diff options
author | digital <132694082+digtail@users.noreply.github.com> | 2023-09-23 14:32:09 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-09-23 14:32:09 +0200 |
commit | 94e939985b7730fd74b1c2e03292661734b490f0 (patch) | |
tree | f128ae61f727f7217d5a9093f47ff9fe02b3c0fa /nixos/modules/system | |
parent | 8bd11cde4dff85592044d217e7b7851e57d45bb3 (diff) | |
download | nixlib-94e939985b7730fd74b1c2e03292661734b490f0.tar nixlib-94e939985b7730fd74b1c2e03292661734b490f0.tar.gz nixlib-94e939985b7730fd74b1c2e03292661734b490f0.tar.bz2 nixlib-94e939985b7730fd74b1c2e03292661734b490f0.tar.lz nixlib-94e939985b7730fd74b1c2e03292661734b490f0.tar.xz nixlib-94e939985b7730fd74b1c2e03292661734b490f0.tar.zst nixlib-94e939985b7730fd74b1c2e03292661734b490f0.zip |
nixos/boot/rasbperrypi: add support for boot.initrd.secret with uboot (#240358)
Co-authored-by: digital <didev@dinid.net>
Diffstat (limited to 'nixos/modules/system')
3 files changed, 33 insertions, 3 deletions
diff --git a/nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.sh b/nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.sh index 1a0da0050291..84a0a93ded17 100644 --- a/nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.sh +++ b/nixos/modules/system/boot/loader/generic-extlinux-compatible/extlinux-conf-builder.sh @@ -70,13 +70,33 @@ copyToKernelsDir() { addEntry() { local path=$(readlink -f "$1") local tag="$2" # Generation number or 'default' + local current="$3" # whether this is the current/latest generation if ! test -e $path/kernel -a -e $path/initrd; then return fi + if test -e "$path/append-initrd-secrets"; then + local initrd="$target/nixos/$(basename "$path")-initramfs-with-secrets" + cp $(readlink -f "$path/initrd") "$initrd" + chmod 600 "${initrd}" + chown 0:0 "${initrd}" + filesCopied[$initrd]=1 + + "$path/append-initrd-secrets" "$initrd" || if test "${current}" = "1"; then + echo "failed to create initrd secrets for the current generation." >&2 + echo "are your \`boot.initrd.secrets\` still in place?" >&2 + exit 1 + else + echo "warning: failed to create initrd secrets for \"$path\", an older generation" >&2 + echo "note: this is normal after having removed or renamed a file in \`boot.initrd.secrets\`" >&2 + fi + else + copyToKernelsDir "$path/initrd"; initrd=$result + fi + copyToKernelsDir "$path/kernel"; kernel=$result - copyToKernelsDir "$path/initrd"; initrd=$result + dtbDir=$(readlink -m "$path/dtbs") if [ -e "$dtbDir" ]; then copyToKernelsDir "$dtbDir"; dtbs=$result @@ -130,18 +150,20 @@ MENU TITLE ------------------------------------------------------------ TIMEOUT $timeout EOF -addEntry $default default >> $tmpFile +addEntry $default default 1 >> $tmpFile if [ "$numGenerations" -gt 0 ]; then # Add up to $numGenerations generations of the system profile to the menu, # in reverse (most recent to least recent) order. + current=1 for generation in $( (cd /nix/var/nix/profiles && ls -d system-*-link) \ | sed 's/system-\([0-9]\+\)-link/\1/' \ | sort -n -r \ | head -n $numGenerations); do link=/nix/var/nix/profiles/system-$generation-link - addEntry $link $generation + addEntry $link $generation $current + current=0 done >> $tmpFile fi diff --git a/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix b/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix index 9c9bee93de8a..c64ef092667b 100644 --- a/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix +++ b/nixos/modules/system/boot/loader/raspberrypi/raspberrypi.nix @@ -142,6 +142,7 @@ in assertion = !pkgs.stdenv.hostPlatform.isAarch64 || cfg.version >= 3; message = "Only Raspberry Pi >= 3 supports aarch64."; }; + boot.loader.supportsInitrdSecrets = cfg.uboot.enable; system.build.installBootLoader = builder; system.boot.loader.id = "raspberrypi"; diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index a3551f68dbe8..1cf58dbe9f1f 100644 --- a/nixos/modules/system/boot/stage-1.nix +++ b/nixos/modules/system/boot/stage-1.nix @@ -610,6 +610,13 @@ in path the secret should have inside the initrd, the value is the path it should be copied from (or null for the same path inside and out). + + The loader `generic-extlinux-compatible` supports this. Because + it is not well know how different implementations react to + concatenated cpio archives, this is disabled by default. It can be + enabled by setting {option}`boot.loader.supportsInitrdSecrets` + to true. If this works for you, please report your findings at + https://github.com/NixOS/nixpkgs/issues/247145 . ''; example = literalExpression '' |