nixos/qemu-vm: add virtualisation.tpm
for running an emulated TPM (swtpm) in the QEMU VM infrastructure
parent
14cc255189
commit
25872524f0
1 changed files with 43 additions and 1 deletions
|
@ -198,6 +198,16 @@ let
|
||||||
fi
|
fi
|
||||||
''}
|
''}
|
||||||
|
|
||||||
|
${lib.optionalString cfg.tpm.enable ''
|
||||||
|
NIX_SWTPM_DIR=$(readlink -f "''${NIX_SWTPM_DIR:-${config.system.name}-swtpm}")
|
||||||
|
mkdir -p "$NIX_SWTPM_DIR"
|
||||||
|
${lib.getExe cfg.tpm.package} \
|
||||||
|
socket \
|
||||||
|
--tpmstate dir="$NIX_SWTPM_DIR" \
|
||||||
|
--ctrl type=unixio,path="$NIX_SWTPM_DIR"/socket \
|
||||||
|
"--tpm2" 1>"$NIX_SWTPM_DIR"/stdout 2>"$NIX_SWTPM_DIR"/stderr &
|
||||||
|
''}
|
||||||
|
|
||||||
cd "$TMPDIR"
|
cd "$TMPDIR"
|
||||||
|
|
||||||
${lib.optionalString (cfg.emptyDiskImages != []) "idx=0"}
|
${lib.optionalString (cfg.emptyDiskImages != []) "idx=0"}
|
||||||
|
@ -862,6 +872,32 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
virtualisation.tpm = {
|
||||||
|
enable = mkEnableOption "a TPM device in the virtual machine with a driver, using swtpm.";
|
||||||
|
|
||||||
|
package = mkPackageOptionMD cfg.host.pkgs "swtpm" { };
|
||||||
|
|
||||||
|
deviceModel = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = ({
|
||||||
|
"i686-linux" = "tpm-tis";
|
||||||
|
"x86_64-linux" = "tpm-tis";
|
||||||
|
"ppc64-linux" = "tpm-spapr";
|
||||||
|
"armv7-linux" = "tpm-tis-device";
|
||||||
|
"aarch64-linux" = "tpm-tis-device";
|
||||||
|
}.${pkgs.hostPlatform.system} or (throw "Unsupported system for TPM2 emulation in QEMU"));
|
||||||
|
defaultText = ''
|
||||||
|
Based on the guest platform Linux system:
|
||||||
|
|
||||||
|
- `tpm-tis` for (i686, x86_64)
|
||||||
|
- `tpm-spapr` for ppc64
|
||||||
|
- `tpm-tis-device` for (armv7, aarch64)
|
||||||
|
'';
|
||||||
|
example = "tpm-tis-device";
|
||||||
|
description = lib.mdDoc "QEMU device model for the TPM, uses the appropriate default based on th guest platform system and the package passed.";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
virtualisation.useDefaultFilesystems =
|
virtualisation.useDefaultFilesystems =
|
||||||
mkOption {
|
mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
|
@ -1027,7 +1063,8 @@ in
|
||||||
|
|
||||||
boot.initrd.availableKernelModules =
|
boot.initrd.availableKernelModules =
|
||||||
optional cfg.writableStore "overlay"
|
optional cfg.writableStore "overlay"
|
||||||
++ optional (cfg.qemu.diskInterface == "scsi") "sym53c8xx";
|
++ optional (cfg.qemu.diskInterface == "scsi") "sym53c8xx"
|
||||||
|
++ optional (cfg.tpm.enable) "tpm_tis";
|
||||||
|
|
||||||
virtualisation.additionalPaths = [ config.system.build.toplevel ];
|
virtualisation.additionalPaths = [ config.system.build.toplevel ];
|
||||||
|
|
||||||
|
@ -1098,6 +1135,11 @@ in
|
||||||
(mkIf (!cfg.graphics) [
|
(mkIf (!cfg.graphics) [
|
||||||
"-nographic"
|
"-nographic"
|
||||||
])
|
])
|
||||||
|
(mkIf (cfg.tpm.enable) [
|
||||||
|
"-chardev socket,id=chrtpm,path=\"$NIX_SWTPM_DIR\"/socket"
|
||||||
|
"-tpmdev emulator,id=tpm_dev_0,chardev=chrtpm"
|
||||||
|
"-device ${cfg.tpm.deviceModel},tpmdev=tpm_dev_0"
|
||||||
|
])
|
||||||
];
|
];
|
||||||
|
|
||||||
virtualisation.qemu.drives = mkMerge [
|
virtualisation.qemu.drives = mkMerge [
|
||||||
|
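Review bot: In the first hunk swtpm is put in the background and the script goes straight on to launch QEMU, which connects to `"$NIX_SWTPM_DIR"/socket` at startup via the `-chardev socket` argument in the last hunk; nothing waits for swtpm to create that socket, so on a slow or loaded host QEMU can fail to start with a connection error. Add a short wait after the backgrounded command, `until [ -S "$NIX_SWTPM_DIR"/socket ]; do sleep 0.1; done`, and consider swtpm's `terminate` option on the control channel, `--ctrl type=unixio,path="$NIX_SWTPM_DIR"/socket,terminate \`, so the emulator exits once QEMU closes the control socket instead of lingering with the state directory open. If QEMU never starts, nothing kills the backgrounded swtpm at all, so a `trap` that kills it on exit would cover that case too. A smaller point in the third hunk: `tpm_tis` is added to the initrd regardless of `deviceModel`, while the ppc64 default `tpm-spapr` is, as far as I know, driven by `tpm_ibmvtpm` rather than `tpm_tis`, so the module list should follow the device model or the option description should say that ppc64 needs the driver added by hand. The shell snippet sits inside a Nix indented string whose start is outside the hunk.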
|