BoomMicrophone/nixpkgs-suyu
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

trustedGrub: remove

Browse source
This commit is contained in:
ajs124 2023-04-14 02:15:51 +02:00
parent 3c4a0ecdb0
commit 96fbdcedcd
4 changed files with 7 additions and 173 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

55
nixos/modules/system/boot/loader/grub/grub.nix
View file

@ -13,11 +13,7 @@ let
if cfg.forcei686 then pkgs.pkgsi686Linux else pkgs;
realGrub = if cfg.zfsSupport then grubPkgs.grub2.override { zfsSupport = true; }
else if cfg.trustedBoot.enable
then if cfg.trustedBoot.isHPLaptop
then grubPkgs.trustedGrub-for-HP
else grubPkgs.trustedGrub
else grubPkgs.grub2;
else grubPkgs.grub2;
grub =
# Don't include GRUB if we're only generating a GRUB menu (e.g.,
@ -674,39 +670,6 @@ in
'';
};
trustedBoot = {
enable = mkOption {
default = false;
type = types.bool;
description = lib.mdDoc ''
Enable trusted boot. GRUB will measure all critical components during
the boot process to offer TCG (TPM) support.
'';
};
systemHasTPM = mkOption {
default = "";
example = "YES_TPM_is_activated";
type = types.str;
description = lib.mdDoc ''
Assertion that the target system has an activated TPM. It is a safety
check before allowing the activation of 'trustedBoot.enable'. TrustedBoot
WILL FAIL TO BOOT YOUR SYSTEM if no TPM is available.
'';
};
isHPLaptop = mkOption {
default = false;
type = types.bool;
description = lib.mdDoc ''
Use a special version of TrustedGRUB that is needed by some HP laptops
and works only for the HP laptops.
'';
};
};
};
};
@ -782,18 +745,6 @@ in
assertion = cfg.efiSupport || all (c: c < 2) (mapAttrsToList (n: c: if n == "nodev" then 0 else c) bootDeviceCounters);
message = "You cannot have duplicated devices in mirroredBoots";
}
{
assertion = !cfg.efiSupport || !cfg.trustedBoot.enable;
message = "Trusted GRUB does not have EFI support";
}
{
assertion = !cfg.zfsSupport || !cfg.trustedBoot.enable;
message = "Trusted GRUB does not have ZFS support";
}
{
assertion = !cfg.trustedBoot.enable || cfg.trustedBoot.systemHasTPM == "YES_TPM_is_activated";
message = "Trusted GRUB can break the system! Confirm that the system has an activated TPM by setting 'systemHasTPM'.";
}
{
assertion = cfg.efiInstallAsRemovable -> cfg.efiSupport;
message = "If you wish to to use boot.loader.grub.efiInstallAsRemovable, then turn on boot.loader.grub.efiSupport";
@ -841,6 +792,10 @@ in
(mkRenamedOptionModule [ "boot" "grubDevice" ] [ "boot" "loader" "grub" "device" ])
(mkRenamedOptionModule [ "boot" "bootMount" ] [ "boot" "loader" "grub" "bootDevice" ])
(mkRenamedOptionModule [ "boot" "grubSplashImage" ] [ "boot" "loader" "grub" "splashImage" ])
(mkRemovedOptionModule [ "boot" "loader" "grub" "trustedBoot" ] ''
Support for Trusted GRUB has been removed, because the project
has been retired upstream.
'')
(mkRemovedOptionModule [ "boot" "loader" "grub" "extraInitrd" ] ''
This option has been replaced with the bootloader agnostic
boot.initrd.secrets option. To migrate to the initrd secrets system,

119
pkgs/tools/misc/grub/trusted.nix
View file

@ -1,119 +0,0 @@
{ lib
, stdenv
, fetchurl
, fetchFromGitHub
, fetchpatch
, autogen
, flex
, bison
, python2
, autoconf
, automake
, gettext
, ncurses
, libusb-compat-0_1
, freetype
, qemu
, lvm2
, for_HP_laptop ? false
}:
let
pcSystems = {
i686-linux.target = "i386";
x86_64-linux.target = "i386";
};
inPCSystems = lib.any (system: stdenv.hostPlatform.system == system) (lib.mapAttrsToList (name: _: name) pcSystems);
version = if for_HP_laptop then "1.2.1" else "1.2.0";
unifont_bdf = fetchurl {
url = "http://unifoundry.com/unifont-5.1.20080820.bdf.gz";
sha256 = "0s0qfff6n6282q28nwwblp5x295zd6n71kl43xj40vgvdqxv0fxx";
};
po_src = fetchurl {
name = "grub-2.02-beta2.tar.gz";
url = "https://alpha.gnu.org/gnu/grub/grub-2.02~beta2.tar.gz";
sha256 = "1lr9h3xcx0wwrnkxdnkfjwy08j7g7mdlmmbdip2db4zfgi69h0rm";
};
in
stdenv.mkDerivation rec {
pname = "trustedGRUB2";
inherit version;
src = fetchFromGitHub {
owner = "Sirrix-AG";
repo = "TrustedGRUB2";
rev = version;
sha256 =
if for_HP_laptop
then "sha256-H1JzT/RgnbHqnW2/FmvXFuI6gnHI2vQU3W1iq2FqwJw="
else "sha256-k8DGHjTIpnjWw7GNN2kyR8rRl2MAq1xkfOndd0znLns=";
};
nativeBuildInputs = [ autogen flex bison python2 autoconf automake ];
buildInputs = [ ncurses libusb-compat-0_1 freetype gettext lvm2 ]
++ lib.optional doCheck qemu;
hardeningDisable = [ "stackprotector" "pic" ];
env.NIX_CFLAGS_COMPILE = "-Wno-error"; # generated code redefines yyfree
preConfigure =
'' for i in "tests/util/"*.in
do
sed -i "$i" -e's|/bin/bash|${stdenv.shell}|g'
done
# Apparently, the QEMU executable is no longer called
# `qemu-system-i386', even on i386.
#
# In addition, use `-nodefaults' to avoid errors like:
#
# chardev: opening backend "stdio" failed
# qemu: could not open serial device 'stdio': Invalid argument
#
# See <http://www.mail-archive.com/qemu-devel@nongnu.org/msg22775.html>.
sed -i "tests/util/grub-shell.in" \
-e's/qemu-system-i386/qemu-system-x86_64 -nodefaults/g'
'';
prePatch =
'' tar zxf ${po_src} grub-2.02~beta2/po
rm -rf po
mv grub-2.02~beta2/po po
sh autogen.sh
gunzip < "${unifont_bdf}" > "unifont.bdf"
sed -i "configure" \
-e "s|/usr/src/unifont.bdf|$PWD/unifont.bdf|g"
'';
patches = [
./fix-bash-completion.patch
(fetchpatch {
# glibc-2.26 and above needs '<sys/sysmacros.h>'
url = "https://github.com/Rohde-Schwarz/TrustedGRUB2/commit/7a5b301e3adb8e054288518a325135a1883c1c6c.patch";
sha256 = "1jfrrmcrd9a8w7n419kszxgbpshx7888wc05smg5q4jvc1ag3xm7";
})
];
# save target that grub is compiled for
grubTarget = lib.optionalString inPCSystems "${pcSystems.${stdenv.hostPlatform.system}.target}-pc";
doCheck = false;
# On -j16 races with early header creation:
# config.h:38:10: fatal error: ./config-util.h: No such file or directory
enableParallelBuilding = false;
meta = with lib; {
description = "GRUB 2.0 extended with TCG (TPM) support for integrity measured boot process (trusted boot)";
homepage = "https://github.com/Sirrix-AG/TrustedGRUB2";
license = licenses.gpl3Plus;
platforms = platforms.gnu ++ platforms.linux;
};
}

2
pkgs/top-level/aliases.nix
View file

@ -1657,6 +1657,8 @@ mapAliases ({
trebleshot = throw "trebleshot has been removed. It was archived upstream, so it's considered abandoned";
trilium = throw "trilium has been removed. Please use trilium-desktop instead"; # Added 2020-04-29
truecrypt = throw "'truecrypt' has been renamed to/replaced by 'veracrypt'"; # Converted to throw 2022-02-22
trustedGrub = throw "trustedGrub has been removed, because it is not maintained upstream anymore"; # Added 2023-05-10
trustedGrub-for-HP = throw "trustedGrub-for-HP has been removed, because it is not maintained upstream anymore"; # Added 2023-05-10
tuijam = throw "tuijam has been removed because Google Play Music was discontinued"; # Added 2021-03-07
turbo-geth = throw "turbo-geth has been renamed to erigon"; # Added 2021-08-08
tvbrowser-bin = tvbrowser; # Added 2023-03-02

4
pkgs/top-level/all-packages.nix
View file

@ -8168,10 +8168,6 @@ with pkgs;
grpc-client-cli = callPackage ../development/tools/misc/grpc-client-cli { };
trustedGrub = pkgsi686Linux.callPackage ../tools/misc/grub/trusted.nix { };
trustedGrub-for-HP = pkgsi686Linux.callPackage ../tools/misc/grub/trusted.nix { for_HP_laptop = true; };
grub2 = callPackage ../tools/misc/grub/default.nix {
# update breaks grub2
gnulib = pkgs.gnulib.overrideAttrs (_: rec {