| author | KJ Tsanaktsidis <kj@kjtsanaktsidis.id.au> | 2026-01-07 22:24:21 +1100 |
|---|---|---|
| committer | KJ Tsanaktsidis <kj@kjtsanaktsidis.id.au> | 2026-01-07 22:24:21 +1100 |
| commit | 8c95bb353556ceb51e5a135da08753e005c8baa7 (patch) | |
| tree | 08e640b81c72b912634e5496972ab336f1393fa7 | |
| parent | d324d5d4176f06945582eb3f8a9a31bceddf3907 (diff) | |
tpm2
| -rw-r--r-- | labsrv01/configuration.nix | 2 | ||||
| -rw-r--r-- | labsrv01/secureboot.nix | 23 |
2 files changed, 25 insertions, 0 deletions
diff --git a/labsrv01/configuration.nix b/labsrv01/configuration.nix
index 0642b65..dbb679f 100644
--- a/labsrv01/configuration.nix
+++ b/labsrv01/configuration.nix
@@ -108,6 +108,8 @@
 ];
 };
+services.fwupd.enable = true;
+
 environment.systemPackages = with pkgs; [
 sbctl
 ];
diff --git a/labsrv01/secureboot.nix b/labsrv01/secureboot.nix
index cc8ec2e..29bff21 100644
--- a/labsrv01/secureboot.nix
+++ b/labsrv01/secureboot.nix
@@ -2,8 +2,27 @@
 inputs,
 lib,
 pkgs,
+config,
 ...
 }:
+let
+sb-do-enroll-keys = pkgs.writeShellApplication {
+name = "sb-do-enroll-keys";
+text = ''
+set -ex;
+${pkgs.sbctl}/bin/sbctl enroll-keys
+'';
+};
+sb-do-enroll-tpm = pkgs.writeShellApplication {
+name = "sb-do-enroll-tpm";
+runtimeInputs = [ pkgs.tpm2-tss ];
+text = ''
+set -ex;
+LUKS_DEVICE="${config.disko.devices.disk.nvme0n1.content.partitions.luks.device}"
+${pkgs.systemd}/bin/systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0+7 "''${LUKS_DEVICE}"
+'';
+};
+in
 {
 imports = [
 inputs.lanzaboote.nixosModules.lanzaboote
@@ -11,6 +30,8 @@
 environment.systemPackages = [
 pkgs.sbctl
+sb-do-enroll-keys
+sb-do-enroll-tpm
 ];
 # Lanzaboote currently replaces the systemd-boot module.
@@ -18,6 +39,8 @@
 # generated at installation time. So we force it to false
 # for now.
 boot.loader.systemd-boot.enable = lib.mkForce false;
+boot.initrd.systemd.enable = true;
+boot.initrd.systemd.tpm2.enable = true;
 boot.lanzaboote = {
 enable = true;
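Review bot: Enabling `services.fwupd.enable = true;` here interacts with the TPM2 LUKS binding added in labsrv01/secureboot.nix, which measures PCR 0 (firmware code): every firmware update applied through fwupd changes PCR 0, so the TPM-bound slot will stop unlocking until the recovery passphrase is entered and `sb-do-enroll-tpm` is re-run. That is an expected operational consequence, not a bug, but nothing in either file records it. A one-line comment next to the new option would save the next person a surprise at the boot prompt: `# Firmware updates change PCR 0; re-run sb-do-enroll-tpm afterwards (see secureboot.nix).` The same note applies to the `--tpm2-pcrs=0+7` line in the secureboot.nix hunk.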
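Review bot: The `systemd-cryptenroll` line in `sb-do-enroll-tpm` enrolls the TPM2 slot without `--tpm2-with-pin`, so after this runs the LUKS volume unlocks automatically for whoever powers on the machine; the binding only protects against the disk being read elsewhere or booted under a different firmware/Secure Boot state (PCRs 0 and 7). That is a legitimate trade-off for a lab server, but the script should state it, e.g. `# No PIN: volume auto-unlocks on this hardware; binding to PCR 0+7 only protects against disk removal or boot-chain changes.` Likewise `sb-do-enroll-keys` runs `sbctl enroll-keys` with no `--microsoft`, which (as far as I can tell from sbctl's behaviour) leaves the Microsoft UEFI CA out of db, so any option ROMs or boot media signed only by that CA will be rejected by firmware; a comment confirming this host was checked for such ROMs would make the intent explicit. Minor: `writeShellApplication` already enables errexit/nounset/pipefail, so `set -ex;` effectively only adds `-x`, and the trailing `;` is unnecessary.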
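Review bot: `boot.initrd.systemd.tpm2.enable = true;` brings TPM2 support into the initrd, but from this diff I cannot see the crypttab options for the LUKS device, and systemd-cryptsetup only tries the enrolled TPM2 token when the entry carries `tpm2-device=auto` (in NixOS terms `boot.initrd.luks.devices.<name>.crypttabExtraOpts = [ "tpm2-device=auto" ];`, or disko's equivalent under the luks partition's `settings`). If that is set elsewhere, a comment here pointing at it would help; if not, the initrd will keep prompting for the passphrase even though `sb-do-enroll-tpm` succeeded. The `boot.lanzaboote` attribute set this hunk opens continues past the end of the diff.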
