forked from M-Labs/wfvm
add enableTpm
This commit is contained in:
parent
bc24fd6a2b
commit
16e041282f
@ -15,6 +15,7 @@
|
|||||||
, impureShellCommands ? []
|
, impureShellCommands ? []
|
||||||
, driveLetter ? "D:"
|
, driveLetter ? "D:"
|
||||||
, imageSelection ? "Windows 11 Pro N"
|
, imageSelection ? "Windows 11 Pro N"
|
||||||
|
, enableTpm
|
||||||
, ...
|
, ...
|
||||||
}:
|
}:
|
||||||
|
|
||||||
@ -146,12 +147,14 @@ let
|
|||||||
</DriverPaths>
|
</DriverPaths>
|
||||||
</component>
|
</component>
|
||||||
<component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
<component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
||||||
<RunSynchronous>
|
${lib.optionalString (!enableTpm) ''
|
||||||
<RunSynchronousCommand wcm:action="add">
|
<RunSynchronous>
|
||||||
<Order>1</Order>
|
<RunSynchronousCommand wcm:action="add">
|
||||||
<Path>reg add HKLM\System\Setup\LabConfig /v BypassTPMCheck /t reg_dword /d 0x00000001 /f</Path>
|
<Order>1</Order>
|
||||||
</RunSynchronousCommand>
|
<Path>reg add HKLM\System\Setup\LabConfig /v BypassTPMCheck /t reg_dword /d 0x00000001 /f</Path>
|
||||||
</RunSynchronous>
|
</RunSynchronousCommand>
|
||||||
|
</RunSynchronous>
|
||||||
|
''}
|
||||||
|
|
||||||
<DiskConfiguration>
|
<DiskConfiguration>
|
||||||
<Disk wcm:action="add">
|
<Disk wcm:action="add">
|
||||||
|
@ -1,4 +1,9 @@
|
|||||||
{ pkgs, baseRtc ? "2022-10-10T10:10:10", cores ? "4", qemuMem ? "4G" }:
|
{ pkgs
|
||||||
|
, baseRtc ? "2022-10-10T10:10:10"
|
||||||
|
, cores ? "4"
|
||||||
|
, qemuMem ? "4G"
|
||||||
|
, enableTpm ? false
|
||||||
|
}:
|
||||||
|
|
||||||
rec {
|
rec {
|
||||||
# qemu_test is a smaller closure only building for a single system arch
|
# qemu_test is a smaller closure only building for a single system arch
|
||||||
@ -19,8 +24,19 @@ rec {
|
|||||||
"-device qemu-xhci"
|
"-device qemu-xhci"
|
||||||
"-device virtio-net-pci,netdev=n1"
|
"-device virtio-net-pci,netdev=n1"
|
||||||
"-bios ${OVMF.fd}/FV/OVMF.fd"
|
"-bios ${OVMF.fd}/FV/OVMF.fd"
|
||||||
|
] ++ pkgs.lib.optionals enableTpm [
|
||||||
|
"-chardev" "socket,id=chrtpm,path=tpm.sock"
|
||||||
|
"-tpmdev" "emulator,id=tpm0,chardev=chrtpm"
|
||||||
|
"-device" "tpm-tis,tpmdev=tpm0"
|
||||||
] ++ extraFlags;
|
] ++ extraFlags;
|
||||||
|
|
||||||
|
tpmStartCommands = pkgs.lib.optionalString enableTpm ''
|
||||||
|
mkdir -p tpmstate
|
||||||
|
${pkgs.swtpm}/bin/swtpm socket \
|
||||||
|
--tpmstate dir=tpmstate \
|
||||||
|
--ctrl type=unixio,path=tpm.sock &
|
||||||
|
'';
|
||||||
|
|
||||||
# Pass empty config file to prevent ssh from failing to create ~/.ssh
|
# Pass empty config file to prevent ssh from failing to create ~/.ssh
|
||||||
sshOpts = "-F /dev/null -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR -o ConnectTimeout=1";
|
sshOpts = "-F /dev/null -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR -o ConnectTimeout=1";
|
||||||
win-exec = pkgs.writeShellScriptBin "win-exec" ''
|
win-exec = pkgs.writeShellScriptBin "win-exec" ''
|
||||||
@ -96,6 +112,7 @@ rec {
|
|||||||
]);
|
]);
|
||||||
in pkgs.writeShellScriptBin "wfvm-run-${name}" ''
|
in pkgs.writeShellScriptBin "wfvm-run-${name}" ''
|
||||||
set -e -m
|
set -e -m
|
||||||
|
${tpmStartCommands}
|
||||||
${qemu}/bin/qemu-system-x86_64 ${pkgs.lib.concatStringsSep " " qemuParams} &
|
${qemu}/bin/qemu-system-x86_64 ${pkgs.lib.concatStringsSep " " qemuParams} &
|
||||||
|
|
||||||
${win-wait}/bin/win-wait
|
${win-wait}/bin/win-wait
|
||||||
|
@ -5,6 +5,7 @@
|
|||||||
, impureMode ? false
|
, impureMode ? false
|
||||||
, installCommands ? []
|
, installCommands ? []
|
||||||
, users ? {}
|
, users ? {}
|
||||||
|
, enableTpm ? true
|
||||||
# autounattend always installs index 1, so this default is backward-compatible
|
# autounattend always installs index 1, so this default is backward-compatible
|
||||||
, imageSelection ? "Windows 11 Pro N"
|
, imageSelection ? "Windows 11 Pro N"
|
||||||
, ...
|
, ...
|
||||||
@ -12,7 +13,7 @@
|
|||||||
|
|
||||||
let
|
let
|
||||||
lib = pkgs.lib;
|
lib = pkgs.lib;
|
||||||
utils = import ./utils.nix { inherit pkgs; };
|
utils = import ./utils.nix { inherit pkgs enableTpm; };
|
||||||
inherit (pkgs) guestfs-tools;
|
inherit (pkgs) guestfs-tools;
|
||||||
|
|
||||||
# p7zip on >20.03 has known vulns but we have no better option
|
# p7zip on >20.03 has known vulns but we have no better option
|
||||||
@ -52,7 +53,7 @@ let
|
|||||||
|
|
||||||
autounattend = import ./autounattend.nix (
|
autounattend = import ./autounattend.nix (
|
||||||
attrs // {
|
attrs // {
|
||||||
inherit pkgs;
|
inherit pkgs enableTpm;
|
||||||
users = users // {
|
users = users // {
|
||||||
wfvm = {
|
wfvm = {
|
||||||
password = "1234";
|
password = "1234";
|
||||||
@ -126,6 +127,8 @@ let
|
|||||||
virt-make-fs --partition --type=fat win/ usbimage.img
|
virt-make-fs --partition --type=fat win/ usbimage.img
|
||||||
rm -rf win
|
rm -rf win
|
||||||
|
|
||||||
|
${utils.tpmStartCommands}
|
||||||
|
|
||||||
# Qemu requires files to be rw
|
# Qemu requires files to be rw
|
||||||
qemu-img create -f qcow2 c.img ${diskImageSize}
|
qemu-img create -f qcow2 c.img ${diskImageSize}
|
||||||
qemu-system-x86_64 ${lib.concatStringsSep " " qemuParams}
|
qemu-system-x86_64 ${lib.concatStringsSep " " qemuParams}
|
||||||
@ -153,6 +156,8 @@ let
|
|||||||
|
|
||||||
in ''
|
in ''
|
||||||
set -x
|
set -x
|
||||||
|
${utils.tpmStartCommands}
|
||||||
|
|
||||||
# Create an image referencing the previous image in the chain
|
# Create an image referencing the previous image in the chain
|
||||||
qemu-img create -F qcow2 -f qcow2 -b ${acc} c.img
|
qemu-img create -F qcow2 -f qcow2 -b ${acc} c.img
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user