From a5cc2d090e0d8b62e843f955c9148d54895fa415 Mon Sep 17 00:00:00 2001 From: Vladimir Panteleev Date: Tue, 31 Dec 2024 09:21:25 +0000 Subject: [PATCH] nixos/luksroot: Check if the device was opened while reading password Helps the following situation: - SSH in initrd is enabled - NixOS is waiting for a password to be typed at the console (or provided via cryptsetup-askpass) - The user logs in via SSH, but instead of running cryptsetup-askpass, they run "cryptsetup open" directly (because they don't know that they need to use NixOS's cryptsetup-askpass script, or because they want to use a non-trivial unlocking method that is not natively supported by this module) Currently, in the above situation, NixOS will keep waiting for a password to be entered even though the device is already unlocked. If a password is entered, it will print a confusing "already exists" error and keep asking for the same password. We can improve on this by simply checking if the device is already unlocked in our read loop. In this case, we don't need to do anything other than return from the function and continue booting. --- nixos/modules/system/boot/luksroot.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix index c8dc81383d6eb..5c84af45b828e 100644 --- a/nixos/modules/system/boot/luksroot.nix +++ b/nixos/modules/system/boot/luksroot.nix @@ -185,6 +185,10 @@ let echo "reused" passphrase=$(cat /crypt-ramfs/passphrase) break + elif [ -e /dev/mapper/${dev.name} ]; then + echo "opened externally" + rm -f /crypt-ramfs/device + return else # ask cryptsetup-askpass echo -n "${dev.device}" > /crypt-ramfs/device
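Review bot: the new `elif [ -e /dev/mapper/${dev.name} ]; then` branch treats the mere existence of a device-mapper node with the expected name as proof that the LUKS device was unlocked, so any mapping that happens to carry that name but is not a crypt target backed by `${dev.device}` would also make the function return and let boot continue against the wrong device. Consider tightening the test to verify the mapping itself, for example by checking `cryptsetup status "${dev.name}"` and comparing the reported backing device with `${dev.device}`, instead of relying on `-e` alone. Separately, the `reused` branch just above uses `break` so that whatever follows the loop still runs, while this branch uses `return`; if any post-open handling or cleanup lives after the loop, the externally-opened path skips it (only `/crypt-ramfs/device` is removed here), so either switch to `break` or add a comment next to the `return` stating that skipping the rest of the function is intended.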