From patchwork Wed Aug 2 13:02:44 2023
X-Patchwork-Submitter: Tomas Volf
X-Patchwork-Id: 52459
Subject: [bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a key file
From: Tomas Volf
To: 65002@debbugs.gnu.org
Cc: Tomas Volf
Date: Wed, 2 Aug 2023 15:02:44 +0200
Message-ID: <058b41c5060e1811048fe44c20278c64fdfc3ece.1690981365.git.wolf@wolfsden.cz>
X-Mailer: git-send-email 2.41.0

Requiring the user to input their password in order to unlock a device is
not always reasonable, so having an option to unlock the device using a key
file is a nice quality-of-life change.

* gnu/system/mapped-devices.scm (luks-device-mapping): New keyword argument
* gnu/system/mapped-devices.scm (luks-device-mapping-with-options): New procedure
---
untabify

 doc/guix.texi                 | 12 +++++++
 gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
 2 files changed, 54 insertions(+), 25 deletions(-)

base-commit: 5a293d0830aa9369e388d37fe767d5bf98af01b7
diff --git a/doc/guix.texi b/doc/guix.texi index 58cc3d7aad..a857654191 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -17622,6 +17622,18 @@ Mapped Devices @code{dm-crypt} Linux kernel module. @end defvar +@deffn {Procedure} luks-device-mapping-with-options [#:key-file] +Return a @code{luks-device-mapping} object, which defines LUKS block +device encryption using the @command{cryptsetup} command from the +package with the same name. It relies on the @code{dm-crypt} Linux +kernel module. + +If @code{key-file} is provided, unlocking is first attempted using that +key file. If it fails, password unlock is attempted as well. Key file +is not stored in the store and needs to be available at the specified +path at the time of the unlock attempt. +@end deffn + @defvar raid-device-mapping This defines a RAID device, which is assembled using the @code{mdadm} command from the package with the same name. It requires a Linux kernel diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm index e6b8970c12..0755036763 100644 --- a/gnu/system/mapped-devices.scm +++ b/gnu/system/mapped-devices.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2014-2022 Ludovic Courtès ;;; Copyright © 2016 Andreas Enge ;;; Copyright © 2017, 2018 Mark H Weaver +;;; Copyright © 2023 Tomas Volf ;;; ;;; This file is part of GNU Guix. ;;; @@ -64,6 +65,7 @@ (define-module (gnu system mapped-devices) check-device-initrd-modules ;XXX: needs a better place luks-device-mapping + luks-device-mapping-with-options raid-device-mapping lvm-device-mapping)) @@ -188,7 +190,7 @@ (define (check-device-initrd-modules device linux-modules location) ;;; Common device mappings. ;;; -(define (open-luks-device source targets) +(define* (open-luks-device source targets #:key key-file) "Return a gexp that maps SOURCE to TARGET as a LUKS device, using 'cryptsetup'." (with-imported-modules (source-module-closure 
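Review bot: the @deffn text for luks-device-mapping-with-options should say where the key-file path is resolved. The unlock gexp runs in whatever environment opens the device: the initrd for devices needed to mount the root file system, or the booted system under shepherd for the others (see the comment about shepherd setting standard input to /dev/null in the next hunks). So "available at the specified path at the time of the unlock attempt" means, for a root device, "present inside the initrd", which is why the key has to be shipped in a separate initrd rather than placed on the root partition; spell that out and cross-reference the mechanism that delivers it. The same hunk's "If it fails, password unlock is attempted as well" should also warn that the fallback is silent. Separately, the docstring of open-luks-device was not updated for the new #:key-file argument; following the file's convention of upper-case parameter names, add e.g. "When KEY-FILE is true, first try to unlock using the key file at that file name." The ChangeLog line in the commit message names luks-device-mapping, but the keyword argument is added to open-luks-device.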
@@ -198,7 +200,8 @@ (define (open-luks-device source targets) ((target) #~(let ((source #$(if (uuid? source) (uuid-bytevector source) - source))) + source)) + (keyfile #$key-file)) ;; XXX: 'use-modules' should be at the top level. (use-modules (rnrs bytevectors) ;bytevector? ((gnu build file-systems) 
@@ -215,29 +218,35 @@ (define (open-luks-device source targets) ;; 'cryptsetup open' requires standard input to be a tty to allow ;; for interaction but shepherd sets standard input to /dev/null; ;; thus, explicitly request a tty. - (zero? (system*/tty - #$(file-append cryptsetup-static "/sbin/cryptsetup") - "open" "--type" "luks" - - ;; Note: We cannot use the "UUID=source" syntax here - ;; because 'cryptsetup' implements it by searching the - ;; udev-populated /dev/disk/by-id directory but udev may - ;; be unavailable at the time we run this. - (if (bytevector? source) - (or (let loop ((tries-left 10)) - (and (positive? tries-left) - (or (find-partition-by-luks-uuid source) - ;; If the underlying partition is - ;; not found, try again after - ;; waiting a second, up to ten - ;; times. FIXME: This should be - ;; dealt with in a more robust way. - (begin (sleep 1) - (loop (- tries-left 1)))))) - (error "LUKS partition not found" source)) - source) - - #$target))))))) + (let ((partition + ;; Note: We cannot use the "UUID=source" syntax here + ;; because 'cryptsetup' implements it by searching the + ;; udev-populated /dev/disk/by-id directory but udev may + ;; be unavailable at the time we run this. + (if (bytevector? source) + (or (let loop ((tries-left 10)) + (and (positive? tries-left) + (or (find-partition-by-luks-uuid source) + ;; If the underlying partition is + ;; not found, try again after + ;; waiting a second, up to ten + ;; times. FIXME: This should be + ;; dealt with in a more robust way. + (begin (sleep 1) + (loop (- tries-left 1)))))) + (error "LUKS partition not found" source)) + source))) + ;; We want to fallback to the password unlock if the keyfile fails. + (or (and keyfile + (zero? (system*/tty + #$(file-append cryptsetup-static "/sbin/cryptsetup") + "open" "--type" "luks" + "--key-file" keyfile + partition #$target))) + (zero? 
(system*/tty + #$(file-append cryptsetup-static "/sbin/cryptsetup") + "open" "--type" "luks" + partition #$target))))))))) (define (close-luks-device source targets) "Return a gexp that closes TARGET, a LUKS device." 
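Review bot: when the key-file attempt fails, nothing is reported before the code falls through to the interactive `cryptsetup open`, so a mistyped key-file path, a missing extra initrd, or a key slot that was later removed degrades silently into a passphrase prompt at every boot, which is exactly the case an operator would want to notice. Emit a line to (current-error-port) between the two calls, e.g. `(format (current-error-port) "unlocking with key file ~a failed, falling back to passphrase~%" keyfile)`, so the fallback shows up in the boot log. Minor: the binding is named keyfile while the keyword and every other identifier in the patch use key-file.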
@@ -276,6 +285,14 @@ (define luks-device-mapping (close close-luks-device) (check check-luks-device))) +(define* (luks-device-mapping-with-options #:key key-file) + "Return a luks-device-mapping object with open modified to pass the arguments +into the open-luks-device procedure." + (mapped-device-kind + (inherit luks-device-mapping) + (open (λ (source targets) (open-luks-device source targets + #:key-file key-file))))) + (define (open-raid-device sources targets) "Return a gexp that assembles SOURCES (a list of devices) to the RAID device TARGET (e.g., \"/dev/md0\"), using 'mdadm'."
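Review bot: luks-device-mapping-with-options accepts any value for key-file and inherits `check` unchanged, so nothing stops a user from passing a file-like object such as (local-file "key.bin"); because the value is ungexp'd as `#$key-file` in the open gexp, that would copy the key into /gnu/store, world-readable, and substitute the store path, which is precisely what the Texinfo text says must not happen. Validate here that key-file is #f or a string, and consider rejecting strings under the store prefix, rather than relying on the documentation. The docstring also does not describe the parameter; following the surrounding docstrings (upper-case parameter names, e.g. "Return a gexp that maps SOURCE to TARGET"), say something like "Return a mapped-device-kind like luks-device-mapping whose open procedure first tries KEY-FILE, a file name, when it is not #f."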
From patchwork Wed Aug 2 13:02:45 2023
X-Patchwork-Submitter: Tomas Volf
X-Patchwork-Id: 52460
Subject: [bug#65002] [PATCH v2 2/2] gnu: bootloader: grub: Add support for loading an additional initrd
From: Tomas Volf
To: 65002@debbugs.gnu.org
Cc: Tomas Volf
Date: Wed, 2 Aug 2023 15:02:45 +0200
In-Reply-To: <058b41c5060e1811048fe44c20278c64fdfc3ece.1690981365.git.wolf@wolfsden.cz>
References: <058b41c5060e1811048fe44c20278c64fdfc3ece.1690981365.git.wolf@wolfsden.cz>
X-Mailer: git-send-email 2.41.0

In order to be able to provide decryption keys for the LUKS device, they need
to be available in the initial ram disk. However they cannot be stored inside
the usual initrd, since it is stored in the store and being world-readable (as
files in the store are) is not a desired property for an initrd containing
decryption keys.

This commit adds an option to load an additional initrd during the boot, one
that is not stored inside the store and therefore can contain secrets.

Since only grub supports encrypted /boot, only grub is modified to use the
extra-initrd. There is no use case for the other bootloaders.

* doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd field.
* gnu/bootloader.scm: Add extra-initrd field to bootloader-configuration
* gnu/bootloader/grub.scm: Use the new extra-initrd field
---
 doc/guix.texi           | 20 ++++++++++++++++++++
 gnu/bootloader.scm      |  6 +++++-
 gnu/bootloader/grub.scm |  6 ++++--
 3 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index a857654191..c63f28786e 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -40078,6 +40078,26 @@ Bootloader Configuration @code{u-boot} bootloader, where the device tree has already been loaded in RAM, it can be handy to disable the option by setting it to @code{#f}. + +@item @code{extra-initrd} (default: @code{#f}) +Path to an additional initrd to load. Should not point to a file in the +store. Typical use case is making keys to unlock LUKS device available +during the boot process. For any use case not involving secrets, you +should use regular initrd (@pxref{operating-system Reference, +@code{initrd}}) instead. + +Suitable image can be created for example like this: + +@example +echo /key-file.bin | cpio -oH newc >/key-file.cpio +chmod 0000 /key-file.cpio +@end example + +Be careful when using this option, since pointing to a file that is not +readable by the grub while booting will cause the boot to fail and +require a manual edit of the initrd line in the grub menu. + +Currently only supported by grub. @end table @end deftp diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm index 2c36d8c6cf..8cebcf8965 100644 --- a/gnu/bootloader.scm +++ b/gnu/bootloader.scm @@ -77,6 +77,7 @@ (define-module (gnu bootloader) bootloader-configuration-serial-unit bootloader-configuration-serial-speed bootloader-configuration-device-tree-support? + bootloader-configuration-extra-initrd %bootloaders lookup-bootloader-by-name @@ -279,7 +280,10 @@ (define-record-type* (serial-speed bootloader-configuration-serial-speed (default #f)) ;integer | #f (device-tree-support? bootloader-configuration-device-tree-support? - (default #t))) ;boolean + (default #t)) ;boolean + (extra-initrd bootloader-configuration-extra-initrd + (default #f)) ;string | #f + ) (define-deprecated (bootloader-configuration-target config) bootloader-configuration-targets diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm index 5f3fcd7074..49cb3f7725 100644 --- a/gnu/bootloader/grub.scm +++ b/gnu/bootloader/grub.scm 
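Review bot: the @example in the extra-initrd entry leaves the LUKS key in cleartext on whatever partition holds the extra initrd, so the text must state that this only protects the key when that partition is itself LUKS-encrypted and unlocked by GRUB (the commit message's own reason for limiting the feature to GRUB); on an unencrypted /boot the key is readable by anyone holding the disk, and `chmod 0000 /key-file.cpio` neither changes that nor restricts root. The example should also restrict /key-file.bin itself (chmod 0000 or 0400), since the newc archive preserves the file's mode and the plain file stays on disk beside the archive. Wording: "Suitable image can be created" should read "A suitable image can be created", and "use regular initrd" should read "use the regular initrd". In the gnu/bootloader.scm hunk, the closing paren of define-record-type* is left alone on its own line after `(default #f)) ;string | #f`; fold it onto that line as `(default #f))) ;string | #f` to match the surrounding style.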
@@ -386,7 +386,8 @@ (define* (make-grub-configuration grub config entries store-directory-prefix)) (initrd (normalize-file (menu-entry-initrd entry) device-mount-point - store-directory-prefix))) + store-directory-prefix)) + (extra-initrd (bootloader-configuration-extra-initrd config))) ;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount point. ;; Use the right file names for LINUX and INITRD in case ;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a @@ -397,11 +398,12 @@ (define* (make-grub-configuration grub config entries #~(format port "menuentry ~s { ~a linux ~a ~a - initrd ~a + initrd ~a ~a }~%" #$label #$(grub-root-search device linux) #$linux (string-join (list #$@arguments)) + (or #$extra-initrd "") #$initrd))) (multiboot-kernel (let* ((kernel (menu-entry-multiboot-kernel entry))
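Review bot: `(or #$extra-initrd "")` is written into grub.cfg verbatim, whereas the regular initrd on the same line is first passed through normalize-file with device-mount-point and store-directory-prefix. GRUB resolves the extra path relative to whichever device grub-root-search selects for the kernel, so a user whose store or /boot is a separate partition must supply the path as GRUB sees it, not as the running system does, and a wrong path fails the boot as the documentation warns. Either normalize the value the same way (without the store prefix) or say explicitly in the extra-initrd entry how the path is interpreted. Cosmetic: with extra-initrd at its default #f the output becomes `initrd  /gnu/store/...` with two spaces; building the argument list conditionally and joining it, as is done for `arguments` with string-join, avoids formatting an empty string.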