Unverified Commit 5ee6467b authored by Moritz Sanft's avatar Moritz Sanft Committed by WilliButz

nixos: add support for dm-verity



Co-authored-by: default avatarnikstur <nikstur@outlook.com>
Co-authored-by: default avatarWilliButz <willibutz@posteo.de>
parent 3fe7fe4a
+3 −0
@@ -46,6 +46,9 @@
  If you experience any issues, please report them.
  The original Perl script can still be used for now by setting `system.switch.enableNg` to `false`.

- Support for mounting filesystems from block devices protected with [dm-verity](https://docs.kernel.org/admin-guide/device-mapper/verity.html)
  was added through the `boot.initrd.systemd.dmVerity` option.

- The [Xen Hypervisor](https://xenproject.org) is once again available as a virtualisation option under [`virtualisation.xen`](#opt-virtualisation.xen.enable).
  - This release includes Xen [4.17.5](https://wiki.xenproject.org/wiki/Xen_Project_4.17_Release_Notes), [4.18.3](https://wiki.xenproject.org/wiki/Xen_Project_4.18_Release_Notes) and [4.19.0](https://wiki.xenproject.org/wiki/Xen_Project_4.19_Release_Notes), as well as support for booting the hypervisor on EFI systems.
  ::: {.warning}
+1 −0
@@ -1625,6 +1625,7 @@
  ./system/boot/stage-2.nix
  ./system/boot/systemd.nix
  ./system/boot/systemd/coredump.nix
  ./system/boot/systemd/dm-verity.nix
  ./system/boot/systemd/initrd-secrets.nix
  ./system/boot/systemd/initrd.nix
  ./system/boot/systemd/journald.nix
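--- /dev/null
+++ b/nixos/modules/system/boot/systemd/dm-verity.nix
@@ -0,0 +1,61 @@
+{ config, lib, ... }:
+
+let
+  cfg = config.boot.initrd.systemd.dmVerity;
+in
+{
+  options = {
+    boot.initrd.systemd.dmVerity = {
+      enable = lib.mkEnableOption "dm-verity" // {
+        description = ''
+          Mount verity-protected block devices in the initrd.
+
+          Enabling this option allows to use `systemd-veritysetup` and
+          `systemd-veritysetup-generator` in the initrd.
+        '';
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = config.boot.initrd.systemd.enable;
+        message = ''
+          'boot.initrd.systemd.dmVerity.enable' requires 'boot.initrd.systemd.enable' to be enabled.
+        '';
+      }
+    ];
+
+    boot.initrd = {
+      availableKernelModules = [
+        "dm_mod"
+        "dm_verity"
+      ];
+
+      # dm-verity needs additional udev rules from LVM to work.
+      services.lvm.enable = true;
+
+      # The additional targets and store paths allow users to integrate verity-protected devices
+      # through the systemd tooling.
+      systemd = {
+        additionalUpstreamUnits = [
+          "veritysetup-pre.target"
+          "veritysetup.target"
+          "remote-veritysetup.target"
+        ];
+
+        storePaths = [
+          "${config.boot.initrd.systemd.package}/lib/systemd/systemd-veritysetup"
+          "${config.boot.initrd.systemd.package}/lib/systemd/system-generators/systemd-veritysetup-generator"
+        ];
+      };
+    };
+  };
+
+  meta.maintainers = with lib.maintainers; [
+    msanft
+    nikstur
+    willibutz
+  ];
+}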
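Review bot: The `description` of the new `enable` option does not say where the verity root hash comes from or what protects it, which is the property the feature hinges on: `systemd-veritysetup-generator` reads the hash from the kernel command line (`roothash=` / `systemd.verity_root_hash=`), so the integrity guarantee only holds when that command line is itself covered by the boot chain (a signed UKI or otherwise verified/measured boot). I would add a sentence to the description such as `The root hash is taken from the kernel command line by systemd-veritysetup-generator; the command line itself must be protected by the boot chain (e.g. a signed unified kernel image), otherwise dm-verity provides no meaningful integrity guarantee.` Minor wording: `allows to use` reads better as `makes it possible to use`. The comment above `services.lvm.enable = true` could also name which LVM-shipped udev rules dm-verity depends on, since from this file alone it is not clear why the whole LVM service is pulled into the initrd rather than only the device-mapper rules.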