feat: enroll secure boot at first boot

2025-03-17 22:22:35 +01:00 · 2025-03-17 22:22:35 +01:00 · 8fb3174c78
commit 8fb3174c78
parent dc8ed2a774
3 changed files with 68 additions and 15 deletions
--- a/pkgs/rootfs/mkinitrd.nix
+++ b/pkgs/rootfs/mkinitrd.nix
@ -31,6 +31,49 @@ ln -sf /etc/os-release ./etc/initrd-release
 # set default target to initrd inside initrd
 ln -sf initrd.target ./usr/lib/systemd/system/default.target

+# setup secure boot
+cat <<EOF > ./usr/bin/secure-boot-enroll
+#!/bin/sh
+set -ex -o pipefail
+
+SETUP_MODE=\$(sbctl status --json | xq -r '.setup_mode')
+
+[ "\$SETUP_MODE" = "false" ] && exit 0
+
+cat <<EOL> /run/sbctl.yml
+---
+keydir: /sysroot/boot/sbctl/keys
+guid: /sysroot/boot/sbctl/GUID
+EOL
+
+ESP=\$(blkid --label ESP)
+
+mount \$ESP /sysroot/boot && \
+  sbctl --config /run/sbctl.yml create-keys && \
+  sbctl --config /run/sbctl.yml enroll-keys --yolo && \
+  # Sign EFIs
+  find /sysroot/boot -type f \( -iname "*.efi" -o -iname "*.EFI" \) -print0 | xargs -I {} sbctl --config /run/sbctl.yml sign {}
+
+umount /sysroot/boot && \
+  systemctl reboot -f
+EOF
+chmod +x ./usr/bin/secure-boot-enroll
+
+cat <<EOF > ./usr/lib/systemd/system/secure-boot-enroll.service
+[Unit]
+Description=Enroll Secure Boot
+DefaultDependencies=false
+After=sysroot-run.mount
+Requires=sysroot-run.mount
+Before=systemd-repart.service initrd.target shutdown.target sysinit.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/secure-boot-enroll
+RemainAfterExit=yes
+EOF
+ln -sf ../secure-boot-enroll.service ./usr/lib/systemd/system/initrd-root-fs.target.wants/secure-boot-enroll.service
+
 # bind mount /run to /sysroot/run
 cat <<EOF > ./usr/lib/systemd/system/sysroot-run.mount
 [Unit]
--- a/pkgs/rootfs/mkrootfs.nix
+++ b/pkgs/rootfs/mkrootfs.nix
@ -172,7 +172,13 @@ cp -P ${pkgs.kmod.lib}/lib/*.so* $out/usr/lib/
 cp -P ${pkgs.kmod}/bin/* $out/usr/bin

 ### install libbpf
-cp -P ${pkgs.libbpf}/lib/libbpf*.so* $out/usr/lib
+cp -P ${pkgs.libbpf}/lib/libbpf*.so* $out/usr/lib/
+
+### install secure boot tools
+cp -P ${pkgs.sbctl}/bin/sbctl $out/usr/bin/
+rm -f $out/usr/bin/blkid
+cp -P ${pkgs.util-linuxMinimal}/bin/blkid $out/usr/bin/
+cp -P ${pkgs.xq}/bin/xq $out/usr/bin/

 ### install ca cert bundle
 chmod 755 $out/etc/ssl $out/etc/ssl/certs