patos/utils/qemu-uefi-tpm.nix

{
  config,
  pkgs,
  ...
}:
pkgs.writeShellApplication {
  name = "qemu-uefi-tpm";

  runtimeInputs = with pkgs; [
    qemu
    swtpm
  ];

  text =
    let
      tpmOVMF = pkgs.OVMF.override { tpmSupport = true; };
    in
    ''
      set -ex
      state="/tmp/patos-qemu-$USER"
      rm -rf "$state"
      mkdir -m 700 "$state"
      qemu-img create -f qcow2 -F raw -b "$(readlink -e "$1")" "$state/disk.qcow2" 10G

      swtpm socket -d --tpmstate dir="$state" \
        --ctrl type=unixio,path="$state/swtpm-sock" \
        --tpm2 \
        --log level=20

      qemu-system-x86_64 \
        -enable-kvm \
        -machine q35,accel=kvm \
        -cpu host \
        -smp 8 \
        -m 4G \
        -display none \
        -chardev "stdio,id=char0,mux=on,logfile=$state/console.log,signal=off" \
        -serial chardev:char0 \
        -mon chardev=char0 \
        -drive "if=pflash,format=raw,unit=0,readonly=on,file=${tpmOVMF.firmware}" \
        -drive "if=pflash,format=raw,unit=1,readonly=on,file=${tpmOVMF.variables}" \
        -chardev socket,id=chrtpm,path="$state/swtpm-sock" \
        -tpmdev emulator,id=tpm0,chardev=chrtpm \
        -device tpm-tis,tpmdev=tpm0 \
        -netdev id=net00,type=user,hostfwd=tcp::2222-:22 \
        -device virtio-net-pci,netdev=net00 \
        -drive "format=qcow2,file=$state/disk.qcow2"
    '';
}
Image building take 2 We want verity protected partitions as well as encrypted state/data along with verified boot. This PR integrates Peter Marshall's awesome little Nixlet project as a starting point, especially the nice testing scaffolding will be super helpful! ✨ https://github.com/petm5/nixlet/ 2024-11-11 23:02:38 +01:00			`{`
			`config,`
			`pkgs,`
			`...`
			`}:`
			`pkgs.writeShellApplication {`
			`name = "qemu-uefi-tpm";`

			`runtimeInputs = with pkgs; [`
			`qemu`
			`swtpm`
			`];`

			`text =`
			`let`
			`tpmOVMF = pkgs.OVMF.override { tpmSupport = true; };`
			`in`
			`''`
			`set -ex`
			`state="/tmp/patos-qemu-$USER"`
			`rm -rf "$state"`
			`mkdir -m 700 "$state"`
			`qemu-img create -f qcow2 -F raw -b "$(readlink -e "$1")" "$state/disk.qcow2" 10G`

			`swtpm socket -d --tpmstate dir="$state" \`
			`--ctrl type=unixio,path="$state/swtpm-sock" \`
			`--tpm2 \`
			`--log level=20`

			`qemu-system-x86_64 \`
			`-enable-kvm \`
			`-machine q35,accel=kvm \`
			`-cpu host \`
			`-smp 8 \`
			`-m 4G \`
			`-display none \`
			`-chardev "stdio,id=char0,mux=on,logfile=$state/console.log,signal=off" \`
			`-serial chardev:char0 \`
			`-mon chardev=char0 \`
			`-drive "if=pflash,format=raw,unit=0,readonly=on,file=${tpmOVMF.firmware}" \`
			`-drive "if=pflash,format=raw,unit=1,readonly=on,file=${tpmOVMF.variables}" \`
			`-chardev socket,id=chrtpm,path="$state/swtpm-sock" \`
			`-tpmdev emulator,id=tpm0,chardev=chrtpm \`
			`-device tpm-tis,tpmdev=tpm0 \`
			`-netdev id=net00,type=user,hostfwd=tcp::2222-:22 \`
			`-device virtio-net-pci,netdev=net00 \`
			`-drive "format=qcow2,file=$state/disk.qcow2"`
			`'';`
			`}`