feat: enroll secure boot at first boot

2025-03-17 22:22:35 +01:00 · 2025-03-17 22:22:35 +01:00 · 8fb3174c78
commit 8fb3174c78
parent dc8ed2a774
3 changed files with 68 additions and 15 deletions
--- a/pkgs/image/default.nix
+++ b/pkgs/image/default.nix
@ -54,6 +54,22 @@ mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/sys
 ln -sf ../systemd-confext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-confext.service
 ln -sf ../systemd-sysext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-sysext.service

+cat <<EOF > rootfs/usr/lib/systemd/system/secure-boot-import-keys.service
+[Unit]
+Description=Import Secure Boot keys
+DefaultDependencies=no
+RequiresMountsFor=/var/lib/sbctl /boot
+ConditionPathExists=/boot/sbctl/keys
+After=local-fs.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=sbctl import-keys -d /boot/sbctl/keys
+ExecStartPost=rm -rf /boot/sbctl
+EOF
+ln -sf ../secure-boot-import-keys.service rootfs/usr/lib/systemd/system/sysinit.target.wants/secure-boot-import-keys.service
+
 # Initial partitioning
 cat <<EOF > init.repart.d/10-root.conf
 [Partition]
@ -102,9 +118,7 @@ ${patosPkgs.systemd}/usr/bin/ukify build \
  -o patos_${version}.efi

 # install ESP
-SYSTEMD_RELAX_ESP_CHECKS=1 ${patosPkgs.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot \
-  --secure-boot-auto-enroll=true --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem
-echo "timeout 2" > rootfs/boot/loader/loader.conf
+SYSTEMD_RELAX_ESP_CHECKS=1 ${patosPkgs.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot

 # setup factory reset
 mkdir -p rootfs/boot/EFI/tools
@ -122,21 +136,11 @@ options \EFI\tools\factoryreset.nsh L"t"
 efi EFI/tools/shell.efi
 EOF

-# sign EFIs
-${patosPkgs.systemd}/usr/lib/systemd/systemd-sbsign sign --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem \
-  rootfs/boot/EFI/tools/shell.efi --output=rootfs/boot/EFI/tools/shell.efi
-
-${patosPkgs.systemd}/usr/lib/systemd/systemd-sbsign sign --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem \
-  rootfs/boot/EFI/BOOT/BOOTX64.EFI --output=rootfs/boot/EFI/BOOT/BOOTX64.EFI
-
-${patosPkgs.systemd}/usr/lib/systemd/systemd-sbsign sign --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem \
-  patos_${version}.efi --output=patos_${version}.efi
+echo "timeout 2" > rootfs/boot/loader/loader.conf

 # install UKI
 cp patos_${version}.efi rootfs/boot/EFI/Linux

-echo "secure-boot-enroll force" >> rootfs/boot/loader/loader.conf
-
 # Final partitioning
 cat <<EOF > final.repart.d/10-esp.conf
 [Partition]