From 11bc7eb4378a8672861a5deec97826ba3294af59 Mon Sep 17 00:00:00 2001
From: Alejandro Soto <alejandro@34project.org>
Date: Fri, 3 Apr 2026 19:31:34 -0600
Subject: sys/boot: impermanence: add support for an independent 'trust'
 persistent storage

---
 sys/boot/secure-boot.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'sys/boot/secure-boot.nix')

diff --git a/sys/boot/secure-boot.nix b/sys/boot/secure-boot.nix
index b13ab7c..150ff92 100644
--- a/sys/boot/secure-boot.nix
+++ b/sys/boot/secure-boot.nix
@@ -46,6 +46,13 @@ in {
       pkgs.sbctl
     ];
 
-    local.boot.impermanence.directories = [pkiBundle];
+    local.boot.impermanence.trust.directories = [
+      {
+        directory = pkiBundle;
+        user = "root";
+        group = "root";
+        mode = "u=rwx,g=,o=";
+      }
+    ];
   };
 }
-- 
cgit v1.2.3