Commit a0165bd5 authored by Will Fancher

nixos/systemd/tpm2: Enable tpm2-setup and tpm2.target

tpm2.target was functionally useless without these services and this
generator. When systemd-cryptsetup-generator creates
systemd-cryptsetup@.service units, they are ordered after
systemd-tpm2-setup-early.service, not tpm2.target. These services are
themselves ordered after tpm2.target.

Note: The systemd-tpm2-setup(-early) services will serve no *function*
under a normal NixOS system at the moment. Because of their
ConditionSecurity=measured-uki, they will always be skipped, unless
you are building an appliance with the system.build.uki feature. Thus,
these are enabled solely for their systemd unit ordering properties.
parent 50344500
+5 −0
@@ -47,6 +47,8 @@
      lib.mkIf cfg.tpm2.enable {
        systemd.additionalUpstreamSystemUnits = [
          "tpm2.target"
          "systemd-tpm2-setup-early.service"
          "systemd-tpm2-setup.service"
        ];
      }
    )
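Review bot: The two service entries in systemd.additionalUpstreamSystemUnits carry no comment saying they are listed only for their ordering properties. Per the commit message, both are skipped on a normal NixOS system because of ConditionSecurity=measured-uki, so a reader who sees them under cfg.tpm2.enable may assume TPM2 setup actually runs at boot. A short Nix comment above the list stating this would prevent that misreading.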
@@ -59,6 +61,7 @@
      lib.mkIf cfg.tpm2.enable {
        boot.initrd.systemd.additionalUpstreamUnits = [
          "tpm2.target"
          "systemd-tpm2-setup-early.service"
        ];

        boot.initrd.availableKernelModules =
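Review bot: The initrd list gets only systemd-tpm2-setup-early.service, while the system list also gets systemd-tpm2-setup.service, and nothing here says whether that asymmetry is deliberate. If the non-early unit is not meant to run in the initrd, please say so in a comment next to the list, so a later change does not add it for symmetry.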
@@ -68,6 +71,8 @@
          ) "tpm-crb";
        boot.initrd.systemd.storePaths = [
          pkgs.tpm2-tss
          "${cfg.package}/lib/systemd/systemd-tpm2-setup"
          "${cfg.package}/lib/systemd/system-generators/systemd-tpm2-generator"
        ];
      }
    )
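Review bot: The systemd-tpm2-generator path is added to boot.initrd.systemd.storePaths only, yet the commit message says tpm2.target is useless without the generator, and the non-initrd block gains no corresponding entry. Please confirm the generator is already available outside the initrd, or note that in the commit message. Since both store paths are here for unit ordering rather than function on systems not built with system.build.uki, a test that checks systemd-cryptsetup@ units end up ordered after tpm2.target in the initrd would guard against this regressing.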