1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
|
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.boot.initrd.clevis;
systemd = config.boot.initrd.systemd;
supportedFs = [ "zfs" "bcachefs" ];
in
{
meta.maintainers = with maintainers; [ julienmalka camillemndn ];
meta.doc = ./clevis.md;
options = {
boot.initrd.clevis.enable = mkEnableOption (lib.mdDoc "Clevis in initrd");
boot.initrd.clevis.package = mkOption {
type = types.package;
default = pkgs.clevis;
defaultText = "pkgs.clevis";
description = lib.mdDoc "Clevis package";
};
boot.initrd.clevis.devices = mkOption {
description = "Encrypted devices that need to be unlocked at boot using Clevis";
default = { };
type = types.attrsOf (types.submodule ({
options.secretFile = mkOption {
description = lib.mdDoc "Clevis JWE file used to decrypt the device at boot, in concert with the chosen pin (one of TPM2, Tang server, or SSS).";
type = types.path;
};
}));
};
boot.initrd.clevis.useTang = mkOption {
description = "Whether the Clevis JWE file used to decrypt the devices uses a Tang server as a pin.";
default = false;
type = types.bool;
};
};
config = mkIf cfg.enable {
# Implementation of clevis unlocking for the supported filesystems are located directly in the respective modules.
assertions = (attrValues (mapAttrs
(device: _: {
assertion = (any (fs: fs.device == device && (elem fs.fsType supportedFs)) config.system.build.fileSystems) || (hasAttr device config.boot.initrd.luks.devices);
message = ''
No filesystem or LUKS device with the name ${device} is declared in your configuration.'';
})
cfg.devices));
warnings =
if cfg.useTang && !config.boot.initrd.network.enable && !config.boot.initrd.systemd.network.enable
then [ "In order to use a Tang pinned secret you must configure networking in initrd" ]
else [ ];
boot.initrd = {
extraUtilsCommands = mkIf (!systemd.enable) ''
copy_bin_and_libs ${pkgs.jose}/bin/jose
copy_bin_and_libs ${pkgs.curl}/bin/curl
copy_bin_and_libs ${pkgs.bash}/bin/bash
copy_bin_and_libs ${pkgs.tpm2-tools}/bin/.tpm2-wrapped
mv $out/bin/{.tpm2-wrapped,tpm2}
cp {${pkgs.tpm2-tss},$out}/lib/libtss2-tcti-device.so.0
copy_bin_and_libs ${cfg.package}/bin/.clevis-wrapped
mv $out/bin/{.clevis-wrapped,clevis}
for BIN in ${cfg.package}/bin/clevis-decrypt*; do
copy_bin_and_libs $BIN
done
for BIN in $out/bin/clevis{,-decrypt{,-null,-tang,-tpm2}}; do
sed -i $BIN -e 's,${pkgs.bash},,' -e 's,${pkgs.coreutils},,'
done
sed -i $out/bin/clevis-decrypt-tpm2 -e 's,tpm2_,tpm2 ,'
'';
secrets = lib.mapAttrs' (name: value: nameValuePair "/etc/clevis/${name}.jwe" value.secretFile) cfg.devices;
systemd = {
extraBin = mkIf systemd.enable {
clevis = "${cfg.package}/bin/clevis";
curl = "${pkgs.curl}/bin/curl";
};
storePaths = mkIf systemd.enable [
cfg.package
"${pkgs.jose}/bin/jose"
"${pkgs.curl}/bin/curl"
"${pkgs.tpm2-tools}/bin/tpm2_createprimary"
"${pkgs.tpm2-tools}/bin/tpm2_flushcontext"
"${pkgs.tpm2-tools}/bin/tpm2_load"
"${pkgs.tpm2-tools}/bin/tpm2_unseal"
];
};
};
};
}
|