From 7a8980193d94a15bf4d7267d846e5b69c61fa413 Mon Sep 17 00:00:00 2001
From: Thomas Strobel
Date: Mon, 5 Oct 2015 13:45:20 +0200
Subject: [PATCH] nixos grub: trustedBoot: introduce safety check that TPM is available
---
 nixos/modules/system/boot/loader/grub/grub.nix | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix
index 0b349749244f..ce3efc3cd7cd 100644
--- a/nixos/modules/system/boot/loader/grub/grub.nix
+++ b/nixos/modules/system/boot/loader/grub/grub.nix
@@ -378,6 +378,17 @@ in
 '';
 };
 
+ systemHasTPM = mkOption {
+ default = "";
+ example = "YES_TPM_is_activated";
+ type = types.string;
+ description = ''
+ Assertion that the target system has an activated TPM. It is a safety
+ check before allowing the activation of 'enableTrustedBoot'. TrustedBoot
+ WILL FAIL TO BOOT YOUR SYSTEM if no TPM is available.
+ '';
+ };
+
 };
 };
 
@@ -453,8 +464,8 @@ in
 message = "Trusted GRUB does not have ZFS support";
 }
 {
- assertion = !cfg.enableTrustedBoot;
- message = "Trusted GRUB can break your system. Remove assertion if you want to test trustedGRUB nevertheless.";
+ assertion = !cfg.enableTrustedBoot || cfg.systemHasTPM == "YES_TPM_is_activated";
+ message = "Trusted GRUB can break the system! Confirm that the system has an activated TPM by setting 'systemHasTPM'.";
 }
 ] ++ flip concatMap cfg.mirroredBoots (args: [
 {
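Review bot: `type = types.string;` on the new systemHasTPM option is the merging string type, so two modules that both define it concatenate their values and the equality test in the trustedBoot assertion then fails with the generic "can break the system" message instead of a conflicting-definitions error. `types.str` rejects duplicate definitions, and `type = types.enum [ "" "YES_TPM_is_activated" ];` would additionally reject a mistyped sentinel at evaluation time rather than letting it surface as the assertion failure. The description should also state plainly that the option records the operator's claim and nothing in the module verifies it, e.g. `Operator acknowledgement that the target system has an activated TPM; the module cannot check this itself.` The enclosing options attribute set starts outside the hunk.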
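Review bot: The new assertion passes for any configuration that sets systemHasTPM to the sentinel, so it is an explicit opt-in rather than a check that a TPM is present, and the bare literal in the assertion duplicates the value given as the option's `example`, so editing either one silently breaks the gate. A comment above the assertion should make the opt-in nature explicit, e.g. `# Evaluation cannot probe hardware: systemHasTPM is an operator acknowledgement that TrustedGRUB is unbootable without a TPM.`, and the message could name the exact value expected so a near-miss is easy to diagnose. The assertions list continues on both sides of the hunk.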