feat(tdx): add nix build for TDX google VMs

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
2025-07-21 15:13:56 +02:00 · 2025-01-08 08:59:23 +01:00 · 2025-01-08 08:59:23 +01:00 · dc1e756ec6
commit dc1e756ec6
parent 8270c389e4
11 changed files with 638 additions and 16 deletions
--- a/packages/tdx_google/verity.nix
+++ b/packages/tdx_google/verity.nix
@ -0,0 +1,127 @@
+{ config
+, pkgs
+, lib
+, modulesPath
+, ...
+}:
+let
+  inherit (config.image.repart.verityStore) partitionIds;
+in
+{
+  imports = [
+    "${toString modulesPath}/image/repart.nix"
+  ];
+
+  fileSystems = {
+    "/" = {
+      fsType = "tmpfs";
+      options = [ "mode=0755" "noexec" ];
+    };
+
+    "/dev/shm" = {
+      fsType = "tmpfs";
+      options = [ "defaults" "nosuid" "noexec" "nodev" "size=2G" ];
+    };
+
+    "/run" = {
+      fsType = "tmpfs";
+      options = [ "defaults" "mode=0755" "nosuid" "noexec" "nodev" "size=512M" ];
+    };
+
+    "/usr" = {
+      device = "/dev/mapper/usr";
+      # explicitly mount it read-only otherwise systemd-remount-fs will fail
+      options = [ "ro" ];
+      fsType = config.image.repart.partitions.${partitionIds.store}.repartConfig.Format;
+    };
+
+    # bind-mount the store
+    "/nix/store" = {
+      device = "/usr/nix/store";
+      options = [ "bind" ];
+    };
+  };
+
+  image.repart = {
+    verityStore = {
+      enable = true;
+      ukiPath = "/EFI/BOOT/BOOTx64.EFI";
+    };
+
+    partitions = {
+      ${partitionIds.esp} = {
+        # the UKI is injected into this partition by the verityStore module
+        repartConfig = {
+          Type = "esp";
+          Format = "vfat";
+          SizeMinBytes = "64M";
+        };
+      };
+      ${partitionIds.store-verity}.repartConfig = {
+        Minimize = "best";
+      };
+      ${partitionIds.store}.repartConfig = {
+        Minimize = "best";
+        Format = "squashfs";
+      };
+    };
+  };
+
+  boot = {
+    loader.grub.enable = false;
+    initrd.systemd.enable = true;
+  };
+
+  system.image = {
+    id = lib.mkDefault "nixos-appliance";
+    version = "1";
+  };
+
+  # don't create /usr/bin/env
+  # this would require some extra work on read-only /usr
+  # and it is not a strict necessity
+  system.activationScripts.usrbinenv = lib.mkForce "";
+
+  boot.kernelParams = [
+    "systemd.verity_usr_options=panic-on-corruption"
+    "panic=30"
+    "boot.panic_on_fail" # reboot the machine upon fatal boot issues
+    "lockdown=1"
+  ];
+
+  system.build.vmdk_verity =
+    config.system.build.finalImage.overrideAttrs
+      (
+        finalAttrs: previousAttrs:
+          let
+            kernel = config.boot.uki.settings.UKI.Linux;
+            ukifile = "${config.system.build.uki}/${config.system.boot.loader.ukiFile}";
+          in
+          {
+            nativeBuildInputs =
+              previousAttrs.nativeBuildInputs
+              ++ [
+                pkgs.qemu
+                pkgs.teepot.teepot.rtmr_calc
+              ];
+
+            postInstall = ''
+              qemu-img convert -f raw -O vmdk \
+                $out/${config.image.repart.imageFileBasename}.raw \
+                $out/${config.image.repart.imageFileBasename}.vmdk
+              qemu-img info \
+                $out/${config.image.repart.imageFileBasename}.vmdk
+              echo "kernel: ${kernel}"
+              echo "uki: ${ukifile}"
+              rtmr-calc \
+               --image $out/${config.image.repart.imageFileBasename}.raw \
+               --bootefi "${ukifile}" \
+               --kernel "${kernel}" | tee $out/${config.image.repart.imageFileBasename}_rtmr.json
+              rm -vf $out/${config.image.repart.imageFileBasename}.raw
+            '';
+          }
+      );
+
+  formatAttr = lib.mkForce "vmdk_verity";
+  fileExtension = lib.mkForce ".raw";
+}