author | Gregor Kleen <gkleen@yggdrasil.li> | 2021-05-15 15:27:19 +0200 |
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2021-05-15 15:27:19 +0200 |
commit | 1514c30e46768eb978996660ad46ca8e48cef5b7 (patch) | |
tree | c27da4992f00b4c7372020c367e8560d2355cfc7 /modules/luksroot.nix | |
parent | 9dddbe15c421b9f62cddee6f8cc4147f9d40cd86 (diff) | |
...
Diffstat (limited to 'modules/luksroot.nix')
-rw-r--r-- | modules/luksroot.nix | 59 |
1 files changed, 57 insertions, 2 deletions
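--- a/modules/luksroot.nix
+++ b/modules/luksroot.nix
@@ -140,7 +140,7 @@ let
 umount /crypt-ramfs 2>/dev/null
 '';
 
-openCommand = name': { name, device, header, keyFile, keyFileSize, keyFileOffset, allowDiscards, yubikey, gpgCard, fido2, clevis, fallbackToPassword, preOpenCommands, postOpenCommands, ... }: assert name' == name;
+openCommand = name': { name, device, header, keyFile, keyFileSize, keyFileOffset, allowDiscards, yubikey, gpgCard, fido2, clevis, dmi, fallbackToPassword, preOpenCommands, postOpenCommands, ... }: assert name' == name;
 let
 csopen = "cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} ${optionalString (header != null) "--header=${header}"}";
 cschange = "cryptsetup luksChangeKey ${device} ${optionalString (header != null) "--header=${header}"}";
@@ -451,10 +451,30 @@ let
 
 ''}
 
+${optionalString (luks.dmiSupport && dmi) ''
+
+open_with_hardware() {
+dmidecode -s system-uuid > /crypt-ramfs/passphrase
+
+${csopen} --key-file=- < /crypt-ramfs/passphrase > /dev/null 2> /dev/null
+
+if [ $? -ne 0 ]; then
+echo "Unlocking with system-uuid failed, falling back to normal open procedure"
+rm -f /crypt-ramfs/passphrase
+open_normally
+${optionalString (!luks.reusePassphrases) ''
+else
+rm -f /crypt-ramfs/passphrase
+''}
+fi
+}
+
+''}
+
 # commands to run right before we mount our device
 ${preOpenCommands}
 
-${if (luks.yubikeySupport && (yubikey != null)) || (luks.gpgSupport && (gpgCard != null)) || (luks.fido2Support && (fido2.credential != null)) || (luks.clevisSupport && clevis) then ''
+${if (luks.yubikeySupport && (yubikey != null)) || (luks.gpgSupport && (gpgCard != null)) || (luks.fido2Support && (fido2.credential != null)) || (luks.clevisSupport && clevis) || (luks.dmiSupport && dmi) then ''
 open_with_hardware
 '' else ''
 open_normally
@@ -789,6 +809,14 @@ in
 '';
 };
 
+dmi = mkOption {
+type = types.bool;
+default = false;
+description = ''
+Unlock device via system-uuid (via dmidecode)
+'';
+};
+
 preOpenCommands = mkOption {
 type = types.lines;
 default = "";
@@ -849,6 +877,14 @@ in
 Enables support for unlocking luks volumes via clevis (e.g. with a tpm)
 '';
 };
+
+boot.initrd.luks.dmiSupport = mkOption {
+default = false;
+type = types.bool;
+description = ''
+Enables support for unlocking luks volumes via system-uuid (via dmidecode)
+'';
+};
 
 };
 
@@ -866,6 +902,10 @@ in
 { assertion = !(luks.gpgSupport && luks.clevisSupport);
 message = "Clevis and GPG Card may not be used at the same time.";
 }
+
+{ assertion = !(luks.gpgSupport && luks.dmiSupport);
+message = "DMI and GPG Card may not be used at the same time.";
+}
 
 { assertion = !(luks.fido2Support && luks.yubikeySupport);
 message = "FIDO2 and YubiKey may not be used at the same time.";
@@ -875,10 +915,18 @@ in
 message = "FIDO2 and Clevis may not be used at the same time.";
 }
 
+{ assertion = !(luks.fido2Support && luks.dmiSupport);
+message = "FIDO2 and DMI may not be used at the same time.";
+}
+
 { assertion = !(luks.yubikeySupport && luks.clevisSupport);
 message = "Clevis and YubiKey may not be used at the same time.";
 }
 
+{ assertion = !(luks.yubikeySupport && luks.dmiSupport);
+message = "DMI and YubiKey may not be used at the same time.";
+}
+
 ];
 
 # actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested
@@ -989,6 +1037,10 @@ in
 fi
 done
 ''}
+
+${optionalString luks.dmiSupport ''
+copy_bin_and_libs ${pkgs.dmidecode}/bin/dmidecode
+''}
 '';
 
 boot.initrd.extraUtilsCommandsTest = ''
@@ -1009,6 +1061,9 @@ in
 ${optionalString luks.clevisSupport ''
 $out/bin/jose alg
 ''}
+${optionalString luks.dmiSupport ''
+$out/bin/dmidecode --version
+''}
 '';
 
 boot.initrd.preFailCommands = postCommands;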
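Review bot: The passphrase written at new line 457 is the DMI system UUID, which is not a secret — it is readable by any local root user, is commonly printed in firmware setup or on the chassis, and on some boards is a vendor placeholder shared by many units — so a volume keyed this way is only bound to the board, not protected from anyone who obtains the whole machine, and neither option description (new lines 816 and 885) says so. I would extend the `dmiSupport` description with `The system UUID is not confidential (any local root user can read it); this binds the volume to the mainboard but provides no protection against an attacker holding the whole machine. Prefer the clevis/TPM path where a real hardware-bound secret is needed.` and a one-line cross-reference in the per-device `dmi` description. Separately, the exclusion assertions added at 906, 918 and 926 pair DMI with GPG, FIDO2 and YubiKey but not with Clevis, although both paths define `open_with_hardware` when enabled; `{ assertion = !(luks.clevisSupport && luks.dmiSupport); message = "Clevis and DMI may not be used at the same time."; }` keeps the list consistent with the existing Clevis pairs. The key file at 457 also carries dmidecode's trailing newline, so whatever enrolls the key slot must feed cryptsetup the identical bytes (inferred; enrollment is not in this hunk), and the enclosing `openCommand` body continues outside the hunks.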