···

       
10
       
10
       
 
       


     

       
11
       
11
       
 
       
  realGrub = if cfg.version == 1 then pkgs.grub

     

       
12
       
12
       
 
       
    else if cfg.zfsSupport then pkgs.grub2.override { zfsSupport = true; }

     

       
13
       
13
       
-
       
    else if cfg.enableTrustedBoot then pkgs.trustedGrub

     

       
14
       
14
       
-
       
           else pkgs.grub2;

     

       
13
       
13
       
+
       
    else if cfg.trustedBoot.enable

     

       
14
       
14
       
+
       
         then if cfg.trustedBoot.isHPLaptop

     

       
15
       
15
       
+
       
              then pkgs.trustedGrub-for-HP

     

       
16
       
16
       
+
       
              else pkgs.trustedGrub

     

       
17
       
17
       
+
       
         else pkgs.grub2;

     

       
15
       
18
       
 
       


     

       
16
       
19
       
 
       
  grub =

     

       
17
       
20
       
 
       
    # Don't include GRUB if we're only generating a GRUB menu (e.g.,

     
···

       
369
       
372
       
 
       
        '';

     

       
370
       
373
       
 
       
      };

     

       
371
       
374
       
 
       


     

       
372
       
372
       
-
       
      enableTrustedBoot = mkOption {

     

       
373
       
373
       
-
       
        default = false;

     

       
374
       
374
       
-
       
        type = types.bool;

     

       
375
       
375
       
-
       
        description = ''

     

       
376
       
376
       
-
       
          Enable trusted boot. GRUB will measure all critical components during

     

       
377
       
377
       
-
       
          the boot process to offer TCG (TPM) support.

     

       
378
       
378
       
-
       
        '';

     

       
379
       
379
       
-
       
      };

     

       
375
       
375
       
+
       
      trustedBoot = {

     

       
376
       
376
       
+
       


     

       
377
       
377
       
+
       
        enable = mkOption {

     

       
378
       
378
       
+
       
          default = false;

     

       
379
       
379
       
+
       
          type = types.bool;

     

       
380
       
380
       
+
       
          description = ''

     

       
381
       
381
       
+
       
            Enable trusted boot. GRUB will measure all critical components during

     

       
382
       
382
       
+
       
            the boot process to offer TCG (TPM) support.

     

       
383
       
383
       
+
       
          '';

     

       
384
       
384
       
+
       
        };

     

       
385
       
385
       
+
       


     

       
386
       
386
       
+
       
        systemHasTPM = mkOption {

     

       
387
       
387
       
+
       
          default = "";

     

       
388
       
388
       
+
       
          example = "YES_TPM_is_activated";

     

       
389
       
389
       
+
       
          type = types.string;

     

       
390
       
390
       
+
       
          description = ''

     

       
391
       
391
       
+
       
            Assertion that the target system has an activated TPM. It is a safety

     

       
392
       
392
       
+
       
            check before allowing the activation of 'trustedBoot.enable'. TrustedBoot

     

       
393
       
393
       
+
       
            WILL FAIL TO BOOT YOUR SYSTEM if no TPM is available.

     

       
394
       
394
       
+
       
          '';

     

       
395
       
395
       
+
       
        };

     

       
396
       
396
       
+
       


     

       
397
       
397
       
+
       
        isHPLaptop = mkOption {

     

       
398
       
398
       
+
       
          default = false;

     

       
399
       
399
       
+
       
          type = types.bool;

     

       
400
       
400
       
+
       
          description = ''

     

       
401
       
401
       
+
       
            Use a special version of TrustedGRUB that is needed by some HP laptops

     

       
402
       
402
       
+
       
            and works only for the HP laptops.

     

       
403
       
403
       
+
       
          '';

     

       
404
       
404
       
+
       
        };

     

       
380
       
405
       
 
       


     

       
381
       
381
       
-
       
      systemHasTPM = mkOption {

     

       
382
       
382
       
-
       
        default = "";

     

       
383
       
383
       
-
       
        example = "YES_TPM_is_activated";

     

       
384
       
384
       
-
       
        type = types.string;

     

       
385
       
385
       
-
       
        description = ''

     

       
386
       
386
       
-
       
          Assertion that the target system has an activated TPM. It is a safety

     

       
387
       
387
       
-
       
          check before allowing the activation of 'enableTrustedBoot'. TrustedBoot

     

       
388
       
388
       
-
       
          WILL FAIL TO BOOT YOUR SYSTEM if no TPM is available.

     

       
389
       
389
       
-
       
        '';

     

       
390
       
406
       
 
       
      };

     

       
391
       
407
       
 
       


     

       
392
       
408
       
 
       
    };

     
···

       
452
       
468
       
 
       
          message = "You cannot have duplicated devices in mirroredBoots";

     

       
453
       
469
       
 
       
        }

     

       
454
       
470
       
 
       
        {

     

       
455
       
455
       
-
       
          assertion = !cfg.enableTrustedBoot || cfg.version == 2;

     

       
471
       
471
       
+
       
          assertion = !cfg.trustedBoot.enable || cfg.version == 2;

     

       
456
       
472
       
 
       
          message = "Trusted GRUB is only available for GRUB 2";

     

       
457
       
473
       
 
       
        }

     

       
458
       
474
       
 
       
        {

     

       
459
       
459
       
-
       
          assertion = !cfg.efiSupport || !cfg.enableTrustedBoot;

     

       
475
       
475
       
+
       
          assertion = !cfg.efiSupport || !cfg.trustedBoot.enable;

     

       
460
       
476
       
 
       
          message = "Trusted GRUB does not have EFI support";

     

       
461
       
477
       
 
       
        }

     

       
462
       
478
       
 
       
        {

     

       
463
       
463
       
-
       
          assertion = !cfg.zfsSupport || !cfg.enableTrustedBoot;

     

       
479
       
479
       
+
       
          assertion = !cfg.zfsSupport || !cfg.trustedBoot.enable;

     

       
464
       
480
       
 
       
          message = "Trusted GRUB does not have ZFS support";

     

       
465
       
481
       
 
       
        }

     

       
466
       
482
       
 
       
        {

     

       
467
       
467
       
-
       
          assertion = !cfg.enableTrustedBoot || cfg.systemHasTPM == "YES_TPM_is_activated";

     

       
483
       
483
       
+
       
          assertion = !cfg.trustedBoot.enable || cfg.trustedBoot.systemHasTPM == "YES_TPM_is_activated";

     

       
468
       
484
       
 
       
          message = "Trusted GRUB can break the system! Confirm that the system has an activated TPM by setting 'systemHasTPM'.";

     

       
469
       
485
       
 
       
        }

     

       
470
       
486
       
 
       
      ] ++ flip concatMap cfg.mirroredBoots (args: [

     

···

       
1
       
1
       
 
       
{ stdenv, fetchurl, fetchgit, autogen, flex, bison, python, autoconf, automake

     

       
2
       
2
       
 
       
, gettext, ncurses, libusb, freetype, qemu, devicemapper

     

       
3
       
3
       
+
       
, for_HP_laptop ? false

     

       
3
       
4
       
 
       
}:

     

       
4
       
5
       
 
       


     

       
5
       
6
       
 
       
with stdenv.lib;

     
···

       
11
       
12
       
 
       


     

       
12
       
13
       
 
       
  inPCSystems = any (system: stdenv.system == system) (mapAttrsToList (name: _: name) pcSystems);

     

       
13
       
14
       
 
       


     

       
14
       
14
       
-
       
  version = "1.2.1";

     

       
15
       
15
       
+
       
  version = if for_HP_laptop then "1.2.1" else "1.2.0";

     

       
15
       
16
       
 
       


     

       
16
       
17
       
 
       
  unifont_bdf = fetchurl {

     

       
17
       
18
       
 
       
    url = "http://unifoundry.com/unifont-5.1.20080820.bdf.gz";

     
···

       
25
       
26
       
 
       


     

       
26
       
27
       
 
       
  };

     

       
27
       
28
       
 
       


     

       
28
       
28
       
-
       
in (

     

       
29
       
29
       
+
       
in

     

       
29
       
30
       
 
       


     

       
30
       
31
       
 
       
stdenv.mkDerivation rec {

     

       
31
       
32
       
 
       
  name = "trustedGRUB2-${version}";

     

       
32
       
33
       
 
       


     

       
33
       
33
       
-
       
  src = fetchgit {

     

       
34
       
34
       
-
       
    url = "https://github.com/Sirrix-AG/TrustedGRUB2";

     

       
35
       
35
       
-
       
    rev = "ab483d389bda3115ca0ae4202fd71f2e4a31ad41";

     

       
36
       
36
       
-
       
    sha256 = "4b715837f8632278720d8b29aec06332f5302c6ba78183ced5f48d3c376d89c0";

     

       
37
       
37
       
-
       
  };

     

       
34
       
34
       
+
       
  src = if for_HP_laptop

     

       
35
       
35
       
+
       
        then fetchgit {

     

       
36
       
36
       
+
       
          url = "https://github.com/Sirrix-AG/TrustedGRUB2";

     

       
37
       
37
       
+
       
          rev = "ab483d389bda3115ca0ae4202fd71f2e4a31ad41";

     

       
38
       
38
       
+
       
          sha256 = "4b715837f8632278720d8b29aec06332f5302c6ba78183ced5f48d3c376d89c0";

     

       
39
       
39
       
+
       
        }

     

       
40
       
40
       
+
       
        else fetchgit {

     

       
41
       
41
       
+
       
          url = "https://github.com/Sirrix-AG/TrustedGRUB2";

     

       
42
       
42
       
+
       
          rev = "1ff54a5fbe02ea01df5a7de59b1e0201e08d4f76";

     

       
43
       
43
       
+
       
          sha256 = "8c17bd7e14dd96ae9c4e98723f4e18ec6b21d45ac486ecf771447649829d0b34";

     

       
44
       
44
       
+
       
        };

     

       
38
       
45
       
 
       


     

       
39
       
46
       
 
       
  nativeBuildInputs = [ autogen flex bison python autoconf automake ];

     

       
40
       
47
       
 
       
  buildInputs = [ ncurses libusb freetype gettext devicemapper ]

     
···

       
89
       
96
       
 
       
    license = licenses.gpl3Plus;

     

       
90
       
97
       
 
       
    platforms = platforms.gnu;

     

       
91
       
98
       
 
       
  };

     

       
92
       
92
       
-
       
})

     

       
99
       
99
       
+
       
}

     

···

       
1741
       
1741
       
 
       


     

       
1742
       
1742
       
 
       
  trustedGrub = callPackage_i686 ../tools/misc/grub/trusted.nix { };

     

       
1743
       
1743
       
 
       


     

       
1744
       
1744
       
+
       
  trustedGrub-for-HP = callPackage_i686 ../tools/misc/grub/trusted.nix { for_HP_laptop = true; };

     

       
1745
       
1745
       
+
       


     

       
1744
       
1746
       
 
       
  grub2 = grub2_full;

     

       
1745
       
1747
       
 
       


     

       
1746
       
1748
       
 
       
  grub2_full = callPackage ../tools/misc/grub/2.0x.nix { };