Commit a5cc2d09 authored by Vladimir Panteleev's avatar Vladimir Panteleev
Browse files

nixos/luksroot: Check if the device was opened while reading password 

Helps the following situation:

- SSH in initrd is enabled

- NixOS is waiting for a password to be typed at the console (or
  provided via cryptsetup-askpass)

- The user logs in via SSH, but instead of running cryptsetup-askpass,
  they run "cryptsetup open" directly (because they don't know that
  they need to use NixOS's cryptsetup-askpass script, or because they
  want to use a non-trivial unlocking method that is not natively
  supported by this module)

Currently, in the above situation, NixOS will keep waiting for a
password to be entered even though the device is already unlocked. If
a password is entered, it will print a confusing "already exists"
error and keep asking for the same password.

We can improve on this by simply checking if the device is already
unlocked in our read loop. In this case, we don't need to do anything
other than return from the function and continue booting.
parent 84564712

nixos/modules/system/boot/luksroot.nix

+4 −0
Original line number Diff line number Diff line
@@ -185,6 +185,10 @@ let 
                    echo "reused"

                    passphrase=$(cat /crypt-ramfs/passphrase)

                    break

                elif [ -e /dev/mapper/${dev.name} ]; then

                    echo "opened externally"

                    rm -f /crypt-ramfs/device

                    return

                else

                    # ask cryptsetup-askpass

                    echo -n "${dev.device}" > /crypt-ramfs/device