nixos trustedGRUB: add support for HP laptops

Thomas Strobel 2015-12-21 20:20:29 +01:00
parent d76c26e876
commit d856841ba4
3 changed files with 56 additions and 31 deletions


@ -10,7 +10,10 @@ let
realGrub = if cfg.version == 1 then pkgs.grub realGrub = if cfg.version == 1 then pkgs.grub
else if cfg.zfsSupport then pkgs.grub2.override { zfsSupport = true; } else if cfg.zfsSupport then pkgs.grub2.override { zfsSupport = true; }
else if cfg.enableTrustedBoot then pkgs.trustedGrub else if cfg.trustedBoot.enable
then if cfg.trustedBoot.isHPLaptop
then pkgs.trustedGrub-for-HP
else pkgs.trustedGrub
else pkgs.grub2; else pkgs.grub2;
grub = grub =
@ -369,7 +372,9 @@ in
''; '';
}; };
enableTrustedBoot = mkOption { trustedBoot = {
enable = mkOption {
default = false; default = false;
type = types.bool; type = types.bool;
description = '' description = ''
@ -384,11 +389,22 @@ in
type = types.string; type = types.string;
description = '' description = ''
Assertion that the target system has an activated TPM. It is a safety Assertion that the target system has an activated TPM. It is a safety
check before allowing the activation of 'enableTrustedBoot'. TrustedBoot check before allowing the activation of 'trustedBoot.enable'. TrustedBoot
WILL FAIL TO BOOT YOUR SYSTEM if no TPM is available. WILL FAIL TO BOOT YOUR SYSTEM if no TPM is available.
''; '';
}; };
isHPLaptop = mkOption {
default = false;
type = types.bool;
description = ''
Use a special version of TrustedGRUB that is needed by some HP laptops
and works only for the HP laptops.
'';
};
};
}; };
}; };
@ -452,19 +468,19 @@ in
message = "You cannot have duplicated devices in mirroredBoots"; message = "You cannot have duplicated devices in mirroredBoots";
} }
{ {
assertion = !cfg.enableTrustedBoot || cfg.version == 2; assertion = !cfg.trustedBoot.enable || cfg.version == 2;
message = "Trusted GRUB is only available for GRUB 2"; message = "Trusted GRUB is only available for GRUB 2";
} }
{ {
assertion = !cfg.efiSupport || !cfg.enableTrustedBoot; assertion = !cfg.efiSupport || !cfg.trustedBoot.enable;
message = "Trusted GRUB does not have EFI support"; message = "Trusted GRUB does not have EFI support";
} }
{ {
assertion = !cfg.zfsSupport || !cfg.enableTrustedBoot; assertion = !cfg.zfsSupport || !cfg.trustedBoot.enable;
message = "Trusted GRUB does not have ZFS support"; message = "Trusted GRUB does not have ZFS support";
} }
{ {
assertion = !cfg.enableTrustedBoot || cfg.systemHasTPM == "YES_TPM_is_activated"; assertion = !cfg.trustedBoot.enable || cfg.trustedBoot.systemHasTPM == "YES_TPM_is_activated";
message = "Trusted GRUB can break the system! Confirm that the system has an activated TPM by setting 'systemHasTPM'."; message = "Trusted GRUB can break the system! Confirm that the system has an activated TPM by setting 'systemHasTPM'.";
} }
] ++ flip concatMap cfg.mirroredBoots (args: [ ] ++ flip concatMap cfg.mirroredBoots (args: [
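Review bot: The last assertion's message still tells the user to set 'systemHasTPM', although this change moves the option to `trustedBoot.systemHasTPM`. That assertion is the only guard before a bootloader which, by the option text, will fail to boot without an activated TPM, so the hint should name the path the user must actually set: `message = "Trusted GRUB can break the system! Confirm that the system has an activated TPM by setting 'trustedBoot.systemHasTPM'.";`. Separately, `trustedBoot.isHPLaptop` is only read inside the `cfg.trustedBoot.enable` branch of `realGrub`, so setting it alone has no effect. Its description could say so, for example `Only takes effect when trustedBoot.enable is set.` The assertions list and the options set both continue outside the hunks shown.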


@ -1,5 +1,6 @@
{ stdenv, fetchurl, fetchgit, autogen, flex, bison, python, autoconf, automake { stdenv, fetchurl, fetchgit, autogen, flex, bison, python, autoconf, automake
, gettext, ncurses, libusb, freetype, qemu, devicemapper , gettext, ncurses, libusb, freetype, qemu, devicemapper
, for_HP_laptop ? false
}: }:
with stdenv.lib; with stdenv.lib;
@ -11,7 +12,7 @@ let
inPCSystems = any (system: stdenv.system == system) (mapAttrsToList (name: _: name) pcSystems); inPCSystems = any (system: stdenv.system == system) (mapAttrsToList (name: _: name) pcSystems);
version = "1.2.1"; version = if for_HP_laptop then "1.2.1" else "1.2.0";
unifont_bdf = fetchurl { unifont_bdf = fetchurl {
url = "http://unifoundry.com/unifont-5.1.20080820.bdf.gz"; url = "http://unifoundry.com/unifont-5.1.20080820.bdf.gz";
@ -25,15 +26,21 @@ let
}; };
in ( in
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
name = "trustedGRUB2-${version}"; name = "trustedGRUB2-${version}";
src = fetchgit { src = if for_HP_laptop
then fetchgit {
url = "https://github.com/Sirrix-AG/TrustedGRUB2"; url = "https://github.com/Sirrix-AG/TrustedGRUB2";
rev = "ab483d389bda3115ca0ae4202fd71f2e4a31ad41"; rev = "ab483d389bda3115ca0ae4202fd71f2e4a31ad41";
sha256 = "4b715837f8632278720d8b29aec06332f5302c6ba78183ced5f48d3c376d89c0"; sha256 = "4b715837f8632278720d8b29aec06332f5302c6ba78183ced5f48d3c376d89c0";
}
else fetchgit {
url = "https://github.com/Sirrix-AG/TrustedGRUB2";
rev = "1ff54a5fbe02ea01df5a7de59b1e0201e08d4f76";
sha256 = "8c17bd7e14dd96ae9c4e98723f4e18ec6b21d45ac486ecf771447649829d0b34";
}; };
nativeBuildInputs = [ autogen flex bison python autoconf automake ]; nativeBuildInputs = [ autogen flex bison python autoconf automake ];
@ -89,4 +96,4 @@ stdenv.mkDerivation rec {
license = licenses.gpl3Plus; license = licenses.gpl3Plus;
platforms = platforms.gnu; platforms = platforms.gnu;
}; };
}) }
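Review bot: The `version` and `src` conditionals move the default (non-HP) build from "1.2.1" at rev ab483d38… back to "1.2.0" at rev 1ff54a5f…, and nothing in the expression records why. For a measured-boot loader, an unexplained step back in the pinned revision is something a later maintainer is likely to "fix" by bumping it again. A comment above `version` would prevent that, for example `# for_HP_laptop selects upstream 1.2.1; every other machine builds 1.2.0 because <reason>`. Both branches stay pinned by `rev` and `sha256`, which is good. They share the same `url`, so only `rev` and `sha256` need to be conditional, which would make it obvious at a glance that the two variants differ only in the pinned commit.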


@ -1741,6 +1741,8 @@ let
trustedGrub = callPackage_i686 ../tools/misc/grub/trusted.nix { }; trustedGrub = callPackage_i686 ../tools/misc/grub/trusted.nix { };
trustedGrub-for-HP = callPackage_i686 ../tools/misc/grub/trusted.nix { for_HP_laptop = true; };
grub2 = grub2_full; grub2 = grub2_full;
grub2_full = callPackage ../tools/misc/grub/2.0x.nix { }; grub2_full = callPackage ../tools/misc/grub/2.0x.nix { };