author | Milan Pässler <milan@petabyte.dev> | 2021-01-02 17:58:44 +0100 |
---|---|---|
committer | Milan Pässler <milan@petabyte.dev> | 2021-01-02 17:58:44 +0100 |
commit | 624b4c2d5db5c6a8e181ef3f32f8c073607fde02 (patch) | |
tree | 75c0745f954ebf3cccee38f5d797f86ff47e0d27 | |
parent | 4dde3d592ca60d465896f63fec902ce748a4f5bf (diff) |
grub2: add signKey option
-rw-r--r-- | modules/grub2/default.nix | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/modules/grub2/default.nix b/modules/grub2/default.nix index 39fa13f73026..fb84c7726f40 100644 --- a/modules/grub2/default.nix +++ b/modules/grub2/default.nix @@ -8,7 +8,10 @@ let if cfg.asSecondaryPayload then "img/grub2" else "fallback/payload"; configText = (readFile ./files/grub.cfg) + cfg.extraConfig - + (optionalString (cfg.scanDevices) (readFile ./files/grub-scan.cfg)) + + (optionalString (cfg.signKey != null) '' + trust (cbfsdisk)/etc/trusted.key + set check_signatures=enforce + '') + (optionalString (cfg.scanDevices) (readFile ./files/grub-scan.cfg)) + (optionalString (cfg.users != { }) ((concatStringsSep "\n" (mapAttrsToList (n: u: '' ${ @@ -86,6 +89,11 @@ in { default = pkgs.coreboot-payload-grub2; }; + signKey = mkOption { + type = types.nullOr types.path; + default = null; + }; + extraPayloadModules = mkOption { type = types.listOf types.str; default = [ ]; @@ -118,6 +126,8 @@ in { "grub-mkfont --range=0x20-0x7E,0x2501-0x251F,0x2191-0x2193 --size=14 -o $out ${cfg.font}"); "etc/grub.cfg".src = cfg.configFile; "background.png".src = ./files/background.png; - }; + } // (optionalAttrs (cfg.signKey != null) { + "etc/trusted.key".src = cfg.signKey; + }); }; } |
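Review bot: The enforcement added to `configText` in the first hunk is not tied to `cfg.users`, so a build with `signKey` set and no users leaves the GRUB console open. From there `set check_signatures=no` turns verification off again. If the module system in use supports assertions, something like `assertion = cfg.signKey == null || cfg.users != { };` would catch this, and otherwise the requirement should at least be stated on the option. The `trust`/`check_signatures` lines are also appended after `./files/grub.cfg` and `cfg.extraConfig`, so anything those load at boot appears to run before enforcement is active; placing the two lines first would close that gap. The `let` binding continues outside the hunk, so the contents of `grub.cfg` are not visible here.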
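Review bot: The new `signKey` option in the second hunk has no `description`, and its name suggests a signing (private) key. The third hunk copies the file into CBFS as `etc/trusted.key` and the first hunk passes it to `trust`, so it has to be the public key. A private key supplied by mistake would end up embedded in the ROM image. I would add `description = "Public key (as written by gpg --export) that GRUB trusts for signature verification; this file is embedded in the image, never a private key.";` and consider a name such as `trustedKey`. The surrounding options attrset starts and ends outside the hunk.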