From 3f52185de86ebe49ad46d9aee13d00f39e71a202 Mon Sep 17 00:00:00 2001
From: Enno Richter
Date: Mon, 3 Jul 2023 14:36:07 +0200
Subject: [PATCH] boot.initrd.systemd: make TPM2 modules optional

---
 nixos/modules/system/boot/systemd/initrd.nix | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix
index 3f40a5b2dfa..1b9584cb57b 100644
--- a/nixos/modules/system/boot/systemd/initrd.nix
+++ b/nixos/modules/system/boot/systemd/initrd.nix
@@ -333,6 +333,14 @@ in {
       visible = "shallow";
       description = lib.mdDoc "Definition of slice configurations.";
     };
+
+    enableTpm2 = mkOption {
+      default = true;
+      type = types.bool;
+      description = lib.mdDoc ''
+        Whether to enable TPM2 support in the initrd.
+      '';
+    };
   };
 
   config = mkIf (config.boot.initrd.enable && cfg.enable) {
@@ -342,8 +350,8 @@ in {
       # systemd needs this for some features
       "autofs4"
       # systemd-cryptenroll
-      "tpm-tis"
-    ] ++ lib.optional (pkgs.stdenv.hostPlatform.system != "riscv64-linux") "tpm-crb";
+    ] ++ lib.optional cfg.enableTpm2 "tpm-tis"
+      ++ lib.optional (cfg.enableTpm2 && pkgs.stdenv.hostPlatform.system != "riscv64-linux") "tpm-crb";
 
     boot.initrd.systemd = {
       initrdBin = [pkgs.bash pkgs.coreutils cfg.package.kmod cfg.package] ++ config.system.fsPackages;
@@ -421,11 +429,11 @@ in {
         # so NSS can look up usernames
         "${pkgs.glibc}/lib/libnss_files.so.2"
 
-      ] ++ optionals cfg.package.withCryptsetup [
+      ] ++ optionals (cfg.package.withCryptsetup && cfg.enableTpm2) [
         # tpm2 support
         "${cfg.package}/lib/cryptsetup/libcryptsetup-token-systemd-tpm2.so"
         pkgs.tpm2-tss
-
+      ] ++ optionals cfg.package.withCryptsetup [
         # fido2 support
         "${cfg.package}/lib/cryptsetup/libcryptsetup-token-systemd-fido2.so"
         "${pkgs.libfido2}/lib/libfido2.so.1"
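Review bot: The description of the new `enableTpm2` option does not say what it gates, so a user reading the option cannot tell that disabling it removes both the `tpm-tis`/`tpm-crb` kernel drivers and the cryptsetup TPM2 token plugin plus `tpm2-tss` from the initrd (the two later hunks). Since those are what systemd-cryptsetup uses for TPM2-bound LUKS unlocking, setting it to false on a system with a TPM2-enrolled root volume presumably leaves the initrd unable to unlock it, which is worth stating as the consequence rather than leaving the reader to infer it. I would expand the description to something like `Whether to include TPM2 support in the initrd: the tpm-tis/tpm-crb kernel drivers and, when the systemd package is built with cryptsetup, the systemd-tpm2 cryptsetup token plugin and tpm2-tss. Disable only if no initrd volume is unlocked via a TPM2 enrollment.` The surrounding `options` attribute set and the `config = mkIf` block begin and end outside this hunk.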
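Review bot: The `# systemd-cryptenroll` comment in the `availableKernelModules` list now sits directly above the closing `]`, because the `"tpm-tis"` entry it labelled was moved out of the literal into the `lib.optional` chain after the bracket; as written it no longer annotates anything. Either drop it or move it to sit above the new chain, e.g. `# TPM2 drivers for systemd-cryptenroll / systemd-cryptsetup, gated by enableTpm2` placed on the line before `] ++ lib.optional cfg.enableTpm2 "tpm-tis"`. The continuation `++ lib.optional (cfg.enableTpm2 && ...)` is indented two columns deeper than the `] ++` line it continues, which reads as if it were a list element; aligning it with the first `++` would make the chain clearer. The `boot.initrd.availableKernelModules` list opens outside this hunk.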