From 3831db6bd45219ca98788071a9c34b7ee0d51bee Mon Sep 17 00:00:00 2001
From: Manuel Bluhm
Date: Thu, 4 Apr 2024 20:59:15 +0400
Subject: [PATCH] Move TPM related code to hardware x86_64-generic as hardware dependent module.
Signed-off-by: Manuel Bluhm
---
 modules/common/default.nix | 1 -
 modules/common/users/accounts.nix | 2 +-
 modules/hardware/x86_64-generic/default.nix | 1 +
 .../default.nix => hardware/x86_64-generic/modules/tpm2.nix} | 4 ++--
 targets/lenovo-x1/everything.nix | 3 +--
 5 files changed, 5 insertions(+), 6 deletions(-)
 rename modules/{common/tpm2/default.nix => hardware/x86_64-generic/modules/tpm2.nix} (90%)
diff --git a/modules/common/default.nix b/modules/common/default.nix
index e742a04d6..774697255 100644
--- a/modules/common/default.nix
+++ b/modules/common/default.nix
@@ -11,7 +11,6 @@
 ./firewall
 ./profiles
 ./security
- ./tpm2
 ./users/accounts.nix
 ./version
 ./virtualization/docker.nix
diff --git a/modules/common/users/accounts.nix b/modules/common/users/accounts.nix
index b44293022..afdeaa540 100644
--- a/modules/common/users/accounts.nix
+++ b/modules/common/users/accounts.nix
@@ -40,7 +40,7 @@ in extraGroups = ["wheel" "video" "networkmanager"] ++ optionals - config.ghaf.security.tpm2.enable ["tss"]; + config.security.tpm2.enable ["tss"]; }; groups."${cfg.user}" = { name = cfg.user;
diff --git a/modules/hardware/x86_64-generic/default.nix b/modules/hardware/x86_64-generic/default.nix
index 6a8fbca1c..c09c4496b 100644
--- a/modules/hardware/x86_64-generic/default.nix
+++ b/modules/hardware/x86_64-generic/default.nix
@@ -7,5 +7,6 @@
 ./kernel/host
 ./kernel/host/pkvm
 ./x86_64-linux.nix
+ ./modules/tpm2.nix
 ];
 }
diff --git a/modules/common/tpm2/default.nix b/modules/hardware/x86_64-generic/modules/tpm2.nix
similarity index 90%
rename from modules/common/tpm2/default.nix
rename to modules/hardware/x86_64-generic/modules/tpm2.nix
index feed3224c..0828c61ed 100644
--- a/modules/common/tpm2/default.nix
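Review bot: In the modules/common/users/accounts.nix hunk, the `tss` membership is now keyed on the upstream NixOS option `security.tpm2.enable` while the group name stays a string literal, so the two can drift apart if `security.tpm2.tssGroup` is ever overridden. Writing the new line as `config.security.tpm2.enable [config.security.tpm2.tssGroup];` keeps the condition and the group tied to the same module. The switch also means that any configuration enabling `security.tpm2` directly, not only through the ghaf option, puts the login user into the group that the NixOS TPM udev rules normally grant device access to. That is worth a comment above the line, for example `# tss gives this user direct access to the TPM device; follows upstream security.tpm2, not the ghaf option`. The enclosing user definition starts and ends outside the hunk.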
+++ b/modules/hardware/x86_64-generic/modules/tpm2.nix
@@ -6,10 +6,10 @@ pkgs, ... }: let - cfg = config.ghaf.security.tpm2; + cfg = config.ghaf.hardware.tpm2; in with lib; { - options.ghaf.security.tpm2 = { + options.ghaf.hardware.tpm2 = { enable = mkEnableOption "TPM2 PKCS#11 interface"; };
diff --git a/targets/lenovo-x1/everything.nix b/targets/lenovo-x1/everything.nix
index 52c03d4f2..2cbb0911d 100644
--- a/targets/lenovo-x1/everything.nix
+++ b/targets/lenovo-x1/everything.nix
@@ -60,9 +60,8 @@ # Hardware definitions hardware.x86_64.common.enable = true; hardware.generation = generation; - hardware.ax88179_178a.enable = true; - security.tpm2.enable = true; + hardware.tpm2.enable = true; # Kernel hardening host.kernel.hardening.enable = false;
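Review bot: The tpm2.nix hunk renames the option from `ghaf.security.tpm2` to `ghaf.hardware.tpm2` without leaving an alias, and only targets/lenovo-x1/everything.nix is updated in this patch. Any other configuration that still sets the old path should fail at evaluation rather than silently lose the TPM setup, but it does break. If such consumers exist, `imports = [(mkRenamedOptionModule ["ghaf" "security" "tpm2"] ["ghaf" "hardware" "tpm2"])];` inside the module would keep them working with a rename warning. A short comment above the option noting that it is now only defined where the x86_64-generic module set is imported would also help readers of accounts.nix see why that file cannot reference it. The module body continues outside the hunk.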