Enable TPM

2024-09-19 20:39:42 +00:00 · 2024-04-12 21:38:05 +02:00 · 2024-04-12 21:38:05 +02:00 · de2248452a
parent 74603055b8
commit de2248452a
4 changed files with 34 additions and 0 deletions
--- a/hosts/herugrim/default.nix
+++ b/hosts/herugrim/default.nix
@ -53,6 +53,7 @@
    device = {
      virtual-machine = false;
      cpu.type = "intel";
+      hasTPM = true;
    };

    home-manager = {
--- a/options/device/hardware.nix
+++ b/options/device/hardware.nix
@ -19,5 +19,11 @@ in
      default = false;
      description = "Is this system a virtual machine?";
    };
+
+    hasTPM = mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = "Does this device have a TPM (Trusted Platform Module)?"
+    }
  };
 }
--- a/system/hardware/default.nix
+++ b/system/hardware/default.nix
@ -1,5 +1,6 @@
 _: {
  imports = [
    ./cpu
+    ./tpm.nix
  ];
 }
--- a/system/hardware/tpm.nix
+++ b/system/hardware/tpm.nix
@ -0,0 +1,26 @@
+{ config, lib, pkgs, ... }: let
+  inherit (lib) mkIf;
+
+  enabled = config.device.hasTPM;
+in {
+  config = mkIf enabled {
+    security.tpm2 = {
+      # enable Trusted Platform Module 2 support
+      enable = true;
+
+      # enable Trusted Platform 2 userspace resource manager daemon
+      abrmd.enable = mkDefault false;
+
+      # The TCTI is the "Transmission Interface" that is used to communicate with a
+      # TPM. this option sets TCTI environment variables to the specified values if enabled
+      #  - TPM2TOOLS_TCTI
+      #  - TPM2_PKCS11_TCTI
+      tctiEnvironment.enable = mkDefault true;
+
+      # enable TPM2 PKCS#11 tool and shared library in system path
+      pkcs11.enable = mkDefault false;
+    };
+
+    environment.systemPackages = with pkgs; [ tpm2-tss tpm2-tools ];
+  };
+}