nixos/stage1: copy initrd secrets into place after special mounts
This modifies initialRamdiskSecretAppender to stage secrets under /.initrd-secrets/ and stage-1-init to copy them into place after the special file systems are mounted. This allows secrets to be placed into ramfs mounts such as /run/keys, for use after stage 1 finishes, without ever writing them to persistent disk (which would not be secure).
parent
b089c39a23
commit
30b97d7cca
@ -119,6 +119,18 @@ specialMount() {
}
source @earlyMountScript@
|
# Copy initrd secrets from /.initrd-secrets to their actual destinations
if [ -d "/.initrd-secrets" ]; then
#
# Secrets are named by their full destination pathname and stored
# under /.initrd-secrets/
#
for secret in $(cd "/.initrd-secrets"; find . -type f); do
mkdir -p $(dirname "/$secret")
cp "/.initrd-secrets/$secret" "$secret"
done
fi
|
# Log the script output to /dev/kmsg or /run/log/stage-1-init.log.
mkdir -p /tmp
mkfifo /tmp/stage-1-init.log.fifo
|
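Review bot: The `cp` line writes to the relative path `"$secret"` (a `./run/keys/...` name as produced by `find .`), while the `mkdir -p` line just above builds the absolute `/$secret`, so the file only lands where the directory was created if the script's working directory is still `/` at this point; use the absolute form in both places, `mkdir -p "$(dirname "/$secret")"` and `cp -p "/.initrd-secrets/$secret" "/$secret"`. Quoting the `$(dirname …)` expansion and adding `-p` also carries over the mode the Nix side preserved with `cp -a`, instead of re-deriving it through whatever umask is in force in stage 1, which this hunk does not show. The unquoted `$(cd …; find . -type f)` word-splits on whitespace in destination names; the names presumably come from `boot.initrd.secrets` keys and so are controlled input, but a comment stating that assumption (`# destination names come from boot.initrd.secrets and are assumed to contain no whitespace`) would make the loop's limits explicit. The init script continues outside the hunk.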
@ -380,8 +380,8 @@ let
${lib.concatStringsSep "\n" (mapAttrsToList (dest: source:
let source' = if source == null then dest else toString source; in
''
mkdir -p $(dirname "$tmp/${dest}")
cp -a ${source'} "$tmp/${dest}"
mkdir -p $(dirname "$tmp/.initrd-secrets/${dest}")
cp -a ${source'} "$tmp/.initrd-secrets/${dest}"
''
) config.boot.initrd.secrets)
}
|
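Review bot: `${source'}` is spliced unquoted into the `cp -a` command on the new line, so a secret source path containing whitespace or shell metacharacters would be word-split before it reaches `cp`, whereas the destination half of the same command is already quoted; `cp -a "${source'}" "$tmp/.initrd-secrets/${dest}"`. The new staging location is only meaningful together with the copy step in stage-1-init, which nothing in this file says, so a comment above the loop would help a later reader: `# Staged under /.initrd-secrets/<dest>; stage-1-init copies each file to <dest> after the special mounts, so a ramfs destination such as /run/keys receives it rather than disk.` The enclosing `let` and the attribute this string builds start before the hunk.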