# NixOS module for the tinyboot bootloader. Declares `config.tinyboot` as a
# submodule (options from ./options.nix plus `enable`/`maxFailedBootAttempts`)
# and, when enabled, sets kernel config, the external boot loader install hook
# and the boot-blessing systemd service.
{
  config,
  pkgs,
  lib,
  ...
}:
let
  cfg = config.tinyboot;
in
{
  options.tinyboot =
    with lib;
    mkOption {
      type = types.submoduleWith {
        # Hand the outer package set to ./options.nix via specialArgs.
        specialArgs.pkgs = pkgs;
        modules = [
          ./options.nix
          (
            { lib, ... }:
            {
              options = with lib; {
                enable = mkEnableOption "tinyboot bootloader";
                # Forwarded to tboot-nixos-install as `--max-tries` (see below).
                maxFailedBootAttempts = mkOption {
                  type = types.int;
                  default = 3;
                };
              };
            }
          )
        ];
      };
      default = { };
    };
  config = lib.mkIf cfg.enable (
    lib.mkMerge [
      {
        # Kernel configuration applied on every system with tinyboot enabled.
        # The whenHelpers bindings (whenAtLeast/whenOlder/...) brought in by
        # the second `with` are not referenced in this list.
        boot.kernelPatches =
          with lib.kernel;
          with (whenHelpers config.boot.kernelPackages.kernel.version);
          [
            pkgs.kernelPatches.ima_tpm_early_init
            {
              name = "enable-ima";
              patch = null;
              extraStructuredConfig =
                {
                  # IMA with SHA-256 as the default measurement hash; the TPM
                  # TIS SPI driver is built in (not a module) so the TPM is
                  # reachable without loading modules first.
                  IMA = yes;
                  TCG_TIS_SPI = yes;
                  IMA_DEFAULT_HASH_SHA256 = yes;
                }
                // lib.optionalAttrs pkgs.stdenv.hostPlatform.isx86_64 {
                  # helpful for early TPM initialization on x86_64 chromebooks
                  SPI_INTEL_PCI = yes;
                  MFD_INTEL_LPSS_ACPI = yes;
                  MFD_INTEL_LPSS_PCI = yes;
                };
            }
            {
              name = "allow-flashrom";
              patch = null;
              # NOTE(review): IO_STRICT_DEVMEM=n relaxes /dev/mem so root can
              # reach MMIO ranges already claimed by a kernel driver. This is
              # applied to every tinyboot system, although flashrom itself is
              # only enabled under `cfg.coreboot.enable` below; consider
              # scoping this patch to that block as well.
              extraStructuredConfig.IO_STRICT_DEVMEM = lib.kernel.no;
            }
          ];
        # tinyboot owns the boot entries: no initrd secrets and no EFI
        # variable writes from the NixOS loader machinery.
        boot.loader.supportsInitrdSecrets = lib.mkForce false;
        boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
        boot.bootspec.enable = true;
        # Only register the install hook when a switch script is being built.
        boot.loader.external = lib.mkIf (with config.system.switch; enable || enableNg) {
          enable = true;
          # `toString` on a list joins with spaces and performs no shell
          # escaping, so the interpolated paths must be free of whitespace
          # and shell metacharacters.
          installHook = toString [
            (lib.getExe' pkgs.tinybootTools "tboot-nixos-install")
            "--esp-mnt=${config.boot.loader.efi.efiSysMountPoint}"
            # NOTE(review): if tbootPrivateKey is a Nix path value rather than
            # a string, this interpolation copies the private key into the
            # world-readable Nix store. Confirm its type in ./options.nix.
            "--private-key=${cfg.verifiedBoot.tbootPrivateKey}"
            "--public-key=${cfg.verifiedBoot.tbootPublicCertificate}"
            "--timeout=${toString config.boot.loader.timeout}"
            "--max-tries=${toString cfg.maxFailedBootAttempts}"
          ];
        };
        systemd.generators.tboot-bless-boot-generator = lib.getExe' pkgs.tinybootTools "tboot-bless-boot-generator";
        # Runs `tboot-bless-boot ... good` once boot-complete.target has been
        # reached; presumably this is what resets the `--max-tries` boot
        # counter configured above — confirm against tinyboot's docs.
        systemd.services.tboot-bless-boot = {
          description = "Mark the current boot loader entry as good";
          documentation = [ "https://github.com/jmbaur/tinyboot" ];
          requires = [ "boot-complete.target" ];
          conflicts = [ "shutdown.target" ];
          before = [ "shutdown.target" ];
          after = [
            "local-fs.target"
            "boot-complete.target"
          ];
          # Default dependencies are dropped; ordering against local-fs,
          # boot-complete and shutdown is declared explicitly above.
          unitConfig.DefaultDependencies = false;
          restartIfChanged = false; # Only run at boot
          serviceConfig = {
            Type = "oneshot";
            RemainAfterExit = true;
            # efiSysMountPoint is interpolated unquoted into the command line.
            ExecStart = "${lib.getExe' pkgs.tinybootTools "tboot-bless-boot"} --esp-mnt=${config.boot.loader.efi.efiSysMountPoint} good";
          };
        };
      }
      # coreboot-only additions: firmware tooling, flashrom, the firmware
      # build output, a kernel from cfg.linux.package and GOOGLE_FIRMWARE=y.
      (lib.mkIf cfg.coreboot.enable {
        environment.systemPackages = with pkgs; [
          cbmem
          cbfstool
        ];
        programs.flashrom = {
          enable = true;
          package = lib.mkDefault cfg.flashrom.package;
        };
        system.build = {
          inherit (cfg.tinyboot.build) firmware;
        };
        boot.kernelPackages = lib.mkDefault (pkgs.linuxPackagesFor cfg.linux.package);
        boot.kernelPatches = [
          {
            name = "enable-coreboot";
            patch = null;
            extraStructuredConfig.GOOGLE_FIRMWARE = lib.kernel.yes;
          }
        ];
      })
    ]
  );
}