authorRoman Volosatovs <rvolosatovs@riseup.net>2022-07-11 12:33:06 +0200
committerRoman Volosatovs <rvolosatovs@riseup.net>2022-07-25 18:13:52 +0200
commit191f777c4af43744eef543ba9c12b3259a055a7d (patch)
tree3f479c2bd400d6a95b941f5866d8bfa53c46562b /nixos/modules/hardware
parente9109d950b06e7792ff1b3b91a13d757dd2d0167 (diff)
nixos/amd.sev: init
Signed-off-by: Roman Volosatovs <roman@profian.com>
Signed-off-by: Roman Volosatovs <rvolosatovs@riseup.net>
Diffstat (limited to 'nixos/modules/hardware')
-rw-r--r--nixos/modules/hardware/cpu/amd-sev.nix51
1 files changed, 51 insertions, 0 deletions
diff --git a/nixos/modules/hardware/cpu/amd-sev.nix b/nixos/modules/hardware/cpu/amd-sev.nix
new file mode 100644
index 0000000000000..32fed2c484d44
--- /dev/null
+++ b/nixos/modules/hardware/cpu/amd-sev.nix
@@ -0,0 +1,51 @@
+{ config, lib, ... }:
+with lib;
+let
+  cfg = config.hardware.cpu.amd.sev;
+  defaultGroup = "sev";
+in
+  with lib; {
+    options.hardware.cpu.amd.sev = {
+      enable = mkEnableOption "access to the AMD SEV device";
+      user = mkOption {
+        description = "Owner to assign to the SEV device.";
+        type = types.str;
+        default = "root";
+      };
+      group = mkOption {
+        description = "Group to assign to the SEV device.";
+        type = types.str;
+        default = defaultGroup;
+      };
+      mode = mkOption {
+        description = "Mode to set for the SEV device.";
+        type = types.str;
+        default = "0660";
+      };
+    };
+
+    config = mkIf cfg.enable {
+      assertions = [
+        {
+          assertion = hasAttr cfg.user config.users.users;
+          message = "Given user does not exist";
+        }
+        {
+          assertion = (cfg.group == defaultGroup) || (hasAttr cfg.group config.users.groups);
+          message = "Given group does not exist";
+        }
+      ];
+
+      boot.extraModprobeConfig = ''
+        options kvm_amd sev=1
+      '';
+
+      users.groups = optionalAttrs (cfg.group == defaultGroup) {
+        "${cfg.group}" = {};
+      };
+
+      services.udev.extraRules = with cfg; ''
+        KERNEL=="sev", OWNER="${user}", GROUP="${group}", MODE="${mode}"
+      '';
+    };
+  }
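Review bot: The `mode` option is declared as `types.str` with default "0660" but nothing checks that it is actually an octal permission string, and the value is interpolated verbatim into the quoted udev rule on the `KERNEL=="sev"` line, so a stray `"` or a non-numeric value would produce a malformed rule that udev rejects at load time rather than a build-time error; tightening the type to `type = types.strMatching "[0-7]{3,4}";` catches that in evaluation. The `user` and `group` options are interpolated into the same rule and only the existence of the user and group is asserted, not that the names are free of characters that break the rule syntax, which is worth a sentence in their descriptions. As a point of style, `with lib;` appears both at the top of the file and again on the attrset line, and the second one is redundant.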