From 8fb3174c7868f39470a0070462344f7e64a5d6b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lars=20Sj=C3=B6strom?= <lars@radicore.se>
Date: Mon, 17 Mar 2025 22:22:35 +0100
Subject: [PATCH] feat: enroll secure boot at first boot
---
 pkgs/image/default.nix | 32 +++++++++++++++++-------------
 pkgs/rootfs/mkinitrd.nix | 43 ++++++++++++++++++++++++++++++++++++++++
 pkgs/rootfs/mkrootfs.nix | 8 +++++++-
 3 files changed, 68 insertions(+), 15 deletions(-)
diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix
index e82bc3d..2084901 100644
--- a/pkgs/image/default.nix
+++ b/pkgs/image/default.nix
@@ -54,6 +54,22 @@ mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/sys
 ln -sf ../systemd-confext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-confext.service
 ln -sf ../systemd-sysext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-sysext.service
+cat <<EOF > rootfs/usr/lib/systemd/system/secure-boot-import-keys.service
+[Unit]
+Description=Import Secure Boot keys
+DefaultDependencies=no
+RequiresMountsFor=/var/lib/sbctl /boot
+ConditionPathExists=/boot/sbctl/keys
+After=local-fs.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=sbctl import-keys -d /boot/sbctl/keys
+ExecStartPost=rm -rf /boot/sbctl
+EOF
+ln -sf ../secure-boot-import-keys.service rootfs/usr/lib/systemd/system/sysinit.target.wants/secure-boot-import-keys.service
+
 # Initial partitioning
 cat <<EOF > init.repart.d/10-root.conf
 [Partition]
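Review bot: `ExecStartPost=rm -rf /boot/sbctl` runs only when `ExecStart` succeeds, so if `sbctl import-keys` fails the PK/KEK/db private keys staged by the initrd remain in plaintext on the unencrypted ESP and the failed unit is the only indication. That staging window is the design here (the keys have to cross from the initrd to the rootfs somehow), so it should be stated in the unit, e.g. `Description=Import Secure Boot keys staged on the ESP by the initrd, then remove the plaintext copy`, and the cleanup should be `ExecStartPost=rm -rf -- /boot/sbctl`. The initrd also writes a `GUID` file next to the keys; `import-keys -d` is handed only the key directory and the whole of `/boot/sbctl` is deleted afterwards, so if sbctl needs that owner GUID later (re-enrolment, key rotation) it is gone — confirm against sbctl's import-keys behaviour before relying on this.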
@@ -102,9 +118,7 @@ ${patosPkgs.systemd}/usr/bin/ukify build \
 -o patos_${version}.efi
 # install ESP
-SYSTEMD_RELAX_ESP_CHECKS=1 ${patosPkgs.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot \
- --secure-boot-auto-enroll=true --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem
-echo "timeout 2" > rootfs/boot/loader/loader.conf
+SYSTEMD_RELAX_ESP_CHECKS=1 ${patosPkgs.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot
 # setup factory reset
 mkdir -p rootfs/boot/EFI/tools
@@ -122,21 +136,11 @@ options \EFI\tools\factoryreset.nsh L"t"
 efi EFI/tools/shell.efi
 EOF
-# sign EFIs
-${patosPkgs.systemd}/usr/lib/systemd/systemd-sbsign sign --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem \
- rootfs/boot/EFI/tools/shell.efi --output=rootfs/boot/EFI/tools/shell.efi
-
-${patosPkgs.systemd}/usr/lib/systemd/systemd-sbsign sign --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem \
- rootfs/boot/EFI/BOOT/BOOTX64.EFI --output=rootfs/boot/EFI/BOOT/BOOTX64.EFI
-
-${patosPkgs.systemd}/usr/lib/systemd/systemd-sbsign sign --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem \
- patos_${version}.efi --output=patos_${version}.efi
+echo "timeout 2" > rootfs/boot/loader/loader.conf
 # install UKI
 cp patos_${version}.efi rootfs/boot/EFI/Linux
-echo "secure-boot-enroll force" >> rootfs/boot/loader/loader.conf
-
 # Final partitioning
 cat <<EOF > final.repart.d/10-esp.conf
 [Partition]
diff --git a/pkgs/rootfs/mkinitrd.nix b/pkgs/rootfs/mkinitrd.nix
index 2187514..5cc6411 100644
--- a/pkgs/rootfs/mkinitrd.nix
+++ b/pkgs/rootfs/mkinitrd.nix
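Review bot: With `--secure-boot-auto-enroll` dropped from `bootctl install` here and the build-time `systemd-sbsign` signing removed in the next hunk, the image now ships an unsigned `BOOTX64.EFI`, `shell.efi` and UKI and relies entirely on the firmware being in Setup Mode at first boot; a machine whose firmware already holds keys will reject the unsigned loader before the initrd's `setup_mode` check ever runs. Nothing in the remaining lines records that assumption, so a comment next to `bootctl install` is warranted, e.g. `# no build-time signing or auto-enroll: keys are generated, enrolled and EFIs signed on first boot by the initrd (mkinitrd.nix); the firmware must be in Setup Mode`. The moved `echo "timeout 2" > rootfs/boot/loader/loader.conf` still truncates the file, and with `secure-boot-enroll force` removed there is no second writer, so that part is consistent.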
@@ -31,6 +31,49 @@ ln -sf /etc/os-release ./etc/initrd-release
 # set default target to initrd inside initrd
 ln -sf initrd.target ./usr/lib/systemd/system/default.target
+# setup secure boot
+cat <<EOF > ./usr/bin/secure-boot-enroll
+#!/bin/sh
+set -ex -o pipefail
+
+SETUP_MODE=\$(sbctl status --json | xq -r '.setup_mode')
+
+[ "\$SETUP_MODE" = "false" ] && exit 0
+
+cat <<EOL> /run/sbctl.yml
+---
+keydir: /sysroot/boot/sbctl/keys
+guid: /sysroot/boot/sbctl/GUID
+EOL
+
+ESP=\$(blkid --label ESP)
+
+mount \$ESP /sysroot/boot && \
+ sbctl --config /run/sbctl.yml create-keys && \
+ sbctl --config /run/sbctl.yml enroll-keys --yolo && \
+ # Sign EFIs
+ find /sysroot/boot -type f \( -iname "*.efi" -o -iname "*.EFI" \) -print0 | xargs -I {} sbctl --config /run/sbctl.yml sign {}
+
+umount /sysroot/boot && \
+ systemctl reboot -f
+EOF
+chmod +x ./usr/bin/secure-boot-enroll
+
+cat <<EOF > ./usr/lib/systemd/system/secure-boot-enroll.service
+[Unit]
+Description=Enroll Secure Boot
+DefaultDependencies=false
+After=sysroot-run.mount
+Requires=sysroot-run.mount
+Before=systemd-repart.service initrd.target shutdown.target sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/secure-boot-enroll
+RemainAfterExit=yes
+EOF
+ln -sf ../secure-boot-enroll.service ./usr/lib/systemd/system/initrd-root-fs.target.wants/secure-boot-enroll.service
+
 # bind mount /run to /sysroot/run
 cat <<EOF > ./usr/lib/systemd/system/sysroot-run.mount
 [Unit]
diff --git a/pkgs/rootfs/mkrootfs.nix b/pkgs/rootfs/mkrootfs.nix
index ca449b3..f98a219 100644
--- a/pkgs/rootfs/mkrootfs.nix
+++ b/pkgs/rootfs/mkrootfs.nix
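Review bot: `find ... -print0 | xargs -I {} sbctl ... sign {}` feeds NUL-delimited paths to an xargs that is not given `-0`, so the list is not split as intended (GNU xargs warns about or rejects NUL bytes without `--null`), and this signing step is the one thing between a freshly enrolled db and an unbootable ESP after `systemctl reboot -f`; since `-iname` is already case-insensitive, `find /sysroot/boot -type f -iname '*.efi' -exec sbctl --config /run/sbctl.yml sign {} \;` does the job without xargs. `enroll-keys --yolo` skips sbctl's firmware compatibility checks and enrols only the self-generated keys, which on hardware whose Option ROMs are signed by the Microsoft UEFI CA can leave the machine unable to boot; that trade-off should be stated in a comment above the call. The script carries `#!/bin/sh` but uses `set -o pipefail`, which a strictly POSIX `sh` may reject as an illegal option and abort before anything runs — confirm which shell the initrd provides. Signing every `*.efi` on the ESP also covers `EFI/tools/shell.efi`, so the UEFI shell becomes trusted under Secure Boot; signing an explicit list would keep that decision visible. The generated private keys land in plaintext on the unencrypted ESP (`keydir: /sysroot/boot/sbctl/keys`) until the rootfs imports them, which is worth a comment here naming the unit expected to remove them.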
@@ -172,7 +172,13 @@ cp -P ${pkgs.kmod.lib}/lib/*.so* $out/usr/lib/
 cp -P ${pkgs.kmod}/bin/* $out/usr/bin
 ### install libbpf
-cp -P ${pkgs.libbpf}/lib/libbpf*.so* $out/usr/lib
+cp -P ${pkgs.libbpf}/lib/libbpf*.so* $out/usr/lib/
+
+### install secure boot tools
+cp -P ${pkgs.sbctl}/bin/sbctl $out/usr/bin/
+rm -f $out/usr/bin/blkid
+cp -P ${pkgs.util-linuxMinimal}/bin/blkid $out/usr/bin/
+cp -P ${pkgs.xq}/bin/xq $out/usr/bin/
 ### install ca cert bundle
 chmod 755 $out/etc/ssl $out/etc/ssl/certs
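Review bot: `cp -P ${pkgs.util-linuxMinimal}/bin/blkid $out/usr/bin/` copies only the executable, while the surrounding file copies shared libraries by hand (`libbpf*.so*` just above, `${pkgs.kmod.lib}/lib/*.so*` in the hunk header), so unless libblkid is already present in `$out/usr/lib` the dynamically linked `blkid` will fail at runtime — worth verifying, and worth a comment if it is deliberately covered elsewhere. `rm -f $out/usr/bin/blkid` silently replaces a `blkid` that some earlier step installed; a comment naming which package provided it and why util-linux's is preferred would save the next reader the search, e.g. `# replace the blkid installed above with util-linux's (needed by the initrd enroll script)`. These tools are consumed by the initrd script added in mkinitrd.nix; if the initrd is not built from this rootfs tree, `sbctl`, `xq` and `blkid` will be missing there — confirm.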