Revert "Merge pull request #38263 from lopsided98/grub-initrd-secrets"

This reverts commit c06d7950f1, reversing
changes made to 4c25fbe338.

See https://github.com/NixOS/nixpkgs/issues/41608
Joachim Fasting 2018-06-07 14:23:37 +02:00
parent 01040d9c27
commit 2be28b1df5
3 changed files with 28 additions and 31 deletions


@ -121,15 +121,6 @@ $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull'
<literal>gnucash24</literal>.
</para>
</listitem>
<listitem>
<para>
The GRUB specific option <option>boot.loader.grub.extraInitrd</option>
has been replaced with the generic option
<option>boot.initrd.secrets</option>. This option creates a secondary
initrd from the specified files, rather than using a manually created
initrd file.
</para>
</listitem>
</itemizedlist>
</section>


@ -35,7 +35,6 @@ let
let
efiSysMountPoint = if args.efiSysMountPoint == null then args.path else args.efiSysMountPoint;
efiSysMountPoint' = replaceChars [ "/" ] [ "-" ] efiSysMountPoint;
initrdSecrets = config.boot.initrd.secrets != {};
in
pkgs.writeText "grub-config.xml" (builtins.toXML
{ splashImage = f cfg.splashImage;
@ -50,12 +49,12 @@ let
storePath = config.boot.loader.grub.storePath;
bootloaderId = if args.efiBootloaderId == null then "NixOS${efiSysMountPoint'}" else args.efiBootloaderId;
timeout = if config.boot.loader.timeout == null then -1 else config.boot.loader.timeout;
inherit efiSysMountPoint initrdSecrets;
inherit efiSysMountPoint;
inherit (args) devices;
inherit (efi) canTouchEfiVariables;
inherit (cfg)
version extraConfig extraPerEntryConfig extraEntries forceInstall useOSProber
extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels
extraEntriesBeforeNixOS extraPrepareConfig extraInitrd configurationLimit copyKernels
default fsIdentifier efiSupport efiInstallAsRemovable gfxmodeEfi gfxmodeBios;
path = (makeBinPath ([
pkgs.coreutils pkgs.gnused pkgs.gnugrep pkgs.findutils pkgs.diffutils pkgs.btrfs-progs
@ -285,6 +284,19 @@ in
'';
};
extraInitrd = mkOption {
type = types.nullOr types.path;
default = null;
example = "/boot/extra_initramfs.gz";
description = ''
The path to a second initramfs to be supplied to the kernel.
This ramfs will not be copied to the store, so that it can
contain secrets such as LUKS keyfiles or ssh keys.
This implies that rolling back to a previous configuration
won't rollback the state of this file.
'';
};
useOSProber = mkOption {
default = false;
type = types.bool;
@ -529,8 +541,6 @@ in
{ path = "/boot"; inherit (cfg) devices; inherit (efi) efiSysMountPoint; }
];
boot.loader.supportsInitrdSecrets = true;
system.build.installBootLoader =
let
install-grub-pl = pkgs.substituteAll {
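Review bot: The re-added `extraInitrd` option description in the hunk at `@ -285,6 +284,19 @@` says the file is not copied to the store so it can hold secrets, but it does not say that the installer appears to reference the file in place (the Perl section only resolves its filesystem with `GrubFs` and emits `search`/`path` lines for it) or that keeping it unreadable to other users is the administrator's job, which the wording invites by naming LUKS keyfiles and ssh keys. I would append to the description: `The file is referenced by GRUB in place, so it must live on a filesystem GRUB can read at boot, and its permissions are not managed by this module.` The attribute set holding this option starts and ends outside the hunk.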


@ -49,7 +49,7 @@ my $extraPrepareConfig = get("extraPrepareConfig");
my $extraPerEntryConfig = get("extraPerEntryConfig");
my $extraEntries = get("extraEntries");
my $extraEntriesBeforeNixOS = get("extraEntriesBeforeNixOS") eq "true";
my $initrdSecrets = get("initrdSecrets");
my $extraInitrd = get("extraInitrd");
my $splashImage = get("splashImage");
my $configurationLimit = int(get("configurationLimit"));
my $copyKernels = get("copyKernels") eq "true";
@ -228,6 +228,13 @@ my $grubStore;
if ($copyKernels == 0) {
$grubStore = GrubFs($storePath);
}
my $extraInitrdPath;
if ($extraInitrd) {
if (! -f $extraInitrd) {
print STDERR "Warning: the specified extraInitrd " . $extraInitrd . " doesn't exist. Your system won't boot without it.\n";
}
$extraInitrdPath = GrubFs($extraInitrd);
}
# Generate the header.
my $conf .= "# Automatically generated. DO NOT EDIT THIS FILE!\n";
@ -347,23 +354,9 @@ sub addEntry {
my $kernel = copyToKernelsDir(Cwd::abs_path("$path/kernel"));
my $initrd = copyToKernelsDir(Cwd::abs_path("$path/initrd"));
# Include second initrd with secrets
if ($initrdSecrets) {
# Get last element of path
$initrd =~ /\/([^\/]+)$/;
my $initrdSecretsPath = "$bootPath/kernels/$1-secrets";
$initrd .= " $initrd-secrets";
my $oldUmask = umask;
# Make sure initrd is not world readable (won't work if /boot is FAT)
umask 0137;
my $initrdSecretsPathTemp = File::Temp::mktemp("$initrdSecretsPath.XXXXXXXX");
system("$path/append-initrd-secrets", $initrdSecretsPathTemp) == 0 or die "failed to create initrd secrets\n";
rename $initrdSecretsPathTemp, $initrdSecretsPath or die "failed to move initrd secrets into place\n";
umask $oldUmask;
$copied{$initrdSecretsPath} = 1;
if ($extraInitrd) {
$initrd .= " " .$extraInitrdPath->path;
}
my $xen = -e "$path/xen.gz" ? copyToKernelsDir(Cwd::abs_path("$path/xen.gz")) : undef;
# FIXME: $confName
@ -386,6 +379,9 @@ sub addEntry {
if ($copyKernels == 0) {
$conf .= $grubStore->search . "\n";
}
if ($extraInitrd) {
$conf .= $extraInitrdPath->search . "\n";
}
$conf .= " $extraPerEntryConfig\n" if $extraPerEntryConfig;
$conf .= " multiboot $xen $xenParams\n" if $xen;
$conf .= " " . ($xen ? "module" : "linux") . " $kernel $kernelParams\n";
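Review bot: The restored `if ($extraInitrd)` block in the hunk at `@ -228,6 +228,13 @@` checks only that the file exists, while the option it reads is described in the Nix section as holding secrets such as LUKS keyfiles; the reverted code had kept its secrets initrd under umask 0137, and nothing on the new side inspects the mode of the administrator-supplied file before GRUB is pointed at it. A cheap advisory check next to the existing warning would be `print STDERR "Warning: the specified extraInitrd " . $extraInitrd . " is world-readable but is meant to hold secrets.\n" if -f $extraInitrd && ((stat _)[2] & 0004);`. On a FAT-formatted /boot the mode bits carry little meaning, as the removed comment already notes, so this can only warn, not guarantee anything. The existing warning in the same block says the system won't boot without the file yet installation continues; if that is deliberate because the file may be placed after installation, a one-line comment saying so would spare the next reader the question. The `addEntry` sub touched by the hunks at `@ -347,23 +354,9 @@` and `@ -386,6 +379,9 @@` starts and ends outside them.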