author | Linus Heckemann <git@sphalerite.org> | 2017-01-21 13:24:26 +0000 |
---|---|---|
committer | Franz Pletz <fpletz@fnordicwalking.de> | 2017-01-21 14:24:26 +0100 |
commit | 98bd722d1dae747c5786497b8689415d2bebf78f (patch) | |
tree | a9ebc46f42244f1525fb4e113fc698d034db5c23 /nixos | |
parent | 140d135ee2e2f2ea538591fe25719c9c91d4651e (diff) |
systemd-boot: allow setting editor security option (#21853)
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py | 2 | ||||
-rw-r--r-- | nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix | 16 |
2 files changed, 18 insertions, 0 deletions
diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
index 515136c904c5c..b91d64bb0a7fe 100644
--- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
+++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
@@ -28,6 +28,8 @@ def write_loader_conf(generation):
         if "@timeout@" != "":
             f.write("timeout @timeout@\n")
         f.write("default nixos-generation-%d\n" % generation)
+        if not @editor@:
+            f.write("editor 0");
     os.rename("@efiSysMountPoint@/loader/loader.conf.tmp", "@efiSysMountPoint@/loader/loader.conf")
 
 def copy_from_profile(generation, name, dry_run=False):
diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
index cc43fb8bab4c2..39a9ffdb7a394 100644
--- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
+++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
@@ -20,6 +20,8 @@ let
 
     timeout = if config.boot.loader.timeout != null then config.boot.loader.timeout else "";
 
+    editor = if cfg.editor then "True" else "False";
+
     inherit (efi) efiSysMountPoint canTouchEfiVariables;
   };
 in {
@@ -36,6 +38,20 @@ in {
       description = "Whether to enable the systemd-boot (formerly gummiboot) EFI boot manager";
     };
 
+
+    editor = mkOption {
+      default = true;
+
+      type = types.bool;
+
+      description = ''
+        Whether to allow editing the kernel command-line before
+        boot. It is recommended to set this to false, as it allows
+        gaining root access by passing init=/bin/sh as a kernel
+        parameter. However, it is enabled by default for backwards
+        compatibility.
+      ''
+    };
   };
 
   config = mkIf cfg.enable {
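Review bot: The added `f.write("editor 0");` omits the trailing newline that every other write in write_loader_conf carries, so loader.conf ends without a line terminator and any key written after it later would be glued onto the same line; it should read `f.write("editor 0\n")`, which also drops the stray semicolon. Since `@editor@` is substituted as the Python literal `True`/`False`, the key is only emitted when the option is disabled, which appears to rely on systemd-boot treating a missing `editor` key as "enabled" — a short comment such as `# only emit the key when editing is disabled; an absent key keeps systemd-boot's default` would make that dependency explicit. write_loader_conf begins before this hunk, and the `f` handle is opened by a `with` statement outside the visible lines.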
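Review bot: The new option's description overstates what disabling the editor buys: `editor 0` only removes systemd-boot's interactive command-line editor, while loader.conf itself lives on the unencrypted ESP and anyone with physical access can still boot other media or alter the ESP offline, so the text should add a caveat such as `Note that this is not a substitute for Secure Boot, a firmware setup password and disk encryption; it only removes the most convenient route to a root shell.` It would also help to say that the setting is written to loader.conf as `editor 0` when false and that the default of true preserves the behaviour of earlier releases. As rendered here the closing `''` of the description has no trailing `;`, which would make the module fail to evaluate if that is what the commit actually contains — worth confirming it reads `'';`. The enclosing options attribute set starts before this hunk.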