Skip to content

grub module: add extraInitrd option#22969

Merged
fpletz merged 1 commit intoNixOS:masterfrom
symphorien:extrainitrd
Feb 20, 2017
Merged

grub module: add extraInitrd option#22969
fpletz merged 1 commit intoNixOS:masterfrom
symphorien:extrainitrd

Conversation

@symphorien
Copy link
Member

@symphorien symphorien commented Feb 18, 2017

Motivation for this change

This adds a NixOS option which enables to configure grub to give the kernel a second ,additional initramfs.

My use case is the following:
I have a LUKS encrypted root filesystem, and no /boot partition. Grub asks me a passphrase to open /, read its configuration in /boot and then loads the kernel.
The initramfs then asks me the same passphrase a second time to mount /.
The solution is to create a LUKS keyfile, readable by root only, and put it in the initramfs so that stage1 doesn't need the passphrase anymore. But because of issue #8 one cannot but secret files in the store and thus in the initramfs.
So I have a second, static initramfs in /boot/custom_initramfs/initramfs.gz, readable by root only, and containing only the keyfile /key and the following setup:

boot.loader.grub = {
...
enableCryptodisk=true;
extraInitrd=/boot/custom_initramfs/initramfs.gz;
};  
boot.initrd.luks.devices = [ { 
...
keyFile="/key";
} ];
Things done
  • Tested using sandboxing
    (nix.useSandbox on NixOS,
    or option build-use-sandbox in nix.conf
    on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • Linux
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

Only tested on grub2, although the syntax should be the same with grub1.

@mention-bot
Copy link

mention-bot commented Feb 18, 2017

@symphorien, thanks for your PR! By analyzing the history of the files in this pull request, we identified @edolstra, @wkennington and @obadz to be potential reviewers.

joachifm
joachifm reviewed Feb 19, 2017
View reviewed changes
nixos/modules/system/boot/loader/grub/grub.nix Outdated
Copy link
Contributor

@joachifm joachifm Feb 19, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The example needs to be quoted, otherwise the evaluator will try to actually read it.

@symphorien
Copy link
Member Author

symphorien commented Feb 19, 2017

Sorry, this is now fixed.

@fpletz
Copy link
Member

fpletz commented Feb 19, 2017

Wow, awesome. Didn't know you could add a second initrd. What are the semantics here? Does the kernel just mount the second initrd over the first one are the contents copied? Seems a bit weird at first glance that the contents of both initrds are available at /.

@fpletz fpletz added the 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS label Feb 19, 2017
@fpletz fpletz self-assigned this Feb 19, 2017
@fpletz fpletz added this to the 17.03 milestone Feb 19, 2017
@dezgeg
Copy link
Contributor

dezgeg commented Feb 19, 2017

The contents are copied. The cpio format that's used for initrds cannot be mounted as it doesn't support efficient random access.

@fpletz
Copy link
Member

fpletz commented Feb 19, 2017

Thanks for the explanation @dezgeg!

@fpletz fpletz merged commit 60555c7 into NixOS:master Feb 20, 2017
@symphorien symphorien mentioned this pull request Jul 13, 2017
Closed
@lopsided98 lopsided98 mentioned this pull request Mar 31, 2018
Merged
8 tasks
@symphorien symphorien deleted the extrainitrd branch March 21, 2020 18:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@joachifm joachifm joachifm left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@fpletz fpletz

Labels

6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS

Projects

None yet

Milestone

17.03

Development

Successfully merging this pull request may close these issues.

5 participants

@symphorien @mention-bot @fpletz @dezgeg @joachifm