From 601fc20248d7c1b4cd3c33209fbc419af8ae0c04 Mon Sep 17 00:00:00 2001 From: Symphorien Gibol Date: Mon, 23 Oct 2017 22:22:26 +0200 Subject: [PATCH] nixos/luksroot.nix: add option boot.initrd.luks.devices..fallback This option, if set to true, enables fallbacking to an interactive passphrase prompt when the specified keyFile is not found. The default is false, which is compatible with previous behavior and doesn't prevent unattended boot. --- nixos/modules/system/boot/luksroot.nix | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index 19ca2a2c1bd..a5581b2bdc4 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix @@ -5,7 +5,7 @@ with lib; let luks = config.boot.initrd.luks; - openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: assert name' == name; '' + openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, fallback, ... }: assert name' == name; '' # Wait for a target (e.g. device, keyFile, header, ...) to appear. wait_target() { @@ -45,13 +45,15 @@ let ${optionalString (header != null) "--header=${header}"} \ > /.luksopen_args ${optionalString (keyFile != null) '' - if [ -e ${keyFile} ]; then + ${optionalString fallback "if [ -e ${keyFile} ]; then"} echo " --key-file=${keyFile} ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"}" \ >> /.luksopen_args + ${optionalString fallback '' else echo "keyfile ${keyFile} not found -- fallback to interactive unlocking" fi ''} + ''} cryptsetup-askpass rm /.luksopen_args } @@ -330,6 +332,16 @@ in ''; }; + fallback = mkOption { + default = false; + type = types.bool; + description = '' + Whether to fallback to interactive passphrase prompt if the keyfile + cannot be found. This will prevent unattended boot should the keyfile + go missing. + ''; + }; + yubikey = mkOption { default = null; description = ''