nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-02-12 15:14:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

nixos/systemd-boot: Add reboot-for-bitlocker support

Browse Source 
Windows with BitLocker and TPM enabled doesn't support boot chaining.
This option activates a special experimental mode in systemd-boot that
tries to detect such systems and, if detected and selected by the user
at the boot menu, set the BootNext EFI variable to it before resetting.

(cherry picked from commit a68b81c429)
This commit is contained in:
Thibault Polge 2023-09-04 14:12:24 +02:00 committed by Sarun Intaralawan
parent a3103d6851
commit 2f55cdb11d
2 changed files with 20 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
View File

@ -28,6 +28,7 @@ DISTRO_NAME = "@distroName@"
NIX = "@nix@"
SYSTEMD = "@systemd@"
CONFIGURATION_LIMIT = int("@configurationLimit@")
REBOOT_FOR_BITLOCKER = bool("@rebootForBitlocker@")
CAN_TOUCH_EFI_VARIABLES = "@canTouchEfiVariables@"
GRACEFUL = "@graceful@"
COPY_EXTRA_FILES = "@copyExtraFiles@"
@ -99,6 +100,8 @@ def write_loader_conf(profile: str | None, generation: int, specialisation: str
f.write("default %s\n" % generation_conf_filename(profile, generation, specialisation))
if not EDITOR:
f.write("editor 0\n")
if REBOOT_FOR_BITLOCKER:
f.write("reboot-for-bitlocker yes\n");
f.write(f"console-mode {CONSOLE_MODE}\n")
f.flush()
os.fsync(f.fileno())

18
nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
View File

@ -38,7 +38,7 @@ let
configurationLimit = if cfg.configurationLimit == null then 0 else cfg.configurationLimit;
inherit (cfg) consoleMode graceful editor;
inherit (cfg) consoleMode graceful editor rebootForBitlocker;
inherit (efi) efiSysMountPoint canTouchEfiVariables;
@ -317,6 +317,22 @@ in {
'';
};
rebootForBitlocker = mkOption {
default = false;
type = types.bool;
description = ''
Enable *EXPERIMENTAL* BitLocker support.
Try to detect BitLocker encrypted drives along with an active
TPM. If both are found and Windows Boot Manager is selected in
the boot menu, set the "BootNext" EFI variable and restart the
system. The firmware will then start Windows Boot Manager
directly, leaving the TPM PCRs in expected states so that
Windows can unseal the encryption key.
'';
};
};
config = mkIf cfg.enable {