Merge pull request NixOS#85418 from lopsided98/grub-initrd-secrets

bbjubjub2494 · Jun 5, 2020 · 7048a81 · 7048a81
2 parents 7f8f722 + 14eceb5
commit 7048a81
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 29 deletions.
diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml
@@ -441,6 +441,20 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
        recommended to only use lower-case characters.
      </para>
    </listitem>
+   <listitem>
+    <para>
+     The GRUB specific option <option>boot.loader.grub.extraInitrd</option>
+     has been replaced with the generic option
+     <option>boot.initrd.secrets</option>. This option creates a secondary
+     initrd from the specified files, rather than using a manually created
+     initrd file.
+
+     Due to an existing bug with <option>boot.loader.grub.extraInitrd</option>,
+     it is not possible to directly boot an older generation that used that
+     option. It is still possible to rollback to that generation if the required
+     initrd file has not been deleted.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 

diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix
@@ -60,7 +60,7 @@ let
       inherit (efi) canTouchEfiVariables;
       inherit (cfg)
         version extraConfig extraPerEntryConfig extraEntries forceInstall useOSProber
-        extraEntriesBeforeNixOS extraPrepareConfig extraInitrd configurationLimit copyKernels
+        extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels
         default fsIdentifier efiSupport efiInstallAsRemovable gfxmodeEfi gfxmodeBios gfxpayloadEfi gfxpayloadBios;
       path = with pkgs; makeBinPath (
         [ coreutils gnused gnugrep findutils diffutils btrfs-progs utillinux mdadm ]
@@ -292,19 +292,6 @@ in
         '';
       };
 
-      extraInitrd = mkOption {
-        type = types.nullOr types.path;
-        default = null;
-        example = "/boot/extra_initramfs.gz";
-        description = ''
-          The path to a second initramfs to be supplied to the kernel.
-          This ramfs will not be copied to the store, so that it can
-          contain secrets such as LUKS keyfiles or ssh keys.
-          This implies that rolling back to a previous configuration
-          won't rollback the state of this file.
-        '';
-      };
-
       useOSProber = mkOption {
         default = false;
         type = types.bool;
@@ -608,6 +595,8 @@ in
         { path = "/boot"; inherit (cfg) devices; inherit (efi) efiSysMountPoint; }
       ];
 
+      boot.loader.supportsInitrdSecrets = true;
+
       system.build.installBootLoader =
         let
           install-grub-pl = pkgs.substituteAll {
@@ -705,6 +694,24 @@ in
       (mkRenamedOptionModule [ "boot" "grubDevice" ] [ "boot" "loader" "grub" "device" ])
       (mkRenamedOptionModule [ "boot" "bootMount" ] [ "boot" "loader" "grub" "bootDevice" ])
       (mkRenamedOptionModule [ "boot" "grubSplashImage" ] [ "boot" "loader" "grub" "splashImage" ])
+      (mkRemovedOptionModule [ "boot" "loader" "grub" "extraInitrd" ] ''
+        This option has been replaced with the bootloader agnostic
+        boot.initrd.secrets option. To migrate to the initrd secrets system,
+        extract the extraInitrd archive into your main filesystem:
+
+          # zcat /boot/extra_initramfs.gz | cpio -idvmD /etc/secrets/initrd
+          /path/to/secret1
+          /path/to/secret2
+
+        then replace boot.loader.grub.extraInitrd with boot.initrd.secrets:
+
+          boot.initrd.secrets = {
+            "/path/to/secret1" = "/etc/secrets/initrd/path/to/secret1";
+            "/path/to/secret2" = "/etc/secrets/initrd/path/to/secret2";
+          };
+
+        See the boot.initrd.secrets option documentation for more information.
+      '')
     ];
 
 }
diff --git a/nixos/modules/system/boot/loader/grub/install-grub.pl b/nixos/modules/system/boot/loader/grub/install-grub.pl
@@ -49,7 +49,6 @@ sub runCommand {
 my $extraPerEntryConfig = get("extraPerEntryConfig");
 my $extraEntries = get("extraEntries");
 my $extraEntriesBeforeNixOS = get("extraEntriesBeforeNixOS") eq "true";
-my $extraInitrd = get("extraInitrd");
 my $splashImage = get("splashImage");
 my $splashMode = get("splashMode");
 my $backgroundColor = get("backgroundColor");
@@ -232,13 +231,6 @@ sub GrubFs {
 if ($copyKernels == 0) {
     $grubStore = GrubFs($storePath);
 }
-my $extraInitrdPath;
-if ($extraInitrd) {
-    if (! -f $extraInitrd) {
-        print STDERR "Warning: the specified extraInitrd " . $extraInitrd . " doesn't exist. Your system won't boot without it.\n";
-    }
-    $extraInitrdPath = GrubFs($extraInitrd);
-}
 
 # Generate the header.
 my $conf .= "# Automatically generated.  DO NOT EDIT THIS FILE!\n";
@@ -363,9 +355,30 @@ sub addEntry {
 
     my $kernel = copyToKernelsDir(Cwd::abs_path("$path/kernel"));
     my $initrd = copyToKernelsDir(Cwd::abs_path("$path/initrd"));
-    if ($extraInitrd) {
-        $initrd .= " " .$extraInitrdPath->path;
+
+    # Include second initrd with secrets
+    if (-e -x "$path/append-initrd-secrets") {
+      my $initrdName = basename($initrd);
+      my $initrdSecretsPath = "$bootPath/kernels/$initrdName-secrets";
+
+      mkpath(dirname($initrdSecretsPath), 0, 0755);
+      my $oldUmask = umask;
+      # Make sure initrd is not world readable (won't work if /boot is FAT)
+      umask 0137;
+      my $initrdSecretsPathTemp = File::Temp::mktemp("$initrdSecretsPath.XXXXXXXX");
+      system("$path/append-initrd-secrets", $initrdSecretsPathTemp) == 0 or die "failed to create initrd secrets\n";
+      # Check whether any secrets were actually added
+      if (-e $initrdSecretsPathTemp && ! -z _) {
+        rename $initrdSecretsPathTemp, $initrdSecretsPath or die "failed to move initrd secrets into place\n";
+        $copied{$initrdSecretsPath} = 1;
+        $initrd .= " " . ($grubBoot->path eq "/" ? "" : $grubBoot->path) . "/kernels/$initrdName-secrets";
+      } else {
+        unlink $initrdSecretsPathTemp;
+        rmdir dirname($initrdSecretsPathTemp);
+      }
+      umask $oldUmask;
     }
+
     my $xen = -e "$path/xen.gz" ? copyToKernelsDir(Cwd::abs_path("$path/xen.gz")) : undef;
 
     # FIXME: $confName
@@ -388,9 +401,6 @@ sub addEntry {
         if ($copyKernels == 0) {
             $conf .= $grubStore->search . "\n";
         }
-        if ($extraInitrd) {
-            $conf .= $extraInitrdPath->search . "\n";
-        }
         $conf .= "  $extraPerEntryConfig\n" if $extraPerEntryConfig;
         $conf .= "  multiboot $xen $xenParams\n" if $xen;
         $conf .= "  " . ($xen ? "module" : "linux") . " $kernel $kernelParams\n";

diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix
@@ -517,8 +517,7 @@ in
     };
 
     boot.initrd.secrets = mkOption
-      { internal = true;
-        default = {};
+      { default = {};
         type = types.attrsOf (types.nullOr types.path);
         description =
           ''