Unverified Commit 2ff3306c authored by Will Fancher's avatar Will Fancher Committed by GitHub

Revert "nixos: support dm-verity" (#339886)

parents 8edc6689 5a575e88
+0 −3
@@ -34,9 +34,6 @@
  Users that want to keep PulseAudio will want to set `services.pipewire.enable = false;` and `hardware.pulseaudio.enable = true;`.
  There is currently no plan to fully deprecate and remove PulseAudio, however, PipeWire should generally be preferred for new installs.

- Support for mounting filesystems from block devices protected with [dm-verity](https://docs.kernel.org/admin-guide/device-mapper/verity.html)
  was added through the `boot.initrd.systemd.dmVerity` option.

## New Modules {#sec-release-24.11-new-modules}

- [TaskChampion Sync-Server](https://github.com/GothenburgBitFactory/taskchampion-sync-server), a [Taskwariror 3](https://taskwarrior.org/docs/upgrade-3/) sync server, replacing Taskwarrior 2's sync server named [`taskserver`](https://github.com/GothenburgBitFactory/taskserver).
+0 −1
@@ -1622,7 +1622,6 @@
  ./system/boot/stage-2.nix
  ./system/boot/systemd.nix
  ./system/boot/systemd/coredump.nix
  ./system/boot/systemd/dm-verity.nix
  ./system/boot/systemd/initrd-secrets.nix
  ./system/boot/systemd/initrd.nix
  ./system/boot/systemd/journald.nix
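--- a/nixos/modules/system/boot/systemd/dm-verity.nix
+++ b/nixos/modules/system/boot/systemd/dm-verity.nix
@@ -1,65 +0,0 @@
-{ config, lib, ... }:
-
-let
-  cfg = config.boot.initrd.systemd.dmVerity;
-in
-{
-  options = {
-    boot.initrd.systemd.dmVerity = {
-      enable = lib.mkEnableOption "dm-verity" // {
-        description = ''
-          Mount verity-protected block devices in the initrd.
-
-          Enabling this option allows to use `systemd-veritysetup` and
-          `systemd-veritysetup-generator` in the initrd.
-        '';
-      };
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    assertions = [
-      {
-        assertion = cfg.enable -> config.boot.initrd.systemd.enable;
-        message = ''
-          'boot.initrd.systemd.dmVerity.enable' requires 'boot.initrd.systemd.enable' to be enabled.
-        '';
-      }
-    ];
-
-    boot.initrd = {
-      availableKernelModules = [
-        # For documentation, see https://docs.kernel.org/admin-guide/device-mapper/dm-init.html
-        "dm_mod"
-        # For documentation, see:
-        # - https://docs.kernel.org/admin-guide/device-mapper/verity.html
-        # - https://gitlab.com/cryptsetup/cryptsetup/-/wikis/DMVerity
-        "dm_verity"
-      ];
-
-      # dm-verity needs additional udev rules from LVM to work.
-      services.lvm.enable = true;
-
-      # The additional targets and store paths allow users to integrate verity-protected devices
-      # through the systemd tooling.
-      systemd = {
-        additionalUpstreamUnits = [
-          # https://github.com/systemd/systemd/blob/main/units/veritysetup-pre.target
-          "veritysetup-pre.target"
-          # https://github.com/systemd/systemd/blob/main/units/veritysetup.target
-          "veritysetup.target"
-          # https://github.com/systemd/systemd/blob/main/units/remote-veritysetup.target
-          "remote-veritysetup.target"
-        ];
-
-        storePaths = [
-          # These are the two binaries mentioned in https://github.com/systemd/systemd/blob/main/src/veritysetup/meson.build; there are no others.
-          "${config.boot.initrd.systemd.package}/lib/systemd/systemd-veritysetup"
-          "${config.boot.initrd.systemd.package}/lib/systemd/system-generators/systemd-veritysetup-generator"
-        ];
-      };
-    };
-  };
-
-  meta.maintainers = [ lib.maintainers.msanft ];
-}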
+4 −7
@@ -218,7 +218,7 @@ in {
    };

    root = lib.mkOption {
      type = lib.types.nullOr (lib.types.enum [ "fstab" "gpt-auto" ]);
      type = lib.types.enum [ "fstab" "gpt-auto" ];
      default = "fstab";
      example = "gpt-auto";
      description = ''
@@ -227,9 +227,6 @@ in {
        allow specifying the root file system itself this
        way. Instead, the `fstab` value is used in order to interpret
        the root file system specified with the `fileSystems` option.

        If the root FS is mounted by other means, such as systemd generators other than
        `fstab`, `gpt-auto` or a custom generator, set this to `null`.
      '';
    };

@@ -401,9 +398,9 @@ in {
    ++ lib.optional (cfg.enableTpm2 && !(pkgs.stdenv.hostPlatform.isRiscV64 || pkgs.stdenv.hostPlatform.isArmv7)) "tpm-crb"
    ++ lib.optional cfg.package.withEfi "efivarfs";

    boot.kernelParams =
      lib.optional (config.boot.initrd.systemd.root != null) "root=${config.boot.initrd.systemd.root}"
      ++ lib.optional (config.boot.resumeDevice != "") "resume=${config.boot.resumeDevice}"
    boot.kernelParams = [
      "root=${config.boot.initrd.systemd.root}"
    ] ++ lib.optional (config.boot.resumeDevice != "") "resume=${config.boot.resumeDevice}"
      # `systemd` mounts root in initrd as read-only unless "rw" is on the kernel command line.
      # For NixOS activation to succeed, we need to have root writable in initrd.
      ++ lib.optional (config.boot.initrd.systemd.root == "gpt-auto") "rw";
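Review bot: Restoring `type = lib.types.enum [ "fstab" "gpt-auto" ];` on the `root` option means any configuration that set `boot.initrd.systemd.root = null` (the form the removed description lines documented for custom generators) now fails with a generic enum type error, and the release-notes hunk in this commit only removes the dm-verity paragraph without saying the value is no longer accepted. If the nullable form reached any channel before this revert, a one-line entry in the 24.11 release notes, or a rationale in the commit description beyond the bare "Revert", would save the next reader a bisect. The `root` option declaration and the `boot.kernelParams` assignment both extend beyond the hunks shown here.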
+0 −1
@@ -259,7 +259,6 @@ in {
  dhparams = handleTest ./dhparams.nix {};
  disable-installer-tools = handleTest ./disable-installer-tools.nix {};
  discourse = handleTest ./discourse.nix {};
  dm-verity = runTest ./dm-verity.nix;
  dnscrypt-proxy2 = handleTestOn ["x86_64-linux"] ./dnscrypt-proxy2.nix {};
  dnscrypt-wrapper = runTestOn ["x86_64-linux"] ./dnscrypt-wrapper;
  dnsdist = import ./dnsdist.nix { inherit pkgs runTest; };