diff --git a/config/basic/default.nix b/config/basic/default.nix
index ff08112..e668d36 100644
--- a/config/basic/default.nix
+++ b/config/basic/default.nix
@@ -20,6 +20,7 @@
     ../../modules/deterministic-ids.nix
     ../../modules/distributed-config.nix
+    ../../modules/ensure-pcr.nix
     ../../modules/globals.nix
     ../../modules/meta.nix
     ../../modules/iwd.nix
diff --git a/hosts/desktopnix/fs.nix b/hosts/desktopnix/fs.nix
index 375bd7a..f11d9d7 100644
--- a/hosts/desktopnix/fs.nix
+++ b/hosts/desktopnix/fs.nix
@@ -65,4 +65,12 @@
       };
     };
   };
+  boot.initrd.luks.devices.rpool_m2-ssd.crypttabExtraOpts = [
+    "tpm2-device=auto"
+    "tpm2-measure-pcr=yes"
+  ];
+  boot.initrd.luks.devices.panzer_sata-hdd.crypttabExtraOpts = [
+    "tpm2-device=auto"
+    "tpm2-measure-pcr=yes"
+  ];
 }
diff --git a/hosts/patricknix/fs.nix b/hosts/patricknix/fs.nix
index 3a255e9..cc34af5 100644
--- a/hosts/patricknix/fs.nix
+++ b/hosts/patricknix/fs.nix
@@ -1,5 +1,11 @@
-{ config, lib, ... }:
 {
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+
   disko.devices = {
     disk = {
       m2-ssd = rec {
@@ -27,4 +33,31 @@
   };
   fileSystems."/state".neededForBoot = true;
   fileSystems."/persist".neededForBoot = true;
+
+  boot.initrd.systemd.extraBin = {
+    jq = lib.getExe pkgs.jq;
+  };
+  # In ermergency shell type:
+  # ´systemctl disable check-pcrs´
+  # ´systemctl default´
+  # to continue booting
+  boot.initrd.systemd.services.check-pcrs = {
+    script = ''
+      echo "Checking PCRS tag: ctiectie"
+      if [[ $(systemd-analyze pcrs 15 --json=short | jq -r ".[0].sha256") != "a8cfdc8ec869f9edf4635129ba6bb19a076a5d234655cf4684286dc57e325a38" ]] ; then
+        echo "PCR 15 contains invalid hash"
+        exit 1
+      else
+        echo "PCR 15 checked"
+      fi
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    unitConfig.DefaultDependencies = "no";
+    after = [ "cryptsetup.target" ];
+    before = [ "sysroot.mount" ];
+    requiredBy = [ "sysroot.mount" ];
+  };
 }
diff --git a/modules/ensure-pcr.nix b/modules/ensure-pcr.nix
new file mode 100644
index 0000000..1017175
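Review bot: Both `crypttabExtraOpts` lists added here appear to duplicate what the new `modules/ensure-pcr.nix` in this same commit injects into every `boot.initrd.luks.devices.*` entry, and because the option is a list the two definitions merge by concatenation, so — assuming desktopnix imports `config/basic` like the other hosts — each crypttab line would carry `tpm2-device=auto,tpm2-measure-pcr=yes` twice. I would drop these eight lines and rely on the module, or keep only a host-specific deviation if there is one. Measuring into PCR 15 only buys something when a consumer verifies or binds to that PCR; this host gains no `check-pcrs`-style unit in this commit, and with two devices the final PCR 15 value depends on unlock order, which any later check has to account for. If I recall the option correctly, `crypttabExtraOpts` is only honoured by the systemd-based stage 1, so confirm `boot.initrd.systemd.enable` is on for desktopnix, otherwise these lines are inert.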
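Review bot: The expected PCR 15 digest `a8cfdc8e…` in the `check-pcrs` script is a bare magic constant; nothing in the hunk records what it measures or how to regenerate it, and since `tpm2-measure-pcr=yes` (as far as I know) extends PCR 15 with the unlocked volume key, the value goes stale the moment the volume key changes (re-encryption, re-keying, adding a device) and the host then fails closed into the emergency shell. I would add a comment above `boot.initrd.systemd.services.check-pcrs` stating that the digest is the SHA-256 bank of PCR 15 read with `systemd-analyze pcrs 15` on a known-good boot after the root volume is unlocked, and that it must be refreshed on any volume-key change. The documented bypass (`systemctl disable check-pcrs` from the emergency shell) makes the check only as strong as access to that shell, so the same comment should say that initrd emergency access (`boot.initrd.systemd.emergencyAccess` or equivalent) must stay restricted, otherwise anyone at the console can skip it. Minor: `ermergency` → `emergency`, and the `ctiectie` tag in the first `echo` reads like leftover debug output.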
--- /dev/null
+++ b/modules/ensure-pcr.nix
@@ -0,0 +1,13 @@
+{ lib, ... }:
+{
+  options.boot.initrd.luks.devices = lib.mkOption {
+    type =
+      with lib.types;
+      attrsOf (submodule {
+        config.crypttabExtraOpts = [
+          "tpm2-device=auto"
+          "tpm2-measure-pcr=yes"
+        ];
+      });
+  };
+}
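Review bot: `config.crypttabExtraOpts = [ … ]` is an ordinary-priority definition on a list option, so it is appended to — not replaced by — whatever a host sets on the same device: `hosts/desktopnix/fs.nix` in this same commit sets the identical two options again and will get them twice, and a host that wants a device without TPM2 unlocking or measurement cannot opt out short of `lib.mkForce`. Consider `lib.mkDefault` if a host's own list should win, or a per-device boolean such as `tpm2Measure` in the submodule that expands to these two entries, so opting out is explicit. The file also has no comment saying what it does; I would open it with `# Extend every boot.initrd.luks.devices entry so systemd-cryptsetup tries the TPM2 token and measures the unlocked volume into PCR 15 (only effective with the systemd-based initrd).` Redeclaring `boot.initrd.luks.devices` with only a `type` is the usual submodule-extension pattern and looks correct.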