-
-
Notifications
You must be signed in to change notification settings - Fork 39
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Properly handle fwupd update capsules, take 2 #131
Properly handle fwupd update capsules, take 2 #131
Conversation
Thanks for bringing this back from the dead! :) Can you please run I've enabled lock file maintenance for Renovate, but it will take some time before the bot comes by again. |
It looks like https://github.com/RaitoBezarius/nixpkgs/tree/simplified-qemu-boot-disks (cc @RaitoBezarius) needs to be rebased since the checks actually use that branch rather than nixos-unstable-small Edit: I'll go ahead and convert to draft until this is done |
f86f723
to
7725510
Compare
Ugh, I need to get this merged. I will do it, apologies for the inconveniences. |
7725510
to
bd23ba5
Compare
No worries! I appreciate your work on this :) NixOS/nixpkgs#221155 just got merged and we'll want that too, so it'll be a bit before that hits nixos-unstable and then we'll need to update the flake inputs |
NixOS/nixpkgs#221155 has made it to nixos-unstable @RaitoBezarius What is the best option for using an updated nixpkgs input, given the tests are running from that one branch in your fork? (e.g. should that one branch just be rebased?) |
I will rebase that branch and push for the merge of
NixOS/nixpkgs#207039 so we won't need that branch
anymore.
I will take care of this tomorrow morning CEST.
So we can get this merged soon and unblock everyone on that.
Le mer. 15 mars 2023 à 21:21, Lily Foster ***@***.***> a
écrit :
… NixOS/nixpkgs#221155 <NixOS/nixpkgs#221155> has
made it to nixos-unstable
@RaitoBezarius <https://github.com/RaitoBezarius> What is the best option
for using an updated nixpkgs input, given the tests are running from that
one branch in your fork? (e.g. should that one branch just be rebased?)
—
Reply to this email directly, view it on GitHub
<#131 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AACMZRFYP6VPMOHBGV2YA4LW4IQF7ANCNFSM6AAAAAAVZZCXTI>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
I've updated the branch for the The flake checks all pass and this otherwise should be good now! |
nix/modules/lanzaboote.nix
Outdated
environment.FWUPD_EFIAPPDIR = "/run/fwupd-efi"; | ||
serviceConfig.RuntimeDirectory = "fwupd-efi"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dasJ, just curious is serviceConfig.RuntimeDirectory
needed?
This seems to clash because the built-in unit already sets RuntimeDirectory
to motd.d
and so systemd appends them both separated by a :
, which fwupd doesn't understand how to process multiple runtime dirs (see here) and so assumes /run/fwupd-efi:/run/motd.d
is literal and makes the motd file in that suspicious-looking directory /run/fwupd-efi:/run/motd.d/85-fwupd
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah I think it was added initially to make sure that directory exists. Since it makes more problems than it solves, I've removed it and added a mkdir -p /run/fwupd-efi
to the pre-start script
Let me know if my analysis there is wrong @dasJ or if this is appropriate
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah that works as well but I hate the approach of doing mkdir/chmod/chown in prestart. That's why I did it this way. We could also set PrivateTmp
and just write to /tmp instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like /run
better than /tmp
(since it's supposed to be available for the entire lifetime of the daemon and isn't really temporary), but I'll try to think of options that don't use mkdir if you want
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah the more I think about it, having mkdir
is a bit unfortunate compared to having systemd manage the lifetime of the dir
That means the best option to keep /run
though is probably to either manually set env var RUNTIME_DIRECTORY
(which I'm not actually sure will even work with systemd) since fwupd can't otherwise handle that or creating another dummy unit that is WantedBy
(to weakly start with), PartOf
(to stop with), and Before
fwupd or something with that RuntimeDirectory
set and runs the signing itself
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here's a diff for that latter option, for comparison:
diff --git a/nix/modules/lanzaboote.nix b/nix/modules/lanzaboote.nix
index 02f8f3f..f0e18b7 100644
--- a/nix/modules/lanzaboote.nix
+++ b/nix/modules/lanzaboote.nix
@@ -78,10 +78,23 @@ in
systemd.services.fwupd = lib.mkIf config.services.fwupd.enable {
# Tell fwupd to load its efi files from /run
environment.FWUPD_EFIAPPDIR = "/run/fwupd-efi";
+ };
+
+ systemd.services.fwupd-efi = lib.mkIf config.services.fwupd.enable {
+ description = "Sign fwupd EFI app";
+ # Exist with the lifetime of the fwupd service
+ wantedBy = [ "fwupd.service" ];
+ partOf = [ "fwupd.service" ];
+ before = [ "fwupd.service" ];
+ # Create runtime directory for signed efi app
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ RuntimeDirectory = "fwupd-efi";
+ };
# Place the fwupd efi files in /run and sign them
- preStart = ''
- mkdir -p /run/fwupd-efi
- cp ${config.services.fwupd.package.fwupd-efi}/libexec/fwupd/efi/fwupd*.efi /run/fwupd-efi/
+ script = ''
+ ln -s ${config.services.fwupd.package.fwupd-efi}/libexec/fwupd/efi/fwupd*.efi /run/fwupd-efi/
${pkgs.sbsigntool}/bin/sbsign --key '${cfg.privateKeyFile}' --cert '${cfg.publicKeyFile}' /run/fwupd-efi/fwupd*.efi
'';
};
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've edited the above diff to actually work as intended. Thoughts on using it @dasJ?
Alternatively we could do the PrivateTmp
hack (which I'm really not sure I like the idea of) or we can just use StateDirectory
if we don't care if the signed file persists
Edit: Or we can leave the mkdir
if we really need -- I'm not sure what would be the "cleanest" option here
2f5b039
to
d95b9d2
Compare
Co-Authored-By: Janne Heß <janne@hess.ooo>
The nixpkgs-test input has been moved to the branch from NixOS/nixpkgs#207039.
Flake lock file updates: • Updated input 'nixpkgs-test': 'github:RaitoBezarius/nixpkgs/e51bf8cc8e2c75192e930ad83ed272938729e7be' (2022-12-23) → 'github:NixOS/nixpkgs/371d3778c4f9cee7d5cf014e6ce400d57366570f' (2023-03-16)
d95b9d2
to
fd956c4
Compare
I've rebased on latest All flake checks still pass locally for me |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This sounds sane to me; untested yet with our flake check.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ran the tests, everything seems fine. We should probably add a test suite for this at some point, unsure of how exactly to test it though.
This is a mostly verbatim copy of #113 (credit to @dasJ for most all of this) that has been updated to use NixOS/nixpkgs#220555 (which has hit nixos-unstable now). It has been successfully tested with a BIOS update (with secureboot enforcing) on a 12th-gen Framework
Also we probably should update the lockfile in this repo first (or let Renovate bot handle it), since this will probably fail eval without that PR