Commit 1a2492444ad8

Vincent Demeester <vincent@sbr.pm>
2025-12-02 14:50:07
fix: Disable TPM service on aarch64 systems without explicit support
- Fix tpm2-abrmd service failures on ARM SBCs without TPM hardware - Disable TPM automatically for aarch64 systems without hardwareType set - Prevent I/O errors from TPM service on Radxa CM3588 and similar boards Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Vincent Demeester <vincent@sbr.pm>
1 parent 06e8a6a
Changed files (1)
systems/common/base/tpm.nix
@@ -2,22 +2,26 @@
   lib,
   hardwareType,
   pkgs,
+  system,
   ...
 }:
 let
-  # Detect if we are building RPI4 host, because RPI4 doesn't have TPM support
-  isRPI4 = hardwareType == "rpi4";
+  # Systems without TPM hardware
+  # - rpi4: Raspberry Pi 4
+  # - Most aarch64 SBCs (Radxa CM3588, etc.) don't have TPM chips
+  # For aarch64, only enable TPM if explicitly set via hardwareType
+  hasNoTPM = hardwareType == "rpi4" || (system == "aarch64-linux" && hardwareType == "");
 in
 {
   environment.systemPackages =
-    if isRPI4 then
+    if hasNoTPM then
       [ ]
     else
       with pkgs;
       [
         tpm2-tss
       ];
-  security = lib.mkIf (!isRPI4) {
+  security = lib.mkIf (!hasNoTPM) {
     tpm2 = {
       enable = true;
       pkcs11.enable = true;
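Review bot: The new `hasNoTPM` binding silently drops tpm2-tss and the PKCS#11 provider on every aarch64 host whose `hardwareType` is unset, so an aarch64 machine that does have a TPM loses TPM-backed key storage with no signal at all; wrap the aarch64 branch in `lib.warnIf` so the downgrade is visible at evaluation, e.g. `hasNoTPM = lib.warnIf (system == "aarch64-linux" && hardwareType == "") "tpm.nix: TPM disabled because hardwareType is unset on aarch64; set hardwareType to enable it" (hardwareType == "rpi4" || (system == "aarch64-linux" && hardwareType == ""));`. The added `system` module argument is not a standard NixOS module argument, so this module will fail to evaluate unless `system` is passed through specialArgs; `pkgs.stdenv.hostPlatform.system` is already reachable through the existing `pkgs` argument and avoids the new parameter. The comparison `hardwareType == ""` only matches an empty string, so if the caller leaves an unset value as `null` the guard never fires — confirm the default against the call site. The `security` attribute set opened on the last line continues past the end of the hunk.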