From fb92fdd2ed4e8017087210c5322c5b3870a2141e Mon Sep 17 00:00:00 2001
From: kuflierl <41301536+kuflierl@users.noreply.github.com>
Date: Wed, 31 Jul 2024 03:36:31 +0000
Subject: [PATCH 1/3] add option lanzaboote.generateKeysIfNotExist

generateKeysIfNotExist generates the PKI bundle if it doesn't already exist
---
 nix/modules/lanzaboote.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/nix/modules/lanzaboote.nix b/nix/modules/lanzaboote.nix
index 2339a0e5..6260435a 100644
--- a/nix/modules/lanzaboote.nix
+++ b/nix/modules/lanzaboote.nix
@@ -22,6 +22,8 @@ in
     enrollKeys = mkEnableOption "Automatic enrollment of the keys using sbctl";
+    generateKeysIfNotExist = mkEnableOption "Autogenerates the PKI bundle if it doesn't exist";
+
     configurationLimit = mkOption {
       default = config.boot.loader.systemd-boot.configurationLimit;
       defaultText = "config.boot.loader.systemd-boot.configurationLimit";
@@ -123,6 +125,15 @@ in
     boot.loader.external = {
       enable = true;
       installHook = pkgs.writeShellScript "bootinstall" ''
+        ${optionalString cfg.generateKeysIfNotExist ''
+          if [ -f "${cfg.privateKeyFile}" ]; then
+            mkdir ${cfg.pkiBundle}
+            ${sbctlWithPki}/bin/sbctl create-keys \
+              -d ${cfg.pkiBundle} \
+              -e ${cfg.pkiBundle}/keys
+          fi
+        ''}
+
         ${optionalString cfg.enrollKeys ''
           mkdir -p /tmp/pki
           cp -r ${cfg.pkiBundle}/* /tmp/pki

From 271c7b696f52dfd2980f9518a165463869700d75 Mon Sep 17 00:00:00 2001
From: kuflierl <41301536+kuflierl@users.noreply.github.com>
Date: Wed, 31 Jul 2024 04:14:22 +0000
Subject: [PATCH 2/3] fix logic issue in shell script

---
 nix/modules/lanzaboote.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/nix/modules/lanzaboote.nix b/nix/modules/lanzaboote.nix
index 6260435a..44bd761e 100644
--- a/nix/modules/lanzaboote.nix
+++ b/nix/modules/lanzaboote.nix
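Review bot: The `mkdir ${cfg.pkiBundle}` in the added generateKeysIfNotExist block creates the directory that will hold the newly minted Secure Boot private keys with whatever umask the install hook inherits, so unless sbctl tightens the modes of what it writes, the keys could end up readable by other local users; `mkdir -p -m 0700 "${cfg.pkiBundle}"` pins that regardless of sbctl's behavior (the same line recurs in the PATCH 2/3 hunk). Quoting is also inconsistent: `"${cfg.privateKeyFile}"` is quoted in the test while `${cfg.pkiBundle}` is bare in the mkdir and in the `-d`/`-e` arguments, so a bundle path containing whitespace would be word-split. Generating a fresh signing key set is a consequential and easy-to-miss side effect of a rebuild, so a line such as `echo "lanzaboote: generating a new PKI bundle in ${cfg.pkiBundle}" >&2` before the sbctl call would leave a trace in the activation output. The installHook shell string continues past the end of the hunk.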
@@ -126,8 +126,8 @@ in
       enable = true;
       installHook = pkgs.writeShellScript "bootinstall" ''
         ${optionalString cfg.generateKeysIfNotExist ''
-          if [ -f "${cfg.privateKeyFile}" ]; then
-            mkdir ${cfg.pkiBundle}
+          if [ ! -f "${cfg.privateKeyFile}" ]; then
+            mkdir -p ${cfg.pkiBundle}
             ${sbctlWithPki}/bin/sbctl create-keys \
               -d ${cfg.pkiBundle} \
               -e ${cfg.pkiBundle}/keys

From 409c892f29266e23bebfddd920df7281d73ec159 Mon Sep 17 00:00:00 2001
From: kuflierl <41301536+kuflierl@users.noreply.github.com>
Date: Wed, 21 Aug 2024 12:41:52 +0300
Subject: [PATCH 3/3] reformat description to match the template for mkEnableOption

Co-authored-by: Gavin John
---
 nix/modules/lanzaboote.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nix/modules/lanzaboote.nix b/nix/modules/lanzaboote.nix
index 44bd761e..76b72083 100644
--- a/nix/modules/lanzaboote.nix
+++ b/nix/modules/lanzaboote.nix
@@ -22,7 +22,7 @@ in
     enrollKeys = mkEnableOption "Automatic enrollment of the keys using sbctl";
-    generateKeysIfNotExist = mkEnableOption "Autogenerates the PKI bundle if it doesn't exist";
+    generateKeysIfNotExist = mkEnableOption "autogeneration of the PKI bundle if it doesn't exist";
     configurationLimit = mkOption {
       default = config.boot.loader.systemd-boot.configurationLimit;
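Review bot: Even with the corrected `! -f` test, key generation is keyed solely on the absence of `cfg.privateKeyFile`, and nothing in the hunk ties that path to `cfg.pkiBundle`; if an operator points privateKeyFile somewhere else, a missing bundle never triggers generation, while a present bundle paired with a missing key file has `sbctl create-keys` run into a directory that may already hold keys, and what sbctl does in that case is not visible here. If the module's default places privateKeyFile under pkiBundle (I expect so, but cannot see it in these hunks), a comment on the `if` line such as `# Keys are generated only when privateKeyFile is absent; assumes privateKeyFile lives inside pkiBundle (the default).` would document the coupling, and an option-level assertion could enforce it. The installHook shell string starts and ends outside this hunk.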