03/12: bootloader: grub: Add support for loading an additional initrd.


From: guix-commits
Subject: 03/12: bootloader: grub: Add support for loading an additional initrd.
Date: Sun, 14 Jan 2024 17:01:35 -0500 (EST)

civodul pushed a commit to branch master
in repository guix.

commit 086850e5b2b4a1744565fe83624d256524b64a49
Author: Tomas Volf <wolf@wolfsden.cz>
AuthorDate: Thu Jan 11 18:35:40 2024 +0100

    bootloader: grub: Add support for loading an additional initrd.
    
    In order to be able to provide decryption keys for the LUKS device, they
    need to be available in the initial ram disk.  However they cannot be
    stored inside the usual initrd, since it is stored in the store and
    being world-readable (as files in the store are) is not a desired
    property for an initrd containing decryption keys.  This commit adds an
    option to load an additional initrd during the boot, one that is not
    stored inside the store and therefore can contain secrets.
    
    Since only grub supports encrypted /boot, only grub is modified to use the
    extra-initrd.  There is no use case for the other bootloaders.
    
    * doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
    field.
    * gnu/bootloader.scm (<bootloader-configuration>): Add extra-initrd field.
    * gnu/bootloader/grub.scm (make-grub-configuration): Use the extra-initrd
    field.
    
    Signed-off-by: Ludovic Courtès <ludo@gnu.org>
    Change-Id: I995989bb623bb594ccdafbf4a1a6de941bd4189f
---
 doc/guix.texi           | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 gnu/bootloader.scm      |  6 +++++-
 gnu/bootloader/grub.scm |  7 +++++--
 3 files changed, 59 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index c216d1b4a6..a66005ee9d 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -41070,6 +41070,55 @@ This option in enabled by default.  In some cases 
involving the
 @code{u-boot} bootloader, where the device tree has already been loaded
 in RAM, it can be handy to disable the option by setting it to
 @code{#f}.
+
+@item @code{extra-initrd} (default: @code{#f})
+File name of an additional initrd to load during the boot.  It may or
+may not point to a file in the store, but the main use case is for
+out-of-store files containing secrets.
+
+In order to be able to provide decryption keys for the LUKS device, they
+need to be available in the initial ram disk.  However they cannot be
+stored inside the usual initrd, since it is stored in the store and
+being a world-readable (as files in the store are) is not a desired
+property for a initrd containing decryption keys.  You can therefore use
+this field to instruct GRUB to also load a manually created initrd not
+stored in the store.
+
+For any use case not involving secrets, you should use regular initrd
+(@pxref{operating-system Reference, @code{initrd}}) instead.
+
+Suitable image can be created for example like this:
+
+@example
+echo /key-file.bin | cpio -oH newc >/key-file.cpio
+chmod 0000 /key-file.cpio
+@end example
+
+After it is created, you can use it in this manner:
+
+@lisp
+;; Operating system with encrypted boot partition
+(operating-system
+  ...
+  (bootloader (bootloader-configuration
+               (bootloader grub-efi-bootloader)
+               (targets '("/boot/efi"))
+               ;; Load the initrd with a key file
+               (extra-initrd "/key-file.cpio")))
+  (mapped-devices
+   (list (mapped-device
+          (source (uuid "12345678-1234-1234-1234-123456789abc"))
+          (target "my-root")
+          (type (luks-device-mapping-with-options
+                 ;; And use it to unlock the root device
+                 #:key-file "/key-file.bin"))))))
+@end lisp
+
+Be careful when using this option, since pointing to a file that is not
+readable by the grub while booting will cause the boot to fail and
+require a manual edit of the initrd line in the grub menu.
+
+Currently only supported by GRUB.
 @end table
 
 @end deftp
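Review bot: the @example builds the archive before restricting it: `echo /key-file.bin | cpio -oH newc >/key-file.cpio` is written under the caller's umask and only then `chmod 0000`, so it should run under `umask 077` (or into a mode-0700 directory) so the key material is never world-readable, and the text should say that /key-file.bin itself needs the same protection. The section should also state where the file has to live: the commit message notes that only GRUB supports an encrypted /boot, and a key file sitting on an unencrypted partition defeats the stated purpose. Minor wording in the added lines: "Suitable image" should be "A suitable image", "regular initrd" should be "the regular initrd", "by the grub" should be "by GRUB", and "a initrd" should be "an initrd".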
diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm
index ba06de7618..f32e90e79d 100644
--- a/gnu/bootloader.scm
+++ b/gnu/bootloader.scm
@@ -6,6 +6,7 @@
 ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
 ;;; Copyright © 2022 Josselin Poiret <dev@jpoiret.xyz>
 ;;; Copyright © 2022 Reza Alizadeh Majd <r.majd@pantherx.org>
+;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
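Review bot: the new copyright line uses the address `<~@wolfsden.cz>` while the commit's Author header is `wolf@wolfsden.cz`; if the tilde address is intentional that is fine, but the two should match, and the same line is added in gnu/bootloader/grub.scm.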
@@ -77,6 +78,7 @@
             bootloader-configuration-serial-unit
             bootloader-configuration-serial-speed
             bootloader-configuration-device-tree-support?
+            bootloader-configuration-extra-initrd
 
             %bootloaders
             lookup-bootloader-by-name
@@ -279,7 +281,9 @@ instead~%")))
   (serial-speed          bootloader-configuration-serial-speed
                          (default #f))    ;integer | #f
   (device-tree-support?  bootloader-configuration-device-tree-support?
-                         (default #t)))   ;boolean
+                         (default #t))    ;boolean
+  (extra-initrd          bootloader-configuration-extra-initrd
+                         (default #f)))   ;string | #f
 
 (define-deprecated (bootloader-configuration-target config)
   bootloader-configuration-targets
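Review bot: the new `extra-initrd` field is annotated `;string | #f` but nothing enforces that; a `sanitize` clause on the field (or a type check where the GRUB code consumes it) rejecting non-string values would turn a misconfiguration into a build-time error rather than a broken `initrd` line in grub.cfg that only shows up at boot.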
diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm
index 5f3fcd7074..2723eda5f4 100644
--- a/gnu/bootloader/grub.scm
+++ b/gnu/bootloader/grub.scm
@@ -9,6 +9,7 @@
 ;;; Copyright © 2020 Stefan <stefan-guix@vodafonemail.de>
 ;;; Copyright © 2022 Karl Hallsby <karl@hallsby.com>
 ;;; Copyright © 2022 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
+;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -386,7 +387,8 @@ when booting a root file system on a Btrfs subvolume."
                                      store-directory-prefix))
               (initrd (normalize-file (menu-entry-initrd entry)
                                       device-mount-point
-                                      store-directory-prefix)))
+                                      store-directory-prefix))
+              (extra-initrd (bootloader-configuration-extra-initrd config)))
           ;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount 
point.
           ;; Use the right file names for LINUX and INITRD in case
           ;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a
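Review bot: `(extra-initrd (bootloader-configuration-extra-initrd config))` takes the configured path verbatim, whereas `initrd` on the lines just above goes through `normalize-file` with `device-mount-point` and `store-directory-prefix`. The documentation says the value "may or may not point to a file in the store", so a store path would not get the prefix applied, and a path on a separately mounted /boot is not adjusted either; either pass the value through `normalize-file` as well or document that it must be written as GRUB will see it at boot.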
@@ -397,11 +399,12 @@ when booting a root file system on a Btrfs subvolume."
           #~(format port "menuentry ~s {
   ~a
   linux ~a ~a
-  initrd ~a
+  initrd ~a ~a
 }~%"
                     #$label
                     #$(grub-root-search device linux)
                     #$linux (string-join (list #$@arguments))
+                    (or #$extra-initrd "")
                     #$initrd)))
        (multiboot-kernel
         (let* ((kernel (menu-entry-multiboot-kernel entry))
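Review bot: the template now emits `initrd ~a ~a` with `(or #$extra-initrd "")` first, so the extra archive is loaded before the main initrd and any same-named file in the main initrd wins; that ordering is reasonable for a key file but deserves a comment. When `extra-initrd` is #f the output is `initrd  /path` with a double space, which GRUB accepts but looks odd, and the value is interpolated unquoted, so a file name containing a space would be split into two initrd arguments.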


