|
48 | 48 | pkgs.binutils |
49 | 49 | ] |
50 | 50 | ++ lib.optionals (boot == "BIOS") [ pkgs.gptfdisk ]; |
51 | | - text = lib.concatStrings [ |
52 | | - # Set environment |
53 | | - '' |
54 | | - boot_json=/nix/var/nix/profiles/system/boot.json |
55 | | - kernel=$(jq -r '."org.nixos.bootspec.v1".kernel' "$boot_json") |
56 | | - initrd=$(jq -r '."org.nixos.bootspec.v1".initrd' "$boot_json") |
57 | | - init=$(jq -r '."org.nixos.bootspec.v1".init' "$boot_json") |
58 | | - kernelParams=$(jq -r '."org.nixos.bootspec.v1".kernelParams | join(" ")' "$boot_json") |
59 | | -
|
60 | | - esp=/boot |
61 | | - tmp=$(mktemp -d) |
62 | | - '' |
63 | | -
|
64 | | - # Build UKI |
65 | | - '' |
66 | | - ukify build \ |
67 | | - --linux="$kernel" \ |
68 | | - --initrd="$initrd" \ |
69 | | - --cmdline="init=$init $kernelParams" \ |
70 | | - --uname "${config.boot.kernelPackages.kernel.modDirVersion}" \ |
71 | | - --os-release "@${config.system.build.etc}/etc/os-release" \ |
72 | | - --output="$tmp/uki.efi" |
73 | | - '' |
74 | | -
|
75 | | - # Sign UKI |
76 | | - '' |
77 | | - sbctl sign "$tmp/uki.efi" |
78 | | - '' |
79 | | -
|
80 | | - # Clean up ESP |
81 | | - '' |
82 | | - rm -rf "''${esp:?}/*" |
83 | | - '' |
84 | | -
|
85 | | - # Move UKI to ESP |
86 | | - '' |
87 | | - mkdir -p "$esp/EFI/BOOT" |
88 | | - mv "$tmp/uki.efi" "$esp/EFI/BOOT/BOOT${lib.toUpper config.nixpkgs.hostPlatform.efiArch}.EFI" |
89 | | - '' |
90 | | -
|
91 | | - # Emulate UEFI on BIOS to allow UKI booting |
92 | | - # https://github.com/NixOS/nixpkgs/issues/124132 |
93 | | - # https://wiki.archlinux.org/title/Clover#chainload_systemd-boot |
94 | | - (lib.optionalString (boot == "BIOS") '' |
95 | | - clover=${ |
96 | | - let |
97 | | - version = "5165"; |
98 | | - in |
99 | | - pkgs.fetchzip { |
100 | | - name = "clover-${version}"; |
101 | | - url = "https://github.com/CloverHackyColor/CloverBootloader/releases/download/${version}/CloverV2-${version}.zip"; |
102 | | - sha256 = "sha256-KbaSQMJWNkBwdFKbYALCTfw0XcL5Cnfb2uIDzLdiLI0="; |
| 51 | + text = |
| 52 | + let |
| 53 | + arch = lib.toUpper config.nixpkgs.hostPlatform.efiArch; |
| 54 | + in |
| 55 | + lib.concatStrings [ |
| 56 | + # Set environment |
| 57 | + '' |
| 58 | + boot_json=/nix/var/nix/profiles/system/boot.json |
| 59 | + kernel=$(jq -r '."org.nixos.bootspec.v1".kernel' "$boot_json") |
| 60 | + initrd=$(jq -r '."org.nixos.bootspec.v1".initrd' "$boot_json") |
| 61 | + init=$(jq -r '."org.nixos.bootspec.v1".init' "$boot_json") |
| 62 | + kernelParams=$(jq -r '."org.nixos.bootspec.v1".kernelParams | join(" ")' "$boot_json") |
| 63 | +
|
| 64 | + esp=/boot |
| 65 | + tmp=$(mktemp -d) |
| 66 | + '' |
| 67 | +
|
| 68 | + # Build UKI |
| 69 | + '' |
| 70 | + ukify build \ |
| 71 | + --linux="$kernel" \ |
| 72 | + --initrd="$initrd" \ |
| 73 | + --cmdline="init=$init $kernelParams" \ |
| 74 | + --uname "${config.boot.kernelPackages.kernel.modDirVersion}" \ |
| 75 | + --os-release "@${config.system.build.etc}/etc/os-release" \ |
| 76 | + --output="$tmp/uki.efi" |
| 77 | + '' |
| 78 | +
|
| 79 | + # Sign UKI |
| 80 | + '' |
| 81 | + sbctl sign "$tmp/uki.efi" |
| 82 | + '' |
| 83 | +
|
| 84 | + # Clean up ESP |
| 85 | + '' |
| 86 | + rm -rf "''${esp:?}/*" |
| 87 | + '' |
| 88 | +
|
| 89 | + # Move UKI to ESP |
| 90 | + '' |
| 91 | + mkdir -p "$esp/EFI/BOOT" |
| 92 | + mv "$tmp/uki.efi" "$esp/EFI/BOOT/BOOT${arch}.EFI" |
| 93 | + '' |
| 94 | +
|
| 95 | + # Emulate UEFI on BIOS to allow UKI booting |
| 96 | + # https://github.com/NixOS/nixpkgs/issues/124132 |
| 97 | + # https://wiki.archlinux.org/title/Clover#chainload_systemd-boot |
| 98 | + (lib.optionalString (boot == "BIOS") '' |
| 99 | + oc=${ |
| 100 | + let |
| 101 | + version = "1.0.6"; |
| 102 | + in |
| 103 | + pkgs.fetchzip { |
| 104 | + name = "open-core-${version}"; |
| 105 | + url = "https://github.com/acidanthera/OpenCorePkg/releases/download/${version}/OpenCore-${version}-RELEASE.zip"; |
| 106 | + sha256 = "sha256-+YcwRZ4mbbyh4Ivbk1bzLPFLlYtKUON0n+Co0+cp8c8="; |
| 107 | + stripRoot = false; |
| 108 | + } |
103 | 109 | } |
104 | | - } |
105 | | - boot0=$clover/BootSectors/boot0af |
106 | | - boot1=$clover/BootSectors/boot1f32 |
107 | | - boot2=$clover/Bootloaders/x64/boot7 |
108 | | - disks=(${ |
109 | | - lib.concatStringsSep " " (map (disk: disk.device) (lib.attrValues config.disko.devices.disk)) |
110 | | - }) |
111 | | -
|
112 | | - for disk in "''${disks[@]}"; do |
113 | | - partition="1" |
114 | | - case "$disk" in |
115 | | - *nvme*|*mmcblk*) |
116 | | - part="''${disk}p''${partition}" |
117 | | - ;; |
118 | | - *) |
119 | | - part="''${disk}''${partition}" |
120 | | - ;; |
121 | | - esac |
122 | | -
|
123 | | - sgdisk --attributes="''${partition}:set:2" "$disk" |
124 | | -
|
125 | | - dd if="$boot0" of="$disk" bs=1 count=440 conv=notrunc |
126 | | -
|
127 | | - cp "$boot1" "$tmp/new_PBR" |
128 | | - dd if="$part" of="$tmp/original_PBR" bs=512 count=1 conv=notrunc |
129 | | - dd if="$tmp/original_PBR" of="$tmp/new_PBR" skip=3 seek=3 bs=1 count=87 conv=notrunc |
130 | | - dd if="$tmp/new_PBR" of="$part" bs=512 count=1 conv=notrunc |
131 | | - rm "$tmp/new_PBR" "$tmp/original_PBR" |
132 | | - done |
133 | | -
|
134 | | - cp $boot2 "$esp/boot" |
135 | | - mkdir -p "$esp/EFI" |
136 | | - cp -a "$clover/EFI/CLOVER" "$esp/EFI/CLOVER" |
137 | | - cat << EOF > "$esp/EFI/CLOVER/config.plist" |
138 | | - <?xml version="1.0" encoding="UTF-8"?> |
139 | | - <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"> |
140 | | - <plist version="1.0"> |
141 | | - <dict> |
142 | | - <key>Boot</key> |
| 110 | + boot0=$oc/Utilities/LegacyBoot/boot0 |
| 111 | + boot1=$oc/Utilities/LegacyBoot/boot1f32 |
| 112 | + boot2=$oc/Utilities/LegacyBoot/boot${arch}-blockio |
| 113 | + disks=(${ |
| 114 | + lib.concatStringsSep " " (map (disk: disk.device) (lib.attrValues config.disko.devices.disk)) |
| 115 | + }) |
| 116 | +
|
| 117 | + for disk in "''${disks[@]}"; do |
| 118 | + partition="1" |
| 119 | + case "$disk" in |
| 120 | + *nvme*|*mmcblk*) |
| 121 | + part="''${disk}p''${partition}" |
| 122 | + ;; |
| 123 | + *) |
| 124 | + part="''${disk}''${partition}" |
| 125 | + ;; |
| 126 | + esac |
| 127 | +
|
| 128 | + sgdisk --attributes="''${partition}:set:2" "$disk" |
| 129 | +
|
| 130 | + dd if="$boot0" of="$disk" bs=1 count=446 conv=notrunc |
| 131 | +
|
| 132 | + cp "$boot1" "$tmp/new_PBR" |
| 133 | + dd if="$part" of="$tmp/original_PBR" count=1 |
| 134 | + dd if="$tmp/original_PBR" of="$tmp/new_PBR" skip=3 seek=3 bs=1 count=87 conv=notrunc |
| 135 | + dd if=/dev/random of="$tmp/new_PBR" skip=496 seek=496 bs=1 count=14 conv=notrunc |
| 136 | + dd if="$tmp/new_PBR" of="$part" |
| 137 | + rm "$tmp/new_PBR" "$tmp/original_PBR" |
| 138 | + done |
| 139 | +
|
| 140 | + cp $boot2 "$esp/boot" |
| 141 | + mkdir -p "$esp/EFI" |
| 142 | + cp -a "$oc/${arch}/EFI/OC" "$esp/EFI/OC" |
| 143 | + cat << EOF > "$esp/EFI/OC/config.plist" |
| 144 | + <?xml version="1.0" encoding="UTF-8"?> |
| 145 | + <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" |
| 146 | + "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> |
| 147 | + <plist version="1.0"> |
143 | 148 | <dict> |
144 | | - <key>DefaultVolume</key> |
145 | | - <string>EFI</string> |
146 | | - <key>DefaultLoader</key> |
147 | | - <string>\EFI\BOOT\BOOT${lib.toUpper config.nixpkgs.hostPlatform.efiArch}.EFI</string> |
148 | | - <key>Fast</key> |
149 | | - <true/> |
| 149 | + <key>Misc</key> |
| 150 | + <dict> |
| 151 | + <key>BlessOverride</key> |
| 152 | + <array> |
| 153 | + <string>\EFI\BOOT\BOOT${arch}.EFI</string> |
| 154 | + </array> |
| 155 | +
|
| 156 | + <key>Boot</key> |
| 157 | + <dict> |
| 158 | + <key>ShowPicker</key> |
| 159 | + <true/> |
| 160 | + <key>PickerMode</key> |
| 161 | + <string>External</string> |
| 162 | + </dict> |
| 163 | +
|
| 164 | + <key>Security</key> |
| 165 | + <dict> |
| 166 | + <key>ScanPolicy</key> |
| 167 | + <integer>0</integer> |
| 168 | + </dict> |
| 169 | + </dict> |
150 | 170 | </dict> |
151 | | - <key>GUI</key> |
152 | | - <dict> |
153 | | - <key>Custom</key> |
154 | | - <dict> |
155 | | - <key>Entries</key> |
156 | | - <array> |
157 | | - <dict> |
158 | | - <key>Hidden</key> |
159 | | - <false/> |
160 | | - <key>Disabled</key> |
161 | | - <false/> |
162 | | - <key>Volume</key> |
163 | | - <string>EFI</string> |
164 | | - <key>Path</key> |
165 | | - <string>\EFI\BOOT\BOOT${lib.toUpper config.nixpkgs.hostPlatform.efiArch}.EFI</string> |
166 | | - <key>Title</key> |
167 | | - <string>XnodeOS</string> |
168 | | - <key>Type</key> |
169 | | - <string>Linux</string> |
170 | | - </dict> |
171 | | - </array> |
172 | | - </dict> |
173 | | - </dict> |
174 | | - </dict> |
175 | | - </plist> |
176 | | - EOF |
177 | | - '') |
178 | | -
|
179 | | - # Update unattended disk decryption lock |
180 | | - (lib.optionalString (tpm == "2") '' |
181 | | - SYSTEMD_ESP_PATH="$esp" ${config.systemd.package}/lib/systemd/systemd-pcrlock make-policy --pcr=7 |
182 | | - '') |
183 | | -
|
184 | | - # Remove temporary files |
185 | | - '' |
186 | | - rm -rf "$tmp" |
187 | | - '' |
188 | | - ]; |
| 171 | + </plist> |
| 172 | + EOF |
| 173 | + '') |
| 174 | +
|
| 175 | + # Update unattended disk decryption lock |
| 176 | + (lib.optionalString (tpm == "2") '' |
| 177 | + SYSTEMD_ESP_PATH="$esp" ${config.systemd.package}/lib/systemd/systemd-pcrlock make-policy --pcr=7 |
| 178 | + '') |
| 179 | +
|
| 180 | + # Remove temporary files |
| 181 | + '' |
| 182 | + rm -rf "$tmp" |
| 183 | + '' |
| 184 | + ]; |
189 | 185 | } |
190 | 186 | )}"; |
191 | 187 | }; |
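Review bot: The ESP clean-up on new line 86, `rm -rf "''${esp:?}/*"`, keeps the `*` inside the double quotes, so the shell never expands the glob and the step removes nothing (at most a literal file named `*`); with this move from Clover to OpenCore the old `EFI/CLOVER` tree and `boot` file therefore remain on the ESP, and on a second run `cp -a "$oc/${arch}/EFI/OC" "$esp/EFI/OC"` copies into the already-existing `EFI/OC` and nests a duplicate tree under it. Move the glob outside the quotes: `rm -rf "''${esp:?}"/*`. Separately, `ScanPolicy` set to 0 in the generated config.plist disables OpenCore's device and file-system scan restrictions while `ShowPicker` is true, so the legacy-boot path will offer any attached volume to boot, and nothing in that chain is covered by the `sbctl sign` step or the PCR 7 pcrlock policy; if only the `BlessOverride` entry is meant to be bootable, set `ShowPicker` to false or keep a restrictive `ScanPolicy` instead of 0. The `boot${arch}-blockio` file name built from `lib.toUpper` should also be checked against the actual casing shipped in `Utilities/LegacyBoot`, since a lowercase `bootx64-blockio` in the archive would make `cp $boot2 "$esp/boot"` fail at run time; the enclosing attribute set that this `text` belongs to starts before the hunk.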
|