Properly handle fwupd update capsules, take 2 #131
Conversation
|
Thanks for bringing this back from the dead! :) Can you please run I've enabled lock file maintenance for Renovate, but it will take some time before the bot comes by again. |
It looks like https://github.com/RaitoBezarius/nixpkgs/tree/simplified-qemu-boot-disks (cc @RaitoBezarius) needs to be rebased since the checks actually use that branch rather than nixos-unstable-small Edit: I'll go ahead and convert to draft until this is done |
lilyinstarlight
force-pushed
the
feature/fwupd
branch
from
f86f723
to
7725510
Compare
|
Ugh, I need to get this merged. I will do it, apologies for the inconveniences. |
lilyinstarlight
force-pushed
the
feature/fwupd
branch
from
7725510
to
bd23ba5
Compare
No worries! I appreciate your work on this :) NixOS/nixpkgs#221155 just got merged and we'll want that too, so it'll be a bit before that hits nixos-unstable and then we'll need to update the flake inputs |
|
NixOS/nixpkgs#221155 has made it to nixos-unstable @RaitoBezarius What is the best option for using an updated nixpkgs input, given the tests are running from that one branch in your fork? (e.g. should that one branch just be rebased?) |
|
I will rebase that branch and push for the merge of
NixOS/nixpkgs#207039 so we won't need that branch
anymore.
I will take care of this tomorrow morning CEST.
So we can get this merged soon and unblock everyone on that.
Le mer. 15 mars 2023 à 21:21, Lily Foster ***@***.***> a
écrit :
… NixOS/nixpkgs#221155 <NixOS/nixpkgs#221155> has
made it to nixos-unstable
@RaitoBezarius <https://github.com/RaitoBezarius> What is the best option
for using an updated nixpkgs input, given the tests are running from that
one branch in your fork? (e.g. should that one branch just be rebased?)
—
Reply to this email directly, view it on GitHub
<#131 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AACMZRFYP6VPMOHBGV2YA4LW4IQF7ANCNFSM6AAAAAAVZZCXTI>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
I've updated the branch for the The flake checks all pass and this otherwise should be good now! |
nix/modules/lanzaboote.nix
Outdated
| environment.FWUPD_EFIAPPDIR = "/run/fwupd-efi"; | ||
| serviceConfig.RuntimeDirectory = "fwupd-efi"; |
There was a problem hiding this comment.
@dasJ, just curious is serviceConfig.RuntimeDirectory needed?
This seems to clash because the built-in unit already sets RuntimeDirectory to motd.d and so systemd appends them both separated by a :, which fwupd doesn't understand how to process multiple runtime dirs (see here) and so assumes /run/fwupd-efi:/run/motd.d is literal and makes the motd file in that suspicious-looking directory /run/fwupd-efi:/run/motd.d/85-fwupd
There was a problem hiding this comment.
Ah I think it was added initially to make sure that directory exists. Since it makes more problems than it solves, I've removed it and added a mkdir -p /run/fwupd-efi to the pre-start script
Let me know if my analysis there is wrong @dasJ or if this is appropriate
There was a problem hiding this comment.
Yeah that works as well but I hate the approach of doing mkdir/chmod/chown in prestart. That's why I did it this way. We could also set PrivateTmp and just write to /tmp instead?
There was a problem hiding this comment.
I like /run better than /tmp (since it's supposed to be available for the entire lifetime of the daemon and isn't really temporary), but I'll try to think of options that don't use mkdir if you want
There was a problem hiding this comment.
Yeah the more I think about it, having mkdir is a bit unfortunate compared to having systemd manage the lifetime of the dir
That means the best option to keep /run though is probably to either manually set env var RUNTIME_DIRECTORY (which I'm not actually sure will even work with systemd) since fwupd can't otherwise handle that or creating another dummy unit that is WantedBy (to weakly start with), PartOf (to stop with), and Before fwupd or something with that RuntimeDirectory set and runs the signing itself
There was a problem hiding this comment.
Here's a diff for that latter option, for comparison:
diff --git a/nix/modules/lanzaboote.nix b/nix/modules/lanzaboote.nix
index 02f8f3f..f0e18b7 100644
--- a/nix/modules/lanzaboote.nix
+++ b/nix/modules/lanzaboote.nix
@@ -78,10 +78,23 @@ in
systemd.services.fwupd = lib.mkIf config.services.fwupd.enable {
# Tell fwupd to load its efi files from /run
environment.FWUPD_EFIAPPDIR = "/run/fwupd-efi";
+ };
+
+ systemd.services.fwupd-efi = lib.mkIf config.services.fwupd.enable {
+ description = "Sign fwupd EFI app";
+ # Exist with the lifetime of the fwupd service
+ wantedBy = [ "fwupd.service" ];
+ partOf = [ "fwupd.service" ];
+ before = [ "fwupd.service" ];
+ # Create runtime directory for signed efi app
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ RuntimeDirectory = "fwupd-efi";
+ };
# Place the fwupd efi files in /run and sign them
- preStart = ''
- mkdir -p /run/fwupd-efi
- cp ${config.services.fwupd.package.fwupd-efi}/libexec/fwupd/efi/fwupd*.efi /run/fwupd-efi/
+ script = ''
+ ln -s ${config.services.fwupd.package.fwupd-efi}/libexec/fwupd/efi/fwupd*.efi /run/fwupd-efi/
${pkgs.sbsigntool}/bin/sbsign --key '${cfg.privateKeyFile}' --cert '${cfg.publicKeyFile}' /run/fwupd-efi/fwupd*.efi
'';
};There was a problem hiding this comment.
I've edited the above diff to actually work as intended. Thoughts on using it @dasJ?
Alternatively we could do the PrivateTmp hack (which I'm really not sure I like the idea of) or we can just use StateDirectory if we don't care if the signed file persists
Edit: Or we can leave the mkdir if we really need -- I'm not sure what would be the "cleanest" option here
lilyinstarlight
force-pushed
the
feature/fwupd
branch
2 times, most recently
from
2f5b039
to
d95b9d2
Compare
Co-Authored-By: Janne Heß <janne@hess.ooo>
The nixpkgs-test input has been moved to the branch from NixOS/nixpkgs#207039.
Flake lock file updates:
• Updated input 'nixpkgs-test':
'github:RaitoBezarius/nixpkgs/e51bf8cc8e2c75192e930ad83ed272938729e7be' (2022-12-23)
→ 'github:NixOS/nixpkgs/371d3778c4f9cee7d5cf014e6ce400d57366570f' (2023-03-16)
lilyinstarlight
force-pushed
the
feature/fwupd
branch
from
d95b9d2
to
fd956c4
Compare
|
I've rebased on latest All flake checks still pass locally for me |
This is a mostly verbatim copy of #113 (credit to @dasJ for most all of this) that has been updated to use NixOS/nixpkgs#220555 (which has hit nixos-unstable now). It has been successfully tested with a BIOS update (with secureboot enforcing) on a 12th-gen Framework
Also we probably should update the lockfile in this repo first (or let Renovate bot handle it), since this will probably fail eval without that PR