diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix index 87dbbd7cd51f..47605e3685ca 100644 --- a/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixos/modules/system/boot/loader/grub/grub.nix @@ -10,8 +10,11 @@ let realGrub = if cfg.version == 1 then pkgs.grub else if cfg.zfsSupport then pkgs.grub2.override { zfsSupport = true; } - else if cfg.enableTrustedBoot then pkgs.trustedGrub - else pkgs.grub2; + else if cfg.trustedBoot.enable + then if cfg.trustedBoot.isHPLaptop + then pkgs.trustedGrub-for-HP + else pkgs.trustedGrub + else pkgs.grub2; grub = # Don't include GRUB if we're only generating a GRUB menu (e.g., 
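Review bot: The new `realGrub` selection nests a `then if … then … else` inside an `else if`, which is harder to read than a flat chain and relies on indentation the reader has to count; `else if cfg.trustedBoot.enable && cfg.trustedBoot.isHPLaptop then pkgs.trustedGrub-for-HP` followed by `else if cfg.trustedBoot.enable then pkgs.trustedGrub` expresses the same choice in two lines. Note that `cfg.zfsSupport` is tested before `cfg.trustedBoot.enable` in this chain, so if the `!cfg.zfsSupport || !cfg.trustedBoot.enable` assertion later in this file were ever relaxed, the build would silently pick the ZFS grub2 and drop the measured-boot loader. The `let` binding this hunk edits continues past the hunk.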
@@ -369,24 +372,37 @@ in ''; }; - enableTrustedBoot = mkOption { - default = false; - type = types.bool; - description = '' - Enable trusted boot. GRUB will measure all critical components during - the boot process to offer TCG (TPM) support. - ''; - }; + trustedBoot = { + + enable = mkOption { + default = false; + type = types.bool; + description = '' + Enable trusted boot. GRUB will measure all critical components during + the boot process to offer TCG (TPM) support. + ''; + }; + + systemHasTPM = mkOption { + default = ""; + example = "YES_TPM_is_activated"; + type = types.string; + description = '' + Assertion that the target system has an activated TPM. It is a safety + check before allowing the activation of 'trustedBoot.enable'. TrustedBoot + WILL FAIL TO BOOT YOUR SYSTEM if no TPM is available. + ''; + }; + + isHPLaptop = mkOption { + default = false; + type = types.bool; + description = '' + Use a special version of TrustedGRUB that is needed by some HP laptops + and works only for the HP laptops. + ''; + }; - systemHasTPM = mkOption { - default = ""; - example = "YES_TPM_is_activated"; - type = types.string; - description = '' - Assertion that the target system has an activated TPM. It is a safety - check before allowing the activation of 'enableTrustedBoot'. TrustedBoot - WILL FAIL TO BOOT YOUR SYSTEM if no TPM is available. - ''; }; }; 
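Review bot: `boot.loader.grub.enableTrustedBoot` and `boot.loader.grub.systemHasTPM` are removed without an alias, so every existing configuration that sets them stops evaluating; if this lib revision provides `mkRenamedOptionModule`, `imports = [ (mkRenamedOptionModule [ "boot" "loader" "grub" "enableTrustedBoot" ] [ "boot" "loader" "grub" "trustedBoot" "enable" ]) ];` (and the same for `systemHasTPM`) keeps them working. The `isHPLaptop` description says only that the variant "works only for the HP laptops"; since the two variants differ in the pinned upstream TrustedGRUB2 revision (1.2.1 vs 1.2.0 in trusted.nix), the description should say so, e.g. `Build TrustedGRUB2 1.2.1 instead of 1.2.0; that revision is needed by some HP laptops and is known to work only there.` The `systemHasTPM` magic-string check is an honour-system guard — it proves the user typed the phrase, not that a TPM is present — so the "WILL FAIL TO BOOT" warning in its description should stay, and the assertion message below should keep quoting the exact expected value.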
@@ -452,19 +468,19 @@ in message = "You cannot have duplicated devices in mirroredBoots"; } { - assertion = !cfg.enableTrustedBoot || cfg.version == 2; + assertion = !cfg.trustedBoot.enable || cfg.version == 2; message = "Trusted GRUB is only available for GRUB 2"; } { - assertion = !cfg.efiSupport || !cfg.enableTrustedBoot; + assertion = !cfg.efiSupport || !cfg.trustedBoot.enable; message = "Trusted GRUB does not have EFI support"; } { - assertion = !cfg.zfsSupport || !cfg.enableTrustedBoot; + assertion = !cfg.zfsSupport || !cfg.trustedBoot.enable; message = "Trusted GRUB does not have ZFS support"; } { - assertion = !cfg.enableTrustedBoot || cfg.systemHasTPM == "YES_TPM_is_activated"; + assertion = !cfg.trustedBoot.enable || cfg.trustedBoot.systemHasTPM == "YES_TPM_is_activated"; message = "Trusted GRUB can break the system! Confirm that the system has an activated TPM by setting 'systemHasTPM'."; } ] ++ flip concatMap cfg.mirroredBoots (args: [ diff --git a/pkgs/tools/misc/grub/trusted.nix b/pkgs/tools/misc/grub/trusted.nix index 87c551db4e38..694f45599f30 100644 --- a/pkgs/tools/misc/grub/trusted.nix +++ b/pkgs/tools/misc/grub/trusted.nix @@ -1,5 +1,6 @@ { stdenv, fetchurl, fetchgit, autogen, flex, bison, python, autoconf, automake , gettext, ncurses, libusb, freetype, qemu, devicemapper +, for_HP_laptop ? false }: with stdenv.lib; @@ -11,7 +12,7 @@ let inPCSystems = any (system: stdenv.system == system) (mapAttrsToList (name: _: name) pcSystems); - version = "1.2.1"; + version = if for_HP_laptop then "1.2.1" else "1.2.0"; unifont_bdf = fetchurl { url = "http://unifoundry.com/unifont-5.1.20080820.bdf.gz"; 
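Review bot: Nothing rejects `trustedBoot.isHPLaptop = true` together with `trustedBoot.enable = false`; in that case `realGrub` falls through to `pkgs.grub2` and the user gets no measured boot despite having asked for the HP variant. An assertion next to the four rewritten ones makes this loud: `{ assertion = !cfg.trustedBoot.isHPLaptop || cfg.trustedBoot.enable; message = "'trustedBoot.isHPLaptop' has no effect unless 'trustedBoot.enable' is set"; }`. The assertions list continues outside the hunk.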
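Review bot: `version = if for_HP_laptop then "1.2.1" else "1.2.0"` moves the default `trustedGrub` build from 1.2.1 (which this file pinned before the change) down to 1.2.0 and reserves the newer release for the HP variant, which reads as a deliberate downgrade but is not explained anywhere in the file. A one-line comment above the binding, e.g. `# 1.2.1 (ab483d3) is needed by some HP laptops and works only there; the default build stays on 1.2.0`, would stop the next maintainer from "fixing" it back — assuming that is the reason, which the diff alone does not show. Also, nixpkgs derivation arguments are conventionally camelCase (`forHPLaptop`); `for_HP_laptop` is the only snake_case name in this argument set.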
@@ -25,16 +26,22 @@ let }; -in ( +in stdenv.mkDerivation rec { name = "trustedGRUB2-${version}"; - src = fetchgit { - url = "https://github.com/Sirrix-AG/TrustedGRUB2"; - rev = "ab483d389bda3115ca0ae4202fd71f2e4a31ad41"; - sha256 = "4b715837f8632278720d8b29aec06332f5302c6ba78183ced5f48d3c376d89c0"; - }; + src = if for_HP_laptop + then fetchgit { + url = "https://github.com/Sirrix-AG/TrustedGRUB2"; + rev = "ab483d389bda3115ca0ae4202fd71f2e4a31ad41"; + sha256 = "4b715837f8632278720d8b29aec06332f5302c6ba78183ced5f48d3c376d89c0"; + } + else fetchgit { + url = "https://github.com/Sirrix-AG/TrustedGRUB2"; + rev = "1ff54a5fbe02ea01df5a7de59b1e0201e08d4f76"; + sha256 = "8c17bd7e14dd96ae9c4e98723f4e18ec6b21d45ac486ecf771447649829d0b34"; + }; nativeBuildInputs = [ autogen flex bison python autoconf automake ]; buildInputs = [ ncurses libusb freetype gettext devicemapper ] @@ -89,4 +96,4 @@ stdenv.mkDerivation rec { license = licenses.gpl3Plus; platforms = platforms.gnu; }; -}) +} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 86a722b278a0..917afffdfcf9 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -1741,6 +1741,8 @@ let trustedGrub = callPackage_i686 ../tools/misc/grub/trusted.nix { }; + trustedGrub-for-HP = callPackage_i686 ../tools/misc/grub/trusted.nix { for_HP_laptop = true; }; + grub2 = grub2_full; grub2_full = callPackage ../tools/misc/grub/2.0x.nix { };
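Review bot: The two `fetchgit` branches of the new `src` repeat the same `url` and differ only in `rev`/`sha256`, so the selection should be expressed on those two fields rather than on the whole fetcher — otherwise a future URL change has to be made twice and the two pins are easy to mix up. Both pins are full commit ids with a `sha256` that fetchgit checks the checkout against, which is the right shape: what gets built is content-verified regardless of where the upstream branch later points. A comment tying each revision to its release (1.2.1 for the HP variant, 1.2.0 otherwise, per `version` above) also belongs here, since nothing in the derivation says why the default build is on the older one.
```nix
  # Same upstream repo for both variants; only the pinned revision differs.
  # ab483d3 is the 1.2.1 revision used for the HP-laptop build, 1ff54a5 is 1.2.0.
  src = fetchgit ({
    url = "https://github.com/Sirrix-AG/TrustedGRUB2";
  } // (if for_HP_laptop then {
    rev = "ab483d389bda3115ca0ae4202fd71f2e4a31ad41";
    sha256 = "4b715837f8632278720d8b29aec06332f5302c6ba78183ced5f48d3c376d89c0";
  } else {
    rev = "1ff54a5fbe02ea01df5a7de59b1e0201e08d4f76";
    sha256 = "8c17bd7e14dd96ae9c4e98723f4e18ec6b21d45ac486ecf771447649829d0b34";
  }));
  # … unchanged: nativeBuildInputs / buildInputs …
```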