authorThomas Strobel <ts468@cam.ac.uk>2015-12-21 20:20:29 +0100
committerThomas Strobel <ts468@cam.ac.uk>2015-12-22 03:12:30 +0100
commitd856841ba42eb8ad56e71c261753cc5b7f02d6c9 (patch)
treec7da43ca19d44e94f866a80582ec16fd378237eb
parentd76c26e876bfea826a1e43bbe8f0243095566216 (diff)
nixos trustedGRUB: add support for HP laptops
-rw-r--r--nixos/modules/system/boot/loader/grub/grub.nix62
-rw-r--r--pkgs/tools/misc/grub/trusted.nix23
-rw-r--r--pkgs/top-level/all-packages.nix2
3 files changed, 56 insertions, 31 deletions
diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix
index 87dbbd7cd51f..47605e3685ca 100644
--- a/nixos/modules/system/boot/loader/grub/grub.nix
+++ b/nixos/modules/system/boot/loader/grub/grub.nix
@@ -10,8 +10,11 @@ let
 
   realGrub = if cfg.version == 1 then pkgs.grub
     else if cfg.zfsSupport then pkgs.grub2.override { zfsSupport = true; }
-    else if cfg.enableTrustedBoot then pkgs.trustedGrub
-           else pkgs.grub2;
+    else if cfg.trustedBoot.enable
+         then if cfg.trustedBoot.isHPLaptop
+              then pkgs.trustedGrub-for-HP
+              else pkgs.trustedGrub
+         else pkgs.grub2;
 
   grub =
     # Don't include GRUB if we're only generating a GRUB menu (e.g.,
@@ -369,24 +372,37 @@ in
         '';
       };
 
-      enableTrustedBoot = mkOption {
-        default = false;
-        type = types.bool;
-        description = ''
-          Enable trusted boot. GRUB will measure all critical components during
-          the boot process to offer TCG (TPM) support.
-        '';
-      };
+      trustedBoot = {
+
+        enable = mkOption {
+          default = false;
+          type = types.bool;
+          description = ''
+            Enable trusted boot. GRUB will measure all critical components during
+            the boot process to offer TCG (TPM) support.
+          '';
+        };
+
+        systemHasTPM = mkOption {
+          default = "";
+          example = "YES_TPM_is_activated";
+          type = types.string;
+          description = ''
+            Assertion that the target system has an activated TPM. It is a safety
+            check before allowing the activation of 'trustedBoot.enable'. TrustedBoot
+            WILL FAIL TO BOOT YOUR SYSTEM if no TPM is available.
+          '';
+        };
+
+        isHPLaptop = mkOption {
+          default = false;
+          type = types.bool;
+          description = ''
+            Use a special version of TrustedGRUB that is needed by some HP laptops
+            and works only for the HP laptops.
+          '';
+        };
 
-      systemHasTPM = mkOption {
-        default = "";
-        example = "YES_TPM_is_activated";
-        type = types.string;
-        description = ''
-          Assertion that the target system has an activated TPM. It is a safety
-          check before allowing the activation of 'enableTrustedBoot'. TrustedBoot
-          WILL FAIL TO BOOT YOUR SYSTEM if no TPM is available.
-        '';
       };
 
     };
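Review bot: The options `enableTrustedBoot` and `systemHasTPM` are moved under `trustedBoot` without leaving aliases behind, so a configuration that still sets `boot.loader.grub.enableTrustedBoot` will, as far as I can tell, stop evaluating rather than carry over. Two `mkRenamedOptionModule` entries in the module's `imports` (outside this hunk) would keep old configurations working: `(mkRenamedOptionModule [ "boot" "loader" "grub" "enableTrustedBoot" ] [ "boot" "loader" "grub" "trustedBoot" "enable" ])` and the same mapping for `systemHasTPM` to `trustedBoot.systemHasTPM`. While the block is being touched, `type = types.string;` on the moved `systemHasTPM` option is the deprecated concatenating string type and `types.str` is the one meant here. The `isHPLaptop` description could also say what the "special version" is, since the actual difference (a different TrustedGRUB2 revision) is only visible in trusted.nix.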
@@ -452,19 +468,19 @@ in
           message = "You cannot have duplicated devices in mirroredBoots";
         }
         {
-          assertion = !cfg.enableTrustedBoot || cfg.version == 2;
+          assertion = !cfg.trustedBoot.enable || cfg.version == 2;
           message = "Trusted GRUB is only available for GRUB 2";
         }
         {
-          assertion = !cfg.efiSupport || !cfg.enableTrustedBoot;
+          assertion = !cfg.efiSupport || !cfg.trustedBoot.enable;
           message = "Trusted GRUB does not have EFI support";
         }
         {
-          assertion = !cfg.zfsSupport || !cfg.enableTrustedBoot;
+          assertion = !cfg.zfsSupport || !cfg.trustedBoot.enable;
           message = "Trusted GRUB does not have ZFS support";
         }
         {
-          assertion = !cfg.enableTrustedBoot || cfg.systemHasTPM == "YES_TPM_is_activated";
+          assertion = !cfg.trustedBoot.enable || cfg.trustedBoot.systemHasTPM == "YES_TPM_is_activated";
           message = "Trusted GRUB can break the system! Confirm that the system has an activated TPM by setting 'systemHasTPM'.";
         }
       ] ++ flip concatMap cfg.mirroredBoots (args: [
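Review bot: The message on the `systemHasTPM` assertion still tells the user to set 'systemHasTPM', but the condition now checks `cfg.trustedBoot.systemHasTPM`; the message should read `message = "Trusted GRUB can break the system! Confirm that the system has an activated TPM by setting 'trustedBoot.systemHasTPM'.";`. There is also no assertion covering `trustedBoot.isHPLaptop = true` together with `trustedBoot.enable = false`, which `realGrub` (first hunk of this file) silently ignores by falling back to plain `grub2`; adding `{ assertion = !cfg.trustedBoot.isHPLaptop || cfg.trustedBoot.enable; message = "trustedBoot.isHPLaptop has no effect unless trustedBoot.enable is set"; }` to this list would surface the mistake at evaluation time. The `assertions` list continues outside the hunk.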
diff --git a/pkgs/tools/misc/grub/trusted.nix b/pkgs/tools/misc/grub/trusted.nix
index 87c551db4e38..694f45599f30 100644
--- a/pkgs/tools/misc/grub/trusted.nix
+++ b/pkgs/tools/misc/grub/trusted.nix
@@ -1,5 +1,6 @@
 { stdenv, fetchurl, fetchgit, autogen, flex, bison, python, autoconf, automake
 , gettext, ncurses, libusb, freetype, qemu, devicemapper
+, for_HP_laptop ? false
 }:
 
 with stdenv.lib;
@@ -11,7 +12,7 @@ let
 
   inPCSystems = any (system: stdenv.system == system) (mapAttrsToList (name: _: name) pcSystems);
 
-  version = "1.2.1";
+  version = if for_HP_laptop then "1.2.1" else "1.2.0";
 
   unifont_bdf = fetchurl {
     url = "http://unifoundry.com/unifont-5.1.20080820.bdf.gz";
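Review bot: The non-HP build, which every existing `trustedGrub` user gets, is moved from the previously pinned source (rev `ab483d38…`, labelled 1.2.1) to a different revision labelled 1.2.0 in the next hunk (`src`), while the HP variant keeps the old revision; the commit title only mentions adding HP support, so this reads as an undocumented downgrade of the default. For a measured-boot loader that is worth stating explicitly, since a different build can change what is measured into the TPM and therefore what sealed data remains unsealable. If it is intentional, a comment above `version` along the lines of `# some HP laptops need 1.2.1 (rev ab483d38…); the default stays on 1.2.0 because <reason> — see src below` would record why two revisions of the same repository are pinned.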
@@ -25,16 +26,22 @@ let
 
   };
 
-in (
+in
 
 stdenv.mkDerivation rec {
   name = "trustedGRUB2-${version}";
 
-  src = fetchgit {
-    url = "https://github.com/Sirrix-AG/TrustedGRUB2";
-    rev = "ab483d389bda3115ca0ae4202fd71f2e4a31ad41";
-    sha256 = "4b715837f8632278720d8b29aec06332f5302c6ba78183ced5f48d3c376d89c0";
-  };
+  src = if for_HP_laptop
+        then fetchgit {
+          url = "https://github.com/Sirrix-AG/TrustedGRUB2";
+          rev = "ab483d389bda3115ca0ae4202fd71f2e4a31ad41";
+          sha256 = "4b715837f8632278720d8b29aec06332f5302c6ba78183ced5f48d3c376d89c0";
+        }
+        else fetchgit {
+          url = "https://github.com/Sirrix-AG/TrustedGRUB2";
+          rev = "1ff54a5fbe02ea01df5a7de59b1e0201e08d4f76";
+          sha256 = "8c17bd7e14dd96ae9c4e98723f4e18ec6b21d45ac486ecf771447649829d0b34";
+        };
 
   nativeBuildInputs = [ autogen flex bison python autoconf automake ];
   buildInputs = [ ncurses libusb freetype gettext devicemapper ]
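Review bot: The two `fetchgit` branches of `src` repeat the same `url` and differ only in `rev` and `sha256`, so the variant choice is easier to audit if it is made once per field instead of by duplicating the whole fetcher; both pins keep their exact revisions and hashes. The `mkDerivation` attribute set continues outside the hunk.
```nix
  src = fetchgit {
    url = "https://github.com/Sirrix-AG/TrustedGRUB2";
    rev = if for_HP_laptop
          then "ab483d389bda3115ca0ae4202fd71f2e4a31ad41"
          else "1ff54a5fbe02ea01df5a7de59b1e0201e08d4f76";
    sha256 = if for_HP_laptop
             then "4b715837f8632278720d8b29aec06332f5302c6ba78183ced5f48d3c376d89c0"
             else "8c17bd7e14dd96ae9c4e98723f4e18ec6b21d45ac486ecf771447649829d0b34";
  };
  # … unchanged: nativeBuildInputs, buildInputs …
```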
@@ -89,4 +96,4 @@ stdenv.mkDerivation rec {
     license = licenses.gpl3Plus;
     platforms = platforms.gnu;
   };
-})
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 86a722b278a0..917afffdfcf9 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -1741,6 +1741,8 @@ let
 
   trustedGrub = callPackage_i686 ../tools/misc/grub/trusted.nix { };
 
+  trustedGrub-for-HP = callPackage_i686 ../tools/misc/grub/trusted.nix { for_HP_laptop = true; };
+
   grub2 = grub2_full;
 
   grub2_full = callPackage ../tools/misc/grub/2.0x.nix { };