Index | Thread | Search

From:
Chris Narkiewicz <hello@ezaquarii.com>
Subject:
Re: [patch] Autoinstall with disk encryption
To:
tech@openbsd.org
Cc:
kn@openbsd.org
Date:
Wed, 31 Jan 2024 23:00:03 +0000

Download raw body.

Thread

  • Chris Narkiewicz:

    [patch] Autoinstall with disk encryption

    • On Fri, Jan 26, 2024 at 01:48:21AM +0000, Klemens Nanni wrote:
> Untested idea:  ask_passphrase() question (match interactive bioctl prompt)
> in unattended install only.

I'm not sure if it's a good idea to bind bioctl prompt to installer prompt.
I left a custom prompt in my 2nd diff, but if we're really sure it's the
way, it will be trivial to flip.

I made the following modifications:
1. password renamed to passphrase
2. passphrase prompt loops until valid input (same as root pass)
3. no more $AI break

I'm aware that we probably want to re-visit nameing and phrasing.

Index: distrib/miniroot/install.sub
===================================================================
RCS file: /cvs/src/distrib/miniroot/install.sub,v
retrieving revision 1.1257
diff -u -p -u -p -r1.1257 install.sub
--- distrib/miniroot/install.sub	24 Oct 2023 18:03:53 -0000	1.1257
+++ distrib/miniroot/install.sub	31 Jan 2024 22:51:49 -0000
@@ -3099,14 +3099,20 @@ pick_keydisk() {
 	KEYDISK=$_disk$_label
 }
 
+ask_disk_encryption_passphrase() {
+	while :; do
+		ask_password 'Passphrase for disk encryption?'
+		[[ -n "$_password" ]] && break
+		echo "Disk encryption passphrase must be set."
+	done
+	(umask 077 && echo "${_password}" > $DISK_PASSPHRASE_FILE)
+}
+
 encrypt_root() {
 	local _args _chunk=$ROOTDISK
 
 	[[ $MDBOOTSR == y ]] || return
 
-	# The interactive bioctl(8) passphrase prompt requires a TTY.
-	$AI && return
-
 	[[ -x /sbin/bioctl ]] || return
 
 	# Do not even try if softraid is in use already,
@@ -3122,8 +3128,11 @@ encrypt_root() {
 			_args=-k$KEYDISK
 			break
 			;;
-		# Do nothing, bioctl(8) will handle the passphrase.
-		[pP]*)	break
+		# Ask for password and store it into a temporary file for bioctl
+		[pP]*)
+			ask_disk_encryption_passphrase
+			_args=-p$DISK_PASSPHRASE_FILE
+			break
 			;;
 		[nN]*)	return
 			;;
@@ -3137,6 +3146,7 @@ encrypt_root() {
 	echo 'RAID *' | disklabel -w -A -T- $_chunk
 
 	bioctl -Cforce -cC -l${_chunk}a $_args softraid0 >/dev/null
+	rm -f $DISK_PASSPHRASE_FILE
 
 	# No volumes existed before asking, but we just created one.
 	ROOTDISK=$(get_softraid_volumes)
@@ -3606,6 +3616,7 @@ CGI_INFO=/tmp/i/cgiinfo
 CGI_METHOD=
 CGI_TIME=
 CGI_TZ=
+DISK_PASSPHRASE_FILE=/tmp/i/disk_passphrase
 export EDITOR=ed
 HTTP_DIR=
 HTTP_LIST=/tmp/i/httplist


Best regards,
Chris Narkiewicz

  • Chris Narkiewicz:

    [patch] Autoinstall with disk encryption