The bootspec-secureboot from determinatesystems

Error out if any paths don't exist

This is especially important in the installer, where e.g. signing information being unavailable is Not Good. I wonder if there's a "validate" function we can use with clap's derive macro to make it do this for all PathBuf args.

Switch existing generators to use `boot.json` only

Ref: https://github.com/DeterminateSystems/collab/issues/16.

Add Nix installer to update-flake-lock action

https://github.com/DeterminateSystems/bootspec/blob/main/.github/workflows/update.yml

v3 removed the automatic installation of Nix, so we need to handle it ourselves now.

Support bootspec as merged

NixOS/rfcs#125 saw some changes before merging which aren't reflected in this implementation currently.

Update everything referencing the bootspec to take into account the changed specialisation field

`/boot` isn't necessarily the same as the ESP

Currently, we assume that the ESP is located at /boot, even though we attempt to auto-detect its true location using the NixOS boot.loader.efi.efiSysMountPoint option. It is possible that the option is set to e.g. /boot/EFI, but our code assumes /boot is the ESP (e.g. we write to EFI/ and loader/, but as one might notice, that would create /boot/EFI/EFI in this situation).

This may require some refactoring, or it may just require renaming the --esp installer option to --boot-path (and document that it should be passed the path that has or should have EFI/ and loader/ as subdirectories).

Implement some logging

Tell users what is going on in each step, perhaps with optional levels of verbosity.

Open source the repository.

There aren't really any secrets here, so let's go public.

Rename the repo to bootspec
Create a good README: https://www.makeareadme.com/
Double check compliance with the Git Repositories document
Push the corresponding branches from nixpkgs to our public nixpkgs fork
Open source the repo
Set up the automatic rebasing on the boot-spec branch in the public nixpkgs fork

Generalize Bootspec beyond NixOS toplevels

Hi,

I've been putting off creating my own installer for a while, not that that is particularly interesting on its own. But, it would be really neat to have a "Ultimate Custom NixOS Installer" that has:

my "installer" config for both aarch64 + x86_64 (systemd-boot will filter if the entries have their arch declared)
(ideally the new OSS fork of) memtest enabled

However, it looks like the bootspec/generator parts are very specific to NixOS generations, and maybe even specifically on the generations existed as "system" profiles. Is this a strict part of bootspec's design?

Instead of the current nixos module which seems to just always invoke the generator+installer in a single, automatic way, there would be an available API to say here's "the exact toplevels+extra-bootables that I want turned into a bootloader package". I think this would also go most of the way to making a cleaner method of creating images/installers, since you don't need to interactively boot the VM to do the final bootloader installation step.

We should produce nice errors if a key / cert file is missing

Right now we just say:

Error: "systemd-boot-entries/efi/nixos/2zk5lzb044p5bk6ii6zc2r4x71kb2ack.efi could not be signed"

which is true, but we have an easily detectable underlying condition :).

Accept a list of ESPs

I have two disks in a mirror, and it'd be cool to install the entries to both disks in case one fails.

Integrate the synthesize binary into the boot-json-only PRs

Now that they only support boot.jsons, we need to synthesize boot.jsons from generations that don't have one.

Passing profiles in argv breaks on lots of generations

Here is a small sample:

+ /nix/store/y8cginvrvarrm1x1axvivynv3rnajvqp-bootspec-unreleased/bin/generator /nix/var/nix/profiles/system-10-link /nix/var/nix/profiles/system-11-link /nix/var/nix/profiles/system-12-link /nix/var/nix/profiles/system-13-link /nix/var/nix/profiles/system-14-link /nix/var/nix/profiles/system-15-link /nix/var/nix/profiles/system-16-link /nix/var/nix/profiles/system-17-link /nix/var/nix/profiles/system-18-link /nix/var/nix/profiles/system-19-link /nix/var/nix/profiles/system-1-link /nix/var/nix/profiles/system-20-link /nix/var/nix/profiles/system-21-link /nix/var/nix/profiles/system-22-link /nix/var/nix/profiles/system-23-link /nix/var/nix/profiles/system-24-link /nix/var/nix/profiles/system-25-link /nix/var/nix/profiles/system-26-link /nix/var/nix/profiles/system-27-link /nix/var/nix/profiles/system-28-link /nix/var/nix/profiles/system-29-link /nix/var/nix/profiles/system-2-link /nix/var/nix/profiles/system-30-link /nix/var/nix/profiles/system-31-link /nix/var/nix/profiles/system-32-link /nix/var/nix/profiles/system-33-link /nix/var/nix/profiles/system-34-link /nix/var/nix/profiles/system-35-link /nix/var/nix/profiles/system-36-link /nix/var/nix/profiles/system-37-link /nix/var/nix/profiles/system-38-link /nix/var/nix/profiles/system-39-link /nix/var/nix/profiles/system-3-link /nix/var/nix/profiles/system-40-link /nix/var/nix/profiles/system-41-link /nix/var/nix/profiles/system-42-link /nix/var/nix/profiles/system-43-link /nix/var/nix/profiles/system-44-link /nix/var/nix/profiles/system-45-link /nix/var/nix/profiles/system-46-link /nix/var/nix/profiles/system-47-link /nix/var/nix/profiles/system-48-link /nix/var/nix/profiles/system-49-link /nix/var/nix/profiles/system-4-link /nix/var/nix/profiles/system-50-link /nix/var/nix/profiles/system-51-link /nix/var/nix/profiles/system-52-link /nix/var/nix/profiles/system-53-link /nix/var/nix/profiles/system-54-link /nix/var/nix/profiles/system-55-link /nix/var/nix/profiles/system-56-link /nix/var/nix/profiles/system-57-link /nix/var/nix/profiles/system-5-link /nix/var/nix/profiles/system-6-link /nix/var/nix/profiles/system-7-link /nix/var/nix/profiles/system-8-link /nix/var/nix/profiles/system-9-link --systemd-machine-id-setup /nix/store/q0881awy50g4srnnwasci37y2jk5sf99-systemd-249.5/bin/systemd-machine-id-setup --unified-efi --objcopy /nix/store/js66s0xwjnzg0ggi2lq9bcvlk6x2za13-binutils-2.35.2/bin/objcopy --systemd-efi-stub /nix/store/q0881awy50g4srnnwasci37y2jk5sf99-systemd-249.5/lib/systemd/boot/efi/linuxx64.efi.stub

and this is just ~50. These should probably be passed as a file.

Update existing generators to utilize `boot.json`

Ref: https://github.com/DeterminateSystems/collab/issues/16.

rebase action of your nixpkgs fork fails

https://github.com/DeterminateSystems/nixpkgs/actions/runs/3086507928

Update the generator and/or installer to use the new bootspec crate

(blocked by #17)

Document everything

Waiting for things to not be in so much flux before I dedicate time to writing documentation, so as to prevent wasting time and energy.

Split out a tool for generating a boot.json document from an existing generation

Implement GitHub Actions for CI

Validate things like cargo build, cargo test, cargo fmt, etc.

Experiment with a "hook" phase

To allow mutation of the files that will be installed prior to actually being copied to their final destination.

EFI files should be moved to a temporary directory (not on the ESP) one-by-one

Moving them all to the ESP at once uses an undesirably large amount of space -- it would be much more reasonable to move them one at a time.

Add a contributing document

Should have a checkbox for "pls add/update tests" and "pls add/update docs" (which includes a README).

fwupdd breaks bootloader installation

Skipping "/boot/EFI/systemd/systemd-bootx64.efi", since same boot loader version in place already.
Skipping "/boot/EFI/BOOT/BOOTX64.EFI", since same boot loader version in place already.
Error: Os { code: 21, kind: IsADirectory, message: "Is a directory" }
...
grahamc@hyperchicken:~/projects/github.com/grahamc/hyperchicken/ > ls /boot/EFI/nixos/fw
fwupd-e8292593-e66e-4878-b051-f152535ab130.cap

it seems to be trying to delete the fw directory.

Support `bootctl install`

This way first-time users have a usable boot

Port `installer` to `clap-v3`

Automatic --help generation is nice because then I don't have to...

Support booting through a signed shim

As an initial step towards full compatibility with Microsoft keys.

Don't read and write to the same exact filename when signing

https://github.com/DeterminateSystems/bootspec/blob/e0394a0c805b92fb07dfeb488454f0a8dea6efb6/installer/src/secure_boot.rs#L23-L25

Create an example which uses secureboot

Modify module to make secure boot easier (document + options); add usage to readme; links to resources

Removing old files by `installer` fails when it encounteres a directory

Installer fails to remove old leftover directories when it's removing old files from ESP.

++ mktemp -d -t tmp.XXXXXXXXXX
+ scratch=/tmp/tmp.tSP6NVgf2Z
+ trap finish EXIT
+ cd /tmp/tmp.tSP6NVgf2Z
+ /nix/store/qnzhdp1kkkjg28gfmvfj1p45jws88ffi-bootspec-secureboot-unreleased/bin/generator /nix/var/nix/profiles/system-28-link /nix/var/nix/profiles/system-29-link /nix/var/nix/profiles/system-30-link /nix/var/nix/profiles/system-31-link /nix/var/nix/profiles/system-32-link /nix/var/nix/profiles/system-33-link /nix/var/nix/profiles/system-34-link /nix/var/nix/profiles/system-35-link /nix/var/nix/profiles/system-36-link /nix/var/nix/profiles/system-37-link /nix/var/nix/profiles/system-38-link /nix/var/nix/profiles/system-39-link /nix/var/nix/profiles/system-40-link /nix/var/nix/profiles/system-41-link /nix/var/nix/profiles/system-42-link /nix/var/nix/profiles/system-43-link /nix/var/nix/profiles/system-44-link /nix/var/nix/profiles/system-45-link /nix/var/nix/profiles/system-46-link /nix/var/nix/profiles/system-47-link /nix/var/nix/profiles/system-48-link /nix/var/nix/profiles/system-49-link /nix/var/nix/profiles/system-50-link /nix/var/nix/profiles/system-51-link /nix/var/nix/profiles/system-52-link /nix/var/nix/profiles/system-53-link /nix/var/nix/profiles/system-54-link /nix/var/nix/profiles/system-55-link /nix/var/nix/profiles/system-56-link /nix/var/nix/profiles/system-57-link /nix/var/nix/profiles/system-58-link /nix/var/nix/profiles/system-59-link /nix/var/nix/profiles/system-60-link /nix/var/nix/profiles/system-61-link /nix/var/nix/profiles/system-62-link /nix/var/nix/profiles/system-63-link /nix/var/nix/profiles/system-64-link --systemd-machine-id-setup /nix/store/h8gadrivdrl2rh71v38ly22ihmffl6k0-systemd-250.4/bin/systemd-machine-id-setup --unified-efi --objcopy /nix/store/cz52w8xf3i1d3xvzpzd9abf7rvpl9017-binutils-2.38/bin/objcopy --systemd-efi-stub /nix/store/h8gadrivdrl2rh71v38ly22ihmffl6k0-systemd-250.4/lib/systemd/boot/efi/linuxx64.efi.stub
+ /nix/store/qnzhdp1kkkjg28gfmvfj1p45jws88ffi-bootspec-secureboot-unreleased/bin/installer --toplevel=/nix/store/q2ja0jrcgxbwbfhn4yhfj40718m8h8yn-nixos-system-microlith-22.11pre-git --verbosity --verbosity --verbosity --verbosity --esp /boot --console-mode 1 --timeout 5 --bootctl /nix/store/h8gadrivdrl2rh71v38ly22ihmffl6k0-systemd-250.4/bin/bootctl --generated-entries ./systemd-boot-entries --signing-key /home/ar/secureboot-v2/DB.key --signing-cert /home/ar/secureboot-v2/DB.crt --unified-efi --sbsign /nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign --sbverify /nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbverify
TRACE beginning systemd-boot install process
DEBUG dry_run? false
TRACE getting list of generations
DEBUG generations_len: 37
TRACE started updating / installing
TRACE updating systemd-boot
TRACE checking systemd version
DEBUG running `/nix/store/h8gadrivdrl2rh71v38ly22ihmffl6k0-systemd-250.4/bin/bootctl` with args `["--version"]`
TRACE parsing `bootctl --version` output
INFO  updating systemd-boot to 250.4
DEBUG running `/nix/store/h8gadrivdrl2rh71v38ly22ihmffl6k0-systemd-250.4/bin/bootctl` with args `["update", "--path", "/boot"]`
Skipping "/boot/EFI/systemd/systemd-bootx64.efi", since same boot loader version in place already.
Skipping "/boot/EFI/BOOT/BOOTX64.EFI", since same boot loader version in place already.
INFO  failed to run `/nix/store/h8gadrivdrl2rh71v38ly22ihmffl6k0-systemd-250.4/bin/bootctl` with args `["update", "--path", "/boot"]`
TRACE signing efi files
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "/boot/EFI/systemd/systemd-bootx64.efi", "/boot/EFI/systemd/systemd-bootx64.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "/boot/EFI/BOOT/BOOTX64.EFI", "/boot/EFI/BOOT/BOOTX64.EFI"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/00b0yk20k0qmh3wyh4w802ps54v9lwq7.efi", "systemd-boot-entries/EFI/nixos/00b0yk20k0qmh3wyh4w802ps54v9lwq7.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/0kn672c9y65p68kdb7r83y8pq1s5g44a.efi", "systemd-boot-entries/EFI/nixos/0kn672c9y65p68kdb7r83y8pq1s5g44a.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/14b96yxd7rbb0cxry7mpb8hrjambdwfm.efi", "systemd-boot-entries/EFI/nixos/14b96yxd7rbb0cxry7mpb8hrjambdwfm.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/293qqca77k4gslvs4v0jkz5flv306gfn.efi", "systemd-boot-entries/EFI/nixos/293qqca77k4gslvs4v0jkz5flv306gfn.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/2i9cv6ifrlckminpznscc569zva0jacg.efi", "systemd-boot-entries/EFI/nixos/2i9cv6ifrlckminpznscc569zva0jacg.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/3chi1ab8zhyxdhdhxqw7af75fijmqn3z.efi", "systemd-boot-entries/EFI/nixos/3chi1ab8zhyxdhdhxqw7af75fijmqn3z.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/48dsp780d7bib0lk534dwifl5532yxrd.efi", "systemd-boot-entries/EFI/nixos/48dsp780d7bib0lk534dwifl5532yxrd.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/4hryhkrm46lvr9lh64agrrhc01cmsqzj.efi", "systemd-boot-entries/EFI/nixos/4hryhkrm46lvr9lh64agrrhc01cmsqzj.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/5b1gk77xalnzmdm3csybj5x5p16ffldj.efi", "systemd-boot-entries/EFI/nixos/5b1gk77xalnzmdm3csybj5x5p16ffldj.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/66id2rw27x38908fm8s59km8zqqpkp9p.efi", "systemd-boot-entries/EFI/nixos/66id2rw27x38908fm8s59km8zqqpkp9p.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/7fwmfly76w9dvfd5jpk7ppg5rxfa681m.efi", "systemd-boot-entries/EFI/nixos/7fwmfly76w9dvfd5jpk7ppg5rxfa681m.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/82k0ikc39zihq6ff7p2ycrjj9plplsiz.efi", "systemd-boot-entries/EFI/nixos/82k0ikc39zihq6ff7p2ycrjj9plplsiz.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/8j38i3lfjill907bh2b85243sx729lgs.efi", "systemd-boot-entries/EFI/nixos/8j38i3lfjill907bh2b85243sx729lgs.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/a302yg31yj7fgqi48s0lya13ssbrh8pw.efi", "systemd-boot-entries/EFI/nixos/a302yg31yj7fgqi48s0lya13ssbrh8pw.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/agf0w2ii59y1dvs82fqqjf6b20lv2xmh.efi", "systemd-boot-entries/EFI/nixos/agf0w2ii59y1dvs82fqqjf6b20lv2xmh.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/b671vaqnqdfw7qbsd7ma8svy4ai6qn2v.efi", "systemd-boot-entries/EFI/nixos/b671vaqnqdfw7qbsd7ma8svy4ai6qn2v.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/d16rgfn451nnz67ljv9rn9hw9s80wik3.efi", "systemd-boot-entries/EFI/nixos/d16rgfn451nnz67ljv9rn9hw9s80wik3.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/dsbgv9hw9xsllfd3k89fw72cqk6hv9ba.efi", "systemd-boot-entries/EFI/nixos/dsbgv9hw9xsllfd3k89fw72cqk6hv9ba.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/hgqziwyfqz4jwkr0s0ysnrh1gyz8kwbx.efi", "systemd-boot-entries/EFI/nixos/hgqziwyfqz4jwkr0s0ysnrh1gyz8kwbx.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/ig9jpgi8rdw5n0z1aly0jqrcbmz8vm76.efi", "systemd-boot-entries/EFI/nixos/ig9jpgi8rdw5n0z1aly0jqrcbmz8vm76.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/jmpsgf7ah5p4p491ddfyn0y5a4vvy5aw.efi", "systemd-boot-entries/EFI/nixos/jmpsgf7ah5p4p491ddfyn0y5a4vvy5aw.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/k2igvsg04mcx3jm5x7yv24xfl4y20r0h.efi", "systemd-boot-entries/EFI/nixos/k2igvsg04mcx3jm5x7yv24xfl4y20r0h.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/lsfy86y4kyxr4l3a358vgzjzl4w0pgn0.efi", "systemd-boot-entries/EFI/nixos/lsfy86y4kyxr4l3a358vgzjzl4w0pgn0.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/n38jg7v663w93rblq4szw8f53kipm84q.efi", "systemd-boot-entries/EFI/nixos/n38jg7v663w93rblq4szw8f53kipm84q.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/nxh0dxh8xld9nxzgfvmil5k1acxj2mmb.efi", "systemd-boot-entries/EFI/nixos/nxh0dxh8xld9nxzgfvmil5k1acxj2mmb.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/q2ja0jrcgxbwbfhn4yhfj40718m8h8yn.efi", "systemd-boot-entries/EFI/nixos/q2ja0jrcgxbwbfhn4yhfj40718m8h8yn.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/rnmr98wr5pg72ix86dnzhwa3cbinrrj4.efi", "systemd-boot-entries/EFI/nixos/rnmr98wr5pg72ix86dnzhwa3cbinrrj4.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/sd7md1qh0zvcs7dm7c3nsjwlb40s365y.efi", "systemd-boot-entries/EFI/nixos/sd7md1qh0zvcs7dm7c3nsjwlb40s365y.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/srvfxhl2aqslhqw5py3xm4vayzxk0fmb.efi", "systemd-boot-entries/EFI/nixos/srvfxhl2aqslhqw5py3xm4vayzxk0fmb.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/sw2ckr7vm80z0glqv7yk9z0pcjpa3rhb.efi", "systemd-boot-entries/EFI/nixos/sw2ckr7vm80z0glqv7yk9z0pcjpa3rhb.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/v96s29hqxmvaap4x5kzax0430iy61yq3.efi", "systemd-boot-entries/EFI/nixos/v96s29hqxmvaap4x5kzax0430iy61yq3.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/vgnsnsw4c1sxbrv0i835f6cdylpshzdc.efi", "systemd-boot-entries/EFI/nixos/vgnsnsw4c1sxbrv0i835f6cdylpshzdc.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/w4fnxcjij33pq3hilnvvdn2l1qyj3rn4.efi", "systemd-boot-entries/EFI/nixos/w4fnxcjij33pq3hilnvvdn2l1qyj3rn4.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/wy916wjf1w08k88j4ww38pr26p4x733a.efi", "systemd-boot-entries/EFI/nixos/wy916wjf1w08k88j4ww38pr26p4x733a.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/x8d4qm02inmpch4n8w9jbzkix51jbi4v.efi", "systemd-boot-entries/EFI/nixos/x8d4qm02inmpch4n8w9jbzkix51jbi4v.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/yv2l4pwlhyv477mm5hydy17mw0lv2sbc.efi", "systemd-boot-entries/EFI/nixos/yv2l4pwlhyv477mm5hydy17mw0lv2sbc.efi"]`
DEBUG running `/nix/store/8z8i2aszlahiscd3izhprya25fvr6dsf-sbsigntool-0.9.4/bin/sbsign` with args `["--key", "/home/ar/secureboot-v2/DB.key", "--cert", "/home/ar/secureboot-v2/DB.crt", "--output", "systemd-boot-entries/EFI/nixos/z23nzk8f6qk44pan8cys2a4z84lvy1dv.efi", "systemd-boot-entries/EFI/nixos/z23nzk8f6qk44pan8cys2a4z84lvy1dv.efi"]`
TRACE pruning paths: ["./systemd-boot-entries", "/boot"]
DEBUG removing old entries / kernels / initrds from './systemd-boot-entries'
TRACE removing old files
DEBUG calculating required filenames
TRACE required files calculated: [
    "srvfxhl2aqslhqw5py3xm4vayzxk0fmb.efi",
    "nixos-generation-28.conf",
    "293qqca77k4gslvs4v0jkz5flv306gfn.efi",
    "nixos-generation-29.conf",
    "jmpsgf7ah5p4p491ddfyn0y5a4vvy5aw.efi",
    "nixos-generation-30.conf",
    "sd7md1qh0zvcs7dm7c3nsjwlb40s365y.efi",
    "nixos-generation-31.conf",
    "8j38i3lfjill907bh2b85243sx729lgs.efi",
    "nixos-generation-32.conf",
    "00b0yk20k0qmh3wyh4w802ps54v9lwq7.efi",
    "nixos-generation-33.conf",
    "v96s29hqxmvaap4x5kzax0430iy61yq3.efi",
    "nixos-generation-34.conf",
    "x8d4qm02inmpch4n8w9jbzkix51jbi4v.efi",
    "nixos-generation-35.conf",
    "z23nzk8f6qk44pan8cys2a4z84lvy1dv.efi",
    "nixos-generation-36.conf",
    "yv2l4pwlhyv477mm5hydy17mw0lv2sbc.efi",
    "nixos-generation-37.conf",
    "rnmr98wr5pg72ix86dnzhwa3cbinrrj4.efi",
    "nixos-generation-38.conf",
    "ig9jpgi8rdw5n0z1aly0jqrcbmz8vm76.efi",
    "nixos-generation-39.conf",
    "48dsp780d7bib0lk534dwifl5532yxrd.efi",
    "nixos-generation-40.conf",
    "4hryhkrm46lvr9lh64agrrhc01cmsqzj.efi",
    "nixos-generation-41.conf",
    "66id2rw27x38908fm8s59km8zqqpkp9p.efi",
    "nixos-generation-42.conf",
    "b671vaqnqdfw7qbsd7ma8svy4ai6qn2v.efi",
    "nixos-generation-43.conf",
    "a302yg31yj7fgqi48s0lya13ssbrh8pw.efi",
    "nixos-generation-44.conf",
    "dsbgv9hw9xsllfd3k89fw72cqk6hv9ba.efi",
    "nixos-generation-45.conf",
    "14b96yxd7rbb0cxry7mpb8hrjambdwfm.efi",
    "nixos-generation-46.conf",
    "agf0w2ii59y1dvs82fqqjf6b20lv2xmh.efi",
    "nixos-generation-47.conf",
    "lsfy86y4kyxr4l3a358vgzjzl4w0pgn0.efi",
    "nixos-generation-48.conf",
    "5b1gk77xalnzmdm3csybj5x5p16ffldj.efi",
    "nixos-generation-49.conf",
    "nxh0dxh8xld9nxzgfvmil5k1acxj2mmb.efi",
    "nixos-generation-50.conf",
    "k2igvsg04mcx3jm5x7yv24xfl4y20r0h.efi",
    "nixos-generation-51.conf",
    "vgnsnsw4c1sxbrv0i835f6cdylpshzdc.efi",
    "nixos-generation-52.conf",
    "sw2ckr7vm80z0glqv7yk9z0pcjpa3rhb.efi",
    "nixos-generation-53.conf",
    "hgqziwyfqz4jwkr0s0ysnrh1gyz8kwbx.efi",
    "nixos-generation-54.conf",
    "3chi1ab8zhyxdhdhxqw7af75fijmqn3z.efi",
    "nixos-generation-55.conf",
    "n38jg7v663w93rblq4szw8f53kipm84q.efi",
    "nixos-generation-56.conf",
    "wy916wjf1w08k88j4ww38pr26p4x733a.efi",
    "nixos-generation-57.conf",
    "0kn672c9y65p68kdb7r83y8pq1s5g44a.efi",
    "nixos-generation-58.conf",
    "82k0ikc39zihq6ff7p2ycrjj9plplsiz.efi",
    "nixos-generation-59.conf",
    "d16rgfn451nnz67ljv9rn9hw9s80wik3.efi",
    "nixos-generation-60.conf",
    "7fwmfly76w9dvfd5jpk7ppg5rxfa681m.efi",
    "nixos-generation-61.conf",
    "2i9cv6ifrlckminpznscc569zva0jacg.efi",
    "nixos-generation-62.conf",
    "w4fnxcjij33pq3hilnvvdn2l1qyj3rn4.efi",
    "nixos-generation-63.conf",
    "q2ja0jrcgxbwbfhn4yhfj40718m8h8yn.efi",
    "nixos-generation-64.conf",
]
DEBUG removing old entries
DEBUG removing old kernels / initrds
DEBUG removing old entries / kernels / initrds from '/boot'
TRACE removing old files
DEBUG calculating required filenames
TRACE required files calculated: [
    "srvfxhl2aqslhqw5py3xm4vayzxk0fmb.efi",
    "nixos-generation-28.conf",
    "293qqca77k4gslvs4v0jkz5flv306gfn.efi",
    "nixos-generation-29.conf",
    "jmpsgf7ah5p4p491ddfyn0y5a4vvy5aw.efi",
    "nixos-generation-30.conf",
    "sd7md1qh0zvcs7dm7c3nsjwlb40s365y.efi",
    "nixos-generation-31.conf",
    "8j38i3lfjill907bh2b85243sx729lgs.efi",
    "nixos-generation-32.conf",
    "00b0yk20k0qmh3wyh4w802ps54v9lwq7.efi",
    "nixos-generation-33.conf",
    "v96s29hqxmvaap4x5kzax0430iy61yq3.efi",
    "nixos-generation-34.conf",
    "x8d4qm02inmpch4n8w9jbzkix51jbi4v.efi",
    "nixos-generation-35.conf",
    "z23nzk8f6qk44pan8cys2a4z84lvy1dv.efi",
    "nixos-generation-36.conf",
    "yv2l4pwlhyv477mm5hydy17mw0lv2sbc.efi",
    "nixos-generation-37.conf",
    "rnmr98wr5pg72ix86dnzhwa3cbinrrj4.efi",
    "nixos-generation-38.conf",
    "ig9jpgi8rdw5n0z1aly0jqrcbmz8vm76.efi",
    "nixos-generation-39.conf",
    "48dsp780d7bib0lk534dwifl5532yxrd.efi",
    "nixos-generation-40.conf",
    "4hryhkrm46lvr9lh64agrrhc01cmsqzj.efi",
    "nixos-generation-41.conf",
    "66id2rw27x38908fm8s59km8zqqpkp9p.efi",
    "nixos-generation-42.conf",
    "b671vaqnqdfw7qbsd7ma8svy4ai6qn2v.efi",
    "nixos-generation-43.conf",
    "a302yg31yj7fgqi48s0lya13ssbrh8pw.efi",
    "nixos-generation-44.conf",
    "dsbgv9hw9xsllfd3k89fw72cqk6hv9ba.efi",
    "nixos-generation-45.conf",
    "14b96yxd7rbb0cxry7mpb8hrjambdwfm.efi",
    "nixos-generation-46.conf",
    "agf0w2ii59y1dvs82fqqjf6b20lv2xmh.efi",
    "nixos-generation-47.conf",
    "lsfy86y4kyxr4l3a358vgzjzl4w0pgn0.efi",
    "nixos-generation-48.conf",
    "5b1gk77xalnzmdm3csybj5x5p16ffldj.efi",
    "nixos-generation-49.conf",
    "nxh0dxh8xld9nxzgfvmil5k1acxj2mmb.efi",
    "nixos-generation-50.conf",
    "k2igvsg04mcx3jm5x7yv24xfl4y20r0h.efi",
    "nixos-generation-51.conf",
    "vgnsnsw4c1sxbrv0i835f6cdylpshzdc.efi",
    "nixos-generation-52.conf",
    "sw2ckr7vm80z0glqv7yk9z0pcjpa3rhb.efi",
    "nixos-generation-53.conf",
    "hgqziwyfqz4jwkr0s0ysnrh1gyz8kwbx.efi",
    "nixos-generation-54.conf",
    "3chi1ab8zhyxdhdhxqw7af75fijmqn3z.efi",
    "nixos-generation-55.conf",
    "n38jg7v663w93rblq4szw8f53kipm84q.efi",
    "nixos-generation-56.conf",
    "wy916wjf1w08k88j4ww38pr26p4x733a.efi",
    "nixos-generation-57.conf",
    "0kn672c9y65p68kdb7r83y8pq1s5g44a.efi",
    "nixos-generation-58.conf",
    "82k0ikc39zihq6ff7p2ycrjj9plplsiz.efi",
    "nixos-generation-59.conf",
    "d16rgfn451nnz67ljv9rn9hw9s80wik3.efi",
    "nixos-generation-60.conf",
    "7fwmfly76w9dvfd5jpk7ppg5rxfa681m.efi",
    "nixos-generation-61.conf",
    "2i9cv6ifrlckminpznscc569zva0jacg.efi",
    "nixos-generation-62.conf",
    "w4fnxcjij33pq3hilnvvdn2l1qyj3rn4.efi",
    "nixos-generation-63.conf",
    "q2ja0jrcgxbwbfhn4yhfj40718m8h8yn.efi",
    "nixos-generation-64.conf",
]
DEBUG removing old entries
DEBUG removing old kernels / initrds
TRACE removing kernel/initrd file "/boot/EFI/nixos/.extra-files"
Error: Os { code: 21, kind: IsADirectory, message: "Is a directory" }
+ finish
+ rm -rf /tmp/tmp.tSP6NVgf2Z
Error while activating new configuration.

On a side note, the error message without extra --verbosity isn't very helpful - doesn't say what was the problematic file name.

bootspec-secureboot/installer/src/systemd_boot/mod.rs

Lines 168 to 171 in 222da4e

    
           if !required_filenames.iter().any(|e| e == name) { 
        
               trace!("removing kernel/initrd file {:?}", f); 
        
               fs::remove_file(f)?; 
        
           }

bootspec-secureboot/installer/src/systemd_boot/mod.rs

Lines 157 to 160 in 222da4e

    
           if !required_filenames.iter().any(|e| e == name) { 
        
               trace!("removing entry file {:?}", f); 
        
               fs::remove_file(f)?; 
        
           }

No more unwraps or expects

Also, there should probably be some better error handling -- would be nice if there was some way to differentiate between fatal and not-so-fatal errors.

Originally posted by @cole-h in #1 (comment)

If we have a lot of potentially-non-fatal errors, maybe we could change return signatures to be Result<(), Vec<Error>>, and report all non-fatal errors at the end?

Update the systemd generator to use boot.json

Bootspec-secureboot cannot generate bootable EFI executables with systemd 254.

Bootspec-secureboot cannot work with systemd 254.3 and the newest master branch of nixpkgs. The generated unified kernel images are no longer valid. This may be caused by some updates of systemd-stub, see also systemd/systemd#28419 and dracutdevs/dracut#2431. Seems like the offset of cpio archives when doing objdump should be altered.
Relavent code.

Create `boot.json` document in `config.system.build.toplevel` output

Ref: https://github.com/DeterminateSystems/collab/issues/16.

Structure based on: https://gist.github.com/cole-h/2ef35178b30e0e5690bdaa3b78c574a1#file-all-ideas-rs-L155-L184

Get most of the data at eval time rather than through jq build steps -- will likely mean some stuff absconding from the generation data structure (e.g. build_time and generation).

	if !required_filenames.iter().any(\|e\| e == name) {
	trace!("removing kernel/initrd file {:?}", f);
	fs::remove_file(f)?;
	}

	if !required_filenames.iter().any(\|e\| e == name) {
	trace!("removing entry file {:?}", f);
	fs::remove_file(f)?;
	}

determinatesystems / bootspec-secureboot Goto Github PK

bootspec-secureboot's People

Contributors

Stargazers

Watchers

Forkers

bootspec-secureboot's Issues

Recommend Projects

Recommend Topics

Recommend Org