[Nix-dev] Smart Card support in initramfs

Nicolas Pierron nicolas.b.pierron at gmail.com
Sat Aug 16 19:49:36 CEST 2014


Hi,

On Wed, Aug 13, 2014 at 9:06 PM, tsuraan <tsuraan at gmail.com> wrote:
> So, I'm wondering, how can I get gnupg, pcscd, and ccid into a Nix
> initramfs, and how can I get the initramfs's init to use gpg in its
> luksOpen call? I'm thinking that, from the configuration.nix side, I'd
> want to just specify a pgp blob (boot.initrd.luks.encryptedkey =
> ''-----BEGIN PGP MESSAGE----- ...'') and specify that I want to use a
> smart card (boot.initrd.luks.smartcard=true), or something like that.
> Where should I look to start hacking?

You should look at luksroot.nix [1], this file is a NixOS module which
handles all luks options.  These options are then used to generate the
script which is written in the initrd.

> The other bit is whether the Nix kernel builder can handle
> dependencies in its kernelExtraConfig
> (kernelExtraConfig="INITRAMFS_SOURCE=\"/boot/initramfs\""), and build
> the initramfs before it builds the kernel. I haven't tried that yet,
> and I'm actually not even really sure where Nix writes its initramfs
> file, so that's something else I'm curious about, I guess.

Is that similar to what is currently implemented with yubikey.ramfsMountPoint?

Otherwise, if the current setup does not satisfy you, you might either
check out NixOS and modify this file, in which case you will need to
update your NIX_PATH.

Or you can copy this file and rename any luks to luks2, and customize
it as you want and later merge your modification back into NixOS.  In
which case you will have to include it in your configuration.nix file
(as done for the hardware-configuration.nix file) to make the option
visible in your configuration.nix file.

[1] https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/system/boot/luksroot.nix

-- 
Nicolas Pierron
http://www.linkedin.com/in/nicolasbpierron - http://nbp.name/

