[Nix-dev] How to add file to initrd?

Bryan Gardiner bog at khumba.net
Fri Sep 11 17:02:43 CEST 2015


On Fri, Sep 11, 2015 at 03:39:34PM +0100, Tomasz Czyż wrote:
> 2015-09-11 15:31 GMT+01:00 Bryan Gardiner <bog at khumba.net>:
> 
> > On Fri, Sep 11, 2015 at 01:05:36PM +0100, Tomasz Czyż wrote:
> > > 2015-09-11 13:01 GMT+01:00 Tuomas Tynkkynen <tuomas.tynkkynen at iki.fi>:
> > >
> > > > (Argh, replying to the list this time...)
> > > >
> > > > 2015-09-09 9:03 GMT+03:00 Bryan Gardiner <bog at khumba.net>:
> > > > > On Tue, Sep 08, 2015 at 08:09:16PM +0100, Tomasz Czyż wrote:
> > > > [...]
> > > > >
> > > > > How about doing something like:
> > > > >
> > > > >     preLVMCommands =
> > > > >       let key = builtins.readFile ./keyfile; in
> > > > >       "echo '${key}' >/key"
> > > > >
> > > >
> > > > Do note that by doing this, the key will get embedded somewhere in
> > > > /nix/store, with world-readable unix permissions.
> > >
> > > Mhm, that's definitely not cool. I thought it would appear only inside
> > > the initrd image :[
> > > Do you think there is any other way to put this key in initrd?
> >
> > If you don't want it in plain text, you could compress or obfuscate it
> > by any means, then reverse that in the initrd...  The
> > extraUtilsCommands method will certainly result in "not simply plain
> > text."  Though this is security by obscurity, and I don't know a quick
> > way to truly secure it without having to enter your password an extra
> > time.  Nix doesn't support non-world-readable data in the store.
> >
> Thanks for explanation.
> 
> >
> > Can Grub pass its unlock password to the initrd?  If so, you could
> > decrypt the keyfile with that, and only put an encrypted keyfile in
> > the store.
> >
> Not really, that's why I want to put key inside initrd. Otherwise I could
> decrypt partitions with the pass from grub.
> 
> >
> > Or maybe you could restrict non-root users from accessing the initrds
> > in the store via grsec or apparmor.
> >
> Mhm, I see.
> What about putting something into initrd but not adding it to nixstore?
> Do you think there is any initrd hook I can use to add stuff?

That could work, if you find how the initrd is copied over.  Grub
manages to make /boot/grub have 700 permissions, so if you extract +
insert + rebuild the initrd during its installation, and make
/boot/kernels 700 as well?  In my readings of nixpkgs/nixos, I haven't
gotten to the bottom of the rabbit hole and found out how nixos
modules *actually* have an effect on the world yet :).

Cheers,
Bryan
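As an added example that is not part of this thread or of nixpkgs: a small POSIX shell check for the leak Tuomas points out, i.e. a key that was inlined into a stage-1 script via `preLVMCommands` (or baked in via `extraUtilsCommands`) ending up in a world-readable file. The function names `find_leaked_key` and `make_sample_store` and the sample tree are constructed for this example; the directory passed as the store root stands in for `/nix/store`.

```shell
#!/bin/sh
# Added example (not from the thread or nixpkgs). Reports regular files under
# a store-like directory that are world-readable AND contain the keyfile's
# contents. Assumes only POSIX find, grep, mktemp, chmod and sort.

# find_leaked_key KEYFILE ROOT
#   -perm -004 : any file with the "other: read" bit set (world-readable)
#   grep -F -f : each line of KEYFILE is a literal pattern, so single- and
#                multi-line keyfiles both work. Note: a blank line in KEYFILE
#                would match every file, so strip blank lines first if needed.
find_leaked_key() {
    keyfile="$1"
    root="$2"
    find "$root" -type f -perm -004 -exec grep -lF -f "$keyfile" {} + 2>/dev/null | sort
    return 0
}

# make_sample_store
#   Builds a constructed fixture: a keyfile outside the "store", plus three
#   store paths: a world-readable stage-1 script that inlines the key the way
#   an `echo '${key}' >/key` in preLVMCommands would, a root-only copy of the
#   same script, and an unrelated world-readable file. Prints the temp dir.
make_sample_store() {
    tmp=$(mktemp -d)
    mkdir "$tmp/store"
    printf 'hunter2-constructed-key\n' > "$tmp/keyfile"

    # World-readable output path containing the plaintext key: the leak.
    printf "#!/bin/sh\necho 'hunter2-constructed-key' >/key\n" \
        > "$tmp/store/abc-stage-1-init.sh"
    chmod 644 "$tmp/store/abc-stage-1-init.sh"

    # Same content but mode 0600: not reachable by other users, so not reported.
    cp "$tmp/store/abc-stage-1-init.sh" "$tmp/store/def-root-only.sh"
    chmod 600 "$tmp/store/def-root-only.sh"

    # World-readable but without the key: not reported.
    printf 'nothing secret here\n' > "$tmp/store/ghi-unrelated.txt"
    chmod 644 "$tmp/store/ghi-unrelated.txt"

    printf '%s\n' "$tmp"
}

# Stand-alone demo: build the fixture, run the check, clean up.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_store)
    echo "world-readable files containing the key:"
    find_leaked_key "$d/keyfile" "$d/store"
    rm -rf "$d"
fi
```

Run `sh leakcheck.sh --demo` to see the fixture case; against a real system you would call `find_leaked_key /path/to/keyfile /nix/store` (as root, since the point is to find what *other* users can read). The check only matches plaintext: a key inside a compressed initrd image, or one obfuscated as described above, will not be found without first unpacking or reversing that step, which is exactly why that obfuscation is obscurity rather than protection.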