[bug#65002] [PATCH 0/2] Add support for unlocking root device via a key file

[bug#65002] [PATCH 0/2] Add support for unlocking root device via a key file

[Tomas Volf]

When having an encrypted /boot, it is currently necessary to input a password
twice, once for the /boot (so that grub can find its configuration) and later
once more in order to actually unlock the / itself.  It is not very user
friendly and gets annoying quickly in more exotic setups.  For example with /
on RAID1 BTRFS, password needs to be entered 4 times.  And even without that,
for large encrypted arrays, password needs to be entered once per drive.

The obvious solution to this is to just use --key-file option of the luksOpen
command, however support for that was not implemented.  This series adds that
support.

Another problem is where to store the key file, since it needs to be both
present in the initrd, but it cannot be in the store (since that would make it
world-readable, and you do not want that for an encryption key).  Luckily for
us, grub can load multiple initrds and merge them, so option to specify
additional initrd (not from the store) is added as well.

Since extlinux does not look like supporting encrypted /boot (and this new
option should not be used for anything else), it was added only into into
grub.

Tomas Volf (2):
  mapped-devices: Allow unlocking by a key file
  gnu: bootloader: grub: Add support for loading an additional initrd

 doc/guix.texi                 | 32 +++++++++++++++++
 gnu/bootloader.scm            |  6 +++-
 gnu/bootloader/grub.scm       |  6 ++--
 gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
 4 files changed, 83 insertions(+), 28 deletions(-)


base-commit: 5a293d0830aa9369e388d37fe767d5bf98af01b7
-- 
2.41.0

[bug#65002] [PATCH 1/2] mapped-devices: Allow unlocking by a key file

[Tomas Volf]

Requiring the user to input their password in order to unlock a device is not
always reasonable, so having an option to unlock the device using a key file
is a nice quality of life change.

* gnu/system/mapped-devices.scm (luks-device-mapping): New keyword argument
* gnu/system/mapped-devices.scm (luks-device-mapping-with-options): New
procedure
---
 doc/guix.texi                 | 12 +++++++
 gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
 2 files changed, 54 insertions(+), 25 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 58cc3d7aad..a857654191 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -17622,6 +17622,18 @@ Mapped Devices
 @code{dm-crypt} Linux kernel module.
 @end defvar
 
+@deffn {Procedure} luks-device-mapping-with-options [#:key-file]
+Return a @code{luks-device-mapping} object, which defines LUKS block
+device encryption using the @command{cryptsetup} command from the
+package with the same name.  It relies on the @code{dm-crypt} Linux
+kernel module.
+
+If @code{key-file} is provided, unlocking is first attempted using that
+key file.  If it fails, password unlock is attempted as well.  Key file
+is not stored in the store and needs to be available at the specified
+path at the time of the unlock attempt.
+@end deffn
+
 @defvar raid-device-mapping
 This defines a RAID device, which is assembled using the @code{mdadm}
 command from the package with the same name.  It requires a Linux kernel
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
index e6b8970c12..79b776e81e 100644
--- a/gnu/system/mapped-devices.scm
+++ b/gnu/system/mapped-devices.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2014-2022 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2016 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2017, 2018 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2023 Tomas Volf <wolf@wolfsden.cz>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -64,6 +65,7 @@ (define-module (gnu system mapped-devices)
             check-device-initrd-modules           ;XXX: needs a better place
 
             luks-device-mapping
+            luks-device-mapping-with-options
             raid-device-mapping
             lvm-device-mapping))
 
@@ -188,7 +190,7 @@ (define (check-device-initrd-modules device linux-modules location)
 ;;; Common device mappings.
 ;;;
 
-(define (open-luks-device source targets)
+(define* (open-luks-device source targets #:key key-file)
   "Return a gexp that maps SOURCE to TARGET as a LUKS device, using
 'cryptsetup'."
   (with-imported-modules (source-module-closure
@@ -198,7 +200,8 @@ (define (open-luks-device source targets)
       ((target)
        #~(let ((source #$(if (uuid? source)
                              (uuid-bytevector source)
-                             source)))
+                             source))
+               (keyfile #$key-file))
            ;; XXX: 'use-modules' should be at the top level.
            (use-modules (rnrs bytevectors) ;bytevector?
                         ((gnu build file-systems)
@@ -215,29 +218,35 @@ (define (open-luks-device source targets)
            ;; 'cryptsetup open' requires standard input to be a tty to allow
            ;; for interaction but shepherd sets standard input to /dev/null;
            ;; thus, explicitly request a tty.
-           (zero? (system*/tty
-                   #$(file-append cryptsetup-static "/sbin/cryptsetup")
-                   "open" "--type" "luks"
-
-                   ;; Note: We cannot use the "UUID=source" syntax here
-                   ;; because 'cryptsetup' implements it by searching the
-                   ;; udev-populated /dev/disk/by-id directory but udev may
-                   ;; be unavailable at the time we run this.
-                   (if (bytevector? source)
-                       (or (let loop ((tries-left 10))
-                             (and (positive? tries-left)
-                                  (or (find-partition-by-luks-uuid source)
-                                      ;; If the underlying partition is
-                                      ;; not found, try again after
-                                      ;; waiting a second, up to ten
-                                      ;; times.  FIXME: This should be
-                                      ;; dealt with in a more robust way.
-                                      (begin (sleep 1)
-                                             (loop (- tries-left 1))))))
-                           (error "LUKS partition not found" source))
-                       source)
-
-                   #$target)))))))
+	   (let ((partition
+		  ;; Note: We cannot use the "UUID=source" syntax here
+                  ;; because 'cryptsetup' implements it by searching the
+                  ;; udev-populated /dev/disk/by-id directory but udev may
+                  ;; be unavailable at the time we run this.
+                  (if (bytevector? source)
+                      (or (let loop ((tries-left 10))
+                            (and (positive? tries-left)
+                                 (or (find-partition-by-luks-uuid source)
+                                     ;; If the underlying partition is
+                                     ;; not found, try again after
+                                     ;; waiting a second, up to ten
+                                     ;; times.  FIXME: This should be
+                                     ;; dealt with in a more robust way.
+                                     (begin (sleep 1)
+                                            (loop (- tries-left 1))))))
+                          (error "LUKS partition not found" source))
+                      source)))
+	     ;; We want to fallback to the password unlock if the keyfile fails.
+             (or (and keyfile
+		      (zero? (system*/tty
+			      #$(file-append cryptsetup-static "/sbin/cryptsetup")
+			      "open" "--type" "luks"
+			      "--key-file" keyfile
+			      partition #$target)))
+		 (zero? (system*/tty
+			 #$(file-append cryptsetup-static "/sbin/cryptsetup")
+			 "open" "--type" "luks"
+			 partition #$target)))))))))
 
 (define (close-luks-device source targets)
   "Return a gexp that closes TARGET, a LUKS device."
@@ -276,6 +285,14 @@ (define luks-device-mapping
    (close close-luks-device)
    (check check-luks-device)))
 
+(define* (luks-device-mapping-with-options #:key key-file)
+  "Return a luks-device-mapping object with open modified to pass the arguments
+into the open-luks-device procedure."
+  (mapped-device-kind
+   (inherit luks-device-mapping)
+   (open (λ (source targets) (open-luks-device source targets
+                                               #:key-file key-file)))))
+
 (define (open-raid-device sources targets)
   "Return a gexp that assembles SOURCES (a list of devices) to the RAID device
 TARGET (e.g., \"/dev/md0\"), using 'mdadm'."
-- 
2.41.0

[bug#65002] [PATCH 2/2] gnu: bootloader: grub: Add support for loading an additional initrd

[Tomas Volf]

In order to be able to provide decryption keys for the LUKS device, they need
to be available in the initial ram disk.  However they cannot be stored inside
the usual initrd, since it is stored in the store and being a
world-readable (as files in the store are) is not a desired property for a
initrd containing decryption keys.  This commit adds an option to load
additional initrd during the boot, one that is not stored inside the store and
therefore can contain secrets.

Since only grub supports encrypted /boot, only grub is modified to use the
extra-initrd.  There is no use case for the other bootloaders.

* doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
field.
* gnu/bootloader.scm: Add extra-initrd field to bootloader-configuration
* gnu/bootloader/grub.scm: Use the new extra-initrd field
---
 doc/guix.texi           | 20 ++++++++++++++++++++
 gnu/bootloader.scm      |  6 +++++-
 gnu/bootloader/grub.scm |  6 ++++--
 3 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index a857654191..c63f28786e 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -40078,6 +40078,26 @@ Bootloader Configuration
 @code{u-boot} bootloader, where the device tree has already been loaded
 in RAM, it can be handy to disable the option by setting it to
 @code{#f}.
+
+@item @code{extra-initrd} (default: @code{#f})
+Path to an additional initrd to load.  Should not point to a file in the
+store.  Typical use case is making keys to unlock LUKS device available
+during the boot process.  For any use case not involving secrets, you
+should use regular initrd (@pxref{operating-system Reference,
+@code{initrd}}) instead.
+
+Suitable image can be created for example like this:
+
+@example
+echo /key-file.bin | cpio -oH newc >/key-file.cpio
+chmod 0000 /key-file.cpio
+@end example
+
+Be careful when using this option, since pointing to a file that is not
+readable by the grub while booting will cause the boot to fail and
+require a manual edit of the initrd line in the grub menu.
+
+Currently only supported by grub.
 @end table
 
 @end deftp
diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm
index 2c36d8c6cf..8cebcf8965 100644
--- a/gnu/bootloader.scm
+++ b/gnu/bootloader.scm
@@ -77,6 +77,7 @@ (define-module (gnu bootloader)
             bootloader-configuration-serial-unit
             bootloader-configuration-serial-speed
             bootloader-configuration-device-tree-support?
+            bootloader-configuration-extra-initrd
 
             %bootloaders
             lookup-bootloader-by-name
@@ -279,7 +280,10 @@ (define-record-type* <bootloader-configuration>
   (serial-speed          bootloader-configuration-serial-speed
                          (default #f))    ;integer | #f
   (device-tree-support?  bootloader-configuration-device-tree-support?
-                         (default #t)))   ;boolean
+                         (default #t))    ;boolean
+  (extra-initrd          bootloader-configuration-extra-initrd
+                         (default #f))    ;string | #f
+  )
 
 (define-deprecated (bootloader-configuration-target config)
   bootloader-configuration-targets
diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm
index 5f3fcd7074..49cb3f7725 100644
--- a/gnu/bootloader/grub.scm
+++ b/gnu/bootloader/grub.scm
@@ -386,7 +386,8 @@ (define* (make-grub-configuration grub config entries
                                      store-directory-prefix))
               (initrd (normalize-file (menu-entry-initrd entry)
                                       device-mount-point
-                                      store-directory-prefix)))
+                                      store-directory-prefix))
+              (extra-initrd (bootloader-configuration-extra-initrd config)))
           ;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount point.
           ;; Use the right file names for LINUX and INITRD in case
           ;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a
@@ -397,11 +398,12 @@ (define* (make-grub-configuration grub config entries
           #~(format port "menuentry ~s {
   ~a
   linux ~a ~a
-  initrd ~a
+  initrd ~a ~a
 }~%"
                     #$label
                     #$(grub-root-search device linux)
                     #$linux (string-join (list #$@arguments))
+                    (or #$extra-initrd "")
                     #$initrd)))
        (multiboot-kernel
         (let* ((kernel (menu-entry-multiboot-kernel entry))
-- 
2.41.0

[bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a key file

[Tomas Volf]

Requiring the user to input their password in order to unlock a device is not
always reasonable, so having an option to unlock the device using a key file
is a nice quality of life change.

* gnu/system/mapped-devices.scm (luks-device-mapping): New keyword argument
* gnu/system/mapped-devices.scm (luks-device-mapping-with-options): New
procedure
---
untabify
 doc/guix.texi                 | 12 +++++++
 gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
 2 files changed, 54 insertions(+), 25 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 58cc3d7aad..a857654191 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -17622,6 +17622,18 @@ Mapped Devices
 @code{dm-crypt} Linux kernel module.
 @end defvar
 
+@deffn {Procedure} luks-device-mapping-with-options [#:key-file]
+Return a @code{luks-device-mapping} object, which defines LUKS block
+device encryption using the @command{cryptsetup} command from the
+package with the same name.  It relies on the @code{dm-crypt} Linux
+kernel module.
+
+If @code{key-file} is provided, unlocking is first attempted using that
+key file.  If it fails, password unlock is attempted as well.  Key file
+is not stored in the store and needs to be available at the specified
+path at the time of the unlock attempt.
+@end deffn
+
 @defvar raid-device-mapping
 This defines a RAID device, which is assembled using the @code{mdadm}
 command from the package with the same name.  It requires a Linux kernel
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
index e6b8970c12..0755036763 100644
--- a/gnu/system/mapped-devices.scm
+++ b/gnu/system/mapped-devices.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2014-2022 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2016 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2017, 2018 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2023 Tomas Volf <wolf@wolfsden.cz>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -64,6 +65,7 @@ (define-module (gnu system mapped-devices)
             check-device-initrd-modules           ;XXX: needs a better place
 
             luks-device-mapping
+            luks-device-mapping-with-options
             raid-device-mapping
             lvm-device-mapping))
 
@@ -188,7 +190,7 @@ (define (check-device-initrd-modules device linux-modules location)
 ;;; Common device mappings.
 ;;;
 
-(define (open-luks-device source targets)
+(define* (open-luks-device source targets #:key key-file)
   "Return a gexp that maps SOURCE to TARGET as a LUKS device, using
 'cryptsetup'."
   (with-imported-modules (source-module-closure
@@ -198,7 +200,8 @@ (define (open-luks-device source targets)
       ((target)
        #~(let ((source #$(if (uuid? source)
                              (uuid-bytevector source)
-                             source)))
+                             source))
+               (keyfile #$key-file))
            ;; XXX: 'use-modules' should be at the top level.
            (use-modules (rnrs bytevectors) ;bytevector?
                         ((gnu build file-systems)
@@ -215,29 +218,35 @@ (define (open-luks-device source targets)
            ;; 'cryptsetup open' requires standard input to be a tty to allow
            ;; for interaction but shepherd sets standard input to /dev/null;
            ;; thus, explicitly request a tty.
-           (zero? (system*/tty
-                   #$(file-append cryptsetup-static "/sbin/cryptsetup")
-                   "open" "--type" "luks"
-
-                   ;; Note: We cannot use the "UUID=source" syntax here
-                   ;; because 'cryptsetup' implements it by searching the
-                   ;; udev-populated /dev/disk/by-id directory but udev may
-                   ;; be unavailable at the time we run this.
-                   (if (bytevector? source)
-                       (or (let loop ((tries-left 10))
-                             (and (positive? tries-left)
-                                  (or (find-partition-by-luks-uuid source)
-                                      ;; If the underlying partition is
-                                      ;; not found, try again after
-                                      ;; waiting a second, up to ten
-                                      ;; times.  FIXME: This should be
-                                      ;; dealt with in a more robust way.
-                                      (begin (sleep 1)
-                                             (loop (- tries-left 1))))))
-                           (error "LUKS partition not found" source))
-                       source)
-
-                   #$target)))))))
+           (let ((partition
+                  ;; Note: We cannot use the "UUID=source" syntax here
+                  ;; because 'cryptsetup' implements it by searching the
+                  ;; udev-populated /dev/disk/by-id directory but udev may
+                  ;; be unavailable at the time we run this.
+                  (if (bytevector? source)
+                      (or (let loop ((tries-left 10))
+                            (and (positive? tries-left)
+                                 (or (find-partition-by-luks-uuid source)
+                                     ;; If the underlying partition is
+                                     ;; not found, try again after
+                                     ;; waiting a second, up to ten
+                                     ;; times.  FIXME: This should be
+                                     ;; dealt with in a more robust way.
+                                     (begin (sleep 1)
+                                            (loop (- tries-left 1))))))
+                          (error "LUKS partition not found" source))
+                      source)))
+             ;; We want to fallback to the password unlock if the keyfile fails.
+             (or (and keyfile
+                      (zero? (system*/tty
+                              #$(file-append cryptsetup-static "/sbin/cryptsetup")
+                              "open" "--type" "luks"
+                              "--key-file" keyfile
+                              partition #$target)))
+                 (zero? (system*/tty
+                         #$(file-append cryptsetup-static "/sbin/cryptsetup")
+                         "open" "--type" "luks"
+                         partition #$target)))))))))
 
 (define (close-luks-device source targets)
   "Return a gexp that closes TARGET, a LUKS device."
@@ -276,6 +285,14 @@ (define luks-device-mapping
    (close close-luks-device)
    (check check-luks-device)))
 
+(define* (luks-device-mapping-with-options #:key key-file)
+  "Return a luks-device-mapping object with open modified to pass the arguments
+into the open-luks-device procedure."
+  (mapped-device-kind
+   (inherit luks-device-mapping)
+   (open (λ (source targets) (open-luks-device source targets
+                                               #:key-file key-file)))))
+
 (define (open-raid-device sources targets)
   "Return a gexp that assembles SOURCES (a list of devices) to the RAID device
 TARGET (e.g., \"/dev/md0\"), using 'mdadm'."

base-commit: 5a293d0830aa9369e388d37fe767d5bf98af01b7
-- 
2.41.0

[bug#65002] [PATCH v2 2/2] gnu: bootloader: grub: Add support for loading an additional initrd

[Tomas Volf]

In order to be able to provide decryption keys for the LUKS device, they need
to be available in the initial ram disk.  However they cannot be stored inside
the usual initrd, since it is stored in the store and being a
world-readable (as files in the store are) is not a desired property for a
initrd containing decryption keys.  This commit adds an option to load
additional initrd during the boot, one that is not stored inside the store and
therefore can contain secrets.

Since only grub supports encrypted /boot, only grub is modified to use the
extra-initrd.  There is no use case for the other bootloaders.

* doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
field.
* gnu/bootloader.scm: Add extra-initrd field to bootloader-configuration
* gnu/bootloader/grub.scm: Use the new extra-initrd field
---
 doc/guix.texi           | 20 ++++++++++++++++++++
 gnu/bootloader.scm      |  6 +++++-
 gnu/bootloader/grub.scm |  6 ++++--
 3 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index a857654191..c63f28786e 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -40078,6 +40078,26 @@ Bootloader Configuration
 @code{u-boot} bootloader, where the device tree has already been loaded
 in RAM, it can be handy to disable the option by setting it to
 @code{#f}.
+
+@item @code{extra-initrd} (default: @code{#f})
+Path to an additional initrd to load.  Should not point to a file in the
+store.  Typical use case is making keys to unlock LUKS device available
+during the boot process.  For any use case not involving secrets, you
+should use regular initrd (@pxref{operating-system Reference,
+@code{initrd}}) instead.
+
+Suitable image can be created for example like this:
+
+@example
+echo /key-file.bin | cpio -oH newc >/key-file.cpio
+chmod 0000 /key-file.cpio
+@end example
+
+Be careful when using this option, since pointing to a file that is not
+readable by the grub while booting will cause the boot to fail and
+require a manual edit of the initrd line in the grub menu.
+
+Currently only supported by grub.
 @end table
 
 @end deftp
diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm
index 2c36d8c6cf..8cebcf8965 100644
--- a/gnu/bootloader.scm
+++ b/gnu/bootloader.scm
@@ -77,6 +77,7 @@ (define-module (gnu bootloader)
             bootloader-configuration-serial-unit
             bootloader-configuration-serial-speed
             bootloader-configuration-device-tree-support?
+            bootloader-configuration-extra-initrd
 
             %bootloaders
             lookup-bootloader-by-name
@@ -279,7 +280,10 @@ (define-record-type* <bootloader-configuration>
   (serial-speed          bootloader-configuration-serial-speed
                          (default #f))    ;integer | #f
   (device-tree-support?  bootloader-configuration-device-tree-support?
-                         (default #t)))   ;boolean
+                         (default #t))    ;boolean
+  (extra-initrd          bootloader-configuration-extra-initrd
+                         (default #f))    ;string | #f
+  )
 
 (define-deprecated (bootloader-configuration-target config)
   bootloader-configuration-targets
diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm
index 5f3fcd7074..49cb3f7725 100644
--- a/gnu/bootloader/grub.scm
+++ b/gnu/bootloader/grub.scm
@@ -386,7 +386,8 @@ (define* (make-grub-configuration grub config entries
                                      store-directory-prefix))
               (initrd (normalize-file (menu-entry-initrd entry)
                                       device-mount-point
-                                      store-directory-prefix)))
+                                      store-directory-prefix))
+              (extra-initrd (bootloader-configuration-extra-initrd config)))
           ;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount point.
           ;; Use the right file names for LINUX and INITRD in case
           ;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a
@@ -397,11 +398,12 @@ (define* (make-grub-configuration grub config entries
           #~(format port "menuentry ~s {
   ~a
   linux ~a ~a
-  initrd ~a
+  initrd ~a ~a
 }~%"
                     #$label
                     #$(grub-root-search device linux)
                     #$linux (string-join (list #$@arguments))
+                    (or #$extra-initrd "")
                     #$initrd)))
        (multiboot-kernel
         (let* ((kernel (menu-entry-multiboot-kernel entry))
-- 
2.41.0

[bug#65002] [PATCH 0/2] Add support for unlocking root device via a key file

[Dominik Riva via Guix-patches via]

[-- Attachment #1.1: Type: text/plain, Size: 1369 bytes --]

Hi,

I can confirm, the patches work for me but as I'm still quite ignorant about Guile and Guix, examples would have helped a lot.


  ;; Use the UEFI variant of GRUB with the EFI System
  ;; Partition mounted on /boot/efi.
  ;; /root in /root/key-file.cpio refers to the 

  ;; /dev/mapper/enc btrfs root subvolume and not the home of root.
  (bootloader (bootloader-configuration
                (bootloader grub-efi-bootloader-luks2)
                (targets '("/boot/efi"))
                (keyboard-layout keyboard-layout)
                (extra-initrd "/root/key-file.cpio")))

  ;; Specify a mapped device for the encrypted root partition.
  ;; The UUID is that returned by 'cryptsetup luksUUID'.
  (mapped-devices
   (list (mapped-device
          (source (uuid "e3746b32-8e74-43b0-a111-78c3ea4436cf"))
          (target "enc")
          (type (luks-device-mapping-with-options #:key-file "/key-file.bin")))))


The snipped from https://issues.guix.gnu.org/55723#0 also needed a some changes.
I had to swap line 2 with 3, I switched ext2 with btrfs and the different format for the uuid ticked me as well.

But now I have a booting system and the passphrase only gets asked for once.


Thanks,
Dominik


[1] full config.scm: https://paste.debian.net/1288436/

[-- Attachment #1.2: publickey - driva@protonmail.ch - 0x1019089F.asc --]
[-- Type: application/pgp-keys, Size: 1718 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 509 bytes --]

[bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a key file

[Ludovic Courtès]

Hello!

I know, I know, it’s taken way too long… My apologies!

Tomas Volf <wolf@wolfsden.cz> skribis:

> Requiring the user to input their password in order to unlock a device is not
> always reasonable, so having an option to unlock the device using a key file
> is a nice quality of life change.

Agreed; there’s interest for this feature, I’ve heard it quite a few
times.

> * gnu/system/mapped-devices.scm (luks-device-mapping): New keyword argument
> * gnu/system/mapped-devices.scm (luks-device-mapping-with-options): New
> procedure

No need to repeat the file name here.  Please also mention the
doc/guix.texi changes.

> +@deffn {Procedure} luks-device-mapping-with-options [#:key-file]
> +Return a @code{luks-device-mapping} object, which defines LUKS block
> +device encryption using the @command{cryptsetup} command from the
> +package with the same name.  It relies on the @code{dm-crypt} Linux
> +kernel module.
> +
> +If @code{key-file} is provided, unlocking is first attempted using that
> +key file.  If it fails, password unlock is attempted as well.  Key file
> +is not stored in the store and needs to be available at the specified
> +path at the time of the unlock attempt.

s/specified path/given location/

Perhaps add a sentence or two saying that the advantage is that it
allows you to avoid typing the passphrase, for instance by passing the
key file on a USB key (would that work?), but that this may not be
suitable for all use cases.

I’d also add a short commented config example.

I wonder if we could have a system test; it doesn’t sound very easy so
maybe we’ll skip, but you can check that the “encrypted-root-os” test,
which exercises ‘luks-device-mapping’, still passes (it takes time and
disk space).

The rest LGTM!

Ludo’.

[bug#65002] [PATCH v2 2/2] gnu: bootloader: grub: Add support for loading an additional initrd

[Ludovic Courtès]

Tomas Volf <wolf@wolfsden.cz> skribis:

> In order to be able to provide decryption keys for the LUKS device, they need
> to be available in the initial ram disk.  However they cannot be stored inside
> the usual initrd, since it is stored in the store and being a
> world-readable (as files in the store are) is not a desired property for a
> initrd containing decryption keys.

This explanation should go in the manual IMO (it’s already partly there).

> This commit adds an option to load additional initrd during the boot,
> one that is not stored inside the store and therefore can contain
> secrets.
>
> Since only grub supports encrypted /boot, only grub is modified to use the
> extra-initrd.  There is no use case for the other bootloaders.
>
> * doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
> field.
> * gnu/bootloader.scm: Add extra-initrd field to bootloader-configuration
> * gnu/bootloader/grub.scm: Use the new extra-initrd field

It’d be great if you could specify the entities changes in each file
(which variable/procedure is changed, what is added/removed).  A
committer can do it on your behalf later if you’re unsure.

> +@item @code{extra-initrd} (default: @code{#f})
> +Path to an additional initrd to load.  Should not point to a file in the

s/Path/File name/ (by convention)

Please make full sentences.  “Should not” is probably too strong;
perhaps: “It may or may not point to a file in the store, but the main
use case is for out-of-store files containing secrets.”

> +store.  Typical use case is making keys to unlock LUKS device available

Add a line break after “store.” to distinguish the reference from the
discussion of one possible use case.

> +during the boot process.  For any use case not involving secrets, you
> +should use regular initrd (@pxref{operating-system Reference,
> +@code{initrd}}) instead.
> +
> +Suitable image can be created for example like this:
> +
> +@example
> +echo /key-file.bin | cpio -oH newc >/key-file.cpio
> +chmod 0000 /key-file.cpio
> +@end example
> +
> +Be careful when using this option, since pointing to a file that is not
> +readable by the grub while booting will cause the boot to fail and
> +require a manual edit of the initrd line in the grub menu.
> +
> +Currently only supported by grub.

s/grub/GRUB/

Would be great if you could include also a short config example here, or
add a cross-reference to the example for
‘luks-device-mapping-with-options’ if that covers both.

> +  (extra-initrd          bootloader-configuration-extra-initrd
> +                         (default #f))    ;string | #f
> +  )

No lonely paren please.  :-)

Otherwise LGTM.

Could you send updated patches with these minor changes?

Thanks!

Ludo’.

[bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a key file

[Tomas Volf]

[-- Attachment #1: Type: text/plain, Size: 2605 bytes --]

On 2024-01-10 00:21:19 +0100, Ludovic Courtès wrote:
> Hello!
> 
> I know, I know, it’s taken way too long… My apologies!

No worries, thank you for getting to it. :)
> 
> > * gnu/system/mapped-devices.scm (luks-device-mapping): New keyword argument
> > * gnu/system/mapped-devices.scm (luks-device-mapping-with-options): New
> > procedure
> 
> No need to repeat the file name here.  Please also mention the
> doc/guix.texi changes.

Adjusted.  I also fixed the name of the first procedure (should have been
open-luks-device).

> 
> > +@deffn {Procedure} luks-device-mapping-with-options [#:key-file]
> > +Return a @code{luks-device-mapping} object, which defines LUKS block
> > +device encryption using the @command{cryptsetup} command from the
> > +package with the same name.  It relies on the @code{dm-crypt} Linux
> > +kernel module.
> > +
> > +If @code{key-file} is provided, unlocking is first attempted using that
> > +key file.  If it fails, password unlock is attempted as well.  Key file
> > +is not stored in the store and needs to be available at the specified
> > +path at the time of the unlock attempt.
> 
> s/specified path/given location/
> 
> Perhaps add a sentence or two saying that the advantage is that it
> allows you to avoid typing the passphrase, for instance by passing the
> key file on a USB key (would that work?), but that this may not be
> suitable for all use cases.

Added a sentence. As for the USB key, that would not currently work.  The file
needs to be accessible to the init script, so the USB would need to be mounted
first.  I believe extending the code to support it would not be hard (adding
e.g. #:device to luks-device-mapping-with-options), but I have not use for it,
so I did not intend to do it in this series.  Maybe later.

> 
> I’d also add a short commented config example.

Done.

> 
> I wonder if we could have a system test; it doesn’t sound very easy so
> maybe we’ll skip, but you can check that the “encrypted-root-os” test,
> which exercises ‘luks-device-mapping’, still passes (it takes time and
> disk space).

It does not pass, but it fails even on master ¯\_ (ツ)_/¯:

    guix system: warning: at least 1526.8 MB needed but only 1408.3 MB available in /mnt

It seems somewhat hard to do it based on encrypted-root-os, but should be much
easier basing it on encrypted-home-os.  I might give it a try.

> 
> The rest LGTM!
> 
> Ludo’.

-- 
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[bug#65002] [PATCH v2 2/2] gnu: bootloader: grub: Add support for loading an additional initrd

[Tomas Volf]

[-- Attachment #1: Type: text/plain, Size: 3807 bytes --]

On 2024-01-10 00:28:18 +0100, Ludovic Courtès wrote:
> Tomas Volf <wolf@wolfsden.cz> skribis:
> 
> > In order to be able to provide decryption keys for the LUKS device, they need
> > to be available in the initial ram disk.  However they cannot be stored inside
> > the usual initrd, since it is stored in the store and being a
> > world-readable (as files in the store are) is not a desired property for a
> > initrd containing decryption keys.
> 
> This explanation should go in the manual IMO (it’s already partly there).

Done.

> 
> > This commit adds an option to load additional initrd during the boot,
> > one that is not stored inside the store and therefore can contain
> > secrets.
> >
> > Since only grub supports encrypted /boot, only grub is modified to use the
> > extra-initrd.  There is no use case for the other bootloaders.
> >
> > * doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
> > field.
> > * gnu/bootloader.scm: Add extra-initrd field to bootloader-configuration
> > * gnu/bootloader/grub.scm: Use the new extra-initrd field
> 
> It’d be great if you could specify the entities changes in each file
> (which variable/procedure is changed, what is added/removed).  A
> committer can do it on your behalf later if you’re unsure.

Done, this was one of my first patches and I was quite unsure about the commit
message format.  These days I am still unsure, but a little less so. ^_^

> 
> > +@item @code{extra-initrd} (default: @code{#f})
> > +Path to an additional initrd to load.  Should not point to a file in the
> 
> s/Path/File name/ (by convention)
> 
> Please make full sentences.  “Should not” is probably too strong;
> perhaps: “It may or may not point to a file in the store, but the main
> use case is for out-of-store files containing secrets.”

For content that can be present in the store, the regular `initrd' should be
used instead I think.  However I adjusted the wording.

> 
> > +store.  Typical use case is making keys to unlock LUKS device available
> 
> Add a line break after “store.” to distinguish the reference from the
> discussion of one possible use case.
> 
> > +during the boot process.  For any use case not involving secrets, you
> > +should use regular initrd (@pxref{operating-system Reference,
> > +@code{initrd}}) instead.
> > +
> > +Suitable image can be created for example like this:
> > +
> > +@example
> > +echo /key-file.bin | cpio -oH newc >/key-file.cpio
> > +chmod 0000 /key-file.cpio
> > +@end example
> > +
> > +Be careful when using this option, since pointing to a file that is not
> > +readable by the grub while booting will cause the boot to fail and
> > +require a manual edit of the initrd line in the grub menu.
> > +
> > +Currently only supported by grub.
> 
> s/grub/GRUB/
> 
> Would be great if you could include also a short config example here, or
> add a cross-reference to the example for
> ‘luks-device-mapping-with-options’ if that covers both.

I added an example illustrating how these two work together.

> 
> > +  (extra-initrd          bootloader-configuration-extra-initrd
> > +                         (default #f))    ;string | #f
> > +  )
> 
> No lonely paren please.  :-)

Well I moved the paren, but now the comment (string | #f) looks like it is for
the whole top-level sexp, not just for the extra-initrd field.

> 
> Otherwise LGTM.
> 
> Could you send updated patches with these minor changes?

I will soon, just want spent a bit of time trying to make the system test for
this.

> 
> Thanks!

And thank you again for the review.

Tomas

-- 
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[bug#65002] [PATCH 1/6] mapped-devices: Allow unlocking by a key file.

[Tomas Volf]

From: Tomas Volf <wolf@wolfsden.cz>

Requiring the user to input their password in order to unlock a device is not
always reasonable, so having an option to unlock the device using a key file
is a nice quality of life change.

* gnu/system/mapped-devices.scm (open-luks-device): Add #:key-file argument.
(luks-device-mapping-with-options): New procedure.
* doc/guix.texi (Mapped Devices): Describe the new procedure.

Change-Id: I1de4e045f8c2c11f9a94f1656e839c785b0c11c4
---
 doc/guix.texi                 | 25 +++++++++++++
 gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
 2 files changed, 67 insertions(+), 25 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 395545bed7..b1202f2182 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -123,6 +123,7 @@
 Copyright @copyright{} 2023 Thomas Ieong@*
 Copyright @copyright{} 2023 Saku Laesvuori@*
 Copyright @copyright{} 2023 Graham James Addis@*
+Copyright @copyright{} 2023 Tomas Volf@*
 
 Permission is granted to copy, distribute and/or modify this document
 under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -17992,6 +17993,30 @@ Mapped Devices
 @code{dm-crypt} Linux kernel module.
 @end defvar
 
+@deffn {Procedure} luks-device-mapping-with-options [#:key-file]
+Return a @code{luks-device-mapping} object, which defines LUKS block
+device encryption using the @command{cryptsetup} command from the
+package with the same name.  It relies on the @code{dm-crypt} Linux
+kernel module.
+
+If @code{key-file} is provided, unlocking is first attempted using that
+key file.  This has an advantage of not requiring a password entry, so
+it can be used (for example) to unlock RAID arrays automatically on
+boot.  If key file unlock fails, password unlock is attempted as well.
+Key file is not stored in the store and needs to be available at the
+given location at the time of the unlock attempt.
+
+@lisp
+;; Following definition would be equivalent to running:
+;;   cryptsetup open --key-file /crypto.key /dev/sdb1 data
+(mapped-device
+ (source "/dev/sdb1)
+ (target "data)
+ (type (luks-device-mapping-with-options
+        #:key-file "/crypto.key")))
+@end lisp
+@end deffn
+
 @defvar raid-device-mapping
 This defines a RAID device, which is assembled using the @code{mdadm}
 command from the package with the same name.  It requires a Linux kernel
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
index e6b8970c12..c19a818453 100644
--- a/gnu/system/mapped-devices.scm
+++ b/gnu/system/mapped-devices.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2014-2022 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2016 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2017, 2018 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -64,6 +65,7 @@ (define-module (gnu system mapped-devices)
             check-device-initrd-modules           ;XXX: needs a better place
 
             luks-device-mapping
+            luks-device-mapping-with-options
             raid-device-mapping
             lvm-device-mapping))
 
@@ -188,7 +190,7 @@ (define (check-device-initrd-modules device linux-modules location)
 ;;; Common device mappings.
 ;;;
 
-(define (open-luks-device source targets)
+(define* (open-luks-device source targets #:key key-file)
   "Return a gexp that maps SOURCE to TARGET as a LUKS device, using
 'cryptsetup'."
   (with-imported-modules (source-module-closure
@@ -198,7 +200,8 @@ (define (open-luks-device source targets)
       ((target)
        #~(let ((source #$(if (uuid? source)
                              (uuid-bytevector source)
-                             source)))
+                             source))
+               (keyfile #$key-file))
            ;; XXX: 'use-modules' should be at the top level.
            (use-modules (rnrs bytevectors) ;bytevector?
                         ((gnu build file-systems)
@@ -215,29 +218,35 @@ (define (open-luks-device source targets)
            ;; 'cryptsetup open' requires standard input to be a tty to allow
            ;; for interaction but shepherd sets standard input to /dev/null;
            ;; thus, explicitly request a tty.
-           (zero? (system*/tty
-                   #$(file-append cryptsetup-static "/sbin/cryptsetup")
-                   "open" "--type" "luks"
-
-                   ;; Note: We cannot use the "UUID=source" syntax here
-                   ;; because 'cryptsetup' implements it by searching the
-                   ;; udev-populated /dev/disk/by-id directory but udev may
-                   ;; be unavailable at the time we run this.
-                   (if (bytevector? source)
-                       (or (let loop ((tries-left 10))
-                             (and (positive? tries-left)
-                                  (or (find-partition-by-luks-uuid source)
-                                      ;; If the underlying partition is
-                                      ;; not found, try again after
-                                      ;; waiting a second, up to ten
-                                      ;; times.  FIXME: This should be
-                                      ;; dealt with in a more robust way.
-                                      (begin (sleep 1)
-                                             (loop (- tries-left 1))))))
-                           (error "LUKS partition not found" source))
-                       source)
-
-                   #$target)))))))
+           (let ((partition
+                  ;; Note: We cannot use the "UUID=source" syntax here
+                  ;; because 'cryptsetup' implements it by searching the
+                  ;; udev-populated /dev/disk/by-id directory but udev may
+                  ;; be unavailable at the time we run this.
+                  (if (bytevector? source)
+                      (or (let loop ((tries-left 10))
+                            (and (positive? tries-left)
+                                 (or (find-partition-by-luks-uuid source)
+                                     ;; If the underlying partition is
+                                     ;; not found, try again after
+                                     ;; waiting a second, up to ten
+                                     ;; times.  FIXME: This should be
+                                     ;; dealt with in a more robust way.
+                                     (begin (sleep 1)
+                                            (loop (- tries-left 1))))))
+                          (error "LUKS partition not found" source))
+                      source)))
+             ;; We want to fallback to the password unlock if the keyfile fails.
+             (or (and keyfile
+                      (zero? (system*/tty
+                              #$(file-append cryptsetup-static "/sbin/cryptsetup")
+                              "open" "--type" "luks"
+                              "--key-file" keyfile
+                              partition #$target)))
+                 (zero? (system*/tty
+                         #$(file-append cryptsetup-static "/sbin/cryptsetup")
+                         "open" "--type" "luks"
+                         partition #$target)))))))))
 
 (define (close-luks-device source targets)
   "Return a gexp that closes TARGET, a LUKS device."
@@ -276,6 +285,14 @@ (define luks-device-mapping
    (close close-luks-device)
    (check check-luks-device)))
 
+(define* (luks-device-mapping-with-options #:key key-file)
+  "Return a luks-device-mapping object with open modified to pass the arguments
+into the open-luks-device procedure."
+  (mapped-device-kind
+   (inherit luks-device-mapping)
+   (open (λ (source targets) (open-luks-device source targets
+                                               #:key-file key-file)))))
+
 (define (open-raid-device sources targets)
   "Return a gexp that assembles SOURCES (a list of devices) to the RAID device
 TARGET (e.g., \"/dev/md0\"), using 'mdadm'."

base-commit: 5c0f77f4241c9beac0c82deae946bfdc70b49ff0
-- 
2.41.0

[bug#65002] [PATCH 2/6] gnu: bootloader: grub: Add support for loading an additional initrd.

[Tomas Volf]

From: Tomas Volf <wolf@wolfsden.cz>

In order to be able to provide decryption keys for the LUKS device, they need
to be available in the initial ram disk.  However they cannot be stored inside
the usual initrd, since it is stored in the store and being a
world-readable (as files in the store are) is not a desired property for a
initrd containing decryption keys.  This commit adds an option to load
additional initrd during the boot, one that is not stored inside the store and
therefore can contain secrets.

Since only grub supports encrypted /boot, only grub is modified to use the
extra-initrd.  There is no use case for the other bootloaders.

* doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
field.
* gnu/bootloader.scm (<bootloader-configuration>): Add extra-initrd field.
* gnu/bootloader/grub.scm (make-grub-configuration): Use the extra-initrd
field.
---
 doc/guix.texi           | 49 +++++++++++++++++++++++++++++++++++++++++
 gnu/bootloader.scm      |  6 ++++-
 gnu/bootloader/grub.scm |  7 ++++--
 3 files changed, 59 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index b1202f2182..87d41e0aae 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -41070,6 +41070,55 @@ Bootloader Configuration
 @code{u-boot} bootloader, where the device tree has already been loaded
 in RAM, it can be handy to disable the option by setting it to
 @code{#f}.
+
+@item @code{extra-initrd} (default: @code{#f})
+File name of an additional initrd to load during the boot.  It may or
+may not point to a file in the store, but the main use case is for
+out-of-store files containing secrets.
+
+In order to be able to provide decryption keys for the LUKS device, they
+need to be available in the initial ram disk.  However they cannot be
+stored inside the usual initrd, since it is stored in the store and
+being a world-readable (as files in the store are) is not a desired
+property for a initrd containing decryption keys.  You can therefore use
+this field to instruct GRUB to also load a manually created initrd not
+stored in the store.
+
+For any use case not involving secrets, you should use regular initrd
+(@pxref{operating-system Reference, @code{initrd}}) instead.
+
+Suitable image can be created for example like this:
+
+@example
+echo /key-file.bin | cpio -oH newc >/key-file.cpio
+chmod 0000 /key-file.cpio
+@end example
+
+After it is created, you can use it in this manner:
+
+@lisp
+;; Operating system with encrypted boot partition
+(operating-system
+  ...
+  (bootloader (bootloader-configuration
+               (bootloader grub-efi-bootloader)
+               (targets '("/boot/efi"))
+               ;; Load the initrd with a key file
+               (extra-initrd "/key-file.cpio")))
+  (mapped-devices
+   (list (mapped-device
+          (source (uuid "12345678-1234-1234-1234-123456789abc"))
+          (target "my-root")
+          (type (luks-device-mapping-with-options
+                 ;; And use it to unlock the root device
+                 #:key-file "/key-file.bin"))))))
+@end lisp
+
+Be careful when using this option, since pointing to a file that is not
+readable by the grub while booting will cause the boot to fail and
+require a manual edit of the initrd line in the grub menu.
+
+Currently only supported by GRUB.
 @end table
 
 @end deftp
diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm
index ba06de7618..f32e90e79d 100644
--- a/gnu/bootloader.scm
+++ b/gnu/bootloader.scm
@@ -6,6 +6,7 @@
 ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
 ;;; Copyright © 2022 Josselin Poiret <dev@jpoiret.xyz>
 ;;; Copyright © 2022 Reza Alizadeh Majd <r.majd@pantherx.org>
+;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -77,6 +78,7 @@ (define-module (gnu bootloader)
             bootloader-configuration-serial-unit
             bootloader-configuration-serial-speed
             bootloader-configuration-device-tree-support?
+            bootloader-configuration-extra-initrd
 
             %bootloaders
             lookup-bootloader-by-name
@@ -279,7 +281,9 @@ (define-record-type* <bootloader-configuration>
   (serial-speed          bootloader-configuration-serial-speed
                          (default #f))    ;integer | #f
   (device-tree-support?  bootloader-configuration-device-tree-support?
-                         (default #t)))   ;boolean
+                         (default #t))    ;boolean
+  (extra-initrd          bootloader-configuration-extra-initrd
+                         (default #f)))   ;string | #f
 
 (define-deprecated (bootloader-configuration-target config)
   bootloader-configuration-targets
diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm
index 5f3fcd7074..2723eda5f4 100644
--- a/gnu/bootloader/grub.scm
+++ b/gnu/bootloader/grub.scm
@@ -9,6 +9,7 @@
 ;;; Copyright © 2020 Stefan <stefan-guix@vodafonemail.de>
 ;;; Copyright © 2022 Karl Hallsby <karl@hallsby.com>
 ;;; Copyright © 2022 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
+;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -386,7 +387,8 @@ (define* (make-grub-configuration grub config entries
                                      store-directory-prefix))
               (initrd (normalize-file (menu-entry-initrd entry)
                                       device-mount-point
-                                      store-directory-prefix)))
+                                      store-directory-prefix))
+              (extra-initrd (bootloader-configuration-extra-initrd config)))
           ;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount point.
           ;; Use the right file names for LINUX and INITRD in case
           ;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a
@@ -397,11 +399,12 @@ (define* (make-grub-configuration grub config entries
           #~(format port "menuentry ~s {
   ~a
   linux ~a ~a
-  initrd ~a
+  initrd ~a ~a
 }~%"
                     #$label
                     #$(grub-root-search device linux)
                     #$linux (string-join (list #$@arguments))
+                    (or #$extra-initrd "")
                     #$initrd)))
        (multiboot-kernel
         (let* ((kernel (menu-entry-multiboot-kernel entry))
-- 
2.41.0

[bug#65002] [PATCH 3/6] tests: Add `encrypted-home-os-key-file' installation test.

[Tomas Volf]

Based on encrypted-home-os, this test verifies unlocking via a key file.

* gnu/tests/install.scm (%encrypted-home-os-key-file),
(%encrypted-home-os-key-file-source): New variables.
(%test-encrypted-home-os-key-file): New exported variables.
(%encrypted-home-installation-script): Generate initrd with a key file for
unlocking the LUKS.

Change-Id: I04460155284bdef7e18da645f2b4b26bd8e86636
---
 gnu/tests/install.scm | 74 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 73 insertions(+), 1 deletion(-)

diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index daa4647299..6794bca145 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -35,6 +35,7 @@ (define-module (gnu tests install)
   #:use-module (gnu packages admin)
   #:use-module (gnu packages bootloaders)
   #:use-module (gnu packages commencement)       ;for 'guile-final'
+  #:use-module (gnu packages cpio)
   #:use-module (gnu packages cryptsetup)
   #:use-module (gnu packages disk)
   #:use-module (gnu packages emacs)
@@ -67,6 +68,7 @@ (define-module (gnu tests install)
             %test-raid-root-os
             %test-encrypted-root-os
             %test-encrypted-home-os
+            %test-encrypted-home-os-key-file
             %test-encrypted-root-not-boot-os
             %test-btrfs-root-os
             %test-btrfs-root-on-subvolume-os
@@ -975,6 +977,18 @@ (define %encrypted-home-installation-script
 mkfs.ext4 -L root-fs /dev/vdb2
 mkfs.ext4 -L home-fs /dev/mapper/the-home-device
 mount /dev/vdb2 /mnt
+
+# This script is used for both encrypted-home-os and encrypted-home-os-key-file
+# tests.  So we also add the keyfile here.
+dd if=/dev/zero of=/key-file.bin bs=4096 count=1
+( cd /mnt;
+  echo /key-file.bin | cpio -oH newc > key-file.cpio
+  chmod 0000 key-file.cpio
+  mv /key-file.bin .
+)
+echo -n " %luks-passphrase " | \\
+  cryptsetup luksAddKey --key-file - -i 1 /dev/vdb3 /mnt/key-file.bin
+
 mkdir /mnt/home
 mount /dev/mapper/the-home-device /mnt/home
 df -h /mnt /mnt/home
@@ -1018,11 +1032,69 @@ (define %test-encrypted-home-os
     (mlet* %store-monad ((images (run-install %encrypted-home-os
                                               %encrypted-home-os-source
                                               #:script
-                                              %encrypted-home-installation-script))
+                                              %encrypted-home-installation-script
+                                              #:packages (list cpio)))
                          (command (qemu-command* images)))
       (run-basic-test %encrypted-home-os command "encrypted-home-os"
                       #:initialization enter-luks-passphrase-for-home)))))
 
+\f
+;;;
+;;; LUKS-encrypted /home, unencrypted root.  The unlock is done using a key
+;;; file.
+;;;
+(define-os-with-source (%encrypted-home-os-key-file
+                        %encrypted-home-os-key-file-source)
+  (use-modules (gnu) (gnu tests))
+
+  (operating-system
+    (host-name "cipherhome")
+    (timezone "Europe/Prague")
+    (locale "en_US.utf8")
+
+    (bootloader (bootloader-configuration
+                 (bootloader grub-bootloader)
+                 (targets (list "/dev/vdb"))
+                 (extra-initrd "/key-file.cpio")))
+    (kernel-arguments '("console=ttyS0"))
+
+    (mapped-devices (list (mapped-device
+                           (source (uuid "12345678-1234-1234-1234-123456789abc"))
+                           (target "the-home-device")
+                           (type (luks-device-mapping-with-options
+                                  #:key-file "/key-file.bin")))))
+    (file-systems (cons* (file-system
+                           (device (file-system-label "root-fs"))
+                           (mount-point "/")
+                           (type "ext4"))
+                         (file-system
+                           (device (file-system-label "home-fs"))
+                           (mount-point "/home")
+                           (type "ext4")
+                           (dependencies mapped-devices))
+                        %base-file-systems))
+    (services (cons (service marionette-service-type
+                             (marionette-configuration
+                              (imported-modules '((gnu services herd)
+                                                  (guix combinators)))))
+                    %base-services))))
+
+(define %test-encrypted-home-os-key-file
+  (system-test
+   (name "encrypted-home-os-key-file")
+   (description
+    "Test functionality of an OS installed with a LUKS /home partition with
+unlock done using a key file")
+   (value
+    (mlet* %store-monad ((images (run-install %encrypted-home-os-key-file
+                                              %encrypted-home-os-key-file-source
+                                              #:script
+                                              %encrypted-home-installation-script
+                                              #:packages (list cpio)))
+                         (command (qemu-command* images)))
+      (run-basic-test %encrypted-home-os-key-file
+                      command "encrypted-home-os-key-file")))))
+
 \f
 ;;;
 ;;; LUKS-encrypted root file system and /boot in a non-encrypted partition.
-- 
2.41.0

[bug#65002] [PATCH 4/6] tests: install: Use the smallest possible iteration time for LUKS.

[Tomas Volf]

For testing that installation works, there is no need to spent 2000ms (the
default) iterating while generating the encryption key.  This commit therefore
sets the iteration time to the lowest possible value, 1(ms).

* gnu/tests/install.scm (%encrypted-root-installation-script):
(%encrypted-home-installation-script):
(%encrypted-root-not-boot-installation-script): Pass -i 1 to luksFormat
invocation.

Change-Id: Iab79459b48bebe4d293b18290a236c6414fb27fc
---
 gnu/tests/install.scm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index 6794bca145..c5243f2ed9 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -755,7 +755,7 @@ (define %encrypted-root-installation-script
   set 1 boot on \\
   set 1 bios_grub on
 echo -n " %luks-passphrase " | \\
-  cryptsetup luksFormat --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb2 -
+  cryptsetup luksFormat -i 1 --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb2 -
 echo -n " %luks-passphrase " | \\
   cryptsetup open --type luks --key-file - /dev/vdb2 the-root-device
 mkfs.ext4 -L my-root /dev/mapper/the-root-device
@@ -970,7 +970,7 @@ (define %encrypted-home-installation-script
   set 1 bios_grub on
 
 echo -n " %luks-passphrase " | \\
-  cryptsetup luksFormat --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb3 -
+  cryptsetup luksFormat -i 1 --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb3 -
 echo -n " %luks-passphrase " | \\
   cryptsetup open --type luks --key-file - /dev/vdb3 the-home-device
 
@@ -1155,7 +1155,7 @@ (define %encrypted-root-not-boot-installation-script
   mkpart primary ext2 50M 1.6G \\
   set 1 boot on \\
   set 1 bios_grub on
-echo -n \"~a\" | cryptsetup luksFormat --uuid=\"~a\" -q /dev/vdb3 -
+echo -n \"~a\" | cryptsetup luksFormat -i 1 --uuid=\"~a\" -q /dev/vdb3 -
 echo -n \"~a\" | cryptsetup open --type luks --key-file - /dev/vdb3 root
 mkfs.ext4 -L my-root /dev/mapper/root
 mkfs.ext4 -L my-boot /dev/vdb2
-- 
2.41.0

[bug#65002] [PATCH 5/6] tests: install: Fix encrypted-root-os test.

[Tomas Volf]

The installation no longer fits into the 1.6G, leading to a warning while
running the test:

    guix system: warning: at least 1526.8 MB needed but only 1408.4 MB available in /mnt

Followed by a failure:

     93% [####################################################################     ]note: build failure may have been caused by lack of free disk space
    builder for `/gnu/store/8wl8q8nc1za0vlyv21jpzwgml45njgk2-module-import-compiled.drv' failed with exit code 1

This commit increases the root partition to 2G, making the test pass again.

* gnu/tests/install.scm (%encrypted-root-installation-script): Increase the
root partition to 2G.

Change-Id: I4cc5c78cfbd93ab2ae92ec77603ce6fee0289843
---
 gnu/tests/install.scm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index c5243f2ed9..f553eeaa3e 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -751,7 +751,7 @@ (define %encrypted-root-installation-script
 ls -l /run/current-system/gc-roots
 parted --script /dev/vdb mklabel gpt \\
   mkpart primary ext2 1M 3M \\
-  mkpart primary ext2 3M 1.6G \\
+  mkpart primary ext2 3M 2G \\
   set 1 boot on \\
   set 1 bios_grub on
 echo -n " %luks-passphrase " | \\
-- 
2.41.0

[bug#65002] [PATCH 6/6] tests: install: Fix encrypted-home-os, encrypted-home-os-key-file tests.

[Tomas Volf]

The installation no longer fits into the 1.6G, leading to a warning while
running the test:

    guix system: warning: at least 1526.8 MB needed but only 1408.4 MB available in /mnt

Followed by a failure:

     93% [####################################################################     ]note: build failure may have been caused by lack of free disk space
    builder for `/gnu/store/8wl8q8nc1za0vlyv21jpzwgml45njgk2-module-import-compiled.drv' failed with exit code 1

This commit increases the root partition to 2G, making the test pass again.

* gnu/tests/install.scm (%encrypted-root-installation-script): Increase the
root partition to 2G.
(%test-encrypted-home-os), (%test-encrypted-home-os-key-file): Increase the
target size to 3G to accommodate for the larger root partition.

Change-Id: I0f7092f7b7fc9992d3f895a1eaecf1f2065b7360
---
 gnu/tests/install.scm | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index f553eeaa3e..f9e766e532 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -964,8 +964,8 @@ (define %encrypted-home-installation-script
 export GUIX_BUILD_OPTIONS=--no-grafts
 parted --script /dev/vdb mklabel gpt \\
   mkpart primary ext2 1M 3M \\
-  mkpart primary ext2 3M 1.6G \\
-  mkpart primary 1.6G 2.0G \\
+  mkpart primary ext2 3M 2G \\
+  mkpart primary 2G 2.4G \\
   set 1 boot on \\
   set 1 bios_grub on
 
@@ -1033,7 +1033,9 @@ (define %test-encrypted-home-os
                                               %encrypted-home-os-source
                                               #:script
                                               %encrypted-home-installation-script
-                                              #:packages (list cpio)))
+                                              #:packages (list cpio)
+                                              #:target-size
+                                              (* 3000 MiB)))
                          (command (qemu-command* images)))
       (run-basic-test %encrypted-home-os command "encrypted-home-os"
                       #:initialization enter-luks-passphrase-for-home)))))
@@ -1090,7 +1092,9 @@ (define %test-encrypted-home-os-key-file
                                               %encrypted-home-os-key-file-source
                                               #:script
                                               %encrypted-home-installation-script
-                                              #:packages (list cpio)))
+                                              #:packages (list cpio)
+                                              #:target-size
+                                              (* 3000 MiB)))
                          (command (qemu-command* images)))
       (run-basic-test %encrypted-home-os-key-file
                       command "encrypted-home-os-key-file")))))
-- 
2.41.0

[bug#65002] [PATCH v3 1/6] mapped-devices: Allow unlocking by a key file.

[Tomas Volf]

From: Tomas Volf <wolf@wolfsden.cz>

Requiring the user to input their password in order to unlock a device is not
always reasonable, so having an option to unlock the device using a key file
is a nice quality of life change.

* gnu/system/mapped-devices.scm (open-luks-device): Add #:key-file argument.
(luks-device-mapping-with-options): New procedure.
* doc/guix.texi (Mapped Devices): Describe the new procedure.

Change-Id: I1de4e045f8c2c11f9a94f1656e839c785b0c11c4
---
 doc/guix.texi                 | 25 +++++++++++++
 gnu/system/mapped-devices.scm | 67 ++++++++++++++++++++++-------------
 2 files changed, 67 insertions(+), 25 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 395545bed7..b1202f2182 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -123,6 +123,7 @@
 Copyright @copyright{} 2023 Thomas Ieong@*
 Copyright @copyright{} 2023 Saku Laesvuori@*
 Copyright @copyright{} 2023 Graham James Addis@*
+Copyright @copyright{} 2023 Tomas Volf@*
 
 Permission is granted to copy, distribute and/or modify this document
 under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -17992,6 +17993,30 @@ Mapped Devices
 @code{dm-crypt} Linux kernel module.
 @end defvar
 
+@deffn {Procedure} luks-device-mapping-with-options [#:key-file]
+Return a @code{luks-device-mapping} object, which defines LUKS block
+device encryption using the @command{cryptsetup} command from the
+package with the same name.  It relies on the @code{dm-crypt} Linux
+kernel module.
+
+If @code{key-file} is provided, unlocking is first attempted using that
+key file.  This has an advantage of not requiring a password entry, so
+it can be used (for example) to unlock RAID arrays automatically on
+boot.  If key file unlock fails, password unlock is attempted as well.
+Key file is not stored in the store and needs to be available at the
+given location at the time of the unlock attempt.
+
+@lisp
+;; Following definition would be equivalent to running:
+;;   cryptsetup open --key-file /crypto.key /dev/sdb1 data
+(mapped-device
+ (source "/dev/sdb1)
+ (target "data)
+ (type (luks-device-mapping-with-options
+        #:key-file "/crypto.key")))
+@end lisp
+@end deffn
+
 @defvar raid-device-mapping
 This defines a RAID device, which is assembled using the @code{mdadm}
 command from the package with the same name.  It requires a Linux kernel
diff --git a/gnu/system/mapped-devices.scm b/gnu/system/mapped-devices.scm
index e6b8970c12..c19a818453 100644
--- a/gnu/system/mapped-devices.scm
+++ b/gnu/system/mapped-devices.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2014-2022 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2016 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2017, 2018 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -64,6 +65,7 @@ (define-module (gnu system mapped-devices)
             check-device-initrd-modules           ;XXX: needs a better place
 
             luks-device-mapping
+            luks-device-mapping-with-options
             raid-device-mapping
             lvm-device-mapping))
 
@@ -188,7 +190,7 @@ (define (check-device-initrd-modules device linux-modules location)
 ;;; Common device mappings.
 ;;;
 
-(define (open-luks-device source targets)
+(define* (open-luks-device source targets #:key key-file)
   "Return a gexp that maps SOURCE to TARGET as a LUKS device, using
 'cryptsetup'."
   (with-imported-modules (source-module-closure
@@ -198,7 +200,8 @@ (define (open-luks-device source targets)
       ((target)
        #~(let ((source #$(if (uuid? source)
                              (uuid-bytevector source)
-                             source)))
+                             source))
+               (keyfile #$key-file))
            ;; XXX: 'use-modules' should be at the top level.
            (use-modules (rnrs bytevectors) ;bytevector?
                         ((gnu build file-systems)
@@ -215,29 +218,35 @@ (define (open-luks-device source targets)
            ;; 'cryptsetup open' requires standard input to be a tty to allow
            ;; for interaction but shepherd sets standard input to /dev/null;
            ;; thus, explicitly request a tty.
-           (zero? (system*/tty
-                   #$(file-append cryptsetup-static "/sbin/cryptsetup")
-                   "open" "--type" "luks"
-
-                   ;; Note: We cannot use the "UUID=source" syntax here
-                   ;; because 'cryptsetup' implements it by searching the
-                   ;; udev-populated /dev/disk/by-id directory but udev may
-                   ;; be unavailable at the time we run this.
-                   (if (bytevector? source)
-                       (or (let loop ((tries-left 10))
-                             (and (positive? tries-left)
-                                  (or (find-partition-by-luks-uuid source)
-                                      ;; If the underlying partition is
-                                      ;; not found, try again after
-                                      ;; waiting a second, up to ten
-                                      ;; times.  FIXME: This should be
-                                      ;; dealt with in a more robust way.
-                                      (begin (sleep 1)
-                                             (loop (- tries-left 1))))))
-                           (error "LUKS partition not found" source))
-                       source)
-
-                   #$target)))))))
+           (let ((partition
+                  ;; Note: We cannot use the "UUID=source" syntax here
+                  ;; because 'cryptsetup' implements it by searching the
+                  ;; udev-populated /dev/disk/by-id directory but udev may
+                  ;; be unavailable at the time we run this.
+                  (if (bytevector? source)
+                      (or (let loop ((tries-left 10))
+                            (and (positive? tries-left)
+                                 (or (find-partition-by-luks-uuid source)
+                                     ;; If the underlying partition is
+                                     ;; not found, try again after
+                                     ;; waiting a second, up to ten
+                                     ;; times.  FIXME: This should be
+                                     ;; dealt with in a more robust way.
+                                     (begin (sleep 1)
+                                            (loop (- tries-left 1))))))
+                          (error "LUKS partition not found" source))
+                      source)))
+             ;; We want to fallback to the password unlock if the keyfile fails.
+             (or (and keyfile
+                      (zero? (system*/tty
+                              #$(file-append cryptsetup-static "/sbin/cryptsetup")
+                              "open" "--type" "luks"
+                              "--key-file" keyfile
+                              partition #$target)))
+                 (zero? (system*/tty
+                         #$(file-append cryptsetup-static "/sbin/cryptsetup")
+                         "open" "--type" "luks"
+                         partition #$target)))))))))
 
 (define (close-luks-device source targets)
   "Return a gexp that closes TARGET, a LUKS device."
@@ -276,6 +285,14 @@ (define luks-device-mapping
    (close close-luks-device)
    (check check-luks-device)))
 
+(define* (luks-device-mapping-with-options #:key key-file)
+  "Return a luks-device-mapping object with open modified to pass the arguments
+into the open-luks-device procedure."
+  (mapped-device-kind
+   (inherit luks-device-mapping)
+   (open (λ (source targets) (open-luks-device source targets
+                                               #:key-file key-file)))))
+
 (define (open-raid-device sources targets)
   "Return a gexp that assembles SOURCES (a list of devices) to the RAID device
 TARGET (e.g., \"/dev/md0\"), using 'mdadm'."

base-commit: 5c0f77f4241c9beac0c82deae946bfdc70b49ff0
-- 
2.41.0

[bug#65002] [PATCH v3 2/6] gnu: bootloader: grub: Add support for loading an additional initrd.

[Tomas Volf]

From: Tomas Volf <wolf@wolfsden.cz>

In order to be able to provide decryption keys for the LUKS device, they need
to be available in the initial ram disk.  However they cannot be stored inside
the usual initrd, since it is stored in the store and being a
world-readable (as files in the store are) is not a desired property for a
initrd containing decryption keys.  This commit adds an option to load
additional initrd during the boot, one that is not stored inside the store and
therefore can contain secrets.

Since only grub supports encrypted /boot, only grub is modified to use the
extra-initrd.  There is no use case for the other bootloaders.

* doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
field.
* gnu/bootloader.scm (<bootloader-configuration>): Add extra-initrd field.
* gnu/bootloader/grub.scm (make-grub-configuration): Use the extra-initrd
field.
---
 doc/guix.texi           | 49 +++++++++++++++++++++++++++++++++++++++++
 gnu/bootloader.scm      |  6 ++++-
 gnu/bootloader/grub.scm |  7 ++++--
 3 files changed, 59 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index b1202f2182..87d41e0aae 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -41070,6 +41070,55 @@ Bootloader Configuration
 @code{u-boot} bootloader, where the device tree has already been loaded
 in RAM, it can be handy to disable the option by setting it to
 @code{#f}.
+
+@item @code{extra-initrd} (default: @code{#f})
+File name of an additional initrd to load during the boot.  It may or
+may not point to a file in the store, but the main use case is for
+out-of-store files containing secrets.
+
+In order to be able to provide decryption keys for the LUKS device, they
+need to be available in the initial ram disk.  However they cannot be
+stored inside the usual initrd, since it is stored in the store and
+being a world-readable (as files in the store are) is not a desired
+property for a initrd containing decryption keys.  You can therefore use
+this field to instruct GRUB to also load a manually created initrd not
+stored in the store.
+
+For any use case not involving secrets, you should use regular initrd
+(@pxref{operating-system Reference, @code{initrd}}) instead.
+
+Suitable image can be created for example like this:
+
+@example
+echo /key-file.bin | cpio -oH newc >/key-file.cpio
+chmod 0000 /key-file.cpio
+@end example
+
+After it is created, you can use it in this manner:
+
+@lisp
+;; Operating system with encrypted boot partition
+(operating-system
+  ...
+  (bootloader (bootloader-configuration
+               (bootloader grub-efi-bootloader)
+               (targets '("/boot/efi"))
+               ;; Load the initrd with a key file
+               (extra-initrd "/key-file.cpio")))
+  (mapped-devices
+   (list (mapped-device
+          (source (uuid "12345678-1234-1234-1234-123456789abc"))
+          (target "my-root")
+          (type (luks-device-mapping-with-options
+                 ;; And use it to unlock the root device
+                 #:key-file "/key-file.bin"))))))
+@end lisp
+
+Be careful when using this option, since pointing to a file that is not
+readable by the grub while booting will cause the boot to fail and
+require a manual edit of the initrd line in the grub menu.
+
+Currently only supported by GRUB.
 @end table
 
 @end deftp
diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm
index ba06de7618..f32e90e79d 100644
--- a/gnu/bootloader.scm
+++ b/gnu/bootloader.scm
@@ -6,6 +6,7 @@
 ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
 ;;; Copyright © 2022 Josselin Poiret <dev@jpoiret.xyz>
 ;;; Copyright © 2022 Reza Alizadeh Majd <r.majd@pantherx.org>
+;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -77,6 +78,7 @@ (define-module (gnu bootloader)
             bootloader-configuration-serial-unit
             bootloader-configuration-serial-speed
             bootloader-configuration-device-tree-support?
+            bootloader-configuration-extra-initrd
 
             %bootloaders
             lookup-bootloader-by-name
@@ -279,7 +281,9 @@ (define-record-type* <bootloader-configuration>
   (serial-speed          bootloader-configuration-serial-speed
                          (default #f))    ;integer | #f
   (device-tree-support?  bootloader-configuration-device-tree-support?
-                         (default #t)))   ;boolean
+                         (default #t))    ;boolean
+  (extra-initrd          bootloader-configuration-extra-initrd
+                         (default #f)))   ;string | #f
 
 (define-deprecated (bootloader-configuration-target config)
   bootloader-configuration-targets
diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm
index 5f3fcd7074..2723eda5f4 100644
--- a/gnu/bootloader/grub.scm
+++ b/gnu/bootloader/grub.scm
@@ -9,6 +9,7 @@
 ;;; Copyright © 2020 Stefan <stefan-guix@vodafonemail.de>
 ;;; Copyright © 2022 Karl Hallsby <karl@hallsby.com>
 ;;; Copyright © 2022 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
+;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -386,7 +387,8 @@ (define* (make-grub-configuration grub config entries
                                      store-directory-prefix))
               (initrd (normalize-file (menu-entry-initrd entry)
                                       device-mount-point
-                                      store-directory-prefix)))
+                                      store-directory-prefix))
+              (extra-initrd (bootloader-configuration-extra-initrd config)))
           ;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount point.
           ;; Use the right file names for LINUX and INITRD in case
           ;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a
@@ -397,11 +399,12 @@ (define* (make-grub-configuration grub config entries
           #~(format port "menuentry ~s {
   ~a
   linux ~a ~a
-  initrd ~a
+  initrd ~a ~a
 }~%"
                     #$label
                     #$(grub-root-search device linux)
                     #$linux (string-join (list #$@arguments))
+                    (or #$extra-initrd "")
                     #$initrd)))
        (multiboot-kernel
         (let* ((kernel (menu-entry-multiboot-kernel entry))
-- 
2.41.0

[bug#65002] [PATCH v3 3/6] tests: Add `encrypted-home-os-key-file' installation test.

[Tomas Volf]

Based on encrypted-home-os, this test verifies unlocking via a key file.

* gnu/tests/install.scm (%encrypted-home-os-key-file),
(%encrypted-home-os-key-file-source): New variables.
(%test-encrypted-home-os-key-file): New exported variables.
(%encrypted-home-installation-script): Generate initrd with a key file for
unlocking the LUKS.

Change-Id: I04460155284bdef7e18da645f2b4b26bd8e86636
---
 gnu/tests/install.scm | 74 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 73 insertions(+), 1 deletion(-)

diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index daa4647299..6794bca145 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -35,6 +35,7 @@ (define-module (gnu tests install)
   #:use-module (gnu packages admin)
   #:use-module (gnu packages bootloaders)
   #:use-module (gnu packages commencement)       ;for 'guile-final'
+  #:use-module (gnu packages cpio)
   #:use-module (gnu packages cryptsetup)
   #:use-module (gnu packages disk)
   #:use-module (gnu packages emacs)
@@ -67,6 +68,7 @@ (define-module (gnu tests install)
             %test-raid-root-os
             %test-encrypted-root-os
             %test-encrypted-home-os
+            %test-encrypted-home-os-key-file
             %test-encrypted-root-not-boot-os
             %test-btrfs-root-os
             %test-btrfs-root-on-subvolume-os
@@ -975,6 +977,18 @@ (define %encrypted-home-installation-script
 mkfs.ext4 -L root-fs /dev/vdb2
 mkfs.ext4 -L home-fs /dev/mapper/the-home-device
 mount /dev/vdb2 /mnt
+
+# This script is used for both encrypted-home-os and encrypted-home-os-key-file
+# tests.  So we also add the keyfile here.
+dd if=/dev/zero of=/key-file.bin bs=4096 count=1
+( cd /mnt;
+  echo /key-file.bin | cpio -oH newc > key-file.cpio
+  chmod 0000 key-file.cpio
+  mv /key-file.bin .
+)
+echo -n " %luks-passphrase " | \\
+  cryptsetup luksAddKey --key-file - -i 1 /dev/vdb3 /mnt/key-file.bin
+
 mkdir /mnt/home
 mount /dev/mapper/the-home-device /mnt/home
 df -h /mnt /mnt/home
@@ -1018,11 +1032,69 @@ (define %test-encrypted-home-os
     (mlet* %store-monad ((images (run-install %encrypted-home-os
                                               %encrypted-home-os-source
                                               #:script
-                                              %encrypted-home-installation-script))
+                                              %encrypted-home-installation-script
+                                              #:packages (list cpio)))
                          (command (qemu-command* images)))
       (run-basic-test %encrypted-home-os command "encrypted-home-os"
                       #:initialization enter-luks-passphrase-for-home)))))
 
+\f
+;;;
+;;; LUKS-encrypted /home, unencrypted root.  The unlock is done using a key
+;;; file.
+;;;
+(define-os-with-source (%encrypted-home-os-key-file
+                        %encrypted-home-os-key-file-source)
+  (use-modules (gnu) (gnu tests))
+
+  (operating-system
+    (host-name "cipherhome")
+    (timezone "Europe/Prague")
+    (locale "en_US.utf8")
+
+    (bootloader (bootloader-configuration
+                 (bootloader grub-bootloader)
+                 (targets (list "/dev/vdb"))
+                 (extra-initrd "/key-file.cpio")))
+    (kernel-arguments '("console=ttyS0"))
+
+    (mapped-devices (list (mapped-device
+                           (source (uuid "12345678-1234-1234-1234-123456789abc"))
+                           (target "the-home-device")
+                           (type (luks-device-mapping-with-options
+                                  #:key-file "/key-file.bin")))))
+    (file-systems (cons* (file-system
+                           (device (file-system-label "root-fs"))
+                           (mount-point "/")
+                           (type "ext4"))
+                         (file-system
+                           (device (file-system-label "home-fs"))
+                           (mount-point "/home")
+                           (type "ext4")
+                           (dependencies mapped-devices))
+                        %base-file-systems))
+    (services (cons (service marionette-service-type
+                             (marionette-configuration
+                              (imported-modules '((gnu services herd)
+                                                  (guix combinators)))))
+                    %base-services))))
+
+(define %test-encrypted-home-os-key-file
+  (system-test
+   (name "encrypted-home-os-key-file")
+   (description
+    "Test functionality of an OS installed with a LUKS /home partition with
+unlock done using a key file")
+   (value
+    (mlet* %store-monad ((images (run-install %encrypted-home-os-key-file
+                                              %encrypted-home-os-key-file-source
+                                              #:script
+                                              %encrypted-home-installation-script
+                                              #:packages (list cpio)))
+                         (command (qemu-command* images)))
+      (run-basic-test %encrypted-home-os-key-file
+                      command "encrypted-home-os-key-file")))))
+
 \f
 ;;;
 ;;; LUKS-encrypted root file system and /boot in a non-encrypted partition.
-- 
2.41.0

[bug#65002] [PATCH v3 4/6] tests: install: Use the smallest possible iteration time for LUKS.

[Tomas Volf]

For testing that installation works, there is no need to spent 2000ms (the
default) iterating while generating the encryption key.  This commit therefore
sets the iteration time to the lowest possible value, 1(ms).

* gnu/tests/install.scm (%encrypted-root-installation-script):
(%encrypted-home-installation-script):
(%encrypted-root-not-boot-installation-script): Pass -i 1 to luksFormat
invocation.

Change-Id: Iab79459b48bebe4d293b18290a236c6414fb27fc
---
 gnu/tests/install.scm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index 6794bca145..c5243f2ed9 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -755,7 +755,7 @@ (define %encrypted-root-installation-script
   set 1 boot on \\
   set 1 bios_grub on
 echo -n " %luks-passphrase " | \\
-  cryptsetup luksFormat --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb2 -
+  cryptsetup luksFormat -i 1 --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb2 -
 echo -n " %luks-passphrase " | \\
   cryptsetup open --type luks --key-file - /dev/vdb2 the-root-device
 mkfs.ext4 -L my-root /dev/mapper/the-root-device
@@ -970,7 +970,7 @@ (define %encrypted-home-installation-script
   set 1 bios_grub on
 
 echo -n " %luks-passphrase " | \\
-  cryptsetup luksFormat --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb3 -
+  cryptsetup luksFormat -i 1 --uuid=12345678-1234-1234-1234-123456789abc -q /dev/vdb3 -
 echo -n " %luks-passphrase " | \\
   cryptsetup open --type luks --key-file - /dev/vdb3 the-home-device
 
@@ -1155,7 +1155,7 @@ (define %encrypted-root-not-boot-installation-script
   mkpart primary ext2 50M 1.6G \\
   set 1 boot on \\
   set 1 bios_grub on
-echo -n \"~a\" | cryptsetup luksFormat --uuid=\"~a\" -q /dev/vdb3 -
+echo -n \"~a\" | cryptsetup luksFormat -i 1 --uuid=\"~a\" -q /dev/vdb3 -
 echo -n \"~a\" | cryptsetup open --type luks --key-file - /dev/vdb3 root
 mkfs.ext4 -L my-root /dev/mapper/root
 mkfs.ext4 -L my-boot /dev/vdb2
-- 
2.41.0

[bug#65002] [PATCH v3 5/6] tests: install: Fix encrypted-root-os test.

[Tomas Volf]

The installation no longer fits into the 1.6G, leading to a warning while
running the test:

    guix system: warning: at least 1526.8 MB needed but only 1408.4 MB available in /mnt

Followed by a failure:

     93% [####################################################################     ]note: build failure may have been caused by lack of free disk space
    builder for `/gnu/store/8wl8q8nc1za0vlyv21jpzwgml45njgk2-module-import-compiled.drv' failed with exit code 1

This commit increases the root partition to 2G, making the test pass again.

* gnu/tests/install.scm (%encrypted-root-installation-script): Increase the
root partition to 2G.

Change-Id: I4cc5c78cfbd93ab2ae92ec77603ce6fee0289843
---
 gnu/tests/install.scm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index c5243f2ed9..f553eeaa3e 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -751,7 +751,7 @@ (define %encrypted-root-installation-script
 ls -l /run/current-system/gc-roots
 parted --script /dev/vdb mklabel gpt \\
   mkpart primary ext2 1M 3M \\
-  mkpart primary ext2 3M 1.6G \\
+  mkpart primary ext2 3M 2G \\
   set 1 boot on \\
   set 1 bios_grub on
 echo -n " %luks-passphrase " | \\
-- 
2.41.0

[bug#65002] [PATCH v3 6/6] tests: install: Fix encrypted-home-os, encrypted-home-os-key-file tests.

[Tomas Volf]

The installation no longer fits into the 1.6G, leading to a warning while
running the test:

    guix system: warning: at least 1526.8 MB needed but only 1408.4 MB available in /mnt

Followed by a failure:

     93% [####################################################################     ]note: build failure may have been caused by lack of free disk space
    builder for `/gnu/store/8wl8q8nc1za0vlyv21jpzwgml45njgk2-module-import-compiled.drv' failed with exit code 1

This commit increases the root partition to 2G, making the test pass again.

* gnu/tests/install.scm (%encrypted-root-installation-script): Increase the
root partition to 2G.
(%test-encrypted-home-os), (%test-encrypted-home-os-key-file): Increase the
target size to 3G to accommodate for the larger root partition.

Change-Id: I0f7092f7b7fc9992d3f895a1eaecf1f2065b7360
---
 gnu/tests/install.scm | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/gnu/tests/install.scm b/gnu/tests/install.scm
index f553eeaa3e..f9e766e532 100644
--- a/gnu/tests/install.scm
+++ b/gnu/tests/install.scm
@@ -964,8 +964,8 @@ (define %encrypted-home-installation-script
 export GUIX_BUILD_OPTIONS=--no-grafts
 parted --script /dev/vdb mklabel gpt \\
   mkpart primary ext2 1M 3M \\
-  mkpart primary ext2 3M 1.6G \\
-  mkpart primary 1.6G 2.0G \\
+  mkpart primary ext2 3M 2G \\
+  mkpart primary 2G 2.4G \\
   set 1 boot on \\
   set 1 bios_grub on
 
@@ -1033,7 +1033,9 @@ (define %test-encrypted-home-os
                                               %encrypted-home-os-source
                                               #:script
                                               %encrypted-home-installation-script
-                                              #:packages (list cpio)))
+                                              #:packages (list cpio)
+                                              #:target-size
+                                              (* 3000 MiB)))
                          (command (qemu-command* images)))
       (run-basic-test %encrypted-home-os command "encrypted-home-os"
                       #:initialization enter-luks-passphrase-for-home)))))
@@ -1090,7 +1092,9 @@ (define %test-encrypted-home-os-key-file
                                               %encrypted-home-os-key-file-source
                                               #:script
                                               %encrypted-home-installation-script
-                                              #:packages (list cpio)))
+                                              #:packages (list cpio)
+                                              #:target-size
+                                              (* 3000 MiB)))
                          (command (qemu-command* images)))
       (run-basic-test %encrypted-home-os-key-file
                       command "encrypted-home-os-key-file")))))
-- 
2.41.0

[bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a key file

[Tomas Volf]

[-- Attachment #1: Type: text/plain, Size: 1142 bytes --]

On 2024-01-11 13:39:36 +0100, Tomas Volf wrote:

> 
> > 
> > I wonder if we could have a system test; it doesn’t sound very easy so
> > maybe we’ll skip, but you can check that the “encrypted-root-os” test,
> > which exercises ‘luks-device-mapping’, still passes (it takes time and
> > disk space).
> 
> It does not pass, but it fails even on master ¯\_ (ツ)_/¯:
> 
>     guix system: warning: at least 1526.8 MB needed but only 1408.3 MB available in /mnt
> 
> It seems somewhat hard to do it based on encrypted-root-os, but should be much
> easier basing it on encrypted-home-os.  I might give it a try.

I managed to figure out the system test for this, however it required unrelated
changes, since encrypted-root-os and encrypted-home-os were broken even on
master.  I included my new test (together with the fixes) in v3.

Also, I messed up, and sent this *without* the v3 by accident.  When I realized,
I sent it once more, this time properly as v3.  Sorry for the noise.

Tomas

-- 
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

bug#65002: [PATCH v3 1/6] mapped-devices: Allow unlocking by a key file.

[Ludovic Courtès]

Hi Tomas,

I finally applied v3 of this patch series, it looks great to me.

Thank you, and again apologies for the long delay!

Ludo’.

[bug#65002] [PATCH v3 4/6] tests: install: Use the smallest possible iteration time for LUKS.

[Ludovic Courtès]

Tomas Volf <~@wolfsden.cz> skribis:

> For testing that installation works, there is no need to spent 2000ms (the
> default) iterating while generating the encryption key.  This commit therefore
> sets the iteration time to the lowest possible value, 1(ms).
>
> * gnu/tests/install.scm (%encrypted-root-installation-script):
> (%encrypted-home-installation-script):
> (%encrypted-root-not-boot-installation-script): Pass -i 1 to luksFormat
> invocation.

This and the fixes that follow are much welcome, thanks a lot!