Skip to content

Commit

Permalink
Add extraInstallCommands option
Browse files Browse the repository at this point in the history
  • Loading branch information
@jmbaur
jmbaur committed Feb 15, 2025
1 parent bc45a03 commit 0a28921
Showing 1 changed file with 71 additions and 62 deletions.
133 changes: 71 additions & 62 deletions nixos-module.nix
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,72 +8,81 @@ let
cfg = config.tinyboot;
in
{
options.tinyboot =
with lib;
mkOption {
type = types.submoduleWith {
specialArgs.pkgs = pkgs;
modules = [
./options.nix
(
{ lib, ... }:
{
options = with lib; {
enable = mkEnableOption "tinyboot bootloader";
maxFailedBootAttempts = mkOption {
type = types.int;
default = 3;
};
};
}
)
];
};
default = { };
options.tinyboot = lib.mkOption {
type = lib.types.submoduleWith {
specialArgs.pkgs = pkgs;
modules = [
./options.nix
{
options = {
enable = lib.mkEnableOption "tinyboot bootloader";
extraInstallCommands = lib.mkOption {
type = lib.types.lines;
default = "";
};
maxFailedBootAttempts = lib.mkOption {
type = lib.types.int;
default = 3;
};
};
}
];
};
default = { };
};
config = lib.mkIf cfg.enable (
lib.mkMerge [
{
boot.kernelPatches =
with lib.kernel;
with (whenHelpers config.boot.kernelPackages.kernel.version);
[
pkgs.kernelPatches.ima_tpm_early_init
{
name = "enable-ima";
patch = null;
extraStructuredConfig =
{
IMA = yes;
TCG_TIS_SPI = yes;
IMA_DEFAULT_HASH_SHA256 = yes;
}
// lib.optionalAttrs pkgs.stdenv.hostPlatform.isx86_64 {
# helpful for early TPM initialization on x86_64 chromebooks
SPI_INTEL_PCI = yes;
MFD_INTEL_LPSS_ACPI = yes;
MFD_INTEL_LPSS_PCI = yes;
};
}
{
name = "allow-flashrom";
patch = null;
extraStructuredConfig.IO_STRICT_DEVMEM = lib.kernel.no;
}
];
assertions = [
{
assertion = config.boot.bootspec.enable;
message = "Bootloader install program depends on bootspec";
}
];

boot.kernelPatches = [
pkgs.kernelPatches.ima_tpm_early_init
{
name = "enable-ima";
patch = null;
extraStructuredConfig =
{
IMA = lib.kernel.yes;
TCG_TIS_SPI = lib.kernel.yes;
IMA_DEFAULT_HASH_SHA256 = lib.kernel.yes;
}
// lib.optionalAttrs pkgs.stdenv.hostPlatform.isx86_64 {
# helpful for early TPM initialization on x86_64 chromebooks
SPI_INTEL_PCI = lib.kernel.yes;
MFD_INTEL_LPSS_ACPI = lib.kernel.yes;
MFD_INTEL_LPSS_PCI = lib.kernel.yes;
};
}
{
name = "allow-flashrom";
patch = null;
extraStructuredConfig.IO_STRICT_DEVMEM = lib.kernel.no;
}
];
boot.loader.supportsInitrdSecrets = lib.mkForce false;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
boot.bootspec.enable = true;
boot.loader.external = lib.mkIf (with config.system.switch; enable || enableNg) {
boot.loader.external = {
enable = true;
installHook = toString [
(lib.getExe' pkgs.tinybootTools "tboot-nixos-install")
"--esp-mnt=${config.boot.loader.efi.efiSysMountPoint}"
"--private-key=${cfg.verifiedBoot.tbootPrivateKey}"
"--public-key=${cfg.verifiedBoot.tbootPublicCertificate}"
"--timeout=${toString config.boot.loader.timeout}"
"--max-tries=${toString cfg.maxFailedBootAttempts}"
];
installHook = pkgs.writeScript "install-bls.sh" ''
#!${pkgs.runtimeShell}
${
toString [
(lib.getExe' pkgs.tinybootTools "tboot-nixos-install")
"--esp-mnt=${config.boot.loader.efi.efiSysMountPoint}"
"--private-key=${cfg.verifiedBoot.tbootPrivateKey}"
"--public-key=${cfg.verifiedBoot.tbootPublicCertificate}"
"--timeout=${toString config.boot.loader.timeout}"
"--max-tries=${toString cfg.maxFailedBootAttempts}"
]
} "$@"
${cfg.extraInstallCommands}
'';

};
systemd.generators.tboot-bless-boot-generator = lib.getExe' pkgs.tinybootTools "tboot-bless-boot-generator";
systemd.services.tboot-bless-boot = {
Expand All @@ -96,9 +105,9 @@ in
};
}
(lib.mkIf cfg.coreboot.enable {
environment.systemPackages = with pkgs; [
cbmem
cbfstool
environment.systemPackages = [
pkgs.cbmem
pkgs.cbfstool
];

programs.flashrom = {
Expand Down

0 comments on commit 0a28921

Please sign in to comment.