From a2c95202b6d68a5d6415abf770de320e9f160595 Mon Sep 17 00:00:00 2001
From: Manuel Thalmann
Date: Fri, 20 Sep 2024 00:56:56 +0200
Subject: [PATCH] Allow enabling Secure Boot

---
 lib/modules/os.nix | 15 +++++++-
 profiles/machines/manuel/DerGeret/config.nix | 1 +
 .../machines/manuel/ManuSurface/config.nix | 1 +
 scripts/Arch/Config/SecureBoot/main.fish | 35 +++++++++++++++++++
 scripts/Arch/Scripts/deploy.fish | 6 +++-
 5 files changed, 56 insertions(+), 2 deletions(-)
 create mode 100755 scripts/Arch/Config/SecureBoot/main.fish

diff --git a/lib/modules/os.nix b/lib/modules/os.nix
index d5ed8e54..ff661b02 100644
--- a/lib/modules/os.nix
+++ b/lib/modules/os.nix
@@ -25,7 +25,20 @@
 ];
 };
- linuxVariant = osVariant.extendModules { };
+ linuxVariant = osVariant.extendModules {
+ modules = [
+ ({ ... }: {
+ options = {
+ secureBoot = mkOption {
+ type = types.bool;
+ description = "A value indicating whether the system supports Secure Boot.";
+ default = false;
+ };
+ };
+ })
+ ];
+ };
+
 windowsVariant = osVariant.extendModules { };
 in {
 options = {
diff --git a/profiles/machines/manuel/DerGeret/config.nix b/profiles/machines/manuel/DerGeret/config.nix
index 3f67fcb6..c93b195b 100644
--- a/profiles/machines/manuel/DerGeret/config.nix
+++ b/profiles/machines/manuel/DerGeret/config.nix
@@ -6,6 +6,7 @@
 config = {
 valhalla = {
 hostname = lib.mkDefault "der-geret";
+ linux.secureBoot = true;
 windows = {
 dualboot = {
diff --git a/profiles/machines/manuel/ManuSurface/config.nix b/profiles/machines/manuel/ManuSurface/config.nix
index abce2810..5f59a796 100644
--- a/profiles/machines/manuel/ManuSurface/config.nix
+++ b/profiles/machines/manuel/ManuSurface/config.nix
@@ -6,6 +6,7 @@
 config = {
 valhalla = {
 hostname = "manu-surface";
+ linux.secureBoot = true;
 partition.os.deviceName = "nvme0n1";
 };
 };
diff --git a/scripts/Arch/Config/SecureBoot/main.fish b/scripts/Arch/Config/SecureBoot/main.fish
new file mode 100755
index 00000000..be5c3fcc
--- /dev/null
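Review bot: The description of the new `secureBoot` option in the os.nix hunk says the system "supports" Secure Boot, but the flag is consumed in deploy.fish to install secureboot-grub and rewrite the bootloader, so it is an enable switch rather than a statement of hardware capability. Suggest `description = "Whether to install and configure Secure Boot (secureboot-grub) for this Linux variant.";` so a reader of the option does not set it on a machine merely because its firmware has Secure Boot available. The option appears to be declared only on `linuxVariant`, which matches the `linux.secureBoot = true;` lines in the two machine configs of this patch.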
+++ b/scripts/Arch/Config/SecureBoot/main.fish
@@ -0,0 +1,35 @@
+#!/bin/env fish
+begin
+ set -l dir (status dirname)
+ source "$dir/../../Scripts/software.fish"
+
+ function installSW -V dir
+ yayinst secureboot-grub
+ end
+
+ function configureSW -V dir
+ source "$dir/../../../Common/Scripts/config.fish"
+ set -l label (getConfig valhalla.boot.label)
+ set -l efiDir (getConfig valhalla.boot.efiMountPoint)
+ set -l bootNums (efibootmgr | sed "/$label/{ s/^.*Boot\([[:digit:]]\+\)\*.*\$/\1/; p; }; d")
+
+ for bootNum in $bootNums
+ sudo efibootmgr --delete-bootnum --bootnum $bootNum
+ end
+
+ sudo sed -i \
+ -e "/esp=/{" \
+ -e "a esp=\"$efiDir\"" \
+ -e "d" \
+ -e "}" \
+ -e "/bootloader_id=/{" \
+ -e "a bootloader_id=\"$label\"" \
+ -e "d" \
+ -e "}" \
+ /etc/secureboot.conf
+
+ sudo secure-grub-install
+ end
+
+ runInstaller $argv
+end
diff --git a/scripts/Arch/Scripts/deploy.fish b/scripts/Arch/Scripts/deploy.fish
index 30056674..b90b73a6 100644
--- a/scripts/Arch/Scripts/deploy.fish
+++ b/scripts/Arch/Scripts/deploy.fish
@@ -14,7 +14,11 @@ function deploySoftware -d "Deploys a the specified software action" -a action
 end
 )
- if collectionActive essential
+ if getConfig valhalla.linux.secureBoot --json | jq --exit-status > /dev/null
+ source "$dir/../Config/SecureBoot/main.fish" $argv
+ end
+
+ and if collectionActive essential
 if $isInstall
 yayinst \
 mkinitcpio-firmware \
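Review bot: The boot-entry cleanup in configureSW matches too loosely: efibootmgr boot numbers are four hex digits, so `[[:digit:]]\+` never extracts entries such as Boot000A, and `/$label/` is an unanchored substring match with `$label` interpolated unescaped into a BRE, so a label that is a prefix of another entry's name (or one containing `/` or a regex metacharacter) either deletes unrelated entries via `sudo efibootmgr --delete-bootnum` or breaks the sed script. Anchor on efibootmgr's line format (newer versions append a tab and the device path after the label) and capture hex digits, e.g. `sed -n "s/^Boot\([[:xdigit:]]\{4\}\)\* $label\(\t.*\)\?\$/\1/p"`, and escape `$label` (at least `/`, `.`, `*`, `[`) before interpolating it. The later `sudo sed -i` on /etc/secureboot.conf silently changes nothing when the `esp=` or `bootloader_id=` lines are absent, so a check after the edit such as `grep -q '^esp=' /etc/secureboot.conf; and grep -q '^bootloader_id=' /etc/secureboot.conf; or return 1` would catch a changed config format before `sudo secure-grub-install` runs with stale values.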
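Review bot: `and if collectionActive essential` makes the essential collection conditional on the exit status of the new `if` block above it; when secureBoot is on that is the status of the sourced SecureBoot installer, so a failure there silently skips the remaining deployment instead of stopping it, and when the option is off it is whatever fish reports for an untaken `if`, which is worth confirming is 0 so non-secure-boot machines still get the essential collection. Keep the original unconditional `if collectionActive essential` and fail loudly inside the secure-boot branch instead, e.g. `source "$dir/../Config/SecureBoot/main.fish" $argv; or return 1`, assuming deploySoftware is meant to abort when an installer fails. The enclosing function deploySoftware starts before the hunk and continues after it.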