Add full disk encryption to image module

jmbaur · Jan 5, 2024 · 1118a78 · 1118a78
1 parent e4b26c5
commit 1118a78
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 16 deletions.
diff --git a/checks.nix b/checks.nix
@@ -2,9 +2,10 @@ inputs:
 inputs.nixpkgs.lib.mapAttrs
   (_: pkgs: {
     inherit (pkgs.callPackage ./tests/image.nix { })
-      image-simple-immutable
-      image-simple-mutable
-      # image-luks-encrypted
+      image-immutable
+      image-mutable
+      image-unencrypted
+      image-tpm2-encrypted
       ;
   })
   inputs.self.legacyPackages
diff --git a/flake.lock b/flake.lock
diff --git a/nixos-modules/image/default.nix b/nixos-modules/image/default.nix
@@ -5,6 +5,8 @@ let
 
   maxUsrSize = cfg.immutableMaxSize;
   maxUsrHashSize = maxUsrSize / 8;
+
+  encrypt = if cfg.encrypt then (if cfg.hasTpm2 then "tpm2" else "key-file") else "none";
 in
 {
   options.custom.image = with lib; {
@@ -19,6 +21,8 @@ in
 
     hasTpm2 = mkEnableOption "TODO";
 
+    encrypt = mkEnableOption "TODO" // { default = true; };
+
     mutableNixStore = mkEnableOption "TODO";
 
     postImageCommands = mkOption {
@@ -81,6 +85,10 @@ in
 
       # Tell systemd to not automount anything on /usr. We don't
       # actually have a /usr mount in our fstab...
+      #
+      # TODO(jared): we should be using the SD_GPT_FLAG_NO_AUTO partition flag
+      # to indicate that the partition should not be auto-mounted. See
+      # https://uapi-group.org/specifications/specs/discoverable_partitions_specification/#partition-attribute-flags
       "mount.usr=fstab"
     ];
 
@@ -150,7 +158,13 @@ in
         repart.device = cfg.primaryDisk;
       };
 
-      availableKernelModules = [ "dm-verity" ] ++ lib.optional cfg.mutableNixStore "overlay";
+      availableKernelModules = [
+        "dm_verity"
+
+        # systemd-repart wants to use loop devices for doing "online" partition
+        # creation
+        "loop"
+      ] ++ lib.optional cfg.mutableNixStore "overlay";
     };
 
     systemd.repart.partitions = {
@@ -193,18 +207,27 @@ in
         Format = "btrfs";
         FactoryReset = true;
         MakeDirectories = lib.mkIf cfg.mutableNixStore (toString [ "/nix/.rw-store/store" "/nix/.rw-store/work" ]);
-        # TODO(jared): doesn't work?
-        # Encrypt = if cfg.hasTpm2 then "tpm2" else "off";
+        Encrypt = encrypt;
       };
     };
 
+    boot.initrd.luks.devices.root = lib.mkIf cfg.encrypt {
+      device = "/dev/disk/by-partlabel/${config.systemd.repart.partitions."30-root".Label}";
+      crypttabExtraOpts = lib.optional cfg.hasTpm2 "tpm2-device=auto";
+      tryEmptyPassphrase = !cfg.hasTpm2;
+    };
+
     # enable zram by default since we don't create any swap partitions
     zramSwap.enable = lib.mkDefault true;
 
     fileSystems."/" = {
-      device = "/dev/disk/by-partlabel/${config.systemd.repart.partitions."30-root".Label}";
       fsType = config.systemd.repart.partitions."30-root".Format;
       options = [ "compress=zstd" "noatime" "defaults" ];
+      device =
+        if cfg.encrypt then
+          "/dev/mapper/root"
+        else
+          "/dev/disk/by-partlabel/${config.systemd.repart.partitions."30-root".Label}";
     };
     fileSystems."/nix/.ro-store" = {
       device = "/dev/mapper/usr";

diff --git a/nixos-modules/image/image.nix b/nixos-modules/image/image.nix
@@ -23,6 +23,8 @@
 }:
 
 let
+  iniFormat = formats.ini { };
+
   seed = "39c4020e-af73-434a-93e4-7e37fdcc7f96";
 
   bootPartition = partitions."10-boot" // { };
@@ -50,9 +52,9 @@ let
   systemdArchitecture = builtins.replaceStrings [ "_" ] [ "-" ] stdenv.hostPlatform.linuxArch;
   closure = closureInfo { rootPaths = [ toplevel ]; };
 
-  bootPartitionConfig = (formats.ini { }).generate "10-boot.conf" { Partition = bootPartition; };
-  dataPartitionConfig = (formats.ini { }).generate "20-usr-a.conf" { Partition = dataPartition; };
-  hashPartitionConfig = (formats.ini { }).generate "20-usr-a-hash.conf" { Partition = hashPartition; };
+  bootPartitionConfig = iniFormat.generate "10-boot.conf" { Partition = bootPartition; };
+  dataPartitionConfig = iniFormat.generate "20-usr-a.conf" { Partition = dataPartition; };
+  hashPartitionConfig = iniFormat.generate "20-usr-a-hash.conf" { Partition = hashPartition; };
 in
 stdenv.mkDerivation {
   name = "nixos-image-${imageName}";

diff --git a/tests/image.nix b/tests/image.nix
@@ -16,6 +16,7 @@ let
     # Make the qemu-vm.nix module use what is found under
     # `config.fileSystems`.
     virtualisation.fileSystems = lib.mkForce { };
+    virtualisation.useDefaultFilesystems = false;
 
     custom.image = {
       enable = true;
@@ -68,6 +69,8 @@ lib.mapAttrs'
       # Set NIX_DISK_IMAGE so that the qemu script finds the right disk image.
       os.environ['NIX_DISK_IMAGE'] = tmp_disk_image.name
 
+      machine.start(allow_reboot=True)
+
       bootctl_status = machine.succeed("bootctl status")
 
       def disk_size(partlabel):
@@ -99,9 +102,10 @@ lib.mapAttrs'
     '';
   }))
 {
-  simple-immutable = { };
-  simple-mutable = { custom.image.mutableNixStore = true; };
-  luks-encrypted = {
+  immutable = { };
+  mutable = { custom.image.mutableNixStore = true; };
+  unencrypted = { custom.image.encrypt = false; };
+  tpm2-encrypted = {
     virtualisation.tpm.enable = true;
     custom.image.hasTpm2 = true;
   };