27 lines
904 B
Nix
27 lines
904 B
Nix
{
|
|
writeShellApplication,
|
|
systemd,
|
|
nix,
|
|
self,
|
|
}:
|
|
writeShellApplication {
|
|
name = "dotfiles-enroll-tpm";
|
|
meta.description = ''
|
|
Enroll TPM PCR registers to unlock luks disk.
|
|
|
|
Uses the following registers for measured boot:
|
|
- PCR 0: Core system firmware executable code
|
|
- PCR 2: Extended or pluggable executable code
|
|
- PCR 7: SecureBoot state
|
|
- PCR 12: Kernel command line, system credentials and system configuration images
|
|
'';
|
|
runtimeInputs = [
|
|
systemd
|
|
nix
|
|
];
|
|
text = ''
|
|
LUKS_DEVICE="$(nix eval --raw "${self}#nixosConfigurations.$HOSTNAME.config.disko.devices.mdadm.raid_system.content.device")"
|
|
echo -en "Determined disko configured LUKS device at $LUKS_DEVICE.\nWould you like to continue? [ENTER]" && read -r
|
|
/run/wrappers/bin/sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+7+12 --wipe-slot=tpm2 "$LUKS_DEVICE"
|
|
'';
|
|
}
|