parent
8fb3174c78
commit
a7b86fd03e
5 changed files with 114 additions and 32 deletions
pkgs/rootfs
|
@ -4,7 +4,12 @@
|
|||
runCommand,
|
||||
...
|
||||
}:
|
||||
let
|
||||
secureBootEnroll = ./secure-boot-enroll.sh;
|
||||
in
|
||||
runCommand "patos-initrd" {
|
||||
inherit secureBootEnroll;
|
||||
|
||||
buildInputs = with pkgs; [
|
||||
cpio
|
||||
xz
|
||||
|
@ -32,31 +37,7 @@ ln -sf /etc/os-release ./etc/initrd-release
|
|||
ln -sf initrd.target ./usr/lib/systemd/system/default.target
|
||||
|
||||
# setup secure boot
|
||||
cat <<EOF > ./usr/bin/secure-boot-enroll
|
||||
#!/bin/sh
|
||||
set -ex -o pipefail
|
||||
|
||||
SETUP_MODE=\$(sbctl status --json | xq -r '.setup_mode')
|
||||
|
||||
[ "\$SETUP_MODE" = "false" ] && exit 0
|
||||
|
||||
cat <<EOL> /run/sbctl.yml
|
||||
---
|
||||
keydir: /sysroot/boot/sbctl/keys
|
||||
guid: /sysroot/boot/sbctl/GUID
|
||||
EOL
|
||||
|
||||
ESP=\$(blkid --label ESP)
|
||||
|
||||
mount \$ESP /sysroot/boot && \
|
||||
sbctl --config /run/sbctl.yml create-keys && \
|
||||
sbctl --config /run/sbctl.yml enroll-keys --yolo && \
|
||||
# Sign EFIs
|
||||
find /sysroot/boot -type f \( -iname "*.efi" -o -iname "*.EFI" \) -print0 | xargs -I {} sbctl --config /run/sbctl.yml sign {}
|
||||
|
||||
umount /sysroot/boot && \
|
||||
systemctl reboot -f
|
||||
EOF
|
||||
cat $secureBootEnroll > ./usr/bin/secure-boot-enroll
|
||||
chmod +x ./usr/bin/secure-boot-enroll
|
||||
|
||||
cat <<EOF > ./usr/lib/systemd/system/secure-boot-enroll.service
|
||||
|
|
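Review bot: The builder now installs the enroll script with `cat $secureBootEnroll > ./usr/bin/secure-boot-enroll` followed by a separate `chmod +x`; the store path is left unquoted and the two steps can be collapsed into one that sets the mode explicitly: `install -m 0755 -- "$secureBootEnroll" ./usr/bin/secure-boot-enroll`. Because the script body moved out of this file into `secure-boot-enroll.sh` (referenced in the first hunk as `secureBootEnroll = ./secure-boot-enroll.sh;`), the privileged initrd logic it carries — mounting the ESP, `sbctl create-keys`/`enroll-keys`, signing the EFI binaries and forcing a reboot — can no longer be reviewed in this section. If that file carries the old heredoc over unchanged, it still pipes `find … -print0` into `xargs -I {}` without `xargs -0`, so the NUL-separated path list would not be parsed as intended; please confirm in that file. The enclosing runCommand build script continues outside this hunk.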