Request ZFS/LUKS passwords via Plymouth

[puckipedia]

Plymouth currently starts after FDE passphrases have been entered, which is not very useful on modern systems, where booting takes less than 10 seconds. This PR contains a few (partially untested, but works for plymouth + ZFS for me) commits that move Plymouth to earlier in the boot process, and then handle passwords via the bootsplash.

To be done:

• Test with more obscure LUKS setups (the luksroot test worked, but that doesn't guarantee yubikey / GPG card do, and I'm not entirely sure how to test those in a VM.)
• Clean up some of the commits
• Figure out if cryptsetup-askpass was actually used

If anyone wants to help with testing this out, that'd be highly appreciated!

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Determined the impact on package closure size (by running nix path-info -S before and after)
• Ensured that relevant documentation is up to date
• Fits CONTRIBUTING.md.

[amaxine]

Tested and works with luks, but this breaks scaling in plymouth during boot for me. Prior to enabling this, regardless of whether I used hidpi console fonts, plymouth would always scale "correctly", during boot and shutdown. Now it only does so during shutdown.

Setting DeviceScale (previously completely unset) in /etc/plymouth/plymouthd.conf affects shutdown scaling but not boot scaling, so this could just be a plymouth bug.

[puckipedia]

@maxeaubrey Interesting. There's no direct reason this'd cause a scaling issue, unless you use console.earlySetup, I think.. Any other details on your config?

[amaxine]

Here's my system configuration: https://github.com/maxeaubrey/systems
console.earlySetup is enabled, but I just checked and with it disabled I still get no scaling in plymouth during boot, whether DeviceScale is set or not.

[puckipedia]

Meh. I suspect the issue might be that it's no longer using the DRM backend but instead the plain framebuffer backend. (Maybe because the DRM driver doesn't exist yet?) I'm not entirely sure how to verify this (does plymouth without this patch the backlight once / re-sync the display before showing up, I guess?), I could add a config flag that allows you to set DeviceScale though, if that'd help.

[puckipedia]

oh dang, didn't notice @eadwu had a patchset (#84158) making (tho it's mostly aiming at the flicker-free part). Might look at the differences and merge those in..

[jtojnar]

This will break with #73795, since fontconfig now includes configuration from ${fontconfig}/etc/fonts/conf.d, which is not in allowed references:

output '/nix/store/4gkpl38kjw3qskfz5gy7f74ahlps04c7-extra-utils' is not allowed to refer to the following paths:
  /nix/store/whh21mr17whyq1mm2h7lzj98ixi4w3ps-fontconfig-2.13.92

[puckipedia]

guess i'll have to actually build my own fontconfig xml..

[jtojnar]

We also need to use the versioned fonts.conf path since our fontconfig no longer uses the unversioned one.

Something like this might work:

--- a/nixos/modules/system/boot/plymouth.nix
+++ b/nixos/modules/system/boot/plymouth.nix
@@ -105,7 +105,13 @@ in
     systemd.services.systemd-ask-password-plymouth.wantedBy = ["multi-user.target"];
     systemd.paths.systemd-ask-password-plymouth.wantedBy = ["multi-user.target"];
 
-    boot.initrd.extraUtilsCommands = ''
+    boot.initrd.extraUtilsCommands = let
+      fonts_conf = (pkgs.makeFontsConf {
+        fontDirectories = [];
+      }).override {
+        dejavu_fonts.minimal = "/usr/share/fonts";
+      };
+    in ''
       copy_bin_and_libs ${pkgs.plymouth}/bin/plymouthd
       copy_bin_and_libs ${pkgs.plymouth}/bin/plymouth
 
@@ -135,13 +141,15 @@ in
       cp ${cfg.logo} $out/share/plymouth/logo.png
 
       mkdir -p $out/usr/share/fonts/truetype
-      mkdir -p $out/etc/fonts/2.11/conf.d
+      mkdir -p $out/etc/fonts/${pkgs.fontconfig.configVersion}/conf.d
       cp -r ${pkgs.cantarell-fonts}/share/fonts/cantarell/Cantarell-{Thin,Regular}.otf $out/usr/share/fonts/truetype
       cp -r ${pkgs.dejavu_fonts.minimal}/share/fonts/truetype/DejaVuSans.ttf $out/usr/share/fonts/truetype
 
-      cp ${pkgs.fontconfig.out}/share/fontconfig/conf.avail/60-latin.conf $out/etc/fonts/2.11/conf.d
-      cp ${pkgs.fontconfig.out}/etc/fonts/fonts.conf $out/etc/fonts/2.11
-      sed -i 's@<dir>${pkgs.dejavu_fonts.minimal}</dir>@<dir>/usr/share/fonts</dir>@g' $out/etc/fonts/2.11/fonts.conf
+      cp ${pkgs.fontconfig.out}/share/fontconfig/conf.avail/60-latin.conf $out/etc/fonts/${pkgs.fontconfig.configVersion}/conf.d
+      cp ${fonts_conf} $out/etc/fonts/${pkgs.fontconfig.configVersion}/fonts.conf
+
+      # Do not include default config files since they are not available in stage-1.
+      sed -i 's@<include>${pkgs.fontconfig.out}/etc/fonts/conf.d</include>@@g' $out/etc/fonts/${pkgs.fontconfig.configVersion}/fonts.conf
     '';
 
     boot.initrd.extraUtilsCommandsTest = ''

[jtojnar]

In #95358, we have stopped using versioned configs altogether.

[Ninlives]

Hi, what's the status of this pr?

[ymarkus]

@jtojnar @puckipedia @cole-h Is there any progress on this issue? I'd be happy to try myself, but I'd have to invest quite some time, so I wanted to ask first...

[jtojnar]

@ymarkus it has been recently discussed on IRC: https://logs.nix.samueldr.com/nixos-dev/2021-02-22#1613999739-1614013629;

[ymarkus]

Ok thanks, so I guess @puckipedia will rebase this PR on that one when it gets merged? If you need any help or someone to test it out, feel free to ping me!

[andersk]

Is systemd-ask-password a better way to do this? See also #74842.

[TLATER]

@andersk probably, but there's a bit of a gridlock going on between all the systemd initrd changes. It'd be nice to have plymouth password prompts for the time being, and do the proper thing when the systemd-related issues are resolved.

Let's not shave yaks ;)

[stale]

I marked this as stale due to inactivity. → More info

[maydayv7]

bumping....

[stale]

I marked this as stale due to inactivity. → More info

[yorickvP]

Should integrate with #164943

[ners]

@puckipedia I've merged the latest nixos-unstable branch into plymouth-fixes: ners@4620d13
Feel free to grab that commit to resolve the merge conflicts.
I've tested out the branch with #164943 enabled, but haven't managed to get a Plymouth prompt to show up.

[flokli]

I've plymouth prompts on a LUKS initrd setup for a while now. What's the status of this PR, what's missing from here in the main branch? Could this be rebased?