jetson-orin: fix secureboot cert inputs for remote builds

vadika · vadika · commit da8dcbabae8f · 2026-03-23T16:08:20.000Z
Signed-off-by: vadik likholetov &lt;vadikas@gmail.com&gt;
diff --git a/modules/reference/hardware/jetpack/nvidia-jetson-orin/secureboot.nix b/modules/reference/hardware/jetpack/nvidia-jetson-orin/secureboot.nix
@@ -12,21 +12,24 @@ let
 
   eslFromCert =
     name: cert:
-    pkgs.runCommand name { nativeBuildInputs = [ pkgs.buildPackages.efitools ]; } ''
-      certPath=${lib.escapeShellArg (toString cert)}
+    pkgs.runCommand name
+      {
+        nativeBuildInputs = [ pkgs.buildPackages.efitools ];
+        certPath = cert;
+      }
+      ''
+        if [ ! -s "$certPath" ]; then
+          echo "Missing or empty UEFI secure boot certificate: $certPath" >&2
+          exit 1
+        fi
 
-      if [ ! -s "$certPath" ]; then
-        echo "Missing or empty UEFI secure boot certificate: $certPath" >&2
-        exit 1
-      fi
+        ${pkgs.buildPackages.efitools}/bin/cert-to-efi-sig-list "$certPath" "$out"
 
-      ${pkgs.buildPackages.efitools}/bin/cert-to-efi-sig-list "$certPath" "$out"
-
-      if [ "$(wc -c < "$out")" -le 44 ]; then
-        echo "Generated ESL ${name} from $certPath is empty" >&2
-        exit 1
-      fi
-    '';
+        if [ "$(wc -c < "$out")" -le 44 ]; then
+          echo "Generated ESL ${name} from $certPath is empty" >&2
+          exit 1
+        fi
+      '';
 
   keysDir = cfg.keysSource;
 
