Merge pull request #29344 from Moredread/fix/fileystem-encrypted-keyfile-missing-initrd-support

nixos/fileystems: Fix boot fails with encrypted fs
This commit is contained in:
Jörg Thalheim 2017-09-22 12:46:17 +01:00 committed by GitHub
commit 42be8dbe15
2 changed files with 12 additions and 1 deletions

View File

@ -235,6 +235,16 @@ in
'';
};
boot.initrd.luks.forceLuksSupportInInitrd = mkOption {
type = types.bool;
default = false;
internal = true;
description = ''
Whether to configure luks support in the initrd, when no luks
devices are configured.
'';
};
boot.initrd.luks.devices = mkOption {
default = { };
example = { "luksroot".device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; };
@ -417,7 +427,7 @@ in
};
};
config = mkIf (luks.devices != {}) {
config = mkIf (luks.devices != {} || luks.forceLuksSupportInInitrd) {
# actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested
boot.blacklistedKernelModules = optionals luks.mitigateDMAAttacks

View File

@ -61,6 +61,7 @@ in
devices =
map (dev: { name = dev.encrypted.label; device = dev.encrypted.blkDev; } ) keylessEncDevs;
cryptoModules = [ "aes" "sha256" "sha1" "xts" ];
forceLuksSupportInInitrd = true;
};
postMountCommands =
concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n") keyedEncDevs;