Raspberry Pi with LUKS root, unrecognized filesystem type

I am trying to install NixOS on a Raspberry Pi 4 with a LUKS encrypted rootfs. I put the standard sd-image-aarch64 from Hydra on a USB stick, booted from that, and then started installing on the SD card.

Without LUKS, the standard config booted fine. The process was basically:

sfdisk /dev/mmcblk1 <<EOF
    label: dos
    label-id: 0x2178694e

    start=8M, size=61440, type=b
    start=38M, type=83, bootable
EOF

Then make vfat and ext4 filesystems, mount the ext4 to /mnt and the vfat to /mnt/boot/firmware, copy the contents of /boot/firmware to /mnt/boot/firmware, generate the standard config with nixos-generate-config --root /mnt (changed nothing), and then run nixos-install. It boots fine.

For LUKS, I tried to set up the Yubikey method, the process taken from here: GitHub - sgillespie/nixos-yubikey-luks: Set up a LUKS-encrypted filesystem for Yubikey in NixOS
Basically, make the same partition table as before, do luksFormat and then luksOpen for the second partition, then make the ext4 fs, mount everything as before, then generate the config. The config is slightly different of course (pasted below). The result is that the system doesn’t boot to the kernel. What I see from the Pi is:

Net:   eth0: ethernet@7d580000
PCIe BRCM: link up, 5.0 Gbps x1 (SSC)
starting USB...
Bus xchi_pci: Register 5000420 NbrPorts 5
Starting the controller
USB XHCI 1.00
scanning bus xhci_pci for devices... 3 USB Device(s) found
        scanning usb for storage devices... 0 Storage Device(s) found
Hit any key to stop autoboot:  0
switch to partitions #0, OK
mmc0 is current device
** Unrecognized filesystem type **

The configuration.nix:

# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

{ config, pkgs, ... }:

{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

  # Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
  boot.loader.grub.enable = false;
  # Enables the generation of /boot/extlinux/extlinux.conf
  boot.loader.generic-extlinux-compatible.enable = true;

  boot.initrd = {
    kernelModules = [ "vfat" "nls_cp437" "nls_iso8859-1" "usbhid" ];
    luks = {
      yubikeySupport = true;

      devices."encrypted" = {
        device = "/dev/disk/by-uuid/f443c6fd-055d-4d1a-9854-fc493a04fa76";

        yubikey = {
          slot = 2;
          twoFactor = false;
          gracePeriod = 30;
          keyLength = 64;
          saltLength = 16;

          storage = {
            device = "/dev/disk/by-uuid/2178-694E";
            fsType = "vfat";
            path = "/crypt-storage/default";
          };
        };
      };
    }; 
  };

  # networking.hostName = "nixos"; # Define your hostname.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.

  # Set your time zone.
  # time.timeZone = "Europe/Amsterdam";

  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
  # Per-interface useDHCP will be mandatory in the future, so this generated config
  # replicates the default behaviour.
  networking.useDHCP = false;
  networking.interfaces.eth0.useDHCP = true;
  networking.interfaces.wlan0.useDHCP = true;

  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

  # Select internationalisation properties.
  # i18n.defaultLocale = "en_US.UTF-8";
  # console = {
  #   font = "Lat2-Terminus16";
  #   keyMap = "us";
  # };

  # Enable the X11 windowing system.
  # services.xserver.enable = true;

  # Configure keymap in X11
  # services.xserver.layout = "us";
  # services.xserver.xkbOptions = "eurosign:e";

  # Enable CUPS to print documents.
  # services.printing.enable = true;

  # Enable sound.
  # sound.enable = true;
  # hardware.pulseaudio.enable = true;

  # Enable touchpad support (enabled default in most desktopManager).
  # services.xserver.libinput.enable = true;

  # Define a user account. Don't forget to set a password with ‘passwd’.
  # users.users.jane = {
  #   isNormalUser = true;
  #   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
  # };

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  # environment.systemPackages = with pkgs; [
  #   vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
  #   wget
  #   firefox
  # ];

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };

  # List services that you want to enable:

  # Enable the OpenSSH daemon.
  # services.openssh.enable = true;

  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "21.05"; # Did you read the comment?

}

hardware-configuration.nix:

# Do not modify this file!  It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations.  Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:

{
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];

  boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];

  fileSystems."/" =
    { device = "/dev/disk/by-uuid/9a314b6b-94b5-4712-bbee-b30663ba26db";
      fsType = "ext4";
    };

  boot.initrd.luks.devices."encrypted".device = "/dev/disk/by-uuid/f443c6fd-055d-4d1a-9854-fc493a04fa76";

  fileSystems."/boot/firmware" =
    { device = "/dev/disk/by-uuid/2178-694E";
      fsType = "vfat";
    };

  swapDevices = [ ];

  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}

lsblk -o +UUID:

NAME          MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT UUID
sda             8:0    1 14.3G  0 disk
├─sda1          8:1    1   30M  0 part             2178-694E
└─sda2          8:2    1 14.3G  0 part  /          44444444-4444-4444-8888-888888888888
mmcblk1       179:0    0 29.8G  0 disk
├─mmcblk1p1   179:1    0   30M  0 part             2178-694E
└─mmcblk1p2   179:2    0 29.8G  0 part             f443c6fd-055d-4d1a-9854-fc493a04fa76
  └─encrypted 253:0    0 29.8G  0 crypt /mnt       9a314b6b-94b5-4712-bbee-b30663ba26db
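
The configuration above generates /boot/extlinux/extlinux.conf while only /boot/firmware is a separate mount, and anything that has to be read before the initrd unlocks the LUKS volume must sit on a plaintext filesystem. The following added example (not part of the original post) reports whether a given boot path is backed by a dm-crypt mapping. The sample lsblk lines are constructed to match the layout in the post, and the function name `boot_backing` is hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not from the original post.
# Constructed sample in the format of: lsblk -P -o NAME,PKNAME,TYPE,MOUNTPOINT
# (layout as in the post, with the firmware partition mounted for the install).
SAMPLE='NAME="mmcblk1" PKNAME="" TYPE="disk" MOUNTPOINT=""
NAME="mmcblk1p1" PKNAME="mmcblk1" TYPE="part" MOUNTPOINT="/mnt/boot/firmware"
NAME="mmcblk1p2" PKNAME="mmcblk1" TYPE="part" MOUNTPOINT=""
NAME="encrypted" PKNAME="mmcblk1p2" TYPE="crypt" MOUNTPOINT="/mnt"'

# boot_backing PATH LSBLK_TEXT
# Finds the mounted device whose mountpoint is the longest prefix of PATH, then
# walks its parents. Prints "crypt <dev>" if any layer is a dm-crypt mapping,
# "plain <dev>" otherwise, "unknown" if nothing is mounted above PATH.
# Assumes mountpoints without spaces (fields are split on whitespace).
boot_backing() {
  printf '%s\n' "$2" | awk -v path="$1" '
    {
      n = p = t = m = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "="); gsub(/"/, "", kv[2])
        if (kv[1] == "NAME") n = kv[2]
        else if (kv[1] == "PKNAME") p = kv[2]
        else if (kv[1] == "TYPE") t = kv[2]
        else if (kv[1] == "MOUNTPOINT") m = kv[2]
      }
      type[n] = t; parent[n] = p
      pre = (m == "/") ? "/" : m "/"
      if (m != "" && index(path "/", pre) == 1 && length(m) > best) {
        best = length(m); dev = n
      }
    }
    END {
      if (dev == "") { print "unknown"; exit }
      for (d = dev; d != ""; d = parent[d])
        if (type[d] == "crypt") { print "crypt " d; exit }
      print "plain " dev
    }'
}

# Paths the installed system writes boot files to (under the /mnt install target).
for path in /mnt/boot/extlinux /mnt/boot/firmware; do
  printf '%-22s %s\n' "$path" "$(boot_backing "$path" "$SAMPLE")"
done
```

On a live installer, pass the output of `lsblk -P -o NAME,PKNAME,TYPE,MOUNTPOINT` as the second argument instead of the sample.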