pyrox.dev / nixpkgs
lol
fork atom

nixos/qemu-vm: add `virtualisation.tpm` for running TPM in QEMU infrastructure

Raito Bezarius 25872524 14cc2551

options
unified split
Changed files
+43 -1
nixos
modules
virtualisation
qemu-vm.nix
+43 -1
nixos/modules/virtualisation/qemu-vm.nix 
···

       
198

       
 

       
        fi


     

       
199

       
 

       
      ''}


     

       
200

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
201

       
 

       
      cd "$TMPDIR"


     

       
202

       
 

       



     

       
203

       
 

       
      ${lib.optionalString (cfg.emptyDiskImages != []) "idx=0"}


     
···

       
862

       
 

       
      };


     

       
863

       
 

       
    };


     

       
864

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
865

       
 

       
    virtualisation.useDefaultFilesystems =


     

       
866

       
 

       
      mkOption {


     

       
867

       
 

       
        type = types.bool;


     
···

       
1027

       
 

       



     

       
1028

       
 

       
    boot.initrd.availableKernelModules =


     

       
1029

       
 

       
      optional cfg.writableStore "overlay"


     

       
1030

       
-

       
      ++ optional (cfg.qemu.diskInterface == "scsi") "sym53c8xx";


     

       

       

       
     

       
1031

       
 

       



     

       
1032

       
 

       
    virtualisation.additionalPaths = [ config.system.build.toplevel ];


     

       
1033

       
 

       



     
···

       
1097

       
 

       
      ])


     

       
1098

       
 

       
      (mkIf (!cfg.graphics) [


     

       
1099

       
 

       
        "-nographic"


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
1100

       
 

       
      ])


     

       
1101

       
 

       
    ];


     

       
1102

       
 

       



     
···

       
198

       
 

       
        fi


     

       
199

       
 

       
      ''}


     

       
200

       
 

       



     

       
201

       
+

       
      ${lib.optionalString cfg.tpm.enable ''


     

       
202

       
+

       
        NIX_SWTPM_DIR=$(readlink -f "''${NIX_SWTPM_DIR:-${config.system.name}-swtpm}")


     

       
203

       
+

       
        mkdir -p "$NIX_SWTPM_DIR"


     

       
204

       
+

       
        ${lib.getExe cfg.tpm.package} \


     

       
205

       
+

       
          socket \


     

       
206

       
+

       
          --tpmstate dir="$NIX_SWTPM_DIR" \


     

       
207

       
+

       
          --ctrl type=unixio,path="$NIX_SWTPM_DIR"/socket \


     

       
208

       
+

       
          "--tpm2" 1>"$NIX_SWTPM_DIR"/stdout 2>"$NIX_SWTPM_DIR"/stderr &


     

       
209

       
+

       
      ''}


     

       
210

       
+

       



     

       
211

       
 

       
      cd "$TMPDIR"


     

       
212

       
 

       



     

       
213

       
 

       
      ${lib.optionalString (cfg.emptyDiskImages != []) "idx=0"}


     
···

       
872

       
 

       
      };


     

       
873

       
 

       
    };


     

       
874

       
 

       



     

       
875

       
+

       
    virtualisation.tpm = {


     

       
876

       
+

       
      enable = mkEnableOption "a TPM device in the virtual machine with a driver, using swtpm.";


     

       
877

       
+

       



     

       
878

       
+

       
      package = mkPackageOptionMD cfg.host.pkgs "swtpm" { };


     

       
879

       
+

       



     

       
880

       
+

       
      deviceModel = mkOption {


     

       
881

       
+

       
        type = types.str;


     

       
882

       
+

       
        default = ({


     

       
883

       
+

       
          "i686-linux" = "tpm-tis";


     

       
884

       
+

       
          "x86_64-linux" = "tpm-tis";


     

       
885

       
+

       
          "ppc64-linux" = "tpm-spapr";


     

       
886

       
+

       
          "armv7-linux" = "tpm-tis-device";


     

       
887

       
+

       
          "aarch64-linux" = "tpm-tis-device";


     

       
888

       
+

       
        }.${pkgs.hostPlatform.system} or (throw "Unsupported system for TPM2 emulation in QEMU"));


     

       
889

       
+

       
        defaultText = ''


     

       
890

       
+

       
          Based on the guest platform Linux system:


     

       
891

       
+

       



     

       
892

       
+

       
          - `tpm-tis` for (i686, x86_64)


     

       
893

       
+

       
          - `tpm-spapr` for ppc64


     

       
894

       
+

       
          - `tpm-tis-device` for (armv7, aarch64)


     

       
895

       
+

       
        '';


     

       
896

       
+

       
        example = "tpm-tis-device";


     

       
897

       
+

       
        description = lib.mdDoc "QEMU device model for the TPM, uses the appropriate default based on th guest platform system and the package passed.";


     

       
898

       
+

       
      };


     

       
899

       
+

       
    };


     

       
900

       
+

       



     

       
901

       
 

       
    virtualisation.useDefaultFilesystems =


     

       
902

       
 

       
      mkOption {


     

       
903

       
 

       
        type = types.bool;


     
···

       
1063

       
 

       



     

       
1064

       
 

       
    boot.initrd.availableKernelModules =


     

       
1065

       
 

       
      optional cfg.writableStore "overlay"


     

       
1066

       
+

       
      ++ optional (cfg.qemu.diskInterface == "scsi") "sym53c8xx"


     

       
1067

       
+

       
      ++ optional (cfg.tpm.enable) "tpm_tis";


     

       
1068

       
 

       



     

       
1069

       
 

       
    virtualisation.additionalPaths = [ config.system.build.toplevel ];


     

       
1070

       
 

       



     
···

       
1134

       
 

       
      ])


     

       
1135

       
 

       
      (mkIf (!cfg.graphics) [


     

       
1136

       
 

       
        "-nographic"


     

       
1137

       
+

       
      ])


     

       
1138

       
+

       
      (mkIf (cfg.tpm.enable) [


     

       
1139

       
+

       
        "-chardev socket,id=chrtpm,path=\"$NIX_SWTPM_DIR\"/socket"


     

       
1140

       
+

       
        "-tpmdev emulator,id=tpm_dev_0,chardev=chrtpm"


     

       
1141

       
+

       
        "-device ${cfg.tpm.deviceModel},tpmdev=tpm_dev_0"


     

       
1142

       
 

       
      ])


     

       
1143

       
 

       
    ];


     

       
1144