Merge pull request #230153 from mklca/swap-encrypt-enhancement

nixos/config/swap: improve randomEncrytion
This commit is contained in:
Ryan Lahfa 2023-05-14 19:01:56 +02:00 committed by GitHub
commit 285330f081
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 137 additions and 3 deletions

View File

@ -385,6 +385,26 @@ In addition to numerous new and upgraded packages, this release has the followin
- `nextcloud` has an option to enable SSE-C in S3.
- NixOS swap partitions with random encryption can now control the sector size, cipher, and key size used to setup the plain encryption device over the
underlying block device rather than allowing them to be determined by `cryptsetup(8)`. One can use these features like so:
```nix
{
swapDevices = [
{
device = "/dev/disk/by-partlabel/swapspace";
randomEncryption = {
enable = true;
cipher = "aes-xts-plain64";
keySize = 512;
sectorSize = 4096;
};
}
];
}
```
- `services.peertube` now requires you to specify the secret file `secrets.secretsFile`. It can be generated by running `openssl rand -hex 32`.
Before upgrading, read the release notes for PeerTube:
- [Release v5.0.0](https://github.com/Chocobozzz/PeerTube/releases/tag/v5.0.0)

View File

@ -38,6 +38,34 @@ let
'';
};
keySize = mkOption {
default = null;
example = "512";
type = types.nullOr types.int;
description = lib.mdDoc ''
Set the encryption key size for the plain device.
If not specified, the amount of data to read from `source` will be
determined by cryptsetup.
See `cryptsetup-open(8)` for details.
'';
};
sectorSize = mkOption {
default = null;
example = "4096";
type = types.nullOr types.int;
description = lib.mdDoc ''
Set the sector size for the plain encrypted device type.
If not specified, the default sector size is determined from the
underlying block device.
See `cryptsetup-open(8)` for details.
'';
};
source = mkOption {
default = "/dev/urandom";
example = "/dev/random";
@ -157,11 +185,11 @@ let
};
config = rec {
config = {
device = mkIf options.label.isDefined
"/dev/disk/by-label/${config.label}";
deviceName = lib.replaceStrings ["\\"] [""] (escapeSystemdPath config.device);
realDevice = if config.randomEncryption.enable then "/dev/mapper/${deviceName}" else config.device;
realDevice = if config.randomEncryption.enable then "/dev/mapper/${config.deviceName}" else config.device;
};
};
@ -247,7 +275,12 @@ in
''}
${optionalString sw.randomEncryption.enable ''
cryptsetup plainOpen -c ${sw.randomEncryption.cipher} -d ${sw.randomEncryption.source} \
${optionalString sw.randomEncryption.allowDiscards "--allow-discards"} ${sw.device} ${sw.deviceName}
'' + concatMapStrings (arg: arg + " \\\n") (flatten [
(optional (sw.randomEncryption.sectorSize != null) "--sector-size=${toString sw.randomEncryption.sectorSize}")
(optional (sw.randomEncryption.keySize != null) "--key-size=${toString sw.randomEncryption.keySize}")
(optional sw.randomEncryption.allowDiscards "--allow-discards")
]) + ''
${sw.device} ${sw.deviceName}
mkswap ${sw.realDevice}
''}
'';

View File

@ -689,6 +689,7 @@ in {
sudo = handleTest ./sudo.nix {};
swap-file-btrfs = handleTest ./swap-file-btrfs.nix {};
swap-partition = handleTest ./swap-partition.nix {};
swap-random-encryption = handleTest ./swap-random-encryption.nix {};
sway = handleTest ./sway.nix {};
switchTest = handleTest ./switch-test.nix {};
sympa = handleTest ./sympa.nix {};

View File

@ -0,0 +1,80 @@
import ./make-test-python.nix ({ lib, pkgs, ... }:
{
name = "swap-random-encryption";
nodes.machine =
{ config, pkgs, lib, ... }:
{
environment.systemPackages = [ pkgs.cryptsetup ];
virtualisation.useDefaultFilesystems = false;
virtualisation.rootDevice = "/dev/vda1";
boot.initrd.postDeviceCommands = ''
if ! test -b /dev/vda1; then
${pkgs.parted}/bin/parted --script /dev/vda -- mklabel msdos
${pkgs.parted}/bin/parted --script /dev/vda -- mkpart primary 1MiB -250MiB
${pkgs.parted}/bin/parted --script /dev/vda -- mkpart primary -250MiB 100%
sync
fi
FSTYPE=$(blkid -o value -s TYPE /dev/vda1 || true)
if test -z "$FSTYPE"; then
${pkgs.e2fsprogs}/bin/mke2fs -t ext4 -L root /dev/vda1
fi
'';
virtualisation.fileSystems = {
"/" = {
device = "/dev/disk/by-label/root";
fsType = "ext4";
};
};
swapDevices = [
{
device = "/dev/vda2";
randomEncryption = {
enable = true;
cipher = "aes-xts-plain64";
keySize = 512;
sectorSize = 4096;
};
}
];
};
testScript = ''
machine.wait_for_unit("multi-user.target")
with subtest("Swap is active"):
# Doesn't matter if the numbers reported by `free` are slightly off due to unit conversions.
machine.succeed("free -h | grep -E 'Swap:\s+2[45][0-9]Mi'")
with subtest("Swap device has 4k sector size"):
import json
result = json.loads(machine.succeed("lsblk -Jo PHY-SEC,LOG-SEC /dev/mapper/dev-vda2"))
block_devices = result["blockdevices"]
if len(block_devices) != 1:
raise Exception ("lsblk output did not report exactly one block device")
swapDevice = block_devices[0];
if not (swapDevice["phy-sec"] == 4096 and swapDevice["log-sec"] == 4096):
raise Exception ("swap device does not have the sector size specified in the configuration")
with subtest("Swap encrypt has assigned cipher and keysize"):
import re
results = machine.succeed("cryptsetup status dev-vda2").splitlines()
cipher_pattern = re.compile(r"\s*cipher:\s+aes-xts-plain64\s*")
if not any(cipher_pattern.fullmatch(line) for line in results):
raise Exception ("swap device encryption does not use the cipher specified in the configuration")
key_size_pattern = re.compile(r"\s*keysize:\s+512\s+bits\s*")
if not any(key_size_pattern.fullmatch(line) for line in results):
raise Exception ("swap device encryption does not use the key size specified in the configuration")
'';
})