authorEnno Richter <enno@nerdworks.de>2023-07-03 14:36:07 +0200
committerEnno Richter <enno@nerdworks.de>2023-08-14 09:34:29 +0200
commit3f52185de86ebe49ad46d9aee13d00f39e71a202 (patch)
treec7bcad804991d7df361007332c272710fbabb001 /nixos/modules/system
parent49924683534a844757cbe960a143f89a7fb621a6 (diff)
boot.initrd.systemd: make TPM2 modules optional
Diffstat (limited to 'nixos/modules/system')
-rw-r--r--nixos/modules/system/boot/systemd/initrd.nix16
1 files changed, 12 insertions, 4 deletions
diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix
index 3f40a5b2dfa..1b9584cb57b 100644
--- a/nixos/modules/system/boot/systemd/initrd.nix
+++ b/nixos/modules/system/boot/systemd/initrd.nix
@@ -333,6 +333,14 @@ in {
       visible = "shallow";
       description = lib.mdDoc "Definition of slice configurations.";
     };
+
+    enableTpm2 = mkOption {
+      default = true;
+      type = types.bool;
+      description = lib.mdDoc ''
+        Whether to enable TPM2 support in the initrd.
+      '';
+    };
   };
 
   config = mkIf (config.boot.initrd.enable && cfg.enable) {
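Review bot: The description of the new `enableTpm2` option (line with `Whether to enable TPM2 support in the initrd.`) does not tell the user what disabling it actually removes, so someone relying on TPM2-bound LUKS unlocking may turn it off without realising the consequence. From the other two hunks it drops the `tpm-tis`/`tpm-crb` kernel modules and the `libcryptsetup-token-systemd-tpm2.so` plugin plus `pkgs.tpm2-tss` from the initrd, which means a volume enrolled with a TPM2 token can no longer be unlocked that way in early boot. I would extend the description to something like `Whether to enable TPM2 support in the initrd. This pulls in the TPM kernel modules and the systemd-cryptsetup TPM2 token plugin; disable it only if no initrd LUKS volume depends on a TPM2 enrolment.` The same clarification covers the third hunk, which is where the token plugin becomes conditional.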
@@ -342,8 +350,8 @@ in {
       # systemd needs this for some features
       "autofs4"
       # systemd-cryptenroll
-      "tpm-tis"
-    ] ++ lib.optional (pkgs.stdenv.hostPlatform.system != "riscv64-linux") "tpm-crb";
+    ] ++ lib.optional cfg.enableTpm2 "tpm-tis"
+    ++ lib.optional (cfg.enableTpm2 && pkgs.stdenv.hostPlatform.system != "riscv64-linux") "tpm-crb";
 
     boot.initrd.systemd = {
       initrdBin = [pkgs.bash pkgs.coreutils cfg.package.kmod cfg.package] ++ config.system.fsPackages;
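Review bot: The `# systemd-cryptenroll` comment is now orphaned: after this change it is the last item inside the list literal, directly above `]`, while the modules it describes have moved out into the two `lib.optional` expressions. A reader will assume the comment refers to `"autofs4"` or to nothing at all. Move it out of the list and place it on its own line before `] ++ lib.optional cfg.enableTpm2 "tpm-tis"`, or reword it as `# systemd-cryptenroll TPM2 support (see enableTpm2)` next to the optional expressions.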
@@ -421,11 +429,11 @@ in {
 
         # so NSS can look up usernames
         "${pkgs.glibc}/lib/libnss_files.so.2"
-      ] ++ optionals cfg.package.withCryptsetup [
+      ] ++ optionals (cfg.package.withCryptsetup && cfg.enableTpm2) [
         # tpm2 support
         "${cfg.package}/lib/cryptsetup/libcryptsetup-token-systemd-tpm2.so"
         pkgs.tpm2-tss
-
+      ] ++ optionals cfg.package.withCryptsetup [
         # fido2 support
         "${cfg.package}/lib/cryptsetup/libcryptsetup-token-systemd-fido2.so"
         "${pkgs.libfido2}/lib/libfido2.so.1"
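Review bot: The two `optionals` blocks now both repeat the `cfg.package.withCryptsetup` guard, and this hunk uses the unqualified `optionals` while the modules hunk above uses `lib.optional`; a single nesting reads more clearly and keeps one condition per concern, e.g. `] ++ optionals cfg.package.withCryptsetup (optionals cfg.enableTpm2 [ ... tpm2 entries ... ] ++ [ ... fido2 entries ... ]);`. This is only a point of style, the behaviour is the same. The list this hunk edits begins and ends outside the visible lines.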