Merge pull request #38263 from lopsided98/grub-initrd-secrets

grub: support initrd secrets

nixos/doc/manual/release-notes/rl-1809.xml

@@ -121,6 +121,15 @@ $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull'
      <literal>gnucash24</literal>.
     </para>
    </listitem>
+   <listitem>
+    <para>
+      The GRUB specific option <option>boot.loader.grub.extraInitrd</option>
+      has been replaced with the generic option
+      <option>boot.initrd.secrets</option>. This option creates a secondary
+      initrd from the specified files, rather than using a manually created
+      initrd file.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 

nixos/modules/system/boot/loader/grub/grub.nix

@@ -35,6 +35,7 @@ let
     let
       efiSysMountPoint = if args.efiSysMountPoint == null then args.path else args.efiSysMountPoint;
       efiSysMountPoint' = replaceChars [ "/" ] [ "-" ] efiSysMountPoint;
+      initrdSecrets = config.boot.initrd.secrets != {};
     in
     pkgs.writeText "grub-config.xml" (builtins.toXML
     { splashImage = f cfg.splashImage;
@@ -49,12 +50,12 @@ let
       storePath = config.boot.loader.grub.storePath;
       bootloaderId = if args.efiBootloaderId == null then "NixOS${efiSysMountPoint'}" else args.efiBootloaderId;
       timeout = if config.boot.loader.timeout == null then -1 else config.boot.loader.timeout;
-      inherit efiSysMountPoint;
+      inherit efiSysMountPoint initrdSecrets;
       inherit (args) devices;
       inherit (efi) canTouchEfiVariables;
       inherit (cfg)
         version extraConfig extraPerEntryConfig extraEntries forceInstall useOSProber
-        extraEntriesBeforeNixOS extraPrepareConfig extraInitrd configurationLimit copyKernels
+        extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels
         default fsIdentifier efiSupport efiInstallAsRemovable gfxmodeEfi gfxmodeBios;
       path = (makeBinPath ([
         pkgs.coreutils pkgs.gnused pkgs.gnugrep pkgs.findutils pkgs.diffutils pkgs.btrfs-progs
@@ -284,19 +285,6 @@ in
         '';
       };
 
-      extraInitrd = mkOption {
-        type = types.nullOr types.path;
-        default = null;
-        example = "/boot/extra_initramfs.gz";
-        description = ''
-          The path to a second initramfs to be supplied to the kernel.
-          This ramfs will not be copied to the store, so that it can
-          contain secrets such as LUKS keyfiles or ssh keys.
-          This implies that rolling back to a previous configuration
-          won't rollback the state of this file.
-        '';
-      };
-
       useOSProber = mkOption {
         default = false;
         type = types.bool;
@@ -541,6 +529,8 @@ in
         { path = "/boot"; inherit (cfg) devices; inherit (efi) efiSysMountPoint; }
       ];
 
+      boot.loader.supportsInitrdSecrets = true;
+
       system.build.installBootLoader =
         let
           install-grub-pl = pkgs.substituteAll {

nixos/modules/system/boot/loader/grub/install-grub.pl

@@ -49,7 +49,7 @@ my $extraPrepareConfig = get("extraPrepareConfig");
 my $extraPerEntryConfig = get("extraPerEntryConfig");
 my $extraEntries = get("extraEntries");
 my $extraEntriesBeforeNixOS = get("extraEntriesBeforeNixOS") eq "true";
-my $extraInitrd = get("extraInitrd");
+my $initrdSecrets = get("initrdSecrets");
 my $splashImage = get("splashImage");
 my $configurationLimit = int(get("configurationLimit"));
 my $copyKernels = get("copyKernels") eq "true";
@@ -228,13 +228,6 @@ my $grubStore;
 if ($copyKernels == 0) {
     $grubStore = GrubFs($storePath);
 }
-my $extraInitrdPath;
-if ($extraInitrd) {
-    if (! -f $extraInitrd) {
-        print STDERR "Warning: the specified extraInitrd " . $extraInitrd . " doesn't exist. Your system won't boot without it.\n";
-    }
-    $extraInitrdPath = GrubFs($extraInitrd);
-}
 
 # Generate the header.
 my $conf .= "# Automatically generated.  DO NOT EDIT THIS FILE!\n";
@@ -354,9 +347,23 @@ sub addEntry {
 
     my $kernel = copyToKernelsDir(Cwd::abs_path("$path/kernel"));
     my $initrd = copyToKernelsDir(Cwd::abs_path("$path/initrd"));
-    if ($extraInitrd) {
+
-        $initrd .= " " .$extraInitrdPath->path;
+    # Include second initrd with secrets
+    if ($initrdSecrets) {
+      # Get last element of path
+      $initrd =~ /\/([^\/]+)$/;
+      my $initrdSecretsPath = "$bootPath/kernels/$1-secrets";
+      $initrd .= " $initrd-secrets";
+      my $oldUmask = umask;
+      # Make sure initrd is not world readable (won't work if /boot is FAT)
+      umask 0137;
+      my $initrdSecretsPathTemp = File::Temp::mktemp("$initrdSecretsPath.XXXXXXXX");
+      system("$path/append-initrd-secrets", $initrdSecretsPathTemp) == 0 or die "failed to create initrd secrets\n";
+      rename $initrdSecretsPathTemp, $initrdSecretsPath or die "failed to move initrd secrets into place\n";
+      umask $oldUmask;
+      $copied{$initrdSecretsPath} = 1;
     }
+
     my $xen = -e "$path/xen.gz" ? copyToKernelsDir(Cwd::abs_path("$path/xen.gz")) : undef;
 
     # FIXME: $confName
@@ -379,9 +386,6 @@ sub addEntry {
         if ($copyKernels == 0) {
             $conf .= $grubStore->search . "\n";
         }
-        if ($extraInitrd) {
-            $conf .= $extraInitrdPath->search . "\n";
-        }
         $conf .= "  $extraPerEntryConfig\n" if $extraPerEntryConfig;
         $conf .= "  multiboot $xen $xenParams\n" if $xen;
         $conf .= "  " . ($xen ? "module" : "linux") . " $kernel $kernelParams\n";