From: Klemens Nanni <kn@openbsd.org>
Subject: Re: [patch] Autoinstall with disk encryption
To: tech@openbsd.org
Date: Wed, 31 Jan 2024 01:53:40 +0000

On Fri, Jan 26, 2024 at 01:48:21AM +0000, Klemens Nanni wrote:
> Untested idea:  ask_passphrase() question (match interactive bioctl prompt)
> in unattended install only.
> 
> _autorespond() already requires non-empty answers, i.e. it fails on
> 	Encrypt the root disk with a (p)assphrase or (k)eydisk = p
> where  'New passphrase = secret' is missing or invalid.

> I think the (k)eydisk answer would then need $AI handling also;

'Which disk contains the key disk?' only takes sdN, unlike
'Which disk is the root disk?' also taking DUIDs, but that is a limitation
of the former, it otherwise uses ask_which() where $AI is taken care of.

This picks pre-configured sd2a expected without further changes:

	System hostname = fde
	Password for root account = password
	Which disk is the root disk = sd1
	Encrypt the root disk with a (p)assphrase or (k)eydisk = keydisk
	Which disk contains the key disk = sd2
	Set name(s) = -* b*
	Directory does not contain SHA256.sig. Continue without verification = yes

Just encrypt_root() calls pick_keydisk().

> (unattended) upgrades should not be effected.

Just do_install() calls encrpyt_root(), so upgrades are unaffected.

> What do you think?
> Could you give it a try?

All four interactive/unattended passphrase/key disk combinations work.
Anyone else interested?

Index: install.sub
===================================================================
RCS file: /cvs/src/distrib/miniroot/install.sub,v
diff -u -p -r1.1258 install.sub
--- install.sub	26 Jan 2024 16:35:58 -0000	1.1258
+++ install.sub	31 Jan 2024 01:44:32 -0000
@@ -917,7 +917,7 @@ ask_password() {
 }
 
 # Ask for a passphrase once showing prompt $1. Ensure input is not empty
-# save it in $_passphrase.
+# and save it in $_passphrase.
 ask_passphrase() {
 	local _q=$1
 
@@ -3106,9 +3106,6 @@ encrypt_root() {
 
 	[[ $MDBOOTSR == y ]] || return
 
-	# The interactive bioctl(8) passphrase prompt requires a TTY.
-	$AI && return
-
 	[[ -x /sbin/bioctl ]] || return
 
 	# Do not even try if softraid is in use already,
@@ -3124,8 +3121,12 @@ encrypt_root() {
 			_args=-k$KEYDISK
 			break
 			;;
-		# Do nothing, bioctl(8) will handle the passphrase.
-		[pP]*)	break
+		[pP]*)	$AI || break
+			ask_passphrase 'New passphrase?'
+			PASSFILE=/tmp/i/passfile
+			(umask 077 && print -r -- "$_passphrase" >$PASSFILE)
+			_args=-p$PASSFILE
+			break
 			;;
 		[nN]*)	return
 			;;
@@ -3139,6 +3140,7 @@ encrypt_root() {
 	echo 'RAID *' | disklabel -w -A -T- $_chunk
 
 	bioctl -Cforce -cC -l${_chunk}a $_args softraid0 >/dev/null
+	rm -f $PASSFILE
 
 	# No volumes existed before asking, but we just created one.
 	ROOTDISK=$(get_softraid_volumes)