From c49522edb72a22e89e4bfdf994ce906c93546271 Mon Sep 17 00:00:00 2001
From: Jan Tojnar
Date: Tue, 7 Nov 2017 19:03:10 +0100
Subject: [PATCH] nixos/services.fwupd: allow adding trusted keys

---
 nixos/modules/services/hardware/fwupd.nix | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/services/hardware/fwupd.nix b/nixos/modules/services/hardware/fwupd.nix
index 672ecc93454..c28f5c0bbb5 100644
--- a/nixos/modules/services/hardware/fwupd.nix
+++ b/nixos/modules/services/hardware/fwupd.nix
@@ -14,6 +14,11 @@ let
       originalFiles = concatMap (d: map (f: "${d}/${f}") (listFiles "${pkgs.fwupd}/etc/${d}")) copiedDirs;
       mkEtcFile = n: nameValuePair n { source = "${pkgs.fwupd}/etc/${n}"; };
     in listToAttrs (map mkEtcFile originalFiles);
+  extraTrustedKeys =
+    let
+      mkName = p: "pki/fwupd/${baseNameOf (toString p)}";
+      mkEtcFile = p: nameValuePair (mkName p) { source = p; };
+    in listToAttrs (map mkEtcFile cfg.extraTrustedKeys);
 in {
 
   ###### interface
@@ -45,6 +50,15 @@ in {
         Allow blacklisting specific plugins
       '';
     };
+
+    extraTrustedKeys = mkOption {
+      type = types.listOf types.path;
+      default = [];
+      example = literalExample "[ /etc/nixos/fwupd/myfirmware.pem ]";
+      description = ''
+        Installing a public key allows firmware signed with a matching private key to be recognized as trusted, which may require less authentication to install than for untrusted files. By default trusted firmware can be upgraded (but not downgraded) without the user or administrator password. Only very few keys are installed by default.
+      '';
+    };
   };
 
 };
@@ -61,7 +75,7 @@ in {
           BlacklistPlugins=${lib.concatStringsSep ";" cfg.blacklistPlugins}
         '';
       };
-    } // originalEtc;
+    } // originalEtc // extraTrustedKeys;
 
     services.dbus.packages = [ pkgs.fwupd ];
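Review bot: mkName in the new extraTrustedKeys binding derives the /etc entry name from the basename alone, so two paths in cfg.extraTrustedKeys that share a filename map to the same `pki/fwupd/…` key and listToAttrs keeps only one of them without any error, meaning a key the administrator intended to trust can silently never be installed (which duplicate wins I would confirm against the Nix version in use). Since the whole point of this list is a trust decision, that failure should be loud: an assertion that `map (p: baseNameOf (toString p)) cfg.extraTrustedKeys` has no duplicates, or at minimum a comment on mkName such as `# entries are installed by basename; two keys with the same filename would collide here`. The outer `let` that this hunk extends starts before the hunk.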
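Review bot: The description of the new extraTrustedKeys option explains what trusting a key buys the user but not where the key lands or what listing one commits the administrator to, so a reader of the generated manual cannot tell that each entry is copied to `/etc/pki/fwupd/` and widens the set of firmware the daemon will install with reduced authentication. I would add a sentence along the lines of `Each key is installed into <filename>/etc/pki/fwupd/</filename>; list only keys whose private half you control or have verified, since firmware signed by them can be installed without the administrator password.` (the `.pem` example suggests PEM-encoded certificates are expected, but the accepted formats are not stated on the page and would be worth confirming and documenting). As a point of style, the description is a single very long line where the neighbouring options wrap their text.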