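# NixOS module exposing the AMD SEV device nodes through udev with a
# configurable owner, group and mode:
#
#   hardware.cpu.amd.sev       -> /dev/sev        (host side; also enables
#                                                   SEV in the kvm_amd module)
#   hardware.cpu.amd.sevGuest  -> /dev/sev-guest  (guest side)
#
# Both option sets are generated by `optionsFor` so they stay identical.
{
  config,
  options,
  lib,
  ...
}:
let
  cfgSev = config.hardware.cpu.amd.sev;
  cfgSevGuest = config.hardware.cpu.amd.sevGuest;

  # Option set shared by both devices.
  #   device: human-readable device name used in the option descriptions
  #   group:  default group the device node is assigned to
  optionsFor = device: group: {
    enable = lib.mkEnableOption "access to the AMD ${device} device";
    user = lib.mkOption {
      description = "Owner to assign to the ${device} device.";
      type = lib.types.str;
      default = "root";
    };
    group = lib.mkOption {
      description = "Group to assign to the ${device} device.";
      type = lib.types.str;
      default = group;
    };
    mode = lib.mkOption {
      description = "Mode to set for the ${device} device.";
      # The value is interpolated verbatim into a udev rule below, so only
      # accept an octal permission string (3 or 4 digits) and fail at
      # evaluation time instead of emitting a rule udev cannot apply.
      type = lib.types.strMatching "[0-7]{3,4}";
      default = "0660";
    };
  };
in
{
  options.hardware.cpu.amd.sev = optionsFor "SEV" "sev";

  options.hardware.cpu.amd.sevGuest = optionsFor "SEV guest" "sev-guest";

  config = lib.mkMerge [
    # /dev/sev
    (lib.mkIf cfgSev.enable {
      assertions = [
        {
          assertion = lib.hasAttr cfgSev.user config.users.users;
          message = "Given user does not exist";
        }
        {
          # The default group is created by this module (users.groups below),
          # so only a user-supplied group has to exist already.
          assertion =
            (cfgSev.group == options.hardware.cpu.amd.sev.group.default)
            || (lib.hasAttr cfgSev.group config.users.groups);
          message = "Given group does not exist";
        }
      ];

      # Enable SEV support in the kvm_amd kernel module.
      boot.extraModprobeConfig = ''
        options kvm_amd sev=1
      '';

      # Only the default group is created here; a custom group must be
      # declared elsewhere (enforced by the assertion above).
      users.groups = lib.optionalAttrs (cfgSev.group == options.hardware.cpu.amd.sev.group.default) {
        "${cfgSev.group}" = { };
      };

      # Ownership and permissions of /dev/sev.
      services.udev.extraRules = with cfgSev; ''
        KERNEL=="sev", OWNER="${user}", GROUP="${group}", MODE="${mode}"
      '';
    })

    # /dev/sev-guest
    (lib.mkIf cfgSevGuest.enable {
      assertions = [
        {
          assertion = lib.hasAttr cfgSevGuest.user config.users.users;
          message = "Given user does not exist";
        }
        {
          # Same rule as for /dev/sev: the default group is created by this
          # module, any other group must already exist.
          assertion =
            (cfgSevGuest.group == options.hardware.cpu.amd.sevGuest.group.default)
            || (lib.hasAttr cfgSevGuest.group config.users.groups);
          message = "Given group does not exist";
        }
      ];

      # Only the default group is created here; a custom group must be
      # declared elsewhere (enforced by the assertion above).
      users.groups =
        lib.optionalAttrs (cfgSevGuest.group == options.hardware.cpu.amd.sevGuest.group.default)
          {
            "${cfgSevGuest.group}" = { };
          };

      # Ownership and permissions of /dev/sev-guest.
      services.udev.extraRules = with cfgSevGuest; ''
        KERNEL=="sev-guest", OWNER="${user}", GROUP="${group}", MODE="${mode}"
      '';
    })
  ];
}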