authorSergei Trofimovich <slyich@gmail.com>2022-08-10 23:32:39 +0100
committerGitHub <noreply@github.com>2022-08-10 23:32:39 +0100
commit5ad2e70f9527c16a9b520c9183aa5a2d22ed224a (patch)
treebdedcf68ef95cbf865d7148b7135be0420444961 /nixos/modules/hardware
parent1418780ec38d1982bcb4b5890858e5ec604b0d51 (diff)
parent191f777c4af43744eef543ba9c12b3259a055a7d (diff)
Merge pull request #181079 from profianinc/init/nixos/amd-sev
nixos/amd.sev: init
Diffstat (limited to 'nixos/modules/hardware')
-rw-r--r--nixos/modules/hardware/cpu/amd-sev.nix51
1 files changed, 51 insertions, 0 deletions
diff --git a/nixos/modules/hardware/cpu/amd-sev.nix b/nixos/modules/hardware/cpu/amd-sev.nix
new file mode 100644
index 0000000000000..32fed2c484d44
--- /dev/null
+++ b/nixos/modules/hardware/cpu/amd-sev.nix
@@ -0,0 +1,51 @@
+{ config, lib, ... }:
+with lib;
+let
+  cfg = config.hardware.cpu.amd.sev;
+  defaultGroup = "sev";
+in
+  with lib; {
+    options.hardware.cpu.amd.sev = {
+      enable = mkEnableOption "access to the AMD SEV device";
+      user = mkOption {
+        description = "Owner to assign to the SEV device.";
+        type = types.str;
+        default = "root";
+      };
+      group = mkOption {
+        description = "Group to assign to the SEV device.";
+        type = types.str;
+        default = defaultGroup;
+      };
+      mode = mkOption {
+        description = "Mode to set for the SEV device.";
+        type = types.str;
+        default = "0660";
+      };
+    };
+
+    config = mkIf cfg.enable {
+      assertions = [
+        {
+          assertion = hasAttr cfg.user config.users.users;
+          message = "Given user does not exist";
+        }
+        {
+          assertion = (cfg.group == defaultGroup) || (hasAttr cfg.group config.users.groups);
+          message = "Given group does not exist";
+        }
+      ];
+
+      boot.extraModprobeConfig = ''
+        options kvm_amd sev=1
+      '';
+
+      users.groups = optionalAttrs (cfg.group == defaultGroup) {
+        "${cfg.group}" = {};
+      };
+
+      services.udev.extraRules = with cfg; ''
+        KERNEL=="sev", OWNER="${user}", GROUP="${group}", MODE="${mode}"
+      '';
+    };
+  }
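Review bot: The `mode` option (lines 43-47) is an unconstrained `types.str` with no documented meaning, so a world-writable value such as `0666` or a typo such as `660x` is interpolated verbatim into the udev rule at line 71 and only surfaces when the device node is created; a pattern type, `type = types.strMatching "[0-7]{3,4}";`, would reject it at evaluation time. The `group` description also does not say what membership confers, even though the default `0660` at line 46 gives that group read/write access to the device; I would extend it to `description = "Group to assign to the SEV device; with the default mode its members get read/write access to /dev/sev.";`. Note that the group assertion at line 57 is deliberately bypassed for the default group, which line 66 creates, so a non-default group must already be declared in `users.groups`. Minor style point: `with lib;` appears twice (lines 25 and 30); one is enough.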