Daniel Lundin
c59ea29957
We want verity-protected partitions as well as encrypted state/data along with verified boot. This PR integrates Peter Marshall's awesome little Nixlet project as a starting point; especially the nice testing scaffolding will be super helpful! ✨ https://github.com/petm5/nixlet/
49 lines
1.3 KiB
Nix
{
config,
pkgs,
...
}:
pkgs.writeShellApplication {
name = "qemu-uefi-tpm";
runtimeInputs = with pkgs; [
qemu
swtpm
];
text =
let
tpmOVMF = pkgs.OVMF.override { tpmSupport = true; };
in
''
set -ex
state="/tmp/patos-qemu-$USER"
rm -rf "$state"
mkdir -m 700 "$state"
qemu-img create -f qcow2 -F raw -b "$(readlink -e "$1")" "$state/disk.qcow2" 10G
swtpm socket -d --tpmstate dir="$state" \
--ctrl type=unixio,path="$state/swtpm-sock" \
--tpm2 \
--log level=20
qemu-system-x86_64 \
-enable-kvm \
-machine q35,accel=kvm \
-cpu host \
-smp 8 \
-m 4G \
-display none \
-chardev "stdio,id=char0,mux=on,logfile=$state/console.log,signal=off" \
-serial chardev:char0 \
-mon chardev=char0 \
-drive "if=pflash,format=raw,unit=0,readonly=on,file=${tpmOVMF.firmware}" \
-drive "if=pflash,format=raw,unit=1,readonly=on,file=${tpmOVMF.variables}" \
-chardev socket,id=chrtpm,path="$state/swtpm-sock" \
-tpmdev emulator,id=tpm0,chardev=chrtpm \
-device tpm-tis,tpmdev=tpm0 \
-netdev id=net00,type=user,hostfwd=tcp::2222-:22 \
-device virtio-net-pci,netdev=net00 \
-drive "format=qcow2,file=$state/disk.qcow2"
'';
}
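Review bot: The `-netdev` line leaves the host address in `hostfwd=tcp::2222-:22` empty, so QEMU binds the SSH forward on every host interface and the test guest's port 22 is reachable from the whole network while the VM runs; restricting it to loopback is a one-token change, `-netdev id=net00,type=user,hostfwd=tcp:127.0.0.1:2222-:22 \`. The state directory is a predictable `/tmp/patos-qemu-$USER` path that is `rm -rf`'d and then recreated with `mkdir -m 700`, so a pre-existing entry in the shared `/tmp` (another user's, or a stale one with its swtpm socket) aborts the run under `set -e`; `state="$(mktemp -d -t patos-qemu.XXXXXX)"` or a directory under `$XDG_RUNTIME_DIR` avoids the shared-directory collision. The OVMF variables pflash is attached with `readonly=on` (necessary, since the file lives in the Nix store), which means Secure Boot key enrollment and boot entries written by the guest do not survive a reboot — presumably fine for a throwaway test VM, but given the PR's verified-boot goal it deserves a comment, or a copy of `${tpmOVMF.variables}` into `$state` attached without `readonly=on`. Note also that `swtpm socket -d` daemonizes and nothing stops it when qemu exits, so each run may leave a swtpm process behind.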