| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
| |
Add a sync command just after writing to the /crypt-storage file in order to reduce
the possibilities of corruption errors.
|
| | |
|
| | |
|
| |
|
| |
https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Disable_workqueue_for_increased_solid_state_drive_(SSD)_performance
|
| | |
|
| | |
|
| |
|
|
| |
Also remove interactive flag from initrd, because of broken io.
|
| |\
| |
| | |
treewide: completely remove types.loaOf
|
| | | |
|
| |\ \
| |/
|/| |
treewide: fix modules options types where the default is null
|
| | |
| |
| |
| |
| | |
They can be caught with `nixos-option -r` on an empty ({...}:{}) NixOS
configuration.
|
| |\ \
| | |
| | | |
boot.initrd.luks: remove x86_64/i586 AES modules
|
| | |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Commit 1d2c3279311e4f03fcf164e1366f2fda9f4bfccf in the upstream kernel
repository removed support for the scalar x86_64 and i586 AES
assembly implementations, since the generic AES implementation generated
by the compiler is faster for both platforms. Remove the modules from
the cryptoModules list. This causes a regression for kernel versions
>=5.4 which include the removal. This should have no negative impact on
AES performance on older kernels since the generic implementation should
be faster there as well since the implementation was hardly touched from
its initial submission.
Fixes #84842
|
| |/ |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
A centralized list for these renames is not good because:
- It breaks disabledModules for modules that have a rename defined
- Adding/removing renames for a module means having to find them in the
central file
- Merge conflicts due to multiple people editing the central file
|
| | |
|
| |
|
|
|
|
|
|
| |
This is needed for tcrypt and the benchmark subcommand. If enabled,
it is also used to unlock LUKS2 volumes and therefore the kernel modules
providing this feature need to be available in our initrd.
Fixes #42163. #54019.
|
| | |
|
| |
|
|
| |
Needed since 2.0.0
Changed to /run/cryptsetup from /run/lock/cryptsetup in 2.0.1
|
| | |
|
| |
|
|
|
|
| |
This reverts commit 9cd4ce98bfc11292fbebc6b85d14bb386e82c9a8.
This might be broken for some people: https://github.com/NixOS/nixpkgs/pull/50281#issuecomment-443516289
|
| |
|
|
|
|
|
| |
The new reuse behaviour is cool and really useful but it breaks one of
my use cases. When using kexec, I have a script which will unlock the
disks in my initrd. However, do_open_passphrase will fail if the disk is
already unlocked.
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
It is deprecated and will be removed after 18.09.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
From reading the source I'm pretty sure it doesn't support multiple Yubikeys, hence
those options are useless.
Also, I'm pretty sure nobody actually uses this feature, because enabling it causes
extra utils' checks to fail (even before applying any patches of this branch).
As I don't have the hardware to test this, I'm too lazy to fix the utils, but
I did test that with extra utils checks commented out and Yubikey
enabled the resulting script still passes the syntax check.
|
| |
|
|
|
|
|
|
|
|
|
| |
Also reuse common cryptsetup invocation subexpressions.
- Passphrase reading is done via the shell now, not by cryptsetup.
This way the same passphrase can be reused between cryptsetup
invocations, which this module now tries to do by default (can be
disabled).
- Number of retries is now infinity, it makes no sense to make users
reboot when they fail to type in their passphrase.
|
| |
|
|
| |
Also fix Yubikey timeout handling mess.
|
| | |
|
| | |
|
| |
|
|
|
| |
Since f2a9f9aeab5016d28ab4bcf6da81924ceecdd676, we already load
"input_leds", so this comment isn't useful anymore.
|
| |\
| |
| | |
nixos/luksroot.nix: fallback to interactive password entry when no keyfile found
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This option, if set to true, enables fallbacking to an interactive
passphrase prompt when the specified keyFile is not found.
The default is false, which is compatible with previous behavior and
doesn't prevent unattended boot.
|
| | | |
|
| | | |
|
| | | |
|
| |/
|
|
|
|
|
| |
To get working caps lock lights already at stage 1, the input_leds
module needs to be loaded.
Closes #12456.
|
| |
|
|
|
|
|
|
|
|
|
| |
Boot fails when a keyfile is configured for all encrypted filesystems
and no other luks devices are configured. This is because luks support is only
enabled in the initrd, when boot.initrd.luks.devices has entries. When a
fileystem has a keyfile configured though, it is setup by a custom
command, not by boot.initrd.luks.
This commit adds an internal config flag to enable luks support in the
initrd file, even if there are no luks devices configured.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
The LUKS header can be on another device (e.g. a USB stick). In my case
it can take up to two seconds until the partition on my USB stick is
available (i.e. the decryption fails without this patch). This will also
remove some redundancy by providing the shell function `wait_target` and
slightly improve the output (one "." per second and a success/failure
indication after 10 seconds instead of always printing "ok").
|
| |
|
|
| |
Looks like this accidentally got packaged twice.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
This reverts commit c69c76ca7efecba24aba555c2a03f933997d1fd5.
This patch was messed up during a rebase -- the commit title doesn't match what
it really does at all (it is actually a broken attempt to get LUKS passphrase
prompts in Plymouth).
|