

feat: enable TPM2
Lehmanator committed Jul 24, 2024
1 parent f4a837b commit d2134b2
Showing 4 changed files with 32 additions and 9 deletions.
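--- a/nixos/hosts/fw/configuration.nix
+++ b/nixos/hosts/fw/configuration.nix
@@ -29,7 +29,10 @@
 ];
 boot.loader.efi.efiSysMountPoint = "/boot/efi";
 console.useXkbConfig = true;
-hardware.enableAllFirmware = true;
+hardware = {
+enableAllFirmware = true;
+framework.enableKmod = true;
+};
 networking.hostName = "fw";
 
 # --- Users ---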
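Review bot: `framework.enableKmod = true;` inside the new `hardware = { … };` block duplicates the `framework.enableKmod = lib.mkDefault true;` this same commit adds to hardware-configuration.nix, and the unconditional `true` here silently wins over that default, so the two definitions can drift without anyone noticing. Keep the option in exactly one place: either drop this line and rely on the mkDefault, or keep it here and remove the copy from the generated file. Whichever stays deserves a one-line why-comment, e.g. `# Framework laptop kernel module; also needed by fw-ectool below`, hedged to whatever the module actually provides, since nothing in this hunk says what it does. The enclosing module attrset begins before and ends after this hunk.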
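--- a/nixos/hosts/fw/hardware-configuration.nix
+++ b/nixos/hosts/fw/hardware-configuration.nix
@@ -37,6 +37,7 @@
 hardware = {
 enableRedistributableFirmware = lib.mkDefault true;
 cpu.intel.updateMicrocode = lib.mkDefault true;
+framework.enableKmod = lib.mkDefault true;
 
 # Sensors
 sensor.iio.enable = true;
@@ -53,4 +54,6 @@
 
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+
+environment.systemPackages = [pkgs.fw-ectool];
 }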
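Review bot: The `environment.systemPackages = [pkgs.fw-ectool];` addition in the second hunk (and the `framework.enableKmod` line in the first) lands in hardware-configuration.nix, which, if it is the nixos-generate-config output its `lib.mkDefault` style suggests, is rewritten on the next regeneration and would lose both lines without a build error. Since configuration.nix in this same commit already sets `framework.enableKmod`, the package belongs next to it there as well. If it must stay here, a comment marking the hand-added lines, e.g. `# hand-added: Framework EC tool (not produced by nixos-generate-config)`, at least warns the next person who regenerates the file.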
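--- a/nixos/profiles/hardware/fwupd.nix
+++ b/nixos/profiles/hardware/fwupd.nix
@@ -8,5 +8,8 @@
 services.fwupd = {
 enable = true;
 extraRemotes = [ "lvfs-testing" ];
+
+# Might be necessary once to make the update succeed
+# uefiCapsuleSettings.DisableCapsuleUpdateOnDisk = true;
 };
 }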
30 changes: 22 additions & 8 deletions nixos/profiles/hardware/tpm2.nix
Original file line number Diff line number Diff line change
@@ -1,20 +1,25 @@
{ config, lib, pkgs, user, ... }: {
#
# https://nixos.wiki/wiki/TPM
#
security.tpm2 = {
enable = true;
#applyUdevRules = true;
#abrmd.enable = true;
#abrmd.package = pkgs.tpm2-abrmd;
pkcs11.enable = lib.mkDefault false; # Temporarily disable to fix build
# pkcs11.enable = lib.mkDefault false; # Temporarily disable to fix build
pkcs11.enable = true;
#pkcs11.package = pkgs.tpm2-pkcs11;
#tctiEnvironment = {
# enable = true;
# interface = "device"; # device | tabrmd
# deviceConf = "/dev/tpmrm0";
# tabrmdConf = "bus_name=com.intel.tss2.Tabrmd";
#};
tctiEnvironment = {
enable = true;
# interface = "device"; # device | tabrmd
# deviceConf = "/dev/tpmrm0";
# tabrmdConf = "bus_name=com.intel.tss2.Tabrmd";
};
#tssGroup = "tss";
#tssUser = if config.security.tpm2.abrmd.enable then "tss" else "root";
};

#services.tcsd = {
# enable = true;
# firmwarePCRs = "0,1,2,3,4,5,6,7";
Expand All @@ -23,8 +28,17 @@
# endorsementCred = "${config.services.tcsd.stateDir}/endorsement.cert";
# platformCred = "${config.services.tcsd.stateDir}/platform.cert";
#};
users.extraGroups.${config.security.tpm2.tssGroup}.members = [ user ];

# users.extraGroups.${config.security.tpm2.tssGroup}.members = [ user ];
users.users.${user}.extraGroups = ["tss"];

boot.initrd.systemd.enableTpm2 = lib.mkDefault config.security.tpm2.enable;
# virtualisation.tpm.enable = lib.mkDefault config.security.tpm2.enable;

environment.systemPackages = [
pkgs.tpm2-tss
# (pkgs.writeShellScript "tpm-setup" ''
# systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/nvme0n1p2
# '')
];
}
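Review bot: `users.users.${user}.extraGroups = ["tss"];` in the second hunk hardcodes the group name that the line it replaces took from `config.security.tpm2.tssGroup`; the commented `#tssGroup = "tss";` above shows that option is a tunable, and if it is ever changed the user silently loses access to `/dev/tpmrm0` with no evaluation error. Use `users.users.${user}.extraGroups = [ config.security.tpm2.tssGroup ];` so the membership follows the option. The commented `systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/nvme0n1p2` helper, if it is ever enabled as written, seals the LUKS key to firmware and Secure Boot state only, which unseals without any user-held secret on a booted machine; add `--tpm2-with-pin=yes` (or bind to a measured boot component rather than PCR 0+7 alone) and a comment stating that trade-off before relying on it. The module attrset opens at the top of the first hunk and closes at the final `}` of the second, so the whole file is visible here.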
