Rewrite hardware definition into module and basic fingerprint support

Signed-off-by: Manuel Bluhm <manuel@ssrc.tii.ae>

modules/common/default.nix

@@ -9,9 +9,7 @@
     ./common.nix
     ./development
     ./firewall
-    ./hardware
     ./profiles
-    ./tpm2
     ./users/accounts.nix
     ./version
     ./virtualization/docker.nix

modules/common/users/accounts.nix

@@ -40,7 +40,7 @@ in
           extraGroups =
             ["wheel" "video" "networkmanager"]
             ++ optionals
-            config.ghaf.security.tpm2.enable ["tss"];
+            config.security.tpm2.enable ["tss"];
         };
         groups."${cfg.user}" = {
           name = cfg.user;

modules/desktop/graphics/default.nix

@@ -11,5 +11,6 @@
     ./gnome.nix
     ./window-manager.nix
     ./boot.nix
+    ./hardware.nix
   ];
 }

modules/desktop/graphics/hardware.nix

@@ -0,0 +1,18 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  config,
+  lib,
+  ...
+}:
+with lib; {
+  options.ghaf.graphics.hardware = {
+    networkDevice = mkOption {
+      type = types.anything;
+      default = {};
+      description = ''
+        Network device interface for use with graphics stack.
+      '';
+    };
+  };
+}

modules/desktop/graphics/waybar.config.nix

@@ -7,7 +7,7 @@
   ...
 }: let
   cfg = config.ghaf.graphics.labwc;
-  networkDevice = config.ghaf.hardware.definition.network.pciDevices;
+  inherit (config.ghaf.graphics.hardware) networkDevice;
 
   ghaf-icon = pkgs.runCommand "ghaf-icon-24x24" {} ''
     mkdir -p $out/share/icons/hicolor/24x24/apps

modules/flake-module.nix

@@ -4,7 +4,10 @@
 # Modules to be exported from Flake
 #
 {inputs, ...}: {
-  imports = [./disko/flake-module.nix];
+  imports = [
+    ./disko/flake-module.nix
+    ./hardware/flake-module.nix
+  ];
 
   flake.nixosModules = {
     common.imports = [

modules/hardware/flake-module.nix

@@ -0,0 +1,15 @@
+# Copyright 2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+_: {
+  flake.nixosModules = {
+    hw-lenovo-x1.imports = [
+      ./definition.nix
+      ./x86_64-generic
+      ./lenovo-x1
+    ];
+    hw-x86_64-generic.imports = [
+      ./definition.nix
+      ./x86_64-generic
+    ];
+  };
+}

modules/common/hardware/default.nix → modules/hardware/lenovo-x1/default.nix

@@ -2,8 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 {
   imports = [
-    ./x86_64-linux.nix
-    ./x86_64-generic
-    ./definition.nix
+    ./definitions
+    ./modules/fprint.nix
   ];
 }

modules/hardware/lenovo-x1/definitions/default.nix

@@ -0,0 +1,69 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+{
+  config,
+  lib,
+  ...
+}: let
+  hwDefinition = import (./. + "/x1-${config.ghaf.hardware.generation}.nix");
+in {
+  imports = [
+    ../../definition.nix
+  ];
+
+  options.ghaf.hardware.generation = lib.mkOption {
+    description = "Generation of the hardware configuration";
+    type = lib.types.str;
+    default = "gen11";
+  };
+
+  config = {
+    ghaf.hardware.definition = {
+      inherit (hwDefinition) mouse;
+      inherit (hwDefinition) touchpad;
+      inherit (hwDefinition) disks;
+      inherit (hwDefinition) network;
+      inherit (hwDefinition) gpu;
+
+      virtioInputHostEvdevs = [
+        # Lenovo X1 touchpad and keyboard
+        "/dev/input/by-path/platform-i8042-serio-0-event-kbd"
+        "/dev/mouse"
+        "/dev/touchpad"
+        # Lenovo X1 trackpoint (red button/joystick)
+        "/dev/input/by-path/platform-i8042-serio-1-event-mouse"
+      ];
+    };
+
+    disko.devices.disk = hwDefinition.disks;
+
+    # Notes:
+    #   1. This assembles udev rules for different hw configurations (i.e., different mice/touchpads) by adding
+    #      all of them to the configuration. This was chosen for simplicity to not have to provide hw identifier at build,
+    #      but is not ideal and should be changed.
+    #   2. USB camera "passthrough" is handled by qemu and thus available on host. If peripheral VM is implemented,
+    #      the entire host controller should be passthrough'd using the PCI bus (14.0). In x1, bluetooth and fingerprint
+    #      reader are on this bus.
+    services.udev.extraRules = let
+      mapMouseRules =
+        builtins.map (d: ''          SUBSYSTEM=="input", ATTRS{name}=="${d}", KERNEL=="event*", GROUP="kvm", SYMLINK+="mouse"
+        '');
+      mapTouchpadRules =
+        builtins.map (d: ''          SUBSYSTEM=="input", ATTRS{name}=="${d}", KERNEL=="event*", GROUP="kvm", SYMLINK+="touchpad"
+        '');
+    in ''
+      # Laptop keyboard
+      SUBSYSTEM=="input", ATTRS{name}=="AT Translated Set 2 keyboard", GROUP="kvm"
+      # Laptop TrackPoint
+      SUBSYSTEM=="input", ATTRS{name}=="TPPS/2 Elan TrackPoint", GROUP="kvm"
+      # Lenovo X1 integrated webcam
+      KERNEL=="3-8", SUBSYSTEM=="usb", ATTR{busnum}=="3", ATTR{devnum}=="3", GROUP="kvm"
+      # Lenovo X1 integrated fingerprint reader
+      KERNEL=="3-6", SUBSYSTEM=="usb", ATTR{busnum}=="3", ATTR{devnum}=="2", GROUP="kvm"
+      # Mouse and Touchpad
+      ${lib.strings.concatStrings (mapMouseRules hwDefinition.mouse)}
+      ${lib.strings.concatStrings (mapTouchpadRules hwDefinition.touchpad)}
+    '';
+  };
+}

modules/hardware/lenovo-x1/modules/fprint.nix

@@ -0,0 +1,51 @@
+# Copyright 2022-2024 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  cfg = config.ghaf.hardware.fprint;
+in
+  with lib; {
+    options.ghaf.hardware.fprint = {
+      enable = mkEnableOption "Enable fingerprint reader support";
+      qemuExtraArgs = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = ''
+          Extra arguments to pass to Qemu when enabling the fingerprint reader.
+          This is useful for passing USB device information to Qemu.
+        '';
+      };
+      extraConfigurations = mkOption {
+        type = types.attrsOf types.anything;
+        default = {};
+        description = ''
+          Extra configurations to enable when enabling the fingerprint reader.
+          This is useful for enabling services and packages related to the fingerprint reader.
+        '';
+      };
+    };
+
+    config = mkIf cfg.enable {
+      ghaf.hardware.fprint = {
+        qemuExtraArgs = [
+          # Fingerprint reader
+          "-device"
+          "qemu-xhci"
+          "-device"
+          "usb-host,hostbus=3,hostport=6"
+        ];
+
+        extraConfigurations = {
+          # Enable services and packages for fingerprint reader
+          ghaf.systemd.withPolkit = true;
+          security.polkit.enable = true;
+          services.fprintd.enable = true;
+          environment.systemPackages = with pkgs; [fprintd];
+        };
+      };
+    };
+  }

modules/common/hardware/x86_64-generic/default.nix → modules/hardware/x86_64-generic/default.nix

@@ -6,5 +6,7 @@
     ./kernel/hardening.nix
     ./kernel/host
     ./kernel/host/pkvm
+    ./x86_64-linux.nix
+    ./modules/tpm2.nix
   ];
 }

modules/common/tpm2/default.nix → modules/hardware/x86_64-generic/modules/tpm2.nix

@@ -6,10 +6,10 @@
   pkgs,
   ...
 }: let
-  cfg = config.ghaf.security.tpm2;
+  cfg = config.ghaf.hardware.tpm2;
 in
   with lib; {
-    options.ghaf.security.tpm2 = {
+    options.ghaf.hardware.tpm2 = {
       enable = mkEnableOption "TPM2 PKCS#11 interface";
     };
 

targets/generic-x86_64/flake-module.nix

@@ -41,6 +41,7 @@
           self.nixosModules.desktop
           self.nixosModules.host
           self.nixosModules.microvm
+          self.nixosModules.hw-x86_64-generic
 
           {
             ghaf = {

targets/lenovo-x1/everything.nix

@@ -18,9 +18,6 @@
   ## To here
 
   lenovo-x1 = generation: variant: extraModules: let
-    hwDefinition = import ../../modules/common/hardware/lenovo-x1/definitions {
-      inherit generation lib;
-    };
     hostConfiguration = lib.nixosSystem {
       inherit system;
       modules =
@@ -34,6 +31,7 @@
           self.nixosModules.microvm
 
           self.nixosModules.disko-lenovo-x1-basic-v1
+          self.nixosModules.hw-lenovo-x1
 
           ./sshkeys.nix
           ({
@@ -43,8 +41,6 @@
           }: let
             powerControl = pkgs.callPackage ../../packages/powercontrol {};
           in {
-            security.polkit.extraConfig = powerControl.polkitExtraConfig;
-            services.udev.extraRules = hwDefinition.udevRules;
             time.timeZone = "Asia/Dubai";
 
             # Enable pulseaudio support for host as a service
@@ -62,25 +58,26 @@
             environment.etc.${config.ghaf.security.sshKeys.getAuthKeysFilePathInEtc} = import ./getAuthKeysSource.nix {inherit pkgs config;};
             services.openssh = config.ghaf.security.sshKeys.sshAuthorizedKeysCommand;
 
-            disko.devices.disk = config.ghaf.hardware.definition.disks;
+            # Hardware configurations
+            security.polkit.extraConfig = powerControl.polkitExtraConfig;
 
             ghaf = {
-              hardware.definition = hwDefinition;
-              # To enable guest hardening enable host hardening first
+              # Hardware definitions
+              hardware.x86_64.common.enable = true;
+              hardware.generation = generation;
+              hardware.tpm2.enable = true;
+              hardware.fprint.enable = true;
+
+              # Kernel hardening
               host.kernel.hardening.enable = false;
               host.kernel.hardening.virtualization.enable = false;
               host.kernel.hardening.networking.enable = false;
               host.kernel.hardening.inputdevices.enable = false;
-
+              host.kernel.hardening.hypervisor.enable = false;
               guest.kernel.hardening.enable = false;
               guest.kernel.hardening.graphics.enable = false;
 
-              host.kernel.hardening.hypervisor.enable = false;
-
-              hardware.x86_64.common.enable = true;
-
-              security.tpm2.enable = true;
-
+              # Virtualization options
               virtualization.microvm-host.enable = true;
               virtualization.microvm-host.hostNetworkSupport = true;
               host.networking.enable = true;
@@ -105,7 +102,7 @@
                 vms = import ./appvms/default.nix {inherit pkgs;};
               };
 
-              # Enable all the default UI applications
+              # UI applications
               profiles = {
                 applications.enable = false;
               };