Merge pull request #263033 from ElvishJerricco/systemd-stage-1-filesystems-encrypted

systemd-stage-1: Enable more encrypted installer tests

authored by

Ryan Lahfa and committed by
GitHub
de47b2e8 d59ba91d

+54 -22
+48 -16
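--- a/nixos/modules/tasks/encrypted-devices.nix
+++ b/nixos/modules/tasks/encrypted-devices.nix
@@ -5,8 +5,22 @@
 let
   fileSystems = config.system.build.fileSystems ++ config.swapDevices;
   encDevs = filter (dev: dev.encrypted.enable) fileSystems;
-  keyedEncDevs = filter (dev: dev.encrypted.keyFile != null) encDevs;
-  keylessEncDevs = filter (dev: dev.encrypted.keyFile == null) encDevs;
+
+  # With scripted initrd, devices with a keyFile have to be opened
+  # late, after file systems are mounted, because that could be where
+  # the keyFile is located. With systemd initrd, each individual
+  # systemd-cryptsetup@ unit has RequiresMountsFor= to delay until all
+  # the mount units for the key file are done; i.e. no special
+  # treatment is needed.
+  lateEncDevs =
+    if config.boot.initrd.systemd.enable
+    then { }
+    else filter (dev: dev.encrypted.keyFile != null) encDevs;
+  earlyEncDevs =
+    if config.boot.initrd.systemd.enable
+    then encDevs
+    else filter (dev: dev.encrypted.keyFile == null) encDevs;
+
   anyEncrypted =
     foldr (j: v: v || j.encrypted.enable) false encDevs;
 
@@ -39,11 +53,14 @@
         type = types.nullOr types.str;
         description = lib.mdDoc ''
           Path to a keyfile used to unlock the backing encrypted
-          device. At the time this keyfile is accessed, the
-          `neededForBoot` filesystems (see
-          `fileSystems.<name?>.neededForBoot`)
-          will have been mounted under `/mnt-root`,
-          so the keyfile path should usually start with "/mnt-root/".
+          device. When systemd stage 1 is not enabled, at the time
+          this keyfile is accessed, the `neededForBoot` filesystems
+          (see `utils.fsNeededForBoot`) will have been mounted under
+          `/mnt-root`, so the keyfile path should usually start with
+          "/mnt-root/". When systemd stage 1 is enabled,
+          `fsNeededForBoot` file systems will be mounted as needed
+          under `/sysroot`, and the keyfile will not be accessed until
+          its requisite mounts are done.
         '';
       };
     };
@@ -62,26 +79,41 @@
   };
 
   config = mkIf anyEncrypted {
-    assertions = map (dev: {
-      assertion = dev.encrypted.label != null;
-      message = ''
-        The filesystem for ${dev.mountPoint} has encrypted.enable set to true, but no encrypted.label set
-      '';
-    }) encDevs;
+    assertions = concatMap (dev: [
+      {
+        assertion = dev.encrypted.label != null;
+        message = ''
+          The filesystem for ${dev.mountPoint} has encrypted.enable set to true, but no encrypted.label set
+        '';
+      }
+      {
+        assertion =
+          config.boot.initrd.systemd.enable -> (
+            dev.encrypted.keyFile == null
+            || !lib.any (x: lib.hasPrefix x dev.encrypted.keyFile) ["/mnt-root" "$targetRoot"]
+          );
+        message = ''
+          Bad use of '/mnt-root' or '$targetRoot` in 'keyFile'.
+
+          When 'boot.initrd.systemd.enable' is enabled, file systems
+          are mounted at '/sysroot' instead of '/mnt-root'.
+        '';
+      }
+    ]) encDevs;
 
     boot.initrd = {
       luks = {
         devices =
           builtins.listToAttrs (map (dev: {
             name = dev.encrypted.label;
-            value = { device = dev.encrypted.blkDev; };
-          }) keylessEncDevs);
+            value = { device = dev.encrypted.blkDev; inherit (dev.encrypted) keyFile; };
+          }) earlyEncDevs);
         forceLuksSupportInInitrd = true;
       };
       postMountCommands =
         concatMapStrings (dev:
           "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n"
-        ) keyedEncDevs;
+        ) lateEncDevs;
     };
   };
 }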
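Review bot: The systemd branch of `lateEncDevs` in the first hunk evaluates to `{ }`, an attribute set, while the other branch and the consumer `concatMapStrings (dev: ...) lateEncDevs` under `postMountCommands` expect a list; the type-correct empty value is a list, `then [ ]`. This is presumably latent only because nothing in this change forces `postMountCommands` when systemd initrd is enabled, but any later evaluation of that option (for example a check that it is empty) would fail with a set-where-list-expected error rather than a useful message. Separately, the new assertion message in the third hunk closes `$targetRoot` with a backtick instead of the single quote used for `/mnt-root` and `keyFile` on the same line. As a point of style, `lib.any` and `lib.hasPrefix` are the only `lib.`-qualified calls next to unqualified `filter`, `foldr`, `concatMap` and `mkIf` in the same file; one convention should be used.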
+4 -4
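--- a/nixos/tests/installer-systemd-stage-1.nix
+++ b/nixos/tests/installer-systemd-stage-1.nix
@@ -12,11 +12,11 @@
     btrfsSubvolDefault
     btrfsSubvolEscape
     btrfsSubvols
-    # encryptedFSWithKeyfile
+    encryptedFSWithKeyfile
     # grub1
-    # luksroot
-    # luksroot-format1
-    # luksroot-format2
+    luksroot
+    luksroot-format1
+    luksroot-format2
     # lvm
     separateBoot
     separateBootFat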
+2 -2
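--- a/nixos/tests/installer.nix
+++ b/nixos/tests/installer.nix
@@ -515,7 +515,7 @@
       enableOCR = true;
       preBootCommands = ''
         machine.start()
-        machine.wait_for_text("Passphrase for")
+        machine.wait_for_text("[Pp]assphrase for")
         machine.send_chars("supersecret\n")
       '';
     };
@@ -781,7 +781,7 @@
           encrypted.enable = true;
           encrypted.blkDev = "/dev/vda3";
           encrypted.label = "crypt";
-          encrypted.keyFile = "/mnt-root/keyfile";
+          encrypted.keyFile = "/${if systemdStage1 then "sysroot" else "mnt-root"}/keyfile";
         };
       '';
     };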