Diffstat (limited to 'modules/luksroot.nix')
-rw-r--r--modules/luksroot.nix59
1 files changed, 57 insertions, 2 deletions
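--- a/modules/luksroot.nix
+++ b/modules/luksroot.nix
@@ -140,7 +140,7 @@ let
 umount /crypt-ramfs 2>/dev/null
 '';
 
-openCommand = name': { name, device, header, keyFile, keyFileSize, keyFileOffset, allowDiscards, yubikey, gpgCard, fido2, clevis, fallbackToPassword, preOpenCommands, postOpenCommands, ... }: assert name' == name;
+openCommand = name': { name, device, header, keyFile, keyFileSize, keyFileOffset, allowDiscards, yubikey, gpgCard, fido2, clevis, dmi, fallbackToPassword, preOpenCommands, postOpenCommands, ... }: assert name' == name;
 let
 csopen = "cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} ${optionalString (header != null) "--header=${header}"}";
 cschange = "cryptsetup luksChangeKey ${device} ${optionalString (header != null) "--header=${header}"}";
@@ -451,10 +451,30 @@ let
 
 ''}
 
+${optionalString (luks.dmiSupport && dmi) ''
+
+open_with_hardware() {
+dmidecode -s system-uuid > /crypt-ramfs/passphrase
+
+${csopen} --key-file=- < /crypt-ramfs/passphrase > /dev/null 2> /dev/null
+
+if [ $? -ne 0 ]; then
+echo "Unlocking with system-uuid failed, falling back to normal open procedure"
+rm -f /crypt-ramfs/passphrase
+open_normally
+${optionalString (!luks.reusePassphrases) ''
+else
+rm -f /crypt-ramfs/passphrase
+''}
+fi
+}
+
+''}
+
 # commands to run right before we mount our device
 ${preOpenCommands}
 
-${if (luks.yubikeySupport && (yubikey != null)) || (luks.gpgSupport && (gpgCard != null)) || (luks.fido2Support && (fido2.credential != null)) || (luks.clevisSupport && clevis) then ''
+${if (luks.yubikeySupport && (yubikey != null)) || (luks.gpgSupport && (gpgCard != null)) || (luks.fido2Support && (fido2.credential != null)) || (luks.clevisSupport && clevis) || (luks.dmiSupport && dmi) then ''
 open_with_hardware
 '' else ''
 open_normally
@@ -789,6 +809,14 @@ in
 '';
 };
 
+dmi = mkOption {
+type = types.bool;
+default = false;
+description = ''
+Unlock device via system-uuid (via dmidecode)
+'';
+};
+
 preOpenCommands = mkOption {
 type = types.lines;
 default = "";
@@ -849,6 +877,14 @@ in
 Enables support for unlocking luks volumes via clevis (e.g. with a tpm)
 '';
 };
+
+boot.initrd.luks.dmiSupport = mkOption {
+default = false;
+type = types.bool;
+description = ''
+Enables support for unlocking luks volumes via system-uuid (via dmidecode)
+'';
+};
 
 };
 
@@ -866,6 +902,10 @@ in
 { assertion = !(luks.gpgSupport && luks.clevisSupport);
 message = "Clevis and GPG Card may not be used at the same time.";
 }
+
+{ assertion = !(luks.gpgSupport && luks.dmiSupport);
+message = "DMI and GPG Card may not be used at the same time.";
+}
 
 { assertion = !(luks.fido2Support && luks.yubikeySupport);
 message = "FIDO2 and YubiKey may not be used at the same time.";
@@ -875,10 +915,18 @@ in
 message = "FIDO2 and Clevis may not be used at the same time.";
 }
 
+{ assertion = !(luks.fido2Support && luks.dmiSupport);
+message = "FIDO2 and DMI may not be used at the same time.";
+}
+
 { assertion = !(luks.yubikeySupport && luks.clevisSupport);
 message = "Clevis and YubiKey may not be used at the same time.";
 }
 
+{ assertion = !(luks.yubikeySupport && luks.dmiSupport);
+message = "DMI and YubiKey may not be used at the same time.";
+}
+
 ];
 
 # actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested
@@ -989,6 +1037,10 @@ in
 fi
 done
 ''}
+
+${optionalString luks.dmiSupport ''
+copy_bin_and_libs ${pkgs.dmidecode}/bin/dmidecode
+''}
 '';
 
 boot.initrd.extraUtilsCommandsTest = ''
@@ -1009,6 +1061,9 @@ in
 ${optionalString luks.clevisSupport ''
 $out/bin/jose alg
 ''}
+${optionalString luks.dmiSupport ''
+$out/bin/dmidecode --version
+''}
 '';
 
 boot.initrd.preFailCommands = postCommands;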
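Review bot: The mutual-exclusion assertions added at new lines 906–928 cover DMI against GPG, FIDO2 and YubiKey but not against Clevis, even though the dispatch at new lines 477–478 calls one shell function name, `open_with_hardware`, which the DMI block at new lines 454–473 defines and which the Clevis path presumably defines too, so enabling both would let whichever definition is emitted last win without any error; add `{ assertion = !(luks.clevisSupport && luks.dmiSupport); message = "Clevis and DMI may not be used at the same time."; }` beside the other pairs (the assertion list and the openCommand body both extend outside these hunks). The option descriptions at new lines 816 and 885 should also state what this mode protects against: the value written to /crypt-ramfs/passphrase is the output of `dmidecode -s system-uuid`, a firmware-reported hardware identifier readable by any root process (and assigned by the hypervisor on virtual machines), not a secret, so the key slot enrolled with it only ties the volume to the machine identity. A description such as `Unlock the device with the DMI system UUID as the passphrase; the UUID is a hardware identifier, not a secret, so this only binds the volume to this machine's firmware identity.` would make the trade-off explicit to anyone enabling it.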