pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #38263 from lopsided98/grub-initrd-secrets

grub: support initrd secrets

authored by Joachim F and committed by GitHub c06d7950 4c25fbe3

+31 -28
unified split
+9
nixos/doc/manual/release-notes/rl-1809.xml
··· 121 <literal>gnucash24</literal>. 122 </para> 123 </listitem> 124 </itemizedlist> 125 </section> 126
··· 121 <literal>gnucash24</literal>. 122 </para> 123 </listitem> 124 + <listitem> 125 + <para> 126 + The GRUB specific option <option>boot.loader.grub.extraInitrd</option> 127 + has been replaced with the generic option 128 + <option>boot.initrd.secrets</option>. This option creates a secondary 129 + initrd from the specified files, rather than using a manually created 130 + initrd file. 131 + </para> 132 + </listitem> 133 </itemizedlist> 134 </section> 135
+5 -15
nixos/modules/system/boot/loader/grub/grub.nix
··· 35 let 36 efiSysMountPoint = if args.efiSysMountPoint == null then args.path else args.efiSysMountPoint; 37 efiSysMountPoint' = replaceChars [ "/" ] [ "-" ] efiSysMountPoint; 38 in 39 pkgs.writeText "grub-config.xml" (builtins.toXML 40 { splashImage = f cfg.splashImage; ··· 49 storePath = config.boot.loader.grub.storePath; 50 bootloaderId = if args.efiBootloaderId == null then "NixOS${efiSysMountPoint'}" else args.efiBootloaderId; 51 timeout = if config.boot.loader.timeout == null then -1 else config.boot.loader.timeout; 52 - inherit efiSysMountPoint; 53 inherit (args) devices; 54 inherit (efi) canTouchEfiVariables; 55 inherit (cfg) 56 version extraConfig extraPerEntryConfig extraEntries forceInstall useOSProber 57 - extraEntriesBeforeNixOS extraPrepareConfig extraInitrd configurationLimit copyKernels 58 default fsIdentifier efiSupport efiInstallAsRemovable gfxmodeEfi gfxmodeBios; 59 path = (makeBinPath ([ 60 pkgs.coreutils pkgs.gnused pkgs.gnugrep pkgs.findutils pkgs.diffutils pkgs.btrfs-progs ··· 284 ''; 285 }; 286 287 - extraInitrd = mkOption { 288 - type = types.nullOr types.path; 289 - default = null; 290 - example = "/boot/extra_initramfs.gz"; 291 - description = '' 292 - The path to a second initramfs to be supplied to the kernel. 293 - This ramfs will not be copied to the store, so that it can 294 - contain secrets such as LUKS keyfiles or ssh keys. 295 - This implies that rolling back to a previous configuration 296 - won't rollback the state of this file. 297 - ''; 298 - }; 299 - 300 useOSProber = mkOption { 301 default = false; 302 type = types.bool; ··· 540 boot.loader.grub.mirroredBoots = optionals (cfg.devices != [ ]) [ 541 { path = "/boot"; inherit (cfg) devices; inherit (efi) efiSysMountPoint; } 542 ]; 543 544 system.build.installBootLoader = 545 let
··· 35 let 36 efiSysMountPoint = if args.efiSysMountPoint == null then args.path else args.efiSysMountPoint; 37 efiSysMountPoint' = replaceChars [ "/" ] [ "-" ] efiSysMountPoint; 38 + initrdSecrets = config.boot.initrd.secrets != {}; 39 in 40 pkgs.writeText "grub-config.xml" (builtins.toXML 41 { splashImage = f cfg.splashImage; ··· 50 storePath = config.boot.loader.grub.storePath; 51 bootloaderId = if args.efiBootloaderId == null then "NixOS${efiSysMountPoint'}" else args.efiBootloaderId; 52 timeout = if config.boot.loader.timeout == null then -1 else config.boot.loader.timeout; 53 + inherit efiSysMountPoint initrdSecrets; 54 inherit (args) devices; 55 inherit (efi) canTouchEfiVariables; 56 inherit (cfg) 57 version extraConfig extraPerEntryConfig extraEntries forceInstall useOSProber 58 + extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels 59 default fsIdentifier efiSupport efiInstallAsRemovable gfxmodeEfi gfxmodeBios; 60 path = (makeBinPath ([ 61 pkgs.coreutils pkgs.gnused pkgs.gnugrep pkgs.findutils pkgs.diffutils pkgs.btrfs-progs ··· 285 ''; 286 }; 287 288 useOSProber = mkOption { 289 default = false; 290 type = types.bool; ··· 528 boot.loader.grub.mirroredBoots = optionals (cfg.devices != [ ]) [ 529 { path = "/boot"; inherit (cfg) devices; inherit (efi) efiSysMountPoint; } 530 ]; 531 + 532 + boot.loader.supportsInitrdSecrets = true; 533 534 system.build.installBootLoader = 535 let
+17 -13
nixos/modules/system/boot/loader/grub/install-grub.pl
··· 49 my $extraPerEntryConfig = get("extraPerEntryConfig"); 50 my $extraEntries = get("extraEntries"); 51 my $extraEntriesBeforeNixOS = get("extraEntriesBeforeNixOS") eq "true"; 52 - my $extraInitrd = get("extraInitrd"); 53 my $splashImage = get("splashImage"); 54 my $configurationLimit = int(get("configurationLimit")); 55 my $copyKernels = get("copyKernels") eq "true"; ··· 228 if ($copyKernels == 0) { 229 $grubStore = GrubFs($storePath); 230 } 231 - my $extraInitrdPath; 232 - if ($extraInitrd) { 233 - if (! -f $extraInitrd) { 234 - print STDERR "Warning: the specified extraInitrd " . $extraInitrd . " doesn't exist. Your system won't boot without it.\n"; 235 - } 236 - $extraInitrdPath = GrubFs($extraInitrd); 237 - } 238 239 # Generate the header. 240 my $conf .= "# Automatically generated. DO NOT EDIT THIS FILE!\n"; ··· 354 355 my $kernel = copyToKernelsDir(Cwd::abs_path("$path/kernel")); 356 my $initrd = copyToKernelsDir(Cwd::abs_path("$path/initrd")); 357 - if ($extraInitrd) { 358 - $initrd .= " " .$extraInitrdPath->path; 359 } 360 my $xen = -e "$path/xen.gz" ? copyToKernelsDir(Cwd::abs_path("$path/xen.gz")) : undef; 361 362 # FIXME: $confName ··· 378 $conf .= $grubBoot->search . "\n"; 379 if ($copyKernels == 0) { 380 $conf .= $grubStore->search . "\n"; 381 - } 382 - if ($extraInitrd) { 383 - $conf .= $extraInitrdPath->search . "\n"; 384 } 385 $conf .= " $extraPerEntryConfig\n" if $extraPerEntryConfig; 386 $conf .= " multiboot $xen $xenParams\n" if $xen;
··· 49 my $extraPerEntryConfig = get("extraPerEntryConfig"); 50 my $extraEntries = get("extraEntries"); 51 my $extraEntriesBeforeNixOS = get("extraEntriesBeforeNixOS") eq "true"; 52 + my $initrdSecrets = get("initrdSecrets"); 53 my $splashImage = get("splashImage"); 54 my $configurationLimit = int(get("configurationLimit")); 55 my $copyKernels = get("copyKernels") eq "true"; ··· 228 if ($copyKernels == 0) { 229 $grubStore = GrubFs($storePath); 230 } 231 232 # Generate the header. 233 my $conf .= "# Automatically generated. DO NOT EDIT THIS FILE!\n"; ··· 347 348 my $kernel = copyToKernelsDir(Cwd::abs_path("$path/kernel")); 349 my $initrd = copyToKernelsDir(Cwd::abs_path("$path/initrd")); 350 + 351 + # Include second initrd with secrets 352 + if ($initrdSecrets) { 353 + # Get last element of path 354 + $initrd =~ /\/([^\/]+)$/; 355 + my $initrdSecretsPath = "$bootPath/kernels/$1-secrets"; 356 + $initrd .= " $initrd-secrets"; 357 + my $oldUmask = umask; 358 + # Make sure initrd is not world readable (won't work if /boot is FAT) 359 + umask 0137; 360 + my $initrdSecretsPathTemp = File::Temp::mktemp("$initrdSecretsPath.XXXXXXXX"); 361 + system("$path/append-initrd-secrets", $initrdSecretsPathTemp) == 0 or die "failed to create initrd secrets\n"; 362 + rename $initrdSecretsPathTemp, $initrdSecretsPath or die "failed to move initrd secrets into place\n"; 363 + umask $oldUmask; 364 + $copied{$initrdSecretsPath} = 1; 365 } 366 + 367 my $xen = -e "$path/xen.gz" ? copyToKernelsDir(Cwd::abs_path("$path/xen.gz")) : undef; 368 369 # FIXME: $confName ··· 385 $conf .= $grubBoot->search . "\n"; 386 if ($copyKernels == 0) { 387 $conf .= $grubStore->search . "\n"; 388 } 389 $conf .= " $extraPerEntryConfig\n" if $extraPerEntryConfig; 390 $conf .= " multiboot $xen $xenParams\n" if $xen;