
Commit f2d4179

emilazylukateras
authored andcommitted
nixos/stage-1: check secret paths before copying
Fixes #84976. (cherry picked from commit 91c6809)
1 parent 0e48b50 commit f2d4179

1 file changed

Lines changed: 21 additions & 0 deletions

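--- a/nixos/modules/system/boot/stage-1.nix
+++ b/nixos/modules/system/boot/stage-1.nix
@@ -137,6 +137,8 @@ let
 ''}
 
 # Copy secrets if needed.
+#
+# TODO: move out to a separate script; see #85000.
 ${optionalString (!config.boot.loader.supportsInitrdSecrets)
 (concatStringsSep "\n" (mapAttrsToList (dest: source:
 let source' = if source == null then dest else source; in
@@ -565,6 +567,25 @@ in
 message = "boot.resumeDevice has to be an absolute path."
 + " Old \"x:y\" style is no longer supported.";
 }
+# TODO: remove when #85000 is fixed
+{ assertion = !config.boot.loader.supportsInitrdSecrets ->
+all (source:
+builtins.isPath source ||
+(builtins.isString source && hasPrefix source builtins.storeDir))
+(attrValues config.boot.initrd.secrets);
+message = ''
+boot.loader.initrd.secrets values must be unquoted paths when
+using a bootloader that doesn't natively support initrd
+secrets, e.g.:
+
+boot.initrd.secrets = {
+"/etc/secret" = /path/to/secret;
+};
+
+Note that this will result in all secrets being stored
+world-readable in the Nix store!
+'';
+}
 ];
 
 system.build =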
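Review bot: The store-path check on new line 574 has hasPrefix's arguments reversed: lib.hasPrefix takes the prefix first, so `hasPrefix source builtins.storeDir` asks whether builtins.storeDir starts with the secret's path and rejects every string-typed store path that the message says is acceptable. The intended test is `(builtins.isString source && hasPrefix builtins.storeDir source))`. The message on line 577 also names the option `boot.loader.initrd.secrets`, while the example below it and the attrValues call on line 575 use `boot.initrd.secrets`, so the error text should be `boot.initrd.secrets values must be unquoted paths when`. A null value, which the first hunk maps to dest, is neither a path nor a string and so also trips this assertion; that looks intended, since such a host path cannot be copied at build time, but the message does not say so. The assertions list this hunk extends begins outside the hunk.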
