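{ config, lib, ... }:
with lib;
let
  cfg = config.hardware.cpu.amd.sev;
  # Name of the group this module creates when the user does not point
  # `group` at one they manage themselves.
  defaultGroup = "sev";
in
{
  options.hardware.cpu.amd.sev = {
    enable = mkEnableOption (lib.mdDoc "access to the AMD SEV device");
    user = mkOption {
      description = lib.mdDoc "Owner to assign to the SEV device.";
      type = types.str;
      default = "root";
    };
    group = mkOption {
      description = lib.mdDoc "Group to assign to the SEV device.";
      type = types.str;
      default = defaultGroup;
    };
    mode = mkOption {
      description = lib.mdDoc "Mode to set for the SEV device.";
      # The value is spliced verbatim into a udev rule below, so only accept an
      # octal permission string instead of arbitrary text that could produce a
      # malformed rule. The 0660 default limits the device to owner and group.
      type = types.strMatching "[0-7]{3,4}";
      default = "0660";
    };
  };

  config = mkIf cfg.enable {
    # Fail evaluation early when the requested owner or group will not exist
    # on the built system. The default group is exempt because it is created
    # by this module (see users.groups below).
    assertions = [
      {
        assertion = hasAttr cfg.user config.users.users;
        message = "Given user does not exist";
      }
      {
        assertion = (cfg.group == defaultGroup) || (hasAttr cfg.group config.users.groups);
        message = "Given group does not exist";
      }
    ];

    # Enable SEV support in the kvm_amd module at load time.
    boot.extraModprobeConfig = ''
      options kvm_amd sev=1
    '';

    # Only create the group when the module's own default is in use.
    users.groups = optionalAttrs (cfg.group == defaultGroup) {
      "${cfg.group}" = { };
    };

    # Apply ownership and permissions to /dev/sev when the device appears.
    services.udev.extraRules = with cfg; ''
      KERNEL=="sev", OWNER="${user}", GROUP="${group}", MODE="${mode}"
    '';
  };
}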