suzanne.soy/nixpkgs
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases Wiki Activity

Merge pull request #85418 from lopsided98/grub-initrd-secrets

Browse Source
This commit is contained in:
Jörg Thalheim 2020-06-05 16:03:48 +01:00 committed by GitHub
commit 7048a817b2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 59 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
nixos/doc/manual/release-notes/rl-2009.xml
View File

@ -441,6 +441,20 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
recommended to only use lower-case characters. recommended to only use lower-case characters.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
The GRUB specific option <option>boot.loader.grub.extraInitrd</option>
has been replaced with the generic option
<option>boot.initrd.secrets</option>. This option creates a secondary
initrd from the specified files, rather than using a manually created
initrd file.
Due to an existing bug with <option>boot.loader.grub.extraInitrd</option>,
it is not possible to directly boot an older generation that used that
option. It is still possible to rollback to that generation if the required
initrd file has not been deleted.
</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>

35
nixos/modules/system/boot/loader/grub/grub.nix
View File

@ -60,7 +60,7 @@ let
inherit (efi) canTouchEfiVariables; inherit (efi) canTouchEfiVariables;
inherit (cfg) inherit (cfg)
version extraConfig extraPerEntryConfig extraEntries forceInstall useOSProber version extraConfig extraPerEntryConfig extraEntries forceInstall useOSProber
extraEntriesBeforeNixOS extraPrepareConfig extraInitrd configurationLimit copyKernels extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels
default fsIdentifier efiSupport efiInstallAsRemovable gfxmodeEfi gfxmodeBios gfxpayloadEfi gfxpayloadBios; default fsIdentifier efiSupport efiInstallAsRemovable gfxmodeEfi gfxmodeBios gfxpayloadEfi gfxpayloadBios;
path = with pkgs; makeBinPath ( path = with pkgs; makeBinPath (
[ coreutils gnused gnugrep findutils diffutils btrfs-progs utillinux mdadm ] [ coreutils gnused gnugrep findutils diffutils btrfs-progs utillinux mdadm ]
@ -292,19 +292,6 @@ in
''; '';
}; };
extraInitrd = mkOption {
type = types.nullOr types.path;
default = null;
example = "/boot/extra_initramfs.gz";
description = ''
The path to a second initramfs to be supplied to the kernel.
This ramfs will not be copied to the store, so that it can
contain secrets such as LUKS keyfiles or ssh keys.
This implies that rolling back to a previous configuration
won't rollback the state of this file.
'';
};
useOSProber = mkOption { useOSProber = mkOption {
default = false; default = false;
type = types.bool; type = types.bool;
@ -608,6 +595,8 @@ in
{ path = "/boot"; inherit (cfg) devices; inherit (efi) efiSysMountPoint; } { path = "/boot"; inherit (cfg) devices; inherit (efi) efiSysMountPoint; }
]; ];
boot.loader.supportsInitrdSecrets = true;
system.build.installBootLoader = system.build.installBootLoader =
let let
install-grub-pl = pkgs.substituteAll { install-grub-pl = pkgs.substituteAll {
@ -705,6 +694,24 @@ in
(mkRenamedOptionModule [ "boot" "grubDevice" ] [ "boot" "loader" "grub" "device" ]) (mkRenamedOptionModule [ "boot" "grubDevice" ] [ "boot" "loader" "grub" "device" ])
(mkRenamedOptionModule [ "boot" "bootMount" ] [ "boot" "loader" "grub" "bootDevice" ]) (mkRenamedOptionModule [ "boot" "bootMount" ] [ "boot" "loader" "grub" "bootDevice" ])
(mkRenamedOptionModule [ "boot" "grubSplashImage" ] [ "boot" "loader" "grub" "splashImage" ]) (mkRenamedOptionModule [ "boot" "grubSplashImage" ] [ "boot" "loader" "grub" "splashImage" ])
(mkRemovedOptionModule [ "boot" "loader" "grub" "extraInitrd" ] ''
This option has been replaced with the bootloader agnostic
boot.initrd.secrets option. To migrate to the initrd secrets system,
extract the extraInitrd archive into your main filesystem:
# zcat /boot/extra_initramfs.gz | cpio -idvmD /etc/secrets/initrd
/path/to/secret1
/path/to/secret2
then replace boot.loader.grub.extraInitrd with boot.initrd.secrets:
boot.initrd.secrets = {
"/path/to/secret1" = "/etc/secrets/initrd/path/to/secret1";
"/path/to/secret2" = "/etc/secrets/initrd/path/to/secret2";
};
See the boot.initrd.secrets option documentation for more information.
'')
]; ];
} }

36
nixos/modules/system/boot/loader/grub/install-grub.pl
View File

@ -49,7 +49,6 @@ my $extraPrepareConfig = get("extraPrepareConfig");
my $extraPerEntryConfig = get("extraPerEntryConfig"); my $extraPerEntryConfig = get("extraPerEntryConfig");
my $extraEntries = get("extraEntries"); my $extraEntries = get("extraEntries");
my $extraEntriesBeforeNixOS = get("extraEntriesBeforeNixOS") eq "true"; my $extraEntriesBeforeNixOS = get("extraEntriesBeforeNixOS") eq "true";
my $extraInitrd = get("extraInitrd");
my $splashImage = get("splashImage"); my $splashImage = get("splashImage");
my $splashMode = get("splashMode"); my $splashMode = get("splashMode");
my $backgroundColor = get("backgroundColor"); my $backgroundColor = get("backgroundColor");
@ -232,13 +231,6 @@ my $grubStore;
if ($copyKernels == 0) { if ($copyKernels == 0) {
$grubStore = GrubFs($storePath); $grubStore = GrubFs($storePath);
} }
my $extraInitrdPath;
if ($extraInitrd) {
if (! -f $extraInitrd) {
print STDERR "Warning: the specified extraInitrd " . $extraInitrd . " doesn't exist. Your system won't boot without it.\n";
}
$extraInitrdPath = GrubFs($extraInitrd);
}
# Generate the header. # Generate the header.
my $conf .= "# Automatically generated. DO NOT EDIT THIS FILE!\n"; my $conf .= "# Automatically generated. DO NOT EDIT THIS FILE!\n";
@ -363,9 +355,30 @@ sub addEntry {
my $kernel = copyToKernelsDir(Cwd::abs_path("$path/kernel")); my $kernel = copyToKernelsDir(Cwd::abs_path("$path/kernel"));
my $initrd = copyToKernelsDir(Cwd::abs_path("$path/initrd")); my $initrd = copyToKernelsDir(Cwd::abs_path("$path/initrd"));
if ($extraInitrd) {
$initrd .= " " .$extraInitrdPath->path; # Include second initrd with secrets
if (-e -x "$path/append-initrd-secrets") {
my $initrdName = basename($initrd);
my $initrdSecretsPath = "$bootPath/kernels/$initrdName-secrets";
mkpath(dirname($initrdSecretsPath), 0, 0755);
my $oldUmask = umask;
# Make sure initrd is not world readable (won't work if /boot is FAT)
umask 0137;
my $initrdSecretsPathTemp = File::Temp::mktemp("$initrdSecretsPath.XXXXXXXX");
system("$path/append-initrd-secrets", $initrdSecretsPathTemp) == 0 or die "failed to create initrd secrets\n";
# Check whether any secrets were actually added
if (-e $initrdSecretsPathTemp && ! -z _) {
rename $initrdSecretsPathTemp, $initrdSecretsPath or die "failed to move initrd secrets into place\n";
$copied{$initrdSecretsPath} = 1;
$initrd .= " " . ($grubBoot->path eq "/" ? "" : $grubBoot->path) . "/kernels/$initrdName-secrets";
} else {
unlink $initrdSecretsPathTemp;
rmdir dirname($initrdSecretsPathTemp);
}
umask $oldUmask;
} }
my $xen = -e "$path/xen.gz" ? copyToKernelsDir(Cwd::abs_path("$path/xen.gz")) : undef; my $xen = -e "$path/xen.gz" ? copyToKernelsDir(Cwd::abs_path("$path/xen.gz")) : undef;
# FIXME: $confName # FIXME: $confName
@ -388,9 +401,6 @@ sub addEntry {
if ($copyKernels == 0) { if ($copyKernels == 0) {
$conf .= $grubStore->search . "\n"; $conf .= $grubStore->search . "\n";
} }
if ($extraInitrd) {
$conf .= $extraInitrdPath->search . "\n";
}
$conf .= " $extraPerEntryConfig\n" if $extraPerEntryConfig; $conf .= " $extraPerEntryConfig\n" if $extraPerEntryConfig;
$conf .= " multiboot $xen $xenParams\n" if $xen; $conf .= " multiboot $xen $xenParams\n" if $xen;
$conf .= " " . ($xen ? "module" : "linux") . " $kernel $kernelParams\n"; $conf .= " " . ($xen ? "module" : "linux") . " $kernel $kernelParams\n";

3
nixos/modules/system/boot/stage-1.nix
View File

@ -517,8 +517,7 @@ in
}; };
boot.initrd.secrets = mkOption boot.initrd.secrets = mkOption
{ internal = true; { default = {};
default = {};
type = types.attrsOf (types.nullOr types.path); type = types.attrsOf (types.nullOr types.path);
description = description =
'' ''