path: root/system-profiles/initrd-all-crypto-modules.nix
blob: 45cd4b747472032017e9df540f4c05097ab83522 (plain)
# NixOS module: hand the names of the crypto modules found in the configured
# kernel's module tree to the initrd LUKS stage, and enable ENCRYPTED_KEYS in
# the kernel configuration.
{ lib, pkgs, config, ...}:
let
  # List of kernel module names, produced by a build that runs during
  # evaluation: builtins.readFile on the derivation output is an
  # import-from-derivation, so evaluating this module requires building
  # "crypto-modules" first (and fails where IFD is disallowed).
  #
  # The build script:
  #   1. starts $out as an empty JSON array;
  #   2. lists every `*.ko.xz` under kernel/crypto and kernel/arch/*/crypto of
  #      config.system.modulesTree, NUL-separated and sorted so the resulting
  #      order is stable;
  #   3. decompresses each file into the build directory;
  #   4. dumps the strings of the `.gnu.linkonce.this_module` ELF section with
  #      readelf and keeps the first `[ offset ] string` line, stripped of its
  #      offset prefix (sed prints it and quits) -- presumably the module's
  #      own name as the kernel knows it, rather than its file name;
  #   5. appends that string to the array in $out via jq.
  #
  # NOTE(review): only `.ko.xz` files are matched. With a kernel whose modules
  # are uncompressed or use another compressor, find matches nothing; find
  # runs in a process substitution, so its exit status is not checked and the
  # list silently stays `[]`. Consider asserting that the list is non-empty.
  # NOTE(review): the extracted name is appended unconditionally; if the sed
  # expression matches nothing, an empty string "" ends up in the list.
  moduleList = builtins.fromJSON (builtins.readFile (pkgs.runCommandCC "crypto-modules" { buildInputs = with pkgs; [ jq ]; } ''
    echo "[]" > $out
    while IFS= read -r -d $'\0' file; do
      unpacked=$(basename "''${file}" .xz)
      xz -cd "''${file}" > "''${unpacked}"

      module=$(readelf -Wp .gnu.linkonce.this_module "''${unpacked}" | sed -rn '/\[\s*[0-9]+\] /{ s/^[^]]*\]\s*//; p; q; }')
      jq '. + [ $name ]' $out --arg name "''${module}" > out.json && mv out.json $out
    done < <(find ${config.system.modulesTree}/lib/modules/*/kernel{,/arch/*}/crypto -iname '*.ko.xz' -print0 | sort -z)
  ''));
in {
  # Every discovered crypto module plus three fixed names. This is a blanket
  # list, not a minimal one: the initrd is given far more crypto code than any
  # single LUKS setup needs.
  boot.initrd.luks.cryptoModules = moduleList ++ [
    "encrypted_keys" "trusted" "rng"
  ];
  # A kernelPatches entry with `patch = null` applies no source patch; it is
  # used here only to carry a structured-config override that turns
  # ENCRYPTED_KEYS on (lib.kernel.yes).
  boot.kernelPatches = [
    {
      name = "encrypted_key";
      patch = null;
      extraStructuredConfig.ENCRYPTED_KEYS = lib.kernel.yes;
    }
  ];
}