pyrox.dev / nixpkgs
lol
fork atom

nixos/systemd-stage-1: Fix FIDO2 udev rules

Fixes #368856

Will Fancher fd8696a1 1944a966

options
unified split
Changed files
+34 -6
nixos
modules
module-list.nix
system
boot
systemd
fido2.nix
initrd.nix
pkgs
os-specific
linux
systemd
default.nix
+1
nixos/modules/module-list.nix 
···

       
1690

       
1690

       
 

       
  ./system/boot/systemd.nix


     

       
1691

       
1691

       
 

       
  ./system/boot/systemd/coredump.nix


     

       
1692

       
1692

       
 

       
  ./system/boot/systemd/dm-verity.nix


     

       

       
1693

       
+

       
  ./system/boot/systemd/fido2.nix


     

       
1693

       
1694

       
 

       
  ./system/boot/systemd/initrd-secrets.nix


     

       
1694

       
1695

       
 

       
  ./system/boot/systemd/initrd.nix


     

       
1695

       
1696

       
 

       
  ./system/boot/systemd/journald.nix
+32
nixos/modules/system/boot/systemd/fido2.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  lib,


     

       

       
3

       
+

       
  config,


     

       

       
4

       
+

       
  pkgs,


     

       

       
5

       
+

       
  ...


     

       

       
6

       
+

       
}:


     

       

       
7

       
+

       
let


     

       

       
8

       
+

       
  cfg = config.boot.initrd.systemd;


     

       

       
9

       
+

       
in


     

       

       
10

       
+

       
{


     

       

       
11

       
+

       
  options = {


     

       

       
12

       
+

       
    boot.initrd.systemd.fido2.enable = lib.mkEnableOption "systemd FIDO2 support" // {


     

       

       
13

       
+

       
      default = cfg.package.withFido2;


     

       

       
14

       
+

       
      defaultText = lib.literalExpression "config.boot.initrd.systemd.package.withFido2";


     

       

       
15

       
+

       
    };


     

       

       
16

       
+

       
  };


     

       

       
17

       
+

       



     

       

       
18

       
+

       
  config = lib.mkIf cfg.fido2.enable {


     

       

       
19

       
+

       
    boot.initrd.services.udev.packages = [


     

       

       
20

       
+

       
      # TODO: Add a better way to include upstream rules files.


     

       

       
21

       
+

       
      (pkgs.runCommand "udev-fido2" { } ''


     

       

       
22

       
+

       
        mkdir -p $out/lib/udev/rules.d/


     

       

       
23

       
+

       
        cp ${cfg.package}/lib/udev/rules.d/60-fido-id.rules $out/lib/udev/rules.d/60-fido-id.rules


     

       

       
24

       
+

       
      '')


     

       

       
25

       
+

       
    ];


     

       

       
26

       
+

       
    boot.initrd.systemd.storePaths = [


     

       

       
27

       
+

       
      "${pkgs.systemd}/lib/udev/fido_id"


     

       

       
28

       
+

       
      "${cfg.package}/lib/cryptsetup/libcryptsetup-token-systemd-fido2.so"


     

       

       
29

       
+

       
      "${pkgs.libfido2}/lib/libfido2.so.1"


     

       

       
30

       
+

       
    ];


     

       

       
31

       
+

       
  };


     

       

       
32

       
+

       
}
-5
nixos/modules/system/boot/systemd/initrd.nix 
···

       
547

       
547

       
 

       
          # Resolving sysroot symlinks without code exec


     

       
548

       
548

       
 

       
          "${pkgs.chroot-realpath}/bin/chroot-realpath"


     

       
549

       
549

       
 

       
        ]


     

       
550

       

       
-

       
        ++ optionals cfg.package.withCryptsetup [


     

       
551

       

       
-

       
          # fido2 support


     

       
552

       

       
-

       
          "${cfg.package}/lib/cryptsetup/libcryptsetup-token-systemd-fido2.so"


     

       
553

       

       
-

       
          "${pkgs.libfido2}/lib/libfido2.so.1"


     

       
554

       

       
-

       
        ]


     

       
555

       
550

       
 

       
        ++ jobScripts


     

       
556

       
551

       
 

       
        ++ map (c: builtins.removeAttrs c [ "text" ]) (builtins.attrValues cfg.contents);


     

       
557

       
552
+1 -1
pkgs/os-specific/linux/systemd/default.nix 
···

       
778

       
778

       
 

       
    # needed - and therefore `interfaceVersion` should be incremented.


     

       
779

       
779

       
 

       
    interfaceVersion = 2;


     

       
780

       
780

       
 

       



     

       
781

       

       
-

       
    inherit withBootloader withCryptsetup withEfi withHostnamed withImportd withKmod


     

       

       
781

       
+

       
    inherit withBootloader withCryptsetup withEfi withFido2 withHostnamed withImportd withKmod


     

       
782

       
782

       
 

       
      withLocaled withMachined withPortabled withTimedated withTpm2Tss withUtmp


     

       
783

       
783

       
 

       
      util-linux kmod kbd;


     

       
784

       
784