pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #209156 from pwaller/issue-114594

nixos/grub: Name initrd-secrets by system, not by initrd

Guillaume Girol db901673 f71d96a5

options
unified split
Changed files
+81 -6
nixos
modules
system
boot
loader
grub
install-grub.pl
virtualisation
qemu-vm.nix
tests
all-tests.nix
initrd-secrets-changing.nix
+4 -3
nixos/modules/system/boot/loader/grub/install-grub.pl 
···

       
450

       
450

       
 

       



     

       
451

       
451

       
 

       
    # Include second initrd with secrets


     

       
452

       
452

       
 

       
    if (-e -x "$path/append-initrd-secrets") {


     

       
453

       

       
-

       
        my $initrdName = basename($initrd);


     

       
454

       

       
-

       
        my $initrdSecretsPath = "$bootPath/kernels/$initrdName-secrets";


     

       

       
453

       
+

       
        # Name the initrd secrets after the system from which they're derived.


     

       

       
454

       
+

       
        my $systemName = basename(Cwd::abs_path("$path"));


     

       

       
455

       
+

       
        my $initrdSecretsPath = "$bootPath/kernels/$systemName-secrets";


     

       
455

       
456

       
 

       



     

       
456

       
457

       
 

       
        mkpath(dirname($initrdSecretsPath), 0, 0755);


     

       
457

       
458

       
 

       
        my $oldUmask = umask;


     
···

       
470

       
471

       
 

       
        if (-e $initrdSecretsPathTemp && ! -z _) {


     

       
471

       
472

       
 

       
            rename $initrdSecretsPathTemp, $initrdSecretsPath or die "failed to move initrd secrets into place: $!\n";


     

       
472

       
473

       
 

       
            $copied{$initrdSecretsPath} = 1;


     

       
473

       

       
-

       
            $initrd .= " " . ($grubBoot->path eq "/" ? "" : $grubBoot->path) . "/kernels/$initrdName-secrets";


     

       

       
474

       
+

       
            $initrd .= " " . ($grubBoot->path eq "/" ? "" : $grubBoot->path) . "/kernels/$systemName-secrets";


     

       
474

       
475

       
 

       
        } else {


     

       
475

       
476

       
 

       
            unlink $initrdSecretsPathTemp;


     

       
476

       
477

       
 

       
            rmdir dirname($initrdSecretsPathTemp);
+18 -3
nixos/modules/virtualisation/qemu-vm.nix 
···

       
152

       
152

       
 

       



     

       
153

       
153

       
 

       
      ${lib.optionalString cfg.useBootLoader


     

       
154

       
154

       
 

       
      ''


     

       
155

       

       
-

       
        # Create a writable copy/snapshot of the boot disk.


     

       
156

       

       
-

       
        # A writable boot disk can be booted from automatically.


     

       
157

       

       
-

       
        ${qemu}/bin/qemu-img create -f qcow2 -F qcow2 -b ${bootDisk}/disk.img "$TMPDIR/disk.img"


     

       

       
155

       
+

       
        if ${if !cfg.persistBootDevice then "true" else "! test -e $TMPDIR/disk.img"}; then


     

       

       
156

       
+

       
          # Create a writable copy/snapshot of the boot disk.


     

       

       
157

       
+

       
          # A writable boot disk can be booted from automatically.


     

       

       
158

       
+

       
          ${qemu}/bin/qemu-img create -f qcow2 -F qcow2 -b ${bootDisk}/disk.img "$TMPDIR/disk.img"


     

       

       
159

       
+

       
        fi


     

       
158

       
160

       
 

       



     

       
159

       
161

       
 

       
        NIX_EFI_VARS=$(readlink -f "''${NIX_EFI_VARS:-${cfg.efiVars}}")


     

       
160

       
162

       
 

       



     
···

       
368

       
370

       
 

       
          lib.mdDoc ''


     

       
369

       
371

       
 

       
            The disk to be used for the root filesystem.


     

       
370

       
372

       
 

       
          '';


     

       

       
373

       
+

       
      };


     

       

       
374

       
+

       



     

       

       
375

       
+

       
    virtualisation.persistBootDevice =


     

       

       
376

       
+

       
      mkOption {


     

       

       
377

       
+

       
        type = types.bool;


     

       

       
378

       
+

       
        default = false;


     

       

       
379

       
+

       
        description =


     

       

       
380

       
+

       
          lib.mdDoc ''


     

       

       
381

       
+

       
            If useBootLoader is specified, whether to recreate the boot device


     

       

       
382

       
+

       
            on each instantiaton or allow it to persist.


     

       

       
383

       
+

       
            '';


     

       
371

       
384

       
 

       
      };


     

       
372

       
385

       
 

       



     

       
373

       
386

       
 

       
    virtualisation.emptyDiskImages =


     
···

       
853

       
866

       
 

       
    # * The disks are attached in `virtualisation.qemu.drives`.


     

       
854

       
867

       
 

       
    #   Their order makes them appear as devices `a`, `b`, etc.


     

       
855

       
868

       
 

       
    # * `fileSystems."/boot"` is adjusted to be on device `b`.


     

       

       
869

       
+

       
    # * The disk.img is recreated each time the VM is booted unless


     

       

       
870

       
+

       
    #   virtualisation.persistBootDevice is set.


     

       
856

       
871

       
 

       



     

       
857

       
872

       
 

       
    # If `useBootLoader`, GRUB goes to the second disk, see


     

       
858

       
873

       
 

       
    # note [Disk layout with `useBootLoader`].
+1
nixos/tests/all-tests.nix 
···

       
311

       
311

       
 

       
  initrd-network-ssh = handleTest ./initrd-network-ssh {};


     

       
312

       
312

       
 

       
  initrdNetwork = handleTest ./initrd-network.nix {};


     

       
313

       
313

       
 

       
  initrd-secrets = handleTest ./initrd-secrets.nix {};


     

       

       
314

       
+

       
  initrd-secrets-changing = handleTest ./initrd-secrets-changing.nix {};


     

       
314

       
315

       
 

       
  input-remapper = handleTest ./input-remapper.nix {};


     

       
315

       
316

       
 

       
  inspircd = handleTest ./inspircd.nix {};


     

       
316

       
317

       
 

       
  installer = handleTest ./installer.nix {};
+58
nixos/tests/initrd-secrets-changing.nix 
···

       

       
1

       
+

       
{ system ? builtins.currentSystem


     

       

       
2

       
+

       
, config ? {}


     

       

       
3

       
+

       
, pkgs ? import ../.. { inherit system config; }


     

       

       
4

       
+

       
, lib ? pkgs.lib


     

       

       
5

       
+

       
, testing ? import ../lib/testing-python.nix { inherit system pkgs; }


     

       

       
6

       
+

       
}:


     

       

       
7

       
+

       



     

       

       
8

       
+

       
let


     

       

       
9

       
+

       
  secret1InStore = pkgs.writeText "topsecret" "iamasecret1";


     

       

       
10

       
+

       
  secret2InStore = pkgs.writeText "topsecret" "iamasecret2";


     

       

       
11

       
+

       
in


     

       

       
12

       
+

       



     

       

       
13

       
+

       
testing.makeTest {


     

       

       
14

       
+

       
  name = "initrd-secrets-changing";


     

       

       
15

       
+

       



     

       

       
16

       
+

       
  nodes.machine = { ... }: {


     

       

       
17

       
+

       
    virtualisation.useBootLoader = true;


     

       

       
18

       
+

       
    virtualisation.persistBootDevice = true;


     

       

       
19

       
+

       



     

       

       
20

       
+

       
    boot.loader.grub.device = "/dev/vda";


     

       

       
21

       
+

       



     

       

       
22

       
+

       
    boot.initrd.secrets = {


     

       

       
23

       
+

       
      "/test" = secret1InStore;


     

       

       
24

       
+

       
      "/run/keys/test" = secret1InStore;


     

       

       
25

       
+

       
    };


     

       

       
26

       
+

       
    boot.initrd.postMountCommands = "cp /test /mnt-root/secret-from-initramfs";


     

       

       
27

       
+

       



     

       

       
28

       
+

       
    specialisation.secrets2System.configuration = {


     

       

       
29

       
+

       
      boot.initrd.secrets = lib.mkForce {


     

       

       
30

       
+

       
        "/test" = secret2InStore;


     

       

       
31

       
+

       
        "/run/keys/test" = secret2InStore;


     

       

       
32

       
+

       
      };


     

       

       
33

       
+

       
    };


     

       

       
34

       
+

       
  };


     

       

       
35

       
+

       



     

       

       
36

       
+

       
  testScript = ''


     

       

       
37

       
+

       
    start_all()


     

       

       
38

       
+

       



     

       

       
39

       
+

       
    machine.wait_for_unit("multi-user.target")


     

       

       
40

       
+

       
    print(machine.succeed("cat /run/keys/test"))


     

       

       
41

       
+

       
    machine.succeed(


     

       

       
42

       
+

       
        "cmp ${secret1InStore} /secret-from-initramfs",


     

       

       
43

       
+

       
        "cmp ${secret1InStore} /run/keys/test",


     

       

       
44

       
+

       
    )


     

       

       
45

       
+

       
    # Select the second boot entry corresponding to the specialisation secrets2System.


     

       

       
46

       
+

       
    machine.succeed("grub-reboot 1")


     

       

       
47

       
+

       
    machine.shutdown()


     

       

       
48

       
+

       



     

       

       
49

       
+

       
    with subtest("Check that the specialisation's secrets are distinct despite identical kernels"):


     

       

       
50

       
+

       
        machine.wait_for_unit("multi-user.target")


     

       

       
51

       
+

       
        print(machine.succeed("cat /run/keys/test"))


     

       

       
52

       
+

       
        machine.succeed(


     

       

       
53

       
+

       
            "cmp ${secret2InStore} /secret-from-initramfs",


     

       

       
54

       
+

       
            "cmp ${secret2InStore} /run/keys/test",


     

       

       
55

       
+

       
        )


     

       

       
56

       
+

       
        machine.shutdown()


     

       

       
57

       
+

       
  '';


     

       

       
58

       
+

       
}