Merge pull request #9077 from ts468/upstream.tcsd

tcsd module: expose firmwarePCRs and kernelPCRs
2015-08-02 03:47:06 +03:00 · 2015-08-02 03:47:06 +03:00 · b563775994
commit b563775994
parent 479a43cf74 aa63d4299f
1 changed files with 18 additions and 6 deletions
--- a/nixos/modules/services/hardware/tcsd.nix
+++ b/nixos/modules/services/hardware/tcsd.nix
@ -17,8 +17,8 @@ let
    # what is available directly from the PCR registers.
    firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements
    kernel_log_file = /sys/kernel/security/ima/binary_runtime_measurements
-    #firmware_pcrs = 0,1,2,3,4,5,6,7
-    #kernel_pcrs = 10,11
+    firmware_pcrs = ${cfg.firmwarePCRs}
+    kernel_pcrs = ${cfg.kernelPCRs}
    platform_cred = ${cfg.platformCred}
    conformance_cred = ${cfg.conformanceCred}
    endorsement_cred = ${cfg.endorsementCred}
@ -69,6 +69,18 @@ in
        '';
      };

+      firmwarePCRs = mkOption {
+        default = "0,1,2,3,4,5,6,7";
+        type = types.string;
+        description = "PCR indices used in the TPM for firmware measurements.";
+      };
+
+      kernelPCRs = mkOption {
+        default = "10,11";
+        type = types.string;
+        description = "PCR indices used in the TPM for kernel measurements.";
+      };
+
      platformCred = mkOption {
        default = "${cfg.stateDir}/platform.cert";
        type = types.path;