-rw-r--r--doc/guix.texi49
-rw-r--r--gnu/bootloader.scm6
-rw-r--r--gnu/bootloader/grub.scm7
3 files changed, 59 insertions, 3 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index c216d1b4a6..a66005ee9d 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -41070,6 +41070,55 @@ This option in enabled by default. In some cases involving the
@code{u-boot} bootloader, where the device tree has already been loaded
in RAM, it can be handy to disable the option by setting it to
@code{#f}.
+
+@item @code{extra-initrd} (default: @code{#f})
+File name of an additional initrd to load during the boot. It may or
+may not point to a file in the store, but the main use case is for
+out-of-store files containing secrets.
+
+In order to be able to provide decryption keys for the LUKS device, they
+need to be available in the initial ram disk. However they cannot be
+stored inside the usual initrd, since it is stored in the store and
+being a world-readable (as files in the store are) is not a desired
+property for a initrd containing decryption keys. You can therefore use
+this field to instruct GRUB to also load a manually created initrd not
+stored in the store.
+
+For any use case not involving secrets, you should use regular initrd
+(@pxref{operating-system Reference, @code{initrd}}) instead.
+
+Suitable image can be created for example like this:
+
+@example
+echo /key-file.bin | cpio -oH newc >/key-file.cpio
+chmod 0000 /key-file.cpio
+@end example
+
+After it is created, you can use it in this manner:
+
+@lisp
+;; Operating system with encrypted boot partition
+(operating-system
+ ...
+ (bootloader (bootloader-configuration
+ (bootloader grub-efi-bootloader)
+ (targets '("/boot/efi"))
+ ;; Load the initrd with a key file
+ (extra-initrd "/key-file.cpio")))
+ (mapped-devices
+ (list (mapped-device
+ (source (uuid "12345678-1234-1234-1234-123456789abc"))
+ (target "my-root")
+ (type (luks-device-mapping-with-options
+ ;; And use it to unlock the root device
+ #:key-file "/key-file.bin"))))))
+@end lisp
+
+Be careful when using this option, since pointing to a file that is not
+readable by the grub while booting will cause the boot to fail and
+require a manual edit of the initrd line in the grub menu.
+
+Currently only supported by GRUB.
@end table
@end deftp
diff --git a/gnu/bootloader.scm b/gnu/bootloader.scm
index ba06de7618..f32e90e79d 100644
--- a/gnu/bootloader.scm
+++ b/gnu/bootloader.scm
@@ -6,6 +6,7 @@
;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
;;; Copyright © 2022 Josselin Poiret <dev@jpoiret.xyz>
;;; Copyright © 2022 Reza Alizadeh Majd <r.majd@pantherx.org>
+;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -77,6 +78,7 @@
bootloader-configuration-serial-unit
bootloader-configuration-serial-speed
bootloader-configuration-device-tree-support?
+ bootloader-configuration-extra-initrd
%bootloaders
lookup-bootloader-by-name
@@ -279,7 +281,9 @@ instead~%")))
(serial-speed bootloader-configuration-serial-speed
(default #f)) ;integer | #f
(device-tree-support? bootloader-configuration-device-tree-support?
- (default #t))) ;boolean
+ (default #t)) ;boolean
+ (extra-initrd bootloader-configuration-extra-initrd
+ (default #f))) ;string | #f
(define-deprecated (bootloader-configuration-target config)
bootloader-configuration-targets
diff --git a/gnu/bootloader/grub.scm b/gnu/bootloader/grub.scm
index 5f3fcd7074..2723eda5f4 100644
--- a/gnu/bootloader/grub.scm
+++ b/gnu/bootloader/grub.scm
@@ -9,6 +9,7 @@
;;; Copyright © 2020 Stefan <stefan-guix@vodafonemail.de>
;;; Copyright © 2022 Karl Hallsby <karl@hallsby.com>
;;; Copyright © 2022 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
+;;; Copyright © 2024 Tomas Volf <~@wolfsden.cz>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -386,7 +387,8 @@ when booting a root file system on a Btrfs subvolume."
store-directory-prefix))
(initrd (normalize-file (menu-entry-initrd entry)
device-mount-point
- store-directory-prefix)))
+ store-directory-prefix))
+ (extra-initrd (bootloader-configuration-extra-initrd config)))
;; Here DEVICE is the store and DEVICE-MOUNT-POINT is its mount point.
;; Use the right file names for LINUX and INITRD in case
;; DEVICE-MOUNT-POINT is not "/", meaning that the store is on a
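Review bot: The new `extra-initrd` binding on the last added line takes the value straight from the configuration, while `initrd` two lines above is passed through `normalize-file` with DEVICE-MOUNT-POINT and STORE-DIRECTORY-PREFIX, and the comment that follows the binding says file names are adjusted when the store is not mounted at "/"; that comment now reads as if it covered the new binding too, but the extra initrd is emitted exactly as written. Skipping normalization is presumably intentional, since the file is documented as living outside the store and must not receive the store prefix, but it means the user-supplied name is interpreted relative to the root device GRUB locates for the kernel rather than to the running system's "/" when those differ. A comment on the binding, e.g. `;; Deliberately not normalized: EXTRA-INITRD is an out-of-store file, so it is neither stripped of DEVICE-MOUNT-POINT nor prefixed with STORE-DIRECTORY-PREFIX and is used as written, relative to GRUB's root device.`, would make that explicit, and the @code{extra-initrd} manual entry could say the same. The enclosing `let*` and its function begin before the hunk.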
@@ -397,11 +399,12 @@ when booting a root file system on a Btrfs subvolume."
#~(format port "menuentry ~s {
~a
linux ~a ~a
- initrd ~a
+ initrd ~a ~a
}~%"
#$label
#$(grub-root-search device linux)
#$linux (string-join (list #$@arguments))
+ (or #$extra-initrd "")
#$initrd)))
(multiboot-kernel
(let* ((kernel (menu-entry-multiboot-kernel entry))
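Review bot: The added `(or #$extra-initrd "")` argument is placed before `#$initrd`, so the extra archive becomes the first operand of GRUB's `initrd` command, and nothing in the hunk records whether that order is deliberate; if the archives are unpacked in the order given, a path present in both ends up with the main initrd's copy, which matters for anyone later reordering either side. A one-line comment above the `format` call, such as `;; EXTRA-INITRD is listed first so that the main INITRD is unpacked last.` (adjusted to whatever precedence is intended), would pin this down. The name is also interpolated with `~a` and no quoting, like INITRD, which is fine for store paths but means an EXTRA-INITRD containing whitespace would be split into two initrd operands, so the documentation should state that the file name must be free of spaces, or the operand could be quoted. When EXTRA-INITRD is #f the rendered line carries two consecutive spaces before the initrd path, which GRUB appears to tolerate but deserves a note. The enclosing function starts outside the hunk.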