Loading nixos/modules/system/boot/loader/grub/grub.nix +5 −50 Original line number Diff line number Diff line Loading @@ -13,10 +13,6 @@ let if cfg.forcei686 then pkgs.pkgsi686Linux else pkgs; realGrub = if cfg.zfsSupport then grubPkgs.grub2.override { zfsSupport = true; } else if cfg.trustedBoot.enable then if cfg.trustedBoot.isHPLaptop then grubPkgs.trustedGrub-for-HP else grubPkgs.trustedGrub else grubPkgs.grub2; grub = Loading Loading @@ -674,39 +670,6 @@ in ''; }; trustedBoot = { enable = mkOption { default = false; type = types.bool; description = lib.mdDoc '' Enable trusted boot. GRUB will measure all critical components during the boot process to offer TCG (TPM) support. ''; }; systemHasTPM = mkOption { default = ""; example = "YES_TPM_is_activated"; type = types.str; description = lib.mdDoc '' Assertion that the target system has an activated TPM. It is a safety check before allowing the activation of 'trustedBoot.enable'. TrustedBoot WILL FAIL TO BOOT YOUR SYSTEM if no TPM is available. ''; }; isHPLaptop = mkOption { default = false; type = types.bool; description = lib.mdDoc '' Use a special version of TrustedGRUB that is needed by some HP laptops and works only for the HP laptops. ''; }; }; }; }; Loading Loading 
@@ -782,18 +745,6 @@ in assertion = cfg.efiSupport || all (c: c < 2) (mapAttrsToList (n: c: if n == "nodev" then 0 else c) bootDeviceCounters); message = "You cannot have duplicated devices in mirroredBoots"; } { assertion = !cfg.efiSupport || !cfg.trustedBoot.enable; message = "Trusted GRUB does not have EFI support"; } { assertion = !cfg.zfsSupport || !cfg.trustedBoot.enable; message = "Trusted GRUB does not have ZFS support"; } { assertion = !cfg.trustedBoot.enable || cfg.trustedBoot.systemHasTPM == "YES_TPM_is_activated"; message = "Trusted GRUB can break the system! Confirm that the system has an activated TPM by setting 'systemHasTPM'."; } { assertion = cfg.efiInstallAsRemovable -> cfg.efiSupport; message = "If you wish to to use boot.loader.grub.efiInstallAsRemovable, then turn on boot.loader.grub.efiSupport"; Loading Loading 
@@ -841,6 +792,10 @@ in (mkRenamedOptionModule [ "boot" "grubDevice" ] [ "boot" "loader" "grub" "device" ]) (mkRenamedOptionModule [ "boot" "bootMount" ] [ "boot" "loader" "grub" "bootDevice" ]) (mkRenamedOptionModule [ "boot" "grubSplashImage" ] [ "boot" "loader" "grub" "splashImage" ]) (mkRemovedOptionModule [ "boot" "loader" "grub" "trustedBoot" ] '' Support for Trusted GRUB has been removed, because the project has been retired upstream. '') (mkRemovedOptionModule [ "boot" "loader" "grub" "extraInitrd" ] '' This option has been replaced with the bootloader agnostic boot.initrd.secrets option. To migrate to the initrd secrets system, Loading pkgs/tools/misc/grub/trusted.nixdeleted 100644 → 0 +0 −119 Original line number Diff line number Diff line { lib , stdenv , fetchurl , fetchFromGitHub , fetchpatch , autogen , flex , bison , python2 , autoconf , automake , gettext , ncurses , libusb-compat-0_1 , freetype , qemu , lvm2 , for_HP_laptop ? false }: let pcSystems = { i686-linux.target = "i386"; x86_64-linux.target = "i386"; }; inPCSystems = lib.any (system: stdenv.hostPlatform.system == system) (lib.mapAttrsToList (name: _: name) pcSystems); version = if for_HP_laptop then "1.2.1" else "1.2.0"; unifont_bdf = fetchurl { url = "http://unifoundry.com/unifont-5.1.20080820.bdf.gz"; sha256 = "0s0qfff6n6282q28nwwblp5x295zd6n71kl43xj40vgvdqxv0fxx"; }; po_src = fetchurl { name = "grub-2.02-beta2.tar.gz"; url = "https://alpha.gnu.org/gnu/grub/grub-2.02~beta2.tar.gz"; sha256 = "1lr9h3xcx0wwrnkxdnkfjwy08j7g7mdlmmbdip2db4zfgi69h0rm"; }; in stdenv.mkDerivation rec { pname = "trustedGRUB2"; inherit version; src = fetchFromGitHub { owner = "Sirrix-AG"; repo = "TrustedGRUB2"; rev = version; sha256 = if for_HP_laptop then "sha256-H1JzT/RgnbHqnW2/FmvXFuI6gnHI2vQU3W1iq2FqwJw=" else "sha256-k8DGHjTIpnjWw7GNN2kyR8rRl2MAq1xkfOndd0znLns="; }; nativeBuildInputs = [ autogen flex bison python2 autoconf automake ]; buildInputs = [ ncurses libusb-compat-0_1 freetype gettext lvm2 ] ++ 
lib.optional doCheck qemu; hardeningDisable = [ "stackprotector" "pic" ]; env.NIX_CFLAGS_COMPILE = "-Wno-error"; # generated code redefines yyfree preConfigure = '' for i in "tests/util/"*.in do sed -i "$i" -e's|/bin/bash|${stdenv.shell}|g' done # Apparently, the QEMU executable is no longer called # `qemu-system-i386', even on i386. # # In addition, use `-nodefaults' to avoid errors like: # # chardev: opening backend "stdio" failed # qemu: could not open serial device 'stdio': Invalid argument # # See <http://www.mail-archive.com/qemu-devel@nongnu.org/msg22775.html>. sed -i "tests/util/grub-shell.in" \ -e's/qemu-system-i386/qemu-system-x86_64 -nodefaults/g' ''; prePatch = '' tar zxf ${po_src} grub-2.02~beta2/po rm -rf po mv grub-2.02~beta2/po po sh autogen.sh gunzip < "${unifont_bdf}" > "unifont.bdf" sed -i "configure" \ -e "s|/usr/src/unifont.bdf|$PWD/unifont.bdf|g" ''; patches = [ ./fix-bash-completion.patch (fetchpatch { # glibc-2.26 and above needs '<sys/sysmacros.h>' url = "https://github.com/Rohde-Schwarz/TrustedGRUB2/commit/7a5b301e3adb8e054288518a325135a1883c1c6c.patch"; sha256 = "1jfrrmcrd9a8w7n419kszxgbpshx7888wc05smg5q4jvc1ag3xm7"; }) ]; # save target that grub is compiled for grubTarget = lib.optionalString inPCSystems "${pcSystems.${stdenv.hostPlatform.system}.target}-pc"; doCheck = false; # On -j16 races with early header creation: # config.h:38:10: fatal error: ./config-util.h: No such file or directory enableParallelBuilding = false; meta = with lib; { description = "GRUB 2.0 extended with TCG (TPM) support for integrity measured boot process (trusted boot)"; homepage = "https://github.com/Sirrix-AG/TrustedGRUB2"; license = licenses.gpl3Plus; platforms = platforms.gnu ++ platforms.linux; }; } pkgs/top-level/aliases.nix +2 −0 Original line number Diff line number Diff line Loading 
@@ -1657,6 +1657,8 @@ mapAliases ({ trebleshot = throw "trebleshot has been removed. It was archived upstream, so it's considered abandoned"; trilium = throw "trilium has been removed. Please use trilium-desktop instead"; # Added 2020-04-29 truecrypt = throw "'truecrypt' has been renamed to/replaced by 'veracrypt'"; # Converted to throw 2022-02-22 trustedGrub = throw "trustedGrub has been removed, because it is not maintained upstream anymore"; # Added 2023-05-10 trustedGrub-for-HP = throw "trustedGrub-for-HP has been removed, because it is not maintained upstream anymore"; # Added 2023-05-10 tuijam = throw "tuijam has been removed because Google Play Music was discontinued"; # Added 2021-03-07 turbo-geth = throw "turbo-geth has been renamed to erigon"; # Added 2021-08-08 tvbrowser-bin = tvbrowser; # Added 2023-03-02 Loading pkgs/top-level/all-packages.nix +0 −4 Original line number Diff line number Diff line Loading @@ -8170,10 +8170,6 @@ with pkgs; grpc-client-cli = callPackage ../development/tools/misc/grpc-client-cli { }; trustedGrub = pkgsi686Linux.callPackage ../tools/misc/grub/trusted.nix { }; trustedGrub-for-HP = pkgsi686Linux.callPackage ../tools/misc/grub/trusted.nix { for_HP_laptop = true; }; grub2 = callPackage ../tools/misc/grub/default.nix { # update breaks grub2 gnulib = pkgs.gnulib.overrideAttrs (_: rec { Loading
nixos/modules/system/boot/loader/grub/grub.nix +5 −50 Original line number Diff line number Diff line Loading @@ -13,10 +13,6 @@ let if cfg.forcei686 then pkgs.pkgsi686Linux else pkgs; realGrub = if cfg.zfsSupport then grubPkgs.grub2.override { zfsSupport = true; } else if cfg.trustedBoot.enable then if cfg.trustedBoot.isHPLaptop then grubPkgs.trustedGrub-for-HP else grubPkgs.trustedGrub else grubPkgs.grub2; grub = Loading Loading @@ -674,39 +670,6 @@ in ''; }; trustedBoot = { enable = mkOption { default = false; type = types.bool; description = lib.mdDoc '' Enable trusted boot. GRUB will measure all critical components during the boot process to offer TCG (TPM) support. ''; }; systemHasTPM = mkOption { default = ""; example = "YES_TPM_is_activated"; type = types.str; description = lib.mdDoc '' Assertion that the target system has an activated TPM. It is a safety check before allowing the activation of 'trustedBoot.enable'. TrustedBoot WILL FAIL TO BOOT YOUR SYSTEM if no TPM is available. ''; }; isHPLaptop = mkOption { default = false; type = types.bool; description = lib.mdDoc '' Use a special version of TrustedGRUB that is needed by some HP laptops and works only for the HP laptops. ''; }; }; }; }; Loading Loading 
@@ -782,18 +745,6 @@ in assertion = cfg.efiSupport || all (c: c < 2) (mapAttrsToList (n: c: if n == "nodev" then 0 else c) bootDeviceCounters); message = "You cannot have duplicated devices in mirroredBoots"; } { assertion = !cfg.efiSupport || !cfg.trustedBoot.enable; message = "Trusted GRUB does not have EFI support"; } { assertion = !cfg.zfsSupport || !cfg.trustedBoot.enable; message = "Trusted GRUB does not have ZFS support"; } { assertion = !cfg.trustedBoot.enable || cfg.trustedBoot.systemHasTPM == "YES_TPM_is_activated"; message = "Trusted GRUB can break the system! Confirm that the system has an activated TPM by setting 'systemHasTPM'."; } { assertion = cfg.efiInstallAsRemovable -> cfg.efiSupport; message = "If you wish to to use boot.loader.grub.efiInstallAsRemovable, then turn on boot.loader.grub.efiSupport"; Loading Loading @@ -841,6 +792,10 @@ in (mkRenamedOptionModule [ "boot" "grubDevice" ] [ "boot" "loader" "grub" "device" ]) (mkRenamedOptionModule [ "boot" "bootMount" ] [ "boot" "loader" "grub" "bootDevice" ]) (mkRenamedOptionModule [ "boot" "grubSplashImage" ] [ "boot" "loader" "grub" "splashImage" ]) (mkRemovedOptionModule [ "boot" "loader" "grub" "trustedBoot" ] '' Support for Trusted GRUB has been removed, because the project has been retired upstream. '') (mkRemovedOptionModule [ "boot" "loader" "grub" "extraInitrd" ] '' This option has been replaced with the bootloader agnostic boot.initrd.secrets option. To migrate to the initrd secrets system, Loading
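Review bot: The `mkRemovedOptionModule` text for `boot.loader.grub.trustedBoot` in the last hunk of grub.nix says why the option is gone, but not what its removal means for a machine that relied on it. Once the user deletes the option to get past the evaluation error, `realGrub` resolves to `grubPkgs.grub2`, and this module no longer selects a GRUB build that measures the boot components into the TPM. Anything sealed or attested against those measurements (disk-unlock keys, attestation policies) will presumably stop matching on the next boot. The message should say so, for example `Support for Trusted GRUB has been removed, because the project has been retired upstream. The boot process is no longer measured into the TPM by this module; re-seal or re-enrol anything bound to those measurements before rebooting.` No release-notes change is visible on this page; if there is none, an entry would be worth adding for the same reason.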
pkgs/tools/misc/grub/trusted.nixdeleted 100644 → 0 +0 −119 Original line number Diff line number Diff line { lib , stdenv , fetchurl , fetchFromGitHub , fetchpatch , autogen , flex , bison , python2 , autoconf , automake , gettext , ncurses , libusb-compat-0_1 , freetype , qemu , lvm2 , for_HP_laptop ? false }: let pcSystems = { i686-linux.target = "i386"; x86_64-linux.target = "i386"; }; inPCSystems = lib.any (system: stdenv.hostPlatform.system == system) (lib.mapAttrsToList (name: _: name) pcSystems); version = if for_HP_laptop then "1.2.1" else "1.2.0"; unifont_bdf = fetchurl { url = "http://unifoundry.com/unifont-5.1.20080820.bdf.gz"; sha256 = "0s0qfff6n6282q28nwwblp5x295zd6n71kl43xj40vgvdqxv0fxx"; }; po_src = fetchurl { name = "grub-2.02-beta2.tar.gz"; url = "https://alpha.gnu.org/gnu/grub/grub-2.02~beta2.tar.gz"; sha256 = "1lr9h3xcx0wwrnkxdnkfjwy08j7g7mdlmmbdip2db4zfgi69h0rm"; }; in stdenv.mkDerivation rec { pname = "trustedGRUB2"; inherit version; src = fetchFromGitHub { owner = "Sirrix-AG"; repo = "TrustedGRUB2"; rev = version; sha256 = if for_HP_laptop then "sha256-H1JzT/RgnbHqnW2/FmvXFuI6gnHI2vQU3W1iq2FqwJw=" else "sha256-k8DGHjTIpnjWw7GNN2kyR8rRl2MAq1xkfOndd0znLns="; }; nativeBuildInputs = [ autogen flex bison python2 autoconf automake ]; buildInputs = [ ncurses libusb-compat-0_1 freetype gettext lvm2 ] ++ lib.optional doCheck qemu; hardeningDisable = [ "stackprotector" "pic" ]; env.NIX_CFLAGS_COMPILE = "-Wno-error"; # generated code redefines yyfree preConfigure = '' for i in "tests/util/"*.in do sed -i "$i" -e's|/bin/bash|${stdenv.shell}|g' done # Apparently, the QEMU executable is no longer called # `qemu-system-i386', even on i386. # # In addition, use `-nodefaults' to avoid errors like: # # chardev: opening backend "stdio" failed # qemu: could not open serial device 'stdio': Invalid argument # # See <http://www.mail-archive.com/qemu-devel@nongnu.org/msg22775.html>. 
sed -i "tests/util/grub-shell.in" \ -e's/qemu-system-i386/qemu-system-x86_64 -nodefaults/g' ''; prePatch = '' tar zxf ${po_src} grub-2.02~beta2/po rm -rf po mv grub-2.02~beta2/po po sh autogen.sh gunzip < "${unifont_bdf}" > "unifont.bdf" sed -i "configure" \ -e "s|/usr/src/unifont.bdf|$PWD/unifont.bdf|g" ''; patches = [ ./fix-bash-completion.patch (fetchpatch { # glibc-2.26 and above needs '<sys/sysmacros.h>' url = "https://github.com/Rohde-Schwarz/TrustedGRUB2/commit/7a5b301e3adb8e054288518a325135a1883c1c6c.patch"; sha256 = "1jfrrmcrd9a8w7n419kszxgbpshx7888wc05smg5q4jvc1ag3xm7"; }) ]; # save target that grub is compiled for grubTarget = lib.optionalString inPCSystems "${pcSystems.${stdenv.hostPlatform.system}.target}-pc"; doCheck = false; # On -j16 races with early header creation: # config.h:38:10: fatal error: ./config-util.h: No such file or directory enableParallelBuilding = false; meta = with lib; { description = "GRUB 2.0 extended with TCG (TPM) support for integrity measured boot process (trusted boot)"; homepage = "https://github.com/Sirrix-AG/TrustedGRUB2"; license = licenses.gpl3Plus; platforms = platforms.gnu ++ platforms.linux; }; }
pkgs/top-level/aliases.nix +2 −0 @@ -1657,6 +1657,8 @@ mapAliases ({ trebleshot = throw "trebleshot has been removed. It was archived upstream, so it's considered abandoned"; trilium = throw "trilium has been removed. Please use trilium-desktop instead"; # Added 2020-04-29 truecrypt = throw "'truecrypt' has been renamed to/replaced by 'veracrypt'"; # Converted to throw 2022-02-22 trustedGrub = throw "trustedGrub has been removed, because it is not maintained upstream anymore"; # Added 2023-05-10 trustedGrub-for-HP = throw "trustedGrub-for-HP has been removed, because it is not maintained upstream anymore"; # Added 2023-05-10 tuijam = throw "tuijam has been removed because Google Play Music was discontinued"; # Added 2021-03-07 turbo-geth = throw "turbo-geth has been renamed to erigon"; # Added 2021-08-08 tvbrowser-bin = tvbrowser; # Added 2023-03-02
pkgs/top-level/all-packages.nix +0 −4 @@ -8170,10 +8170,6 @@ with pkgs; grpc-client-cli = callPackage ../development/tools/misc/grpc-client-cli { }; trustedGrub = pkgsi686Linux.callPackage ../tools/misc/grub/trusted.nix { }; trustedGrub-for-HP = pkgsi686Linux.callPackage ../tools/misc/grub/trusted.nix { for_HP_laptop = true; }; grub2 = callPackage ../tools/misc/grub/default.nix { # update breaks grub2 gnulib = pkgs.gnulib.overrideAttrs (_: rec {