unlock the disk using the host's TPM

author: Franck Cuny <franck@fcuny.net> 2026-01-25 11:33:58 -0800
committer: Franck Cuny <franck@fcuny.net> 2026-01-25 11:33:58 -0800
commit: ff02e60527dca0b83352dd8136565374b003b210 (patch)
tree: 0b475b1bd84e34437e5712748494ddf471c16e51 /profiles/secureboot.nix
parent: flake.lock: Update (diff)
download: infra-ff02e60527dca0b83352dd8136565374b003b210.tar.gz
1 files changed, 19 insertions, 5 deletions
diff --git a/profiles/secureboot.nix b/profiles/secureboot.nix
index 53df8e3..48eb868 100644
--- a/profiles/secureboot.nix
+++ b/profiles/secureboot.nix
@@ -4,14 +4,28 @@
     "/var/lib/sbctl"
   ];
 
-  environment.systemPackages = [
-    pkgs.sbctl
+  environment.systemPackages = with pkgs; [
+    sbctl
+    tpm2-tools
   ];
 
-  boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot = {
+    loader.systemd-boot.enable = lib.mkForce false;
+    initrd.systemd.enable = true;
+    lanzaboote = {
+      enable = true;
+      pkiBundle = "/var/lib/sbctl";
+    };
+  };
 
-  boot.lanzaboote = {
+  security.tpm2 = {
     enable = true;
-    pkiBundle = "/var/lib/sbctl";
+    pkcs11.enable = true;
+    tctiEnvironment.enable = true;
+  };
+
+  environment.shellAliases = {
+    # Requires a device argument (/dev//dev/nvme0n1p3)
+    cryptenroll = "systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+7+12 --wipe-slot=tpm2";
   };
 }
author	Franck Cuny <franck@fcuny.net>	2026-01-25 11:33:58 -0800
committer	Franck Cuny <franck@fcuny.net>	2026-01-25 11:33:58 -0800
commit	ff02e60527dca0b83352dd8136565374b003b210 (patch)
tree	0b475b1bd84e34437e5712748494ddf471c16e51 /profiles/secureboot.nix
parent	flake.lock: Update (diff)
download	infra-ff02e60527dca0b83352dd8136565374b003b210.tar.gz