parent
6819565d79
commit
c748e17279
4 changed files with 11 additions and 30 deletions
pkgs
|
@ -22,7 +22,7 @@ runCommand pname {
|
|||
env = {
|
||||
# vfat options won't efi won't find the fs otherwise.
|
||||
SYSTEMD_REPART_MKFS_OPTIONS_VFAT = "-S 512 -c";
|
||||
SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root"; # -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking";
|
||||
SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking";
|
||||
};
|
||||
|
||||
kernelCmdLine = "console=ttyS0 patos.secureboot=true";
|
||||
|
@ -218,8 +218,8 @@ Type=root
|
|||
Label=root-${version}
|
||||
CopyBlocks=/$rootPart
|
||||
UUID=$rootUuid
|
||||
SizeMinBytes=256M
|
||||
SizeMaxBytes=256M
|
||||
SizeMinBytes=64M
|
||||
SizeMaxBytes=64M
|
||||
ReadOnly=1
|
||||
EOF
|
||||
|
||||
|
@ -229,8 +229,6 @@ Type=root-verity
|
|||
Label=verity-${version}
|
||||
CopyBlocks=/$verityPart
|
||||
UUID=$verityUuid
|
||||
SizeMinBytes=10M
|
||||
SizeMaxBytes=10M
|
||||
ReadOnly=1
|
||||
EOF
|
||||
|
||||
|
|
|
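Review bot: The root partition's SizeMinBytes/SizeMaxBytes in the second hunk appear to go from 256M to 64M at the same time the first hunk turns on `-zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking` for EROFS, yet nothing next to the size records that 64M only fits because of that compression; a comment such as `# 64M assumes the lz4hc/dedupe options in SYSTEMD_REPART_MKFS_OPTIONS_EROFS; grow both together` would keep the two from drifting apart. The fragments, dedupe and ztailpacking features also require matching erofs support in the kernel that mounts the image, which this hunk does not pin — worth noting which kernel the image was verified against. The third hunk drops the verity partition's SizeMinBytes/SizeMaxBytes=10M; since that stanza keeps CopyBlocks the size presumably follows the source device, so that change looks safe here, unlike the on-device repart.d files in the other changed file.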
@ -47,6 +47,8 @@ DefaultDependencies=false
|
|||
After=sysroot-run.mount
|
||||
Requires=sysroot-run.mount
|
||||
Before=systemd-repart.service initrd.target shutdown.target sysinit.target
|
||||
ConditionKernelCommandLine=patos.secureboot=true
|
||||
ConditionPathExists=|!/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
|
|
|
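Review bot: The `|` prefix on `ConditionPathExists=|!/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c` marks it as a triggering condition, which only matters when several triggering conditions are meant to be OR-ed; with a single one it collapses to plain AND with `ConditionKernelCommandLine=patos.secureboot=true`, so either the prefix reflects an intent the hunk does not show or it should be written without it as `ConditionPathExists=!/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c`. The two Condition lines appear to be the additions in this hunk; the [Unit] section they sit in starts outside it. A one-line comment above them saying that an absent PK variable is the firmware's own setup-mode signal would explain why the unit gates on it in addition to the sbctl check in the script.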
@ -81,23 +81,21 @@ EOF
|
|||
cat <<EOF > $out/etc/repart.d/20-root-a.conf
|
||||
[Partition]
|
||||
Type=root
|
||||
SizeMaxBytes=256M
|
||||
SizeMinBytes=256M
|
||||
SizeMaxBytes=64M
|
||||
SizeMinBytes=64M
|
||||
EOF
|
||||
|
||||
cat <<EOF > $out/etc/repart.d/22-root-verify-a.conf
|
||||
[Partition]
|
||||
Type=root-verity
|
||||
SizeMaxBytes=10M
|
||||
SizeMinBytes=10M
|
||||
EOF
|
||||
|
||||
cat <<EOF > $out/etc/repart.d/30-root-b.conf
|
||||
[Partition]
|
||||
Type=root
|
||||
Label=_empty
|
||||
SizeMaxBytes=256M
|
||||
SizeMinBytes=256M
|
||||
SizeMaxBytes=64M
|
||||
SizeMinBytes=64M
|
||||
ReadOnly=1
|
||||
EOF
|
||||
|
||||
|
@ -105,8 +103,6 @@ cat <<EOF > $out/etc/repart.d/32-root-verity-b.conf
|
|||
[Partition]
|
||||
Type=root-verity
|
||||
Label=_empty
|
||||
SizeMaxBytes=10M
|
||||
SizeMinBytes=10M
|
||||
ReadOnly=1
|
||||
EOF
|
||||
|
||||
|
@ -179,7 +175,6 @@ cp -P ${pkgs.sbctl}/bin/sbctl $out/usr/bin/
|
|||
rm -f $out/usr/bin/blkid
|
||||
cp -P ${pkgs.util-linuxMinimal}/bin/blkid $out/usr/bin/
|
||||
cp -P ${pkgs.util-linuxMinimal}/bin/lsblk $out/usr/bin/
|
||||
cp -P ${pkgs.bash}/bin/bash $out/usr/bin/
|
||||
|
||||
### install xq (jq clone)
|
||||
cp -P ${pkgs.xq}/bin/xq $out/usr/bin/
|
||||
|
|
|
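Review bot: The first hunk appears to remove `SizeMaxBytes=10M`/`SizeMinBytes=10M` from 22-root-verify-a.conf and the second does the same for 32-root-verity-b.conf, leaving those on-device [Partition] stanzas with no size bound and no CopyBlocks; when systemd-repart has to create the empty B slot it will presumably fall back to its defaults and weight-based growth, so the verity slot is no longer held to 10M. If the intent is only to follow the root shrink, keep an explicit pair, e.g. `SizeMinBytes=10M` and `SizeMaxBytes=10M`, or add a comment stating why the bound was dropped. The third hunk seems to remove the `cp -P ${pkgs.bash}/bin/bash $out/usr/bin/` line, which matches the script shebang change in the other file; worth confirming that nothing else installed into the initrd still starts with `#!/bin/bash`.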
@ -1,23 +1,9 @@
|
|||
#!/bin/bash
|
||||
#!/bin/sh
|
||||
set -ex -uo pipefail
|
||||
|
||||
enroll=
|
||||
for o in $(< /proc/cmdline); do
|
||||
case $o in
|
||||
patos.secureboot=*)
|
||||
enroll=${o#*=}
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [ -z "$enroll" ]; then
|
||||
echo 'No patos.secureboot= parameter on the kernel command line' >&2
|
||||
exit 0
|
||||
fi
|
||||
|
||||
SETUP_MODE=$(sbctl status --json | jq -r '.setup_mode')
|
||||
|
||||
[ "$SETUP_MODE" = "false" -o "$enroll" != "true" ] && exit 0
|
||||
[ "$SETUP_MODE" = "false" ] && exit 0
|
||||
|
||||
cat <<EOL> /run/sbctl.yml
|
||||
---
|
||||
|
|
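Review bot: The shebang moves to `#!/bin/sh` while the next line still runs `set -ex -uo pipefail`; `pipefail` is a bash/ksh/zsh option that several `/bin/sh` implementations (older dash in particular) reject, and because `set` fails before anything else executes the script would abort at line 2 on such a shell instead of degrading gracefully. If the initrd's `/bin/sh` is known to support it (busybox ash does), record that with a comment such as `# /bin/sh in the initrd is busybox ash, which supports pipefail — confirm` ; otherwise drop the option and guard the `SETUP_MODE=$(sbctl status --json | jq -r '.setup_mode')` result by testing it for emptiness before the `[ "$SETUP_MODE" = "false" ] && exit 0` gate. With the `enroll` loop and the `-o "$enroll" != "true"` test removed, the only remaining guard against enrolling keys is the unit's ConditionKernelCommandLine, so a top-of-file comment pointing at that unit would make clear that running the script by hand is no longer gated. The heredoc to /run/sbctl.yml continues outside the hunk.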