author | Robin Gloster <mail@glob.in> | 2016-07-15 14:41:01 +0000 |
---|---|---|
committer | Robin Gloster <mail@glob.in> | 2016-07-15 14:41:01 +0000 |
commit | 5185bc177309c62e53dad1ad346d1220f0e77bd4 (patch) | |
tree | 52f5878b394abf2ef326765d46880ccbabd84903 /nixos/modules/system/boot | |
parent | 07615735077db344539eb9131823600593f0eddf (diff) | |
parent | f402c6321aa3c6e56f5e1f1e36c4ad459c881309 (diff) | |
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
Diffstat (limited to 'nixos/modules/system/boot')
-rw-r--r-- | nixos/modules/system/boot/coredump.nix | 4 | ||||
-rw-r--r-- | nixos/modules/system/boot/initrd-ssh.nix | 3 | ||||
-rw-r--r-- | nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.nix | 1 | ||||
-rw-r--r-- | nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.sh | 9 | ||||
-rw-r--r-- | nixos/modules/system/boot/loader/grub/install-grub.pl | 4 | ||||
-rw-r--r-- | nixos/modules/system/boot/luksroot.nix | 26 | ||||
-rw-r--r-- | nixos/modules/system/boot/plymouth.nix | 129 | ||||
-rw-r--r-- | nixos/modules/system/boot/resolved.nix | 67 | ||||
-rw-r--r-- | nixos/modules/system/boot/stage-1-init.sh | 6 | ||||
-rw-r--r-- | nixos/modules/system/boot/stage-1.nix | 26 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd.nix | 5 |
11 files changed, 251 insertions, 29 deletions
diff --git a/nixos/modules/system/boot/coredump.nix b/nixos/modules/system/boot/coredump.nix index 793c7515c761..b27a35b6257d 100644 --- a/nixos/modules/system/boot/coredump.nix +++ b/nixos/modules/system/boot/coredump.nix @@ -36,6 +36,8 @@ with lib; config = mkMerge [ (mkIf config.systemd.coredump.enable { + systemd.additionalUpstreamSystemUnits = [ "systemd-coredump.socket" "systemd-coredump@.service" ]; + environment.etc."systemd/coredump.conf".text = '' [Coredump] @@ -45,7 +47,7 @@ with lib; # Have the kernel pass core dumps to systemd's coredump helper binary. # From systemd's 50-coredump.conf file. See: # <https://github.com/systemd/systemd/blob/v218/sysctl.d/50-coredump.conf.in> - boot.kernel.sysctl."kernel.core_pattern" = "|${pkgs.systemd}/lib/systemd/systemd-coredump %p %u %g %s %t %e"; + boot.kernel.sysctl."kernel.core_pattern" = "|${pkgs.systemd}/lib/systemd/systemd-coredump %P %u %g %s %t %c %e"; }) (mkIf (!config.systemd.coredump.enable) { diff --git a/nixos/modules/system/boot/initrd-ssh.nix b/nixos/modules/system/boot/initrd-ssh.nix index 3e2805a8c341..d0a4ce51148f 100644 --- a/nixos/modules/system/boot/initrd-ssh.nix +++ b/nixos/modules/system/boot/initrd-ssh.nix @@ -100,9 +100,6 @@ in ''; boot.initrd.network.postCommands = '' - mkdir /dev/pts - mount -t devpts devpts /dev/pts - echo '${cfg.shell}' > /etc/shells echo 'root:x:0:0:root:/root:${cfg.shell}' > /etc/passwd echo 'passwd: files' > /etc/nsswitch.conf diff --git a/nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.nix b/nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.nix index c5c250c14cea..576a07c1d272 100644 --- a/nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.nix +++ b/nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.nix 
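Review bot: The context comment kept above the changed `kernel.core_pattern` line still points at systemd v218's 50-coredump.conf, while the new `%P … %c` argument list appears to come from a later systemd release, so the reference no longer matches the pattern it claims to reproduce. I would update the comment to name the release the pattern was copied from, e.g. `# From systemd's 50-coredump.conf file (systemd >= <systemd-version>); %P is the PID in the initial namespace, %c the core size limit.` The added `systemd.additionalUpstreamSystemUnits` line is what makes the piped helper usable at all, which is worth a one-line comment as well since the socket and template unit are easy to drop by accident.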
@@ -5,5 +5,4 @@ pkgs.substituteAll { isExecutable = true; path = [pkgs.coreutils pkgs.gnused pkgs.gnugrep]; inherit (pkgs) bash; - kernelDTB = pkgs.stdenv.platform.kernelDTB or false; } diff --git a/nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.sh b/nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.sh index 78a8e8fd658c..c780a89b102c 100644 --- a/nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.sh +++ b/nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.sh @@ -75,9 +75,10 @@ addEntry() { copyToKernelsDir "$path/kernel"; kernel=$result copyToKernelsDir "$path/initrd"; initrd=$result - if [ -n "@kernelDTB@" ]; then - # XXX UGLY: maybe the system config should have a top-level "dtbs" entry? - copyToKernelsDir $(readlink -m "$path/kernel/../dtbs"); dtbs=$result + # XXX UGLY: maybe the system config should have a top-level "dtbs" entry? + dtbDir=$(readlink -m "$path/kernel/../dtbs") + if [ -d "$dtbDir" ]; then + copyToKernelsDir "$dtbDir"; dtbs=$result fi timestampEpoch=$(stat -L -c '%Z' $path) @@ -95,7 +96,7 @@ addEntry() { fi echo " LINUX ../nixos/$(basename $kernel)" echo " INITRD ../nixos/$(basename $initrd)" - if [ -n "@kernelDTB@" ]; then + if [ -d "$dtbDir" ]; then echo " FDTDIR ../nixos/$(basename $dtbs)" fi echo " APPEND systemConfig=$path init=$path/init $extraParams" diff --git a/nixos/modules/system/boot/loader/grub/install-grub.pl b/nixos/modules/system/boot/loader/grub/install-grub.pl index b8ef02da4bc2..94d87b436065 100644 --- a/nixos/modules/system/boot/loader/grub/install-grub.pl +++ b/nixos/modules/system/boot/loader/grub/install-grub.pl 
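Review bot: `dtbDir=$(readlink -m "$path/kernel/../dtbs")` relies on `readlink -m` resolving the `$path/kernel` symlink before applying `..`, which is what makes the result land next to the kernel in its package rather than inside `$path`; the `XXX UGLY` comment does not say so. I would extend it: `# readlink -m follows the kernel symlink first, so .. lands in the kernel package; -m never fails, the -d test decides.` The second hunk (`@@ -95`) correctly tests `$dtbDir` again rather than `$dtbs`, since `$dtbs` is only assigned when the directory exists. The rest of `addEntry` lies outside both hunks.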
@@ -501,7 +501,7 @@ sub getEfiTarget { my @deviceTargets = getDeviceTargets(); my $efiTarget = getEfiTarget(); my $prevGrubState = readGrubState(); -my @prevDeviceTargets = split/:/, $prevGrubState->devices; +my @prevDeviceTargets = split/,/, $prevGrubState->devices; my $devicesDiffer = scalar (List::Compare->new( '-u', '-a', \@deviceTargets, \@prevDeviceTargets)->get_symmetric_difference()); my $nameDiffer = get("fullName") ne $prevGrubState->name; @@ -549,7 +549,7 @@ if ($requireNewInstall != 0) { print FILE get("fullName"), "\n" or die; print FILE get("fullVersion"), "\n" or die; print FILE $efiTarget, "\n" or die; - print FILE join( ":", @deviceTargets ), "\n" or die; + print FILE join( ",", @deviceTargets ), "\n" or die; print FILE $efiSysMountPoint, "\n" or die; close FILE or die; } diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index 8dad09c89207..15881b6d3714 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix @@ -36,7 +36,7 @@ let ${optionalString (header != null) "--header=${header}"} \ ${optionalString (keyFile != null) "--key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}"} \ > /.luksopen_args - cryptsetup-askpass + get_password "Enter LUKS Passphrase" cryptsetup-askpass rm /.luksopen_args } @@ -78,9 +78,7 @@ let for try in $(seq 3); do ${optionalString yubikey.twoFactor '' - echo -n "Enter two-factor passphrase: " - read -s k_user - echo + k_user="$(get_password "Enter two-factor passphrase" cat)" ''} if [ ! -z "$k_user" ]; then 
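Review bot: Switching the state-file separator from `:` to `,` in both hunks is not backward compatible with state files written by the previous version of this script: `split/,/` on an old `a:b` line yields one element, so `$devicesDiffer` becomes non-zero and, judging by the `$requireNewInstall` check in the second hunk, GRUB is presumably reinstalled once on the next activation. If that one-off reinstall is intended, say so next to the `split`, e.g. `# Separator changed from ':' to ','; an old state file yields one bogus entry and forces a single reinstall.`; otherwise read both formats with `split /[,:]/, $prevGrubState->devices;`. Style-wise `split/,/` reads better as `split /,/,`. `readGrubState` and the code around these lines are outside the hunks.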
@@ -463,6 +461,26 @@ in ''} ''; + boot.initrd.preDeviceCommands = '' + get_password() { + local ret + local reply + local tty_stat + + tty_stat="$(stty -g)" + stty -echo + for i in `seq 1 3`; do + echo -n "$1: " + read reply + echo "$reply" | "$2" + if [ "$?" = "0" ]; then + break + fi + done + stty "$tty_stat" + } + ''; + boot.initrd.preLVMCommands = concatStrings (mapAttrsToList openCommand preLVM); boot.initrd.postDeviceCommands = concatStrings (mapAttrsToList openCommand postLVM); diff --git a/nixos/modules/system/boot/plymouth.nix b/nixos/modules/system/boot/plymouth.nix new file mode 100644 index 000000000000..82c1032937c6 --- /dev/null +++ b/nixos/modules/system/boot/plymouth.nix 
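Review bot: `echo -n "$1: "` in `get_password` writes the prompt to stdout, so the two-factor call site in the `@@ -78` hunk, `k_user="$(get_password "Enter two-factor passphrase" cat)"`, captures the prompt text together with the passphrase; the prompt has to go to stderr for that call to work. Two further points on the same function: `read reply` without `-r` mangles backslashes in a passphrase, and `echo "$reply"` lets a passphrase starting with `-n` or `-e` be taken as an option by the initrd shell's echo, so `printf '%s\n'` is the safer way to hand it to `$2`. The function also returns the exit status of the final `stty` rather than of `$2` (the unused `local ret` suggests that was the plan), so a caller cannot tell whether the passphrase was accepted. Rewritten loop below; the `stty -g`/`stty -echo` setup is unchanged.
```nix
      get_password() {
        # … unchanged: local ret / reply / tty_stat, stty -g, stty -echo …
        for i in `seq 1 3`; do
          # Prompt on stderr: callers capture stdout to read the passphrase.
          echo -n "$1: " >&2
          read -r reply
          printf '%s\n' "$reply" | "$2"
          ret=$?
          if [ "$ret" = "0" ]; then
            break
          fi
        done
        stty "$tty_stat"
        return $ret
      }
```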
@@ -0,0 +1,129 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + inherit (pkgs) plymouth; + + cfg = config.boot.plymouth; + + themesEnv = pkgs.buildEnv { + name = "plymouth-themes"; + paths = [ plymouth ] ++ cfg.themePackages; + }; + + configFile = pkgs.writeText "plymouthd.conf" '' + [Daemon] + ShowDelay=0 + Theme=${cfg.theme} + ''; + +in + +{ + + options = { + + boot.plymouth = { + + enable = mkEnableOption "Plymouth boot splash screen"; + + themePackages = mkOption { + default = []; + type = types.listOf types.package; + description = '' + Extra theme packages for plymouth. + ''; + }; + + theme = mkOption { + default = "fade-in"; + type = types.str; + description = '' + Splash screen theme. + ''; + }; + + logo = mkOption { + type = types.path; + default = pkgs.fetchurl { + url = "https://nixos.org/logo/nixos-hires.png"; + sha256 = "1ivzgd7iz0i06y36p8m5w48fd8pjqwxhdaavc0pxs7w1g7mcy5si"; + }; + description = '' + Logo which is displayed on the splash screen. + ''; + }; + + }; + + }; + + config = mkIf cfg.enable { + + boot.kernelParams = [ "splash" ]; + + # To be discoverable by systemd. + environment.systemPackages = [ plymouth ]; + + environment.etc."plymouth/plymouthd.conf".source = configFile; + environment.etc."plymouth/plymouthd.defaults".source = "${plymouth}/share/plymouth/plymouth.defaults"; + environment.etc."plymouth/logo.png".source = cfg.logo; + environment.etc."plymouth/themes".source = "${themesEnv}/share/plymouth/themes"; + # XXX: Needed because we supply a different set of plugins in initrd. 
+ environment.etc."plymouth/plugins".source = "${plymouth}/lib/plymouth"; + + systemd.packages = [ plymouth ]; + + systemd.services.plymouth-kexec.wantedBy = [ "kexec.target" ]; + systemd.services.plymouth-halt.wantedBy = [ "halt.target" ]; + systemd.services.plymouth-quit = { + wantedBy = [ "multi-user.target" ]; + after = [ "display-manager.service" "multi-user.target" ]; + }; + systemd.services.plymouth-poweroff.wantedBy = [ "poweroff.target" ]; + systemd.services.plymouth-reboot.wantedBy = [ "reboot.target" ]; + systemd.services.plymouth-read-write.wantedBy = [ "sysinit.target" ]; + + boot.initrd.extraUtilsCommands = '' + copy_bin_and_libs ${pkgs.plymouth}/bin/plymouthd + copy_bin_and_libs ${pkgs.plymouth}/bin/plymouth + + moduleName="$(sed -n 's,ModuleName *= *,,p' ${themesEnv}/share/plymouth/themes/${cfg.theme}/${cfg.theme}.plymouth)" + + mkdir -p $out/lib/plymouth/renderers + cp ${plymouth}/lib/plymouth/{text,details,$moduleName}.so $out/lib/plymouth + cp ${plymouth}/lib/plymouth/renderers/{drm,frame-buffer}.so $out/lib/plymouth/renderers + + mkdir -p $out/share/plymouth/themes + cp ${plymouth}/share/plymouth/plymouthd.defaults $out/share/plymouth + cp -r ${themesEnv}/share/plymouth/themes/{text,details,${cfg.theme}} $out/share/plymouth/themes + cp ${cfg.logo} $out/share/plymouth/logo.png + ''; + + boot.initrd.extraUtilsCommandsTest = '' + $out/bin/plymouthd --help >/dev/null + $out/bin/plymouth --help >/dev/null + ''; + + boot.initrd.extraUdevRulesCommands = '' + cp ${config.systemd.package}/lib/udev/rules.d/{70-uaccess,71-seat}.rules $out + sed -i '/loginctl/d' $out/71-seat.rules + ''; + + boot.initrd.preLVMCommands = mkAfter '' + mkdir -p /etc/plymouth + ln -s ${configFile} /etc/plymouth/plymouthd.conf + ln -s $extraUtils/share/plymouth/plymouthd.defaults /etc/plymouth/plymouthd.defaults + ln -s $extraUtils/share/plymouth/logo.png /etc/plymouth/logo.png + ln -s $extraUtils/share/plymouth/themes /etc/plymouth/themes + ln -s $extraUtils/lib/plymouth 
/etc/plymouth/plugins + + plymouthd --mode=boot --pid-file=/run/plymouth/pid --attach-to-session + plymouth --show-splash + ''; + + }; + +} diff --git a/nixos/modules/system/boot/resolved.nix b/nixos/modules/system/boot/resolved.nix index 5a98b9b6d480..4b7c545dcc0d 100644 --- a/nixos/modules/system/boot/resolved.nix +++ b/nixos/modules/system/boot/resolved.nix @@ -1,7 +1,9 @@ { config, lib, pkgs, ... }: with lib; - +let + cfg = config.services.resolved; +in { options = { 
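Review bot: In `boot.initrd.extraUtilsCommands`, `moduleName` is read from `${cfg.theme}.plymouth` with `sed -n` and used unchecked in `cp ${plymouth}/lib/plymouth/{text,details,$moduleName}.so`; when the theme is not in `themesEnv` or lacks a `ModuleName` line the variable is empty and the build dies on a cryptic `cp` error about `.so`. I would guard it right after the `sed`: `[ -n "$moduleName" ] || { echo "plymouth theme '${cfg.theme}' not found or has no ModuleName" >&2; exit 1; }`. Also, `preLVMCommands` starts `plymouthd` on the console before the LUKS prompts from `luksroot.nix` (whose `get_password` reads the passphrase with a plain `read` on the same console), so the module should carry a comment on how the splash and that text prompt are expected to coexist, presumably by routing the prompt through `plymouth ask-for-password` later. A short header comment describing the module's scope (splash in initrd and stage 2, themes via `themePackages`) would help too, since the file has none.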
@@ -14,9 +16,60 @@ with lib; ''; }; + services.resolved.fallbackDns = mkOption { + default = [ ]; + example = [ "8.8.8.8" "2001:4860:4860::8844" ]; + type = types.listOf types.str; + description = '' + A list of IPv4 and IPv6 addresses to use as the fallback DNS servers. + If this option is empty, a compiled-in list of DNS servers is used instead. + ''; + }; + + services.resolved.domains = mkOption { + default = config.networking.search; + example = [ "example.com" ]; + type = types.listOf types.str; + description = '' + A list of domains. These domains are used as search suffixes when resolving single-label host names (domain names which contain no dot), in order to qualify them into fully-qualified domain names (FQDNs). + For compatibility reasons, if this setting is not specified, the search domains listed in /etc/resolv.conf are used instead, if that file exists and any domains are configured in it. + ''; + }; + + services.resolved.llmnr = mkOption { + default = "true"; + example = "false"; + type = types.enum [ "true" "resolve" "false" ]; + description = '' + Controls Link-Local Multicast Name Resolution support (RFC 4794) on the local host. + If true, enables full LLMNR responder and resolver support. + If false, disables both. + If set to "resolve", only resolution support is enabled, but responding is disabled. + ''; + }; + + services.resolved.dnssec = mkOption { + default = "allow-downgrade"; + example = "true"; + type = types.enum [ "true" "allow-downgrade" "false" ]; + description = '' + If true all DNS lookups are DNSSEC-validated locally (excluding LLMNR and Multicast DNS). Note that this mode requires a DNS server that supports DNSSEC. If the DNS server does not properly support DNSSEC all validations will fail. + If set to "allow-downgrade" DNSSEC validation is attempted, but if the server does not support DNSSEC properly, DNSSEC mode is automatically disabled. 
Note that this mode makes DNSSEC validation vulnerable to "downgrade" attacks, where an attacker might be able to trigger a downgrade to non-DNSSEC mode by synthesizing a DNS response that suggests DNSSEC was not supported. + If set to false, DNS lookups are not DNSSEC validated. + ''; + }; + + services.resolved.extraConfig = mkOption { + default = ""; + type = types.lines; + description = '' + Extra config to append to resolved.conf. + ''; + }; + }; - config = mkIf config.services.resolved.enable { + config = mkIf cfg.enable { systemd.additionalUpstreamSystemUnits = [ "systemd-resolved.service" ]; @@ -27,7 +80,15 @@ with lib; environment.etc."systemd/resolved.conf".text = '' [Resolve] - DNS=${concatStringsSep " " config.networking.nameservers} + ${optionalString (config.networking.nameservers != []) + "DNS=${concatStringsSep " " config.networking.nameservers}"} + ${optionalString (cfg.fallbackDns != []) + "FallbackDNS=${concatStringsSep " " cfg.fallbackDns}"} + ${optionalString (cfg.domains != []) + "Domains=${concatStringsSep " " cfg.domains}"} + LLMNR=${cfg.llmnr} + DNSSEC=${cfg.dnssec} + ${config.services.resolved.extraConfig} ''; }; diff --git a/nixos/modules/system/boot/stage-1-init.sh b/nixos/modules/system/boot/stage-1-init.sh index 9bffcd31b9b4..6b1bf0b3e028 100644 --- a/nixos/modules/system/boot/stage-1-init.sh +++ b/nixos/modules/system/boot/stage-1-init.sh @@ -3,6 +3,7 @@ targetRoot=/mnt-root console=tty1 +extraUtils="@extraUtils@" export LD_LIBRARY_PATH=@extraUtils@/lib export PATH=@extraUtils@/bin ln -s @extraUtils@/bin /bin @@ -13,6 +14,9 @@ export LVM_SUPPRESS_FD_WARNINGS=true fail() { if [ -n "$panicOnFail" ]; then exit 1; fi + # If we have a splash screen started, quit it. + command -v plymouth >/dev/null 2>&1 && plymouth quit + # If starting stage 2 failed, allow the user to repair the problem # in an interactive shell. cat <<EOF 
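Review bot: `LLMNR=${cfg.llmnr}` in the `@@ -27` hunk defaults to `true`, which enables the LLMNR responder as well as the resolver, so every host with `services.resolved.enable` answers multicast name queries on all its links; that widens exposure on untrusted networks and belongs in the option description in the `@@ -14` hunk, e.g. `Note that "true" also makes this host answer LLMNR queries from the local link; use "resolve" or "false" on untrusted networks.` The same description cites "RFC 4794" while LLMNR is specified in RFC 4795, so the number should be corrected. The `@@ -27` hunk writes `${config.services.resolved.extraConfig}` while every other line uses `cfg.`; `${cfg.extraConfig}` keeps the file consistent with the `let cfg = …` introduced in the first hunk. The `dnssec` description already explains the downgrade risk of the `allow-downgrade` default, which is good.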
@@ -70,6 +74,8 @@ mount -t sysfs sysfs /sys mount -t devtmpfs -o "size=@devSize@" devtmpfs /dev mkdir -p /run mount -t tmpfs -o "mode=0755,size=@runSize@" tmpfs /run +mkdir /dev/pts +mount -t devpts devpts /dev/pts # Log the script output to /dev/kmsg or /run/log/stage-1-init.log. mkdir -p /tmp diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index 5e6554324ca4..56a9c38b8f2b 100644 --- a/nixos/modules/system/boot/stage-1.nix +++ b/nixos/modules/system/boot/stage-1.nix @@ -81,9 +81,9 @@ let # Copy ld manually since it isn't detected correctly cp -pv ${pkgs.glibc.out}/lib/ld*.so.? $out/lib - # Copy all of the needed libraries for the binaries - for BIN in $(find $out/{bin,sbin} -type f); do - echo "Copying libs for bin $BIN" + # Copy all of the needed libraries + find $out/bin $out/lib -type f | while read BIN; do + echo "Copying libs for executable $BIN" LDD="$(ldd $BIN)" || continue LIBS="$(echo "$LDD" | awk '{print $3}' | sed '/^$/d')" for LIB in $LIBS; do @@ -104,13 +104,17 @@ let stripDirs "lib bin" "-s" # Run patchelf to make the programs refer to the copied libraries. - for i in $out/bin/* $out/lib/*; do if ! test -L $i; then nuke-refs -e $out $i; fi; done + find $out/bin $out/lib -type f | while read i; do + if ! test -L $i; then + nuke-refs -e $out $i + fi + done - for i in $out/bin/*; do - if ! test -L $i; then - echo "patching $i..." - patchelf --set-interpreter $out/lib/ld*.so.? --set-rpath $out/lib $i || true - fi + find $out/bin -type f | while read i; do + if ! test -L $i; then + echo "patching $i..." + patchelf --set-interpreter $out/lib/ld*.so.? --set-rpath $out/lib $i || true + fi done # Make sure that the patchelf'ed binaries still work. @@ -138,6 +142,7 @@ let udevRules = pkgs.stdenv.mkDerivation { name = "udev-rules"; + allowedReferences = [ extraUtils ]; buildCommand = '' mkdir -p $out 
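Review bot: `mkdir /dev/pts` is the only bare `mkdir` in this block while its neighbours use `mkdir -p`; `mkdir -p /dev/pts` avoids a spurious failure should the directory already exist on the freshly mounted devtmpfs. Since the `initrd-ssh.nix` hunk earlier in this commit removes the same two lines from `postCommands`, a comment here, `# devpts was previously mounted by initrd-ssh.nix; needed by anything that allocates a pty in stage 1`, records why it moved. The rest of the mount sequence lies outside the hunk.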
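Review bot: After switching to `find $out/bin $out/lib -type f` in the `@@ -104` hunk, the `if ! test -L $i` checks inside both `while read i` loops are dead: `find -type f` without `-L` never yields symlinks, so either drop the tests or, if symlinks under `$out/bin` are meant to be patched through their targets as the old `for i in $out/bin/*` loop did, use `find -L … -type f` and keep them. In all three loops (`@@ -81` and `@@ -104`) `read` without `-r` and the unquoted `$i`/`$BIN` are fine for store paths today, but `while read -r i` with `"$i"` costs nothing and removes the assumption. The `allowedReferences = [ extraUtils ];` line in the `@@ -138` hunk is a useful closure check and deserves a one-line comment, e.g. `# udev rules must not drag anything but extraUtils into the initrd`.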
@@ -160,7 +165,8 @@ let --replace /sbin/mdadm ${extraUtils}/bin/mdadm \ --replace /bin/sh ${extraUtils}/bin/sh \ --replace /usr/bin/readlink ${extraUtils}/bin/readlink \ - --replace /usr/bin/basename ${extraUtils}/bin/basename + --replace /usr/bin/basename ${extraUtils}/bin/basename \ + --replace ${udev}/bin/udevadm ${extraUtils}/bin/udevadm done # Work around a bug in QEMU, which doesn't implement the "READ diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 076bbca850d9..5c8cce5066af 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -669,6 +669,7 @@ in "systemd/logind.conf".text = '' [Login] + KillUserProcesses=no ${config.services.logind.extraConfig} ''; @@ -763,7 +764,7 @@ in { wantedBy = [ "timers.target" ]; timerConfig.OnCalendar = service.startAt; }) - (filterAttrs (name: service: service.startAt != "") cfg.services); + (filterAttrs (name: service: service.enable && service.startAt != "") cfg.services); # Generate timer units for all services that have a ‘startAt’ value. systemd.user.timers = @@ -793,6 +794,8 @@ in systemd.services.systemd-remount-fs.restartIfChanged = false; systemd.services.systemd-update-utmp.restartIfChanged = false; systemd.services.systemd-user-sessions.restartIfChanged = false; # Restart kills all active sessions. + systemd.services.systemd-logind.restartTriggers = [ config.environment.etc."systemd/logind.conf".source ]; + systemd.services.systemd-logind.stopIfChanged = false; systemd.targets.local-fs.unitConfig.X-StopOnReconfiguration = true; systemd.targets.remote-fs.unitConfig.X-StopOnReconfiguration = true; systemd.services.systemd-binfmt.wants = [ "proc-sys-fs-binfmt_misc.automount" ]; |
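Review bot: `KillUserProcesses=no` is added to logind.conf with no comment on why; newer systemd releases default this setting to `yes`, which kills user processes such as tmux or screen on logout, so I would document the intent and the override path: `# Newer systemd defaults to "yes", killing tmux/screen on logout; keep the old behaviour. Later assignments in services.logind.extraConfig should override this.` Note that `no` also means any process a user leaves behind survives the session, which is the security trade-off being made here. The `restartTriggers`/`stopIfChanged = false` pair in the `@@ -793` hunk appears to let logind pick up the new file without the stop that would drop sessions, consistent with the `systemd-user-sessions` comment on the line above.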