author | André-Patrick Bubel <code@andre-bubel.de> | 2017-09-14 04:44:14 +0200 |
---|---|---|
committer | André-Patrick Bubel <code@andre-bubel.de> | 2017-09-14 05:27:41 +0200 |
commit | 2000fba5619c105f7df24736789365cc271b6596 (patch) | |
tree | abccc12acf406ba1b81d10b22e7319f5d049d6dc /nixos/modules/system/boot/luksroot.nix | |
parent | a7637b37955f1beacfe6c0b153fb11e086bb4762 (diff) | |
nixos/fileystems: Fix boot fails with encrypted fs
Boot fails when a keyfile is configured for all encrypted filesystems and no other luks devices are configured. This is because luks support is only enabled in the initrd when boot.initrd.luks.devices has entries. When a filesystem has a keyfile configured, though, it is set up by a custom command, not by boot.initrd.luks. This commit adds an internal config flag to enable luks support in the initrd file, even if there are no luks devices configured.
Diffstat (limited to 'nixos/modules/system/boot/luksroot.nix')
-rw-r--r-- | nixos/modules/system/boot/luksroot.nix | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index 3ca679b479a0..06f004fb06ec 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix @@ -235,6 +235,16 @@ in ''; }; + boot.initrd.luks.forceLuksSupportInInitrd = mkOption { + type = types.bool; + default = false; + internal = true; + description = '' + Whether to configure luks support in the initrd, when no luks + devices are configured. + ''; + }; + boot.initrd.luks.devices = mkOption { default = { }; example = { "luksroot".device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; }; @@ -417,7 +427,7 @@ in }; }; - config = mkIf (luks.devices != {}) { + config = mkIf (luks.devices != {} || luks.forceLuksSupportInInitrd) { # actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested boot.blacklistedKernelModules = optionals luks.mitigateDMAAttacks |
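Review bot: The description of `boot.initrd.luks.forceLuksSupportInInitrd` does not say who is expected to set the flag or why, which matters for an `internal` option that will not appear in the generated manual. Going by the commit message, it is meant for filesystems that are unlocked with a keyfile by a custom command rather than through `boot.initrd.luks.devices`. I would spell that out, e.g. `Set by modules that open LUKS volumes in the initrd themselves (such as encrypted filesystems with a keyfile), so that LUKS support is included in the initrd even though boot.initrd.luks.devices is empty.` The code that sets the flag is not part of this file's diff, so the wording should be checked against it.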
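Review bot: The widened guard in `config = mkIf (luks.devices != {} || luks.forceLuksSupportInInitrd)` now enables the whole config body for systems with an empty `luks.devices`. That body starts and ends outside this hunk, so it is worth confirming that everything in it tolerates an empty device set. One visible consequence is that the `boot.blacklistedKernelModules` entry under `luks.mitigateDMAAttacks` now also applies to machines whose only encrypted filesystems are keyfile-based, which looks desirable but is undocumented. I would add a comment above the guard such as `# Also active when forceLuksSupportInInitrd is set: volumes opened outside boot.initrd.luks.devices still need this initrd setup and the DMA mitigation below.`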