From 11dfbee0a4a2309515608a890e91d4d1a2a43626 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Wed, 30 Nov 2022 18:12:13 +0100 Subject: nixos/activation/bootspec: add bootspec chapter in NixOS manual --- nixos/doc/manual/development/bootspec.chapter.md | 36 ++++++++++++++++++++++++ nixos/doc/manual/development/development.xml | 1 + 2 files changed, 37 insertions(+) create mode 100644 nixos/doc/manual/development/bootspec.chapter.md (limited to 'nixos/doc/manual/development') diff --git a/nixos/doc/manual/development/bootspec.chapter.md b/nixos/doc/manual/development/bootspec.chapter.md new file mode 100644 index 00000000000..96c12f24e7f --- /dev/null +++ b/nixos/doc/manual/development/bootspec.chapter.md 
@@ -0,0 +1,36 @@ +# Experimental feature: Bootspec {#sec-experimental-bootspec} + +Bootspec is a experimental feature, introduced in the [RFC-0125 proposal](https://github.com/NixOS/rfcs/pull/125), the reference implementation can be found [there](https://github.com/NixOS/nixpkgs/pull/172237) in order to standardize bootloader support +and advanced boot workflows such as SecureBoot and potentially more. + +You can enable the creation of bootspec documents through [`boot.bootspec.enable = true`](options.html#opt-boot.bootspec.enable), which will prompt a warning until [RFC-0125](https://github.com/NixOS/rfcs/pull/125) is officially merged. + +## Schema {#sec-experimental-bootspec-schema} + +The bootspec schema is versioned and validated against [a CUE schema file](https://cuelang.org/) which should considered as the source of truth for your applications. + +You will find the current version [here](../../../modules/system/activation/bootspec.cue). + +## Extensions mechanism {#sec-experimental-bootspec-extensions} + +Bootspec cannot account for all usecases. + +For this purpose, Bootspec offers a generic extension facility [`boot.bootspec.extensions`](options.html#opt-boot.bootspec.extensions) which can be used to inject any data needed for your usecases. + +An example for SecureBoot is to get the Nix store path to `/etc/os-release` in order to bake it into a unified kernel image: + +```nix +{ config, lib, ... }: { + boot.bootspec.extensions = { + "org.secureboot.osRelease" = config.environment.etc."os-release".source; + }; +} +``` + +To reduce incompatibility and prevent names from clashing between applications, it is **highly recommended** to use a unique namespace for your extensions. + +## External bootloaders {#sec-experimental-bootspec-external-bootloaders} + +It is possible to enable your own bootloader through [`boot.loader.external.installHook`](options.html#opt-boot.loader.external.installHook) which can wrap an existing bootloader. 
+ +Currently, there is no good story to compose existing bootloaders to enrich their features, e.g. SecureBoot, etc. It will be necessary to reimplement or reuse existing parts. diff --git a/nixos/doc/manual/development/development.xml b/nixos/doc/manual/development/development.xml index 624ee393165..949468c9021 100644 --- a/nixos/doc/manual/development/development.xml +++ b/nixos/doc/manual/development/development.xml @@ -12,6 +12,7 @@ + -- cgit 1.4.1
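Review bot: the introductory paragraph of bootspec.chapter.md is a run-on whose purpose clause attaches to the wrong subject: "Bootspec is a experimental feature, introduced in the [RFC-0125 proposal](...), the reference implementation can be found [there](...) in order to standardize bootloader support and advanced boot workflows" reads as if the reference implementation exists in order to standardize bootloader support. Suggest splitting it, e.g. "Bootspec is an experimental feature, introduced in the RFC-0125 proposal, that standardizes bootloader support and advanced boot workflows such as SecureBoot. The reference implementation can be found in the linked nixpkgs pull request." ("a experimental" also needs "an"). Further wording fixes in the same hunk: "which should considered as the source of truth" is missing "be"; "usecases" should be "use cases" (twice); "e.g. SecureBoot, etc." should drop either "e.g." or "etc.". The schema link `../../../modules/system/activation/bootspec.cue` is a relative source-tree path; in the rendered HTML manual it will not resolve to anything, so consider linking to the file's location in the nixpkgs repository or giving the in-tree path as plain text. Since `boot.bootspec.extensions` injects arbitrary data into a document that external bootloaders and SecureBoot tooling will consume, the "highly recommended" unique-namespace advice would be stronger as a concrete convention (reverse-DNS keys like the `org.secureboot.osRelease` example already shown) so that one tool's key cannot silently collide with another's.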