Merge pull request #278609 from RaitoBezarius/initrd-secrets

2024-01-04 23:45:39 +01:00 · 2024-01-04 23:45:39 +01:00 · 7afe9bc384
commit 7afe9bc384
parent 958a633270 861431f282
3 changed files with 35 additions and 5 deletions
--- a/nixos/modules/system/activation/bootspec.nix
+++ b/nixos/modules/system/activation/bootspec.nix
@ -11,6 +11,7 @@
 let
  cfg = config.boot.bootspec;
  children = lib.mapAttrs (childName: childConfig: childConfig.configuration.system.build.toplevel) config.specialisation;
+  hasAtLeastOneInitrdSecret = lib.length (lib.attrNames config.boot.initrd.secrets) > 0;
  schemas = {
    v1 = rec {
      filename = "boot.json";
@ -27,6 +28,7 @@ let
              label = "${config.system.nixos.distroName} ${config.system.nixos.codeName} ${config.system.nixos.label} (Linux ${config.boot.kernelPackages.kernel.modDirVersion})";
            } // lib.optionalAttrs config.boot.initrd.enable {
              initrd = "${config.system.build.initialRamdisk}/${config.system.boot.loader.initrdFile}";
+            } // lib.optionalAttrs hasAtLeastOneInitrdSecret {
              initrdSecrets = "${config.system.build.initialRamdiskSecretAppender}/bin/append-initrd-secrets";
            };
          }));
--- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
+++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
@ -20,13 +20,13 @@ from dataclasses import dataclass
 class BootSpec:
    init: str
    initrd: str
-    initrdSecrets: str
    kernel: str
    kernelParams: List[str]
    label: str
    system: str
    toplevel: str
    specialisations: Dict[str, "BootSpec"]
+    initrdSecrets: str | None = None



@ -131,9 +131,8 @@ def write_entry(profile: str | None, generation: int, specialisation: str | None
        specialisation=" (%s)" % specialisation if specialisation else "")

    try:
-        subprocess.check_call([bootspec.initrdSecrets, "@efiSysMountPoint@%s" % (initrd)])
-    except FileNotFoundError:
-        pass
+        if bootspec.initrdSecrets is not None:
+            subprocess.check_call([bootspec.initrdSecrets, "@efiSysMountPoint@%s" % (initrd)])
    except subprocess.CalledProcessError:
        if current:
            print("failed to create initrd secrets!", file=sys.stderr)
--- a/nixos/tests/bootspec.nix
+++ b/nixos/tests/bootspec.nix
@ -112,10 +112,39 @@ in

      bootspec = json.loads(machine.succeed("jq -r '.\"org.nixos.bootspec.v1\"' /run/current-system/boot.json"))

-      assert all(key in bootspec for key in ('initrd', 'initrdSecrets')), "Bootspec should contain initrd or initrdSecrets field when initrd is enabled"
+      assert 'initrd' in bootspec, "Bootspec should contain initrd field when initrd is enabled"
+      assert 'initrdSecrets' not in bootspec, "Bootspec should not contain initrdSecrets when there's no initrdSecrets"
    '';
  };

+  # Check that initrd secrets create corresponding entries in bootspec.
+  initrd-secrets = makeTest {
+    name = "bootspec-with-initrd-secrets";
+    meta.maintainers = with pkgs.lib.maintainers; [ raitobezarius ];
+
+    nodes.machine = {
+      imports = [ standard ];
+      environment.systemPackages = [ pkgs.jq ];
+      # It's probably the case, but we want to make it explicit here.
+      boot.initrd.enable = true;
+      boot.initrd.secrets."/some/example" = pkgs.writeText "example-secret" "test";
+    };
+
+    testScript = ''
+      import json
+
+      machine.start()
+      machine.wait_for_unit("multi-user.target")
+
+      machine.succeed("test -e /run/current-system/boot.json")
+
+      bootspec = json.loads(machine.succeed("jq -r '.\"org.nixos.bootspec.v1\"' /run/current-system/boot.json"))
+
+      assert 'initrdSecrets' in bootspec, "Bootspec should contain an 'initrdSecrets' field given there's an initrd secret"
+    '';
+  };
+
+
  # Check that specialisations create corresponding entries in bootspec.
  specialisation = makeTest {
    name = "bootspec-with-specialisation";