
grub module: add extraInitrd option #22969

Merged 1 commit, Feb 20, 2017

Conversation

symphorien (Member)

Motivation for this change

This adds a NixOS option which makes it possible to configure grub to give the kernel a second, additional initramfs.

My use case is the following:
I have a LUKS encrypted root filesystem, and no /boot partition. Grub asks me for a passphrase to open /, reads its configuration in /boot and then loads the kernel.
The initramfs then asks me for the same passphrase a second time to mount /.
The solution is to create a LUKS keyfile, readable by root only, and put it in the initramfs so that stage 1 doesn't need the passphrase anymore. But because of issue #8 one cannot put secret files in the store and thus in the initramfs.
So I have a second, static initramfs in /boot/custom_initramfs/initramfs.gz, readable by root only and containing only the keyfile /key, and the following setup:

```nix
boot.loader.grub = {
  ...
  enableCryptodisk = true;
  # Quoted string, not a bare path literal: a path literal would be copied
  # into the world-readable Nix store, which is exactly what this avoids.
  extraInitrd = "/boot/custom_initramfs/initramfs.gz";
};
boot.initrd.luks.devices = [ {
  ...
  keyFile = "/key";
} ];
```

Things done
  • Tested using sandboxing
    (nix.useSandbox on NixOS,
    or option build-use-sandbox in nix.conf
    on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • Linux
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

Only tested on grub2, although the syntax should be the same with grub1.

@mention-bot

@symphorien, thanks for your PR! By analyzing the history of the files in this pull request, we identified @edolstra, @wkennington and @obadz to be potential reviewers.

Inline review comment on these lines of the patch:

```nix
extraInitrd = mkOption {
  type = types.nullOr types.path;
  default = null;
  example = /boot/extra_initrafms.gz;
```

Contributor

The example needs to be quoted, otherwise the evaluator will try to actually read it.

@symphorien (Member Author)

Sorry, this is now fixed.

fpletz (Member) commented Feb 19, 2017

Wow, awesome. Didn't know you could add a second initrd. What are the semantics here? Does the kernel just mount the second initrd over the first one, or are the contents copied? Seems a bit weird at first glance that the contents of both initrds are available at /.

@fpletz fpletz self-assigned this Feb 19, 2017
@fpletz fpletz added this to the 17.03 milestone Feb 19, 2017
dezgeg (Contributor) commented Feb 19, 2017

The contents are copied. The cpio format that's used for initrds cannot be mounted as it doesn't support efficient random access.
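
As an added example (not code from this PR or from nixpkgs), the following Python model illustrates both the setup in the PR description and dezgeg's point above: a second newc cpio archive holding only a root-readable keyfile is packed, and the kernel then copies the entries of each archive into the same rootfs in order, so a later archive's entries overwrite earlier ones rather than being mounted over them. File names, the key bytes and the stage-1 contents are constructed stand-ins; the kernel's real unpacker in init/initramfs.c also handles other compressors, hard links and device nodes, which this model omits.

```python
"""Model of how the kernel consumes a second initramfs: newc cpio archives
are unpacked in order into one rootfs, later entries overwriting earlier ones.
Added example, not nixpkgs code; all file names and contents are constructed."""
import gzip
import io

NEWC_MAGIC = b"070701"
TRAILER = "TRAILER!!!"
HDR_LEN = 110  # 6-byte magic + 13 fields of 8 hex digits


def _pad4(n):
    """Bytes needed to reach the next 4-byte boundary."""
    return (-n) % 4


def cpio_newc_pack(entries):
    """Build a newc cpio archive from (name, mode, uid, gid, data) tuples."""
    out = io.BytesIO()
    for ino, (name, mode, uid, gid, data) in enumerate(entries + [(TRAILER, 0, 0, 0, b"")], 1):
        cname = name.encode() + b"\0"
        # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
        # rdevmajor, rdevminor, namesize, check
        fields = (ino, mode, uid, gid, 1, 0, len(data), 0, 0, 0, 0, len(cname), 0)
        out.write(NEWC_MAGIC + b"".join(b"%08x" % f for f in fields))
        out.write(cname + b"\0" * _pad4(HDR_LEN + len(cname)))
        out.write(data + b"\0" * _pad4(len(data)))
    return out.getvalue()


def cpio_newc_unpack(buf):
    """Yield entries from one or more concatenated newc archives in a buffer."""
    off = 0
    while off < len(buf):
        if buf[off] == 0:  # zero padding between concatenated archives
            off += 1
            continue
        if buf[off:off + 6] != NEWC_MAGIC:
            raise ValueError("bad cpio magic at offset %d" % off)
        f = [int(buf[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, uid, gid, size, namesize = f[1], f[2], f[3], f[6], f[11]
        name = buf[off + HDR_LEN:off + HDR_LEN + namesize - 1].decode()
        data_off = off + HDR_LEN + namesize + _pad4(HDR_LEN + namesize)
        off = data_off + size + _pad4(size)
        if name != TRAILER:
            yield name, mode, uid, gid, buf[data_off:data_off + size]


def unpack_initramfs(blobs):
    """Kernel semantics: every archive (gzip'd or raw) is copied into the same
    rootfs. Returns {name: (mode, uid, gid, data)}; later archives win."""
    rootfs = {}
    for blob in blobs:
        raw = gzip.decompress(blob) if blob[:2] == b"\x1f\x8b" else blob
        for name, mode, uid, gid, data in cpio_newc_unpack(raw):
            rootfs[name] = (mode, uid, gid, data)
    return rootfs


def world_readable(rootfs):
    """Names whose mode grants group or other read access; a keyfile must not."""
    return sorted(n for n, (mode, _, _, _) in rootfs.items() if mode & 0o044)


# Constructed stand-ins: the store-built stage-1 initrd, and the extra initrd
# that lives outside the store with the keyfile readable by root only.
STAGE1 = gzip.compress(cpio_newc_pack([
    ("init",      0o100755, 0, 0, b"#!/bin/sh\ncryptsetup open /dev/sda2 root\n"),
    ("etc/issue", 0o100644, 0, 0, b"stage-1 from the Nix store\n"),
]))
EXTRA = gzip.compress(cpio_newc_pack([
    ("key",       0o100400, 0, 0, b"<constructed LUKS key material, not a real key>"),
    ("etc/issue", 0o100644, 0, 0, b"overridden by extraInitrd\n"),
]))

if __name__ == "__main__":
    root = unpack_initramfs([STAGE1, EXTRA])
    for name, (mode, uid, gid, data) in sorted(root.items()):
        print("%06o %d:%d %-10s %r" % (mode, uid, gid, name, data[:24]))
    print("world-readable entries:", world_readable(root))
```

The mode bits stored in the cpio header are what the unpacked files get in the initramfs rootfs, so packing the keyfile as 0400 owned by uid 0 (and keeping the on-disk initramfs.gz itself root-only, as the description says) is what keeps the key out of reach of other users; `world_readable` is the check to run over the extra archive before installing it.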

fpletz (Member) commented Feb 19, 2017

Thanks for the explanation @dezgeg!

@fpletz fpletz merged commit 60555c7 into NixOS:master Feb 20, 2017
@lopsided98 lopsided98 mentioned this pull request Mar 31, 2018
@symphorien symphorien deleted the extrainitrd branch March 21, 2020 18:14