public
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

boot.initrd.luks.devices: Change into an attribute set 

This allows setting options for the same LUKS device in different
modules. For example, the auto-generated hardware-configuration.nix
can contain

  boot.initrd.luks.devices.crypted.device = "/dev/disk/...";

while configuration.nix can add

  boot.initrd.luks.devices.crypted.allowDiscards = true;

Also updated the examples/docs to use /disk/disk/by-uuid instead of
/dev/sda, since we shouldn't promote the use of the latter.
This commit is contained in:
Eelco Dolstra 2016-05-25 13:23:32 +02:00
parent bf2aaeb0f6
commit 845c9b50bf
4 changed files with 29 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
nixos/doc/manual/configuration/luks-file-systems.xml
View File

@ -9,21 +9,21 @@
<para>NixOS supports file systems that are encrypted using <para>NixOS supports file systems that are encrypted using
<emphasis>LUKS</emphasis> (Linux Unified Key Setup). For example, <emphasis>LUKS</emphasis> (Linux Unified Key Setup). For example,
here is how you create an encrypted Ext4 file system on the device here is how you create an encrypted Ext4 file system on the device
<filename>/dev/sda2</filename>: <filename>/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d</filename>:
<screen> <screen>
$ cryptsetup luksFormat /dev/sda2 $ cryptsetup luksFormat /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d
WARNING! WARNING!
======== ========
This will overwrite data on /dev/sda2 irrevocably. This will overwrite data on /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d irrevocably.
Are you sure? (Type uppercase yes): YES Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: *** Enter LUKS passphrase: ***
Verify passphrase: *** Verify passphrase: ***
$ cryptsetup luksOpen /dev/sda2 crypted $ cryptsetup luksOpen /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d crypted
Enter passphrase for /dev/sda2: *** Enter passphrase for /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d: ***
$ mkfs.ext4 /dev/mapper/crypted $ mkfs.ext4 /dev/mapper/crypted
</screen> </screen>
@ -33,7 +33,7 @@ as <filename>/</filename>, add the following to
<filename>configuration.nix</filename>: <filename>configuration.nix</filename>:
<programlisting> <programlisting>
boot.initrd.luks.devices = [ { device = "/dev/sda2"; name = "crypted"; } ]; boot.initrd.luks.devices.crypted.device = "/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d";
fileSystems."/".device = "/dev/mapper/crypted"; fileSystems."/".device = "/dev/mapper/crypted";
</programlisting> </programlisting>

42
nixos/modules/system/boot/luksroot.nix
View File

@ -5,7 +5,7 @@ with lib;
let let
luks = config.boot.initrd.luks; luks = config.boot.initrd.luks;
openCommand = { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: '' openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: assert name' == name; ''
# Wait for luksRoot to appear, e.g. if on a usb drive. # Wait for luksRoot to appear, e.g. if on a usb drive.
# XXX: copied and adapted from stage-1-init.sh - should be # XXX: copied and adapted from stage-1-init.sh - should be
# available as a function. # available as a function.
@ -192,9 +192,8 @@ let
''} ''}
''; '';
isPreLVM = f: f.preLVM; preLVM = filterAttrs (n: v: v.preLVM) luks.devices;
preLVM = filter isPreLVM luks.devices; postLVM = filterAttrs (n: v: !v.preLVM) luks.devices;
postLVM = filter (f: !(isPreLVM f)) luks.devices;
in in
{ {
@ -228,31 +227,31 @@ in
}; };
boot.initrd.luks.devices = mkOption { boot.initrd.luks.devices = mkOption {
default = [ ]; default = { };
example = literalExample ''[ { name = "luksroot"; device = "/dev/sda3"; preLVM = true; } ]''; example = { "luksroot".device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; };
description = '' description = ''
The list of devices that should be decrypted using LUKS before trying to mount the The encrypted disk that should be opened before the root
root partition. This works for both LVM-over-LUKS and LUKS-over-LVM setups. filesystem is mounted. Both LVM-over-LUKS and LUKS-over-LVM
setups are sypported. The unencrypted devices can be accessed as
The devices are decrypted to the device mapper names defined. <filename>/dev/mapper/<replaceable>name</replaceable></filename>.
Make sure that initrd has the crypto modules needed for decryption.
''; '';
type = types.listOf types.optionSet; type = types.loaOf types.optionSet;
options = { options = { name, ... }: { options = {
name = mkOption { name = mkOption {
visible = false;
default = name;
example = "luksroot"; example = "luksroot";
type = types.str; type = types.str;
description = "Named to be used for the generated device in /dev/mapper."; description = "Name of the unencrypted device in <filename>/dev/mapper</filename>.";
}; };
device = mkOption { device = mkOption {
example = "/dev/sda2"; example = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08";
type = types.str; type = types.str;
description = "Path of the underlying block device."; description = "Path of the underlying encrypted block device.";
}; };
header = mkOption { header = mkOption {
@ -289,6 +288,7 @@ in
''; '';
}; };
# FIXME: get rid of this option.
preLVM = mkOption { preLVM = mkOption {
default = true; default = true;
type = types.bool; type = types.bool;
@ -394,7 +394,7 @@ in
}; };
}; };
}; }; };
}; };
boot.initrd.luks.yubikeySupport = mkOption { boot.initrd.luks.yubikeySupport = mkOption {
@ -408,7 +408,7 @@ in
}; };
}; };
config = mkIf (luks.devices != []) { config = mkIf (luks.devices != {}) {
# actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested # actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested
boot.blacklistedKernelModules = optionals luks.mitigateDMAAttacks boot.blacklistedKernelModules = optionals luks.mitigateDMAAttacks
@ -463,8 +463,8 @@ in
''} ''}
''; '';
boot.initrd.preLVMCommands = concatMapStrings openCommand preLVM; boot.initrd.preLVMCommands = concatStrings (mapAttrsToList openCommand preLVM);
boot.initrd.postDeviceCommands = concatMapStrings openCommand postLVM; boot.initrd.postDeviceCommands = concatStrings (mapAttrsToList openCommand postLVM);
environment.systemPackages = [ pkgs.cryptsetup ]; environment.systemPackages = [ pkgs.cryptsetup ];
}; };

2
nixos/modules/virtualisation/qemu-vm.nix
View File

@ -465,7 +465,7 @@ in
}); });
swapDevices = mkVMOverride [ ]; swapDevices = mkVMOverride [ ];
boot.initrd.luks.devices = mkVMOverride []; boot.initrd.luks.devices = mkVMOverride {};
# Don't run ntpd in the guest. It should get the correct time from KVM. # Don't run ntpd in the guest. It should get the correct time from KVM.
services.ntp.enable = false; services.ntp.enable = false;

3
nixos/tests/installer.nix
View File

@ -363,8 +363,7 @@ in {
# XXX: Currently, generate-config doesn't detect LUKS yet. # XXX: Currently, generate-config doesn't detect LUKS yet.
extraConfig = '' extraConfig = ''
boot.kernelParams = lib.mkAfter [ "console=tty0" ]; boot.kernelParams = lib.mkAfter [ "console=tty0" ];
boot.initrd.luks.devices = lib.singleton { boot.initrd.luks.devices.cryptroot = {
name = "cryptroot";
device = "/dev/vda3"; device = "/dev/vda3";
preLVM = true; preLVM = true;
}; };