Update to the new secureboot location.

Tom Alexander 2025-01-18 10:54:34 -05:00
parent f9b18809f9
commit 41138ab34a
Signed by: talexander
GPG Key ID: D3A179C9A53C0EDE


@ -22,6 +22,14 @@
}; };
config = lib.mkMerge [ config = lib.mkMerge [
{
environment.systemPackages = with pkgs; [
tpm2-tools # For tpm2_eventlog to check for OptionRoms
# cp /sys/kernel/security/tpm0/binary_bios_measurements eventlog
# tpm2_eventlog eventlog | grep "BOOT_SERVICES_DRIVER"
sbctl # For debugging and troubleshooting Secure Boot.
];
}
(lib.mkIf (!config.me.buildingIso) { (lib.mkIf (!config.me.buildingIso) {
boot.loader.grub.enable = false; boot.loader.grub.enable = false;
@ -67,22 +75,18 @@
# }; # };
}) })
(lib.mkIf (config.me.secureBoot.enable) { (lib.mkIf (config.me.secureBoot.enable) {
# For debugging and troubleshooting Secure Boot.
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
sbctl sbctl
]; ];
boot.loader.systemd-boot.enable = lib.mkForce false; boot.loader.systemd-boot.enable = lib.mkForce false;
boot.lanzaboote = { boot.lanzaboote = {
enable = true; enable = true;
pkiBundle = "/etc/secureboot"; pkiBundle = "/var/lib/sbctl";
# TODO:
# pkiBundle = "/var/lib/sbctl";
}; };
environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) { environment.persistence."/persist" = lib.mkIf (!config.me.buildingIso) {
hideMounts = true; hideMounts = true;
directories = [ directories = [
"/etc/secureboot" # Old Secure Boot Keys location
# TODO: run `doas sbctl setup --migrate` to move keys
"/var/lib/sbctl" # Secure Boot Keys "/var/lib/sbctl" # Secure Boot Keys
]; ];
}; };
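Review bot: Dropping `"/etc/secureboot"` from the `/persist` directories in the second hunk while switching `pkiBundle` to `"/var/lib/sbctl"` makes signing depend on a migration the commit does not show: if `sbctl setup --migrate` has not been run on a host, lanzaboote is pointed at an empty key directory and the next generation cannot be signed, and the old bind mount that would have exposed the keys is gone. The removed TODO was the only record of that step, so I would keep a one-line note next to `"/var/lib/sbctl"`: `# Keys migrated from /etc/secureboot via \`sbctl setup --migrate\`; delete /persist/etc/secureboot once every host has rebuilt.` The old copy of the firmware-enrolled signing keys presumably still sits under `/persist/etc/secureboot` on disk and should be removed once the migration is confirmed rather than left in an unmanaged location. Separately, the `sbctl` entry kept in the `secureBoot.enable` block's `environment.systemPackages` is now redundant with the unconditional one added in the first hunk, which also installs `sbctl` and `tpm2-tools` on ISO builds where `secureBoot.enable` is not in effect.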