boot.initrd.postDeviceCommands waiting for device

Hello,
I currently have this in my configuration.nix, and my /dev/nvme0n1p1 device is encrypted by LUKS.
(Just to test) I added this small command to boot.initrd.postDeviceCommands.
But when starting the computer, after executing the command it waits for the device infinitely.
Do you have an idea why?

  boot.initrd.extraUtilsCommands = ''
    copy_bin_and_libs ${pkgs.cryptsetup}/bin/cryptsetup
  '';

  boot.initrd.kernelModules = ["vfat" "nls_cp437" "nls_iso8859-1" "usbhid" "alx"];

  boot.initrd.postDeviceCommands = ''
    echo -n "dummy" | cryptsetup luksOpen /dev/nvme0n1p1 nixos-luks
  '';

I have a very similar setup, and my cryptsetup luksOpen commands are issued in the boot.initrd.preLVMCommands hook, although I don’t use LVM at all. Maybe try to move it there?

Also (I think with 5.8) there was a change that required cryptsetup to work with the encrypted-key feature. I had to add the following to my kernel modules:

  boot.initrd.availableKernelModules = [ "sha256-ssse3" "aesni_intel" "xts" "cbc" "gf128mul" "gcm" ];

Could you give me more details about your setup because it does not seem to work for me?

My setup is almost exactly like yours, except that my key material isn’t “echo dummy”, and that I am using the preLVMCommands hook for my cryptsetup.

Try to change:

  boot.initrd.postDeviceCommands = ''
    echo -n "dummy" | cryptsetup luksOpen /dev/nvme0n1p1 nixos-luks
    ls -l /dev/mapper/nixos-luks || sh
  '';

If your cryptsetup command is successful, you should see a /dev/mapper/nixos-luks device. Otherwise, you get dropped into a shell to fix it. You could also read your /init script to see if that script is looking for “nixos-luks” or is blocked by something else.
