pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #29344 from Moredread/fix/fileystem-encrypted-keyfile-missing-initrd-support

nixos/fileystems: Fix boot fails with encrypted fs

Jörg Thalheim 42be8dbe e17e22d4

options
unified split
Changed files
+12 -1
nixos
modules
system
boot
luksroot.nix
tasks
encrypted-devices.nix
+11 -1
nixos/modules/system/boot/luksroot.nix 
···

       
235

       
235

       
 

       
      '';


     

       
236

       
236

       
 

       
    };


     

       
237

       
237

       
 

       



     

       

       
238

       
+

       
    boot.initrd.luks.forceLuksSupportInInitrd = mkOption {


     

       

       
239

       
+

       
      type = types.bool;


     

       

       
240

       
+

       
      default = false;


     

       

       
241

       
+

       
      internal = true;


     

       

       
242

       
+

       
      description = ''


     

       

       
243

       
+

       
        Whether to configure luks support in the initrd, when no luks


     

       

       
244

       
+

       
        devices are configured.


     

       

       
245

       
+

       
      '';


     

       

       
246

       
+

       
    };


     

       

       
247

       
+

       



     

       
238

       
248

       
 

       
    boot.initrd.luks.devices = mkOption {


     

       
239

       
249

       
 

       
      default = { };


     

       
240

       
250

       
 

       
      example = { "luksroot".device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; };


     
···

       
417

       
427

       
 

       
    };


     

       
418

       
428

       
 

       
  };


     

       
419

       
429

       
 

       



     

       
420

       

       
-

       
  config = mkIf (luks.devices != {}) {


     

       

       
430

       
+

       
  config = mkIf (luks.devices != {} || luks.forceLuksSupportInInitrd) {


     

       
421

       
431

       
 

       



     

       
422

       
432

       
 

       
    # actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested


     

       
423

       
433

       
 

       
    boot.blacklistedKernelModules = optionals luks.mitigateDMAAttacks
+1
nixos/modules/tasks/encrypted-devices.nix 
···

       
61

       
61

       
 

       
        devices =


     

       
62

       
62

       
 

       
          map (dev: { name = dev.encrypted.label; device = dev.encrypted.blkDev; } ) keylessEncDevs;


     

       
63

       
63

       
 

       
        cryptoModules = [ "aes" "sha256" "sha1" "xts" ];


     

       

       
64

       
+

       
        forceLuksSupportInInitrd = true;


     

       
64

       
65

       
 

       
      };


     

       
65

       
66

       
 

       
      postMountCommands =


     

       
66

       
67

       
 

       
        concatMapStrings (dev: "cryptsetup luksOpen --key-file ${dev.encrypted.keyFile} ${dev.encrypted.blkDev} ${dev.encrypted.label};\n") keyedEncDevs;