hosts/jericho: enable secure boot with lanzaboote

This commit is contained in:
Max Headroom 2023-01-12 23:58:33 +01:00
parent b1d21c2f96
commit b04d2f7efa
3 changed files with 48 additions and 1 deletions

View file

@ -0,0 +1,18 @@
{ config, inputs, ... }:
{
imports = [
inputs.lanzaboote.nixosModules.lanzaboote
];
age.secrets.secureBootKey.file = ../../../secrets/secure-boot-private-key-jericho.age;
boot.lanzaboote = {
enable = true;
configurationLimit = 50;
publicKeyFile = ./secure-boot/db.pem;
# BUG: the bootloader installation runs before/without the activation script,
# so this key may not exist unless the system has been activated beforehand.
privateKeyFile = config.age.secrets.secureBootKey.path;
};
}

View file

@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE-----
MIIE+TCCAuGgAwIBAgIRAKeYRMV7Va8InQlau+W84swwDQYJKoZIhvcNAQELBQAw
LjEVMBMGA1UEBhMMRGF0YWJhc2UgS2V5MRUwEwYDVQQDEwxEYXRhYmFzZSBLZXkw
HhcNMjMwMTExMjE0MDEzWhcNMjgwMTExMjE0MDEzWjAuMRUwEwYDVQQGEwxEYXRh
YmFzZSBLZXkxFTATBgNVBAMTDERhdGFiYXNlIEtleTCCAiIwDQYJKoZIhvcNAQEB
BQADggIPADCCAgoCggIBALG4gvuyX8lX0HhbLxEkKmEh1ikjR6XxGhWEHePa+xhC
aCHpPdG4R4Q3U/PGNteaxhoFCRTo6TkUcU/WtoYb3CNcDZ51mtUHtY9KFY5A5Yki
yPnNT0W+LFP+vz9B1U+soHp1EA6HgbB/CGWvhmMHwZSzhMsOTsad7nZaiaBfzUmU
p6y616XfI2RzpIlctxQGWNOL0lpdOqCW247ujJdubezvuoXw5gS+6yUi5ssegPdu
UuQkZvgO9yNawISSPNNLj7TbmOC19mQ0q3KcangCCt8/93bbjdtlWMwaDoiWCtL5
e7+Fo/MlhRovcmcz2wPGUr4tn/64mTuMWHhK9CvyIPS3hf7oNGZEWeSdvp8ppaM5
OtocRkDmJjSS+45iEU+d6TTWMrK6s+Mx9UWWJDn/HqRnlmxW4E2eFRhuFRW6/SaB
SbY3X36GMzByj84A4qKwkUGBCK9UZnflXiPv/KSumyg5wmQU4ulAirpMsGP6o78F
vKE8j8avHfC70LPuv9o+pgecp9F7Kg5f6ywGPfXSxv054znV6ZMxpUa0NjLEMp57
2PVfd3EeifgY4M4T5/wQulp8vxN9ipqD/toro16gRB2/Cb1o5FtwV9Fe4/ndVfUA
m8bnG2zo0iLU15L1iTW4vdDZp40BZhzptaz2Xuykqum+BK+8idNtZ8xG5Fy+rED3
AgMBAAGjEjAQMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAgEAIJSY
Lp9/84FJv0/QSBJwI9Ly6p2lobaaZqsUVrOHYqz1Q6VU3zhhTbIYsdfiq/RJY/Dq
w7qPPHwDN9+MgeKPN89q/kXZcZGxO+mT+eAjNBzJUJ3dUfuuoDRgQQEzVd9jUmEA
F39SPZWoa4lefLNdKk7tGu/8T6wmXk03q/RHsG4xWHn4fLdg9XHI4g5o2W9Vorf/
Y2Tz+oQTSipRrqX7lZ0xHGriWp4qTHikBsunzZ/krupSCvAahzG+fDnNYuNHj1FX
/bsITw/2NU7xzJXIRI2+VPTRIppSyZ5hvRBrwfA7mVdRq2HjT0wIRfjnppJvNrOQ
iBKZb/q7shy7bq35SSLpnAQk4ne0BAqPbJP31UxZZ7lzSvynGCUQDwM7A50OkGLC
V9+ov+44+0NN7gCvXhhd8uPuunBTa9zv2gcnoBIy51KvBTxFZ4LOHeU9esPc7W/z
qVaU+yOP3lUJI0Ou285zkP1xhkJyLqv2WlfuXbNxBi3ZmAckrQTjh2llOjSBdy8F
Ce14ni9ybLiIouiEFtBEvDN4jMudDpL04zCuT9amkfznooQsak3T7QrvHl52qLDp
HLOtegwnn8M1ivoqmM6eValayBKN/2gFjHpHmZQmf7J636UNvs6FIvpsPznj+L7a
uJmcfil84qaqDLTNQJfIAyPvOqdnwFO8FiNuAQE=
-----END CERTIFICATE-----

View file

@ -7,6 +7,7 @@
./extras/fprint.nix
./extras/i915-dp-hdmi-always-full-color-patch.nix
./extras/kernel-clr.nix
./extras/lanzaboote.nix
./extras/thermal.nix
(import ../../users "desktop").users.max
inputs.nixos-hardware.nixosModules.dell-xps-13-7390
@ -19,7 +20,6 @@
ignoreConfigErrors = true;
});
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = "jericho";