# Module that assembles a signed iPXE netboot chain and a local QEMU runner
# for it.  It exposes, under `system.build`: the boot menu script served over
# TFTP, the TFTP directory holding the kernel/initrd/squashfs plus detached
# CMS signatures, an iPXE binary with the signing trust anchor compiled in,
# and a qemu-kvm launcher that boots the whole chain.
{ pkgs, config, ... }:
let
  # Boot menu fetched by the embedded loader as tftp://10.0.2.2/script.ipxe.
  # TFTP has no access control, so every line below is readable by any host
  # that can reach the server.  In particular the `:loop` branch compares the
  # password collected by `login` against the literal "hunter2" before
  # granting an iPXE shell: the shell password is a hard-coded secret that
  # ships in the served file, and the only brake on guessing is the `sleep 5`
  # between attempts.  The `:normal` branch fetches kernel, initrd and root
  # squashfs with `|| goto normal` retries, then runs imgverify on each
  # against a detached signature; those imgverify lines have no fallback of
  # their own.  NOTE(review): the embed script sets `imgtrust --permanent`,
  # which presumably is what keeps an unverified image from booting here —
  # confirm that is relied upon rather than the missing `|| goto` being an
  # oversight.  `config.boot.kernelParams` is appended to the kernel command
  # line after the fixed root=/console=/panic= arguments.
  ipxe_script = pkgs.writeText "script.ipxe" ''
    #!ipxe
    :restart
    menu iPXE boot menu
    item normal Boot normally
    item loop Start iPXE shell
    item off Shutdown
    item reset Reboot
    choose --default normal --timeout 5000 res || goto restart
    goto ''${res}
    :off
    poweroff
    goto off
    :reset
    reboot
    goto reset
    :normal
    imgfree
    imgfetch tftp://10.0.2.2/kernel root=/root.squashfs console=tty0 console=ttyS0 panic=-1 ${toString config.boot.kernelParams} || goto normal
    imgfetch tftp://10.0.2.2/initrd || goto normal
    imgfetch tftp://10.0.2.2/root.squashfs root.squashfs || goto normal
    imgverify kernel tftp://10.0.2.2/kernel.sig
    imgverify initrd tftp://10.0.2.2/initrd.sig
    imgverify root.squashfs tftp://10.0.2.2/root.squashfs.sig
    imgselect kernel
    boot
    :loop
    login || goto cancelled
    iseq ''${password} hunter2 && goto is_correct ||
    echo password wrong
    sleep 5
    goto loop
    :cancelled
    echo you gave up, goodbye
    sleep 5
    poweroff
    goto cancelled
    :is_correct
    shell
  '';
  # Directory used as the TFTP root: symlinks to the built kernel, initrd and
  # root squashfs plus the boot script, each accompanied by a detached CMS
  # signature `<file>.sig` (DER, binary, no signed attributes) produced by
  # `signit`.  `-in $1` is given the symlink, which openssl follows, so the
  # signature covers the dist artefact itself.
  # Security note: `${./ca/codesign.key}` interpolates the signing *private*
  # key as a path, which copies it into the Nix store.  The store is normally
  # world-readable, so the key becomes visible to every account on the build
  # host and travels with the derivation into any binary cache it is pushed
  # to.  A key that must stay secret should not be referenced from the
  # expression this way; keep it outside the store and supply it to the
  # signing step at build time instead.
  ftpdir = pkgs.runCommand "ftpdir" { buildInputs = [ pkgs.openssl ]; } ''
    mkdir $out
    ln -sv ${config.system.build.dist}/kernel $out/
    ln -sv ${config.system.build.dist}/initrd $out/
    ln -sv ${config.system.build.dist}/root.squashfs $out/
    ln -sv ${ipxe_script} $out/script.ipxe
    function signit {
    openssl cms -sign -binary -noattr -in $1 -signer ${./ca/codesign.crt} -inkey ${./ca/codesign.key} -certfile ${./ca/root.pem} -outform DER -out ''${1}.sig
    }
    signit $out/kernel
    signit $out/initrd
    signit $out/script.ipxe
    signit $out/root.squashfs
  '';
ipxe = pkgs.lib.overrideDerivation pkgs.ipxe (x: {
script = pkgs.writeText "embed.ipxe" ''
#!ipxe
imgtrust --permanent
dhcp
imgfetch tftp://10.0.2.2/script.ipxe
imgverify script.ipxe tftp://10.0.2.2/script.ipxe.sig
chain script.ipxe
echo temporary debug shell
shell
'';
ca_cert = ./ca/root.pem;
nativeBuildInputs = x.nativeBuildInputs ++ [ pkgs.openssl ];
makeFlags = x.makeFlags ++ [
''EMBED=''${script}''
''TRUST=''${ca_cert}''
"CERT=${./ca/codesign.crt},${./ca/root.pem}"
#"bin-i386-efi/ipxe.efi" "bin-i386-efi/ipxe.efidrv"
];
enabledOptions = x.enabledOptions ++ [ "CONSOLE_SERIAL" "POWEROFF_CMD" "IMAGE_TRUST_CMD" ];
});
  # Local test launcher: boots the built iPXE image (ipxe.lkrn) under qemu-kvm
  # with 512 MiB, QEMU user-mode networking on 10.0.2.0/24 where the host is
  # 10.0.2.2 (the address hard-coded in both iPXE scripts) and serves `ftpdir`
  # as the TFTP root.  `hostfwd=tcp::2222-:22` publishes the guest's port 22 on
  # host port 2222; no host address is given, so this presumably binds on all
  # host interfaces — fine for a throwaway test box, worth narrowing elsewhere.
  # `-net dump` records the VLAN's traffic to a capture file in the working
  # directory; `-serial stdio` puts the guest console on the terminal.
  testipxe = pkgs.writeScript "runner" ''
    #!${pkgs.stdenv.shell}
    exec ${pkgs.qemu_kvm}/bin/qemu-kvm -name not-os -m 512 \
    -kernel ${ipxe}/ipxe.lkrn \
    -net nic,vlan=0,model=virtio \
    -net user,vlan=0,net=10.0.2.0/24,host=10.0.2.2,dns=10.0.2.3,hostfwd=tcp::2222-:22,tftp=${ftpdir} \
    -net dump,vlan=0 \
    -device virtio-rng-pci -serial stdio
  '';
in
{
  # No options are declared; the module only contributes build outputs.
  options = {};
  # Expose each artefact under system.build so other modules (and the user)
  # can refer to them as config.system.build.<name>.
  config.system.build = {
    ipxe_script = ipxe_script;
    ftpdir = ftpdir;
    ipxe = ipxe;
    testipxe = testipxe;
  };
}