From 1514c30e46768eb978996660ad46ca8e48cef5b7 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 15 May 2021 15:27:19 +0200
Subject: ...
---
 modules/luksroot.nix | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 57 insertions(+), 2 deletions(-)
(limited to 'modules/luksroot.nix')
diff --git a/modules/luksroot.nix b/modules/luksroot.nix
index e1a910d7..abaee692 100644
--- a/modules/luksroot.nix
+++ b/modules/luksroot.nix
@@ -140,7 +140,7 @@ let
 umount /crypt-ramfs 2>/dev/null
 '';
- openCommand = name': { name, device, header, keyFile, keyFileSize, keyFileOffset, allowDiscards, yubikey, gpgCard, fido2, clevis, fallbackToPassword, preOpenCommands, postOpenCommands, ... }: assert name' == name;
+ openCommand = name': { name, device, header, keyFile, keyFileSize, keyFileOffset, allowDiscards, yubikey, gpgCard, fido2, clevis, dmi, fallbackToPassword, preOpenCommands, postOpenCommands, ... }: assert name' == name;
 let
 csopen = "cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} ${optionalString (header != null) "--header=${header}"}";
 cschange = "cryptsetup luksChangeKey ${device} ${optionalString (header != null) "--header=${header}"}";
@@ -451,10 +451,30 @@ let
 ''}
+ ${optionalString (luks.dmiSupport && dmi) ''
+
+ open_with_hardware() {
+ dmidecode -s system-uuid > /crypt-ramfs/passphrase
+
+ ${csopen} --key-file=- < /crypt-ramfs/passphrase > /dev/null 2> /dev/null
+
+ if [ $? -ne 0 ]; then
+ echo "Unlocking with system-uuid failed, falling back to normal open procedure"
+ rm -f /crypt-ramfs/passphrase
+ open_normally
+ ${optionalString (!luks.reusePassphrases) ''
+ else
+ rm -f /crypt-ramfs/passphrase
+ ''}
+ fi
+ }
+
+ ''}
+
 # commands to run right before we mount our device
 ${preOpenCommands}
- ${if (luks.yubikeySupport && (yubikey != null)) || (luks.gpgSupport && (gpgCard != null)) || (luks.fido2Support && (fido2.credential != null)) || (luks.clevisSupport && clevis) then ''
+ ${if (luks.yubikeySupport && (yubikey != null)) || (luks.gpgSupport && (gpgCard != null)) || (luks.fido2Support && (fido2.credential != null)) || (luks.clevisSupport && clevis) || (luks.dmiSupport && dmi) then ''
 open_with_hardware
 '' else ''
 open_normally
@@ -789,6 +809,14 @@ in
 '';
 };
+ dmi = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Unlock device via system-uuid (via dmidecode)
+ '';
+ };
+
 preOpenCommands = mkOption {
 type = types.lines;
 default = "";
@@ -849,6 +877,14 @@ in
 Enables support for unlocking luks volumes via clevis (e.g. with a tpm)
 '';
 };
+
+ boot.initrd.luks.dmiSupport = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Enables support for unlocking luks volumes via system-uuid (via dmidecode)
+ '';
+ };
 };
@@ -866,6 +902,10 @@ in
 { assertion = !(luks.gpgSupport && luks.clevisSupport);
 message = "Clevis and GPG Card may not be used at the same time.";
 }
+
+ { assertion = !(luks.gpgSupport && luks.dmiSupport);
+ message = "DMI and GPG Card may not be used at the same time.";
+ }
 { assertion = !(luks.fido2Support && luks.yubikeySupport);
 message = "FIDO2 and YubiKey may not be used at the same time.";
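Review bot: open_with_hardware in this hunk uses the output of `dmidecode -s system-uuid` as the LUKS passphrase, but the DMI system UUID is firmware inventory data rather than a secret: it is readable by privileged software on the booted machine and may be reported identically by cloned or re-imaged hardware, so this slot only protects a disk that has been separated from its machine. The descriptions added in the next two hunks (`dmi` and `boot.initrd.luks.dmiSupport`) should state that threat model instead of only naming the mechanism, e.g. `Unlock the device using the DMI system-uuid (read with dmidecode) as passphrase. The UUID is not a secret; this only protects a disk that is separated from its machine.`. Two smaller points in the same hunk: the file written to /crypt-ramfs/passphrase carries dmidecode's trailing newline and cryptsetup reads it verbatim through `--key-file=-`, so the key slot must have been enrolled the same way (enrollment is not part of this patch), and `> /dev/null 2> /dev/null` hides cryptsetup's reason for failing while the echo only reports that it failed; keeping stderr, `${csopen} --key-file=- < /crypt-ramfs/passphrase > /dev/null`, would make the fallback diagnosable from the console.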
@@ -875,10 +915,18 @@ in
 message = "FIDO2 and Clevis may not be used at the same time.";
 }
+ { assertion = !(luks.fido2Support && luks.dmiSupport);
+ message = "FIDO2 and DMI may not be used at the same time.";
+ }
+
 { assertion = !(luks.yubikeySupport && luks.clevisSupport);
 message = "Clevis and YubiKey may not be used at the same time.";
 }
+ { assertion = !(luks.yubikeySupport && luks.dmiSupport);
+ message = "DMI and YubiKey may not be used at the same time.";
+ }
+
 ];
 # actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested
@@ -989,6 +1037,10 @@ in
 fi
 done
 ''}
+
+ ${optionalString luks.dmiSupport ''
+ copy_bin_and_libs ${pkgs.dmidecode}/bin/dmidecode
+ ''}
 '';
 boot.initrd.extraUtilsCommandsTest = ''
@@ -1009,6 +1061,9 @@ in
 ${optionalString luks.clevisSupport ''
 $out/bin/jose alg
 ''}
+ ${optionalString luks.dmiSupport ''
+ $out/bin/dmidecode --version
+ ''}
 '';
 boot.initrd.preFailCommands = postCommands;
-- 
cgit v1.2.3
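Review bot: The assertions added in this hunk and the previous one check DMI against GPG, FIDO2 and YubiKey but not against Clevis, although every other pair of unlock methods is checked, including Clevis with each of those three. With both `luks.clevisSupport && clevis` and `luks.dmiSupport && dmi` set, the generated script from the first hunk of this patch would define `open_with_hardware` twice; in the shell the later definition wins, which from the hunk order looks like the DMI one, so the volume would be opened with the weaker method and no error would be raised. Add the missing pair next to the other Clevis assertions: `{ assertion = !(luks.clevisSupport && luks.dmiSupport);` / `message = "Clevis and DMI may not be used at the same time.";` / `}`.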