From 4e24ac988fbe33dbcb104bcf5b4994051a11c73b Mon Sep 17 00:00:00 2001
From: Petru Paler
Date: Fri, 13 Sep 2024 10:31:44 +0100
Subject: [PATCH] Restrict permissions on /boot to protect the random seed.
---
 common/encrypted-btrfs-layout.nix | 3 +++
 hosts/alo-cloud-1/hardware.nix | 1 +
 hosts/c1/hardware.nix | 1 +
 hosts/c2/hardware.nix | 1 +
 hosts/zippy/hardware.nix | 2 +-
 5 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/common/encrypted-btrfs-layout.nix b/common/encrypted-btrfs-layout.nix
index 844dd38..a4c646b 100644
--- a/common/encrypted-btrfs-layout.nix
+++ b/common/encrypted-btrfs-layout.nix
@@ -31,6 +31,9 @@ in
 type = "filesystem";
 format = "vfat";
 mountpoint = "/boot";
+ mountOptions = [
+ "umask=0077" # to avoid the random seed being world readable
+ ];
 };
 };
 luksroot = {
diff --git a/hosts/alo-cloud-1/hardware.nix b/hosts/alo-cloud-1/hardware.nix
index 1974535..2f700cf 100644
--- a/hosts/alo-cloud-1/hardware.nix
+++ b/hosts/alo-cloud-1/hardware.nix
@@ -36,6 +36,7 @@
 fileSystems."/boot" = {
 device = "/dev/disk/by-uuid/FF9C-DC81";
 fsType = "vfat";
+ options = [ "umask=0077" ]; # to avoid the random seed being world readable
 };
 swapDevices = [
 {
diff --git a/hosts/c1/hardware.nix b/hosts/c1/hardware.nix
index 570e713..d60c905 100644
--- a/hosts/c1/hardware.nix
+++ b/hosts/c1/hardware.nix
@@ -39,6 +39,7 @@
 fileSystems."/boot" = {
 device = "/dev/disk/by-uuid/D8C2-9216";
 fsType = "vfat";
+ options = [ "umask=0077" ]; # to avoid the random seed being world readable
 };
 swapDevices = [
 {
diff --git a/hosts/c2/hardware.nix b/hosts/c2/hardware.nix
index 6e6d080..bed4683 100644
--- a/hosts/c2/hardware.nix
+++ b/hosts/c2/hardware.nix
@@ -39,6 +39,7 @@
 fileSystems."/boot" = {
 device = "/dev/disk/by-uuid/B543-374F";
 fsType = "vfat";
+ options = [ "umask=0077" ]; # to avoid the random seed being world readable
 };
 swapDevices = pkgs.lib.mkForce [
 {
diff --git a/hosts/zippy/hardware.nix b/hosts/zippy/hardware.nix
index 86717fc..486bb4b 100644
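Review bot: The comment on `"umask=0077"` in the /boot partition's `mountOptions` does not say what the option leaves uncovered: it only restricts access for non-root users on the running system. The partition is vfat and sits beside `luksroot` rather than inside it, so anyone who can read the disk offline can still read the seed. I would word the comment as `# root-only at runtime; /boot is outside luksroot, so the seed stays readable offline`. The partition definition starts above the hunk, so the rest of its settings are not visible here.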
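Review bot: The line `options = [ "umask=0077" ];` is added by hand to each host's `fileSystems."/boot"` (hosts/alo-cloud-1 here, and again in hosts/c1, hosts/c2 and hosts/zippy), so a host added later can silently miss the hardening. NixOS merges list-valued options across modules, so a single `fileSystems."/boot".options = [ "umask=0077" ];` in a module every host imports would cover them all. Whether such a shared module exists is not visible in this patch. The `fileSystems."/boot"` block is complete in the hunk, but the surrounding attribute set extends beyond it.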
--- a/hosts/zippy/hardware.nix
+++ b/hosts/zippy/hardware.nix
@@ -39,7 +39,7 @@
 fileSystems."/boot" = {
 device = "/dev/disk/by-uuid/F3C9-A38F";
 fsType = "vfat";
- options = [ "fmask=0022" "dmask=0022" ];
+ options = [ "umask=0077" ]; # to avoid the random seed being world readable
 };
 swapDevices = [
 {
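Review bot: Replacing `fmask=0022`/`dmask=0022` with `umask=0077` on this host may not change the mount that is already active. As far as I know the Linux FAT driver does not re-read permission masks on a remount, so the old masks can stay in force until /boot is mounted afresh; this should be confirmed on the host. After activation, `findmnt -no OPTIONS /boot` shows which masks are in effect, and a reboot or an unmount and mount is needed if 0022 is still listed. I would extend the trailing comment to `# to avoid the random seed being world readable; check with findmnt after a fresh mount`.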