set up secure boot on eclipse and do some tpm stuff

2024-12-04 16:09:14 -05:00 · 2024-12-04 16:09:14 -05:00 · c9b44fbf1f
commit c9b44fbf1f
parent d5db083507
4 changed files with 261 additions and 22 deletions
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@ -20,20 +20,21 @@
  boot.kernelPackages = pkgs.linuxPackages_latest;

  # Bootloader.
-  boot.loader.grub = {
-    enable = true;
-    efiSupport = true;
-    device = "nodev";
-    theme = pkgs.catppuccin-grub;
-    extraEntries = ''
-      menuentry "Firmware Setup" --class menu {
-        fwsetup
-      }
-    '';
-    extraFiles = {
-      "theme/icons/menu.png" = "/etc/nixos/assets/img/grub/menu.png";
-    };
-  };
+  boot.loader.systemd-boot.enable = true;
+  # boot.loader.grub = {
+  #   enable = true;
+  #   efiSupport = true;
+  #   device = "nodev";
+  #   theme = pkgs.catppuccin-grub;
+  #   extraEntries = ''
+  #     menuentry "Firmware Setup" --class menu {
+  #       fwsetup
+  #     }
+  #   '';
+  #   extraFiles = {
+  #     "theme/icons/menu.png" = "/etc/nixos/assets/img/grub/menu.png";
+  #   };
+  # };
  boot.loader.efi.canTouchEfiVariables = true;

  networking.hostName = hostname; # Define your hostname.
--- a/nixos/tpm.nix
+++ b/nixos/tpm.nix
@ -1,9 +1,17 @@
-{ user, ... }:
+{ user, lib, pkgs, ... }:
 {
+  environment.variables = {
+    TPM2_PKCS11_TCTI = lib.mkDefault "tabrmd:";
+  };
  security.tpm2 = {
    enable = true;
    pkcs11.enable = true;
    tctiEnvironment.enable = true;
  };
  users.users.${user}.extraGroups = [ "tss" ];
+
+  # secure boot configuration
+  environment.systemPackages = with pkgs; [
+    sbctl
+  ];
 }