-rw-r--r-- | nixos/doc/manual/from_md/release-notes/rl-2211.section.xml | 6 | ||||
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2211.section.md | 2 | ||||
-rw-r--r-- | nixos/modules/hardware/cpu/amd-sev.nix | 51 |
3 files changed, 59 insertions, 0 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
index be3adc4d3bed9..8cb8e16952329 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
@@ -359,6 +359,12 @@
 </listitem>
 <listitem>
 <para>
+ There is a new module for AMD SEV CPU functionality, which
+ grants access to the hardware.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
 There is a new module for the <literal>thunar</literal>
 program (the Xfce file manager), which depends on the
 <literal>xfconf</literal> dbus service, and also has a dbus
diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md
index 3f9afe13f1d99..b664ea02f4fab 100644
--- a/nixos/doc/manual/release-notes/rl-2211.section.md
+++ b/nixos/doc/manual/release-notes/rl-2211.section.md
@@ -132,6 +132,8 @@ Use `configure.packages` instead.
 - The `pass-secret-service` package now includes systemd units from upstream, so adding it to the NixOS `services.dbus.packages` option will make it start automatically as a systemd user service when an application tries to talk to the libsecret D-Bus API.
+- There is a new module for AMD SEV CPU functionality, which grants access to the hardware.
+
 - There is a new module for the `thunar` program (the Xfce file manager), which depends on the `xfconf` dbus service, and also has a dbus service and a systemd unit. The option `services.xserver.desktopManager.xfce.thunarPlugins` has been renamed to `programs.thunar.plugins`, and in a future release it may be removed.
 - There is a new module for the `xfconf` program (the Xfce configuration storage system), which has a dbus service.
diff --git a/nixos/modules/hardware/cpu/amd-sev.nix b/nixos/modules/hardware/cpu/amd-sev.nix
new file mode 100644
index 0000000000000..32fed2c484d44
--- /dev/null
+++ b/nixos/modules/hardware/cpu/amd-sev.nix
@@ -0,0 +1,51 @@
+{ config, lib, ... }:
+with lib;
+let
+ cfg = config.hardware.cpu.amd.sev;
+ defaultGroup = "sev";
+in
+ with lib; {
+ options.hardware.cpu.amd.sev = {
+ enable = mkEnableOption "access to the AMD SEV device";
+ user = mkOption {
+ description = "Owner to assign to the SEV device.";
+ type = types.str;
+ default = "root";
+ };
+ group = mkOption {
+ description = "Group to assign to the SEV device.";
+ type = types.str;
+ default = defaultGroup;
+ };
+ mode = mkOption {
+ description = "Mode to set for the SEV device.";
+ type = types.str;
+ default = "0660";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = hasAttr cfg.user config.users.users;
+ message = "Given user does not exist";
+ }
+ {
+ assertion = (cfg.group == defaultGroup) || (hasAttr cfg.group config.users.groups);
+ message = "Given group does not exist";
+ }
+ ];
+
+ boot.extraModprobeConfig = ''
+ options kvm_amd sev=1
+ '';
+
+ users.groups = optionalAttrs (cfg.group == defaultGroup) {
+ "${cfg.group}" = {};
+ };
+
+ services.udev.extraRules = with cfg; ''
+ KERNEL=="sev", OWNER="${user}", GROUP="${group}", MODE="${mode}"
+ '';
+ };
+ } |
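Review bot: `mode` is a bare `types.str` that is spliced unchecked into the udev rule at the bottom of the hunk, so a mistyped value (`"660 "`, `"rw"`, or anything containing a `"`) is only discovered when udev presumably ignores the rule and the device keeps its default permissions; tightening it to `type = types.strMatching "[0-7]{3,4}";` catches that at evaluation time, while `user` and `group` are already bounded by the existence assertions above. The `group` option description should also say what membership means: if I recall correctly `/dev/sev` is the SEV platform-management interface (firmware commands, not only guest launch), so a line such as `"Group to assign to the SEV device. Members get full access to the SEV platform interface; treat it as a privileged group."` would help operators decide who to add to `sev`. Separately, `with lib;` appears both at file level and again after `in`; one of the two is redundant and the duplicate is worth dropping for readability.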