diff --git a/pkgs/image/default.nix b/pkgs/image/default.nix
index e0a4a24..94748a3 100644
--- a/pkgs/image/default.nix
+++ b/pkgs/image/default.nix
@@ -22,7 +22,7 @@ runCommand pname {
env = {
# vfat options won't efi won't find the fs otherwise.
SYSTEMD_REPART_MKFS_OPTIONS_VFAT = "-S 512 -c";
- SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root"; # -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking";
+ SYSTEMD_REPART_MKFS_OPTIONS_EROFS = "--all-root -zlz4hc,12 -C1048576 -Efragments,dedupe,ztailpacking";
};
kernelCmdLine = "console=ttyS0 patos.secureboot=true";
@@ -218,8 +218,8 @@ Type=root
Label=root-${version}
CopyBlocks=/$rootPart
UUID=$rootUuid
-SizeMinBytes=256M
-SizeMaxBytes=256M
+SizeMinBytes=64M
+SizeMaxBytes=64M
ReadOnly=1
EOF
@@ -229,8 +229,6 @@ Type=root-verity
Label=verity-${version}
CopyBlocks=/$verityPart
UUID=$verityUuid
-SizeMinBytes=10M
-SizeMaxBytes=10M
ReadOnly=1
EOF
diff --git a/pkgs/rootfs/mkinitrd.nix b/pkgs/rootfs/mkinitrd.nix
index 10399a6..c46ed9d 100644
--- a/pkgs/rootfs/mkinitrd.nix
+++ b/pkgs/rootfs/mkinitrd.nix
@@ -47,6 +47,8 @@ DefaultDependencies=false
After=sysroot-run.mount
Requires=sysroot-run.mount
Before=systemd-repart.service initrd.target shutdown.target sysinit.target
+ConditionKernelCommandLine=patos.secureboot=true
+ConditionPathExists=|!/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c
[Service]
Type=oneshot
diff --git a/pkgs/rootfs/mkrootfs.nix b/pkgs/rootfs/mkrootfs.nix
index 61e99d1..257ffb6 100644
--- a/pkgs/rootfs/mkrootfs.nix
+++ b/pkgs/rootfs/mkrootfs.nix
@@ -81,23 +81,21 @@ EOF
cat <<EOF > $out/etc/repart.d/20-root-a.conf
[Partition]
Type=root
-SizeMaxBytes=256M
-SizeMinBytes=256M
+SizeMaxBytes=64M
+SizeMinBytes=64M
EOF
cat <<EOF > $out/etc/repart.d/22-root-verify-a.conf
[Partition]
Type=root-verity
-SizeMaxBytes=10M
-SizeMinBytes=10M
EOF
cat <<EOF > $out/etc/repart.d/30-root-b.conf
[Partition]
Type=root
Label=_empty
-SizeMaxBytes=256M
-SizeMinBytes=256M
+SizeMaxBytes=64M
+SizeMinBytes=64M
ReadOnly=1
EOF
@@ -105,8 +103,6 @@ cat <<EOF > $out/etc/repart.d/32-root-verity-b.conf
[Partition]
Type=root-verity
Label=_empty
-SizeMaxBytes=10M
-SizeMinBytes=10M
ReadOnly=1
EOF
@@ -179,7 +175,6 @@ cp -P ${pkgs.sbctl}/bin/sbctl $out/usr/bin/
rm -f $out/usr/bin/blkid
cp -P ${pkgs.util-linuxMinimal}/bin/blkid $out/usr/bin/
cp -P ${pkgs.util-linuxMinimal}/bin/lsblk $out/usr/bin/
-cp -P ${pkgs.bash}/bin/bash $out/usr/bin/
### install xq (jq clone)
cp -P ${pkgs.xq}/bin/xq $out/usr/bin/
diff --git a/pkgs/rootfs/secure-boot-enroll.sh b/pkgs/rootfs/secure-boot-enroll.sh
index 9546027..2588baf 100644
--- a/pkgs/rootfs/secure-boot-enroll.sh
+++ b/pkgs/rootfs/secure-boot-enroll.sh
@@ -1,23 +1,9 @@
-#!/bin/bash
+#!/bin/sh
set -ex -uo pipefail
-enroll=
-for o in $(< /proc/cmdline); do
- case $o in
- patos.secureboot=*)
- enroll=${o#*=}
- ;;
- esac
-done
-
-if [ -z "$enroll" ]; then
- echo 'No patos.secureboot= parameter on the kernel command line' >&2
- exit 0
-fi
-
SETUP_MODE=$(sbctl status --json | jq -r '.setup_mode')
-[ "$SETUP_MODE" = "false" -o "$enroll" != "true" ] && exit 0
+[ "$SETUP_MODE" = "false" ] && exit 0
cat <<EOL> /run/sbctl.yml
---