From: Tomas Volf <wolf@wolfsden.cz>
To: 65002@debbugs.gnu.org
Cc: Tomas Volf <wolf@wolfsden.cz>
Subject: [bug#65002] [PATCH 2/2] gnu: bootloader: grub: Add support for loading an additional initrd
Date: Tue,  1 Aug 2023 23:09:21 +0200	[thread overview]
Message-ID: <01792b1d4bf827da9d10b4f06cfe9127b9cfbe45.1690922760.git.wolf@wolfsden.cz> (raw)
In-Reply-To: <cover.1690922760.git.wolf@wolfsden.cz>

In order to be able to provide decryption keys for the LUKS device, they need
to be available in the initial ram disk.  However, they cannot be stored inside
the usual initrd, since it is stored in the store and being
world-readable (as files in the store are) is not a desired property for an
initrd containing decryption keys.  This commit adds an option to load an
additional initrd during the boot, one that is not stored inside the store and
therefore can contain secrets.

Since only grub supports encrypted /boot, only grub is modified to use the
extra-initrd.  There is no use case for the other bootloaders.

* doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
field.
* gnu/bootloader.scm: Add extra-initrd field to bootloader-configuration.
* gnu/bootloader/grub.scm: Use the new extra-initrd field.
---
 doc/guix.texi           | 20 ++++++++++++++++++++
 gnu/bootloader.scm      |  6 +++++-
 gnu/bootloader/grub.scm |  6 ++++--
 3 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index a857654191..c63f28786e 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -40078,6 +40078,26 @@ Bootloader Configuration
 @code{u-boot} bootloader, where the device tree has already been loaded
 in RAM, it can be handy to disable the option by setting it to
 @code{#f}.
+
+@item @code{extra-initrd} (default: @code{#f})
+Path to an additional initrd to load.  Should not point to a file in the
+store.  Typical use case is making keys to unlock LUKS device available
+during the boot process.  For any use case not involving secrets, you
+should use regular initrd (@pxref{operating-system Reference,
+@code{initrd}}) instead.
+
+Suitable image can be created for example like this:
+
+@example
+echo /key-file.bin | cpio -oH newc >/key-file.cpio
+chmod 0000 /key-file.cpio
+@end example
+
+Be careful when using this option, since pointing to a file that is not
+readable by the grub while booting will cause the boot to fail and
+require a manual edit of the initrd line in the grub menu.
+
+Currently only supported by grub.
 @end table
 
 @end deftp
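Review bot: the @code{extra-initrd} entry should say where the file must live: GRUB reads it before the kernel runs, so it has to be on a filesystem GRUB can access, and if that filesystem is not the encrypted one the key sits on disk in clear text regardless of @code{chmod 0000}, which only protects the cpio from unprivileged users once the system is up. The @example also packs @file{/key-file.bin} without saying how that file was created, so a reader may leave the key itself with default permissions; suggest adding "(created with @code{umask 077})" or similar, plus a sentence such as "The file must reside on the encrypted @file{/boot} or root partition, since GRUB reads it directly and anything outside the encrypted volume is stored in clear." Minor wording: "Suitable image" reads better as "A suitable image", and "regular initrd" as "the regular initrd".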
diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm
index 2c36d8c6cf..8cebcf8965 100644
--- a/gnu/bootloader.scm
+++ b/gnu/bootloader.scm
@@ -77,6 +77,7 @@ (define-module (gnu bootloader)
             bootloader-configuration-serial-unit
             bootloader-configuration-serial-speed
             bootloader-configuration-device-tree-support?
+            bootloader-configuration-extra-initrd
 
             %bootloaders
             lookup-bootloader-by-name
@@ -279,7 +280,10 @@ (define-record-type* <bootloader-configuration>
   (serial-speed          bootloader-configuration-serial-speed
                          (default #f))    ;integer | #f
   (device-tree-support?  bootloader-configuration-device-tree-support?
-                         (default #t)))   ;boolean
+                         (default #t))    ;boolean
+  (extra-initrd          bootloader-configuration-extra-initrd
+                         (default #f))    ;string | #f
+  )
 
 (define-deprecated (bootloader-configuration-target config)
   bootloader-configuration-targets
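Review bot: the closing parenthesis on its own line (the new `)` after the `extra-initrd` field) does not follow the style of the rest of the `<bootloader-configuration>` record, where the previous last field closed the form on the same line as `(default #t)))`; fold it back so the field reads `(extra-initrd          bootloader-configuration-extra-initrd` / `(default #f)))   ;string | #f`. Also, since the manual states the value must not be in the store and that an unreadable file makes boot fail, a configuration-time sanity check (rejecting a path under the store prefix, or at least a `file-exists?` warning during reconfigure) would surface the mistake before it reaches the GRUB menu; worth considering here or in the grub code rather than only documenting it.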
diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm
index 5f3fcd7074..49cb3f7725 100644
--- a/gnu/bootloader/grub.scm
+++ b/gnu/bootloader/grub.scm
@@ -386,7 +386,8 @@ (define* (make-grub-configuration grub config entries
                                      store-directory-prefix))
               (initrd (normalize-file (menu-entry-initrd entry)
                                       device-mount-point
-                                      store-directory-prefix)))
+                                      store-directory-prefix))
+              (extra-initrd (bootloader-configuration-extra-initrd config)))
           ;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount point.
           ;; Use the right file names for LINUX and INITRD in case
           ;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a
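Review bot: `extra-initrd` is taken from the configuration verbatim, whereas `initrd` on the lines just above goes through `normalize-file` with `device-mount-point` and `store-directory-prefix`; the extra path is therefore interpreted by GRUB relative to the root device selected by `grub-root-search` for the kernel, not relative to the booted system's `/`. That works when the key file lives on the same device as the store, but the difference should be spelled out, either in the comment block that follows (which currently only mentions LINUX and INITRD) or in the manual, e.g. "The path is passed to GRUB unchanged and resolved on the device that holds the kernel."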
@@ -397,11 +398,12 @@ (define* (make-grub-configuration grub config entries
           #~(format port "menuentry ~s {
   ~a
   linux ~a ~a
-  initrd ~a
+  initrd ~a ~a
 }~%"
                     #$label
                     #$(grub-root-search device linux)
                     #$linux (string-join (list #$@arguments))
+                    (or #$extra-initrd "")
                     #$initrd)))
        (multiboot-kernel
         (let* ((kernel (menu-entry-multiboot-kernel entry))
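Review bot: when `extra-initrd` is `#f`, `(or #$extra-initrd "")` is still substituted into `initrd ~a ~a`, producing `initrd  /gnu/store/...` with a stray double space; GRUB tolerates it, but building the argument list conditionally keeps the generated config clean, e.g. a single `~a` fed by `(string-join (filter identity (list #$extra-initrd #$initrd)))`. The ordering also deserves a comment: the extra archive is passed before the main initrd, and Linux unpacks concatenated initramfs images in order with later entries overwriting earlier ones, so a same-named file in the regular initrd would silently replace the key; if the intent is that the key wins, swap the two arguments.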
-- 
2.41.0
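To verify that an extra-initrd archive of the kind the manual text builds with `cpio -oH newc` really holds only the key file, with no group or other permission bits, here is an added example (my code, not part of this patch or of Guix) that writes and parses the newc cpio format; the archive paths, contents and the function names are constructed for the example.

```python
# Minimal writer and inspector for the "newc" cpio format (what `cpio -H newc`
# produces and what the kernel initramfs unpacker reads).  Added example; the
# entry names and data below are constructed, not from a real system.
MAGIC = b"070701"
TRAILER = "TRAILER!!!"


def _pad4(buf: bytearray) -> None:
    buf.extend(b"\0" * (-len(buf) % 4))


def _header(name: str, mode: int, size: int, ino: int, mtime: int) -> bytes:
    # After the magic come 13 fields of 8 uppercase hex digits each:
    # ino mode uid gid nlink mtime filesize devmajor devminor rdevmajor
    # rdevminor namesize check.  namesize counts the trailing NUL.
    fields = [ino, mode, 0, 0, 1, mtime, size, 0, 0, 0, 0, len(name) + 1, 0]
    return MAGIC + b"".join(b"%08X" % f for f in fields) + name.encode() + b"\0"


def build_newc(files: dict, mtime: int = 0) -> bytes:
    """files maps archive path -> (permission bits, data); regular files only."""
    out = bytearray()
    for ino, (name, (perm, data)) in enumerate(files.items(), start=1):
        out += _header(name, 0o100000 | perm, len(data), ino, mtime)  # S_IFREG
        _pad4(out)                     # header+name padded to 4 bytes
        out += data
        _pad4(out)                     # data padded to 4 bytes
    out += _header(TRAILER, 0, 0, 0, 0)
    _pad4(out)
    return bytes(out)


def list_newc(archive: bytes) -> list:
    """Parse a newc archive into [(name, mode, data)], excluding the trailer."""
    entries, pos = [], 0
    while pos < len(archive):
        if archive[pos:pos + 6] != MAGIC:
            raise ValueError("bad newc magic at offset %d" % pos)
        f = [int(archive[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = archive[pos + 110:pos + 110 + namesize - 1].decode()
        pos += 110 + namesize
        pos += -pos % 4
        data = archive[pos:pos + size]
        pos += size + (-(pos + size) % 4)
        if name == TRAILER:
            break
        entries.append((name, mode, data))
    return entries


def insecure_entries(archive: bytes) -> list:
    """Names of entries whose mode grants group or other access (mode & 0o077)."""
    return [name for name, mode, _ in list_newc(archive) if mode & 0o077]
```

Run `insecure_entries` over the archive referenced by `extra-initrd` after building it; an empty list means every entry is owner-only, which is what a key file inside the initrd should be.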