From c3d5cfdc3ca709a9c5081b1a11bca533bc4788af Mon Sep 17 00:00:00 2001 From: Martin Wohlert Date: Mon, 22 May 2017 20:07:04 +0200 Subject: [PATCH] swap: extend randomEncryption to plainOpen and ability to select cipher --- nixos/modules/config/swap.nix | 42 ++++++++++++++++++++------- nixos/modules/system/boot/stage-1.nix | 2 +- 2 files changed, 32 insertions(+), 12 deletions(-) diff --git a/nixos/modules/config/swap.nix b/nixos/modules/config/swap.nix index 5d47b09ded9..769029e1b04 100644 --- a/nixos/modules/config/swap.nix +++ b/nixos/modules/config/swap.nix @@ -45,7 +45,7 @@ let ''; }; - randomEncryption = mkOption { + randomEncryption.enable = mkOption { default = false; type = types.bool; description = '' @@ -61,6 +61,26 @@ let ''; }; + randomEncryption.cipher = mkOption { + default = "aes-xts-plain64"; + example = "serpent-xts-plain64"; + type = types.str; + description = '' + Use specified cipher for randomEncryption. + + Hint: Run "cryptsetup benchmark" to see which one is fastest on your machine. + ''; + }; + + randomEncryption.source = mkOption { + default = "/dev/urandom"; + example = "/dev/random"; + type = types.str; + description = '' + Define the source of randomness to obtain a random key for encryption. + ''; + }; + deviceName = mkOption { type = types.str; internal = true; @@ -77,7 +97,7 @@ let device = mkIf options.label.isDefined "/dev/disk/by-label/${config.label}"; deviceName = lib.replaceChars ["\\"] [""] (escapeSystemdPath config.device); - realDevice = if config.randomEncryption then "/dev/mapper/${deviceName}" else config.device; + realDevice = if config.randomEncryption.enable then "/dev/mapper/${deviceName}" else config.device; }; }; @@ -125,14 +145,14 @@ in createSwapDevice = sw: assert sw.device != ""; - assert !(sw.randomEncryption && lib.hasPrefix "/dev/disk/by-uuid" sw.device); - assert !(sw.randomEncryption && lib.hasPrefix "/dev/disk/by-label" sw.device); + assert !(sw.randomEncryption.enable && lib.hasPrefix "/dev/disk/by-uuid" sw.device); + assert !(sw.randomEncryption.enable && lib.hasPrefix "/dev/disk/by-label" sw.device); let realDevice' = escapeSystemdPath sw.realDevice; in nameValuePair "mkswap-${sw.deviceName}" { description = "Initialisation of swap device ${sw.device}"; wantedBy = [ "${realDevice'}.swap" ]; before = [ "${realDevice'}.swap" ]; - path = [ pkgs.utillinux ] ++ optional sw.randomEncryption pkgs.cryptsetup; + path = [ pkgs.utillinux ] ++ optional sw.randomEncryption.enable pkgs.cryptsetup; script = '' @@ -145,11 +165,11 @@ in truncate --size "${toString sw.size}M" "${sw.device}" fi chmod 0600 ${sw.device} - ${optionalString (!sw.randomEncryption) "mkswap ${sw.realDevice}"} + ${optionalString (!sw.randomEncryption.enable) "mkswap ${sw.realDevice}"} fi ''} - ${optionalString sw.randomEncryption '' - cryptsetup open ${sw.device} ${sw.deviceName} --type plain --key-file /dev/urandom + ${optionalString sw.randomEncryption.enable '' + cryptsetup plainOpen -c ${sw.randomEncryption.cipher} -d ${sw.randomEncryption.source} ${sw.device} ${sw.deviceName} mkswap ${sw.realDevice} ''} ''; @@ -157,12 +177,12 @@ in unitConfig.RequiresMountsFor = [ "${dirOf sw.device}" ]; unitConfig.DefaultDependencies = false; # needed to prevent a cycle serviceConfig.Type = "oneshot"; - serviceConfig.RemainAfterExit = sw.randomEncryption; - serviceConfig.ExecStop = optionalString sw.randomEncryption "${pkgs.cryptsetup}/bin/cryptsetup luksClose ${sw.deviceName}"; + serviceConfig.RemainAfterExit = sw.randomEncryption.enable; + serviceConfig.ExecStop = optionalString sw.randomEncryption.enable "${pkgs.cryptsetup}/bin/cryptsetup luksClose ${sw.deviceName}"; restartIfChanged = false; }; - in listToAttrs (map createSwapDevice (filter (sw: sw.size != null || sw.randomEncryption) config.swapDevices)); + in listToAttrs (map createSwapDevice (filter (sw: sw.size != null || sw.randomEncryption.enable) config.swapDevices)); }; diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix index 02870878c0f..d6e3e3a87d0 100644 --- a/nixos/modules/system/boot/stage-1.nix +++ b/nixos/modules/system/boot/stage-1.nix @@ -207,7 +207,7 @@ let preLVMCommands preDeviceCommands postDeviceCommands postMountCommands preFailCommands kernelModules; resumeDevices = map (sd: if sd ? device then sd.device else "/dev/disk/by-label/${sd.label}") - (filter (sd: hasPrefix "/dev/" sd.device && !sd.randomEncryption + (filter (sd: hasPrefix "/dev/" sd.device && !sd.randomEncryption.enable # Don't include zram devices && !(hasPrefix "/dev/zram" sd.device) ) config.swapDevices);