diff options
| author | Thomas Strobel <ts468@cam.ac.uk> | 2015-08-01 16:56:06 +0200 |
|---|---|---|
| committer | Thomas Strobel <ts468@cam.ac.uk> | 2015-08-01 16:56:06 +0200 |
| commit | aa63d4299ff3236f8a47d7b20434be7785902d40 (patch) | |
| tree | a2b5656d6180ca6431fd7e4c0f3fb2067dbec948 /nixos/modules | |
| parent | df038c93cc823fef9ceb547e3d635317bdd7d39e (diff) | |
| download | nixlib-aa63d4299ff3236f8a47d7b20434be7785902d40.tar nixlib-aa63d4299ff3236f8a47d7b20434be7785902d40.tar.gz nixlib-aa63d4299ff3236f8a47d7b20434be7785902d40.tar.bz2 nixlib-aa63d4299ff3236f8a47d7b20434be7785902d40.tar.lz nixlib-aa63d4299ff3236f8a47d7b20434be7785902d40.tar.xz nixlib-aa63d4299ff3236f8a47d7b20434be7785902d40.tar.zst nixlib-aa63d4299ff3236f8a47d7b20434be7785902d40.zip | |
tcsd module: expose firmwarePCRs and kernelPCRs
Diffstat (limited to 'nixos/modules')
| -rw-r--r-- | nixos/modules/services/hardware/tcsd.nix | 24 |
1 files changed, 18 insertions, 6 deletions
diff --git a/nixos/modules/services/hardware/tcsd.nix b/nixos/modules/services/hardware/tcsd.nix index 220b154bd97a..ced2d49c1e15 100644 --- a/nixos/modules/services/hardware/tcsd.nix +++ b/nixos/modules/services/hardware/tcsd.nix @@ -17,8 +17,8 @@ let # what is available directly from the PCR registers. firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements kernel_log_file = /sys/kernel/security/ima/binary_runtime_measurements - #firmware_pcrs = 0,1,2,3,4,5,6,7 - #kernel_pcrs = 10,11 + firmware_pcrs = ${cfg.firmwarePCRs} + kernel_pcrs = ${cfg.kernelPCRs} platform_cred = ${cfg.platformCred} conformance_cred = ${cfg.conformanceCred} endorsement_cred = ${cfg.endorsementCred} @@ -60,20 +60,32 @@ in }; stateDir = mkOption { - default = "/var/lib/tpm"; + default = "/var/lib/tpm"; type = types.path; - description = '' + description = '' The location of the system persistent storage file. The system persistent storage file holds keys and data across restarts of the TCSD and system reboots. - ''; + ''; + }; + + firmwarePCRs = mkOption { + default = "0,1,2,3,4,5,6,7"; + type = types.string; + description = "PCR indices used in the TPM for firmware measurements."; + }; + + kernelPCRs = mkOption { + default = "10,11"; + type = types.string; + description = "PCR indices used in the TPM for kernel measurements."; }; platformCred = mkOption { default = "${cfg.stateDir}/platform.cert"; type = types.path; description = '' - Path to the platform credential for your TPM. Your TPM + Path to the platform credential for your TPM. Your TPM manufacturer may have provided you with a set of credentials (certificates) that should be used when creating identities using your TPM. When a user of your TPM makes an identity, |