author | Jörg Thalheim <Mic92@users.noreply.github.com> | 2017-09-22 12:46:17 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-09-22 12:46:17 +0100 |
commit | 42be8dbe154a3cb44d67dd9c16bf1cdd56504871 (patch) | |
tree | 29722821f9fe895650f3598f878260af25d1c849 /nixos | |
parent | e17e22d455dfeadac47b38f467ba9d8700a3fcfd (diff) | |
parent | 2000fba5619c105f7df24736789365cc271b6596 (diff) | |
Merge pull request #29344 from Moredread/fix/fileystem-encrypted-keyfile-missing-initrd-support
nixos/fileystems: Fix boot fails with encrypted fs
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/system/boot/luksroot.nix | 12 | ||||
-rw-r--r-- | nixos/modules/tasks/encrypted-devices.nix | 1 |
2 files changed, 12 insertions, 1 deletions
diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index 3ca679b479a0..06f004fb06ec 100644
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -235,6 +235,16 @@ in
 '';
 };
+ boot.initrd.luks.forceLuksSupportInInitrd = mkOption {
+ type = types.bool;
+ default = false;
+ internal = true;
+ description = ''
+ Whether to configure luks support in the initrd, when no luks
+ devices are configured.
+ '';
+ };
+
 boot.initrd.luks.devices = mkOption {
 default = { };
 example = { "luksroot".device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; };
@@ -417,7 +427,7 @@ in
 };
 };
- config = mkIf (luks.devices != {}) {
+ config = mkIf (luks.devices != {} || luks.forceLuksSupportInInitrd) {
 # actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested
 boot.blacklistedKernelModules = optionals luks.mitigateDMAAttacks
diff --git a/nixos/modules/tasks/encrypted-devices.nix b/nixos/modules/tasks/encrypted-devices.nix
index b1a7711ddcb4..b019ddc3a98c 100644
--- a/nixos/modules/tasks/encrypted-devices.nix
+++ b/nixos/modules/tasks/encrypted-devices.nix
@@ -61,6 +61,7 @@ in
 devices = map (dev: { name = dev.encrypted.label; device = dev.encrypted.blkDev; } ) keylessEncDevs;
 cryptoModules = [ "aes" "sha256" "sha1" "xts" ];
+ forceLuksSupportInInitrd = true;
 };
 postMountCommands = concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n") keyedEncDevs; |
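Review bot: The widened gate `mkIf (luks.devices != {} || luks.forceLuksSupportInInitrd)` in luksroot.nix makes the whole config body apply with an empty device set, although that body was so far only evaluated with at least one device. The visible part of the body sets `boot.blacklistedKernelModules` under `luks.mitigateDMAAttacks`, so hosts that only have keyfile-unlocked filesystems would presumably now get that blacklist too; this looks desirable, but it is a behaviour change the commit message does not mention. The rest of the body lies outside the hunk, so it should be confirmed that the per-device commands generated there come out empty, not malformed, when `luks.devices` is `{}`. A comment above the condition would record the reason, for example `# also set by encrypted-devices.nix: keyfile devices are opened after mount and still need cryptsetup in the initrd`.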
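Review bot: The `postMountCommands` line next to the new `forceLuksSupportInInitrd = true;` in encrypted-devices.nix interpolates `dev.encrypted.keyFile`, `dev.encrypted.blkDev` and `dev.encrypted.label` unquoted into a shell command. Since this commit is what makes that command usable in the initrd, a value containing whitespace or shell metacharacters would be split or interpreted by the stage-1 shell. Each interpolation should be quoted, e.g. `--key-file ${escapeShellArg dev.encrypted.keyFile}`, assuming `lib`'s `escapeShellArg` is in scope in this file (the `with` header is outside the hunk). Separately, the key file is read only after mounting, so it sits on an already-mounted filesystem; the option documentation could state that the key is only as protected as that filesystem. The enclosing attribute set starts outside the hunk, so whether the flag is set only when encrypted filesystems exist cannot be checked from here.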