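--- a/pkgs/os-specific/linux/cryptsetup/default.nix
+++ b/pkgs/os-specific/linux/cryptsetup/default.nix
@@ -13,8 +13,12 @@ stdenv.mkDerivation rec {
 sha256 = "sha256-/A35RRiBciZOxb8dC9oIJk+tyKP4VtR+upHzH+NUtQc=";
 };
 
-# Disable 4 test cases that fail in a sandbox
-patches = [ ./disable-failing-tests.patch ];
+patches = [
+# Disable 4 test cases that fail in a sandbox
+./disable-failing-tests.patch
+# Allow reading tokens from a relative path, see #167994
+./relative-token-path.patch
+];
 
 postPatch = ''
 patchShebangs tests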
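--- /dev/null
+++ b/pkgs/os-specific/linux/cryptsetup/relative-token-path.patch
@@ -0,0 +1,18 @@
+diff --git a/lib/luks2/luks2_token.c b/lib/luks2/luks2_token.c
+index 88d84418..ed3a079b 100644
+--- a/lib/luks2/luks2_token.c
++++ b/lib/luks2/luks2_token.c
+@@ -151,12 +151,10 @@ crypt_token_load_external(struct crypt_device *cd, const char *name, struct cryp
+
+token = &ret->u.v2;
+
+- r = snprintf(buf, sizeof(buf), "%s/libcryptsetup-token-%s.so", crypt_token_external_path(), name);
++ r = snprintf(buf, sizeof(buf), "libcryptsetup-token-%s.so", name);
+if (r < 0 || (size_t)r >= sizeof(buf))
+return -EINVAL;
+
+- assert(*buf == '/');
+-
+log_dbg(cd, "Trying to load %s.", buf);
+
+h = dlopen(buf, RTLD_LAZY);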
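Review bot: Replacing the `crypt_token_external_path()`-prefixed path with a bare `libcryptsetup-token-%s.so` and deleting `assert(*buf == '/')` turns the `dlopen` two lines below into a search-path load, so which plugin gets mapped into the process now depends on the caller's rpath/runpath, `LD_LIBRARY_PATH` and the loader defaults instead of one fixed directory. Token plugins execute inside whatever privileged process is unlocking the volume, which is why upstream pinned the path; relocating the directory is better done through cryptsetup's configure-time external token path (`--with-luks2-external-tokens-path`, in releases that ship external tokens) so the absolute-path check stays in place. If the relative load is kept on purpose, the patch file should open with a header stating it, e.g. `Token plugins resolve through the dynamic loader's search path rather than a fixed directory; the consumer must control that path.`, and the one-line comment introducing the patch in default.nix should say the same. `crypt_token_load_external` begins and ends outside this hunk.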
17 changes: 10 additions & 7 deletions pkgs/os-specific/linux/systemd/default.nix
Expand Up @@ -7,6 +7,7 @@
, fetchpatch
, fetchzip
, buildPackages
, makeBinaryWrapper
, ninja
, meson
, m4
Expand Down Expand Up @@ -345,6 +346,7 @@ stdenv.mkDerivation {
nativeBuildInputs =
[
pkg-config
makeBinaryWrapper
gperf
ninja
meson
Expand Down Expand Up @@ -641,12 +643,6 @@ stdenv.mkDerivation {
'';

postInstall = ''
# sysinit.target: Don't depend on
# systemd-tmpfiles-setup.service. This interferes with NixOps's
# send-keys feature (since sshd.service depends indirectly on
# sysinit.target).
mv $out/lib/systemd/system/sysinit.target.wants/systemd-tmpfiles-setup-dev.service $out/lib/systemd/system/multi-user.target.wants/

mkdir -p $out/example/systemd
mv $out/lib/{modules-load.d,binfmt.d,sysctl.d,tmpfiles.d} $out/example
mv $out/lib/systemd/{system,user} $out/example/systemd
Expand Down Expand Up @@ -674,7 +670,14 @@ stdenv.mkDerivation {
preFixup = lib.optionalString withEfi ''
mv $out/lib/systemd/boot/efi $out/dont-strip-me
'';
postFixup = lib.optionalString withEfi ''

postFixup = ''
# Wrap in the correct path for LUKS2 tokens. Must be after the fixup phase
# or the rpath cleanup removes the directories again.
This comment doesn't look right. Down there, we set LD_LIBRARY_PATH, not set rpath. Also, I'd propose moving the comment above postFixup, so iterating on the comment itself doesn't trigger rebuilds.

for f in lib/systemd/systemd-cryptsetup bin/systemd-cryptenroll; do
wrapProgram $out/$f --prefix LD_LIBRARY_PATH : ${placeholder "out"}/lib/cryptsetup

Why do we need to set LD_LIBRARY_PATH? I was under the assumption that ${systemd}/lib being in rpath of all systemd binaries calling out libcryptsetup code is sufficient…


No, ${systemd}/lib is not the same thing as ${systemd}/lib/cryptsetup


So patchelf --add-rpath, and disable the rpath trimming?


Agreed. LD_LIBRARY_PATH is not the solution.

Also, in systemdMinimal, these executables don't exist, so the build fails.

done
'' + lib.optionalString withEfi ''
mv $out/dont-strip-me $out/lib/systemd/boot/efi
'';

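Review bot: The `wrapProgram` line in the postFixup hunk refers to the same store path two ways, `$out/$f` and `${placeholder "out"}/lib/cryptsetup`; inside a build phase `$out` is already set, and the neighbouring `mv $out/dont-strip-me …` line uses it, so `wrapProgram "$out/$f" --prefix LD_LIBRARY_PATH : "$out/lib/cryptsetup"` is both consistent with the rest of the phase and quoted against word-splitting. `--prefix` also places the plugin directory ahead of any `LD_LIBRARY_PATH` entries the invoking process already carries, and the variable is inherited by every child the wrapped binary starts; if that precedence and inheritance are intended, the comment above the loop should state it rather than leave it implicit. The `postFixup` attribute begins inside this hunk, but the enclosing derivation closes outside it.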