From 41138ab34a7293b879b09849e227af80a4ecf1ae Mon Sep 17 00:00:00 2001
From: Tom Alexander
Date: Sat, 18 Jan 2025 10:54:34 -0500
Subject: [PATCH] Update to the new secureboot location.
---
 nix/configuration/roles/boot/default.nix | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/nix/configuration/roles/boot/default.nix b/nix/configuration/roles/boot/default.nix
index acef3a1..a75dfb1 100644
--- a/nix/configuration/roles/boot/default.nix
+++ b/nix/configuration/roles/boot/default.nix
@@ -22,6 +22,14 @@
   };
   config = lib.mkMerge [
+    {
+      environment.systemPackages = with pkgs; [
+        tpm2-tools # For tpm2_eventlog to check for OptionRoms
+        # cp /sys/kernel/security/tpm0/binary_bios_measurements eventlog
+        # tpm2_eventlog eventlog | grep "BOOT_SERVICES_DRIVER"
+        sbctl # For debugging and troubleshooting Secure Boot.
+      ];
+    }
     (lib.mkIf (!config.me.buildingIso) {
       boot.loader.grub.enable = false;
@@ -67,22 +75,18 @@
       # };
     })
     (lib.mkIf (config.me.secureBoot.enable) {
-      # For debugging and troubleshooting Secure Boot.
+      environment.systemPackages = with pkgs; [ sbctl ];
       boot.loader.systemd-boot.enable = lib.mkForce false;
       boot.lanzaboote = {
         enable = true;
-        pkiBundle = "/etc/secureboot";
-        # TODO:
-        # pkiBundle = "/var/lib/sbctl";
+        pkiBundle = "/var/lib/sbctl";
       };
       environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
         hideMounts = true;
         directories = [
-          "/etc/secureboot" # Old Secure Boot Keys location
-          # TODO: run `doas sbctl setup --migrate` to move keys
           "/var/lib/sbctl" # Secure Boot Keys
         ];
       };
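Review bot: sbctl is installed twice after this change: this first hunk adds `sbctl # For debugging and troubleshooting Secure Boot.` to an unconditional `environment.systemPackages` element of the mkMerge list, while the second hunk still adds `environment.systemPackages = with pkgs; [ sbctl ];` inside `lib.mkIf (config.me.secureBoot.enable)`, so mkMerge produces a duplicate entry. If the intent is to have sbctl on every host (for example to enroll keys before secureBoot.enable is set), drop the conditional line in the second hunk; otherwise remove sbctl from this unconditional set and keep only the conditional one. This new element also carries no `config.me.buildingIso` guard, unlike its neighbours, so tpm2-tools and sbctl land in the ISO as well, which is presumably intended for the eventlog check but worth stating in the comment. The mkMerge list this element is added to continues outside the hunk.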
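Review bot: Dropping `"/etc/secureboot" # Old Secure Boot Keys location` from the persisted directories while switching `pkiBundle` to `"/var/lib/sbctl"` leaves no fallback for a host that has not yet run the migration the deleted TODO described (`sbctl setup --migrate`): its existing Secure Boot keys would remain only on the ephemeral root and lanzaboote would look for a bundle in a `/var/lib/sbctl` that may still be empty there. Unless every host has already been migrated, keep the old path in the list alongside `"/var/lib/sbctl" # Secure Boot Keys` until the migration is confirmed, or at least note at the pkiBundle line that keys are now expected only at the new path. The `lib.mkIf (config.me.secureBoot.enable)` set this hunk edits ends outside the hunk.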