Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/bcachefs: support unlock with clevis in systemd stage 1 #295736

Merged
merged 2 commits into from
Apr 7, 2024
Merged

nixos/bcachefs: support unlock with clevis in systemd stage 1 #295736

merged 2 commits into from
Apr 7, 2024

Conversation

mjm
Copy link
Contributor

@mjm mjm commented Mar 13, 2024

Description of changes

Update the unlock script for bcachefs devices to attempt to use Clevis to unlock, as currently this only works in scripted stage 1.

I tested it on my Framework 13 by using PCR 7 and toggling whether SecureBoot was enabled. With it enabled, I wasn't prompted for my passphrase and booted to my display manager without input. With SecureBoot disabled, the unlock with Clevis failed and I was prompted for my passphrase.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Mar 13, 2024
@mjm mjm requested a review from JulienMalka March 13, 2024 23:49
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels Mar 14, 2024
ElvishJerricco
ElvishJerricco reviewed Mar 24, 2024
View reviewed changes
Copy link
Contributor

@ElvishJerricco ElvishJerricco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks fine to me, though I haven't tested it in any way. Maybe we should add the clevisBcachefs test to nixos/tests/installer-systemd-stage-1.nix?

@JulienMalka
Copy link
Member

I'll test this on my device during this week

@JulienMalka
Copy link
Member

I tested the change on physical hardware, works for me.

@JulienMalka
Copy link
Member

Some of clevis tests are broken currently so I was not able to add the tests so far.

ElvishJerricco
ElvishJerricco previously requested changes Apr 2, 2024
View reviewed changes
Copy link
Contributor

@ElvishJerricco ElvishJerricco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@JulienMalka

Some of clevis tests are broken currently so I was not able to add the tests so far.

I think that's a blocker.

@ElvishJerricco
Copy link
Contributor

Sounds like #300757 will fix the test. Let's add the test in this PR after that's merged.

@JulienMalka JulienMalka force-pushed the bcachefs-clevis-systemd branch from cdaae3d to 5afb7f3 Compare April 5, 2024 15:25
JulienMalka
JulienMalka approved these changes Apr 5, 2024
View reviewed changes
Copy link
Member

@JulienMalka JulienMalka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#300757 has landed, rebased on master and added the two tests.
Tested on local hardware for a week, tests are going through, LGTM.

@wegank wegank added the 12.approvals: 1 This PR was reviewed and approved by one reputable person label Apr 6, 2024
@JulienMalka JulienMalka merged commit 668834f into NixOS:master Apr 7, 2024
22 checks passed
@mjm mjm deleted the bcachefs-clevis-systemd branch April 15, 2024 06:20
@mjm mjm mentioned this pull request May 4, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JulienMalka JulienMalka JulienMalka approved these changes

@ElvishJerricco ElvishJerricco ElvishJerricco left review comments

Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 12.approvals: 1 This PR was reviewed and approved by one reputable person
Projects
Bcachefs
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mjm @JulienMalka @ElvishJerricco @wegank