feat: check luks on boot

config/services/adguardhome.nix

@@ -41,8 +41,8 @@
         ];
       };
       user_rules = [
-        # "||homematic.internal^$dnsrewrite=${lib.net.cidr.host 30 globals.net.vlans.devices.cidrv4}"
+        "||homematic.internal^$dnsrewrite=${lib.net.cidr.host 30 globals.net.vlans.devices.cidrv4}"
-        # "||testberry.internal^$dnsrewrite=${lib.net.cidr.host 31 globals.net.vlans.devices.cidrv4}"
+        "||testberry.internal^$dnsrewrite=${lib.net.cidr.host 31 globals.net.vlans.devices.cidrv4}"
         "||smb.internal^$dnsrewrite=${lib.net.cidr.host globals.services.samba.ip globals.net.vlans.home.cidrv4}"
         "||${globals.domains.web}^$dnsrewrite=${lib.net.cidr.host 1 globals.net.vlans.services.cidrv4}"
         "@@||${globals.services.vaultwarden.domain}"

hosts/desktopnix/default.nix

@@ -56,6 +56,7 @@
     "nohibernate"
     "root=fstab"
     "loglevel=4"
+    "rd.luks=no"
     "nvidia-drm.modeset=1"
     "nvidia.NVreg_PreserveVideoMemoryAllocations=1"
   ];

hosts/desktopnix/fs.nix

@@ -65,12 +65,8 @@
       };
     };
   };
-  boot.initrd.luks.devices.rpool_m2-ssd.crypttabExtraOpts = [
+  systemIdentity = {
-    "tpm2-device=auto"
+    enable = true;
-    "tpm2-measure-pcr=yes"
+    pcr15 = "dc9b7fa0d2a0ef5441bb8bfb7b2103b9f45f1143d87f69929c12cf7a3cc35ccf";
-  ];
+  };
-  boot.initrd.luks.devices.panzer_sata-hdd.crypttabExtraOpts = [
-    "tpm2-device=auto"
-    "tpm2-measure-pcr=yes"
-  ];
 }

hosts/patricknix/fs.nix

@@ -33,31 +33,11 @@
   };
   fileSystems."/state".neededForBoot = true;
   fileSystems."/persist".neededForBoot = true;
-
   boot.initrd.systemd.extraBin = {
     jq = lib.getExe pkgs.jq;
   };
-  # In ermergency shell type:
+  systemIdentity = {
-  # ´systemctl disable check-pcrs´
+    enable = true;
-  # ´systemctl default´
+    pcr15 = "6214de8c3d861c4b451acc8c4e24294c95d55bcec516bbf15c077ca3bffb6547";
-  # to continue booting
-  boot.initrd.systemd.services.check-pcrs = {
-    script = ''
-      echo "Checking PCRS tag: ctiectie"
-      if [[ $(systemd-analyze pcrs 15 --json=short | jq -r ".[0].sha256") != "a8cfdc8ec869f9edf4635129ba6bb19a076a5d234655cf4684286dc57e325a38" ]] ; then
-        echo "PCR 15 contains invalid hash"
-        exit 1
-      else
-        echo "PCR 15 checked"
-      fi
-    '';
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-    };
-    unitConfig.DefaultDependencies = "no";
-    after = [ "cryptsetup.target" ];
-    before = [ "sysroot.mount" ];
-    requiredBy = [ "sysroot.mount" ];
   };
 }

modules/ensure-pcr.nix

@@ -1,13 +1,128 @@
-{ lib, ... }:
 {
-  options.boot.initrd.luks.devices = lib.mkOption {
+  lib,
-    type =
+  utils,
-      with lib.types;
+  config,
-      attrsOf (submodule {
+  ...
-        config.crypttabExtraOpts = [
+}:
-          "tpm2-device=auto"
+let
-          "tpm2-measure-pcr=yes"
+  inherit (lib)
-        ];
+    head
-      });
+    optional
+    foldl'
+    nameValuePair
+    listToAttrs
+    optionals
+    concatStringsSep
+    sortOn
+    mkIf
+    mkEnableOption
+    mkOption
+    types
+    ;
+in
+{
+  options = {
+    systemIdentity = {
+      enable = mkEnableOption "hashing of Luks values into PCR 15 and subsequent checks";
+      pcr15 = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          The expected value of PCR 15 after all luks partitions have been unlocked
+          Should be a 64 character hex string as ouput by the sha256 field of
+          ´systemd-analyze pcrs 15 --json=short´
+          If set to null (the default) it will not check the value.
+          If the check fails the boot will abort and you will be dropped into an emergency shell, if enabled.
+          In ermergency shell type:
+          ´systemctl disable check-pcrs´
+          ´systemctl default´
+          to continue booting
+        '';
+        example = "6214de8c3d861c4b451acc8c4e24294c95d55bcec516bbf15c077ca3bffb6547";
+      };
+    };
+    boot.initrd.luks.devices = lib.mkOption {
+      type =
+        with lib.types;
+        attrsOf (submodule {
+          config.crypttabExtraOpts = optionals config.systemIdentity.enable [
+            "tpm2-device=auto"
+            "tpm2-measure-pcr=yes"
+          ];
+        });
+    };
+  };
+  config = mkIf config.systemIdentity.enable {
+    boot.kernelParams = [
+      "rd.luks=no"
+    ];
+    boot.initrd.systemd.services =
+      {
+        check-pcrs = mkIf (config.systemIdentity.pcr15 != null) {
+          script = ''
+            echo "Checking PCR 15 value"
+            if [[ $(systemd-analyze pcrs 15 --json=short | jq -r ".[0].sha256") != "${config.systemIdentity.pcr15}" ]] ; then
+              echo "PCR 15 check failed"
+              exit 1
+            else
+              echo "PCR 15 check suceed"
+            fi
+          '';
+          serviceConfig = {
+            Type = "oneshot";
+            RemainAfterExit = true;
+          };
+          unitConfig.DefaultDependencies = "no";
+          after = [ "cryptsetup.target" ];
+          before = [ "sysroot.mount" ];
+          requiredBy = [ "sysroot.mount" ];
+        };
+      }
+      // (listToAttrs (
+        foldl' (
+          acc: attrs:
+          let
+            extraOpts = attrs.value.crypttabExtraOpts ++ (optional attrs.value.allowDiscards "discard");
+            cfg = config.boot.initrd.systemd;
+          in
+          [
+            (nameValuePair "cryptsetup-${attrs.name}" {
+              unitConfig = {
+                Description = "Cryptography setup for ${attrs.name}";
+                DefaultDependencies = "no";
+                IgnoreOnIsolate = true;
+                Conflicts = [ "umount.target" ];
+                BindsTo = "${utils.escapeSystemdPath attrs.value.device}.device";
+              };
+              serviceConfig = {
+                Type = "oneshot";
+                RemainAfterExit = true;
+                TimeoutSec = "infinity";
+                KeyringMode = "shared";
+                OOMScoreAdjust = 500;
+                ImportCredential = "cryptsetup.*";
+                ExecStart = ''${cfg.package}/bin/systemd-cryptsetup attach '${attrs.name}' '${attrs.value.device}' '-' '${concatStringsSep "," extraOpts}' '';
+                ExecStop = ''${cfg.package}/bin/systemd-cryptsetup detach '${attrs.name}' '';
+              };
+              after =
+                [
+                  "cryptsetup-pre.target"
+                  "systemd-udevd-kernel.socket"
+                  "${utils.escapeSystemdPath attrs.value.device}.device"
+                ]
+                ++ (optional cfg.tpm2.enable "systemd-tpm2-setup-early.service")
+                ++ optional (acc != [ ]) "${(head acc).name}.service";
+              before = [
+                "blockdev@dev-mapper-${attrs.name}.target"
+                "cryptsetup.target"
+                "umount.target"
+              ];
+              wants = [ "blockdev@dev-mapper-${attrs.name}.target" ];
+              requiredBy = [ "sysroot.mount" ];
+            })
+          ]
+          ++ acc
+        ) [ ] (sortOn (x: x.name) (lib.attrsets.attrsToList config.boot.initrd.luks.devices))
+      ));
   };
 }