boot.initrd.systemd: make TPM2 modules optional #207969
elohmeier wants to merge 1 commit into NixOS:master from
Conversation
oxalica
left a comment
Could you move the guard to variables and also add the conditions cfg.package.withTpm2Tss && cfg.package.withCryptsetup? If systemd for the initrd is built without cryptsetup or TPM2 support, the module is also unnecessary. The same goes for withFIDO2 and libfido2.
This part also needs a clean-up to lower the condition granularity.
https://github.com/NixOS/nixpkgs/blob/8a7499d659107387703f9090d672e1e997b311d9/nixos/modules/system/boot/systemd/initrd.nix#L412-L423
Can we do something to get this to the finish line?
@RaitoBezarius someone could respond to the question in my review comment
Answered. :)
Thanks for your feedback. The previous attempt didn't actually work. I've added a new approach with an option.
ElvishJerricco
left a comment
I'd like to see this also exclude the TPM libraries, because they add a considerable amount of size to the initrd:
(nixpkgs/nixos/modules/system/boot/systemd/initrd.nix, lines 424 to 427 in 73a8ca1)
FIDO2 is fine though, since it barely affects the size at all.
See this test I ran: https://gist.github.com/ElvishJerricco/ca36d26fd30b78b211aea10604b9885e#file-results-txt
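To make the two review requests above concrete (gating on the systemd build flags, and keeping the TPM2 libraries out of the initrd when they are not wanted), here is a sketch in NixOS module language. This is an added example, not the code from this PR or from nixpkgs: the option path boot.initrd.systemd.enableTpm2, the kernel module list, the storePaths entry and the plugin file name are assumptions chosen to illustrate the pattern.

```nix
# Added example (not the PR's own code). Shows one way to make TPM2 support
# in the systemd initrd optional, gated both on a user toggle and on the
# features the systemd package was actually built with.
{ config, lib, pkgs, ... }:

let
  cfg = config.boot.initrd.systemd;

  # Pull in TPM2 support only if the user asked for it AND the initrd
  # systemd has TPM2 (tpm2-tss) and cryptsetup support compiled in.
  # Without both, the modules and libraries are dead weight.
  wantTpm2 = cfg.enableTpm2 && cfg.package.withTpm2Tss && cfg.package.withCryptsetup;

  # Kernel modules for the usual TPM interfaces. Some kernels (e.g. the
  # Raspberry Pi ones) do not build these, which is why the list must be
  # optional. The exact list is an assumption for this example.
  tpm2Modules = [ "tpm-crb" "tpm-tis" ];

  # The systemd cryptsetup token plugin for TPM2. Path assumed here; it is
  # the part that adds most of the size to the initrd.
  tpm2Plugin = "${cfg.package}/lib/cryptsetup/libcryptsetup-token-systemd-tpm2.so";
in
{
  options.boot.initrd.systemd.enableTpm2 = lib.mkOption {
    type = lib.types.bool;
    default = true;
    description = ''
      Whether to include TPM2 kernel modules and systemd's TPM2 cryptsetup
      plugin in the initrd. Set to false on kernels that do not provide the
      TPM modules (e.g. some ARM kernels) to avoid "module not found" errors.
    '';
  };

  config = lib.mkIf cfg.enable {
    # Both lists collapse to [] when wantTpm2 is false, so the initrd
    # neither references missing kernel modules nor ships the TPM2 library.
    boot.initrd.availableKernelModules = lib.optionals wantTpm2 tpm2Modules;
    boot.initrd.systemd.storePaths = lib.optionals wantTpm2 [ tpm2Plugin ];
  };
}
```

The point of evaluating wantTpm2 once in the let block is the granularity reduction asked for above: every place that previously carried its own condition now keys off a single boolean, so a user on a TPM-less kernel flips one option and all TPM2 artifacts drop out together.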
Thanks, updated!
Majiir
left a comment
Tested on an armv7l system which can't build with tpm-crb. Code changes LGTM.
Is this config option discoverable for anyone running into the problem? Should we include a note in the enableTpm2 description? Is it possible to detect the missing module and print a NixOS-specific error? (I don't think any of that should hold up the PR, though.)
@ElvishJerricco can you somehow resolve/close your requested change blocking the merge? I don't know how I could do that since I addressed it by force-pushing an update. Maybe you have an option in GitHub to do that?
lopsided98
left a comment
Confirmed that this allows systemd in initrd to build on my armv7l and armv6l machines.
Please see follow-up PR here: #253498
Description of changes
This is a follow-up to a discussion regarding #189676. On some kernel configs the TPM2 modules are not available, e.g. the Raspberry Pi kernels. This change implements a proposed fix to only pull in the TPM2 modules if they are available, fixing the "module not found" issues for these kernels and re-enabling the use of boot.initrd.systemd.
Things done
- sandbox = true set in nix.conf? (See Nix manual)
- nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
- Tested basic functionality of all binary files (usually in ./result/bin/)
- Ran nixos/doc/manual/md-to-db.sh to update generated release notes