Diffstat (limited to 'modules/grub2/default.nix')
-rw-r--r--modules/grub2/default.nix14
1 files changed, 12 insertions, 2 deletions
diff --git a/modules/grub2/default.nix b/modules/grub2/default.nix
index 39fa13f73026..fb84c7726f40 100644
--- a/modules/grub2/default.nix
+++ b/modules/grub2/default.nix
@@ -8,7 +8,10 @@ let
if cfg.asSecondaryPayload then "img/grub2" else "fallback/payload";
configText = (readFile ./files/grub.cfg) + cfg.extraConfig
- + (optionalString (cfg.scanDevices) (readFile ./files/grub-scan.cfg))
+ + (optionalString (cfg.signKey != null) ''
+ trust (cbfsdisk)/etc/trusted.key
+ set check_signatures=enforce
+ '') + (optionalString (cfg.scanDevices) (readFile ./files/grub-scan.cfg))
+ (optionalString (cfg.users != { }) ((concatStringsSep "\n" (mapAttrsToList
(n: u: ''
${
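Review bot: `set check_signatures=enforce` is emitted even when no GRUB users are configured, because the `cfg.users` block that follows stays optional (`cfg.users != { }`). Without a superuser, anyone at the console can switch enforcement off interactively, so the signature check only holds when both options are set. Consider a module assertion such as `assertion = cfg.signKey == null || cfg.users != { };` with a message explaining the dependency. Also, the `trust`/`set` lines are appended after `./files/grub.cfg` and `cfg.extraConfig`, so anything those parts load is read before enforcement begins; if that is intended, a comment like `# extraConfig runs before signature enforcement is enabled` would make it explicit. The `let` binding continues outside this hunk.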
@@ -86,6 +89,11 @@ in {
default = pkgs.coreboot-payload-grub2;
};
+ signKey = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ };
+
extraPayloadModules = mkOption {
type = types.listOf types.str;
default = [ ];
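Review bot: `signKey` is added without a `description`, and the name reads like a signing (private) key even though the value is installed as `etc/trusted.key` in the last hunk and handed to `trust`, so it has to be the public key. Because the type is `types.path`, the referenced file will most likely be copied into the Nix store and into the CBFS image, which would expose a private key if one were given by mistake. Add something like `description = "Public GPG key that GRUB trusts for signature verification (never the private key); setting it enables check_signatures=enforce.";`, and consider a clearer name such as `trustedKey`.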
@@ -118,6 +126,8 @@ in {
"grub-mkfont --range=0x20-0x7E,0x2501-0x251F,0x2191-0x2193 --size=14 -o $out ${cfg.font}");
"etc/grub.cfg".src = cfg.configFile;
"background.png".src = ./files/background.png;
- };
+ } // (optionalAttrs (cfg.signKey != null) {
+ "etc/trusted.key".src = cfg.signKey;
+ });
};
}