Re: [PATCH] DISCUSSION: Jookia's Libreboot+LUKS+LVM FDE patch.


From: Jookia
Subject: Re: [PATCH] DISCUSSION: Jookia's Libreboot+LUKS+LVM FDE patch.
Date: Fri, 11 Mar 2016 08:11:49 +1100
User-agent: Mutt/1.5.24 (2015-08-30)

On Thu, Mar 10, 2016 at 05:10:09PM +0100, Ludovic Courtès wrote:
> Jookia <address@hidden> skribis:
> 
> > So I've come up with the following hack commit that effectively
> > stops any sort of dependency management and adds some new targets
> > for LVM and LUKS with a keyfile.
> >
> > Here's my current setup, take note that order of mapped devices
> > matter since there's no dependency management:
> >
> >   (mapped-devices (list (mapped-device
> >                           (source "/dev/sda")
> >                           (target "hdd")
> >                           (type (luks-device-keyfile-mapping
> >                                   (local-file "/root/keyfile"))))
> >                         (mapped-device
> >                           (source "/dev/mapper/hdd")
> >                           (target "matrix")
> >                           (type lvm-device-mapping))))
> >
> >   (file-systems (cons (file-system
> >                         (device "/dev/mapper/matrix-root")
> >                         (title 'device)
> >                         (mount-point "/")
> >                         (type "ext4"))
> >                       %base-file-systems))
> >
> >   (swap-devices '("/dev/mapper/matrix-swap"))
> 
> As you note, and as discussed on IRC, this is not OK because the private
> key ends up being stored world-readable in the store.  :-/

That's one thing to talk about: store permissions and what to do about them. I
also have another situation where I want to run a container with an OpenVPN
service, but I'd have to pass credentials to them somehow. It's tricky to do
this on NixOS because I'd have to edit the container files which means I now
have state not only in /etc but in my containers too!

Setting permissions to just 'root' might be a bit bad if a container's 'root' also
gets to read it, or containers can read each other's 'root' values.

> Am I missing the part you wanted to discuss?

I'd really like to discuss how much I needed to break to get the mapped-devices,
file-systems and swap-devices to just 'work'. I even had to make a function to
return a mapped-device type, and have swap-devices not do dependency tests since
I technically don't use a device I've defined.

It'd be much much better if I could do something like this in my services:

  (devices (list (file-system
                   (uses '("/dev/matrix/root"))
                   (creates '("/"))
                   (device "/dev/matrix/root")
                   (mount-point "/")
                   (type "ext4"))
                 (swap-device
                   (uses '("/dev/mapper/matrix-swap"))
                   (creates '())
                   (device "/dev/mapper/matrix-swap"))
                 (lvm-device
                   (uses '("/dev/mapper/hdd" "/dev/sdb"))
                   (creates '("/dev/matrix/"
                              "/dev/mapper/matrix-swap"))
                   (devices '("/dev/mapper/hdd" "/dev/sdb")))
                 (luks-device
                   (uses '("UUID=4dab5feb-d176-45de-b287-9b0a6e4c01cb"))
                   (creates '("/dev/mapper/hdd"))
                   (device "UUID=4dab5feb-d176-45de-b287-9b0a6e4c01cb")
                   (name "hdd")
                   (key-file "..."))))

The issue is that it has a lot of duplicate information as I'm not sure
uses/creates could always map to device/mount-point, like LUKS names. But this
should satisfy most dependency issues automatically, I hope.

> Thanks,
> Ludo’.
> 
> PS: I still intend to look at the patch series you sent ;-), just
>     prioritizing things that relate to 0.9.1.

That's fine. :)
Jookia.