From: Tomas Volf <~@wolfsden.cz>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: 65002@debbugs.gnu.org
Subject: [bug#65002] [PATCH v2 2/2] gnu: bootloader: grub: Add support for loading an additional initrd
Date: Thu, 11 Jan 2024 14:32:26 +0100 [thread overview]
Message-ID: <ZZ_t6oGZnHG_y4ne@ws> (raw)
In-Reply-To: <87edeqw0h9.fsf@gnu.org>
[-- Attachment #1: Type: text/plain, Size: 3807 bytes --]
On 2024-01-10 00:28:18 +0100, Ludovic Courtès wrote:
> Tomas Volf <wolf@wolfsden.cz> skribis:
>
> > In order to be able to provide decryption keys for the LUKS device, they need
> > to be available in the initial ram disk. However they cannot be stored inside
> > the usual initrd, since it is stored in the store and being a
> > world-readable (as files in the store are) is not a desired property for a
> > initrd containing decryption keys.
>
> This explanation should go in the manual IMO (it’s already partly there).
Done.
>
> > This commit adds an option to load additional initrd during the boot,
> > one that is not stored inside the store and therefore can contain
> > secrets.
> >
> > Since only grub supports encrypted /boot, only grub is modified to use the
> > extra-initrd. There is no use case for the other bootloaders.
> >
> > * doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
> > field.
> > * gnu/bootloader.scm: Add extra-initrd field to bootloader-configuration
> > * gnu/bootloader/grub.scm: Use the new extra-initrd field
>
> It’d be great if you could specify the entities changes in each file
> (which variable/procedure is changed, what is added/removed). A
> committer can do it on your behalf later if you’re unsure.
Done, this was one of my first patches and I was quite unsure about the commit
message format. These days I am still unsure, but a little less so. ^_^
>
> > +@item @code{extra-initrd} (default: @code{#f})
> > +Path to an additional initrd to load. Should not point to a file in the
>
> s/Path/File name/ (by convention)
>
> Please make full sentences. “Should not” is probably too strong;
> perhaps: “It may or may not point to a file in the store, but the main
> use case is for out-of-store files containing secrets.”
For content that can be present in the store, the regular `initrd' should be
used instead I think. However I adjusted the wording.
>
> > +store. Typical use case is making keys to unlock LUKS device available
>
> Add a line break after “store.” to distinguish the reference from the
> discussion of one possible use case.
>
> > +during the boot process. For any use case not involving secrets, you
> > +should use regular initrd (@pxref{operating-system Reference,
> > +@code{initrd}}) instead.
> > +
> > +Suitable image can be created for example like this:
> > +
> > +@example
> > +echo /key-file.bin | cpio -oH newc >/key-file.cpio
> > +chmod 0000 /key-file.cpio
> > +@end example
> > +
> > +Be careful when using this option, since pointing to a file that is not
> > +readable by the grub while booting will cause the boot to fail and
> > +require a manual edit of the initrd line in the grub menu.
> > +
> > +Currently only supported by grub.
>
> s/grub/GRUB/
>
> Would be great if you could include also a short config example here, or
> add a cross-reference to the example for
> ‘luks-device-mapping-with-options’ if that covers both.
I added an example illustrating how these two work together.
>
> > + (extra-initrd bootloader-configuration-extra-initrd
> > + (default #f)) ;string | #f
> > + )
>
> No lonely paren please. :-)
Well I moved the paren, but now the comment (string | #f) looks like it is for
the whole top-level sexp, not just for the extra-initrd field.
>
> Otherwise LGTM.
>
> Could you send updated patches with these minor changes?
I will soon, just want spent a bit of time trying to make the system test for
this.
>
> Thanks!
And thank you again for the review.
Tomas
--
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2024-01-11 13:33 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-01 20:53 [bug#65002] [PATCH 0/2] Add support for unlocking root device via a key file Tomas Volf
2023-08-01 21:09 ` [bug#65002] [PATCH 1/2] mapped-devices: Allow unlocking by " Tomas Volf
2023-08-01 21:09 ` [bug#65002] [PATCH 2/2] gnu: bootloader: grub: Add support for loading an additional initrd Tomas Volf
2023-08-02 13:02 ` [bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a key file Tomas Volf
2023-08-02 13:02 ` [bug#65002] [PATCH v2 2/2] gnu: bootloader: grub: Add support for loading an additional initrd Tomas Volf
2024-01-09 23:28 ` Ludovic Courtès
2024-01-11 13:32 ` Tomas Volf [this message]
2024-01-09 23:21 ` [bug#65002] [PATCH v2 1/2] mapped-devices: Allow unlocking by a key file Ludovic Courtès
2024-01-11 12:39 ` Tomas Volf
2024-01-11 17:39 ` Tomas Volf
2023-08-10 0:22 ` [bug#65002] [PATCH 0/2] Add support for unlocking root device via " Dominik Riva via Guix-patches via
2024-01-11 17:32 ` [bug#65002] [PATCH 1/6] mapped-devices: Allow unlocking by " Tomas Volf
2024-01-11 17:32 ` [bug#65002] [PATCH 2/6] gnu: bootloader: grub: Add support for loading an additional initrd Tomas Volf
2024-01-11 17:32 ` [bug#65002] [PATCH 3/6] tests: Add `encrypted-home-os-key-file' installation test Tomas Volf
2024-01-11 17:32 ` [bug#65002] [PATCH 4/6] tests: install: Use the smallest possible iteration time for LUKS Tomas Volf
2024-01-11 17:32 ` [bug#65002] [PATCH 5/6] tests: install: Fix encrypted-root-os test Tomas Volf
2024-01-11 17:32 ` [bug#65002] [PATCH 6/6] tests: install: Fix encrypted-home-os, encrypted-home-os-key-file tests Tomas Volf
2024-01-11 17:35 ` [bug#65002] [PATCH v3 1/6] mapped-devices: Allow unlocking by a key file Tomas Volf
2024-01-11 17:35 ` [bug#65002] [PATCH v3 2/6] gnu: bootloader: grub: Add support for loading an additional initrd Tomas Volf
2024-01-11 17:35 ` [bug#65002] [PATCH v3 3/6] tests: Add `encrypted-home-os-key-file' installation test Tomas Volf
2024-01-11 17:35 ` [bug#65002] [PATCH v3 4/6] tests: install: Use the smallest possible iteration time for LUKS Tomas Volf
2024-01-14 20:54 ` Ludovic Courtès
2024-01-11 17:35 ` [bug#65002] [PATCH v3 5/6] tests: install: Fix encrypted-root-os test Tomas Volf
2024-01-11 17:35 ` [bug#65002] [PATCH v3 6/6] tests: install: Fix encrypted-home-os, encrypted-home-os-key-file tests Tomas Volf
2024-01-14 20:53 ` bug#65002: [PATCH v3 1/6] mapped-devices: Allow unlocking by a key file Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZZ_t6oGZnHG_y4ne@ws \
--to=~@wolfsden.cz \
--cc=65002@debbugs.gnu.org \
--cc=ludo@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.