diff options
-rw-r--r-- | doc/guix.texi | 49 | ||||
-rw-r--r-- | gnu/bootloader.scm | 6 | ||||
-rw-r--r-- | gnu/bootloader/grub.scm | 7 |
3 files changed, 59 insertions, 3 deletions
diff --git a/doc/guix.texi b/doc/guix.texi index c216d1b4a6..a66005ee9d 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -41070,6 +41070,55 @@ This option in enabled by default. In some cases involving the @code{u-boot} bootloader, where the device tree has already been loaded in RAM, it can be handy to disable the option by setting it to @code{#f}. + +@item @code{extra-initrd} (default: @code{#f}) +File name of an additional initrd to load during the boot. It may or +may not point to a file in the store, but the main use case is for +out-of-store files containing secrets. + +In order to be able to provide decryption keys for the LUKS device, they +need to be available in the initial ram disk. However they cannot be +stored inside the usual initrd, since it is stored in the store and +being a world-readable (as files in the store are) is not a desired +property for a initrd containing decryption keys. You can therefore use +this field to instruct GRUB to also load a manually created initrd not +stored in the store. + +For any use case not involving secrets, you should use regular initrd +(@pxref{operating-system Reference, @code{initrd}}) instead. + +Suitable image can be created for example like this: + +@example +echo /key-file.bin | cpio -oH newc >/key-file.cpio +chmod 0000 /key-file.cpio +@end example + +After it is created, you can use it in this manner: + +@lisp +;; Operating system with encrypted boot partition +(operating-system + ... + (bootloader (bootloader-configuration + (bootloader grub-efi-bootloader) + (targets '("/boot/efi")) + ;; Load the initrd with a key file + (extra-initrd "/key-file.cpio"))) + (mapped-devices + (list (mapped-device + (source (uuid "12345678-1234-1234-1234-123456789abc")) + (target "my-root") + (type (luks-device-mapping-with-options + ;; And use it to unlock the root device + #:key-file "/key-file.bin")))))) +@end lisp + +Be careful when using this option, since pointing to a file that is not +readable by the grub while booting will cause the boot to fail and +require a manual edit of the initrd line in the grub menu. + +Currently only supported by GRUB. @end table @end deftp diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm index ba06de7618..f32e90e79d 100644 --- a/gnu/bootloader.scm +++ b/gnu/bootloader.scm @@ -6,6 +6,7 @@ ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org> ;;; Copyright © 2022 Josselin Poiret <dev@jpoiret.xyz> ;;; Copyright © 2022 Reza Alizadeh Majd <r.majd@pantherx.org> +;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz> ;;; ;;; This file is part of GNU Guix. ;;; @@ -77,6 +78,7 @@ bootloader-configuration-serial-unit bootloader-configuration-serial-speed bootloader-configuration-device-tree-support? + bootloader-configuration-extra-initrd %bootloaders lookup-bootloader-by-name @@ -279,7 +281,9 @@ instead~%"))) (serial-speed bootloader-configuration-serial-speed (default #f)) ;integer | #f (device-tree-support? bootloader-configuration-device-tree-support? - (default #t))) ;boolean + (default #t)) ;boolean + (extra-initrd bootloader-configuration-extra-initrd + (default #f))) ;string | #f (define-deprecated (bootloader-configuration-target config) bootloader-configuration-targets diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm index 5f3fcd7074..2723eda5f4 100644 --- a/gnu/bootloader/grub.scm +++ b/gnu/bootloader/grub.scm @@ -9,6 +9,7 @@ ;;; Copyright © 2020 Stefan <stefan-guix@vodafonemail.de> ;;; Copyright © 2022 Karl Hallsby <karl@hallsby.com> ;;; Copyright © 2022 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> +;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz> ;;; ;;; This file is part of GNU Guix. ;;; @@ -386,7 +387,8 @@ when booting a root file system on a Btrfs subvolume." store-directory-prefix)) (initrd (normalize-file (menu-entry-initrd entry) device-mount-point - store-directory-prefix))) + store-directory-prefix)) + (extra-initrd (bootloader-configuration-extra-initrd config))) ;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount point. ;; Use the right file names for LINUX and INITRD in case ;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a @@ -397,11 +399,12 @@ when booting a root file system on a Btrfs subvolume." #~(format port "menuentry ~s { ~a linux ~a ~a - initrd ~a + initrd ~a ~a }~%" #$label #$(grub-root-search device linux) #$linux (string-join (list #$@arguments)) + (or #$extra-initrd "") #$initrd))) (multiboot-kernel (let* ((kernel (menu-entry-multiboot-kernel entry)) |