Subject: [bug#65002] [PATCH 2/2] gnu: bootloader: grub: Add support for loading an additional initrd
To: 65002@debbugs.gnu.org
Cc: Tomas Volf
Resent-CC: guix-patches@gnu.org
From: Tomas Volf
Date: Tue, 1 Aug 2023 23:09:21 +0200
Message-ID: <01792b1d4bf827da9d10b4f06cfe9127b9cfbe45.1690922760.git.wolf@wolfsden.cz>

In order to be able to provide decryption keys for the LUKS device, they need
to be available in the initial ram disk.  However they cannot be stored inside
the usual initrd, since it is stored in the store and being world-readable (as
files in the store are) is not a desired property for an initrd containing
decryption keys.

This commit adds an option to load an additional initrd during the boot, one
that is not stored inside the store and therefore can contain secrets.

Since only grub supports encrypted /boot, only grub is modified to use the
extra-initrd.  There is no use case for the other bootloaders.

* doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
field.
* gnu/bootloader.scm: Add extra-initrd field to bootloader-configuration.
* gnu/bootloader/grub.scm: Use the new extra-initrd field.
---
 doc/guix.texi           | 20 ++++++++++++++++++++
 gnu/bootloader.scm      |  6 +++++-
 gnu/bootloader/grub.scm |  6 ++++--
 3 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index a857654191..c63f28786e 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -40078,6 +40078,26 @@ Bootloader Configuration @code{u-boot} bootloader, where the device tree has already been loaded in RAM, it can be handy to disable the option by setting it to @code{#f}. + +@item @code{extra-initrd} (default: @code{#f}) +Path to an additional initrd to load. Should not point to a file in the +store. Typical use case is making keys to unlock LUKS device available +during the boot process. For any use case not involving secrets, you +should use regular initrd (@pxref{operating-system Reference, +@code{initrd}}) instead. + +Suitable image can be created for example like this: + +@example +echo /key-file.bin | cpio -oH newc >/key-file.cpio +chmod 0000 /key-file.cpio +@end example + +Be careful when using this option, since pointing to a file that is not +readable by the grub while booting will cause the boot to fail and +require a manual edit of the initrd line in the grub menu. + +Currently only supported by grub. @end table @end deftp diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm index 2c36d8c6cf..8cebcf8965 100644 --- a/gnu/bootloader.scm +++ b/gnu/bootloader.scm @@ -77,6 +77,7 @@ (define-module (gnu bootloader) bootloader-configuration-serial-unit bootloader-configuration-serial-speed bootloader-configuration-device-tree-support? + bootloader-configuration-extra-initrd %bootloaders lookup-bootloader-by-name @@ -279,7 +280,10 @@ (define-record-type* (serial-speed bootloader-configuration-serial-speed (default #f)) ;integer | #f (device-tree-support? bootloader-configuration-device-tree-support? - (default #t))) ;boolean + (default #t)) ;boolean + (extra-initrd bootloader-configuration-extra-initrd + (default #f)) ;string | #f + ) (define-deprecated (bootloader-configuration-target config) bootloader-configuration-targets diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm index 5f3fcd7074..49cb3f7725 100644 --- a/gnu/bootloader/grub.scm +++ b/gnu/bootloader/grub.scm 
@@ -386,7 +386,8 @@ (define* (make-grub-configuration grub config entries store-directory-prefix)) (initrd (normalize-file (menu-entry-initrd entry) device-mount-point - store-directory-prefix))) + store-directory-prefix)) + (extra-initrd (bootloader-configuration-extra-initrd config))) ;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount point. ;; Use the right file names for LINUX and INITRD in case ;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a @@ -397,11 +398,12 @@ (define* (make-grub-configuration grub config entries #~(format port "menuentry ~s { ~a linux ~a ~a - initrd ~a + initrd ~a ~a }~%" #$label #$(grub-root-search device linux) #$linux (string-join (list #$@arguments)) + (or #$extra-initrd "") #$initrd))) (multiboot-kernel (let* ((kernel (menu-entry-multiboot-kernel entry)) -- 2.41.0
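Review bot: in the doc/guix.texi hunk, the `chmod 0000 /key-file.cpio` step only protects the archive on the installed system; `cpio -o` copies the mode of `/key-file.bin` itself into the member header, so the text should also tell the reader to make the key file non-world-readable before archiving it (GRUB reads the archive straight from the filesystem, so the archive's own mode has no effect on booting). Minor wording in the same hunk: "Suitable image can be created" -> "A suitable image can be created", "unlock LUKS device" -> "unlock a LUKS device", "readable by the grub" -> "readable by GRUB", and "Currently only supported by grub" -> "GRUB", matching how the rest of the manual names it.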
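Review bot: in the second gnu/bootloader.scm hunk the closing paren of `define-record-type*` is left on its own line (`+ )`); Guix style keeps it on the last field line, i.e. `(default #f))) ;string | #f`, which also shrinks the diff to the two added lines.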
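Review bot: in the first gnu/bootloader/grub.scm hunk `extra-initrd` is taken verbatim from the configuration, while `initrd` two lines above it goes through `normalize-file` with DEVICE-MOUNT-POINT and STORE-DIRECTORY-PREFIX. As the comment in the same hunk says, `grub-root-search` points GRUB's root at the device holding LINUX, so the extra initrd path is resolved against that partition, not against the running system's `/`. Either document that the file must live on that device and be given as a path relative to it, or rewrite the path the way `initrd` is rewritten.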
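Review bot: in the second gnu/bootloader/grub.scm hunk, `(or #$extra-initrd "")` is always spliced before `#$initrd`, so with the default `#f` the generated line is `initrd  /gnu/store/...` with a doubled space; consider building the argument list once, e.g. `(string-join (filter identity (list #$extra-initrd #$initrd)))`, and emitting a single `~a`. Also note the ordering this hunk fixes: GRUB hands the files to the kernel in the listed order and the kernel unpacks them in that order, so a file in the store initrd overwrites a same-named file from the extra initrd, never the reverse; one sentence on that in the manual would avoid surprises.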
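The manual text in the patch builds the extra initrd with `cpio -oH newc` and then runs `chmod 0000` on the archive. The point worth seeing in code is that the newc format records a mode for every member, so the permissions of the key file at archive time are what end up inside the initrd, independent of the archive's own mode. The following is an added example, not part of this patch or of Guix: a minimal writer and reader for the newc (initramfs) cpio format in Python instead of GNU cpio, fed a constructed 32-byte stand-in for a LUKS key file. The member name `key-file.bin`, the two mode values and the helper names are assumptions chosen for the illustration.

```python
"""Build and inspect a minimal newc-format cpio archive, the format Linux
unpacks as an initramfs.  Added example: shows that the per-member mode,
not the archive's mode, decides how the key file appears once unpacked."""
import stat

NEWC_MAGIC = b"070701"
HEADER_FIELDS = 13          # ino, mode, uid, gid, nlink, mtime, filesize,
                            # devmajor, devminor, rdevmajor, rdevminor,
                            # namesize, check: each an 8-char ASCII hex number
HEADER_LEN = 6 + 8 * HEADER_FIELDS   # 110 bytes


def _pad4(n):
    """Bytes of zero padding needed to bring n to a 4-byte boundary."""
    return (4 - n % 4) % 4


def _entry(name, data, mode, ino):
    """Encode one member: header + NUL-terminated name (padded to 4),
    then data (padded to 4)."""
    name_b = name.encode() + b"\0"
    fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
    out = NEWC_MAGIC + b"".join(b"%08X" % f for f in fields) + name_b
    out += b"\0" * _pad4(len(out))
    out += data + b"\0" * _pad4(len(data))
    return out


def build_newc(members):
    """members: iterable of (name, bytes, mode).  Returns the archive
    terminated by the mandatory TRAILER!!! record."""
    buf = bytearray()
    for ino, (name, data, mode) in enumerate(members, start=1):
        buf += _entry(name, data, mode, ino)
    buf += _entry("TRAILER!!!", b"", 0, 0)
    return bytes(buf)


def parse_newc(blob):
    """Decode an archive into {name: (mode, data)}, stopping at TRAILER!!!.
    Every record is a multiple of 4 bytes, so absolute offsets stay aligned."""
    out, pos = {}, 0
    while True:
        if blob[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % pos)
        vals = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16)
                for i in range(HEADER_FIELDS)]
        mode, filesize, namesize = vals[1], vals[6], vals[11]
        name_start = pos + HEADER_LEN
        name = blob[name_start:name_start + namesize - 1].decode()
        data_start = name_start + namesize
        data_start += _pad4(data_start)
        data = blob[data_start:data_start + filesize]
        pos = data_start + filesize
        pos += _pad4(pos)
        if name == "TRAILER!!!":
            return out
        out[name] = (mode, data)


def world_readable_members(blob):
    """Names of regular files whose recorded mode grants read to 'other'.
    This is the check the manual's chmod on the archive does not perform."""
    return sorted(name for name, (mode, _) in parse_newc(blob).items()
                  if stat.S_ISREG(mode) and mode & stat.S_IROTH)


# Constructed sample input: a 32-byte stand-in for a LUKS key file, archived
# once as it would be from a 0644 file and once from a 0400 file.
KEY = bytes(range(32))
SLOPPY = build_newc([("key-file.bin", KEY, stat.S_IFREG | 0o644)])
STRICT = build_newc([("key-file.bin", KEY, stat.S_IFREG | 0o400)])

if __name__ == "__main__":
    print("sloppy archive, world-readable members:", world_readable_members(SLOPPY))
    print("strict archive, world-readable members:", world_readable_members(STRICT))
```

The two archives differ only in the eight hex digits of the mode field, which is exactly what `chmod 0000` on the `.cpio` file leaves untouched; fixing the key file's mode before running `cpio -o` is what changes it.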