From 2038d9ad1ef877558946323cb925574f4d1a5970 Mon Sep 17 00:00:00 2001
From: Vladimir Panteleev
Date: Tue, 31 Dec 2024 08:58:54 +0000
Subject: [PATCH 1/2] nixos/luksroot: Implement keyFileTimeout

The user can then specify a very large timeout if they want to e.g. use remote unlocking to provision the key to the machine.
---
 nixos/modules/system/boot/luksroot.nix | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index c8dc81383d6eb..aa9f13ca6cb28 100644
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -224,7 +224,8 @@ let
 # LUKS
 open_normally() {
 ${if (dev.keyFile != null) then ''
- if wait_target "key file" ${dev.keyFile}; then
+ local timeout=${optionalString (dev.keyFileTimeout != null) (toString dev.keyFileTimeout)}
+ if wait_target "key file" ${dev.keyFile} "$timeout"; then
 ${csopen} --key-file=${dev.keyFile} \
 ${optionalString (dev.keyFileSize != null) "--keyfile-size=${toString dev.keyFileSize}"} \
 ${optionalString (dev.keyFileOffset != null) "--keyfile-offset=${toString dev.keyFileOffset}"}
@@ -964,10 +965,6 @@ in message = "boot.initrd.luks.devices..bypassWorkqueues is not supported for kernels older than 5.9"; } - { assertion = !config.boot.initrd.systemd.enable -> all (x: x.keyFileTimeout == null) (attrValues luks.devices); message = "boot.initrd.luks.devices..keyFileTimeout is only supported for systemd initrd"; } - { assertion = config.boot.initrd.systemd.enable -> all (dev: !dev.fallbackToPassword) (attrValues luks.devices); message = "boot.initrd.luks.devices..fallbackToPassword is implied by systemd stage 1."; }
From 4a3574da4590b06c0ac7e9259311920fe38dba79 Mon Sep 17 00:00:00 2001
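Review bot: The added `local timeout=${optionalString (dev.keyFileTimeout != null) (toString dev.keyFileTimeout)}` expands to a bare `local timeout=` when the option is unset, so `wait_target` now always receives a third argument, an empty string in the default case; the old default wait survives only if `wait_target` applies a `${3:-…}`-style default that treats empty like absent, and its definition is outside this hunk so that cannot be confirmed here. Passing the argument only when the option is set, `if wait_target "key file" ${dev.keyFile} ${optionalString (dev.keyFileTimeout != null) (toString dev.keyFileTimeout)}; then`, removes that dependency. A one-line comment above the call such as `# keyFileTimeout: seconds to wait for the key file, e.g. when it is provisioned remotely; unset keeps wait_target's default` would make the intent visible in the generated script. Since the second hunk drops the "only supported for systemd initrd" assertion, the option's own description (not in this patch) presumably still states that restriction and should be updated alongside. The enclosing open_normally function continues past this hunk.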
From: Vladimir Panteleev
Date: Tue, 31 Dec 2024 09:00:45 +0000
Subject: [PATCH 2/2] nixos/luksroot: Replace string substitutions with while loops

Avoid a very large string expansion when the "$secs" argument is a large number.
---
 nixos/modules/system/boot/luksroot.nix | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/nixos/modules/system/boot/luksroot.nix b/nixos/modules/system/boot/luksroot.nix
index aa9f13ca6cb28..3f413add51e6b 100644
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@@ -35,9 +35,11 @@ let
 if ! dev_exist $target; then
 echo -n "Waiting $secs seconds for $desc..."
 local success=false;
- for try in $(seq $secs); do
+ local try=0
+ while [ $try -lt $secs ] ; do
 echo -n "."
 sleep 1
+ try=$((try+1))
 if dev_exist $target; then
 success=true
 break
@@ -61,9 +63,11 @@ let
 if [ $? != 0 ]; then
 echo -n "Waiting $secs seconds for YubiKey to appear..."
 local success=false
- for try in $(seq $secs); do
- echo -n .
+ local try=0
+ while [ $try -lt $secs ] ; do
+ echo -n "."
 sleep 1
+ try=$((try+1))
 ykinfo -v 1>/dev/null 2>&1
 if [ $? == 0 ]; then
 success=true
@@ -88,9 +92,11 @@ let
 if [ $? != 0 ]; then
 echo -n "Waiting $secs seconds for GPG Card to appear"
 local success=false
- for try in $(seq $secs); do
- echo -n .
+ local try=0
+ while [ $try -lt $secs ] ; do
+ echo -n "."
 sleep 1
+ try=$((try+1))
 gpg --card-status > /dev/null 2> /dev/null
 if [ $? == 0 ]; then
 success=true
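Review bot: The new condition `while [ $try -lt $secs ] ; do` leaves `$secs` and `$try` unquoted, so an empty or non-numeric timeout turns into a malformed `test` invocation whose only visible effect is a stderr line and zero wait iterations, much as the old `seq $secs` silently produced no iterations; quoting them, `while [ "$try" -lt "$secs" ]; do`, keeps the test well-formed and the error message about the value itself, and the same applies to the YubiKey and GPG card hunks below. The three hunks now carry an identical counter-and-sleep loop, so a small shared helper taking the timeout and the probe command would keep that logic in one place instead of three. The head of wait_target, where the secs argument is received and possibly defaulted or validated, lies before this hunk, so whether an empty value can reach the loop is not visible here.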