author | Vincent Haupert <mail@vincent-haupert.de> | 2021-12-10 10:08:46 +0100 |
committer | Vincent Haupert <mail@vincent-haupert.de> | 2021-12-10 10:09:41 +0100 |
commit | ac60e78b487310fa2d3bd21fad1570f5084662c4 (patch) | |
tree | 09bd36b8add6f7510174c2d380b22a525a3465f2 | |
parent | 92c24a12a778a7975013e15a89445dfd55c7a126 (diff) | |
nixos/intel-sgx: add option for SGX provisioning
-rw-r--r-- | nixos/modules/hardware/cpu/intel-sgx.nix | 47 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 1 |
2 files changed, 48 insertions, 0 deletions
diff --git a/nixos/modules/hardware/cpu/intel-sgx.nix b/nixos/modules/hardware/cpu/intel-sgx.nix
new file mode 100644
index 00000000000..04647940058
--- /dev/null
+++ b/nixos/modules/hardware/cpu/intel-sgx.nix
@@ -0,0 +1,47 @@
+{ config, lib, ... }:
+with lib;
+let
+ cfg = config.hardware.cpu.intel.sgx.provision;
+ defaultGroup = "sgx_prv";
+in
+{
+ options.hardware.cpu.intel.sgx.provision = {
+ enable = mkEnableOption "access to the Intel SGX provisioning device";
+ user = mkOption {
+ description = "Owner to assign to the SGX provisioning device.";
+ type = types.str;
+ default = "root";
+ };
+ group = mkOption {
+ description = "Group to assign to the SGX provisioning device.";
+ type = types.str;
+ default = defaultGroup;
+ };
+ mode = mkOption {
+ description = "Mode to set for the SGX provisioning device.";
+ type = types.str;
+ default = "0660";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = hasAttr cfg.user config.users.users;
+ message = "Given user does not exist";
+ }
+ {
+ assertion = (cfg.group == defaultGroup) || (hasAttr cfg.group config.users.groups);
+ message = "Given group does not exist";
+ }
+ ];
+
+ users.groups = optionalAttrs (cfg.group == defaultGroup) {
+ "${cfg.group}" = { };
+ };
+
+ services.udev.extraRules = ''
+ SUBSYSTEM=="misc", KERNEL=="sgx_provision", OWNER="${cfg.user}", GROUP="${cfg.group}", MODE="${cfg.mode}"
+ '';
+ };
+}
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index c83a6923338..dbf78920f53 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -45,6 +45,7 @@
 ./hardware/ckb-next.nix
 ./hardware/cpu/amd-microcode.nix
 ./hardware/cpu/intel-microcode.nix
+ ./hardware/cpu/intel-sgx.nix
 ./hardware/corectrl.nix
 ./hardware/digitalbitbox.nix
 ./hardware/device-tree.nix
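Review bot: The `user`, `group` and `mode` options are declared as plain `types.str` and are interpolated unvalidated into the udev rule in `services.udev.extraRules` at the bottom of the hunk, so a value containing a double quote or a non-octal mode produces a malformed rule that udev would presumably reject at runtime instead of failing at evaluation. Tightening the mode to `type = types.strMatching "[0-7]{3,4}";` and giving `user` and `group` a similar pattern that excludes quotes and whitespace turns that into a build-time error. The `enable` description should also say what the device grants, since the default group name alone does not convey it; something like `"access to the Intel SGX provisioning device, which allows creating enclaves with the PROVISION_KEY attribute (needed for remote attestation)"` would let an administrator judge whom to add to the group. The whole new file is inside this hunk; the module-list.nix hunk only registers the module and needs no comment.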