nixos/tpm2: add comment describing purpose of script

2025-09-15 14:49:31 -04:00
parent db83ec4e2a
commit 95d8873397
1 changed files with 9 additions and 0 deletions
--- a/nixos/modules/security/tpm2.nix
+++ b/nixos/modules/security/tpm2.nix
@@ -306,6 +306,15 @@ in
      }

      {
+        # This script has the hash of the udev rules in it,
+        # and also writes that hash to
+        # /var/lib/tpm2-udev-trigger/hash.txt at the end.
+        # On each run, it checks to see if the hash embedded in the script
+        # matches the hash on disk. If they are different, that
+        # indicates that the udev rules created by this module
+        # have changed. In that case, a udev change is triggered
+        # for tpm and tpmrm devices so that the new rules are
+        # applied at the end of a nixos-rebuild switch or activate
        systemd.services."tpm2-udev-trigger" =
          let
            udevHash =