Headline
CVE-2023-36476: fix luks · vlinkz/calamares-nixos-extensions@837ca4d
calamares-nixos-extensions provides Calamares branding and modules for NixOS, a distribution of GNU/Linux. Users of calamares-nixos-extensions version 0.3.12 and prior who installed NixOS through the graphical calamares installer, with an unencrypted /boot, on either non-UEFI systems or with a LUKS partition different from / have their LUKS key file in /boot as a plaintext CPIO archive attached to their NixOS initrd. A patch is available and anticipated to be part of version 0.3.13 to backport to NixOS 22.11, 23.05, and unstable channels. Expert users who have a copy of their data may, as a workaround, re-encrypt the LUKS partition(s) themselves.
Expand Up
@@ -54,13 +54,6 @@
“"”
cfgbootcrypt = “"” # Setup keyfile
boot.initrd.secrets = {
“/crypto_keyfile.bin” = null;
};
“"”
cfgbootgrubcrypt = “"” # Enable grub cryptodisk
boot.loader.grub.enableCryptodisk=true;
Expand Down Expand Up
@@ -377,7 +370,6 @@ def run():
# Check partitions
for part in gs.value(“partitions”):
if part[“claimed”] == True and part[“fsName”] == "luks":
cfg += cfgbootcrypt
if fw_type != "efi":
cfg += cfgbootgrubcrypt
status = _(“Setting up LUKS”)
Expand All
@@ -394,10 +386,9 @@ def run():
return (_(“Failed to create /crypto_keyfile.bin”), _(“Check if you have enough free space on your partition.”))
break
# Setup keys in /crypto_keyfile. If we use systemd-boot (EFI), don’t add /
# Goal is to have one password prompt when booted
# Setup keys in /crypto_keyfile. Don’t add rootfs!
for part in gs.value(“partitions”):
if part[“claimed”] == True and part[“fsName”] == “luks” and part[“device”] is not None and not (fw_type == “efi” and part[“mountPoint”] == “/”):
if part[“claimed”] == True and part[“fsName”] == “luks” and part[“device”] is not None and not part[“mountPoint”] == "/":
if part[“fs”] == "linuxswap":
cfg += cfgswapcrypt
catenate(variables, "swapdev", part[“luksMapperName”])
Expand Down