From: Klemens Nanni Subject: Re: [patch] Autoinstall with disk encryption To: tech@openbsd.org Date: Fri, 26 Jan 2024 01:48:21 +0000 On Thu, Jan 25, 2024 at 08:29:43PM +0000, Chris Narkiewicz wrote: > On Thu, Jan 25, 2024 at 05:59:25PM +0000, Klemens Nanni wrote: > > How did you test? > > 1. built bsd.rd and booted intaller from it > 2. installed manually with full disk encryption and recorded answers file > 3. added new answer with password for encryption to autoinstall file > 4. booted again and selected autoinstall > 5. after installation booted again and verified system asks > for disk password and boots > > > ask_password() may return the empty string, but bioctl(8) won't accept it. > > Ok, I need to make sure non-empty password is required. Untested idea: ask_passphrase() question (match interactive bioctl prompt) in unattended install only. _autorespond() already requires non-empty answers, i.e. it fails on Encrypt the root disk with a (p)assphrase or (k)eydisk = p where 'New passphrase = secret' is missing or invalid. > > DISK_PASS serves no purpose. > > Right. I'll remove it. > > > A different interactive prompt is certainly the only effective change. > > > > Unattended installations won't be able to run this code as you left this > > up in encrypt_root(): > > Hm... I remember that my autoinstall failed because of it and I had > to rebuild with this line commented out. Then it worked. I can't > remember how I ended up with invalid diff. > > Sorry, I'll come up with an updated patch including requested changes. I think the (k)eydisk answer would then need $AI handling also; (unattended) upgrades should not be effected. What do you think? Could you give it a try? > Thanks for feedback. > > Best regards, > Chris Narkiewicz Index: install.sub =================================================================== RCS file: /cvs/src/distrib/miniroot/install.sub,v diff -u -p -r1.1257 install.sub --- install.sub 24 Oct 2023 18:03:53 -0000 1.1257 +++ install.sub 26 Jan 2024 01:09:38 -0000 @@ -917,7 +917,7 @@ ask_password() { } # Ask for a passphrase once showing prompt $1. Ensure input is not empty -# save it in $_passphrase. +# and save it in $_passphrase. ask_passphrase() { local _q=$1 @@ -3104,9 +3104,6 @@ encrypt_root() { [[ $MDBOOTSR == y ]] || return - # The interactive bioctl(8) passphrase prompt requires a TTY. - $AI && return - [[ -x /sbin/bioctl ]] || return # Do not even try if softraid is in use already, @@ -3122,8 +3119,14 @@ encrypt_root() { _args=-k$KEYDISK break ;; - # Do nothing, bioctl(8) will handle the passphrase. - [pP]*) break + [pP]*) + if $AI; then + ask_passphrase 'New passphrase?' + PASSFILE=/tmp/i/passfile + (umask 077; print -r -- "$_passphrase" > $PASSFILE) + _args=-p$PASSFILE + fi + break ;; [nN]*) return ;; @@ -3137,6 +3140,7 @@ encrypt_root() { echo 'RAID *' | disklabel -w -A -T- $_chunk bioctl -Cforce -cC -l${_chunk}a $_args softraid0 >/dev/null + rm -f $PASSFILE # No volumes existed before asking, but we just created one. ROOTDISK=$(get_softraid_volumes)