gador/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/luksroot: build pbkdf2-sha512 binary in its own derivation

Browse Source 
Since this feature's inception, we've compiled a binary that uses OpenSSL
to perform PBKDF-SHA512 during the extra-utils build. In addition to this
being inefficient, it broke as of 6ea1a2a1be,
which switched the extra-utils derivation to use stdenvNoCC.

For now, I think the path of least resistence is to move the pbkdf-sha512
build to its own derivation, to fix the breakage, as well as improving
the efficiency of the extra-utils build.

(I do believe that at some point, we should revisit this binary -- perhaps
rewriting it -- as Clang even just on its default settings emits more
warnings than you'd want to see in a security-related codebase when
compiling it.)
This commit is contained in:
Winter
2023-02-07 20:35:32 -05:00
committed by Florian Brandes
parent f48fc05f28
commit c6eea1fe9e
1 changed files with 9 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
nixos/modules/system/boot/luksroot.nix
View File

@@ -929,7 +929,14 @@ in
++ (if builtins.elem "xts" luks.cryptoModules then ["ecb"] else []); ++ (if builtins.elem "xts" luks.cryptoModules then ["ecb"] else []);
# copy the cryptsetup binary and it's dependencies # copy the cryptsetup binary and it's dependencies
boot.initrd.extraUtilsCommands = mkIf (!config.boot.initrd.systemd.enable) '' boot.initrd.extraUtilsCommands = let
pbkdf2-sha512 = pkgs.runCommandCC "pbkdf2-sha512" { buildInputs = [ pkgs.openssl ]; } ''
mkdir -p "$out/bin"
cc -O3 -lcrypto ${./pbkdf2-sha512.c} -o "$out/bin/pbkdf2-sha512"
strip -s "$out/bin/pbkdf2-sha512"
'';
in
mkIf (!config.boot.initrd.systemd.enable) ''
copy_bin_and_libs ${pkgs.cryptsetup}/bin/cryptsetup copy_bin_and_libs ${pkgs.cryptsetup}/bin/cryptsetup
copy_bin_and_libs ${askPass}/bin/cryptsetup-askpass copy_bin_and_libs ${askPass}/bin/cryptsetup-askpass
sed -i s,/bin/sh,$out/bin/sh, $out/bin/cryptsetup-askpass sed -i s,/bin/sh,$out/bin/sh, $out/bin/cryptsetup-askpass
@@ -939,9 +946,7 @@ in
copy_bin_and_libs ${pkgs.yubikey-personalization}/bin/ykinfo copy_bin_and_libs ${pkgs.yubikey-personalization}/bin/ykinfo
copy_bin_and_libs ${pkgs.openssl.bin}/bin/openssl copy_bin_and_libs ${pkgs.openssl.bin}/bin/openssl
cc -O3 -I${pkgs.openssl.dev}/include -L${lib.getLib pkgs.openssl}/lib ${./pbkdf2-sha512.c} -o pbkdf2-sha512 -lcrypto copy_bin_and_libs ${pbkdf2-sha512}/bin/pbkdf2-sha512
strip -s pbkdf2-sha512
copy_bin_and_libs pbkdf2-sha512
mkdir -p $out/etc/ssl mkdir -p $out/etc/ssl
cp -pdv ${pkgs.openssl.out}/etc/ssl/openssl.cnf $out/etc/ssl cp -pdv ${pkgs.openssl.out}/etc/ssl/openssl.cnf $out/etc/ssl