
From: Klemens Nanni <kn@openbsd.org>
Subject: Re: [patch] Autoinstall with disk encryption
To: tech@openbsd.org, kn@openbsd.org
Date: Thu, 25 Jan 2024 17:59:25 +0000

On Thu, Jan 25, 2024 at 12:01:01PM +0000, Chris Narkiewicz wrote:
> On Fri, Dec 22, 2023 at 02:58:06PM +0000, Chris Narkiewicz wrote:
> > I'd like to kindly ask again if there is any interest in such feature to
> > enable unattended installation with disk encryption.
> 
> There was some encouragement I received, but I assume that xmas and new year
> were not a good time to seek for attention. :)
> 
> Here I am again, asking for feedback.

How did you test?

> Index: install.sub
> ===================================================================
> RCS file: /cvs/src/distrib/miniroot/install.sub,v
> retrieving revision 1.1257
> diff -u -p -u -p -r1.1257 install.sub
> --- install.sub	24 Oct 2023 18:03:53 -0000	1.1257
> +++ install.sub	13 Dec 2023 18:27:30 -0000
> @@ -3099,6 +3099,13 @@ pick_keydisk() {
>  	KEYDISK=$_disk$_label
>  }
>  
> +get_disk_passphrase() {
> +	ask_password 'Password for disk encryption?'

(I ignore wording for now.)

ask_password() may return the empty string, but bioctl(8) won't accept it.

> +	DISK_PASS="${_password}"

DISK_PASS serves no purpose.

> +	echo "${DISK_PASS}" > $DISK_PASS_FILE
> +	chmod 0600 $DISK_PASS_FILE

Setting umask(2) in a subshell and using ksh(1)'s print `builtin' is shorter
and the idiom install.sub already uses.

> +}
> +
>  encrypt_root() {
>  	local _args _chunk=$ROOTDISK
>  
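
Review bot: In get_disk_passphrase(), the redirect in echo "${DISK_PASS}" > $DISK_PASS_FILE creates the file with whatever mode the current umask allows, and chmod 0600 only narrows it afterwards, so the cleartext passphrase is briefly readable more widely than intended. Create the file under a restrictive umask instead, e.g. (umask 077 && print -r -- "$_password" >$DISK_PASS_FILE). print -r also keeps echo from interpreting backslash sequences or a leading -n in the passphrase, which would store something other than what was typed. The function should also reject an empty $_password before writing anything.
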
> @@ -3122,8 +3129,11 @@ encrypt_root() {
>  			_args=-k$KEYDISK
>  			break
>  			;;
> -		# Do nothing, bioctl(8) will handle the passphrase.
> -		[pP]*)	break
> +		# Ask for password and store it into a temporary file for bioctl
> +		[pP]*)
> +			get_disk_passphrase
> +			_args=-p$DISK_PASS_FILE
> +			break

A different interactive prompt is certainly the only effective change.

Unattended installations won't be able to run this code as you left this
up in encrypt_root():

	# The interactive bioctl(8) passphrase prompt requires a TTY.
	$AI && return

(You may as well remove the passfile right after use, for good measure.
 No point in leaving cleartext passphrases behind.)

>  			;;
>  		[nN]*)	return
>  			;;
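
Review bot: The [pP]*) arm breaks unconditionally after get_disk_passphrase, so an empty answer still leaves the loop with _args=-p$DISK_PASS_FILE pointing at a file that holds only a newline. Have get_disk_passphrase return non-zero on an empty passphrase and break only on success, e.g. get_disk_passphrase || continue, so the question is asked again.
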
> @@ -3606,6 +3616,7 @@ CGI_INFO=/tmp/i/cgiinfo
>  CGI_METHOD=
>  CGI_TIME=
>  CGI_TZ=
> +DISK_PASS_FILE=/tmp/i/disk_password
>  export EDITOR=ed
>  HTTP_DIR=
>  HTTP_LIST=/tmp/i/httplist
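
Review bot: DISK_PASS_FILE names a fixed path for a cleartext passphrase, and none of the hunks in this patch removes the file once -p$DISK_PASS_FILE has been handed to bioctl. Add rm -f $DISK_PASS_FILE directly after the bioctl call in encrypt_root(), and a short comment at this assignment noting that the file holds a secret.
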
> 
> 
> Best regards,
> Chris Narkiewicz
> 
> -- 
> Phone:    +44 7502 415 180 (also Signal, WhatsApp)
> Matrix:   @ezaquarii:etacassiopeiae.net
> Mastodon: @ezaquarii@social.etacassiopeiae.net
> GPG:      F86C 15AB 6FFE 6F81 43D7 4C1E 98BF 5BA2 F3BB 4D28
>