs/systemd/default.nix
+++ b/pkgs/systemd/default.nix
@@ -30,6 +30,8 @@ stdenv.mkDerivation (finalAttrs: {
 hash = "sha256-6rxJUYRq785U6aik5VhQRqG+Ss67lBB6T3eQF+tkyhk=";
 };
+ patches = [ ./skip-verify-esp.patch ];
+
 dontCheckForBrokenSymlinks = true;
 nativeBuildInputs = with pkgs; [
diff --git a/pkgs/systemd/skip-verify-esp.patch b/pkgs/systemd/skip-verify-esp.patch
new file mode 100644
index 0000000..2cb9505
--- /dev/null
+++ b/pkgs/systemd/skip-verify-esp.patch
@@ -0,0 +1,24 @@
+diff --git a/src/shared/find-esp.c b/src/shared/find-esp.c
+index f830d6dfe3..7ad2a8cd1d 100644
+--- a/src/shared/find-esp.c
++++ b/src/shared/find-esp.c
+@@ -403,15 +403,15 @@ static int verify_esp(
+ "File system \"%s\" is not a FAT EFI System Partition (ESP) file system.", p);
+ }
+
+- r = verify_fsroot_dir(pfd, p, flags, FLAGS_SET(flags, VERIFY_ESP_SKIP_DEVICE_CHECK) ? NULL : &devid);
+- if (r < 0)
+- return r;
+-
+ /* In a container we don't have access to block devices, skip this part of the verification, we trust
+ * the container manager set everything up correctly on its own. */
+ if (FLAGS_SET(flags, VERIFY_ESP_SKIP_DEVICE_CHECK))
+ goto finish;
+
++ r = verify_fsroot_dir(pfd, p, flags, FLAGS_SET(flags, VERIFY_ESP_SKIP_DEVICE_CHECK) ? NULL : &devid);
++ if (r < 0)
++ return r;
++
+ if (devnum_is_zero(devid))
+ return log_full_errno(searching ? LOG_DEBUG : LOG_ERR,
+ SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV),
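Review bot: `patches = [ ./skip-verify-esp.patch ];` weakens an ESP verification step inside systemd without recording why, which makes it easy to carry forward blindly on the next version bump or to forget that bootctl is now running with a check removed. A one-line comment above it should name the motivation (presumably so that `bootctl install --root ./rootfs` in mkimage.sh can target a plain directory rather than a mounted ESP) and the condition under which the patch can be dropped, e.g. `# Relaxes find-esp.c so bootctl install accepts a plain directory as ESP; re-check on every systemd bump`.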
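Review bot: In the moved-down `verify_fsroot_dir` call the fourth argument `FLAGS_SET(flags, VERIFY_ESP_SKIP_DEVICE_CHECK) ? NULL : &devid` can now only evaluate to `&devid`, because the `goto finish` directly above already leaves the function whenever that flag is set; the moved line should simply read `r = verify_fsroot_dir(pfd, p, flags, &devid);`. The reorder also means that with VERIFY_ESP_SKIP_DEVICE_CHECK set, everything `verify_fsroot_dir` checks is skipped, not only the device lookup (presumably including whether `p` is a filesystem root), which is a wider relaxation than the flag name suggests and should be stated in the patch header so a future systemd bump re-evaluates it. verify_esp starts and ends outside the quoted hunk.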