Diffstat (limited to 'profiles/secureboot.nix')
-rw-r--r--profiles/secureboot.nix24
1 files changed, 19 insertions, 5 deletions
diff --git a/profiles/secureboot.nix b/profiles/secureboot.nix
index 53df8e3..48eb868 100644
--- a/profiles/secureboot.nix
+++ b/profiles/secureboot.nix
@@ -4,14 +4,28 @@
"/var/lib/sbctl"
];
- environment.systemPackages = [
- pkgs.sbctl
+ environment.systemPackages = with pkgs; [
+ sbctl
+ tpm2-tools
];
- boot.loader.systemd-boot.enable = lib.mkForce false;
+ boot = {
+ loader.systemd-boot.enable = lib.mkForce false;
+ initrd.systemd.enable = true;
+ lanzaboote = {
+ enable = true;
+ pkiBundle = "/var/lib/sbctl";
+ };
+ };
- boot.lanzaboote = {
+ security.tpm2 = {
enable = true;
- pkiBundle = "/var/lib/sbctl";
+ pkcs11.enable = true;
+ tctiEnvironment.enable = true;
+ };
+
+ environment.shellAliases = {
+ # Requires a device argument (/dev//dev/nvme0n1p3)
+ cryptenroll = "systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+2+7+12 --wipe-slot=tpm2";
};
}
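Review bot: The comment above the `cryptenroll` alias has a doubled path, `/dev//dev/nvme0n1p3`; it should read along the lines of `# Takes the LUKS partition as its argument, e.g. /dev/nvme0n1p3 (example device)`. More importantly, the alias combines `--wipe-slot=tpm2` with a PCR policy that includes PCRs 0 and 2, so a firmware update will change the measured state and invalidate the TPM binding, and because the TPM slot is the one being replaced, only a non-TPM keyslot lets the volume be opened and re-enrolled afterwards — the comment should say that a passphrase or recovery keyslot must exist on the volume before this alias is run. Whether PCR 12 reflects what this host's stub actually measures depends on the lanzaboote/systemd-stub version in use and is not visible here, so that choice deserves a one-line comment as well. The enclosing attribute set begins before the hunk.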