[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
03/12: bootloader: grub: Add support for loading an additional initrd.
From: |
guix-commits |
Subject: |
03/12: bootloader: grub: Add support for loading an additional initrd. |
Date: |
Sun, 14 Jan 2024 17:01:35 -0500 (EST) |
civodul pushed a commit to branch master
in repository guix.
commit 086850e5b2b4a1744565fe83624d256524b64a49
Author: Tomas Volf <wolf@wolfsden.cz>
AuthorDate: Thu Jan 11 18:35:40 2024 +0100
bootloader: grub: Add support for loading an additional initrd.
In order to be able to provide decryption keys for the LUKS device, they
need
to be available in the initial ram disk. However they cannot be stored
inside
the usual initrd, since it is stored in the store and being a
world-readable (as files in the store are) is not a desired property for a
initrd containing decryption keys. This commit adds an option to load
additional initrd during the boot, one that is not stored inside the store
and
therefore can contain secrets.
Since only grub supports encrypted /boot, only grub is modified to use the
extra-initrd. There is no use case for the other bootloaders.
* doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
field.
* gnu/bootloader.scm (<bootloader-configuration>): Add extra-initrd field.
* gnu/bootloader/grub.scm (make-grub-configuration): Use the extra-initrd
field.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Change-Id: I995989bb623bb594ccdafbf4a1a6de941bd4189f
---
doc/guix.texi | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
gnu/bootloader.scm | 6 +++++-
gnu/bootloader/grub.scm | 7 +++++--
3 files changed, 59 insertions(+), 3 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index c216d1b4a6..a66005ee9d 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -41070,6 +41070,55 @@ This option in enabled by default. In some cases
involving the
@code{u-boot} bootloader, where the device tree has already been loaded
in RAM, it can be handy to disable the option by setting it to
@code{#f}.
+
+@item @code{extra-initrd} (default: @code{#f})
+File name of an additional initrd to load during the boot. It may or
+may not point to a file in the store, but the main use case is for
+out-of-store files containing secrets.
+
+In order to be able to provide decryption keys for the LUKS device, they
+need to be available in the initial ram disk. However they cannot be
+stored inside the usual initrd, since it is stored in the store and
+being a world-readable (as files in the store are) is not a desired
+property for a initrd containing decryption keys. You can therefore use
+this field to instruct GRUB to also load a manually created initrd not
+stored in the store.
+
+For any use case not involving secrets, you should use regular initrd
+(@pxref{operating-system Reference, @code{initrd}}) instead.
+
+Suitable image can be created for example like this:
+
+@example
+echo /key-file.bin | cpio -oH newc >/key-file.cpio
+chmod 0000 /key-file.cpio
+@end example
+
+After it is created, you can use it in this manner:
+
+@lisp
+;; Operating system with encrypted boot partition
+(operating-system
+ ...
+ (bootloader (bootloader-configuration
+ (bootloader grub-efi-bootloader)
+ (targets '("/boot/efi"))
+ ;; Load the initrd with a key file
+ (extra-initrd "/key-file.cpio")))
+ (mapped-devices
+ (list (mapped-device
+ (source (uuid "12345678-1234-1234-1234-123456789abc"))
+ (target "my-root")
+ (type (luks-device-mapping-with-options
+ ;; And use it to unlock the root device
+ #:key-file "/key-file.bin"))))))
+@end lisp
+
+Be careful when using this option, since pointing to a file that is not
+readable by the grub while booting will cause the boot to fail and
+require a manual edit of the initrd line in the grub menu.
+
+Currently only supported by GRUB.
@end table
@end deftp
diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm
index ba06de7618..f32e90e79d 100644
--- a/gnu/bootloader.scm
+++ b/gnu/bootloader.scm
@@ -6,6 +6,7 @@
;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
;;; Copyright © 2022 Josselin Poiret <dev@jpoiret.xyz>
;;; Copyright © 2022 Reza Alizadeh Majd <r.majd@pantherx.org>
+;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -77,6 +78,7 @@
bootloader-configuration-serial-unit
bootloader-configuration-serial-speed
bootloader-configuration-device-tree-support?
+ bootloader-configuration-extra-initrd
%bootloaders
lookup-bootloader-by-name
@@ -279,7 +281,9 @@ instead~%")))
(serial-speed bootloader-configuration-serial-speed
(default #f)) ;integer | #f
(device-tree-support? bootloader-configuration-device-tree-support?
- (default #t))) ;boolean
+ (default #t)) ;boolean
+ (extra-initrd bootloader-configuration-extra-initrd
+ (default #f))) ;string | #f
(define-deprecated (bootloader-configuration-target config)
bootloader-configuration-targets
diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm
index 5f3fcd7074..2723eda5f4 100644
--- a/gnu/bootloader/grub.scm
+++ b/gnu/bootloader/grub.scm
@@ -9,6 +9,7 @@
;;; Copyright © 2020 Stefan <stefan-guix@vodafonemail.de>
;;; Copyright © 2022 Karl Hallsby <karl@hallsby.com>
;;; Copyright © 2022 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
+;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -386,7 +387,8 @@ when booting a root file system on a Btrfs subvolume."
store-directory-prefix))
(initrd (normalize-file (menu-entry-initrd entry)
device-mount-point
- store-directory-prefix)))
+ store-directory-prefix))
+ (extra-initrd (bootloader-configuration-extra-initrd config)))
;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount
point.
;; Use the right file names for LINUX and INITRD in case
;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a
@@ -397,11 +399,12 @@ when booting a root file system on a Btrfs subvolume."
#~(format port "menuentry ~s {
~a
linux ~a ~a
- initrd ~a
+ initrd ~a ~a
}~%"
#$label
#$(grub-root-search device linux)
#$linux (string-join (list #$@arguments))
+ (or #$extra-initrd "")
#$initrd)))
(multiboot-kernel
(let* ((kernel (menu-entry-multiboot-kernel entry))
- branch master updated (3f301ddc4f -> f6afaf58b0), guix-commits, 2024/01/14
- 02/12: mapped-devices: Allow unlocking by a key file., guix-commits, 2024/01/14
- 03/12: bootloader: grub: Add support for loading an additional initrd.,
guix-commits <=
- 05/12: tests: install: Use the smallest possible iteration time for LUKS., guix-commits, 2024/01/14
- 10/12: gnu: openssh: Fix build on ppc64le., guix-commits, 2024/01/14
- 09/12: gnu: guile-ssh: Update to 0.16.4., guix-commits, 2024/01/14
- 04/12: tests: Add `encrypted-home-os-key-file' installation test., guix-commits, 2024/01/14
- 12/12: gnu: fish-foreign-env: Update to 0.20230823., guix-commits, 2024/01/14
- 01/12: gnu: Make intermediate packages public but hidden., guix-commits, 2024/01/14
- 11/12: gnu: cuirass: Update to 7bcd3d0., guix-commits, 2024/01/14
- 07/12: tests: install: Fix encrypted-home-os, encrypted-home-os-key-file tests., guix-commits, 2024/01/14
- 08/12: gnu: hpcguix-web: Update to 0.4.1., guix-commits, 2024/01/14
- 06/12: tests: install: Fix encrypted-root-os test., guix-commits, 2024/01/14