-
-
Notifications
You must be signed in to change notification settings - Fork 12.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/stage1: copy initrd secrets into place after special mounts #129449
nixos/stage1: copy initrd secrets into place after special mounts #129449
Conversation
4ffbf45
to
5e9de99
Compare
Thanks for the review! I responded to your suggestion re: |
5e9de99
to
142c6a4
Compare
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
142c6a4
to
b1bc6cc
Compare
Since /run/keys is a ramfs, it is not paged out and a good place to copy secrets to. Test whether secrets with a path in /run/keys exist after initrd.
b1bc6cc
to
442dc55
Compare
This modifies initialRamdiskSecretAppender to stage secrets in /.initrd-secrets/ and stage-1-init to copy them into place after mounting special file systems. This allows secrets to be copied into ramfs mounts like /run/keys for use after stage-1 finishes without copying them to disk (which would not be very secure).
442dc55
to
30b97d7
Compare
cc: @Mic92 - you reviewed one of my PRs a few years back, would you mind taking a look at this small one? |
How would that approach be secure in any way? Your initrd is usually unencrypted and so are the secrets inside. Since your secrets are already in your unencrypted initrd in your unencrypted /boot, why not store them in your regular filesystem as well? |
@dasJ: Thank you for the review! This PR doesn't change how secrets are stored or where. It is only modifying them in a way to permit the system configuration to keep a copy on one of the special file systems after the initrd is done (to have, for example a clean contract between initrd and runtime where needed secrets are available in |
# Secrets are named by their full destination pathname and stored | ||
# under /.initrd-secrets/ | ||
# | ||
for secret in $(cd "/.initrd-secrets"; find . -type f); do |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
for secret in $(cd "/.initrd-secrets"; find . -type f); do | |
for secret in $(find /.initrd-secrets -not -type d); do |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hello! @SuperSandro2000 suggested the same thing here, but that changes the output and paths assigned to secret
(they would have /.initrd-secrets/
still prepended vs. being the full path specified as the attribute name to boot.initrd.secrets
). I chose this approach rather than having to strip the first path component inside the loop, which would be less precise. In addition, -not -type d
is not equivalent to explicitly including files (-type f
), it could include links, sockets, device nodes, etc.
I tried to explain the above in the comment preceding the loop, but if it's still not clear to reviewers, I should try to clarify more.
I still don't see any point in having "secrets" that are in the plain initrd but there's really also no reason we shouldn't allow for this if this is functionality people want to have |
Thank you for the merge! |
Motivation for this change
This modifies
initialRamdiskSecretAppender
to stage secrets in/initrd-secrets/
andstage-1-init
to copy them into place after mounting special file systems. This allows secrets to be copied intoramfs
mounts like/run/keys
for use afterstage-1
finishes without copying them to disk (which would not be very secure). This is useful for ZFS filesystem key files, which are mounted later, as well as when rebuilding system configurations to be able to pull secret from/run/keys
to rebuild the initrd.Things done
Tested on
release-21.05
branch andmaster
to preserve existing functionality as well as enable a destinations for secrets in/run/keys
which were present after system had booted.Updated test in
tests/initrd-secrets.nix
to verify new behavior.sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)