From: Andrew Hewus Fresh
Subject: Re: [patch] Autoinstall with disk encryption
To: tech@openbsd.org
Date: Tue, 30 Jan 2024 21:58:12 -0800

On Tue, Jan 30, 2024 at 07:47:31PM -0800, Andrew Hewus Fresh wrote:
> On Wed, Jan 31, 2024 at 01:53:40AM +0000, Klemens Nanni wrote:
> > On Fri, Jan 26, 2024 at 01:48:21AM +0000, Klemens Nanni wrote:
> > > Untested idea: ask_passphrase() question (match interactive bioctl prompt)
> > > in unattended install only.
> > >
> > > What do you think?
> > > Could you give it a try?
> >
> > All four interactive/unattended passphrase/key disk combinations work.
> > Anyone else interested?
>
> Thinking this through, it looks OK to me.  Unfortunately my test setup
> is giving me trouble, so I haven't yet been able to give it a try.
>
> Not entirely sure I'll have time to get it fixed before vacation in one
> week, but I'll let you know if I get to it before this gets committed.

It turns out it wasn't that broken; below is the script I am using to
test install.sub changes.  It has now been enhanced to support looking
for the keydisk answer in the answer file and setting up a keydisk.

The passphrase version seemed to work well.  I do wish there was a way
to avoid the cleartext password in the file, but I suppose a best
practice would be to use `bioctl -P` after install to change it.  In any
case, that worked great.

You may notice in the script that the "second" disk is commented out.
That's because pick_keydisk doesn't filter for only disks with RAID
partitions; it just complains if the disk isn't one.  That means it
failed to work when there were three disks and the keydisk wasn't the
second one.  Perhaps we can add `get_dkdevs_raid` that does the
`disklabel $_disk 2>/dev/null | ! grep -qw RAID` before even allowing an
option.  I'm not sure if that could cause issues though.

In any case, even with the limitations, this seems like a nice
improvement.
OK afresh1@

#!/bin/ksh
# Boot a snapshot bsd.rd in vmd with a locally modified install.sub (and
# any auto_install.conf/auto_upgrade.conf from the current directory) to
# exercise autoinstall changes.
set -e

DIR=
VND=vnd3

rcctl check vmd

if vmctl status | grep -q test-install-sub; then
	echo "vm still running" >&2
	exit 1
fi

OLDPWD=${PWD}
cd /tmp

# Fetch the current snapshot ramdisk kernel and uncompress it if needed.
[ -e bsd.rd ] || oget snapshots/bsd.rd

if file bsd.rd | grep -q 'gzip compressed'; then
	mv bsd.rd bsd.rd.gz
	gunzip bsd.rd
fi

# Undo any mount/vnd setup and remove the work directory; run on exit and
# once up front in case a previous run was interrupted.
cleanup() {
	mount | grep -q "^/dev/${VND}a on /" && doas umount /dev/${VND}a
	doas vnconfig -l ${VND} | grep -q 'not in use' || doas vnconfig -u ${VND}
	rm -rf -- "$DIR"
}
trap cleanup EXIT
cleanup

# The VM's local network (vmctl -L) needs IP forwarding on the host.
forwarding=$( sysctl net.{inet.ip,inet6.ip6}.forwarding | sed -n 's/=0/=1/p' )
[ "$forwarding" ] && doas sysctl $forwarding

# Add to pf.conf
#dns_server=192.168.1.2
#pass out on egress from 100.64.0.0/10 to any nat-to (egress)
#pass in proto { udp tcp } from 100.64.0.0/10 to any port domain \
#	rdr-to $dns_server port domain

DIR=$( mktemp -dt install-sub-XXXXXXXXX )

# Extract the ramdisk root filesystem from bsd.rd and mount it via vnd.
rdsetroot -dx bsd.rd ${DIR}/root.fs

doas vnconfig ${VND} ${DIR}/root.fs
mkdir ${DIR}/root
doas mount /dev/${VND}a ${DIR}/root

# Replace install.sub with the working copy under test.
doas cp /usr/src/distrib/miniroot/install.sub $DIR/root

# Copy in any answer files; if one answers the encryption question with
# a keydisk, a keydisk image has to be built below.
keydisk=false
for f in "${OLDPWD}"/auto_{install,upgrade}.conf; do
	[ -e "$f" ] || continue
	doas cp "$f" "$DIR/root/"
	grep -iq 'Encrypt the root disk with a (p)assphrase or (k)eydisk? = k' "$f" && keydisk=true
done

doas umount /dev/${VND}a
doas vnconfig -u ${VND}

# Write the modified root filesystem back into bsd.rd.
rdsetroot -d bsd.rd $DIR/root.fs

vmctl create -s 5G "$DIR"/first.img
#vmctl create -s 1G "$DIR"/second.img
images=first #,second

# Keydisk: a small image with an MBR and a single RAID partition, the
# layout bioctl expects for a key disk.
if "$keydisk"; then
	vmctl create -s 1M "$DIR"/third.img
	doas vnconfig ${VND} ${DIR}/third.img
	doas dd if=/dev/urandom of=/dev/${VND}c bs=1m count=1
	doas fdisk -iy ${VND}
	echo 'RAID *' | doas disklabel -wAT- ${VND}
	doas vnconfig -u ${VND}
	images="$images,third"
fi

doas vmctl start -cLb bsd.rd -i 4 -d"$DIR"/{$images}.img "$@" test-install-sub
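As an added illustration of the get_dkdevs_raid idea raised in the mail above (example code written for this page, not part of the thread or of install.sub; the names get_dkdevs_raid, has_raid_partition, DISKLABEL and the fake_disklabel stub with its constructed labels are assumptions), the following filters a disk list down to disks whose label actually carries a RAID partition, so a keydisk menu could be limited to usable candidates instead of complaining after the choice. The stub stands in for disklabel(8) so the script runs without real disks; on a real system the default DISKLABEL=disklabel applies.

```shell
#!/bin/sh
# Added example (not from the thread or install.sub): keep only the disks
# whose disklabel lists a RAID partition, in the spirit of the proposed
# get_dkdevs_raid(). Assumed names: get_dkdevs_raid, has_raid_partition,
# DISKLABEL, fake_disklabel.

# Command used to print a disklabel; left unquoted below so it may carry
# arguments (e.g. "doas disklabel"). Override with a stub for offline use.
DISKLABEL=${DISKLABEL:-disklabel}

# has_raid_partition DISK: true if the label of DISK lists a RAID partition.
# Same check pick_keydisk applies after the choice, reused here as a filter;
# stderr is dropped so a missing or unreadable disk simply counts as "no".
has_raid_partition() {
	$DISKLABEL "$1" 2>/dev/null | grep -qw RAID
}

# get_dkdevs_raid "sd0 sd1 sd2": print the subset of disks with a RAID
# partition, space separated, in the original order.
get_dkdevs_raid() {
	_list=
	for _d in $1; do
		has_raid_partition "$_d" && _list="$_list${_list:+ }$_d"
	done
	echo "$_list"
}

# Constructed stand-in for disklabel(8): sd0 is a keydisk-style label (one
# RAID partition), sd1 a plain FFS root, sd2 a data disk with RAID on 'd',
# and any other name fails the way a bad device node would.
fake_disklabel() {
	case $1 in
	sd0) printf '%s\n' '# /dev/rsd0c:' '16 partitions:' \
	    '#                size           offset  fstype [fsize bsize   cpg]' \
	    '  a:             1024               64    RAID' \
	    '  c:             2048                0  unused' ;;
	sd1) printf '%s\n' '# /dev/rsd1c:' '16 partitions:' \
	    '  a:          2097152               64  4.2BSD   2048 16384 12960 # /' \
	    '  c:          2097152                0  unused' ;;
	sd2) printf '%s\n' '# /dev/rsd2c:' '16 partitions:' \
	    '  c:          4194304                0  unused' \
	    '  d:          4194240               64    RAID' ;;
	*) echo "fake_disklabel: $1: No such file or directory" >&2; return 1 ;;
	esac
}

# Run the filter against the constructed labels (sd9 does not exist);
# prints "sd0 sd2".
demo_constructed() {
	( DISKLABEL=fake_disklabel; get_dkdevs_raid "sd0 sd1 sd2 sd9" )
}

demo_constructed
```

The filter only consults the label, exactly as pick_keydisk's own check does, so a disk that has a RAID partition but is not a key disk for this volume would still be offered; that matches the limitation the mail describes and is why the choice is still confirmed by bioctl afterwards.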