authorAlejandro Soto <alejandro@34project.org>2025-07-23 20:52:42 -0600
committerAlejandro Soto <alejandro@34project.org>2025-07-24 00:17:08 -0600
commit2ad37812978e83578ce6c7cf5fcd3e7d783b99a4 (patch)
tree88e9012cb8723b6dbe133a59cfe7b26e7370a6e7 /sys
parent7a6f4790282d001e2c7adbdaa4806f8beed02ddb (diff)
sys/boot/tpm: initial commit
Diffstat (limited to '')
-rw-r--r--sys/boot/default.nix1
-rw-r--r--sys/boot/tpm.nix27
2 files changed, 28 insertions, 0 deletions
diff --git a/sys/boot/default.nix b/sys/boot/default.nix
index 73fe5d6..4580cba 100644
--- a/sys/boot/default.nix
+++ b/sys/boot/default.nix
@@ -9,5 +9,6 @@
./namespaced.nix
./secure-boot.nix
./stack
+ ./tpm.nix
];
}
diff --git a/sys/boot/tpm.nix b/sys/boot/tpm.nix
new file mode 100644
index 0000000..4932b7c
--- /dev/null
+++ b/sys/boot/tpm.nix
@@ -0,0 +1,27 @@
+{ config, lib, pkgs, ... }:
+with lib; let
+ cfg = config.local.boot.tpm;
+in
+{
+ options.local.boot.tpm = {
+ enable = mkEnableOption "Trusted Platform Module 2.0";
+ };
+
+ config = mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = config.local.boot.efi.enable;
+ message = "TPM2 requires EFI";
+ }
+ ];
+
+ security.tpm2 = {
+ enable = true;
+
+ pkcs11.enable = true;
+ tctiEnvironment.enable = true;
+ };
+
+ environment.systemPackages = [ pkgs.tpm2-tools ];
+ };
+}
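Review bot: The module turns on `pkcs11.enable` and `tctiEnvironment.enable`, which point every user's TPM tooling at the kernel resource manager, but nothing here grants any user access to that device; in NixOS `security.tpm2.enable` installs udev rules that hand `/dev/tpm*` and `/dev/tpmrm*` to the `tss` group, so non-root sessions will presumably fail with permission errors until the relevant users are added to `tss`, which is a deliberate least-privilege boundary worth stating. A comment above `tctiEnvironment.enable = true;` such as `# Users who need TPM/PKCS#11 access must be members of the tss group (see security.tpm2.tssGroup); root and services running as tss get it by default.` would save the next maintainer a debugging round. The assertion on `config.local.boot.efi.enable` also deserves a one-line why, e.g. `# EFI is required so the firmware's measured boot populates the PCRs this module is meant to use.`, since a TPM2 chip itself does not depend on EFI. Finally, `with lib;` at module scope is discouraged in NixOS modules because it makes `mkIf`/`mkEnableOption` implicit; `inherit (lib) mkEnableOption mkIf;` in the `let` block keeps the same behaviour with explicit provenance.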