[Nix-dev] How to add file to initrd?

Tomasz Czyż tomasz.czyz at gmail.com
Fri Sep 11 17:15:37 CEST 2015


Thanks for all the tips Bryan.

2015-09-11 16:02 GMT+01:00 Bryan Gardiner <bog at khumba.net>:

> On Fri, Sep 11, 2015 at 03:39:34PM +0100, Tomasz Czyż wrote:
> > 2015-09-11 15:31 GMT+01:00 Bryan Gardiner <bog at khumba.net>:
> >
> > > On Fri, Sep 11, 2015 at 01:05:36PM +0100, Tomasz Czyż wrote:
> > > > 2015-09-11 13:01 GMT+03:00 Tuomas Tynkkynen <tuomas.tynkkynen at iki.fi>:
> > > >
> > > > > (Argh, replying to the list this time...)
> > > > >
> > > > > 2015-09-09 9:03 GMT+03:00 Bryan Gardiner <bog at khumba.net>:
> > > > > > On Tue, Sep 08, 2015 at 08:09:16PM +0100, Tomasz Czyż wrote:
> > > > > [...]
> > > > > >
> > > > > > How about doing something like:
> > > > > >
> > > > > >     preLVMCommands =
> > > > > >       let key = builtins.readFile ./keyfile; in
> > > > > >       "echo '${key}' >/key"
> > > > > >
> > > > >
> > > > > Do note that by doing this, the key will get embedded somewhere in
> > > > > /nix/store, with world-readable unix permissions.
> > > >
> > > > Mhm, that's definitely not cool. I thought it would appear only inside
> > > > the initrd image :[
> > > > Do you think there is any other way to put this key in the initrd?
> > >
> > > If you don't want it in plain text, you could compress or obfuscate it
> > > by any means, then reverse that in the initrd...  The
> > > extraUtilsCommands method will certainly result in "not simply plain
> > > text."  Though this is security by obscurity, and I don't know a quick
> > > way to truly secure it without having to enter your password an extra
> > > time.  Nix doesn't support non-world-readable data in the store.
> > >
> > Thanks for the explanation.
> >
> > >
> > > Can Grub pass its unlock password to the initrd?  If so, you could
> > > decrypt the keyfile with that, and only put an encrypted keyfile in
> > > the store.
> > >
> > Not really, that's why I want to put key inside initrd. Otherwise I could
> > decrypt partitions with the pass from grub.
> >
> > >
> > > Or maybe you could restrict non-root users from accessing the initrds
> > > in the store via grsec or apparmor.
> > >
> > Mhm, I see.
> > What about putting something into the initrd but not adding it to the Nix store?
> > Do you think there is any initrd hook I can use to add stuff?
>
> That could work, if you find how the initrd is copied over.  Grub
> manages to make /boot/grub have 700 permissions, so if you extract +
> insert + rebuild the initrd during its installation, and make
> /boot/kernels 700 as well?  In my readings of nixpkgs/nixos, I haven't
> gotten to the bottom of the rabbit hole and found out how nixos
> modules *actually* have an effect on the world yet :).
>
> Cheers,
> Bryan
>
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
>


-- 
Tomasz Czyż