lol

Merge pull request #29344 from Moredread/fix/fileystem-encrypted-keyfile-missing-initrd-support

nixos/fileystems: Fix boot fails with encrypted fs

authored by

Jörg Thalheim and committed by
GitHub
42be8dbe e17e22d4

+12 -1
+11 -1
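--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -235,6 +235,16 @@
 '';
 };
 
+boot.initrd.luks.forceLuksSupportInInitrd = mkOption {
+type = types.bool;
+default = false;
+internal = true;
+description = ''
+Whether to configure luks support in the initrd, when no luks
+devices are configured.
+'';
+};
+
 boot.initrd.luks.devices = mkOption {
 default = { };
 example = { "luksroot".device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; };
@@ -417,7 +427,7 @@
 };
 };
 
-config = mkIf (luks.devices != {}) {
+config = mkIf (luks.devices != {} || luks.forceLuksSupportInInitrd) {
 
 # actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested
 boot.blacklistedKernelModules = optionals luks.mitigateDMAAttacks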
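Review bot: The description of the new `boot.initrd.luks.forceLuksSupportInInitrd` option does not say who sets it or why, so the next maintainer cannot tell when it is safe to remove. Something like `Set by modules that unlock LUKS devices from the initrd themselves (e.g. with a key file after mount) and therefore need cryptsetup and the crypto modules even though boot.initrd.luks.devices is empty.` would record that. Separately, the widened guard `mkIf (luks.devices != {} || luks.forceLuksSupportInInitrd)` now evaluates the rest of the `config` body with an empty `luks.devices`. That body lies outside this hunk, so it is worth confirming that every per-device expression and assertion in it degrades to a no-op rather than emitting a partial unlock script.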
+1
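--- a/nixos/modules/tasks/encrypted-devices.nix
+++ b/nixos/modules/tasks/encrypted-devices.nix
@@ -61,6 +61,7 @@
 devices =
 map (dev: { name = dev.encrypted.label; device = dev.encrypted.blkDev; } ) keylessEncDevs;
 cryptoModules = [ "aes" "sha256" "sha1" "xts" ];
+forceLuksSupportInInitrd = true;
 };
 postMountCommands =
 concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n") keyedEncDevs;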
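Review bot: The added `forceLuksSupportInInitrd = true;` is unconditional and carries no comment tying it to the devices that need it. The flag is only required when `keyedEncDevs` is non-empty, since a non-empty `keylessEncDevs` already populates `devices`, so `forceLuksSupportInInitrd = keyedEncDevs != [];` would state the intent. It would also avoid pulling cryptsetup into the initrd if the enclosing attrset is not already gated on encrypted filesystems existing; that gate, if present, is outside this hunk. With this change the `cryptsetup luksOpen --key-file …` line in `postMountCommands` becomes the path that runs at boot for keyfile-only setups. Its `keyFile`, `blkDev` and `label` values are interpolated into the shell string unquoted, so wrapping each in `escapeShellArg` would be a sensible follow-up.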