nixos trustedGRUB: add support for HP laptops

2015-12-21 20:20:29 +01:00 · 2015-12-21 20:20:29 +01:00 · d856841ba4
commit d856841ba4
parent d76c26e876
3 changed files with 56 additions and 31 deletions
--- a/nixos/modules/system/boot/loader/grub/grub.nix
+++ b/nixos/modules/system/boot/loader/grub/grub.nix
@ -10,8 +10,11 @@ let

  realGrub = if cfg.version == 1 then pkgs.grub
    else if cfg.zfsSupport then pkgs.grub2.override { zfsSupport = true; }
-    else if cfg.enableTrustedBoot then pkgs.trustedGrub
-           else pkgs.grub2;
+    else if cfg.trustedBoot.enable
+         then if cfg.trustedBoot.isHPLaptop
+              then pkgs.trustedGrub-for-HP
+              else pkgs.trustedGrub
+         else pkgs.grub2;

  grub =
    # Don't include GRUB if we're only generating a GRUB menu (e.g.,
@ -369,24 +372,37 @@ in
        '';
      };

-      enableTrustedBoot = mkOption {
-        default = false;
-        type = types.bool;
-        description = ''
-          Enable trusted boot. GRUB will measure all critical components during
-          the boot process to offer TCG (TPM) support.
-        '';
-      };
+      trustedBoot = {
+
+        enable = mkOption {
+          default = false;
+          type = types.bool;
+          description = ''
+            Enable trusted boot. GRUB will measure all critical components during
+            the boot process to offer TCG (TPM) support.
+          '';
+        };
+
+        systemHasTPM = mkOption {
+          default = "";
+          example = "YES_TPM_is_activated";
+          type = types.string;
+          description = ''
+            Assertion that the target system has an activated TPM. It is a safety
+            check before allowing the activation of 'trustedBoot.enable'. TrustedBoot
+            WILL FAIL TO BOOT YOUR SYSTEM if no TPM is available.
+          '';
+        };
+
+        isHPLaptop = mkOption {
+          default = false;
+          type = types.bool;
+          description = ''
+            Use a special version of TrustedGRUB that is needed by some HP laptops
+            and works only for the HP laptops.
+          '';
+        };

-      systemHasTPM = mkOption {
-        default = "";
-        example = "YES_TPM_is_activated";
-        type = types.string;
-        description = ''
-          Assertion that the target system has an activated TPM. It is a safety
-          check before allowing the activation of 'enableTrustedBoot'. TrustedBoot
-          WILL FAIL TO BOOT YOUR SYSTEM if no TPM is available.
-        '';
      };

    };
@ -452,19 +468,19 @@ in
          message = "You cannot have duplicated devices in mirroredBoots";
        }
        {
-          assertion = !cfg.enableTrustedBoot || cfg.version == 2;
+          assertion = !cfg.trustedBoot.enable || cfg.version == 2;
          message = "Trusted GRUB is only available for GRUB 2";
        }
        {
-          assertion = !cfg.efiSupport || !cfg.enableTrustedBoot;
+          assertion = !cfg.efiSupport || !cfg.trustedBoot.enable;
          message = "Trusted GRUB does not have EFI support";
        }
        {
-          assertion = !cfg.zfsSupport || !cfg.enableTrustedBoot;
+          assertion = !cfg.zfsSupport || !cfg.trustedBoot.enable;
          message = "Trusted GRUB does not have ZFS support";
        }
        {
-          assertion = !cfg.enableTrustedBoot || cfg.systemHasTPM == "YES_TPM_is_activated";
+          assertion = !cfg.trustedBoot.enable || cfg.trustedBoot.systemHasTPM == "YES_TPM_is_activated";
          message = "Trusted GRUB can break the system! Confirm that the system has an activated TPM by setting 'systemHasTPM'.";
        }
      ] ++ flip concatMap cfg.mirroredBoots (args: [
--- a/pkgs/tools/misc/grub/trusted.nix
+++ b/pkgs/tools/misc/grub/trusted.nix
@ -1,5 +1,6 @@
 { stdenv, fetchurl, fetchgit, autogen, flex, bison, python, autoconf, automake
 , gettext, ncurses, libusb, freetype, qemu, devicemapper
+, for_HP_laptop ? false
 }:

 with stdenv.lib;
@ -11,7 +12,7 @@ let

  inPCSystems = any (system: stdenv.system == system) (mapAttrsToList (name: _: name) pcSystems);

-  version = "1.2.1";
+  version = if for_HP_laptop then "1.2.1" else "1.2.0";

  unifont_bdf = fetchurl {
    url = "http://unifoundry.com/unifont-5.1.20080820.bdf.gz";
@ -25,16 +26,22 @@ let

  };

-in (
+in

 stdenv.mkDerivation rec {
  name = "trustedGRUB2-${version}";

-  src = fetchgit {
-    url = "https://github.com/Sirrix-AG/TrustedGRUB2";
-    rev = "ab483d389bda3115ca0ae4202fd71f2e4a31ad41";
-    sha256 = "4b715837f8632278720d8b29aec06332f5302c6ba78183ced5f48d3c376d89c0";
-  };
+  src = if for_HP_laptop
+        then fetchgit {
+          url = "https://github.com/Sirrix-AG/TrustedGRUB2";
+          rev = "ab483d389bda3115ca0ae4202fd71f2e4a31ad41";
+          sha256 = "4b715837f8632278720d8b29aec06332f5302c6ba78183ced5f48d3c376d89c0";
+        }
+        else fetchgit {
+          url = "https://github.com/Sirrix-AG/TrustedGRUB2";
+          rev = "1ff54a5fbe02ea01df5a7de59b1e0201e08d4f76";
+          sha256 = "8c17bd7e14dd96ae9c4e98723f4e18ec6b21d45ac486ecf771447649829d0b34";
+        };

  nativeBuildInputs = [ autogen flex bison python autoconf automake ];
  buildInputs = [ ncurses libusb freetype gettext devicemapper ]
@ -89,4 +96,4 @@ stdenv.mkDerivation rec {
    license = licenses.gpl3Plus;
    platforms = platforms.gnu;
  };
-})
+}
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -1741,6 +1741,8 @@ let

  trustedGrub = callPackage_i686 ../tools/misc/grub/trusted.nix { };

+  trustedGrub-for-HP = callPackage_i686 ../tools/misc/grub/trusted.nix { for_HP_laptop = true; };
+
  grub2 = grub2_full;

  grub2_full = callPackage ../tools/misc/grub/2.0x.nix { };