From 30b97d7ccaf25324926301524d040c4524470046 Mon Sep 17 00:00:00 2001
From: "Dino A. Dai Zovi"
Date: Mon, 5 Jul 2021 14:08:35 +0000
Subject: [PATCH] nixos/stage1: copy initrd secrets into place after special mounts

This modifies initialRamdiskSecretAppender to stage secrets in /.initrd-secrets/ and stage-1-init to copy them into place after mounting special file systems. This allows secrets to be copied into ramfs mounts like /run/keys for use after stage-1 finishes without copying them to disk (which would not be very secure).
---
 nixos/modules/system/boot/stage-1-init.sh | 12 ++++++++++++
 nixos/modules/system/boot/stage-1.nix | 4 ++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/system/boot/stage-1-init.sh b/nixos/modules/system/boot/stage-1-init.sh
index ddaf985878e..82e39c96fac 100644
--- a/nixos/modules/system/boot/stage-1-init.sh
+++ b/nixos/modules/system/boot/stage-1-init.sh
@@ -119,6 +119,18 @@ specialMount() {
 }
 source @earlyMountScript@
 
+# Copy initrd secrets from /.initrd-secrets to their actual destinations
+if [ -d "/.initrd-secrets" ]; then
+    #
+    # Secrets are named by their full destination pathname and stored
+    # under /.initrd-secrets/
+    #
+    for secret in $(cd "/.initrd-secrets"; find . -type f); do
+        mkdir -p $(dirname "/$secret")
+        cp "/.initrd-secrets/$secret" "$secret"
+    done
+fi
+
 # Log the script output to /dev/kmsg or /run/log/stage-1-init.log.
 mkdir -p /tmp
 mkfifo /tmp/stage-1-init.log.fifo
diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix
index d606d473d91..95c419deb70 100644
--- a/nixos/modules/system/boot/stage-1.nix
+++ b/nixos/modules/system/boot/stage-1.nix
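Review bot: The two lines of the loop body disagree on the destination: `mkdir -p` is given `/$secret`, but `cp` writes to the bare `$secret`, which `find .` yields as `./run/keys/…`, so the copy only lands in the right place while the script's working directory happens to be `/`. Both should use the absolute form and quote the substitution: `mkdir -p "$(dirname "/$secret")"` and `cp "/.initrd-secrets/$secret" "/$secret"`. Iterating over `$(find …)` also word-splits on whitespace in destination names; those names come from the evaluated configuration rather than from runtime input, so this is a robustness rather than an injection concern. Since secrets now reach their destinations only at this point rather than being present from the start of stage 1, the comment above the `if` should say so explicitly, e.g. `# Secrets are not at their destination paths until this block has run (after the special mounts).`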
@@ -380,8 +380,8 @@ let
         ${lib.concatStringsSep "\n" (mapAttrsToList (dest: source:
             let source' = if source == null then dest else toString source; in
               ''
-                mkdir -p $(dirname "$tmp/${dest}")
-                cp -a ${source'} "$tmp/${dest}"
+                mkdir -p $(dirname "$tmp/.initrd-secrets/${dest}")
+                cp -a ${source'} "$tmp/.initrd-secrets/${dest}"
               ''
         ) config.boot.initrd.secrets)
       }
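Review bot: The staging directory name `.initrd-secrets` is a contract shared with stage-1-init.sh, which copies files out of `/.initrd-secrets` at boot, and nothing at this site records that; a comment above the `mkdir -p` such as `# Staged under /.initrd-secrets; stage-1-init.sh copies each file to ${dest} once the special mounts are up` would tie the two sides together so a future rename does not silently drop every secret. If `dest` is an absolute path, as the stage-1 comment about "full destination pathname" implies, the staged path carries a doubled slash (`.initrd-secrets//run/…`), which `mkdir -p` and `cp` tolerate but anything later comparing paths textually would not. The enclosing definition (initialRamdiskSecretAppender, per the description) starts before this hunk.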