
nixos/plymouth-tpm2-totp: init #424861


Open: wants to merge 3 commits into base: master

Conversation


@Majiir Majiir commented Jul 13, 2025

Summary

  • Fixes man page generation for tpm2-totp.
  • Adds a boot.plymouth.tpm2-totp module for showing a TOTP during boot using tpm2-totp and Plymouth.

Pings

@RaitoBezarius (tpm2-totp maintainer)

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • Nixpkgs 25.11 Release Notes (or backporting 25.05 Nixpkgs Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
  • NixOS 25.11 Release Notes (or backporting 25.05 NixOS Release notes)
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other contributing documentation in corresponding paths.


@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-darwin: 1 This PR causes 1 package to rebuild on Darwin. 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: changelog This PR adds or changes release notes 8.has: module (update) This PR changes an existing module in `nixos/` 8.has: documentation This PR adds or changes documentation labels Jul 13, 2025
@nix-owners nix-owners bot requested a review from RaitoBezarius July 13, 2025 17:22
@Majiir Majiir added 8.has: module (new) This PR adds a module in `nixos/` and removed 8.has: module (update) This PR changes an existing module in `nixos/` labels Jul 13, 2025
@Majiir Majiir force-pushed the plymouth-tpm2-totp branch from 3da7aff to 2ac481d Compare July 13, 2025 23:34
@nixpkgs-ci nixpkgs-ci bot added 8.has: module (update) This PR changes an existing module in `nixos/` 2.status: merge conflict This PR has merge conflicts with the target branch labels Jul 13, 2025
@Majiir Majiir force-pushed the plymouth-tpm2-totp branch from 2ac481d to bc90eb7 Compare July 19, 2025 15:59
@nixpkgs-ci nixpkgs-ci bot removed the 2.status: merge conflict This PR has merge conflicts with the target branch label Jul 19, 2025

assertions = [
{
assertion = cfg.enable -> config.boot.initrd.systemd.enable;
Member


Suggested change
assertion = cfg.enable -> config.boot.initrd.systemd.enable;
assertion = config.boot.initrd.systemd.enable;

Correct me if I'm wrong, but the first part isn't needed, right?

Contributor Author


Yep, that was redundant. Removed.

@Majiir Majiir force-pushed the plymouth-tpm2-totp branch from bc90eb7 to 2e01379 Compare August 3, 2025 21:05
@Majiir Majiir requested a review from jackrosenberg August 3, 2025 21:06
@Majiir Majiir force-pushed the plymouth-tpm2-totp branch from 2e01379 to a4db850 Compare August 4, 2025 03:10
Contributor

@misuzu misuzu left a comment


Tested on my laptop like this:

  1. Run nix shell nixpkgs#tpm2-totp -c sudo tpm2-totp generate
  2. Save the secret
  3. Run nix shell nixpkgs#tpm2-totp -c sudo tpm2-totp calculate
  4. Compare the codes
  5. Enable boot.plymouth.tpm2-totp.enable
  6. Reboot
  7. Compare the codes

Documentation on how to set it up would be great, though.

Contributor Author

Majiir commented Aug 13, 2025

Documentation on how to set it up would be great, though.

The tpm2-totp README is pretty good. The exact setup commands are a bit situational. For NixOS, the steps are:

  1. Set up tpm2-totp (however you like)
  2. Set boot.plymouth.tpm2-totp.enable = true

Maybe the option description should mention that tpm2-totp setup has to be done separately?
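The "compare the codes" step in the test above and in the setup steps is a plain RFC 6238 check: the secret saved after `tpm2-totp generate` must produce the same code that Plymouth shows at boot. The following is an added example, not code from this PR or from tpm2-totp; it assumes tpm2-totp's default TOTP parameters (HMAC-SHA1, 30-second step, 6 digits) and uses the RFC 6238 test key as a constructed secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 defaults; assumed to match what tpm2-totp displays at boot
# (SHA-1, 30-second step, 6 digits), so the same secret yields the same code.
STEP_SECONDS = 30
DIGITS = 6


def decode_base32_secret(b32: str) -> bytes:
    """Decode the base32 secret saved after `tpm2-totp generate`;
    tolerates spaces, lowercase and missing '=' padding."""
    s = b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time-step counter,
    dynamic truncation, then the low DIGITS decimal digits."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def matches_boot_display(secret: bytes, shown: str, unix_time: int,
                         skew_steps: int = 1) -> bool:
    """Compare the code shown by Plymouth with what the saved secret
    produces, allowing +/- skew_steps windows for clock drift.
    A mismatch outside that window means either the clock is far off
    or the TPM unsealed a different secret (the PCR state changed)."""
    windows = range(-skew_steps, skew_steps + 1)
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * STEP_SECONDS), shown)
        for d in windows
    )


if __name__ == "__main__":
    # Constructed example secret (the RFC 6238 test key), not a real one.
    secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("expected code now:", totp(secret, int(time.time())))
```

Run it with the real saved secret and compare the printed code with the one Plymouth shows; a stable mismatch after a firmware or bootloader change is the signal the module exists to surface.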

@nixpkgs-ci nixpkgs-ci bot added the 12.approvals: 1 This PR was reviewed and approved by one person. label Aug 13, 2025
Comment on lines +20 to +21
config = lib.mkIf cfg.enable {
meta.maintainers = with lib.maintainers; [ majiir ];
Contributor


Suggested change
config = lib.mkIf cfg.enable {
meta.maintainers = with lib.maintainers; [ majiir ];
meta.maintainers = with lib.maintainers; [ majiir ];
config = lib.mkIf cfg.enable {
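Review bot: the suggestion moves meta.maintainers above the config = lib.mkIf cfg.enable { line but gives no reason; the one worth stating is that everything inside that mkIf only takes effect when cfg.enable is set, so the maintainer list would be absent in the default (disabled) case, whereas meta is a plain module attribute that should always be set.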

Contributor

misuzu commented Aug 13, 2025

The tpm2-totp README is pretty good.

I open https://github.com/tpm2-software/tpm2-totp/blob/master/README.md#setup-1 and try the first suggested command:

% tpm2-totp init
Unknown command: generate, calculate, reseal, recover, clean.

Usage: [options] {generate|calculate|reseal|recover|clean}
Options:
    -h, --help      print help
    -b, --banks     Selected PCR banks (default: SHA1,SHA256)
    -l, --label     Label to use for display in the TOTP authenticator app (default: TPM2-TOTP)
    -N, --nvindex   TPM NV index to store data (default: 0x018094AF)
    -P, --password  Password for recovery/resealing (default: None)
    -p, --pcrs      Selected PCR registers (default: 0,2,4,6)
    -t, --time      Show the time used for calculation
    -T, --tcti      TCTI to use
    -v, --verbose   print verbose messages

This is just awful

Maybe the option description should mention that tpm2-totp setup has to be done separately?

The number one complaint about NixOS is the (lack of) documentation. A meta.doc attribute with a simple working quick start guide would be perfect for this module.
