Merge pull request #8654 from ts468/upstream.trusted_grub_integration

grub installation: integrate trustedGRUB + fix broken equality check
2015-07-05 11:34:00 -07:00 · 2015-07-05 11:34:00 -07:00 · c38a9b607f
parent bdc77d2733 65cbbc75b0
commit c38a9b607f
2 changed files with 39 additions and 7 deletions
--- a/nixos/modules/system/boot/loader/grub/grub.nix
+++ b/nixos/modules/system/boot/loader/grub/grub.nix
@ -10,7 +10,8 @@ let

  realGrub = if cfg.version == 1 then pkgs.grub
    else if cfg.zfsSupport then pkgs.grub2.override { zfsSupport = true; }
-    else pkgs.grub2;
+    else if cfg.enableTrustedboot then pkgs.trustedGrub
+           else pkgs.grub2;

  grub =
    # Don't include GRUB if we're only generating a GRUB menu (e.g.,
@ -37,6 +38,7 @@ let
      grub = f grub;
      grubTarget = f (grub.grubTarget or "");
      shell = "${pkgs.stdenv.shell}";
+      fullName = (builtins.parseDrvName realGrub.name).name;
      fullVersion = (builtins.parseDrvName realGrub.name).version;
      grubEfi = f grubEfi;
      grubTargetEfi = if cfg.efiSupport && (cfg.version == 2) then f (grubEfi.grubTarget or "") else "";
@ -367,6 +369,15 @@ in
        '';
      };

+      enableTrustedboot = mkOption {
+        default = false;
+        type = types.bool;
+        description = ''
+          Enable trusted boot. Grub will measure all critical components during
+          the boot process to offer TCG (TPM) support.
+        '';
+      };
+
    };

  };
@ -429,6 +440,22 @@ in
          assertion = all (c: c < 2) (mapAttrsToList (_: c: c) bootDeviceCounters);
          message = "You cannot have duplicated devices in mirroredBoots";
        }
+        {
+          assertion = !cfg.enableTrustedboot || cfg.version == 2;
+          message = "Trusted GRUB is only available for GRUB 2";
+        }
+        {
+          assertion = !cfg.efiSupport || !cfg.enableTrustedboot;
+          message = "Trusted GRUB does not have EFI support";
+        }
+        {
+          assertion = !cfg.zfsSupport || !cfg.enableTrustedboot;
+          message = "Trusted GRUB does not have ZFS support";
+        }
+        {
+          assertion = !cfg.enableTrustedboot;
+          message = "Trusted GRUB can break your system. Remove assertion if you want to test trustedGRUB nevertheless.";
+        }
      ] ++ flip concatMap cfg.mirroredBoots (args: [
        {
          assertion = args.devices != [ ];
--- a/nixos/modules/system/boot/loader/grub/install-grub.pl
+++ b/nixos/modules/system/boot/loader/grub/install-grub.pl
@ -433,15 +433,18 @@ foreach my $fn (glob "$bootPath/kernels/*") {
 #

 struct(GrubState => {
+    name => '$',
    version => '$',
    efi => '$',
    devices => '$',
    efiMountPoint => '$',
 });
 sub readGrubState {
-    my $defaultGrubState = GrubState->new(version => "", efi => "", devices => "", efiMountPoint => "" );
+    my $defaultGrubState = GrubState->new(name => "", version => "", efi => "", devices => "", efiMountPoint => "" );
    open FILE, "<$bootPath/grub/state" or return $defaultGrubState;
    local $/ = "\n";
+    my $name = <FILE>;
+    chomp($name);
    my $version = <FILE>;
    chomp($version);
    my $efi = <FILE>;
@ -451,7 +454,7 @@ sub readGrubState {
    my $efiMountPoint = <FILE>;
    chomp($efiMountPoint);
    close FILE;
-    my $grubState = GrubState->new(version => $version, efi => $efi, devices => $devices, efiMountPoint => $efiMountPoint );
+    my $grubState = GrubState->new(name => $name, version => $version, efi => $efi, devices => $devices, efiMountPoint => $efiMountPoint );
    return $grubState
 }

@ -497,10 +500,11 @@ my $prevGrubState = readGrubState();
 my @prevDeviceTargets = split/:/, $prevGrubState->devices;

 my $devicesDiffer = scalar (List::Compare->new( '-u', '-a', \@deviceTargets, \@prevDeviceTargets)->get_symmetric_difference() );
-my $versionDiffer = (get("fullVersion") eq \$prevGrubState->version);
-my $efiDiffer = ($efiTarget eq \$prevGrubState->efi);
-my $efiMountPointDiffer = ($efiSysMountPoint eq \$prevGrubState->efiMountPoint);
-my $requireNewInstall = $devicesDiffer || $versionDiffer || $efiDiffer || $efiMountPointDiffer || (($ENV{'NIXOS_INSTALL_GRUB'} // "") eq "1");
+my $nameDiffer = !(get("fullName") eq $prevGrubState->name);
+my $versionDiffer = !(get("fullVersion") eq $prevGrubState->version);
+my $efiDiffer = !($efiTarget eq $prevGrubState->efi);
+my $efiMountPointDiffer = !($efiSysMountPoint eq $prevGrubState->efiMountPoint);
+my $requireNewInstall = $devicesDiffer || $nameDiffer || $versionDiffer || $efiDiffer || $efiMountPointDiffer || (($ENV{'NIXOS_INSTALL_GRUB'} // "") eq "1");

 # install a symlink so that grub can detect the boot drive when set
 # as the root directory
@ -543,6 +547,7 @@ if (($requireNewInstall != 0) && ($efiTarget eq "only" || $efiTarget eq "both"))
 # update GRUB state file
 if ($requireNewInstall != 0) {
    open FILE, ">$bootPath/grub/state" or die "cannot create $bootPath/grub/state: $!\n";
+    print FILE get("fullName"), "\n" or die;
    print FILE get("fullVersion"), "\n" or die;
    print FILE $efiTarget, "\n" or die;
    print FILE join( ":", @deviceTargets ), "\n" or die;