Commit b2d04c11 authored by Winter's avatar Winter
Browse files

nixos/luksroot: build pbkdf2-sha512 binary in its own derivation 

Since this feature's inception, we've compiled a binary that uses OpenSSL
to perform PBKDF-SHA512 during the extra-utils build. In addition to this
being inefficient, it broke as of 6ea1a2a1,
which switched the extra-utils derivation to use stdenvNoCC.

For now, I think the path of least resistence is to move the pbkdf-sha512
build to its own derivation, to fix the breakage, as well as improving
the efficiency of the extra-utils build.

(I do believe that at some point, we should revisit this binary -- perhaps
rewriting it -- as Clang even just on its default settings emits more
warnings than you'd want to see in a security-related codebase when
compiling it.)
parent 9d2042e4

nixos/modules/system/boot/luksroot.nix

+9 −4
Original line number Diff line number Diff line
@@ -929,7 +929,14 @@ in 
      ++ (if builtins.elem "xts" luks.cryptoModules then ["ecb"] else []);



    # copy the cryptsetup binary and it's dependencies

    boot.initrd.extraUtilsCommands = mkIf (!config.boot.initrd.systemd.enable) ''

    boot.initrd.extraUtilsCommands = let

      pbkdf2-sha512 = pkgs.runCommandCC "pbkdf2-sha512" { buildInputs = [ pkgs.openssl ]; } ''

        mkdir -p "$out/bin"

        cc -O3 -lcrypto ${./pbkdf2-sha512.c} -o "$out/bin/pbkdf2-sha512"

        strip -s "$out/bin/pbkdf2-sha512"

      '';

    in

    mkIf (!config.boot.initrd.systemd.enable) ''

      copy_bin_and_libs ${pkgs.cryptsetup}/bin/cryptsetup

      copy_bin_and_libs ${askPass}/bin/cryptsetup-askpass

      sed -i s,/bin/sh,$out/bin/sh, $out/bin/cryptsetup-askpass
@@ -939,9 +946,7 @@ in 
        copy_bin_and_libs ${pkgs.yubikey-personalization}/bin/ykinfo

        copy_bin_and_libs ${pkgs.openssl.bin}/bin/openssl



        cc -O3 -I${pkgs.openssl.dev}/include -L${lib.getLib pkgs.openssl}/lib ${./pbkdf2-sha512.c} -o pbkdf2-sha512 -lcrypto

        strip -s pbkdf2-sha512

        copy_bin_and_libs pbkdf2-sha512

        copy_bin_and_libs ${pbkdf2-sha512}/bin/pbkdf2-sha512



        mkdir -p $out/etc/ssl

        cp -pdv ${pkgs.openssl.out}/etc/ssl/openssl.cnf $out/etc/ssl