bootloader: grub: Add support for loading an additional initrd.

In order to be able to provide decryption keys for the LUKS device, they need
to be available in the initial ram disk.  However they cannot be stored inside
the usual initrd, since it is stored in the store and being
world-readable (as files in the store are) is not a desired property for an
initrd containing decryption keys.  This commit adds an option to load an
additional initrd during the boot, one that is not stored inside the store and
therefore can contain secrets.

Since only grub supports encrypted /boot, only grub is modified to use the
extra-initrd.  There is no use case for the other bootloaders.

* doc/guix.texi (Bootloader Configuration): Describe the new extra-initrd
field.
* gnu/bootloader.scm (<bootloader-configuration>): Add extra-initrd field.
* gnu/bootloader/grub.scm (make-grub-configuration): Use the extra-initrd
field.

Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Change-Id: I995989bb623bb594ccdafbf4a1a6de941bd4189f
Tomas Volf 2024-01-11 18:35:40 +01:00 committed by Ludovic Courtès
parent d082312ef7
commit 086850e5b2
No known key found for this signature in database
GPG Key ID: 090B11993D9AEBB5
3 changed files with 59 additions and 3 deletions


@ -41070,6 +41070,55 @@ This option in enabled by default. In some cases involving the
@code{u-boot} bootloader, where the device tree has already been loaded
in RAM, it can be handy to disable the option by setting it to
@code{#f}.
@item @code{extra-initrd} (default: @code{#f})
File name of an additional initrd to load during the boot. It may or
may not point to a file in the store, but the main use case is for
out-of-store files containing secrets.
In order to be able to provide decryption keys for the LUKS device, they
need to be available in the initial ram disk. However they cannot be
stored inside the usual initrd, since it is stored in the store and
being a world-readable (as files in the store are) is not a desired
property for a initrd containing decryption keys. You can therefore use
this field to instruct GRUB to also load a manually created initrd not
stored in the store.
For any use case not involving secrets, you should use regular initrd
(@pxref{operating-system Reference, @code{initrd}}) instead.
Suitable image can be created for example like this:
@example
echo /key-file.bin | cpio -oH newc >/key-file.cpio
chmod 0000 /key-file.cpio
@end example
After it is created, you can use it in this manner:
@lisp
;; Operating system with encrypted boot partition
(operating-system
...
(bootloader (bootloader-configuration
(bootloader grub-efi-bootloader)
(targets '("/boot/efi"))
;; Load the initrd with a key file
(extra-initrd "/key-file.cpio")))
(mapped-devices
(list (mapped-device
(source (uuid "12345678-1234-1234-1234-123456789abc"))
(target "my-root")
(type (luks-device-mapping-with-options
;; And use it to unlock the root device
#:key-file "/key-file.bin"))))))
@end lisp
Be careful when using this option, since pointing to a file that is not
readable by the grub while booting will cause the boot to fail and
require a manual edit of the initrd line in the grub menu.
Currently only supported by GRUB.
@end table
@end deftp
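Review bot: the @example block "echo /key-file.bin | cpio -oH newc >/key-file.cpio" / "chmod 0000 /key-file.cpio" restricts only the archive, while the key file /key-file.bin it wraps holds the same secret and should get the same root-only mode; and since the later paragraph warns that a file GRUB cannot read makes the boot fail, it is worth stating explicitly that both paths must sit on a filesystem GRUB can read at boot (the encrypted partition) and that the path is interpreted by GRUB rather than by the booted system. Minor wording while here: "being a world-readable" -> "being world-readable", "a initrd" -> "an initrd", "Suitable image can be created" -> "A suitable image can be created", "the grub" -> "GRUB".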


@ -6,6 +6,7 @@
;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
;;; Copyright © 2022 Josselin Poiret <dev@jpoiret.xyz>
;;; Copyright © 2022 Reza Alizadeh Majd <r.majd@pantherx.org>
;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz>
;;;
;;; This file is part of GNU Guix.
;;;
@ -77,6 +78,7 @@
bootloader-configuration-serial-unit
bootloader-configuration-serial-speed
bootloader-configuration-device-tree-support?
bootloader-configuration-extra-initrd
%bootloaders
lookup-bootloader-by-name
@ -279,7 +281,9 @@ instead~%")))
(serial-speed bootloader-configuration-serial-speed
(default #f)) ;integer | #f
(device-tree-support? bootloader-configuration-device-tree-support?
(default #t))) ;boolean
(default #t)) ;boolean
(extra-initrd bootloader-configuration-extra-initrd
(default #f))) ;string | #f
(define-deprecated (bootloader-configuration-target config)
bootloader-configuration-targets
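Review bot: the new field "(extra-initrd bootloader-configuration-extra-initrd (default #f))" carries only the ";string | #f" comment and no validation, yet its value is later spliced verbatim into grub.cfg; consider documenting the accepted type in the record or rejecting non-string values at construction time so a mistake surfaces at reconfigure rather than as a failed boot.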


@ -9,6 +9,7 @@
;;; Copyright © 2020 Stefan <stefan-guix@vodafonemail.de>
;;; Copyright © 2022 Karl Hallsby <karl@hallsby.com>
;;; Copyright © 2022 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz>
;;;
;;; This file is part of GNU Guix.
;;;
@ -386,7 +387,8 @@ when booting a root file system on a Btrfs subvolume."
store-directory-prefix))
(initrd (normalize-file (menu-entry-initrd entry)
device-mount-point
store-directory-prefix)))
store-directory-prefix))
(extra-initrd (bootloader-configuration-extra-initrd config)))
;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount point.
;; Use the right file names for LINUX and INITRD in case
;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a
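Review bot: unlike LINUX and INITRD just above, which go through normalize-file with device-mount-point and store-directory-prefix, "(extra-initrd (bootloader-configuration-extra-initrd config))" is taken verbatim, so the path is resolved by GRUB relative to the root it searched for (the store device), not relative to the booted system's "/". When the store or /boot lives on a separate device the documented "/key-file.cpio" would not be found; either normalize it the same way or document that the value is a path as GRUB sees it.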
@ -397,11 +399,12 @@ when booting a root file system on a Btrfs subvolume."
#~(format port "menuentry ~s {
~a
linux ~a ~a
initrd ~a
initrd ~a ~a
}~%"
#$label
#$(grub-root-search device linux)
#$linux (string-join (list #$@arguments))
(or #$extra-initrd "")
#$initrd)))
(multiboot-kernel
(let* ((kernel (menu-entry-multiboot-kernel entry))
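Review bot: "(or #$extra-initrd "")" emits the initrd line with a doubled space before the main initrd path whenever the field is #f; GRUB tolerates it, but emitting the extra argument only when the field is set keeps grub.cfg tidy. Also worth a comment next to the format string: the extra initrd is listed before the main one, so GRUB concatenates it first and a file with the same path in the main initrd overwrites it when the kernel unpacks the archives.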