authorJanne Heß <janne@hess.ooo>2021-12-08 15:38:02 +0100
committerGitHub <noreply@github.com>2021-12-08 15:38:02 +0100
commite36ceb65e6914265f1b0ad8d8d04aa5786c546e2 (patch)
tree6cc2cfd1e36059a4f5fb371e82f55107b9294e3a /nixos
parent0b75a168930d64bd1531469cf52f2eb6aa7d917b (diff)
parent30b97d7ccaf25324926301524d040c4524470046 (diff)
Merge pull request #129449 from ddz/copy-initrd-secrets-after-early-mount-script
nixos/stage1: copy initrd secrets into place after special mounts
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/system/boot/stage-1-init.sh12
-rw-r--r--nixos/modules/system/boot/stage-1.nix4
-rw-r--r--nixos/tests/initrd-secrets.nix10
3 files changed, 22 insertions, 4 deletions
diff --git a/nixos/modules/system/boot/stage-1-init.sh b/nixos/modules/system/boot/stage-1-init.sh
index 3dfcc010b64e..e8e32bab6e3c 100644
--- a/nixos/modules/system/boot/stage-1-init.sh
+++ b/nixos/modules/system/boot/stage-1-init.sh
@@ -119,6 +119,18 @@ specialMount() {
}
source @earlyMountScript@
+# Copy initrd secrets from /.initrd-secrets to their actual destinations
+if [ -d "/.initrd-secrets" ]; then
+ #
+ # Secrets are named by their full destination pathname and stored
+ # under /.initrd-secrets/
+ #
+ for secret in $(cd "/.initrd-secrets"; find . -type f); do
+ mkdir -p $(dirname "/$secret")
+ cp "/.initrd-secrets/$secret" "$secret"
+ done
+fi
+
# Log the script output to /dev/kmsg or /run/log/stage-1-init.log.
mkdir -p /tmp
mkfifo /tmp/stage-1-init.log.fifo
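Review bot: The destination on the `cp` line is `"$secret"`, a `./…` path relative to the working directory, while the `mkdir -p` line just above creates `$(dirname "/$secret")`; the two only agree when stage 1 happens to run with `/` as its working directory, so the copy should name the absolute path explicitly. The plain `cp` also creates the destination with a mode derived from the initrd's umask instead of the source's mode and ownership, whereas the builder side (the stage-1.nix hunk) stages the files with `cp -a`, so a secret supplied from outside the store with a restrictive mode can end up more widely readable after this step; `cp -a "/.initrd-secrets/$secret" "/$secret"` keeps both fixes in one line. The unquoted `$(dirname …)` and the word-split `find` output additionally break on destination names containing whitespace, though those names presumably come only from the module's configuration. specialMount's body closes on the first line of the hunk, so the new block is at the script's top level.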
diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix
index adbed9d8d58e..409424a5b0f6 100644
--- a/nixos/modules/system/boot/stage-1.nix
+++ b/nixos/modules/system/boot/stage-1.nix
@@ -411,8 +411,8 @@ let
${lib.concatStringsSep "\n" (mapAttrsToList (dest: source:
let source' = if source == null then dest else toString source; in
''
- mkdir -p $(dirname "$tmp/${dest}")
- cp -a ${source'} "$tmp/${dest}"
+ mkdir -p $(dirname "$tmp/.initrd-secrets/${dest}")
+ cp -a ${source'} "$tmp/.initrd-secrets/${dest}"
''
) config.boot.initrd.secrets)
}
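Review bot: Nothing in this hunk records that `.initrd-secrets` is only a staging directory whose contents stage-1-init.sh moves into place after the special mounts, so a reader of stage-1.nix alone will not know where the files end up or why the path changed. A one-line comment above the `mkdir -p` line, `# Staged under $tmp/.initrd-secrets; stage-1-init.sh copies each file to its ${dest} path once the special mounts exist`, would tie the two halves together. The surrounding `mapAttrsToList` call and the enclosing `let` both begin before the hunk.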
diff --git a/nixos/tests/initrd-secrets.nix b/nixos/tests/initrd-secrets.nix
index 10dd908502d5..113a9cebf788 100644
--- a/nixos/tests/initrd-secrets.nix
+++ b/nixos/tests/initrd-secrets.nix
@@ -13,7 +13,12 @@ let
machine = { ... }: {
virtualisation.useBootLoader = true;
- boot.initrd.secrets."/test" = secretInStore;
+ boot.initrd.secrets = {
+ "/test" = secretInStore;
+
+ # This should *not* need to be copied in postMountCommands
+ "/run/keys/test" = secretInStore;
+ };
boot.initrd.postMountCommands = ''
cp /test /mnt-root/secret-from-initramfs
'';
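Review bot: The new `/run/keys/test` secret is only verified by content, so the test cannot tell whether the copy into place preserved the file's mode, which is the property that matters for a key directory; the assertion added in the second hunk of this file has the same limitation. A `machine.succeed("stat -c %a /run/keys/test")` check with the expected mode would pin that behaviour alongside the `cmp`, assuming the stage-1 copy is meant to keep the mode of the staged file (I cannot confirm the intended mode from this page). The comment `# This should *not* need to be copied in postMountCommands` reads as a contrast with the `/test` case above, which stays copied manually; saying so explicitly would make the intent clearer. The `machine` attribute set and the enclosing `let` continue outside the hunk.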
@@ -26,7 +31,8 @@ let
start_all()
machine.wait_for_unit("multi-user.target")
machine.succeed(
- "cmp ${secretInStore} /secret-from-initramfs"
+ "cmp ${secretInStore} /secret-from-initramfs",
+ "cmp ${secretInStore} /run/keys/test",
)
'';
};