feat: Add microvm.credentialFiles for passing credentials to guests

checks/default.nix

@@ -115,6 +115,37 @@ let
         imports = [ "${modulesPath}/profiles/hardened.nix" ];
       }) ];
     } ]
+
+    [ {
+      # no
+      id = null;
+    } {
+      id = "credentials";
+      modules = [ ({ config, pkgs, ... }: {
+        # This is the guest vm config
+        microvm.credentialFiles.SECRET_BOOTSRAP_KEY = "/etc/microvm-bootstrap.secret";
+        microvm.testing.enableTest = builtins.elem config.microvm.hypervisor [
+          # Hypervisors that support systemd credentials
+          "qemu"
+        ];
+        # TODO: need to somehow have the test harness check for the success or failure of this service.
+        systemd.services.test-secret-availability = {
+          serviceConfig = {
+            ImportCredential = "SECRET_BOOTSRAP_KEY";
+            Restart = "no";
+          };
+          path = [ pkgs.gnugrep pkgs.coreutils ];
+          script = ''
+            cat $CREDENTIALS_DIRECTORY/SECRET_BOOTSRAP_KEY | grep -q "i am super secret"
+            if [ $? -ne 0 ]; then
+              echo "Secret not found at $CREDENTIALS_DIRECTORY/SECRET_BOOTSRAP_KEY"
+              exit 1
+            fi
+          '';
+        };
+      }) ];
+    } ]
+
   ];
 
   allVariants =

checks/vm.nix

@@ -17,6 +17,8 @@
       # Must be big enough for the store overlay volume
       virtualisation.diskSize = 4096;
 
+      environment.etc."microvm-bootstrap.secret".text  = "i am super secret";
+
       microvm.vms."${system}-${hypervisor}-example".flake = self;
     };
     testScript = ''

lib/runners/qemu.nix

@@ -39,7 +39,7 @@ let
   qemu = overrideQemu (if microvmConfig.cpu == null then
     pkgs.qemu_kvm else pkgs.buildPackages.qemu_full);
 
-  inherit (microvmConfig) hostName cpu vcpu mem balloonMem deflateOnOOM user interfaces shares socket forwardPorts devices vsock graphics storeOnDisk kernel initrdPath storeDisk;
+  inherit (microvmConfig) hostName cpu vcpu mem balloonMem deflateOnOOM user interfaces shares socket forwardPorts devices vsock graphics storeOnDisk kernel initrdPath storeDisk credentialFiles;
   inherit (microvmConfig.qemu) machine extraArgs serialConsole;
 
   inherit (import ../. { inherit (pkgs) lib; }) withDriveLetters;
@@ -146,6 +146,8 @@ let
     then "console=ttyAMA0"
     else "";
 
+  systemdCredentialStrings = lib.mapAttrsToList (name: path: "name=opt/io.systemd.credentials/${name},file=${path}" ) credentialFiles;
+  fwCfgOptions = systemdCredentialStrings;
 
 in
 lib.warnIf (mem == 2048) ''
@@ -173,6 +175,9 @@ lib.warnIf (mem == 2048) ''
       "-chardev" "stdio,id=stdio,signal=off"
       "-device" "virtio-rng-${devType}"
     ] ++
+    lib.optionals (fwCfgOptions != [])  [
+      "-fw_cfg" (lib.concatStringsSep "," fwCfgOptions)
+    ] ++
     lib.optionals serialConsole [
       "-serial" "chardev:stdio"
     ] ++

nixos-modules/microvm/options.nix

@@ -602,6 +602,18 @@ in
       description = "Flags to pass to gensquashfs";
       default = [ "-c" "zstd" "-j" "$NIX_BUILD_CORES" ];
     };
+
+    credentialFiles = mkOption {
+      type = with types; attrsOf path;
+      description = ''
+        Key-value pairs of credential files that will be loaded into the vm using systemd's io.systemd.credential feature.
+      '';
+      example = literalExpression /* nix */ ''
+        {
+          SOPS_AGE_KEY = "/run/secrets/guest_microvm_age_key";
+        }
+      '';
+    };
   };
 
   config = lib.mkMerge [ {