boot/secure-boot/shim: add boot entry for MokManager

linyinfeng · Feb 13, 2024 · a920075 · a920075
1 parent 36ea4b6
commit a920075
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/nixos/modules/boot/secure-boot/shim.nix b/nixos/modules/boot/secure-boot/shim.nix
@@ -63,7 +63,17 @@
  efibootmgr --quiet --delete-bootnum --label "${cfg.bootEntry.label}" || true
  echo "creating boot entry..."
  efibootmgr --quiet --create --label "${cfg.bootEntry.label}" \
- --disk "$disk" --part "$part" --loader '\${lib.replaceStrings ["/"] ["\\"] cfg.directory}\shimx64.efi'
+ --disk "$disk" --part "$part" --loader '\${lib.replaceStrings ["/"] ["\\"] cfg.directory}\shim${cfg.archSuffix}.efi'
+ ''
+ + lib.optionalString cfg.mokManager.addEntry ''
+ echo "creating MokManager boot entry..."
+ mkdir --parents "${efiSysMountPoint}/loader/entries"
+ cat >"${efiSysMountPoint}/loader/entries/mok-manager.conf" <<EOF
+ title MokManager
+ version ${cfg.package.version}
+ sort-key mokmanager
+ efi /${cfg.directory}/mm${cfg.archSuffix}.efi
+ EOF
  '';
  };
  singEfiFile = pkgs.writeShellApplication {
@@ -128,6 +138,9 @@ in {
  type = lib.types.str;
  };
  };
+ mokManager = {
+ addEntry = lib.mkEnableOption "MokManager boot entry";
+ };
  };
  };
  config = lib.mkIf cfg.enable {

diff --git a/nixos/profiles/boot/secure-boot/default.nix b/nixos/profiles/boot/secure-boot/default.nix
@@ -100,6 +100,7 @@ in {
  install = true;
  label = "Linux Boot Manager";
  };
+ mokManager.addEntry = true;
  };
  # install-shim after lzbt
  boot.lanzaboote.package = lib.mkForce (pkgs.writeShellApplication {