| author | Gregor Kleen <gkleen@yggdrasil.li> | 2021-05-15 15:27:19 +0200 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2021-05-15 15:27:19 +0200 |
| commit | 1514c30e46768eb978996660ad46ca8e48cef5b7 (patch) | |
| tree | c27da4992f00b4c7372020c367e8560d2355cfc7 /modules | |
| parent | 9dddbe15c421b9f62cddee6f8cc4147f9d40cd86 (diff) | |
| download | nixos-1514c30e46768eb978996660ad46ca8e48cef5b7.tar nixos-1514c30e46768eb978996660ad46ca8e48cef5b7.tar.gz nixos-1514c30e46768eb978996660ad46ca8e48cef5b7.tar.bz2 nixos-1514c30e46768eb978996660ad46ca8e48cef5b7.tar.xz nixos-1514c30e46768eb978996660ad46ca8e48cef5b7.zip | |
...
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/luksroot.nix | 59 |
1 files changed, 57 insertions, 2 deletions
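--- a/modules/luksroot.nix
+++ b/modules/luksroot.nix
@@ -140,7 +140,7 @@ let
 umount /crypt-ramfs 2>/dev/null
 '';
 
-openCommand = name': { name, device, header, keyFile, keyFileSize, keyFileOffset, allowDiscards, yubikey, gpgCard, fido2, clevis, fallbackToPassword, preOpenCommands, postOpenCommands, ... }: assert name' == name;
+openCommand = name': { name, device, header, keyFile, keyFileSize, keyFileOffset, allowDiscards, yubikey, gpgCard, fido2, clevis, dmi, fallbackToPassword, preOpenCommands, postOpenCommands, ... }: assert name' == name;
 let
 csopen = "cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} ${optionalString (header != null) "--header=${header}"}";
 cschange = "cryptsetup luksChangeKey ${device} ${optionalString (header != null) "--header=${header}"}";
@@ -451,10 +451,30 @@ let
 
 ''}
 
+${optionalString (luks.dmiSupport && dmi) ''
+
+open_with_hardware() {
+dmidecode -s system-uuid > /crypt-ramfs/passphrase
+
+${csopen} --key-file=- < /crypt-ramfs/passphrase > /dev/null 2> /dev/null
+
+if [ $? -ne 0 ]; then
+echo "Unlocking with system-uuid failed, falling back to normal open procedure"
+rm -f /crypt-ramfs/passphrase
+open_normally
+${optionalString (!luks.reusePassphrases) ''
+else
+rm -f /crypt-ramfs/passphrase
+''}
+fi
+}
+
+''}
+
 # commands to run right before we mount our device
 ${preOpenCommands}
 
-${if (luks.yubikeySupport && (yubikey != null)) || (luks.gpgSupport && (gpgCard != null)) || (luks.fido2Support && (fido2.credential != null)) || (luks.clevisSupport && clevis) then ''
+${if (luks.yubikeySupport && (yubikey != null)) || (luks.gpgSupport && (gpgCard != null)) || (luks.fido2Support && (fido2.credential != null)) || (luks.clevisSupport && clevis) || (luks.dmiSupport && dmi) then ''
 open_with_hardware
 '' else ''
 open_normally
@@ -789,6 +809,14 @@ in
 '';
 };
 
+dmi = mkOption {
+type = types.bool;
+default = false;
+description = ''
+Unlock device via system-uuid (via dmidecode)
+'';
+};
+
 preOpenCommands = mkOption {
 type = types.lines;
 default = "";
@@ -849,6 +877,14 @@ in
 Enables support for unlocking luks volumes via clevis (e.g. with a tpm)
 '';
 };
+
+boot.initrd.luks.dmiSupport = mkOption {
+default = false;
+type = types.bool;
+description = ''
+Enables support for unlocking luks volumes via system-uuid (via dmidecode)
+'';
+};
 
 };
 
@@ -866,6 +902,10 @@ in
 { assertion = !(luks.gpgSupport && luks.clevisSupport);
 message = "Clevis and GPG Card may not be used at the same time.";
 }
+
+{ assertion = !(luks.gpgSupport && luks.dmiSupport);
+message = "DMI and GPG Card may not be used at the same time.";
+}
 
 { assertion = !(luks.fido2Support && luks.yubikeySupport);
 message = "FIDO2 and YubiKey may not be used at the same time.";
@@ -875,10 +915,18 @@ in
 message = "FIDO2 and Clevis may not be used at the same time.";
 }
 
+{ assertion = !(luks.fido2Support && luks.dmiSupport);
+message = "FIDO2 and DMI may not be used at the same time.";
+}
+
 { assertion = !(luks.yubikeySupport && luks.clevisSupport);
 message = "Clevis and YubiKey may not be used at the same time.";
 }
 
+{ assertion = !(luks.yubikeySupport && luks.dmiSupport);
+message = "DMI and YubiKey may not be used at the same time.";
+}
+
 ];
 
 # actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested
@@ -989,6 +1037,10 @@ in
 fi
 done
 ''}
+
+${optionalString luks.dmiSupport ''
+copy_bin_and_libs ${pkgs.dmidecode}/bin/dmidecode
+''}
 '';
 
 boot.initrd.extraUtilsCommandsTest = ''
@@ -1009,6 +1061,9 @@ in
 ${optionalString luks.clevisSupport ''
 $out/bin/jose alg
 ''}
+${optionalString luks.dmiSupport ''
+$out/bin/dmidecode --version
+''}
 '';
 
 boot.initrd.preFailCommands = postCommands;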
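Review bot: The new assertions (new lines 906, 918 and 926) pair `dmiSupport` with GPG, FIDO2 and YubiKey but not with `clevisSupport`, even though every other backend is paired with Clevis in the existing list. The dispatch at new line 477 calls a single `open_with_hardware` for both the Clevis and the DMI case, and the Clevis branch presumably defines a function of the same name outside this hunk, so enabling both would let one shell definition silently shadow the other instead of failing at evaluation time. Add `{ assertion = !(luks.clevisSupport && luks.dmiSupport); message = "Clevis and DMI may not be used at the same time."; }` next to the other Clevis pairings. Separately, the `dmi` and `dmiSupport` descriptions should state the threat model: the value fed to `--key-file=-` is the DMI system UUID, which is readable by any root process on the machine (this script reads it with `dmidecode -s system-uuid`) and is generally not a secret, so the option ties the volume to the board rather than protecting it from someone who holds both disk and machine. A description such as `Unlock using the DMI system UUID read via dmidecode. The UUID is not secret; this binds the volume to the hardware but offers no protection when disk and machine are obtained together.` would make the trade-off visible to anyone enabling it.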
