Merge pull request #29344 from Moredread/fix/fileystem-encrypted-keyfile-missing-initrd-support
nixos/filesystems: Fix boot failures with encrypted fs
commit
42be8dbe15
@ -235,6 +235,16 @@ in
'';
};
boot.initrd.luks.forceLuksSupportInInitrd = mkOption {
type = types.bool;
default = false;
internal = true;
description = ''
Whether to configure luks support in the initrd, when no luks
devices are configured.
'';
};
boot.initrd.luks.devices = mkOption {
default = { };
example = { "luksroot".device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; };
@ -417,7 +427,7 @@ in
};
};
config = mkIf (luks.devices != {}) {
config = mkIf (luks.devices != {} || luks.forceLuksSupportInInitrd) {
# actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested
boot.blacklistedKernelModules = optionals luks.mitigateDMAAttacks
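Review bot: The description of `boot.initrd.luks.forceLuksSupportInInitrd` (the option block added at the top of the first hunk) does not say what "luks support" pulls into the initrd or who is expected to set the flag, and because the option is `internal = true` this description is the only place a module author will learn that. I would make it explicit, e.g. `Whether to configure luks support in the initrd even when no luks devices are configured. Meant for modules that open LUKS volumes themselves, e.g. from boot.initrd.postMountCommands, and therefore need the luks tooling present in the initrd.` Which concrete pieces the flag enables is decided by the `config` block whose condition is changed in the second hunk; that block continues outside the hunk, so I have not named them in the wording.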
@ -61,6 +61,7 @@ in
devices =
map (dev: { name = dev.encrypted.label; device = dev.encrypted.blkDev; } ) keylessEncDevs;
cryptoModules = [ "aes" "sha256" "sha1" "xts" ];
forceLuksSupportInInitrd = true;
};
postMountCommands =
concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n") keyedEncDevs;
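Review bot: `forceLuksSupportInInitrd = true;` is set unconditionally, although it is only needed for the key-file devices that `postMountCommands` opens with `cryptsetup luksOpen` below; the `keylessEncDevs` entries are already listed under `devices` and trigger luks support on their own. Unless the enclosing attribute set (its start is outside the hunk) is already gated on an encrypted device being present, the narrower `forceLuksSupportInInitrd = keyedEncDevs != [];` (assuming `keyedEncDevs` is a list, as the `concatMapStrings` call suggests) states the intent and keeps luks tooling out of the initrd of systems with no encrypted file systems. A short comment on the new line would also help, e.g. `# keyed devices are opened from postMountCommands, so luks tooling is needed in the initrd even when devices is empty`.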