Restrict permissions on /boot to protect the random seed.

2024-09-13 10:31:44 +01:00
parent 8588d7f09f
commit 4e24ac988f
5 changed files with 7 additions and 1 deletions
--- a/common/encrypted-btrfs-layout.nix
+++ b/common/encrypted-btrfs-layout.nix
@@ -31,6 +31,9 @@ in
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
+                mountOptions = [
+                  "umask=0077"  # to avoid the random seed being world readable
+                ];
              };
            };
            luksroot = {
--- a/hosts/alo-cloud-1/hardware.nix
+++ b/hosts/alo-cloud-1/hardware.nix
@@ -36,6 +36,7 @@
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/FF9C-DC81";
      fsType = "vfat";
+      options = [ "umask=0077" ]; # to avoid the random seed being world readable
    };

  swapDevices = [ {
--- a/hosts/c1/hardware.nix
+++ b/hosts/c1/hardware.nix
@@ -39,6 +39,7 @@
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/D8C2-9216";
      fsType = "vfat";
+      options = [ "umask=0077" ]; # to avoid the random seed being world readable
    };

  swapDevices = [ {
--- a/hosts/c2/hardware.nix
+++ b/hosts/c2/hardware.nix
@@ -39,6 +39,7 @@
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/B543-374F";
      fsType = "vfat";
+      options = [ "umask=0077" ]; # to avoid the random seed being world readable
    };

  swapDevices = pkgs.lib.mkForce [ {
--- a/hosts/zippy/hardware.nix
+++ b/hosts/zippy/hardware.nix
@@ -39,7 +39,7 @@
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/F3C9-A38F";
      fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
+      options = [ "umask=0077" ]; # to avoid the random seed being world readable
    };

  swapDevices = [ {