gador/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/systemd-boot: Add reboot-for-bitlocker support

Browse Source 
Windows with BitLocker and TPM enabled doesn't support boot chaining.
This option activates a special experimental mode in systemd-boot that
tries to detect such systems and, if detected and selected by the user
at the boot menu, set the BootNext EFI variable to it before resetting.
This commit is contained in:
Thibault Polge
2023-09-04 14:12:24 +02:00
committed by Florian Klink
parent 58bc3da2ae
commit a68b81c429
2 changed files with 20 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
View File

@@ -29,6 +29,7 @@ DISTRO_NAME = "@distroName@"
NIX = "@nix@"
SYSTEMD = "@systemd@"
CONFIGURATION_LIMIT = int("@configurationLimit@")
REBOOT_FOR_BITLOCKER = bool("@rebootForBitlocker@")
CAN_TOUCH_EFI_VARIABLES = "@canTouchEfiVariables@"
GRACEFUL = "@graceful@"
COPY_EXTRA_FILES = "@copyExtraFiles@"
@@ -189,6 +190,8 @@ def write_loader_conf(profile: str | None) -> None:
f.write("default nixos-generation-*\n")
if not EDITOR:
f.write("editor 0\n")
if REBOOT_FOR_BITLOCKER:
f.write("reboot-for-bitlocker yes\n");
f.write(f"console-mode {CONSOLE_MODE}\n")
f.flush()
os.fsync(f.fileno())

18
nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
View File

@@ -40,7 +40,7 @@ let
configurationLimit = if cfg.configurationLimit == null then 0 else cfg.configurationLimit;
inherit (cfg) consoleMode graceful editor;
inherit (cfg) consoleMode graceful editor rebootForBitlocker;
inherit (efi) efiSysMountPoint canTouchEfiVariables;
@@ -333,6 +333,22 @@ in {
};
};
rebootForBitlocker = mkOption {
default = false;
type = types.bool;
description = ''
Enable *EXPERIMENTAL* BitLocker support.
Try to detect BitLocker encrypted drives along with an active
TPM. If both are found and Windows Boot Manager is selected in
the boot menu, set the "BootNext" EFI variable and restart the
system. The firmware will then start Windows Boot Manager
directly, leaving the TPM PCRs in expected states so that
Windows can unseal the encryption key.
'';
};
};
config = mkIf cfg.enable {