Index | Thread | Search

From:
Andrew Hewus Fresh <andrew@afresh1.com>
Subject:
Re: [patch] Autoinstall with disk encryption
To:
tech@openbsd.org
Date:
Tue, 30 Jan 2024 22:05:19 -0800

Download raw body.

Thread 
On Tue, Jan 30, 2024 at 09:58:12PM -0800, Andrew Hewus Fresh wrote:
> On Tue, Jan 30, 2024 at 07:47:31PM -0800, Andrew Hewus Fresh wrote:
> > On Wed, Jan 31, 2024 at 01:53:40AM +0000, Klemens Nanni wrote:
> > > On Fri, Jan 26, 2024 at 01:48:21AM +0000, Klemens Nanni wrote:
> > > > Untested idea:  ask_passphrase() question (match interactive bioctl prompt)
> > > > in unattended install only.
> > <SNIP>
> > > > What do you think?
> > > > Could you give it a try?
> > > 
> > > All four interactive/unattended passphrase/key disk combinations work.
> > > Anyone else interested?
> > 
> > Thinking this through, it looks OK to me.  Unfortunately my test setup
> > is giving me trouble, so I haven't yet been able to give it a try.
> > 
> > Not entirely sure I'll have time to get it fixed before vacation in one
> > week, but I'll let you know if I get to it before this gets committed.
> 
> 
> It turns out it wasn't that broken, below is the script I am using to
> test install.sub changes, it has now been enhanced to support looking
> for the keydisk answer in the answer file and setting up a keydisk.
> 
> 
> The passphrase version seemed to work well.  I do wish there was a way
> to avoid the cleartext password in the file, but I suppose a best
> practice would be to use `bioctl -P` after install to change it.  In any
> case, that worked great.

autioinstall(8) does say

    Passwords may be in plaintext, encrypted with encrypt(1), or set to
    ‘*************’ (13 '*'s) to disable password logins, only
    permitting alternative access methods (for example, ssh(1) keys).

So the documentation will need improving since we can't use a value from
encrypt(1) here.

 
> You may notice in the script that the "second" disk is commented out.
> That's because pick_keydisk doesn't filter for only disks with RAID
> partitions, it just complains if the disk isn't.  That means it failed
> to work when there were three disks and the keydisk wasn't the second
> one.  Perhaps we can add `get_dkdevs_raid` that does the `disklabel
> $_disk 2>/dev/null | ! grep -qw RAID` before even allowing an option.
> I'm not sure if that could cause issues though.
> 
> In any case, even with the limitations, this seems like a nice
> improvement.
> 
> OK afresh1@
> 
> 
> #!/bin/ksh
> set -e
> 
> DIR=
> VND=vnd3
> 
> rcctl check vmd
> 
> if vmctl status | grep -q test-install-sub; then
> 	echo "vm still running" >&2
> 	exit 1
> fi
> 
> OLDPWD=${PWD}
> cd /tmp
> [ -e bsd.rd ] || oget snapshots/bsd.rd
> if file bsd.rd | grep -q 'gzip compressed'; then
> 	mv bsd.rd bsd.rd.gz
> 	gunzip bsd.rd
> fi
> 
> cleanup() {
>     mount | grep -q "^/dev/${VND}a on /" && doas umount /dev/${VND}a
>     doas vnconfig -l ${VND} | grep -q 'not in use' || doas vnconfig -u ${VND}
> 
>     rm -rf -- "$DIR"
> }
> trap cleanup EXIT
> cleanup
> 
> forwarding=$( sysctl net.{inet.ip,inet6.ip6}.forwarding | sed -n 's/=0/=1/p' )
> [ "$forwarding" ] && doas sysctl $forwarding
> 
> # Add to pf.conf
> #dns_server=192.168.1.2
> #pass out on egress from 100.64.0.0/10 to any nat-to (egress)
> #pass in proto { udp tcp } from 100.64.0.0/10 to any port domain \
> #        rdr-to $dns_server port domain
> 
> DIR=$( mktemp -dt install-sub-XXXXXXXXX )
> 
> rdsetroot -dx bsd.rd ${DIR}/root.fs
> doas vnconfig ${VND} ${DIR}/root.fs
> 
> mkdir ${DIR}/root
> doas mount /dev/${VND}a ${DIR}/root
> 
> doas cp /usr/src/distrib/miniroot/install.sub $DIR/root
> 
> keydisk=false
> for f in "${OLDPWD}"/auto_{install,upgrade}.conf; do
>     [ -e "$f" ] || continue
>     doas cp "$f" "$DIR/root/"
>     grep -iq 'Encrypt the root disk with a (p)assphrase or (k)eydisk? = k' "$f" && keydisk=true
> done
> 
> doas umount /dev/${VND}a
> doas vnconfig -u ${VND}
> rdsetroot -d bsd.rd $DIR/root.fs
> 
> vmctl create -s 5G "$DIR"/first.img
> #vmctl create -s 1G "$DIR"/second.img
> images=first #,second
> 
> if "$keydisk"; then
>     vmctl create -s 1M "$DIR"/third.img
>     doas vnconfig ${VND} ${DIR}/third.img
> 
>     doas dd if=/dev/urandom of=/dev/${VND}c bs=1m count=1
>     doas fdisk -iy ${VND}
>     echo 'RAID *' | doas disklabel -wAT- ${VND}
> 
>     doas vnconfig -u ${VND}
> 
>     images="$images,third"
> fi
> 
> doas vmctl start -cLb bsd.rd -i 4 -d"$DIR"/{$images}.img "$@" test-install-sub
> 

-- 
andrew

If your computer says, "Printer out of Paper," this problem cannot
      be resolved by continuously clicking the "OK" button.