Merge pull request #38263 from lopsided98/grub-initrd-secrets

grub: support initrd secrets
This commit is contained in:
Joachim F 2018-06-06 19:05:54 +00:00 committed by GitHub
commit c06d7950f1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 31 additions and 28 deletions

View File

@ -121,6 +121,15 @@ $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull'
<literal>gnucash24</literal>. <literal>gnucash24</literal>.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
The GRUB specific option <option>boot.loader.grub.extraInitrd</option>
has been replaced with the generic option
<option>boot.initrd.secrets</option>. This option creates a secondary
initrd from the specified files, rather than using a manually created
initrd file.
</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>

View File

@ -35,6 +35,7 @@ let
let let
efiSysMountPoint = if args.efiSysMountPoint == null then args.path else args.efiSysMountPoint; efiSysMountPoint = if args.efiSysMountPoint == null then args.path else args.efiSysMountPoint;
efiSysMountPoint' = replaceChars [ "/" ] [ "-" ] efiSysMountPoint; efiSysMountPoint' = replaceChars [ "/" ] [ "-" ] efiSysMountPoint;
initrdSecrets = config.boot.initrd.secrets != {};
in in
pkgs.writeText "grub-config.xml" (builtins.toXML pkgs.writeText "grub-config.xml" (builtins.toXML
{ splashImage = f cfg.splashImage; { splashImage = f cfg.splashImage;
@ -49,12 +50,12 @@ let
storePath = config.boot.loader.grub.storePath; storePath = config.boot.loader.grub.storePath;
bootloaderId = if args.efiBootloaderId == null then "NixOS${efiSysMountPoint'}" else args.efiBootloaderId; bootloaderId = if args.efiBootloaderId == null then "NixOS${efiSysMountPoint'}" else args.efiBootloaderId;
timeout = if config.boot.loader.timeout == null then -1 else config.boot.loader.timeout; timeout = if config.boot.loader.timeout == null then -1 else config.boot.loader.timeout;
inherit efiSysMountPoint; inherit efiSysMountPoint initrdSecrets;
inherit (args) devices; inherit (args) devices;
inherit (efi) canTouchEfiVariables; inherit (efi) canTouchEfiVariables;
inherit (cfg) inherit (cfg)
version extraConfig extraPerEntryConfig extraEntries forceInstall useOSProber version extraConfig extraPerEntryConfig extraEntries forceInstall useOSProber
extraEntriesBeforeNixOS extraPrepareConfig extraInitrd configurationLimit copyKernels extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels
default fsIdentifier efiSupport efiInstallAsRemovable gfxmodeEfi gfxmodeBios; default fsIdentifier efiSupport efiInstallAsRemovable gfxmodeEfi gfxmodeBios;
path = (makeBinPath ([ path = (makeBinPath ([
pkgs.coreutils pkgs.gnused pkgs.gnugrep pkgs.findutils pkgs.diffutils pkgs.btrfs-progs pkgs.coreutils pkgs.gnused pkgs.gnugrep pkgs.findutils pkgs.diffutils pkgs.btrfs-progs
@ -284,19 +285,6 @@ in
''; '';
}; };
extraInitrd = mkOption {
type = types.nullOr types.path;
default = null;
example = "/boot/extra_initramfs.gz";
description = ''
The path to a second initramfs to be supplied to the kernel.
This ramfs will not be copied to the store, so that it can
contain secrets such as LUKS keyfiles or ssh keys.
This implies that rolling back to a previous configuration
won't rollback the state of this file.
'';
};
useOSProber = mkOption { useOSProber = mkOption {
default = false; default = false;
type = types.bool; type = types.bool;
@ -541,6 +529,8 @@ in
{ path = "/boot"; inherit (cfg) devices; inherit (efi) efiSysMountPoint; } { path = "/boot"; inherit (cfg) devices; inherit (efi) efiSysMountPoint; }
]; ];
boot.loader.supportsInitrdSecrets = true;
system.build.installBootLoader = system.build.installBootLoader =
let let
install-grub-pl = pkgs.substituteAll { install-grub-pl = pkgs.substituteAll {

View File

@ -49,7 +49,7 @@ my $extraPrepareConfig = get("extraPrepareConfig");
my $extraPerEntryConfig = get("extraPerEntryConfig"); my $extraPerEntryConfig = get("extraPerEntryConfig");
my $extraEntries = get("extraEntries"); my $extraEntries = get("extraEntries");
my $extraEntriesBeforeNixOS = get("extraEntriesBeforeNixOS") eq "true"; my $extraEntriesBeforeNixOS = get("extraEntriesBeforeNixOS") eq "true";
my $extraInitrd = get("extraInitrd"); my $initrdSecrets = get("initrdSecrets");
my $splashImage = get("splashImage"); my $splashImage = get("splashImage");
my $configurationLimit = int(get("configurationLimit")); my $configurationLimit = int(get("configurationLimit"));
my $copyKernels = get("copyKernels") eq "true"; my $copyKernels = get("copyKernels") eq "true";
@ -228,13 +228,6 @@ my $grubStore;
if ($copyKernels == 0) { if ($copyKernels == 0) {
$grubStore = GrubFs($storePath); $grubStore = GrubFs($storePath);
} }
my $extraInitrdPath;
if ($extraInitrd) {
if (! -f $extraInitrd) {
print STDERR "Warning: the specified extraInitrd " . $extraInitrd . " doesn't exist. Your system won't boot without it.\n";
}
$extraInitrdPath = GrubFs($extraInitrd);
}
# Generate the header. # Generate the header.
my $conf .= "# Automatically generated. DO NOT EDIT THIS FILE!\n"; my $conf .= "# Automatically generated. DO NOT EDIT THIS FILE!\n";
@ -354,9 +347,23 @@ sub addEntry {
my $kernel = copyToKernelsDir(Cwd::abs_path("$path/kernel")); my $kernel = copyToKernelsDir(Cwd::abs_path("$path/kernel"));
my $initrd = copyToKernelsDir(Cwd::abs_path("$path/initrd")); my $initrd = copyToKernelsDir(Cwd::abs_path("$path/initrd"));
if ($extraInitrd) {
$initrd .= " " .$extraInitrdPath->path; # Include second initrd with secrets
if ($initrdSecrets) {
# Get last element of path
$initrd =~ /\/([^\/]+)$/;
my $initrdSecretsPath = "$bootPath/kernels/$1-secrets";
$initrd .= " $initrd-secrets";
my $oldUmask = umask;
# Make sure initrd is not world readable (won't work if /boot is FAT)
umask 0137;
my $initrdSecretsPathTemp = File::Temp::mktemp("$initrdSecretsPath.XXXXXXXX");
system("$path/append-initrd-secrets", $initrdSecretsPathTemp) == 0 or die "failed to create initrd secrets\n";
rename $initrdSecretsPathTemp, $initrdSecretsPath or die "failed to move initrd secrets into place\n";
umask $oldUmask;
$copied{$initrdSecretsPath} = 1;
} }
my $xen = -e "$path/xen.gz" ? copyToKernelsDir(Cwd::abs_path("$path/xen.gz")) : undef; my $xen = -e "$path/xen.gz" ? copyToKernelsDir(Cwd::abs_path("$path/xen.gz")) : undef;
# FIXME: $confName # FIXME: $confName
@ -379,9 +386,6 @@ sub addEntry {
if ($copyKernels == 0) { if ($copyKernels == 0) {
$conf .= $grubStore->search . "\n"; $conf .= $grubStore->search . "\n";
} }
if ($extraInitrd) {
$conf .= $extraInitrdPath->search . "\n";
}
$conf .= " $extraPerEntryConfig\n" if $extraPerEntryConfig; $conf .= " $extraPerEntryConfig\n" if $extraPerEntryConfig;
$conf .= " multiboot $xen $xenParams\n" if $xen; $conf .= " multiboot $xen $xenParams\n" if $xen;
$conf .= " " . ($xen ? "module" : "linux") . " $kernel $kernelParams\n"; $conf .= " " . ($xen ? "module" : "linux") . " $kernel $kernelParams\n";