nixos: add support for dm-verity

Co-authored-by: nikstur <nikstur@outlook.com> Co-authored-by: WilliButz <willibutz@posteo.de>
2024-11-26 00:43:20 +00:00 · 2024-09-06 16:06:15 +02:00 · 2024-09-06 16:06:15 +02:00 · 5ee6467bd3
commit 5ee6467bd3
parent 3fe7fe4a14
3 changed files with 65 additions and 0 deletions
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@ -46,6 +46,9 @@
  If you experience any issues, please report them.
  The original Perl script can still be used for now by setting `system.switch.enableNg` to `false`.

+- Support for mounting filesystems from block devices protected with [dm-verity](https://docs.kernel.org/admin-guide/device-mapper/verity.html)
+  was added through the `boot.initrd.systemd.dmVerity` option.
+
 - The [Xen Hypervisor](https://xenproject.org) is once again available as a virtualisation option under [`virtualisation.xen`](#opt-virtualisation.xen.enable).
  - This release includes Xen [4.17.5](https://wiki.xenproject.org/wiki/Xen_Project_4.17_Release_Notes), [4.18.3](https://wiki.xenproject.org/wiki/Xen_Project_4.18_Release_Notes) and [4.19.0](https://wiki.xenproject.org/wiki/Xen_Project_4.19_Release_Notes), as well as support for booting the hypervisor on EFI systems.
  ::: {.warning}
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -1625,6 +1625,7 @@
  ./system/boot/stage-2.nix
  ./system/boot/systemd.nix
  ./system/boot/systemd/coredump.nix
+  ./system/boot/systemd/dm-verity.nix
  ./system/boot/systemd/initrd-secrets.nix
  ./system/boot/systemd/initrd.nix
  ./system/boot/systemd/journald.nix
--- a/nixos/modules/system/boot/systemd/dm-verity.nix
+++ b/nixos/modules/system/boot/systemd/dm-verity.nix
@ -0,0 +1,61 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.boot.initrd.systemd.dmVerity;
+in
+{
+  options = {
+    boot.initrd.systemd.dmVerity = {
+      enable = lib.mkEnableOption "dm-verity" // {
+        description = ''
+          Mount verity-protected block devices in the initrd.
+
+          Enabling this option allows to use `systemd-veritysetup` and
+          `systemd-veritysetup-generator` in the initrd.
+        '';
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = config.boot.initrd.systemd.enable;
+        message = ''
+          'boot.initrd.systemd.dmVerity.enable' requires 'boot.initrd.systemd.enable' to be enabled.
+        '';
+      }
+    ];
+
+    boot.initrd = {
+      availableKernelModules = [
+        "dm_mod"
+        "dm_verity"
+      ];
+
+      # dm-verity needs additional udev rules from LVM to work.
+      services.lvm.enable = true;
+
+      # The additional targets and store paths allow users to integrate verity-protected devices
+      # through the systemd tooling.
+      systemd = {
+        additionalUpstreamUnits = [
+          "veritysetup-pre.target"
+          "veritysetup.target"
+          "remote-veritysetup.target"
+        ];
+
+        storePaths = [
+          "${config.boot.initrd.systemd.package}/lib/systemd/systemd-veritysetup"
+          "${config.boot.initrd.systemd.package}/lib/systemd/system-generators/systemd-veritysetup-generator"
+        ];
+      };
+    };
+  };
+
+  meta.maintainers = with lib.maintainers; [
+    msanft
+    nikstur
+    willibutz
+  ];
+}