author | Ben Wolsieffer <benwolsieffer@gmail.com> | 2018-03-27 19:57:52 -0400 |
committer | Ben Wolsieffer <benwolsieffer@gmail.com> | 2020-06-04 18:30:46 -0400 |
commit | 14eceb59915d52e9bdcfa832d98b68f7c64db2f0 (patch) | |
tree | a7cd0d6a27913cfd26b68b0f11a4f2a1ab230011 /nixos/modules/system | |
parent | 50a5e5597a33f40567f2592ab7c59bb9856fab7b (diff) | |
nixos/grub: support initrd secrets
Diffstat (limited to 'nixos/modules/system')
-rw-r--r-- | nixos/modules/system/boot/loader/grub/grub.nix | 35 | ||||
-rw-r--r-- | nixos/modules/system/boot/loader/grub/install-grub.pl | 36 |
2 files changed, 44 insertions, 27 deletions
diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix
index c775632a4aa0..67e8bf6fd654 100644
--- a/nixos/modules/system/boot/loader/grub/grub.nix
+++ b/nixos/modules/system/boot/loader/grub/grub.nix
@@ -60,7 +60,7 @@ let
 inherit (efi) canTouchEfiVariables; inherit (cfg) version extraConfig extraPerEntryConfig extraEntries forceInstall useOSProber
- extraEntriesBeforeNixOS extraPrepareConfig extraInitrd configurationLimit copyKernels
+ extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels
 default fsIdentifier efiSupport efiInstallAsRemovable gfxmodeEfi gfxmodeBios gfxpayloadEfi gfxpayloadBios; path = with pkgs; makeBinPath ( [ coreutils gnused gnugrep findutils diffutils btrfs-progs utillinux mdadm ]
@@ -292,19 +292,6 @@ in
 ''; };
- extraInitrd = mkOption {
- type = types.nullOr types.path;
- default = null;
- example = "/boot/extra_initramfs.gz";
- description = ''
- The path to a second initramfs to be supplied to the kernel.
- This ramfs will not be copied to the store, so that it can
- contain secrets such as LUKS keyfiles or ssh keys.
- This implies that rolling back to a previous configuration
- won't rollback the state of this file.
- '';
- };
-
 useOSProber = mkOption { default = false; type = types.bool;
@@ -608,6 +595,8 @@ in
 { path = "/boot"; inherit (cfg) devices; inherit (efi) efiSysMountPoint; } ];
+ boot.loader.supportsInitrdSecrets = true;
+
 system.build.installBootLoader = let install-grub-pl = pkgs.substituteAll {
@@ -705,6 +694,24 @@ in
 (mkRenamedOptionModule [ "boot" "grubDevice" ] [ "boot" "loader" "grub" "device" ]) (mkRenamedOptionModule [ "boot" "bootMount" ] [ "boot" "loader" "grub" "bootDevice" ]) (mkRenamedOptionModule [ "boot" "grubSplashImage" ] [ "boot" "loader" "grub" "splashImage" ])
+ (mkRemovedOptionModule [ "boot" "loader" "grub" "extraInitrd" ] ''
+ This option has been replaced with the bootloader agnostic
+ boot.initrd.secrets option. To migrate to the initrd secrets system,
+ extract the extraInitrd archive into your main filesystem:
+
+ # zcat /boot/extra_initramfs.gz | cpio -idvmD /etc/secrets/initrd
+ /path/to/secret1
+ /path/to/secret2
+
+ then replace boot.loader.grub.extraInitrd with boot.initrd.secrets:
+
+ boot.initrd.secrets = {
+ "/path/to/secret1" = "/etc/secrets/initrd/path/to/secret1";
+ "/path/to/secret2" = "/etc/secrets/initrd/path/to/secret2";
+ };
+
+ See the boot.initrd.secrets option documentation for more information.
+ '')
 ]; }
diff --git a/nixos/modules/system/boot/loader/grub/install-grub.pl b/nixos/modules/system/boot/loader/grub/install-grub.pl
index 8df18cbd9013..e469b18abd09 100644
--- a/nixos/modules/system/boot/loader/grub/install-grub.pl
+++ b/nixos/modules/system/boot/loader/grub/install-grub.pl
@@ -49,7 +49,6 @@ my $extraPrepareConfig = get("extraPrepareConfig");
 my $extraPerEntryConfig = get("extraPerEntryConfig");
 my $extraEntries = get("extraEntries");
 my $extraEntriesBeforeNixOS = get("extraEntriesBeforeNixOS") eq "true";
-my $extraInitrd = get("extraInitrd");
 my $splashImage = get("splashImage");
 my $splashMode = get("splashMode");
 my $backgroundColor = get("backgroundColor");
@@ -232,13 +231,6 @@ my $grubStore;
 if ($copyKernels == 0) {
 $grubStore = GrubFs($storePath);
 }
-my $extraInitrdPath;
-if ($extraInitrd) {
- if (! -f $extraInitrd) {
- print STDERR "Warning: the specified extraInitrd " . $extraInitrd . " doesn't exist. Your system won't boot without it.\n";
- }
- $extraInitrdPath = GrubFs($extraInitrd);
-}
 # Generate the header.
 my $conf .= "# Automatically generated. DO NOT EDIT THIS FILE!\n";
@@ -363,9 +355,30 @@ sub addEntry {
 my $kernel = copyToKernelsDir(Cwd::abs_path("$path/kernel"));
 my $initrd = copyToKernelsDir(Cwd::abs_path("$path/initrd"));
- if ($extraInitrd) {
- $initrd .= " " .$extraInitrdPath->path;
+
+ # Include second initrd with secrets
+ if (-e -x "$path/append-initrd-secrets") {
+ my $initrdName = basename($initrd);
+ my $initrdSecretsPath = "$bootPath/kernels/$initrdName-secrets";
+
+ mkpath(dirname($initrdSecretsPath), 0, 0755);
+ my $oldUmask = umask;
+ # Make sure initrd is not world readable (won't work if /boot is FAT)
+ umask 0137;
+ my $initrdSecretsPathTemp = File::Temp::mktemp("$initrdSecretsPath.XXXXXXXX");
+ system("$path/append-initrd-secrets", $initrdSecretsPathTemp) == 0 or die "failed to create initrd secrets\n";
+ # Check whether any secrets were actually added
+ if (-e $initrdSecretsPathTemp && ! -z _) {
+ rename $initrdSecretsPathTemp, $initrdSecretsPath or die "failed to move initrd secrets into place\n";
+ $copied{$initrdSecretsPath} = 1;
+ $initrd .= " " . ($grubBoot->path eq "/" ? "" : $grubBoot->path) . "/kernels/$initrdName-secrets";
+ } else {
+ unlink $initrdSecretsPathTemp;
+ rmdir dirname($initrdSecretsPathTemp);
+ }
+ umask $oldUmask;
 }
+
 my $xen = -e "$path/xen.gz" ? copyToKernelsDir(Cwd::abs_path("$path/xen.gz")) : undef; # FIXME: $confName
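Review bot: Both failure branches in the new secrets block leave the temporary file on disk: if `system("$path/append-initrd-secrets", $initrdSecretsPathTemp)` returns non-zero after the helper has already written part of the archive, or if the `rename` fails, the `die` fires without unlinking `$initrdSecretsPathTemp`, so a partially written copy of the secrets stays under `$bootPath/kernels/` with a random suffix that is never recorded in `%copied` (whether the script's cleanup elsewhere would remove such a file is not visible in this hunk). Unlink before dying, e.g. `system("$path/append-initrd-secrets", $initrdSecretsPathTemp) == 0 or do { unlink $initrdSecretsPathTemp; die "failed to create initrd secrets\n" };`, and the same wrapper around the `rename`. Note also that `File::Temp::mktemp` only generates a name — the file itself is created by the child under the 0137 umask — and the comment already concedes that umask has no effect on FAT; since an EFI `/boot` on the ESP is FAT, consider turning that comment into a `print STDERR` warning so the user learns that the secrets file will be world-readable there. `sub addEntry` begins and ends outside this hunk.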
@@ -388,9 +401,6 @@ sub addEntry {
 if ($copyKernels == 0) {
 $conf .= $grubStore->search . "\n";
 }
- if ($extraInitrd) {
- $conf .= $extraInitrdPath->search . "\n";
- }
 $conf .= " $extraPerEntryConfig\n" if $extraPerEntryConfig;
 $conf .= " multiboot $xen $xenParams\n" if $xen;
 $conf .= " " . ($xen ? "module" : "linux") . " $kernel $kernelParams\n";