From patchwork Thu Jan 11 17:35:40 2024
X-Patchwork-Submitter: Tomas Volf <~@wolfsden.cz>
X-Patchwork-Id: 58797
Subject: [bug#65002] [PATCH v3 2/6] gnu: bootloader: grub: Add support for loading an additional initrd.
From: Tomas Volf <~@wolfsden.cz>
To: 65002@debbugs.gnu.org
Cc: Tomas Volf
Date: Thu, 11 Jan 2024 18:35:40 +0100
Message-ID: <1f9c251cf379b579a0e04f5698da0bfdd62f2b90.1704994535.git.~@wolfsden.cz>
X-Mailer: git-send-email 2.41.0
X-GNU-PR-Message: followup 65002
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
From: Tomas Volf

In order to be able to provide decryption keys for the LUKS device, they need to be available in the initial ram disk. However, they cannot be stored inside the usual initrd, since it is stored in the store, and being world-readable (as files in the store are) is not a desired property for an initrd containing decryption keys.

This commit adds an option to load an additional initrd during boot, one that is not stored inside the store and therefore can contain secrets.

Since only GRUB supports encrypted /boot, only GRUB is modified to use the extra-initrd. There is no use case for the other bootloaders.

* doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd field.
* gnu/bootloader.scm (): Add extra-initrd field.
* gnu/bootloader/grub.scm (make-grub-configuration): Use the extra-initrd field.
---
 doc/guix.texi           | 49 +++++++++++++++++++++++++++++++++++++++++
 gnu/bootloader.scm      |  6 ++++-
 gnu/bootloader/grub.scm |  7 ++++--
 3 files changed, 59 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index b1202f2182..87d41e0aae 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -41070,6 +41070,55 @@ Bootloader Configuration @code{u-boot} bootloader, where the device tree has already been loaded in RAM, it can be handy to disable the option by setting it to @code{#f}. + +@item @code{extra-initrd} (default: @code{#f}) +File name of an additional initrd to load during the boot. It may or +may not point to a file in the store, but the main use case is for +out-of-store files containing secrets. + +In order to be able to provide decryption keys for the LUKS device, they +need to be available in the initial ram disk. However they cannot be +stored inside the usual initrd, since it is stored in the store and +being a world-readable (as files in the store are) is not a desired +property for a initrd containing decryption keys. You can therefore use +this field to instruct GRUB to also load a manually created initrd not +stored in the store. + +For any use case not involving secrets, you should use regular initrd +(@pxref{operating-system Reference, @code{initrd}}) instead. + +Suitable image can be created for example like this: + +@example +echo /key-file.bin | cpio -oH newc >/key-file.cpio +chmod 0000 /key-file.cpio +@end example + +After it is created, you can use it in this manner: + +@lisp +;; Operating system with encrypted boot partition +(operating-system + ... + (bootloader (bootloader-configuration + (bootloader grub-efi-bootloader) + (targets '("/boot/efi")) + ;; Load the initrd with a key file + (extra-initrd "/key-file.cpio"))) + (mapped-devices + (list (mapped-device + (source (uuid "12345678-1234-1234-1234-123456789abc")) + (target "my-root") + (type (luks-device-mapping-with-options + ;; And use it to unlock the root device + #:key-file "/key-file.bin")))))) +@end lisp + +Be careful when using this option, since pointing to a file that is not +readable by the grub while booting will cause the boot to fail and +require a manual edit of the initrd line in the grub menu. + +Currently only supported by GRUB. @end table @end deftp 
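Review bot: the @example in this hunk runs `cpio -oH newc >/key-file.cpio` under the shell's default umask and only then `chmod 0000 /key-file.cpio`, so the archive is world-readable for a moment after it is written; suggest `umask 077` before the pipeline (or creating the file 0600 first), and saying that `/key-file.bin` itself must be unreadable too, since cpio records its mode bits and the kernel applies them when unpacking the initramfs. The text should also say where the archive has to live: GRUB reads it from disk before the kernel runs, so it must be on a filesystem GRUB can open, and only an encrypted one (the encrypted /boot the commit message refers to) protects the key from anyone holding the disk; the chmod only protects it from unprivileged users on the running system. The @lisp example relies on `luks-device-mapping-with-options`, which this patch does not introduce, so the patch that adds it has to come earlier in the series or the manual references an undefined procedure. Wording in the added text: "Suitable image" should be "A suitable image", "a initrd" should be "an initrd", "being a world-readable" should be "being world-readable", and "readable by the grub" should be "readable by GRUB".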
diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm index ba06de7618..f32e90e79d 100644 --- a/gnu/bootloader.scm +++ b/gnu/bootloader.scm @@ -6,6 +6,7 @@ ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen ;;; Copyright © 2022 Josselin Poiret ;;; Copyright © 2022 Reza Alizadeh Majd +;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz> ;;; ;;; This file is part of GNU Guix. ;;; @@ -77,6 +78,7 @@ (define-module (gnu bootloader) bootloader-configuration-serial-unit bootloader-configuration-serial-speed bootloader-configuration-device-tree-support? + bootloader-configuration-extra-initrd %bootloaders lookup-bootloader-by-name @@ -279,7 +281,9 @@ (define-record-type* (serial-speed bootloader-configuration-serial-speed (default #f)) ;integer | #f (device-tree-support? bootloader-configuration-device-tree-support? - (default #t))) ;boolean + (default #t)) ;boolean + (extra-initrd bootloader-configuration-extra-initrd + (default #f))) ;string | #f (define-deprecated (bootloader-configuration-target config) bootloader-configuration-targets diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm index 5f3fcd7074..2723eda5f4 100644 --- a/gnu/bootloader/grub.scm +++ b/gnu/bootloader/grub.scm @@ -9,6 +9,7 @@ ;;; Copyright © 2020 Stefan ;;; Copyright © 2022 Karl Hallsby ;;; Copyright © 2022 Denis 'GNUtoo' Carikli +;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz> ;;; ;;; This file is part of GNU Guix. ;;; @@ -386,7 +387,8 @@ (define* (make-grub-configuration grub config entries store-directory-prefix)) (initrd (normalize-file (menu-entry-initrd entry) device-mount-point - store-directory-prefix))) + store-directory-prefix)) + (extra-initrd (bootloader-configuration-extra-initrd config))) ;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount point. ;; Use the right file names for LINUX and INITRD in case ;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a 
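Review bot: the new `extra-initrd` field in the bootloader-configuration hunk is generic, but only `make-grub-configuration` reads it, so a configuration that sets it together with the extlinux, u-boot or depthcharge bootloader is accepted silently and yields a system that cannot unlock its root device at boot, with no diagnostic at reconfigure time. Suggest rejecting a non-`#f` value in the non-GRUB configuration-file generators (or a sanitizer on the record) rather than relying on the "Currently only supported by GRUB" sentence in the manual. The type comment `;string | #f` also means a file-like object is not accepted even though the documentation says the field "may or may not point to a file in the store"; either accept file-like objects for the in-store case or state in the manual that a plain path string is required.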
@@ -397,11 +399,12 @@ (define* (make-grub-configuration grub config entries #~(format port "menuentry ~s { ~a linux ~a ~a - initrd ~a + initrd ~a ~a }~%" #$label #$(grub-root-search device linux) #$linux (string-join (list #$@arguments)) + (or #$extra-initrd "") #$initrd))) (multiboot-kernel (let* ((kernel (menu-entry-multiboot-kernel entry))
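Review bot: in the menuentry hunk `#$extra-initrd` is emitted verbatim while `#$initrd` went through `normalize-file` with `device-mount-point` and `store-directory-prefix`, and `grub-root-search` sets `$root` for the kernel's device; GRUB therefore resolves "/key-file.cpio" on whatever `$root` is, which is the store's device when the store sits on its own partition (exactly the case the comment just above the binding describes), not the root filesystem the path was written against. Either pass the field through the same normalization, accept an explicit device, or document that the file must live on the same filesystem as the kernel and initrd. The user-supplied path is also unquoted, so a name with spaces or GRUB metacharacters splits the `initrd` command, and when the field is `#f` the line becomes `initrd  /gnu/store/...` with a doubled space; `(if extra-initrd (string-append extra-initrd " ") "")` in place of `(or #$extra-initrd "")` keeps the output tidy.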
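The manual text added by this patch builds the secret initrd with `echo /key-file.bin | cpio -oH newc >/key-file.cpio` and then tightens its permissions. The following is an added example, not code from the patch or from Guix: it writes the same newc archive without GNU cpio, creates the output file 0600 from the first byte before closing it down to 0000, and parses the archive back so the mode recorded for the key file (which the kernel's initramfs unpacker applies) can be checked. The member name `key-file.bin`, the 0400 permission bits and the 32-byte key are constructed for the example.

```python
"""Build and inspect a newc cpio archive holding a LUKS key file.

Added example; not code from the patch or from Guix.  It produces the
archive that `echo /key-file.bin | cpio -oH newc >/key-file.cpio` does,
but never leaves it readable: the file is created 0600 with O_EXCL and
then chmod'ed to 0000, instead of being created under the default umask
and tightened afterwards.  The archive is parsed back as well, so the
recorded mode can be verified without GNU cpio.
"""
import os
import stat
import tempfile

NEWC_MAGIC = b"070701"
HEADER_LEN = 110            # magic (6) + 13 fields of 8 hex digits (104)
TRAILER = "TRAILER!!!"


def _pad4(n):
    """newc aligns header+name and every data block to 4 bytes."""
    return (-n) % 4


def newc_entry(name, data, mode, mtime=0):
    """One archive member; NAME is relative to the initramfs root."""
    name_b = name.encode() + b"\0"
    fields = (
        1,            # ino
        mode,         # st_mode: file type bits | permission bits
        0, 0,         # uid, gid: root
        1,            # nlink
        mtime,        # mtime
        len(data),    # filesize
        0, 0,         # devmajor, devminor
        0, 0,         # rdevmajor, rdevminor
        len(name_b),  # namesize, counting the NUL
        0,            # check, always 0 for newc
    )
    head = NEWC_MAGIC + b"".join(b"%08x" % f for f in fields) + name_b
    head += b"\0" * _pad4(len(head))
    return head + data + b"\0" * _pad4(len(data))


def build_key_initrd(key, name="key-file.bin", perm=0o400):
    """Archive with one regular file.  The kernel applies the recorded
    mode when unpacking, so 0400 keeps the key root-only in early
    userspace; the name unpacks to /key-file.bin in the rootfs."""
    return (newc_entry(name, key, stat.S_IFREG | perm)
            + newc_entry(TRAILER, b"", 0))


def parse_newc(blob):
    """Return [(name, mode, data), ...] for every member before the trailer."""
    entries, off = [], 0
    while off < len(blob):
        if blob[off:off + 6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % off)
        fields = [int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16)
                  for i in range(13)]
        mode, size, namesize = fields[1], fields[6], fields[11]
        name = blob[off + HEADER_LEN:off + HEADER_LEN + namesize - 1].decode()
        off += HEADER_LEN + namesize + _pad4(HEADER_LEN + namesize)
        data = blob[off:off + size]
        off += size + _pad4(size)
        if name == TRAILER:
            return entries
        entries.append((name, mode, data))
    raise ValueError("archive has no trailer")


def write_secret(path, blob):
    """Create PATH 0600 from the start (no world-readable window), write
    the archive, then chmod to 0000 as the manual does; return the
    resulting permission bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(blob)
    os.chmod(path, 0)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Build an archive for a constructed 32-byte key in a temp dir."""
    key = bytes(range(32))                 # constructed, not a real key
    blob = build_key_initrd(key)
    with tempfile.TemporaryDirectory() as d:
        perm = write_secret(os.path.join(d, "key-file.cpio"), blob)
    return {"entries": parse_newc(blob), "cpio_perm": perm, "size": len(blob)}


if __name__ == "__main__":
    for name, mode, data in demo()["entries"]:
        print("%s mode %o, %d bytes" % (name, mode, len(data)))
```

The file created by `write_secret` is what the `extra-initrd` field would point at; it still has to be placed on a filesystem GRUB can read, and the permission bits only matter on the running system, not against someone who has the disk.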