From ac2d98a55b513d04b867c1c6649ef8e8e7297e0b Mon Sep 17 00:00:00 2001
From: Martin Larsson
Date: Thu, 15 Jan 2026 00:08:54 +0100
Subject: [PATCH] Setup secure boot on x86 linux using lanzaboote
---
 flake.lock | 124 ++++++++++++++++++++++++++++++++++++++-
 flake.nix | 7 +++
 nix/system/linux_x86.nix | 14 ++++-
 3 files changed, 142 insertions(+), 3 deletions(-)
diff --git a/flake.lock b/flake.lock
index 5420450..63693d4 100644
--- a/flake.lock
+++ b/flake.lock
@@ -55,6 +55,21 @@
 "type": "github"
 }
 },
+ "crane": {
+ "locked": {
+ "lastModified": 1765145449,
+ "narHash": "sha256-aBVHGWWRzSpfL++LubA0CwOOQ64WNLegrYHwsVuVN7A=",
+ "owner": "ipetkov",
+ "repo": "crane",
+ "rev": "69f538cdce5955fcd47abfed4395dc6d5194c1c5",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ipetkov",
+ "repo": "crane",
+ "type": "github"
+ }
+ },
 "flake-compat": {
 "locked": {
 "lastModified": 1746162366,
@@ -71,6 +86,22 @@
 }
 },
 "flake-compat_2": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1761588595,
+ "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
+ "flake-compat_3": {
 "flake": false,
 "locked": {
 "lastModified": 1765121682,
@@ -125,6 +156,28 @@
 "type": "github"
 }
 },
+ "gitignore": {
+ "inputs": {
+ "nixpkgs": [
+ "lanzaboote",
+ "pre-commit",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1709087332,
+ "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "type": "github"
+ }
+ },
 "home-manager": {
 "inputs": {
 "nixpkgs": [
@@ -193,6 +246,30 @@
 "type": "github"
 }
 },
+ "lanzaboote": {
+ "inputs": {
+ "crane": "crane",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "pre-commit": "pre-commit",
+ "rust-overlay": "rust-overlay"
+ },
+ "locked": {
+ "lastModified": 1765382359,
+ "narHash": "sha256-RJmgVDzjRI18BWVogG6wpsl1UCuV6ui8qr4DJ1LfWZ8=",
+ "owner": "nix-community",
+ "repo": "lanzaboote",
+ "rev": "e8c096ade12ec9130ff931b0f0e25d2f1bc63607",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "ref": "v1.0.0",
+ "repo": "lanzaboote",
+ "type": "github"
+ }
+ },
 "nix-darwin": {
 "inputs": {
 "nixpkgs": [
@@ -234,7 +311,7 @@
 },
 "nixos-wsl": {
 "inputs": {
- "flake-compat": "flake-compat_2",
+ "flake-compat": "flake-compat_3",
 "nixpkgs": "nixpkgs_4"
 },
 "locked": {
@@ -352,6 +429,29 @@
 "type": "github"
 }
 },
+ "pre-commit": {
+ "inputs": {
+ "flake-compat": "flake-compat_2",
+ "gitignore": "gitignore",
+ "nixpkgs": [
+ "lanzaboote",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1765016596,
+ "narHash": "sha256-rhSqPNxDVow7OQKi4qS5H8Au0P4S3AYbawBSmJNUtBQ=",
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "rev": "548fc44fca28a5e81c5d6b846e555e6b9c2a5a3c",
+ "type": "github"
+ },
+ "original": {
+ "owner": "cachix",
+ "repo": "pre-commit-hooks.nix",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
 "apple-silicon-support": "apple-silicon-support",
@@ -360,6 +460,7 @@
 "homebrew-bundle": "homebrew-bundle",
 "homebrew-cask": "homebrew-cask",
 "homebrew-core": "homebrew-core",
+ "lanzaboote": "lanzaboote",
 "nix-darwin": "nix-darwin",
 "nix-homebrew": "nix-homebrew",
 "nixos-wsl": "nixos-wsl",
@@ -367,6 +468,27 @@
 "nur": "nur"
 }
 },
+ "rust-overlay": {
+ "inputs": {
+ "nixpkgs": [
+ "lanzaboote",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1765075567,
+ "narHash": "sha256-KFDCdQcHJ0hE3Nt5Gm5enRIhmtEifAjpxgUQ3mzSJpA=",
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "rev": "769156779b41e8787a46ca3d7d76443aaf68be6f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "type": "github"
+ }
+ },
 "systems": {
 "locked": {
 "lastModified": 1681028828,
diff --git a/flake.nix b/flake.nix
index bad65c9..fbd77d3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -26,6 +26,11 @@
 # neovim.url = "github:LarssonMartin1998/neovim-flake";
 nix-homebrew.url = "github:zhaofengli-wip/nix-homebrew";
+ lanzaboote = {
+ url = "github:nix-community/lanzaboote/v1.0.0";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
 homebrew-core = {
 url = "github:homebrew/homebrew-core";
 flake = false;
@@ -49,6 +54,7 @@
 home-manager,
 nix-darwin,
 nixos-wsl,
+ lanzaboote,
 # neovim,
 colorsync,
 nix-homebrew,
@@ -147,6 +153,7 @@
 extraModules = [
 ./nix/system/linux.nix
 ./nix/system/linux_x86.nix
+ lanzaboote.nixosModules.lanzaboote
 ];
 };
diff --git a/nix/system/linux_x86.nix b/nix/system/linux_x86.nix
index e7929bd..5aee95a 100644
--- a/nix/system/linux_x86.nix
+++ b/nix/system/linux_x86.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ pkgs, lib, ... }:
 {
 imports = [
 ./hardware-configuration.nix
@@ -7,13 +7,23 @@
 boot = {
 loader = {
- systemd-boot.enable = true;
+ systemd-boot.enable = lib.mkForce false; # lanzaboote replaces systemd-boot module
 efi.canTouchEfiVariables = true;
 };
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
 };
 networking.hostName = "walnut-nixos";
+ environment = {
+ systemPackages = with pkgs; [
+ sbctl
+ ];
+ };
 programs = {
 sway.extraOptions = [
 "--unsupported-gpu"
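Review bot: The new `lanzaboote` input in the `@@ -26,6 +26,11 @@` hunk is the one entry in this block whose purpose is not evident from its name, and the file already uses one-line `#` comments here, so I would add `# UEFI Secure Boot for the x86 host; boot.lanzaboote.* is set in nix/system/linux_x86.nix` above `lanzaboote = {`. The `v1.0.0` in the URL is a git ref, so what is actually built is the `rev` recorded in flake.lock by this commit (`e8c096ade12e…`); bumping the ref later takes effect only once the lock is regenerated, which is worth a word in the comment. `inputs.nixpkgs.follows = "nixpkgs"` keeps lanzaboote on the host's nixpkgs, and the lock shows its transitive `rust-overlay`, `pre-commit` and `gitignore` entries following it as well, so no second nixpkgs is introduced by this input.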
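Review bot: `lanzaboote.nixosModules.lanzaboote` in the `@@ -147,6 +153,7 @@` hunk is appended to `extraModules` without any hint that it only does something together with the `boot.lanzaboote` options and the forced-off `boot.loader.systemd-boot.enable` that this same commit sets in nix/system/linux_x86.nix; because the two halves live in different files, a trailing comment would keep them from drifting apart, e.g. `lanzaboote.nixosModules.lanzaboote # UEFI Secure Boot; configured in linux_x86.nix`. From what is visible the module appears to be added only to this one system's module list, which matches the commit's x86-only scope. The attribute set that holds `extraModules` continues past the end of the hunk.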