nixos/systemd: Factor out tpm2 support into separate module

This commit is contained in:
Will Fancher 2024-09-19 04:10:56 -04:00
parent 75ac2a58e9
commit 5034450095
5 changed files with 79 additions and 19 deletions


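--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -1636,6 +1636,7 @@
 ./system/boot/systemd/sysupdate.nix
 ./system/boot/systemd/sysusers.nix
 ./system/boot/systemd/tmpfiles.nix
+./system/boot/systemd/tpm2.nix
 ./system/boot/systemd/user.nix
 ./system/boot/systemd/userdbd.nix
 ./system/boot/systemd/homed.nix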


@ -1088,6 +1088,8 @@ in
storePaths = [ storePaths = [
"${config.boot.initrd.systemd.package}/bin/systemd-cryptsetup" "${config.boot.initrd.systemd.package}/bin/systemd-cryptsetup"
"${config.boot.initrd.systemd.package}/lib/systemd/system-generators/systemd-cryptsetup-generator" "${config.boot.initrd.systemd.package}/lib/systemd/system-generators/systemd-cryptsetup-generator"
] ++ lib.optionals config.boot.initrd.systemd.tpm2.enable [
"${config.boot.initrd.systemd.package}/lib/cryptsetup/libcryptsetup-token-systemd-tpm2.so"
]; ];
}; };
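Review bot: The added `lib.optionals config.boot.initrd.systemd.tpm2.enable [ ... libcryptsetup-token-systemd-tpm2.so ]` is guarded only by the new option, whereas the code it replaces (the removed block in the initrd systemd module further down this page) also required the package to actually provide TPM2 support; `tpm2.enable` merely defaults to `withTpm2Tss`, so a user who sets it to true with a systemd built without TPM2 gets a missing-store-path build failure instead of a clear message. The same gap applies to the `tpm2.target` and `pkgs.tpm2-tss` entries in the new tpm2.nix module at the end of this page. The cleanest fix is an assertion in that module for each stage, e.g. `{ assertion = cfg.tpm2.enable -> cfg.package.withTpm2Tss; message = "systemd TPM2 support requires a systemd package built with withTpm2Tss"; }`, rather than widening this condition. The enclosing `boot.initrd.systemd` attrset starts before this hunk.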


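--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -37,8 +37,6 @@ let
 "cryptsetup.target"
 "cryptsetup-pre.target"
 "remote-cryptsetup.target"
-] ++ optionals cfg.package.withTpm2Tss [
-"tpm2.target"
 ] ++ [
 "sigpwr.target"
 "timers.target"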


@ -68,7 +68,6 @@ let
"systemd-reboot.service" "systemd-reboot.service"
"systemd-sysctl.service" "systemd-sysctl.service"
"timers.target" "timers.target"
"tpm2.target"
"umount.target" "umount.target"
"systemd-bsod.service" "systemd-bsod.service"
] ++ cfg.additionalUpstreamUnits; ] ++ cfg.additionalUpstreamUnits;
@ -349,15 +348,6 @@ in {
visible = "shallow"; visible = "shallow";
description = "Definition of slice configurations."; description = "Definition of slice configurations.";
}; };
enableTpm2 = mkOption {
default = cfg.package.withTpm2Tss;
defaultText = "boot.initrd.systemd.package.withTpm2Tss";
type = types.bool;
description = ''
Whether to enable TPM2 support in the initrd.
'';
};
}; };
config = mkIf (config.boot.initrd.enable && cfg.enable) { config = mkIf (config.boot.initrd.enable && cfg.enable) {
@ -394,9 +384,7 @@ in {
# systemd needs this for some features # systemd needs this for some features
"autofs" "autofs"
# systemd-cryptenroll # systemd-cryptenroll
] ++ lib.optional cfg.enableTpm2 "tpm-tis" ] ++ lib.optional cfg.package.withEfi "efivarfs";
++ lib.optional (cfg.enableTpm2 && !(pkgs.stdenv.hostPlatform.isRiscV64 || pkgs.stdenv.hostPlatform.isArmv7)) "tpm-crb"
++ lib.optional cfg.package.withEfi "efivarfs";
boot.kernelParams = [ boot.kernelParams = [
"root=${config.boot.initrd.systemd.root}" "root=${config.boot.initrd.systemd.root}"
@ -495,10 +483,6 @@ in {
# so NSS can look up usernames # so NSS can look up usernames
"${pkgs.glibc}/lib/libnss_files.so.2" "${pkgs.glibc}/lib/libnss_files.so.2"
] ++ optionals (cfg.package.withCryptsetup && cfg.enableTpm2) [
# tpm2 support
"${cfg.package}/lib/cryptsetup/libcryptsetup-token-systemd-tpm2.so"
pkgs.tpm2-tss
] ++ optionals cfg.package.withCryptsetup [ ] ++ optionals cfg.package.withCryptsetup [
# fido2 support # fido2 support
"${cfg.package}/lib/cryptsetup/libcryptsetup-token-systemd-fido2.so" "${cfg.package}/lib/cryptsetup/libcryptsetup-token-systemd-fido2.so"


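--- /dev/null
+++ b/nixos/modules/system/boot/systemd/tpm2.nix
@@ -0,0 +1,75 @@
+{
+lib,
+config,
+pkgs,
+...
+}:
+{
+meta.maintainers = [ lib.maintainers.elvishjerricco ];
+imports = [
+(lib.mkRenamedOptionModule
+[
+"boot"
+"initrd"
+"systemd"
+"enableTpm2"
+]
+[
+"boot"
+"initrd"
+"systemd"
+"tpm2"
+"enable"
+]
+)
+];
+options = {
+systemd.tpm2.enable = lib.mkEnableOption "systemd TPM2 support" // {
+default = config.systemd.package.withTpm2Tss;
+defaultText = "systemd.package.withTpm2Tss";
+};
+boot.initrd.systemd.tpm2.enable = lib.mkEnableOption "systemd initrd TPM2 support" // {
+default = config.boot.initrd.systemd.package.withTpm2Tss;
+defaultText = "boot.initrd.systemd.package.withTpm2Tss";
+};
+};
+# TODO: pcrphase, pcrextend, pcrfs, pcrmachine
+config = lib.mkMerge [
+# Stage 2
+(
+let
+cfg = config.systemd;
+in
+lib.mkIf cfg.tpm2.enable {
+systemd.additionalUpstreamSystemUnits = [
+"tpm2.target"
+];
+}
+)
+# Stage 1
+(
+let
+cfg = config.boot.initrd.systemd;
+in
+lib.mkIf cfg.tpm2.enable {
+boot.initrd.systemd.additionalUpstreamUnits = [
+"tpm2.target"
+];
+boot.initrd.availableKernelModules =
+[ "tpm-tis" ]
+++ lib.optional (
+!(pkgs.stdenv.hostPlatform.isRiscV64 || pkgs.stdenv.hostPlatform.isArmv7)
+) "tpm-crb";
+boot.initrd.systemd.storePaths = [
+pkgs.tpm2-tss
+];
+}
+)
+];
+}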
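Review bot: The platform exclusion on the `tpm-crb` line in the Stage 1 block is carried over from the old initrd module without any explanation, and a reader of the new module has no way to tell whether riscv64/armv7 lack the driver or whether it was merely untested there; a comment such as `# tpm-crb is skipped on riscv64 and armv7 — presumably the kernel does not provide it there, confirm` would stop the condition from being silently dropped or extended later. The two `mkEnableOption` descriptions also only say "Whether to enable ... TPM2 support", which does not tell users that stage 2 only pulls in `tpm2.target` while stage 1 additionally ships the `tpm-tis`/`tpm-crb` modules and `pkgs.tpm2-tss` in the initrd, nor that both default to whether the corresponding systemd package was built with TPM2 support; a short `description` spelling this out would make the split between the two options clear.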