nixos/boot/systemd-boot: add UEFI Secure Boot via lanzaboote

nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix

@@ -7,6 +7,10 @@ let
 
   efi = config.boot.loader.efi;
 
+  fwupdForSecureBoot = config.services.fwupd.enable && cfg.secureBoot.enable;
+
+  lanzaboote-cross-uefi-stub = pkgs.pkgsCross."${config.boot.kernelPackage.stdenv.qemuArch}-uefi".lanzaboote-uefi-stub;
+
   systemdBootBuilder = pkgs.substituteAll {
     src = ./systemd-boot-builder.py;
 
@@ -64,6 +68,31 @@ let
     #!${pkgs.runtimeShell}
     ${checkedSystemdBootBuilder} "$@"
     ${cfg.extraInstallCommands}
+    '';
+
+  loaderSettingsFormat = pkgs.formats.keyValue {
+    mkKeyValue = k: v: if v == null then "" else
+    lib.generators.mkKeyValueDefault { } " " k v;
+  };
+
+  loaderConfigFile = loaderSettingsFormat.generate "loader.conf" {
+    timeout = config.boot.loader.timeout;
+    console-mode = cfg.consoleMode;
+    editor = cfg.editor;
+    default = "nixos-*";
+  };
+
+  finalLanzabooteBuilder = pkgs.writeShellScript "install-lanzaboote.sh" ''
+    export LANZABOOTE_STUB="${lanzaboote-cross-uefi-stub}/bin/lanzaboote_stub.efi"
+    ${cfg.secureBoot.package}/bin/lzbt install \
+      --systemd ${config.systemd.package} \
+      --systemd-boot-loader-config ${loaderConfigFile} \
+      --public-key ${cfg.secureBoot.publicKeyFile} \
+      --private-key ${cfg.secureBoot.privateKeyFile} \
+      --configuration-limit ${toString (if cfg.configurationLimit == null then 0 else cfg.configurationLimit)} \
+      ${efi.efiSysMountPoint} \
+      /nix/var/nix/profiles/system-*-link
+    ${cfg.extraInstallCommands}
   '';
 in {
 
@@ -234,10 +263,42 @@ in {
       '';
     };
 
+    secureBoot = mkOption {
+      default = {};
+      type = types.submodule ({ config, ... }: {
+        options = {
+          enable = mkEnableOption "Lanzaboote's SecureBoot implementation";
+
+          pkiBundle = mkOption {
+            type = types.nullOr types.path;
+            description = "PKI bundle containing db, PK and KEK files";
+          };
+
+          publicKeyFile = mkOption {
+            type = types.path;
+            default = "${config.pkiBundle}/keys/db/db.pem";
+            description = "Public key to sign your boot files";
+          };
+
+          privateKeyFile = mkOption {
+            type = types.path;
+            default = "${config.pkiBundle}/keys/db/db.key";
+            description = "Private key to sign your boot files";
+          };
+
+          package = mkPackageOptionMD pkgs "lanzaboote-tool" { };
+        };
+      });
+    };
+
   };
 
   config = mkIf cfg.enable {
     assertions = [
+      {
+        assertion = cfg.secureBoot.enable -> config.boot.bootspec.enable;
+        message = "Bootspec needs to be enabled to support SecureBoot";
+      }
       {
         assertion = (config.boot.kernelPackages.kernel.features or { efiBootStub = true; }) ? efiBootStub;
         message = "This kernel does not support the EFI boot stub";
@@ -267,6 +328,26 @@ in {
         }
       ]) (builtins.attrNames cfg.extraFiles);
 
+    warnings = lib.optional cfg.secureBoot.enable ''
+      You enabled Lanzaboote's experimental SecureBoot implementation.
+
+      This will not support all systemd-boot options for now, if you depend
+      critically on them, please send a PR or do not enable SecureBoot yet.
+
+      This is a feature preview of an implementation of SecureBoot in nixpkgs,
+      it is still experimental and can brick your machine in some circumstances,
+      e.g. missing Microsoft keys, broken firmware, etc.
+
+      This implementation only supports a private key reachable from a
+      disk path.
+
+      Multiple profiles are unsupported yet.
+
+      If you want to get rid of this warning, use the out of tree version for
+      the time being.
+    '';
+
+
     boot.loader.grub.enable = mkDefault false;
 
     boot.loader.supportsInitrdSecrets = true;
@@ -295,9 +376,37 @@ in {
       })
     ];
 
-    system = {
-      build.installBootLoader = finalSystemdBootBuilder;
+    systemd.services.fwupd = lib.mkIf fwupdForSecureBoot {
+      # Tell fwupd to load its efi files from /run
+      environment.FWUPD_EFIAPPDIR = "/run/fwupd-efi";
+    };
 
+    systemd.services.fwupd-efi = lib.mkIf fwupdForSecureBoot {
+      description = "Sign fwupd EFI app";
+      # Exist with the lifetime of the fwupd service
+      wantedBy = [ "fwupd.service" ];
+      partOf = [ "fwupd.service" ];
+      before = [ "fwupd.service" ];
+      # Create runtime directory for signed efi app
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+        RuntimeDirectory = "fwupd-efi";
+      };
+      # Place the fwupd efi files in /run and sign them
+      script = ''
+        ln -sf ${config.services.fwupd.package.fwupd-efi}/libexec/fwupd/efi/fwupd*.efi /run/fwupd-efi/
+        ${pkgs.sbsigntool}/bin/sbsign --key '${cfg.privateKeyFile}' --cert '${cfg.publicKeyFile}' /run/fwupd-efi/fwupd*.efi
+      '';
+    };
+
+    services.fwupd.uefiCapsuleSettings = lib.mkIf fwupdForSecureBoot {
+      DisableShimForSecureBoot = true;
+    };
+
+
+    system = {
+      build.installBootLoader = if cfg.secureBoot.enable then finalLanzabooteBuilder else finalSystemdBootBuilder;
       boot.loader.id = "systemd-boot";
 
       requiredKernelConfig = with config.lib.kernelConfig; [

nixos/tests/fixtures/uefi-keys/GUID

@@ -0,0 +1 @@
+22af0913-4926-41c2-a2be-5bc9f3dfc3e4

nixos/tests/fixtures/uefi-keys/README.md

@@ -0,0 +1,5 @@
+# UEFI testing key infrastructure
+
+Those are **snakeoil** UEFI keys which are used for our integration testing, *do not use in production*.
+
+They were generated using `sbctl create-keys`.

nixos/tests/fixtures/uefi-keys/keys/KEK/KEK.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDadlSw2a35+y4k
+oQHp2Un/DUM6e/hIT37jIchplGzlVAPQMGJ2IPW+b9OAn/dRc7D5/w57fYvB02d9
+J+0K0jc5Po3WMaYnptVtJ03ks/qmlgQm52uZszSeIBiPIdUNQaPxrOPAckR6z6hN
+gnvB2V3ornI6cpWSZ6LR7cJoNWcPTaVDqWq0mC5XstKt17rnQkkLGfx/4qIb/eUA
+QXVJx+UJ7zyAN58hAy+Altz41Mn9DMf40B3O3sQJosbXOsiSojUkD5GMQKT0NG0o
+YRHnGVwZvCHZRRMlw8zMj/lA+tuU4+lBjPIdFhwFu9iBXNSLcJRvvLVF1W0idvYR
+S+GNce/3PAvkjU+a1LWpfTs0UNyfFoBxry8JbJACNJt8EVY6io2EsoY5upppJWIw
+x+LsRmx+g+67cVZ5OZuuoI3EXhduBbPxQ3VutygpwrBV7uMABE1Y529CLnbS13yy
+QR+8k1hUjmJaEyH/Yrqr62P/m4cXqVjvVwXbRVPiVl7DOBUGkwPptzuwHWGUThUB
+jisQNTx88FGfcDFiJ7iBDIIUbW2YGs4X+baD4mrJrCkfIqrm3hLkQFxuXqA69t67
+0s+O2LQpiMuXSX2TDxow5RI5U+dV7YiK1aCRSPYd1nTuKJ6kiGwfwlWxidchESSO
+qzK/1ZbegE8RW/9+Eur8oKTuTewnkwIDAQABAoICAQCKJZgKuay1zuvwB8zw9xI+
+8kEYI7ru5y5jLULR2SU/o/BBX8dz0gX0pjyGMyIvZMx+Wpbq6opNSIVB9NSGKkb3
+sSH6WC0tF+gQ/XDZdiLD40u+2ksFx/g3Ii7FnGxg1Kh6tIzVbqz1SImychgWjoE/
+GclsQndpPJYO0J5GTbbdS4l9jw3GJBHyLUfi3O/5O8Z6+bTdnhBLSTPeBIbJ4Flq
+/dkxb3r2YlBQrZYQ2Gbe2Y0/P0QKRH6NZVz+T9L0PxUBt8KfgWWOc/SvOysaC8Rd
+FcYF4hNopzfECCtjtv7SWYlwhVO5pviTe6U+sNhLUSbcveWXwo4f5EBY0bZRPsKy
+VmsEkW9if/+nthYPsonVfWoiBl5mn+06+zPn8NMWVhlLRMLTYDnYyz22eGqjvS3m
+FPSroNK/A2D2lNSfuORJ4fAHhYoB9K8F5wBPFRrndlXn5tHiofYaKywSQPgymOGN
+YCtzXPAnYvEsiIlD0HDBEI6F/6aRNlEgjPreGOInuiQD1o81yv/N4o4JFtsD3T8Y
+LEngIdAzn2D9qEHsg0H4qoUJum6Z9Gw2IZYEH+CRM56jp50QrrYnLD++eGF8wPsP
+PNgU1I/gNq/JbH5fYGMX1QAMopbDMnib4uPKG/wxUTEUFkVV7rtCFhKGg9WnGdjn
+y2IDWEIowGwLsp8ARrNS2QKCAQEA3ABLBY4BkWLbfIGIjseLTDPvSxB4UErrIIJ3
+qpxHdp3ORr66BIqQ117g26TuCQL0iAiiNgK1WLqohOpSvlaEh2UTXux4Poh02Hiy
+p7t/BdAXU/Zz937p767fa319Sn4UG8Lf4p6BNu4mgVAgZ0yelwpkgHmNtJqcnywn
+JtYBhPNgr7VSHQ12iiQw+lEgw+D7pV7FmIi33E0Te52YSBOPBRYqOWMJXI2e4nHH
+wqSP99xx0SQ6WAnx9Uvj7RrpEHexYTOSkjqaAl5eS1ATnuCtgs1dNWryw7SgLjnG
+tt+UfBPBAfwy7Bfs0hSdCrw/14paE5dRrkwqIV4SJr+WagQvDwKCAQEA/jWS2AQw
+WQXZ+DbtMGcyP45XwNRqkBxtLeNXzP7H1ixZ+r/CD0oh6tqjK+2QyCD31ufE2tmb
+TltgBiJuMt5kELtj87vVtZ4ER2YCXEMB3EpONDDG7Tb6T589LiMno09YKeApRcKH
+XLM0R3ffKzTMl0j5KTtlOXzfdVDSV2ef5vI8hyUJpqBZbBPHmLyeyTi7MfF1X3MD
+jqEoHVnx7kxBNRzUwW4E+9i9qdwSjlfPPD/HbKbNrYHbp9UVL7CTdTQ4tBdhj46A
+mqETKzHWWcSXgNcG8MT+DhZXV+SX80eNI7YAdHK+3UpHG/2jJmOK7EChSFd3kI9K
+UOJArJ5OfyP/PQKCAQEAkmavhfbGHFXI8cXRdhJcJE27RByls+jnJy8rKyHsfIbv
+Kizp5PPBB1FgGUpcDSsmRxBXwdFzlKRCWJEGlxtD/kXI6jY6noJ4H0XSvcQL93ZO
+z9UFvwF588JPc1yC7/uOrhq0mj4YhtFcVllX9uYJ80E7ODOrlS/+Yf4j37gyMqMz
+CDqFdkfrRmpnHWy3fSJO0/GJVMRGdhfkizKIkA5T8nKZjq7VH/4uaUqGQIT6OVs9
+covFN6kGltH1z2dFCWxdYe3L7/uHWWQrI7saE3Q4gv7etBmDi7C7l4djMXb/fMI4
+gnWt/Wa+dd650tcLNQgggUEFXhPZRXMwaRC9q7c1CQKCAQBYivqByTu51kLspN0K
+zfb/kinYnWQcm/ofUJ9lZJzgaYRRxXbncm/L6KmLBG04d9s7fHDhtYfVzBfvKxDt
+IO8DsPGIlLVEVCyzXcGWtzQvsaX5ob+4Ij0ffJyHtHD6/gj8VPqrNK2HSVf9SLBv
+0S0tyJoYlXqVgnwm1abeENbuTxNsEyeAZTugXGdaOOCpv9vb8nlqbJohlNpvFsQg
+t2jDAi7MzPBpdD3jqya/c7BYEPL6UkMzmxaSJ7MAcGV8HltdxwMRSJZcxZvyoKJD
+lCkdFEhzlnnTGE8F6zZN428ysBMKfGkklNmd00N/fI6H6Z8Dnoujy3UcJSJXvbAj
+srsVAoIBABWmstJYCh294LL2q9Io746NkWsgAcXPK9Klg5+Tgl3UQkH4FejZ07rO
+mchehpzwZ0hbSb++IJP+5DVGpxdIJ6N36742bANNLt3SSXTpj21X0uFpF9cD5GMt
+pZd/4PjrL2Jfj4Hl8di+v0u9WUd5+++CLoMNm+CYUF85eLJtQxGTR0qJZMSPUBBW
+WaNyfguwx0WNJ0UadoWU+tXsOm1eVS5TTepOOU7kkqos5n0+VAnHgzsPOtwLRrrF
+8XJ8gBBU7M5LY1uoEwSjtkll9uAsfffsBMt+FKM4sHHV75Sxg2AYLwGy3eUZfNAQ
+k+GbSvCxlZqSnyXYt1dMWTcDQXDN1H8=
+-----END PRIVATE KEY-----

nixos/tests/fixtures/uefi-keys/keys/KEK/KEK.pem

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIFCTCCAvGgAwIBAgIRALFOG3w2ptEQcQqzvAg6PzwwDQYJKoZIhvcNAQELBQAw
+NjEZMBcGA1UEBhMQS2V5IEV4Y2hhbmdlIEtleTEZMBcGA1UEAxMQS2V5IEV4Y2hh
+bmdlIEtleTAeFw0yMjExMjMxMjU2NTNaFw0yNzExMjMxMjU2NTNaMDYxGTAXBgNV
+BAYTEEtleSBFeGNoYW5nZSBLZXkxGTAXBgNVBAMTEEtleSBFeGNoYW5nZSBLZXkw
+ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDadlSw2a35+y4koQHp2Un/
+DUM6e/hIT37jIchplGzlVAPQMGJ2IPW+b9OAn/dRc7D5/w57fYvB02d9J+0K0jc5
+Po3WMaYnptVtJ03ks/qmlgQm52uZszSeIBiPIdUNQaPxrOPAckR6z6hNgnvB2V3o
+rnI6cpWSZ6LR7cJoNWcPTaVDqWq0mC5XstKt17rnQkkLGfx/4qIb/eUAQXVJx+UJ
+7zyAN58hAy+Altz41Mn9DMf40B3O3sQJosbXOsiSojUkD5GMQKT0NG0oYRHnGVwZ
+vCHZRRMlw8zMj/lA+tuU4+lBjPIdFhwFu9iBXNSLcJRvvLVF1W0idvYRS+GNce/3
+PAvkjU+a1LWpfTs0UNyfFoBxry8JbJACNJt8EVY6io2EsoY5upppJWIwx+LsRmx+
+g+67cVZ5OZuuoI3EXhduBbPxQ3VutygpwrBV7uMABE1Y529CLnbS13yyQR+8k1hU
+jmJaEyH/Yrqr62P/m4cXqVjvVwXbRVPiVl7DOBUGkwPptzuwHWGUThUBjisQNTx8
+8FGfcDFiJ7iBDIIUbW2YGs4X+baD4mrJrCkfIqrm3hLkQFxuXqA69t670s+O2LQp
+iMuXSX2TDxow5RI5U+dV7YiK1aCRSPYd1nTuKJ6kiGwfwlWxidchESSOqzK/1Zbe
+gE8RW/9+Eur8oKTuTewnkwIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZI
+hvcNAQELBQADggIBACYvqkZYAIPnFZ5hwZDYfZeBJ99uIv+yft7DR7l4g3scBheg
+eZTn7SKIKAqRnJXuvdOANb40eLyzEuU59bzBCIonp7BsKSoNPWJvfZu5EjdybaWv
+owUmBKfmQcnM9LSkKnr6qsvj0PBw9m69l8d4sWz4eRGlQc7mY2Fgsik4swmjkj9J
+iHN5xhvKFtpPdJJcCVwjjCvRiYZfibRgI74YK+NRD1CYIIf8bh9uROzgjnXUTa4s
+38GxrwhEF2v5dOyEjohuLdD/yO5e6m424JWytEFB4dldpgH0DNVcsOe7Xj6I6I1c
+oh+WCgwWqoAXTBNdPMYHWZybQXqhBBIVVtRddzo1ViLsaaDxmaijNKac6JsutNQN
+f0Zm/uw67lLMfMUtf/jwU9SCWgWSF4S66pohmGfONbGytjk8Str9p+lN0B+rL7IE
+xM5i9883HpZkFJ1LXvyfz/qJ5KrFOTixgXE/P5+iH7/4PyiAXlCbXpDbwd/ycEGm
+W5DVThwPtvaXB7g1/WMXgLIlH0/p2yBYqtEAUDpKpFq11uu/D6DctzvzgamTsvND
+CCDGNK58N6Cfp2IjjzM1sjpJQSDKJvQWnb+bt0MO5zqqi8L7ejEbeSF3imS3JfzY
+RqA7XR+T8SwdiPqMxR5mXL0Mfk2z95G6znH8DOf2CGxc3X/MLfAW0jvUaPZa
+-----END CERTIFICATE-----

nixos/tests/fixtures/uefi-keys/keys/PK/PK.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDI6Sqb8P5wucXp
+LkUKXGkA8liEUeMvlHf9HRBuAp/WumQvLMFYgt2JT+D9za9qr999NdN8r6YXI93e
+3W4cavcdtIGmcTdE5ACTij7G0KxCZk1C22dfX8pa7iNjuXzOBq0m9XQoLoSsgl/r
+DHQP4wMC8sUiNqZT9OtRVumXnApvpZO2yVh8xG294nV4mGAAjCPaeYgdYTCPtrtU
+VWp98/w6luX58QUEId7WU1r9G8aDqlkOG6sLg0+5AQqbKU2V4hzmisyEaSFdPqzx
+8x4fR02NJIvAIE5Sn0+xfQjC1n9XIhldiXytSiEjtV/fG+c5q3sLIgYzEgEtxP9N
+357SXApcBPXZB7fjOYveXT36mDPurg7M/86qt0z+Lc7ZlgCpHgkqtl2vSgjP6J4I
+KTGCPKDDv1cD2mE7bWV7Q/FvBrozEht6n/hflU1HG1sa1D79l3Ap6BfbCbC/PI4g
+PSny1lvtv0MmOvEhaKn5b+D0RnjzqUjL4LRfdwtWxEDnbyWakRpBedBjK2pw1nzd
+9XTBg6yM7xZTDJ1kHeNshba4h9bLLRpqgiDfbg3p8z/G8l+S1MG/iX0rSNeo5yHo
+AFrLdApwoRoKKsVQeIg8AlT5o2VVW1epdlzXONLDiGYFCn1S3ZgDobrx3B0+LyIR
+c4I4FIelFcMCwZLWNSvd1+QHKxPvtQIDAQABAoICAQCr522Qzkw3EY04bmGecuFZ
+cQKx/QrhbCyagyLKri4rYYJVJvssC5UYZyOAplxAcclM7iBNoFEBnau6hEYxxIg6
+f3crfdWneVrQ4snB/UxW6AeVe/tgDKss0HOxYUVbVzUSj5RaySq2HDuL9zTbXwb1
+n9ly48W/MmGiUDZAhcAcNVVFYdP3tW6cuUZ/8Ai8jywiRDhlwwH1BYoVp5wdtwSK
+8RBHoqUDGyP6yImi5gAeKkRWoO/iQvGUv0Je7qE27KiDziEd7oIgsX7y6m1MoArI
+CIwW0M2TPkLG/8/ePf/pAwEnGnt2HmZqkkc8tDhNDN+T8AHT8sTVb6hu7jaLkTs+
+aZ5iw8uUBLPTPNMX5Oz0SW/Pijxsh2+9kKCjf/5CIs6BqhcUXZlfdRm/bFGfAq1N
+ivhyP//U2yt+MHhZoTMj5vYBeIw7Ee5bMBmicFOb2wMVZINOXaU1p+gG9CqWxPS4
+din+YwIX4tpESjRK7LX+969wikEqo8cLfelW6lmH3Bh80YgfcJb7D3lKp7B/sqND
+BliHMRC1461XMTT+4iWHzJ6UjP1twD8ebL3vxsBOfgKWEuMz6AcAYIrYyTuq8b4j
+MuPcgL18BFFlt+qB+x7991VzOGWrW2TgP/D52rT9Px37x3WA0RDiuCROKfpWtsfQ
+r73mN24FWu8vqqO2teSWQQKCAQEA9aKnIzQx2OVu5v30KbkLW+DgRBYNKsfjKEcL
+jJgoIIhUaatjr/Tot2NJVDLXV+yUyfByFWO/hGNwNMHnLEnl7NkE2gvnU3bD+PzJ
+pWGJPgdi9IBdnoqG5brBngQUrtgV75UFVLPFffsIC5B4mMuPRjhGp5xvvbiTNrgD
+hQ2Bh3fQKWBkcz7ijHkcOTXvn5RbqKIZSsHR9pC5JRPpLOWXTQzHz5YmUDaxsPFB
+XIOL7tXRrXlS0YSzdYVqxkuiUEWU06URXu3fmTM/rPvmwKBpEwOimaK0fvCagQB1
+XDUZzfkeHFnIhNpsX9WADuXi7lqoPQZa8ZBjKwzHtB4iRQpBRQKCAQEA0WNmZuz1
+86wXk58vkcxJW8si0X90RkgGtXaMH9o3VB9jaSYPe5LRjhwfnJ9Ba2gVTN9EJLce
+lzD+7fBHHVb/+kJjvNS6ME9L1R/GQGjKp1gTTJNfX9tNSMeWUU+349T9VFweh6vs
+HMhNd6/aGSZVVipoxfwpWiWl8UPJMe+692rXkWp2Q3OOlp55hXJ9BEC05R+gvSkS
+Z7vosXt2DEQowgsxO6pvWgjzg+BudFFXOTAhRsKLVFqq8KBeQV3AdIdtkYAYgj1Y
+KnKgyve5Ngbo3b6XqAs6/roxTCm71oRW043FxZSMIuAZpkCSzpVA0uSSDout0/+i
+MLf8OSaRUGUDsQKCAQA6dFap/gXOw+q8dbrhIvQdDUrRaR4BDEh2kVGiR6Nk+ox8
+CRlUCkhHPA17SA4PEnHmDJ5ZkL9G1hMhuvM0ivF4h7yr1yFZr227lwy1mpx6cm+O
+F+4viG/Jw8PHwtjZMvslZKU8HvvkmxSzC9JnKioSX9oQkR3WXFJMN0Y/J5OnlU+o
+SRQeiNyI6VlaFAfORhP58XlrXOyGbLJirHZVBN4Yq+3w7J55gEqQ/Ri812E5mRCo
+47JdweKjGPjr75vU1nowU5vqp1kKsDN7CwdC1+mpaLgNL7ccbk2WXXGQW+KkLaCI
+xqT9WK1psPkkkniKmHBo9VY3HlE7MXNk3bbyDxqxAoIBACeboupDVr8SRZ9yFECD
+ITlQ8rQoZOlKhKJc22LHF4I9McPZJEKe4i78mOo6odhcZvMUpMJBNXMqHH8L3Zfq
+Nh+z4UP+BX5P8atOCGV0rSj8myH4Gql6RWNIBeI5rzJUvtrvVgMZ/V7wcN78D8iE
+HM5g1VLmQThBOOOri+p7S6WzuzVRqy9VM5rAPYKFxqpARze0ROajV0zyGbFBBnKJ
+jiAul9COi+O/H7lJgftUy6gQt6q38D0zrXQ5EbtRra8dUxeb4Ib6bawR5OKf+5QB
+uJkBjZSHE1DODbc3icWpYPdBsTCPyfZq588wFdUoHIwIGqzPtUEN8TNACmERL5nC
+kfECggEAQ8Y/NxDGju89NcgjPaeoZ9caxMmpXl9+77IESFfWeeUP+cLXhyvf3X23
+KjYlfF9Ok7ZLh/r04FxA/W0e2+Gyjlvyk6sE3opgizk9wV7XwwDH5v2C0F9jABrZ
+EkxuVjqR1utj3/WuWkpVl9GNprcX5GzGtDjlRNy/ZSX7u5kB7uwFircdvlqzF6Jp
+9nqsizR29dYj7QSPKyiBcqZaoxolNQkOh8aXNso6HDIXyFr0/tGnZh8IC0o/LZdC
+Ksv281tFsACnU7eOPIkCbsuetiag7BDvRIOXXmTaMt9/VI4X94x3uPgzXA+NsCAL
+7Ftk0PrOk+MsXS+8K9hR2j8Bx2Y18w==
+-----END PRIVATE KEY-----

nixos/tests/fixtures/uefi-keys/keys/PK/PK.pem

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE+TCCAuGgAwIBAgIRAOuskmCCGswzOJ0Cwzibjg8wDQYJKoZIhvcNAQELBQAw
+LjEVMBMGA1UEBhMMUGxhdGZvcm0gS2V5MRUwEwYDVQQDEwxQbGF0Zm9ybSBLZXkw
+HhcNMjIxMTIzMTI1NjUxWhcNMjcxMTIzMTI1NjUxWjAuMRUwEwYDVQQGEwxQbGF0
+Zm9ybSBLZXkxFTATBgNVBAMTDFBsYXRmb3JtIEtleTCCAiIwDQYJKoZIhvcNAQEB
+BQADggIPADCCAgoCggIBAMjpKpvw/nC5xekuRQpcaQDyWIRR4y+Ud/0dEG4Cn9a6
+ZC8swViC3YlP4P3Nr2qv330103yvphcj3d7dbhxq9x20gaZxN0TkAJOKPsbQrEJm
+TULbZ19fylruI2O5fM4GrSb1dCguhKyCX+sMdA/jAwLyxSI2plP061FW6ZecCm+l
+k7bJWHzEbb3idXiYYACMI9p5iB1hMI+2u1RVan3z/DqW5fnxBQQh3tZTWv0bxoOq
+WQ4bqwuDT7kBCpspTZXiHOaKzIRpIV0+rPHzHh9HTY0ki8AgTlKfT7F9CMLWf1ci
+GV2JfK1KISO1X98b5zmrewsiBjMSAS3E/03fntJcClwE9dkHt+M5i95dPfqYM+6u
+Dsz/zqq3TP4tztmWAKkeCSq2Xa9KCM/onggpMYI8oMO/VwPaYTttZXtD8W8GujMS
+G3qf+F+VTUcbWxrUPv2XcCnoF9sJsL88jiA9KfLWW+2/QyY68SFoqflv4PRGePOp
+SMvgtF93C1bEQOdvJZqRGkF50GMranDWfN31dMGDrIzvFlMMnWQd42yFtriH1sst
+GmqCIN9uDenzP8byX5LUwb+JfStI16jnIegAWst0CnChGgoqxVB4iDwCVPmjZVVb
+V6l2XNc40sOIZgUKfVLdmAOhuvHcHT4vIhFzgjgUh6UVwwLBktY1K93X5AcrE++1
+AgMBAAGjEjAQMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAgEATfQK
+DfqXHnd/n4bdoLqAnXb6hvqKmjtDLBPVWp8Jzj6Ew6y2FULLUYkH3DEx0kfedQjO
+kD4h3LoYuHoqkcQ0dNI8RZ1v2oTBljadOTdZyjvtQJvBTtHzSTyrDl+e4CpME0zf
+Y8/7tXoXvhxxOiU0CcHeBlVJBdUmgmbGIb4CYlHFLv9L3CKc4RY1r9tIynLXtMWB
+FLNT8CE71BtF65pQkNpyPpTzLYyaDpvX8hy95gov7O+5jxl6MRCbL/h/BMBEBRbm
+qq20gYwpElPJ9TlNi0ynsAVG1K1miI89ejdHywLTt72q0VL0MOHpKFmAGKvuBVIA
+9RFD6tjMIA0P86gbDS+EgFJShuO/SAPftpuLAo/ZxF6lToPllox9wn3V9EWCMh94
+W/GfHI+PmxE+kEOnRgW1qMl1a+s8d7w3FwKqr4LaNIw4jX/Kmdjii5BGoVBYDt8X
+5jUliJBr5Fc2J7GfQFt03FpRp+h9d+Fra0ftRM7V4moCEMTHpR30xbxbt67Mgayi
+SY9UU0WSopaqTh4ye4gj8NbhNVJ8IQlgJhYwzfvrMuaIOoDL1OoTY/ruqYYert8Y
+BVi8EjEvVKTGfLEnuKBK+irrU9YuGmJjw2D6GQ4aJV7DN5dTZZmTvAhK5kevhFQF
+jN+7vSSp9LYMiJ+y5sL/sToVe5oaP3Wv04mu7CM=
+-----END CERTIFICATE-----

nixos/tests/fixtures/uefi-keys/keys/db/db.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCuLZZ9CwqagpEH
+iqjdXXa8X31h/oTTcAN63uNE0Vk1Kd5aMEzEzhrpJH1acqj6cfGMsRLsVi+a9MU8
+cXzKZhjs9rUufypMwClSBZ5H9S11mJDF0vO2WBT+6pbeU/gH/XJc44CFbY5ISQJx
+f4JiQ86pKrGPjFq0SspqcEl/Cveexb5LjSK3qIR21m+j+Av+7ILWARFhgCzjteZy
+KHhmU+HBp6eNDHM/+sWgJwHwTDhtKgP2yMVZZa5ISHHNwYUoUYZlS/F2R18XEtdX
+OIVJswLXTSq4ZdpdwNwLHSW7lbDfagDDGdfvQZEE/9Kus/XKDom/vGgO/dFihRfm
+21Q0YK+oGjCtdjKhmt1JChX9aQspR8SzWj7cTxVNdYNSCtM+Ozk8Uyfd4x9Md4Nb
+spXPM0bPCm5q8tj0sBENwhJ6Cgw+MoraN334Yd6ccklC+3hzRQj4FcugVGrx5vQy
+jH8gdNIgBn+bvakkhs38uH3E1zK7drG1v92HzlyyrX9DslE8eU2WWr3KhlNdASxi
+taRt7r3Z9drX/ChlF6McfAv9DVrUEilZHSLao7yjT8dVIKSx2djbbXxgtEz+L6aY
+aY99PZvgO/yLUvFKLuXZ7J33BOionstownfpmRxL6QtdxeTuniKzkyol7uIenrco
+eqmF/sKhRvHsPMrydqFYcOD5GcNNcwIDAQABAoICAEvsNTfGU1XsaflmmJr9fZ84
+5HeNsSpVHj813s0FkCQbXv/jI+N5j8Nmk3mUl1Grz0WrffskylV6MmtZcLLs9Bp+
+o5Vj+vU/ogNNzaPCHJGw8hI5FOC73lMLwL2izm/1Kx+QT1pZ2fZqVLVShmv88J1O
+rd1LqdIC896XmYHWLv+3ZG6cU7DItQz0Be/sVJZHU/SivIfKjkan6I6EU48PK031
+nZRfA/G0huZ7el3ba5EyCk5NT7DbILADXA/7NebQOov3IYaUL7/oB5POYFMyw59D
+1MZSJ3BMe94gU21EH7gTBcgFgNmas/MA7D4Y1Z/A3IyGPLmkK9wM9dE8c6TtLEOb
+JdOe5tQeuFQPzSxcqPeIUsvFQqTh/dtOhTi8UdHcBEljxNkqrp3HJalEeRJF+sbB
+TxKIypniG2fQMyfvivvbTjtRkJbKhjnQtIbtxFrLfQbwMzCaqlxkT4xJMAf3FXvK
+KAdq+YSd2JZ+rJcFG5H/V7LIuAyHY/dMCIkTFjoPQla1JSEZwKDcp7Mr3c01QG7T
+j4UT+E7DVD+Ec4a6KK8wKoQYOjK6yFrxgyrmhWgwtkk0ayn+mm25CwHbaxEJ+qI1
+fSs0N2dnAkFtZAdU8AxK9r536RX8oBGktPW7okyRQbksCyNncfxKTBKbQ25QKgZC
+A2/FxFa1A4Fkin+Rl2sZAoIBAQDVF1pKyVjQT9Ko6so0Cosf2qmYKI0rCU6eKVpw
+hulknUcDwln4yOQuR8sv688dyAMBS3eoufAogXY/Fnw2JuUQnmtqeM8kZjf0Bku7
+DR2TwMOgdLrwlVyqEyHhOc54s5ZVf0PJZYvwJJLqw7AIRtNgYnjoBlQBhlIwNqCo
+X8YTnuZZbcDDyP1YEVH9rBBs4JzSOeuf6fbUZqJJouYqsuSkf5WwZPsZEsYy80fk
+Py0S2tEvK6aFBPq7TBjZlX91RTOW+US5i499dgg5P9JeN7NaEL5CEFvutFXI8nyj
+8o1MjRe0wuPiDMrC2G+93UHLfr8bBVpJ3QlCMQyNPS87kmvfAoIBAQDRQEzPNmR1
+hd14YGuVqnz4I1q0tD5OPUoWLMysPiu5lPuORHvz8jJuJATq6va1u8ODPKvCzY/D
+54D35RgNKzm6rblxLPt5KXUk4vc7KAnjt+VWEm7L1ysqL62TjBGtSCxxQrcmpULM
+QgyxQ8aYkwkaB/5VbVJBhzb9PGdS0tAvmxSOeVIv2p4OYd7skJd6YC6TtKHzFBl5
+JdnoQS7HfYbgj0xNpuodw5OPCAGSLBZz3Ls05MQGwQ1TYxD3UehNPSjdwwsVSsbe
+MWrF965evKH45caAA6KDLn1YhYqRuM91SLLI/edmg/FO1RkUEEc3BFfshBvvQRGC
+j+iYu4a6eJDtAoIBAF5YMIncC45vSP2wtkXERUSdM2lCyv266SvtczVPBhad68sm
+SV900lILR1K4PMMawvnXx+rUKBhG+WuFMQlovxJUkYpaYpvjBfLstqria633MqXg
+CMRr3NMQFXf6eAfIu06vQfvxEbwI9WMrsMx5TyzlbFKOOrNSHSFrjkX94VzehW4i
+wa3tVv2e7YY6oCsUZ1pMep4aoEX6CvA/R1iwS7rpIgUvMF0xir8UJ0hPEE3Aw8z2
+rotGYRx73KS5I+1v7h9xzZO4zpblo051i1ZbovTFZPcq9wkAntqRQc30ncq+zTgi
+8XIr57nMyexuAatvOn1kKU16p5a+0KfX5wmhElECggEBAJcWLl+Pjoms1nSMaiHu
+r70bCetgGXy0lEHepwnW+gtNnzTiDf3d6rvMFiDo9qnRoSGpNPu7IQr6pQxYxjz7
+8PrxZOxq5khdvs+bcZetGTbrGRREyuszuV8EffgDMuBDNJOy8DtfKBQDvNZhcYvI
+3tGE5AcaoEHgN7wxWQlcXiWBfB5DSyxyVZ1c3XFCFZ2uxPKxgh3ZbWskAWrJZdV0
+tWZ/EUEgO/qxtGGaDkhUvQF7Z1CRvViDG/QRm7Z31ZuvhUpaAi6lh2H3nHjElYqh
++PGWNvVHqpe9gZPhGGSPZHvyueSWL/a9Xgblpu3tsv3ujO2hlenyuYnkDrX48RbC
+5yECggEBAJVglEc0odkzt5uYcxorFWw0r+gnMS/iyX9zJyLMCvZ4+/NLmAGQ6Qbs
+yJK9ryzS1obexq/+7SrTa/iHIBQLvM9eaCSJaAC+w6jRJQC4VRDwtO5c8e8ek3gF
+7DzQisGsIqhxrlZLEv8YyPaf9SgAMaLuM0w8xXD54jgcbLZlfNmdHyYHIcM0ZDPK
++4QhtV2YE1MKEIplMhXdxmCpeHqBMEfX5MYUUZb09Ffl7hRzCZc30NWpLnZ73iNq
++px6CR5rq1lnfLu+bIZvVeDBtWM0/vIeFZDKceEa1hkOIS8Z5hzA52OFP7pZKt+O
+3cEKjh9NywA7eLWDxRxEf/vq3vdWeFY=
+-----END PRIVATE KEY-----