systemd-boot: allow setting editor security option (#21853)

2024-11-16 14:54:29 +01:00 · 2017-01-21 13:24:26 +00:00 · 2017-01-21 13:24:26 +00:00 · 98bd722d1d
commit 98bd722d1d
parent 140d135ee2
2 changed files with 18 additions and 0 deletions
--- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
+++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
@ -28,6 +28,8 @@ def write_loader_conf(generation):
        if "@timeout@" != "":
            f.write("timeout @timeout@\n")
        f.write("default nixos-generation-%d\n" % generation)
+        if not @editor@:
+            f.write("editor 0");
    os.rename("@efiSysMountPoint@/loader/loader.conf.tmp", "@efiSysMountPoint@/loader/loader.conf")

 def copy_from_profile(generation, name, dry_run=False):
--- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
+++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
@ -20,6 +20,8 @@ let

    timeout = if config.boot.loader.timeout != null then config.boot.loader.timeout else "";

+    editor = if cfg.editor then "True" else "False";
+
    inherit (efi) efiSysMountPoint canTouchEfiVariables;
  };
 in {
@ -36,6 +38,20 @@ in {

      description = "Whether to enable the systemd-boot (formerly gummiboot) EFI boot manager";
    };
+
+    editor = mkOption {
+      default = true;
+
+      type = types.bool;
+
+      description = ''
+        Whether to allow editing the kernel command-line before
+        boot. It is recommended to set this to false, as it allows
+        gaining root access by passing init=/bin/sh as a kernel
+        parameter. However, it is enabled by default for backwards
+        compatibility.
+      ''
+    };
  };

  config = mkIf cfg.enable {