authorJoachim F <joachifm@users.noreply.github.com>2018-06-06 19:05:54 +0000
committerGitHub <noreply@github.com>2018-06-06 19:05:54 +0000
commitc06d7950f1b97abf510bc70bd2a2b0445e8d36f2 (patch)
treedcf8240d7766258861a605d1deb17d486207b2d1
parent4c25fbe338212f498a34d2a9b4c2072ac96c0e31 (diff)
parenta75aee39236d5e343fcc8bfa3602a7e1b9ee30c9 (diff)
Merge pull request #38263 from lopsided98/grub-initrd-secrets
grub: support initrd secrets
-rw-r--r--nixos/doc/manual/release-notes/rl-1809.xml9
-rw-r--r--nixos/modules/system/boot/loader/grub/grub.nix20
-rw-r--r--nixos/modules/system/boot/loader/grub/install-grub.pl30
3 files changed, 31 insertions, 28 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1809.xml b/nixos/doc/manual/release-notes/rl-1809.xml
index ae0f35046fff..53aa910aea0d 100644
--- a/nixos/doc/manual/release-notes/rl-1809.xml
+++ b/nixos/doc/manual/release-notes/rl-1809.xml
@@ -121,6 +121,15 @@ $ nix-instantiate -E '(import &lt;nixpkgsunstable&gt; {}).gitFull'
      <literal>gnucash24</literal>.
     </para>
    </listitem>
+   <listitem>
+    <para>
+      The GRUB specific option <option>boot.loader.grub.extraInitrd</option>
+      has been replaced with the generic option
+      <option>boot.initrd.secrets</option>. This option creates a secondary
+      initrd from the specified files, rather than using a manually created
+      initrd file.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 
diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix
index 2e497ff9f2c4..350ad162da63 100644
--- a/nixos/modules/system/boot/loader/grub/grub.nix
+++ b/nixos/modules/system/boot/loader/grub/grub.nix
@@ -35,6 +35,7 @@ let
     let
       efiSysMountPoint = if args.efiSysMountPoint == null then args.path else args.efiSysMountPoint;
       efiSysMountPoint' = replaceChars [ "/" ] [ "-" ] efiSysMountPoint;
+      initrdSecrets = config.boot.initrd.secrets != {};
     in
     pkgs.writeText "grub-config.xml" (builtins.toXML
     { splashImage = f cfg.splashImage;
@@ -49,12 +50,12 @@ let
       storePath = config.boot.loader.grub.storePath;
       bootloaderId = if args.efiBootloaderId == null then "NixOS${efiSysMountPoint'}" else args.efiBootloaderId;
       timeout = if config.boot.loader.timeout == null then -1 else config.boot.loader.timeout;
-      inherit efiSysMountPoint;
+      inherit efiSysMountPoint initrdSecrets;
       inherit (args) devices;
       inherit (efi) canTouchEfiVariables;
       inherit (cfg)
         version extraConfig extraPerEntryConfig extraEntries forceInstall useOSProber
-        extraEntriesBeforeNixOS extraPrepareConfig extraInitrd configurationLimit copyKernels
+        extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels
         default fsIdentifier efiSupport efiInstallAsRemovable gfxmodeEfi gfxmodeBios;
       path = (makeBinPath ([
         pkgs.coreutils pkgs.gnused pkgs.gnugrep pkgs.findutils pkgs.diffutils pkgs.btrfs-progs
@@ -284,19 +285,6 @@ in
         '';
       };
 
-      extraInitrd = mkOption {
-        type = types.nullOr types.path;
-        default = null;
-        example = "/boot/extra_initramfs.gz";
-        description = ''
-          The path to a second initramfs to be supplied to the kernel.
-          This ramfs will not be copied to the store, so that it can
-          contain secrets such as LUKS keyfiles or ssh keys.
-          This implies that rolling back to a previous configuration
-          won't rollback the state of this file.
-        '';
-      };
-
       useOSProber = mkOption {
         default = false;
         type = types.bool;
@@ -541,6 +529,8 @@ in
         { path = "/boot"; inherit (cfg) devices; inherit (efi) efiSysMountPoint; }
       ];
 
+      boot.loader.supportsInitrdSecrets = true;
+
       system.build.installBootLoader =
         let
           install-grub-pl = pkgs.substituteAll {
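Review bot: `boot.loader.supportsInitrdSecrets = true;` wires the new mechanism in, but nothing in this module tells users who still set the removed `boot.loader.grub.extraInitrd` (deleted in an earlier hunk of this file) where it went; their configuration will now fail with a generic undefined-option error. If `lib.mkRemovedOptionModule` is available in this tree, add `imports = [ (mkRemovedOptionModule [ "boot" "loader" "grub" "extraInitrd" ] "Use boot.initrd.secrets instead.") ];` to the module so the evaluation error points at the replacement. The attribute set this hunk sits in appears to be the module's `config` and starts and ends outside the hunk.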
diff --git a/nixos/modules/system/boot/loader/grub/install-grub.pl b/nixos/modules/system/boot/loader/grub/install-grub.pl
index 872261d0edfa..ed0210d5645d 100644
--- a/nixos/modules/system/boot/loader/grub/install-grub.pl
+++ b/nixos/modules/system/boot/loader/grub/install-grub.pl
@@ -49,7 +49,7 @@ my $extraPrepareConfig = get("extraPrepareConfig");
 my $extraPerEntryConfig = get("extraPerEntryConfig");
 my $extraEntries = get("extraEntries");
 my $extraEntriesBeforeNixOS = get("extraEntriesBeforeNixOS") eq "true";
-my $extraInitrd = get("extraInitrd");
+my $initrdSecrets = get("initrdSecrets");
 my $splashImage = get("splashImage");
 my $configurationLimit = int(get("configurationLimit"));
 my $copyKernels = get("copyKernels") eq "true";
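Review bot: `my $initrdSecrets = get("initrdSecrets");` does not compare against "true" the way the neighbouring booleans do (`get("extraEntriesBeforeNixOS") eq "true"`, `get("copyKernels") eq "true"`), so when the Nix side serialises `false` the variable holds the string "false", which Perl treats as true. Every later `if ($initrdSecrets)` check then fires on systems that have no initrd secrets, presumably trying to run a per-generation append-initrd-secrets script that need not exist and aborting the bootloader install. Change it to `my $initrdSecrets = get("initrdSecrets") eq "true";` to match the file's convention.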
@@ -228,13 +228,6 @@ my $grubStore;
 if ($copyKernels == 0) {
     $grubStore = GrubFs($storePath);
 }
-my $extraInitrdPath;
-if ($extraInitrd) {
-    if (! -f $extraInitrd) {
-        print STDERR "Warning: the specified extraInitrd " . $extraInitrd . " doesn't exist. Your system won't boot without it.\n";
-    }
-    $extraInitrdPath = GrubFs($extraInitrd);
-}
 
 # Generate the header.
 my $conf .= "# Automatically generated.  DO NOT EDIT THIS FILE!\n";
@@ -354,9 +347,23 @@ sub addEntry {
 
     my $kernel = copyToKernelsDir(Cwd::abs_path("$path/kernel"));
     my $initrd = copyToKernelsDir(Cwd::abs_path("$path/initrd"));
-    if ($extraInitrd) {
-        $initrd .= " " .$extraInitrdPath->path;
+
+    # Include second initrd with secrets
+    if ($initrdSecrets) {
+      # Get last element of path
+      $initrd =~ /\/([^\/]+)$/;
+      my $initrdSecretsPath = "$bootPath/kernels/$1-secrets";
+      $initrd .= " $initrd-secrets";
+      my $oldUmask = umask;
+      # Make sure initrd is not world readable (won't work if /boot is FAT)
+      umask 0137;
+      my $initrdSecretsPathTemp = File::Temp::mktemp("$initrdSecretsPath.XXXXXXXX");
+      system("$path/append-initrd-secrets", $initrdSecretsPathTemp) == 0 or die "failed to create initrd secrets\n";
+      rename $initrdSecretsPathTemp, $initrdSecretsPath or die "failed to move initrd secrets into place\n";
+      umask $oldUmask;
+      $copied{$initrdSecretsPath} = 1;
     }
+
     my $xen = -e "$path/xen.gz" ? copyToKernelsDir(Cwd::abs_path("$path/xen.gz")) : undef;
 
     # FIXME: $confName
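Review bot: The new block keys off the global `$initrdSecrets`, but addEntry appears to be invoked once per boot entry, so older generations built before this change (or with different secrets settings) would have no `append-initrd-secrets` script and `system(...) == 0 or die` would abort the whole bootloader install instead of leaving that entry alone. Test per entry instead: `if (-e -x "$path/append-initrd-secrets") {`. When the script does fail, the partially written `$initrdSecretsPathTemp` (which may already contain secret material) is left behind on /boot; `unlink $initrdSecretsPathTemp` before dying. The umask comment is candid about FAT, yet `$initrdSecretsPath` still lands on /boot in that case, so printing a warning when the target filesystem cannot honour the 0640 mode would make the exposure visible to the administrator. The sub addEntry starts before this hunk and its body continues after it.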
@@ -379,9 +386,6 @@ sub addEntry {
         if ($copyKernels == 0) {
             $conf .= $grubStore->search . "\n";
         }
-        if ($extraInitrd) {
-            $conf .= $extraInitrdPath->search . "\n";
-        }
         $conf .= "  $extraPerEntryConfig\n" if $extraPerEntryConfig;
         $conf .= "  multiboot $xen $xenParams\n" if $xen;
         $conf .= "  " . ($xen ? "module" : "linux") . " $kernel $kernelParams\n";