Index | Thread | Search

From:
Andrew Hewus Fresh <andrew@afresh1.com>
Subject:
Re: [patch] Autoinstall with disk encryption
To:
tech@openbsd.org
Date:
Tue, 30 Jan 2024 19:47:31 -0800

Download raw body.

Thread 
On Wed, Jan 31, 2024 at 01:53:40AM +0000, Klemens Nanni wrote:
> On Fri, Jan 26, 2024 at 01:48:21AM +0000, Klemens Nanni wrote:
> > Untested idea:  ask_passphrase() question (match interactive bioctl prompt)
> > in unattended install only.
<SNIP>
> > What do you think?
> > Could you give it a try?
> 
> All four interactive/unattended passphrase/key disk combinations work.
> Anyone else interested?

Thinking this through, it looks OK to me.  Unfortunately my test setup
is giving me trouble, so I haven't yet been able to give it a try.

Not entirely sure I'll have time to get it fixed before vacation in one
week, but I'll let you know if I get to it before this gets committed.


> Index: install.sub
> ===================================================================
> RCS file: /cvs/src/distrib/miniroot/install.sub,v
> diff -u -p -r1.1258 install.sub
> --- install.sub	26 Jan 2024 16:35:58 -0000	1.1258
> +++ install.sub	31 Jan 2024 01:44:32 -0000
> @@ -917,7 +917,7 @@ ask_password() {
>  }
>  
>  # Ask for a passphrase once showing prompt $1. Ensure input is not empty
> -# save it in $_passphrase.
> +# and save it in $_passphrase.
>  ask_passphrase() {
>  	local _q=$1
>  
> @@ -3106,9 +3106,6 @@ encrypt_root() {
>  
>  	[[ $MDBOOTSR == y ]] || return
>  
> -	# The interactive bioctl(8) passphrase prompt requires a TTY.
> -	$AI && return
> -
>  	[[ -x /sbin/bioctl ]] || return
>  
>  	# Do not even try if softraid is in use already,
> @@ -3124,8 +3121,12 @@ encrypt_root() {
>  			_args=-k$KEYDISK
>  			break
>  			;;
> -		# Do nothing, bioctl(8) will handle the passphrase.
> -		[pP]*)	break
> +		[pP]*)	$AI || break
> +			ask_passphrase 'New passphrase?'
> +			PASSFILE=/tmp/i/passfile
> +			(umask 077 && print -r -- "$_passphrase" >$PASSFILE)
> +			_args=-p$PASSFILE
> +			break
>  			;;
>  		[nN]*)	return
>  			;;
> @@ -3139,6 +3140,7 @@ encrypt_root() {
>  	echo 'RAID *' | disklabel -w -A -T- $_chunk
>  
>  	bioctl -Cforce -cC -l${_chunk}a $_args softraid0 >/dev/null
> +	rm -f $PASSFILE
>  
>  	# No volumes existed before asking, but we just created one.
>  	ROOTDISK=$(get_softraid_volumes)
>