pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #8654 from ts468/upstream.trusted_grub_integration

grub installation: integrate trustedGRUB + fix broken equality check

William A. Kennington III c38a9b60 bdc77d27

options
unified split
Changed files
+39 -7
nixos
modules
system
boot
loader
grub
grub.nix
install-grub.pl
+28 -1
nixos/modules/system/boot/loader/grub/grub.nix 
···

       
10

       
10

       
 

       



     

       
11

       
11

       
 

       
  realGrub = if cfg.version == 1 then pkgs.grub


     

       
12

       
12

       
 

       
    else if cfg.zfsSupport then pkgs.grub2.override { zfsSupport = true; }


     

       
13

       

       
-

       
    else pkgs.grub2;


     

       

       
13

       
+

       
    else if cfg.enableTrustedboot then pkgs.trustedGrub


     

       

       
14

       
+

       
           else pkgs.grub2;


     

       
14

       
15

       
 

       



     

       
15

       
16

       
 

       
  grub =


     

       
16

       
17

       
 

       
    # Don't include GRUB if we're only generating a GRUB menu (e.g.,


     
···

       
37

       
38

       
 

       
      grub = f grub;


     

       
38

       
39

       
 

       
      grubTarget = f (grub.grubTarget or "");


     

       
39

       
40

       
 

       
      shell = "${pkgs.stdenv.shell}";


     

       

       
41

       
+

       
      fullName = (builtins.parseDrvName realGrub.name).name;


     

       
40

       
42

       
 

       
      fullVersion = (builtins.parseDrvName realGrub.name).version;


     

       
41

       
43

       
 

       
      grubEfi = f grubEfi;


     

       
42

       
44

       
 

       
      grubTargetEfi = if cfg.efiSupport && (cfg.version == 2) then f (grubEfi.grubTarget or "") else "";


     
···

       
367

       
369

       
 

       
        '';


     

       
368

       
370

       
 

       
      };


     

       
369

       
371

       
 

       



     

       

       
372

       
+

       
      enableTrustedboot = mkOption {


     

       

       
373

       
+

       
        default = false;


     

       

       
374

       
+

       
        type = types.bool;


     

       

       
375

       
+

       
        description = ''


     

       

       
376

       
+

       
          Enable trusted boot. Grub will measure all critical components during


     

       

       
377

       
+

       
          the boot process to offer TCG (TPM) support.


     

       

       
378

       
+

       
        '';


     

       

       
379

       
+

       
      };


     

       

       
380

       
+

       



     

       
370

       
381

       
 

       
    };


     

       
371

       
382

       
 

       



     

       
372

       
383

       
 

       
  };


     
···

       
428

       
439

       
 

       
        {


     

       
429

       
440

       
 

       
          assertion = all (c: c < 2) (mapAttrsToList (_: c: c) bootDeviceCounters);


     

       
430

       
441

       
 

       
          message = "You cannot have duplicated devices in mirroredBoots";


     

       

       
442

       
+

       
        }


     

       

       
443

       
+

       
        {


     

       

       
444

       
+

       
          assertion = !cfg.enableTrustedboot || cfg.version == 2;


     

       

       
445

       
+

       
          message = "Trusted GRUB is only available for GRUB 2";


     

       

       
446

       
+

       
        }


     

       

       
447

       
+

       
        {


     

       

       
448

       
+

       
          assertion = !cfg.efiSupport || !cfg.enableTrustedboot;


     

       

       
449

       
+

       
          message = "Trusted GRUB does not have EFI support";


     

       

       
450

       
+

       
        }


     

       

       
451

       
+

       
        {


     

       

       
452

       
+

       
          assertion = !cfg.zfsSupport || !cfg.enableTrustedboot;


     

       

       
453

       
+

       
          message = "Trusted GRUB does not have ZFS support";


     

       

       
454

       
+

       
        }


     

       

       
455

       
+

       
        {


     

       

       
456

       
+

       
          assertion = !cfg.enableTrustedboot;


     

       

       
457

       
+

       
          message = "Trusted GRUB can break your system. Remove assertion if you want to test trustedGRUB nevertheless.";


     

       
431

       
458

       
 

       
        }


     

       
432

       
459

       
 

       
      ] ++ flip concatMap cfg.mirroredBoots (args: [


     

       
433

       
460

       
 

       
        {
+11 -6
nixos/modules/system/boot/loader/grub/install-grub.pl 
···

       
433

       
433

       
 

       
#


     

       
434

       
434

       
 

       



     

       
435

       
435

       
 

       
struct(GrubState => {


     

       

       
436

       
+

       
    name => '$',


     

       
436

       
437

       
 

       
    version => '$',


     

       
437

       
438

       
 

       
    efi => '$',


     

       
438

       
439

       
 

       
    devices => '$',


     

       
439

       
440

       
 

       
    efiMountPoint => '$',


     

       
440

       
441

       
 

       
});


     

       
441

       
442

       
 

       
sub readGrubState {


     

       
442

       

       
-

       
    my $defaultGrubState = GrubState->new(version => "", efi => "", devices => "", efiMountPoint => "" );


     

       

       
443

       
+

       
    my $defaultGrubState = GrubState->new(name => "", version => "", efi => "", devices => "", efiMountPoint => "" );


     

       
443

       
444

       
 

       
    open FILE, "<$bootPath/grub/state" or return $defaultGrubState;


     

       
444

       
445

       
 

       
    local $/ = "\n";


     

       

       
446

       
+

       
    my $name = <FILE>;


     

       

       
447

       
+

       
    chomp($name);


     

       
445

       
448

       
 

       
    my $version = <FILE>;


     

       
446

       
449

       
 

       
    chomp($version);


     

       
447

       
450

       
 

       
    my $efi = <FILE>;


     
···

       
451

       
454

       
 

       
    my $efiMountPoint = <FILE>;


     

       
452

       
455

       
 

       
    chomp($efiMountPoint);


     

       
453

       
456

       
 

       
    close FILE;


     

       
454

       

       
-

       
    my $grubState = GrubState->new(version => $version, efi => $efi, devices => $devices, efiMountPoint => $efiMountPoint );


     

       

       
457

       
+

       
    my $grubState = GrubState->new(name => $name, version => $version, efi => $efi, devices => $devices, efiMountPoint => $efiMountPoint );


     

       
455

       
458

       
 

       
    return $grubState


     

       
456

       
459

       
 

       
}


     

       
457

       
460

       
 

       



     
···

       
497

       
500

       
 

       
my @prevDeviceTargets = split/:/, $prevGrubState->devices;


     

       
498

       
501

       
 

       



     

       
499

       
502

       
 

       
my $devicesDiffer = scalar (List::Compare->new( '-u', '-a', \@deviceTargets, \@prevDeviceTargets)->get_symmetric_difference() );


     

       
500

       

       
-

       
my $versionDiffer = (get("fullVersion") eq \$prevGrubState->version);


     

       
501

       

       
-

       
my $efiDiffer = ($efiTarget eq \$prevGrubState->efi);


     

       
502

       

       
-

       
my $efiMountPointDiffer = ($efiSysMountPoint eq \$prevGrubState->efiMountPoint);


     

       
503

       

       
-

       
my $requireNewInstall = $devicesDiffer || $versionDiffer || $efiDiffer || $efiMountPointDiffer || (($ENV{'NIXOS_INSTALL_GRUB'} // "") eq "1");


     

       

       
503

       
+

       
my $nameDiffer = !(get("fullName") eq $prevGrubState->name);


     

       

       
504

       
+

       
my $versionDiffer = !(get("fullVersion") eq $prevGrubState->version);


     

       

       
505

       
+

       
my $efiDiffer = !($efiTarget eq $prevGrubState->efi);


     

       

       
506

       
+

       
my $efiMountPointDiffer = !($efiSysMountPoint eq $prevGrubState->efiMountPoint);


     

       

       
507

       
+

       
my $requireNewInstall = $devicesDiffer || $nameDiffer || $versionDiffer || $efiDiffer || $efiMountPointDiffer || (($ENV{'NIXOS_INSTALL_GRUB'} // "") eq "1");


     

       
504

       
508

       
 

       



     

       
505

       
509

       
 

       
# install a symlink so that grub can detect the boot drive when set


     

       
506

       
510

       
 

       
# as the root directory


     
···

       
543

       
547

       
 

       
# update GRUB state file


     

       
544

       
548

       
 

       
if ($requireNewInstall != 0) {


     

       
545

       
549

       
 

       
    open FILE, ">$bootPath/grub/state" or die "cannot create $bootPath/grub/state: $!\n";


     

       

       
550

       
+

       
    print FILE get("fullName"), "\n" or die;


     

       
546

       
551

       
 

       
    print FILE get("fullVersion"), "\n" or die;


     

       
547

       
552

       
 

       
    print FILE $efiTarget, "\n" or die;


     

       
548

       
553

       
 

       
    print FILE join( ":", @deviceTargets ), "\n" or die;