From 624b4c2d5db5c6a8e181ef3f32f8c073607fde02 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20P=C3=A4ssler?=
Date: Sat, 2 Jan 2021 17:58:44 +0100
Subject: grub2: add signKey option
---
modules/grub2/default.nix | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/modules/grub2/default.nix b/modules/grub2/default.nix
index 39fa13f73026..fb84c7726f40 100644
--- a/modules/grub2/default.nix
+++ b/modules/grub2/default.nix
@@ -8,7 +8,10 @@ let if cfg.asSecondaryPayload then "img/grub2" else "fallback/payload"; configText = (readFile ./files/grub.cfg) + cfg.extraConfig - + (optionalString (cfg.scanDevices) (readFile ./files/grub-scan.cfg)) + + (optionalString (cfg.signKey != null) '' + trust (cbfsdisk)/etc/trusted.key + set check_signatures=enforce + '') + (optionalString (cfg.scanDevices) (readFile ./files/grub-scan.cfg)) + (optionalString (cfg.users != { }) ((concatStringsSep "\n" (mapAttrsToList (n: u: '' ${
@@ -86,6 +89,11 @@ in { default = pkgs.coreboot-payload-grub2; }; + signKey = mkOption { + type = types.nullOr types.path; + default = null; + }; + extraPayloadModules = mkOption { type = types.listOf types.str; default = [ ];
@@ -118,6 +126,8 @@ in { "grub-mkfont --range=0x20-0x7E,0x2501-0x251F,0x2191-0x2193 --size=14 -o $out ${cfg.font}"); "etc/grub.cfg".src = cfg.configFile; "background.png".src = ./files/background.png; - }; + } // (optionalAttrs (cfg.signKey != null) { + "etc/trusted.key".src = cfg.signKey; + }); }; }
--
cgit v1.2.3
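Review bot: `set check_signatures=enforce` in the first hunk is only meaningful when the GRUB prompt and entry editing are password-protected, and `cfg.users` remains optional (the `cfg.users != { }` branch right below it). With `signKey` set and no users configured, enforcement can presumably be switched off again from the interactive console, so the option should either require a non-empty `cfg.users` or say so in its documentation. Order also matters and deserves a comment: the snippet is appended after `./files/grub.cfg` and `cfg.extraConfig`, so whatever those load is not verified, and `trust` has to stay ahead of the `set` line; e.g. `# keep this order: trust the key first, then enforce; config above runs unverified`. The `configText` expression starts and ends outside the hunk.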
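Review bot: The new `signKey` option in the second hunk has no `description`, and its name reads like a signing (private) key although the first hunk hands the file to GRUB's `trust`, which expects the public key. Because the type is `types.path`, the file is presumably copied into the Nix store, and the third hunk embeds it in CBFS as `etc/trusted.key`, so a private key supplied by mistake would end up readable in both places. I would add something like `description = "GPG public key, as accepted by GRUB's trust command, used to verify loaded files; never the private key.";` to the option. The surrounding `options` attribute set starts and ends outside the hunk.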