From: Chris Narkiewicz Subject: Re: [patch] Autoinstall with disk encryption To: tech@openbsd.org Cc: kn@openbsd.org Date: Wed, 31 Jan 2024 23:00:03 +0000 On Fri, Jan 26, 2024 at 01:48:21AM +0000, Klemens Nanni wrote: > Untested idea: ask_passphrase() question (match interactive bioctl prompt) > in unattended install only. I'm not sure if it's a good idea to bind bioctl prompt to installer prompt. I left a custom prompt in my 2nd diff, but if we're really sure it's the way, it will be trivial to flip. I made the following modifications: 1. password renamed to passphrase 2. passphrase prompt loops until valid input (same as root pass) 3. no more $AI break I'm aware that we probably want to re-visit nameing and phrasing. Index: distrib/miniroot/install.sub =================================================================== RCS file: /cvs/src/distrib/miniroot/install.sub,v retrieving revision 1.1257 diff -u -p -u -p -r1.1257 install.sub --- distrib/miniroot/install.sub 24 Oct 2023 18:03:53 -0000 1.1257 +++ distrib/miniroot/install.sub 31 Jan 2024 22:51:49 -0000 @@ -3099,14 +3099,20 @@ pick_keydisk() { KEYDISK=$_disk$_label } +ask_disk_encryption_passphrase() { + while :; do + ask_password 'Passphrase for disk encryption?' + [[ -n "$_password" ]] && break + echo "Disk encryption passphrase must be set." + done + (umask 077 && echo "${_password}" > $DISK_PASSPHRASE_FILE) +} + encrypt_root() { local _args _chunk=$ROOTDISK [[ $MDBOOTSR == y ]] || return - # The interactive bioctl(8) passphrase prompt requires a TTY. - $AI && return - [[ -x /sbin/bioctl ]] || return # Do not even try if softraid is in use already, @@ -3122,8 +3128,11 @@ encrypt_root() { _args=-k$KEYDISK break ;; - # Do nothing, bioctl(8) will handle the passphrase. - [pP]*) break + # Ask for password and store it into a temporary file for bioctl + [pP]*) + ask_disk_encryption_passphrase + _args=-p$DISK_PASSPHRASE_FILE + break ;; [nN]*) return ;; @@ -3137,6 +3146,7 @@ encrypt_root() { echo 'RAID *' | disklabel -w -A -T- $_chunk bioctl -Cforce -cC -l${_chunk}a $_args softraid0 >/dev/null + rm -f $DISK_PASSPHRASE_FILE # No volumes existed before asking, but we just created one. ROOTDISK=$(get_softraid_volumes) @@ -3606,6 +3616,7 @@ CGI_INFO=/tmp/i/cgiinfo CGI_METHOD= CGI_TIME= CGI_TZ= +DISK_PASSPHRASE_FILE=/tmp/i/disk_passphrase export EDITOR=ed HTTP_DIR= HTTP_LIST=/tmp/i/httplist Best regards, Chris Narkiewicz