| 13 Apr 2022 |
@elvishjerricco:matrix.org | I was just about to start testing it out | 09:30:04 |
@janne.hess:helsinki-systems.de | diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index dde07571b3e..f6e99258f78 100644
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -474,6 +474,18 @@ let
preLVM = filterAttrs (n: v: v.preLVM) luks.devices;
postLVM = filterAttrs (n: v: !v.preLVM) luks.devices;
+ # TODO reuse passphrases
+ stage1Crypttab = pkgs.writeText "initrd-crypttab" (lib.traceValSeq (lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: let
+ opts = []
+ ++ optional v.allowDiscards "discard"
+ ++ optionals v.bypassWorkqueues [ "no-read-workqueue" "no-write-workqueue" ]
+ ++ optional (v.header != null) "header=${v.header}"
+ ++ optional (v.keyFileOffset != null) "keyfile-offset=${v.keyFileOffset}"
+ ++ optional (v.keyFileSize != null) "keyfile-size=${v.keyFileSize}"
+ ;
+ # TODO extra opts
+ in "${n} ${v.device} ${if v.keyFile == null then "-" else v.keyFile} ${lib.concatStringsSep "," opts}") luks.devices)));
+
in
{
imports = [
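Review bot: `keyfile-offset=${v.keyFileOffset}` and `keyfile-size=${v.keyFileSize}` interpolate options that this module declares with `types.int` (outside the hunk), and Nix does not coerce an integer inside `${…}`, so any configuration that sets either option fails to evaluate; use `"keyfile-offset=${toString v.keyFileOffset}"` and `"keyfile-size=${toString v.keyFileSize}"`. The `lib.traceValSeq` wrapper is a debugging leftover that prints every generated crypttab line, including device and key-file paths, to evaluation stderr on each build; drop it before this becomes a PR. The `# TODO extra opts` marker would be more useful if it named which per-device options the scripted stage 1 honours but this table does not, so a reader can see which settings are silently ignored under systemd stage 1.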
@@ -853,6 +865,33 @@ in
-> versionAtLeast kernelPackages.kernel.version "5.9";
message = "boot.initrd.luks.devices.<name>.bypassWorkqueues is not supported for kernels older than 5.9";
}
+
+ /* TODO
+ { assertion = any (dev: dev.fallbackToPassword) (attrValues luks.devices);
+ message = "boot.initrd.luks.devices.<name>.fallbackToPassword is implied by systemd stage 1";
+ }
+ { assertion = any (dev: !dev.preLVM) (attrValues luks.devices);
+ message = "boot.initrd.luks.devices.<name>.preLVM is not used by systemd stage 1";
+ }
+ { assertion = any (dev: dev.preOpenCommands != "" || dev.postOpenCommands != "") (attrValues luks.devices);
+ message = "boot.initrd.luks.devices.<name>.preOpenCommands and postOpenCommands is not supported by systemd stage 1. Please bind a service to cryptsetup.target or cryptsetup-pre.target instead";
+ }*/
+ # TODO
+ { assertion = config.boot.initrd.systemd.enable -> !luks.gpgSupport;
+ message = "systemd stage 1 does not support GPG smartcards";
+ }
+
+ # TODO
+ { assertion = config.boot.initrd.systemd.enable -> !luks.fido2Support;
+ message = "systemd stage 1 does not support FIDO2";
+ }
+
+ # TODO
+ { assertion = config.boot.initrd.systemd.enable -> !luks.yubikeySupport;
+ message = "systemd stage 1 does not support Yubikeys";
+ }
+
+ # TODO TPM2
];
# actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested
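Review bot: The three commented-out assertions at the top of this hunk read inverted: `any (dev: dev.fallbackToPassword)` is true exactly when some device uses the option, so the assertion would fail for configurations that do not use it, and none of the three is gated on `config.boot.initrd.systemd.enable` like the three live ones below. If they are kept, they should take the same shape as the GPG/FIDO2/Yubikey assertions, e.g. `{ assertion = config.boot.initrd.systemd.enable -> all (dev: dev.preOpenCommands == "" && dev.postOpenCommands == "") (attrValues luks.devices);`. That one matters most, because a device's pre/postOpenCommands are otherwise dropped silently and whatever they were supposed to do before or after unlocking never runs. For `fallbackToPassword` and `preLVM`, whose messages already say the option is implied or unused, a warning is a better fit than a hard evaluation failure.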
@@ -932,9 +971,24 @@ in
''}
'';
- boot.initrd.preFailCommands = postCommands;
- boot.initrd.preLVMCommands = commonFunctions + preCommands + concatStrings (mapAttrsToList openCommand preLVM) + postCommands;
- boot.initrd.postDeviceCommands = commonFunctions + preCommands + concatStrings (mapAttrsToList openCommand postLVM) + postCommands;
+ boot.initrd.systemd = {
+ contents."/etc/crypttab".source = stage1Crypttab;
+
+ extraBin.systemd-cryptsetup = "${config.boot.initrd.systemd.package}/lib/systemd/systemd-cryptsetup";
+
+ additionalUpstreamUnits = [
+ "cryptsetup-pre.target"
+ "cryptsetup.target"
+ "remote-cryptsetup.target"
+ ];
+ storePaths = [
+ "${config.boot.initrd.systemd.package}/lib/systemd/systemd-cryptsetup"
+ ];
+ };
+
+ boot.initrd.preFailCommands = mkIf (!config.boot.initrd.systemd.enable) postCommands;
+ boot.initrd.preLVMCommands = mkIf (!config.boot.initrd.systemd.enable) (commonFunctions + preCommands + concatStrings (mapAttrsToList openCommand preLVM) + postCommands);
+ boot.initrd.postDeviceCommands = mkIf (!config.boot.initrd.systemd.enable) (commonFunctions + preCommands + concatStrings (mapAttrsToList openCommand postLVM) + postCommands);
environment.systemPackages = [ pkgs.cryptsetup ];
};
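Review bot: `/etc/crypttab` is only consumed if `systemd-cryptsetup-generator` runs inside the initrd, and this hunk copies just the `systemd-cryptsetup` binary; unless the generator is already brought in elsewhere (not visible here), the table is never turned into per-device units and nothing is unlocked. Adding `"${config.boot.initrd.systemd.package}/lib/systemd/system-generators/systemd-cryptsetup-generator"` to `storePaths` would cover that (the chat above already notes the LVM/udev rules are still missing as well). The same `systemd-cryptsetup` path appears both under `extraBin` and under `storePaths`; if `extraBin` already closes over its store path, one of the two is redundant, and a one-line comment naming which consumer needs which would help the next reader. The `boot.initrd.systemd` set is assigned unconditionally while the three scripted-stage-1 hooks below it are wrapped in `mkIf (!config.boot.initrd.systemd.enable)`; wrapping it in `mkIf config.boot.initrd.systemd.enable` keeps the two code paths symmetric. The enclosing `config` attribute set starts outside the hunk.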
| 09:34:36 |
@janne.hess:helsinki-systems.de | this is what I have. The only thing left is that this doesn't enable LVM which is required for the udev rules | 09:34:51 |
@janne.hess:helsinki-systems.de | (the code quality is also why there is no PR yet 👀) | 09:35:37 |
Arian | hax | 09:35:51 |
@elvishjerricco:matrix.org | Also, I've figured out why networkd was waiting for local-fs.target. It has After=systemd-tmpfiles-setup.service | 09:39:41 |
@elvishjerricco:matrix.org | I'm not 100% sure if systemd-tmpfiles ought to be in initrd or not | 09:40:16 |
@janne.hess:helsinki-systems.de | I don't think it should | 09:40:36 |
@janne.hess:helsinki-systems.de | But that's just my opinion, not based on anything | 09:40:44 |
@elvishjerricco:matrix.org | Yea that's my gut feeling but I'm not confident in that | 09:41:00 |
@andi:kack.it | Why wouldn't you have tmpfiles in the initrd? I think we shouldn't try to disable stuff but rather stick with the defaults. Otherwise it'll be an uphill battle on any change from systemd side | 09:41:23 |
@elvishjerricco:matrix.org | andi-: There aren't defaults :P | 09:41:36 |
@elvishjerricco:matrix.org | The list of units we have in initrd right now was just copied from the unit files I saw in fedora's initrd | 09:41:53 |
@elvishjerricco:matrix.org | systemd doesn't really explain which ones ought to go in initrd | 09:42:06 |
@elvishjerricco:matrix.org | actually... I guess man bootup has a small section on systemd in initrd, and it has a graph of units | 09:43:17 |
@elvishjerricco:matrix.org | Maybe those are the only ones a distro is expected to include? | 09:43:24 |
@elvishjerricco:matrix.org | Hm, can't be. The graph doesn't include udev. | 09:46:30 |
@janne.hess:helsinki-systems.de |
The bootup process begins identical to the system manager bootup (see above) until it reaches basic.target.
| 09:47:30 |
@elvishjerricco:matrix.org | Oh | 09:47:42 |
@elvishjerricco:matrix.org | Now that would include tmpfiles, if we took that word as gospel | 09:48:25 |
Arian | Tmpfiles should definitely be in initrd | 10:00:18 |
Arian | Its used to create some device nodes before udev even starts | 10:00:31 |
Arian | Without it btrfs won't work | 10:00:40 |
@elvishjerricco:matrix.org | Arian: Isn't that systemd-tmpfiles-setup-dev.service, not systemd-tmpfiles-setup.service? | 10:00:56 |
Arian | Yes | 10:01:03 |
@elvishjerricco:matrix.org | I guess I only said tmp files though :P | 10:01:06 |
@janne.hess:helsinki-systems.de | In reply to @arianvp:matrix.org Without it btrfs won't work At least people are safe from data loss :P | 10:01:08 |
@elvishjerricco:matrix.org | should we keep the -dev one but not the regular one? | 10:01:29 |
@janne.hess:helsinki-systems.de | In reply to @elvishjerricco:matrix.org should we keep the -dev one but not the regular one? we can probably go with all of them since we need to copy the tmpfiles binary anyway | 10:01:48 |
@elvishjerricco:matrix.org | true | 10:02:04 |