working lanzaboote secure boot with uefi shell

2025-12-10 00:43:56 -05:00 · 2024-06-17 22:16:31 -04:00 · 2024-06-17 22:16:31 -04:00 · f4f287acd1
commit f4f287acd1
parent 46e4e98668
3 changed files with 268 additions and 20 deletions
--- a/hosts/gerg-desktop/zfs.nix
+++ b/hosts/gerg-desktop/zfs.nix
@ -2,11 +2,51 @@
  config,
  lib,
  pkgs,
+  lanzaboote,
 }:
+let
+  windowsConf = ''
+    title  Windows
+    efi     /shellx64.efi
+    options -nointerrupt -noconsolein -noconsoleout HD2d65535a1:EFI\Microsoft\Boot\Bootmgfw.efi
+
+  '';
+in
 {
+  imports = [ lanzaboote.nixosModules.lanzaboote ];
+
+  environment.systemPackages = [ pkgs.sbctl ];
+
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/etc/secureboot";
+    configurationLimit = 10;
+    package = lib.mkForce (
+      pkgs.writeShellApplication {
+        name = "lzbt";
+        runtimeInputs = [
+          lanzaboote.packages.tool
+          pkgs.coreutils
+          pkgs.sbctl
+        ];
+        text = ''
+          set -o pipefail
+          lzbt "$@"
+          MP='${config.boot.loader.efi.efiSysMountPoint}'
+          cp -f '${pkgs.edk2-uefi-shell.efi}' "$MP/shellx64.efi"
+          mkdir -p "$MP/loader/entries"
+          sbctl sign -s "$MP/shellx64.efi"
+          cat << EOF > "$MP/loader/entries/windows.conf"
+          ${windowsConf}
+          EOF
+        '';
+      }
+    );
+  };

  #link some stuff
  systemd.tmpfiles.rules = [
+    "L+ /etc/secureboot - - - - /persist/secureboot"
    "L+ /etc/ssh/ssh_host_ed25519_key  - - - - /persist/ssh/ssh_host_ed25519_key"
    "L+ /etc/ssh/ssh_host_ed25519_key.pub  - - - - /persist/ssh/ssh_host_ed25519_key.pub"
    "L  /etc/nixos/flake.nix  - - - - /home/gerg/Projects/nixos/flake.nix"
@ -86,15 +126,9 @@
    };
    loader = {
      systemd-boot = {
-        enable = lib.mkForce true;
+        enable = lib.mkForce false;
        extraFiles."shellx64.efi" = pkgs.edk2-uefi-shell.efi;
-
-        extraEntries."windows.conf" = ''
-          title  Windows
-          efi     /shellx64.efi
-          options -nointerrupt -noconsolein -noconsoleout HD2d65535a1:EFI\Microsoft\Boot\Bootmgfw.efi
-        '';
-
+        extraEntries."windows.conf" = windowsConf;
      };
      grub.enable = lib.mkForce false;
      timeout = lib.mkForce 5;