jetson-orin: enroll UEFI secure boot keys from certs

Author: vadika

modules/reference/hardware/jetpack/nvidia-jetson-orin/default.nix

@@ -6,6 +6,7 @@
   imports = [
     ./partition-template.nix
     ./jetson-orin.nix
+    ./secureboot.nix
 
     ./pci-passthrough-common.nix
 

modules/reference/hardware/jetpack/nvidia-jetson-orin/jetson-orin.nix

@@ -49,6 +49,8 @@ in
   };
 
   config = mkIf cfg.enable {
+    ghaf.hardware.nvidia.orin.secureboot.enable = lib.mkDefault true;
+
     hardware.nvidia-jetpack.kernel.version = "${cfg.kernelVersion}";
     nixpkgs.hostPlatform.system = "aarch64-linux";
 

modules/reference/hardware/jetpack/nvidia-jetson-orin/secureboot.nix

@@ -0,0 +1,41 @@
+# SPDX-FileCopyrightText: 2022-2026 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.ghaf.hardware.nvidia.orin.secureboot;
+
+  eslFromCert = name: cert: pkgs.runCommand name { nativeBuildInputs = [ pkgs.buildPackages.efitools ]; } ''
+    ${pkgs.buildPackages.efitools}/bin/cert-to-efi-sig-list ${cert} $out
+  '';
+
+  keysDir = cfg.keysSource;
+
+  pkEsl = eslFromCert "PK.esl" "${keysDir}/PK.crt";
+  kekEsl = eslFromCert "KEK.esl" "${keysDir}/KEK.crt";
+  dbEsl = eslFromCert "db.esl" "${keysDir}/db.crt";
+in
+{
+  options.ghaf.hardware.nvidia.orin.secureboot = {
+    enable = lib.mkEnableOption "UEFI Secure Boot key enrollment for Jetson Orin";
+
+    keysSource = lib.mkOption {
+      type = lib.types.path;
+      default = ../../../../secureboot/keys;
+      description = "Directory containing PK.crt, KEK.crt and db.crt used to generate ESLs.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    hardware.nvidia-jetpack.firmware.uefi.secureBoot = {
+      enrollDefaultKeys = true;
+      defaultPkEslFile = pkEsl;
+      defaultKekEslFile = kekEsl;
+      defaultDbEslFile = dbEsl;
+    };
+  };
+}