Add documentation and script for secure boot
This commit is contained in:
parent
e70f04a451
commit
3bae7e8912
4 changed files with 56 additions and 4 deletions
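--- a/packages/dotfiles-enroll-tpm/default.nix
+++ b/packages/dotfiles-enroll-tpm/default.nix
@@ -0,0 +1,27 @@
+{
+writeShellApplication,
+systemd,
+nix,
+self,
+}:
+writeShellApplication {
+name = "dotfiles-enroll-tpm";
+meta.description = ''
+Enroll TPM PCR registers to unlock luks disk.
+
+Uses the following registers for measured boot:
+- PCR 0: Core system firmware executable code
+- PCR 2: Extended or pluggable executable code
+- PCR 7: SecureBoot state
+- PCR 12: Kernel command line, system credentials and system configuration images
+'';
+runtimeInputs = [
+systemd
+nix
+];
+text = ''
+LUKS_DEVICE="$(nix eval --raw "${self}#nixosConfigurations.$HOSTNAME.config.disko.devices.mdadm.raid_system.content.device")"
+echo -en "Determined disko configured LUKS device at $LUKS_DEVICE.\nWould you like to continue? [ENTER]" && read -r
+/run/wrappers/bin/sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+7+12 --wipe-slot=tpm2 "$LUKS_DEVICE"
+'';
+}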
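Review bot: The `systemd-cryptenroll` line at the end of `text` passes `--wipe-slot=tpm2` and binds the new slot to PCRs 0+2+7+12, so a firmware update (PCR 0/2), a Secure Boot policy change (PCR 7) or a kernel command-line change (PCR 12) will leave the TPM unable to unseal, and nothing in the script confirms that a non-TPM recovery passphrase slot remains before the existing TPM slots are destroyed. The confirmation prompt should say so, since the only user-facing text is the device path: `echo -en "Determined disko configured LUKS device at $LUKS_DEVICE.\nExisting TPM2 slots will be wiped and the new one bound to PCRs 0+2+7+12; keep a recovery passphrase enrolled.\nWould you like to continue? [ENTER]" && read -r`. Note that `read -r` accepts any input line, not only a bare ENTER, so the `[ENTER]` hint is slightly misleading. The `meta.description` would also benefit from a sentence stating that enrollment is PCR-only with no PIN, so a reader knows the disk unlocks unattended on a machine whose measured state matches; `--tpm2-with-pin=yes` is the option to mention if that trade-off is not intended.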