author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2024-02-26 06:01:38 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-02-26 06:01:38 +0000 |
commit | bdbd5d00f5611dbae595af91be71e1ec378acfc8 (patch) | |
tree | 369942900ff39a243e726c48721bbe579ac692c0 /nixos | |
parent | cff7e061886f353b183145806ecf68d1c5c6b578 (diff) | |
parent | f15b82bea76d197f6c5973535f920a4ee7e096e9 (diff) | |
Merge staging-next into staging
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/lib/make-disk-image.nix | 3 | ||||
-rw-r--r-- | nixos/modules/virtualisation/qemu-vm.nix | 6 | ||||
-rw-r--r-- | nixos/tests/systemd-boot.nix | 26 |
3 files changed, 35 insertions, 0 deletions
diff --git a/nixos/lib/make-disk-image.nix b/nixos/lib/make-disk-image.nix index 1a33abd01ea1..047e72e2ac0d 100644 --- a/nixos/lib/make-disk-image.nix +++ b/nixos/lib/make-disk-image.nix @@ -536,6 +536,9 @@ let format' = format; in let concatStringsSep " " (lib.optional useEFIBoot "-drive if=pflash,format=raw,unit=0,readonly=on,file=${efiFirmware}" ++ lib.optionals touchEFIVars [ "-drive if=pflash,format=raw,unit=1,file=$efiVars" + ] ++ lib.optionals (OVMF.systemManagementModeRequired or false) [ + "-machine" "q35,smm=on" + "-global" "driver=cfi.pflash01,property=secure,value=on" ] ); inherit memSize; diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index 55a214325118..75ba6dacc122 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix @@ -877,9 +877,11 @@ in type = types.package; default = (pkgs.OVMF.override { secureBoot = cfg.useSecureBoot; + systemManagementModeRequired = cfg.useSecureBoot; }).fd; defaultText = ''(pkgs.OVMF.override { secureBoot = cfg.useSecureBoot; + systemManagementModeRequired = cfg.useSecureBoot; }).fd''; description = lib.mdDoc "OVMF firmware package, defaults to OVMF configured with secure boot if needed."; @@ -1183,6 +1185,10 @@ in "-tpmdev emulator,id=tpm_dev_0,chardev=chrtpm" "-device ${cfg.tpm.deviceModel},tpmdev=tpm_dev_0" ]) + (mkIf (cfg.efi.OVMF.systemManagementModeRequired or false) [ + "-machine" "q35,smm=on" + "-global" "driver=cfi.pflash01,property=secure,value=on" + ]) ]; virtualisation.qemu.drives = mkMerge [ diff --git a/nixos/tests/systemd-boot.nix b/nixos/tests/systemd-boot.nix index c0b37a230df0..ce3245f3d862 100644 --- a/nixos/tests/systemd-boot.nix +++ b/nixos/tests/systemd-boot.nix 
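Review bot: The new `lib.optionals (OVMF.systemManagementModeRequired or false)` branch hard-codes `-machine q35,smm=on`, which is x86-only and silently replaces whatever machine type the image build otherwise uses, yet nothing in the hunk ties it to `useEFIBoot` or to the host architecture; if a non-x86 build ever carries that OVMF attribute, QEMU would fail with an unknown machine type instead of a clear error. A reader also gets no hint why `secure=on` is there, although it is the part that makes Secure Boot meaningful. Suggest a comment above the branch: `# OVMF built with SMM_REQUIRE needs q35 with SMM enabled; secure=on makes the pflash variable store writable only from SMM, so the guest OS cannot rewrite PK/KEK/db.` and, if non-x86 images can reach this code, gating the branch on x86 as well. The enclosing `let` binding starts and ends outside the hunk.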
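Review bot: The option description `OVMF firmware package, defaults to OVMF configured with secure boot if needed.` no longer describes the new default, which now also passes `systemManagementModeRequired = cfg.useSecureBoot;` to the override, and a user reading the option has no way to learn that this default pulls in `-machine q35,smm=on` elsewhere in the module. Suggest `OVMF firmware package. When useSecureBoot is set, defaults to OVMF built with Secure Boot and SMM so the authenticated variable store is protected from the guest; an SMM firmware in turn forces the q35 machine type.` It would also help to state that a user-supplied package without the `systemManagementModeRequired` passthru attribute is treated as not needing SMM. The enclosing option definition starts and ends outside the hunk.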
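Review bot: `mkIf (cfg.efi.OVMF.systemManagementModeRequired or false)` appends `-machine q35,smm=on` to `virtualisation.qemu.options` on every architecture; if the module passes another `-machine` elsewhere (not visible here, but likely on aarch64), QEMU merges repeated `-machine` options and the user ends up with an unknown `q35` type rather than a message saying SMM firmware is x86-only. Consider `(mkIf (pkgs.stdenv.hostPlatform.isx86 && (cfg.efi.OVMF.systemManagementModeRequired or false)) [` together with an assertion that explains the limitation, and a comment on the block: `# SMM-enabled OVMF (the default when useSecureBoot is set) requires q35 with smm=on; secure=on restricts pflash writes to SMM so the guest cannot alter the Secure Boot variables.` The `or false` fallback is reasonable but worth a word, since a custom `efi.OVMF` without the passthru attribute silently loses the protection. The surrounding `virtualisation.qemu.options` list starts and ends outside the hunk.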
@@ -39,6 +39,32 @@ in ''; }; + # Test that systemd-boot works with secure boot + secureBoot = makeTest { + name = "systemd-boot-secure-boot"; + + nodes.machine = { + imports = [ common ]; + environment.systemPackages = [ pkgs.sbctl ]; + virtualisation.useSecureBoot = true; + }; + + testScript = '' + machine.start(allow_reboot=True) + machine.wait_for_unit("multi-user.target") + + machine.succeed("sbctl create-keys") + machine.succeed("sbctl enroll-keys --yes-this-might-brick-my-machine") + machine.succeed('sbctl sign /boot/EFI/systemd/systemd-bootx64.efi') + machine.succeed('sbctl sign /boot/EFI/BOOT/BOOTX64.EFI') + machine.succeed('sbctl sign /boot/EFI/nixos/*bzImage.efi') + + machine.reboot() + + assert "Secure Boot: enabled (user)" in machine.succeed("bootctl status") + ''; + }; + # Check that specialisations create corresponding boot entries. specialisation = makeTest { name = "systemd-boot-specialisation"; |
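Review bot: The only post-reboot assertion is the `"Secure Boot: enabled (user)"` substring from `bootctl status`, which shows that the firmware reports Secure Boot but not that every loaded image was actually verified or that the signatures applied cover the boot chain; `machine.succeed("sbctl verify")` after `machine.reboot()` would at least confirm each EFI binary on the ESP carries a signature sbctl trusts, and a `machine.fail(...)` against an unsigned image would be the real enforcement check. `sbctl sign` appears to take a single path, so `'sbctl sign /boot/EFI/nixos/*bzImage.efi'` works only because the fresh VM has exactly one kernel; a one-line comment there (or `sbctl sign-all` if it fits) would keep the next change from breaking it. `sbctl create-keys` followed by `enroll-keys` also leaves the PK/KEK private keys on the guest under sbctl's default key directory, which is fine for a throwaway test VM but deserves a comment so the pattern is not copied into real provisioning. The enclosing tests attribute set starts and ends outside the hunk.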