Merge pull request #181079 from profianinc/init/nixos/amd-sev

nixos/amd.sev: init

3 files changed, 59 insertions, 0 deletions

diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
index db5d2d44e1b0c..5d09d3a93aae8 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
@@ -408,6 +408,12 @@
       </listitem>
       <listitem>
         <para>
+          There is a new module for AMD SEV CPU functionality, which
+          grants access to the hardware.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
           There is a new module for the <literal>thunar</literal>
           program (the Xfce file manager), which depends on the
           <literal>xfconf</literal> dbus service, and also has a dbus
diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md
index 37d53841b76be..f37d7d827bd9a 100644
--- a/nixos/doc/manual/release-notes/rl-2211.section.md
+++ b/nixos/doc/manual/release-notes/rl-2211.section.md
@@ -149,6 +149,8 @@ Use `configure.packages` instead.
 
 - The `pass-secret-service` package now includes systemd units from upstream, so adding it to the NixOS `services.dbus.packages` option will make it start automatically as a systemd user service when an application tries to talk to the libsecret D-Bus API.
 
+- There is a new module for AMD SEV CPU functionality, which grants access to the hardware.
+
 - There is a new module for the `thunar` program (the Xfce file manager), which depends on the `xfconf` dbus service, and also has a dbus service and a systemd unit. The option `services.xserver.desktopManager.xfce.thunarPlugins` has been renamed to `programs.thunar.plugins`, and in a future release it may be removed.
 
 - There is a new module for the `xfconf` program (the Xfce configuration storage system), which has a dbus service.
diff --git a/nixos/modules/hardware/cpu/amd-sev.nix b/nixos/modules/hardware/cpu/amd-sev.nix
new file mode 100644
index 0000000000000..32fed2c484d44
--- /dev/null
+++ b/nixos/modules/hardware/cpu/amd-sev.nix
@@ -0,0 +1,51 @@
+{ config, lib, ... }:
+with lib;
+let
+  cfg = config.hardware.cpu.amd.sev;
+  defaultGroup = "sev";
+in
+  with lib; {
+    options.hardware.cpu.amd.sev = {
+      enable = mkEnableOption "access to the AMD SEV device";
+      user = mkOption {
+        description = "Owner to assign to the SEV device.";
+        type = types.str;
+        default = "root";
+      };
+      group = mkOption {
+        description = "Group to assign to the SEV device.";
+        type = types.str;
+        default = defaultGroup;
+      };
+      mode = mkOption {
+        description = "Mode to set for the SEV device.";
+        type = types.str;
+        default = "0660";
+      };
+    };
+
+    config = mkIf cfg.enable {
+      assertions = [
+        {
+          assertion = hasAttr cfg.user config.users.users;
+          message = "Given user does not exist";
+        }
+        {
+          assertion = (cfg.group == defaultGroup) || (hasAttr cfg.group config.users.groups);
+          message = "Given group does not exist";
+        }
+      ];
+
+      boot.extraModprobeConfig = ''
+        options kvm_amd sev=1
+      '';
+
+      users.groups = optionalAttrs (cfg.group == defaultGroup) {
+        "${cfg.group}" = {};
+      };
+
+      services.udev.extraRules = with cfg; ''
+        KERNEL=="sev", OWNER="${user}", GROUP="${group}", MODE="${mode}"
+      '';
+    };
+  }