Request ZFS/LUKS passwords via Plymouth #88789

Draft
wants to merge 6 commits into
base: master

puckipedia
Contributor

Plymouth currently starts after FDE passphrases have been entered, which is not very useful on modern systems, where booting takes less than 10 seconds. This PR contains a few (partially untested, but works for plymouth + ZFS for me) commits that move Plymouth to earlier in the boot process, and then handle passwords via the bootsplash.

To be done:

  • Test with more obscure LUKS setups (the luksroot test worked, but that doesn't guarantee yubikey / GPG card do, and I'm not entirely sure how to test those in a VM.)
  • Clean up some of the commits
  • Figure out if cryptsetup-askpass was actually used

If anyone wants to help with testing this out, that'd be highly appreciated!

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

puckipedia and others added 5 commits May 24, 2020 19:17
When using Plymouth, it's possible to have a graphical interface for
requesting passwords and showing boot info. To accommodate this, we add
a hook that allows other stage-1 code to seamlessly use this when
available.
This allows for entering passwords inside plymouth.
This loads Plymouth way earlier in the boot process, and sets it up so
password prompts are processed by Plymouth, instead of the terminal.
To show text, Plymouth needs the label plugin. We also copy in both
Cantarell and DejaVu Sans, as these are used by the default Plymouth
themes.
@amaxine
Member

amaxine commented May 26, 2020

Tested and works with luks, but this breaks scaling in plymouth during boot for me. Prior to enabling this, regardless of whether I used hidpi console fonts, plymouth would always scale "correctly", during boot and shutdown. Now it only does so during shutdown.

Setting DeviceScale (previously completely unset) in /etc/plymouth/plymouthd.conf affects shutdown scaling but not boot scaling, so this could just be a plymouth bug.

@puckipedia
Contributor Author

@maxeaubrey Interesting. There's no direct reason this'd cause a scaling issue, unless you use console.earlySetup, I think.. Any other details on your config?

@amaxine
Member

amaxine commented May 26, 2020

Here's my system configuration: https://github.com/maxeaubrey/systems
console.earlySetup is enabled, but I just checked and with it disabled I still get no scaling in plymouth during boot, whether DeviceScale is set or not.

@puckipedia
Contributor Author

Meh. I suspect the issue might be that it's no longer using the DRM backend but instead the plain framebuffer backend. (Maybe because the DRM driver doesn't exist yet?) I'm not entirely sure how to verify this (does plymouth without this patch the backlight once / re-sync the display before showing up, I guess?), I could add a config flag that allows you to set DeviceScale though, if that'd help.

@puckipedia
Contributor Author

oh dang, didn't notice @eadwu had a patchset (#84158) making (tho it's mostly aiming at the flicker-free part). Might look at the differences and merge those in..

cp -r ${pkgs.dejavu_fonts.minimal}/share/fonts/truetype/DejaVuSans.ttf $out/usr/share/fonts/truetype

cp ${pkgs.fontconfig.out}/share/fontconfig/conf.avail/60-latin.conf $out/etc/fonts/2.11/conf.d
cp ${pkgs.fontconfig.out}/etc/fonts/fonts.conf $out/etc/fonts/2.11
Contributor

This will break with #73795, since fontconfig now includes configuration from ${fontconfig}/etc/fonts/conf.d, which is not in allowed references:

output '/nix/store/4gkpl38kjw3qskfz5gy7f74ahlps04c7-extra-utils' is not allowed to refer to the following paths:
  /nix/store/whh21mr17whyq1mm2h7lzj98ixi4w3ps-fontconfig-2.13.92

Contributor Author

guess i'll have to actually build my own fontconfig xml..

Contributor

We also need to use the versioned fonts.conf path since our fontconfig no longer uses the unversioned one.

Something like this might work:

--- a/nixos/modules/system/boot/plymouth.nix
+++ b/nixos/modules/system/boot/plymouth.nix
@@ -105,7 +105,13 @@ in
     systemd.services.systemd-ask-password-plymouth.wantedBy = ["multi-user.target"];
     systemd.paths.systemd-ask-password-plymouth.wantedBy = ["multi-user.target"];
 
-    boot.initrd.extraUtilsCommands = ''
+    boot.initrd.extraUtilsCommands = let
+      fonts_conf = (pkgs.makeFontsConf {
+        fontDirectories = [];
+      }).override {
+        dejavu_fonts.minimal = "/usr/share/fonts";
+      };
+    in ''
       copy_bin_and_libs ${pkgs.plymouth}/bin/plymouthd
       copy_bin_and_libs ${pkgs.plymouth}/bin/plymouth
 
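Review bot: the `.override { dejavu_fonts.minimal = "/usr/share/fonts"; }` call in the new `let` binding needs a comment, because it replaces the whole `dejavu_fonts` argument with an attribute set that holds a single plain string instead of a package, which only works as long as the fonts.conf generator reads nothing but `.minimal` from it. State in a comment that the string is the font directory inside the initrd, so the intent survives a later change to the generator. The binding would also read better as `fontsConf`, matching the camelCase of the surrounding names such as `fontDirectories` and `extraUtilsCommands`.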
@@ -135,13 +141,15 @@ in
       cp ${cfg.logo} $out/share/plymouth/logo.png
 
       mkdir -p $out/usr/share/fonts/truetype
-      mkdir -p $out/etc/fonts/2.11/conf.d
+      mkdir -p $out/etc/fonts/${pkgs.fontconfig.configVersion}/conf.d
       cp -r ${pkgs.cantarell-fonts}/share/fonts/cantarell/Cantarell-{Thin,Regular}.otf $out/usr/share/fonts/truetype
       cp -r ${pkgs.dejavu_fonts.minimal}/share/fonts/truetype/DejaVuSans.ttf $out/usr/share/fonts/truetype
 
-      cp ${pkgs.fontconfig.out}/share/fontconfig/conf.avail/60-latin.conf $out/etc/fonts/2.11/conf.d
-      cp ${pkgs.fontconfig.out}/etc/fonts/fonts.conf $out/etc/fonts/2.11
-      sed -i 's@<dir>${pkgs.dejavu_fonts.minimal}</dir>@<dir>/usr/share/fonts</dir>@g' $out/etc/fonts/2.11/fonts.conf
+      cp ${pkgs.fontconfig.out}/share/fontconfig/conf.avail/60-latin.conf $out/etc/fonts/${pkgs.fontconfig.configVersion}/conf.d
+      cp ${fonts_conf} $out/etc/fonts/${pkgs.fontconfig.configVersion}/fonts.conf
+
+      # Do not include default config files since they are not available in stage-1.
+      sed -i 's@<include>${pkgs.fontconfig.out}/etc/fonts/conf.d</include>@@g' $out/etc/fonts/${pkgs.fontconfig.configVersion}/fonts.conf
     '';
 
     boot.initrd.extraUtilsCommandsTest = ''
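Review bot: the added `sed -i 's@<include>${pkgs.fontconfig.out}/etc/fonts/conf.d</include>@@g'` line removes the include only when the generated file contains exactly that string; if the element carries an attribute or a different path, sed matches nothing, still exits successfully, and the reference to the fontconfig store path stays in fonts.conf, which is the "not allowed to refer" failure reported earlier in this thread. Follow the sed with a check that fails the build when `${pkgs.fontconfig.out}` still appears in the copied fonts.conf (a negated `grep -q` is enough), so a change in the generated config is caught at build time and not at the passphrase prompt.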

Contributor

In #95358, we have stopped using versioned configs altogether.

@Ninlives
Contributor

Hi, what's the status of this pr?

@worldofpeace worldofpeace mentioned this pull request Feb 22, 2021
16 tasks
@ymarkus
Contributor

ymarkus commented Feb 25, 2021

@jtojnar @puckipedia @cole-h Is there any progress on this issue? I'd be happy to try myself, but I'd have to invest quite some time, so I wanted to ask first...

@jtojnar
Contributor

jtojnar commented Feb 25, 2021

@ymarkus it has been recently discussed on IRC: https://logs.nix.samueldr.com/nixos-dev/2021-02-22#1613999739-1614013629;

@ymarkus
Contributor

ymarkus commented Feb 25, 2021

Ok thanks, so I guess @puckipedia will rebase this PR on that one when it gets merged? If you need any help or someone to test it out, feel free to ping me!

@andersk
Contributor

andersk commented Feb 25, 2021

Is systemd-ask-password a better way to do this? See also #74842.

@TLATER
Contributor

TLATER commented Mar 5, 2021

@andersk probably, but there's a bit of a gridlock going on between all the systemd initrd changes. It'd be nice to have plymouth password prompts for the time being, and do the proper thing when the systemd-related issues are resolved.

Let's not shave yaks ;)

@stale

stale bot commented Sep 3, 2021

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Sep 3, 2021
@maydayv7

maydayv7 commented Oct 6, 2021

bumping....

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Oct 6, 2021
@stale

stale bot commented Apr 16, 2022

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Apr 16, 2022
@yorickvP
Contributor

Should integrate with #164943

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Apr 16, 2022
@ners
Member

ners commented May 13, 2022

@puckipedia I've merged the latest nixos-unstable branch into plymouth-fixes: ners@4620d13
Feel free to grab that commit to resolve the merge conflicts.
I've tested out the branch with #164943 enabled, but haven't managed to get a Plymouth prompt to show up.

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Nov 12, 2022
@flokli
Contributor

flokli commented Apr 21, 2023

I've plymouth prompts on a LUKS initrd setup for a while now. What's the status of this PR, what's missing from here in the main branch? Could this be rebased?

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Apr 21, 2023
@wegank wegank added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Mar 19, 2024