[DO NOT MERGE] fix: do not emit a temporary initrd location if it's n…

…ot needed We should wait on the upstream PR to be merged so we can get rid of the flake reference.
nix-community · Jan 4, 2024 · 5dad068 · 5dad068
1 parent 2c46efc
commit 5dad068
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 17 deletions.
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -2,7 +2,7 @@
   description = "Secure Boot for NixOS";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
+    nixpkgs.url = "github:RaitoBezarius/nixpkgs/initrd-secrets";
 
     flake-parts.url = "github:hercules-ci/flake-parts";
     flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";

diff --git a/rust/tool/systemd/src/install.rs b/rust/tool/systemd/src/install.rs
@@ -210,17 +210,27 @@ impl<S: LanzabooteSigner> Installer<S> {
             .context("Failed to install the kernel.")?;
 
         // Assemble and install the initrd, and record its path on the ESP.
-        let initrd_location = tempdir
-            .write_secure_file(
-                fs::read(
-                    bootspec
-                        .initrd
-                        .as_ref()
-                        .context("Lanzaboote does not support missing initrd yet.")?,
+        // It is not needed to write the initrd in a temporary directory
+        // if we do not have any initrd secret.
+        let initrd_location = if bootspec.initrd_secrets.is_some() {
+            tempdir
+                .write_secure_file(
+                    fs::read(
+                        bootspec
+                            .initrd
+                            .as_ref()
+                            .context("Lanzaboote does not support missing initrd yet.")?,
+                    )
+                    .context("Failed to read the initrd.")?,
                 )
-                .context("Failed to read the initrd.")?,
-            )
-            .context("Failed to copy the initrd to the temporary directory.")?;
+                .context("Failed to copy the initrd to the temporary directory.")?
+        } else {
+            bootspec
+                .initrd
+                .clone()
+                .expect("Lanzaboote does not support missing initrd yet.")
+        };
+
         if let Some(initrd_secrets_script) = &bootspec.initrd_secrets {
             append_initrd_secrets(initrd_secrets_script, &initrd_location, generation.version)?;
         }