sgx: unsgx and prevent sleep on lid close

Signed-off-by: Harald Hoyer <harald@hoyer.xyz>
sgx: set disks idle
2024-04-10 21:46:05 +02:00 · 2024-04-10 21:45:22 +02:00 · 2024-04-10 21:45:02 +02:00
3 changed files with 401 additions and 335 deletions
--- a/flake.lock
+++ b/flake.lock
--- a/systems/x86_64-linux/sgx/default.nix
+++ b/systems/x86_64-linux/sgx/default.nix
@ -13,12 +13,11 @@
  metacfg = {
    base.enable = true;
    gui.enable = false;
-    nix-ld.enable = true;
+    nix-ld.enable = false;
    nix.enable = true;
    aesmd_dcap.enable = true;
    podman.enable = true;
    secureboot.enable = true;
-    user.extraGroups = [ "docker" "sgx" ];
+    user.extraGroups = [ "docker" ];
  };
  virtualisation = {
@ -26,6 +25,7 @@
    libvirtd.enable = true;
    podman.dockerCompat = false;
  };
  systemd.services.libvirt-guests.after = [ "network-online.target" ];
  system.autoUpgrade = {
@ -34,19 +34,11 @@
    allowReboot = true;
  };
-  services.pcscd.enable = true;
+  systemd.targets.sleep.enable = false;
-
+  systemd.targets.suspend.enable = false;
-  environment.etc."sgx_default_qcnl.conf".text = ''
+  systemd.targets.hibernate.enable = false;
-    {
+  systemd.targets.hybrid-sleep.enable = false;
-      "pccs_url": "https://api.trustedservices.intel.com/sgx/certification/v4/",
+  services.xserver.displayManager.gdm.autoSuspend = false;
      "use_secure_cert": true,
      "retry_times": 6,
      "retry_delay": 10,
      "pck_cache_expire_hours": 168,
      "verify_collateral_cache_expire_hours": 168,
      "local_cache_only": false
    }
  '';
  system.stateVersion = "23.11";
 }
--- a/systems/x86_64-linux/sgx/hardware-configuration.nix
+++ b/systems/x86_64-linux/sgx/hardware-configuration.nix
@ -1,7 +1,7 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, modulesPath, ... }:
+{ pkgs, config, lib, modulesPath, ... }:
 {
  imports =
@ -54,6 +54,29 @@
    c4  /dev/disk/by-uuid/5c61cbf0-dbca-48e0-948e-71bea3806a6c /dev/disk/by-id/usb-Ut165_USB2FlashStorage_08050508d213e6-0:0-part1 luks,keyfile-size=256
  '';
  systemd.services.hd-idle = {
    description = "Set to idle";
    wantedBy = [ "multi-user.target" ];
    after = [
      "dev-disk-by\\x2did-ata\\x2dST16000NT001\\x2d3LV101_ZRS0K2TX.device"
      "dev-disk-by\\x2did-ata\\x2dST16000NT001\\x2d3LV101_ZRS0K3WR.device"
      "dev-disk-by\\x2did-ata\\x2dWDC_WD40EFRX\\x2d68WT0N0_WD\\x2dWCC4E0710903.device"
      "dev-disk-by\\x2did-ata\\x2dWDC_WD40EFRX\\x2d68WT0N0_WD\\x2dWCC4E0732164.device"
      "dev-disk-by\\x2did-ata\\x2dWDC_WD40EFRX\\x2d68WT0N0_WD\\x2dWCC4E0732505.device"
    ];
    bindsTo = [
      "dev-disk-by\\x2did-ata\\x2dST16000NT001\\x2d3LV101_ZRS0K2TX.device"
      "dev-disk-by\\x2did-ata\\x2dST16000NT001\\x2d3LV101_ZRS0K3WR.device"
      "dev-disk-by\\x2did-ata\\x2dWDC_WD40EFRX\\x2d68WT0N0_WD\\x2dWCC4E0710903.device"
      "dev-disk-by\\x2did-ata\\x2dWDC_WD40EFRX\\x2d68WT0N0_WD\\x2dWCC4E0732164.device"
      "dev-disk-by\\x2did-ata\\x2dWDC_WD40EFRX\\x2d68WT0N0_WD\\x2dWCC4E0732505.device"
    ];
    serviceConfig = {
      Type = "oneshot";
      ExecStart = "${pkgs.bash}/bin/bash -c '${pkgs.hdparm}/sbin/hdparm -S 60 /dev/disk/by-id/ata-*'";
    };
  };
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
Author	SHA1	Message	Date
Harald Hoyer	4066b0cd80	sgx: unsgx and prevent sleep on lid close Signed-off-by: Harald Hoyer <harald@hoyer.xyz>	2024-04-10 21:46:05 +02:00
Harald Hoyer	7d0cf0ac60	sgx: set disks idle Signed-off-by: Harald Hoyer <harald@hoyer.xyz>	2024-04-10 21:45:22 +02:00
Harald Hoyer	969d86d932	flake update Signed-off-by: Harald Hoyer <harald@hoyer.xyz>	2024-04-10 21:45:02 +02:00