From: Klemens Nanni
Subject: Re: [patch] Autoinstall with disk encryption
To: tech@openbsd.org
Date: Sat, 10 Feb 2024 17:37:14 +0000

On Thu, Feb 08, 2024 at 01:29:46PM +0000, Stuart Henderson wrote:
> On 2024/02/08 11:07, Klemens Nanni wrote:
> > + [pP]*)
> > + while :; do
> > + ask_password 'Passphrase for the root disk?'
> > + [[ -n "$_password" ]] && break
> > + echo 'The passphrase must be set.'
> > + done
> > + PASSFILE=/tmp/i/passfile
> > + (umask 077 && print -r -- "$_password" >$PASSFILE)
>
> This is fairly distasteful, OpenBSD usually goes out of its way to
> wipe sensitive things like this even from memory in a single
> process after use.
>
> If doing this, it might be better to only have this question for the
> autoinstall case (like how ask_root_sshd is done) and use the standard
> bioctl method for manual install.

If you mean 'New passphrase: ' interactively, but some question unattended,
then there'd be no way to discover the autoinstall(8) wording...

> > bioctl -Cforce -cC -l${_chunk}a $_args softraid0 >/dev/null
> > + rm -f $PASSFILE
>
> rm -fP perhaps?
>
> But, do enough people really want autoinstall with FDE from a password
> fetched from a webserver to be worth doing this? It doesn't seem very
> sensible to me.

Unless I hear objections, I'll go ahead with my first diff (OK afresh1)
plus your -P suggestion.

Automating this at least helps testing, and (k)eydisk does not have the
problem of relying on a secure network like (p)assphrase does.

Index: install.sub =================================================================== RCS file: /cvs/src/distrib/miniroot/install.sub,v diff -u -p -r1.1258 install.sub --- install.sub 26 Jan 2024 16:35:58 -0000 1.1258 +++ install.sub 10 Feb 2024 17:27:24 -0000 @@ -917,7 +917,7 @@ ask_password() { } # Ask for a passphrase once showing prompt $1. Ensure input is not empty -# save it in $_passphrase. +# and save it in $_passphrase. ask_passphrase() { local _q=$1
@@ -3106,9 +3106,6 @@ encrypt_root() { [[ $MDBOOTSR == y ]] || return - # The interactive bioctl(8) passphrase prompt requires a TTY. - $AI && return - [[ -x /sbin/bioctl ]] || return # Do not even try if softraid is in use already, @@ -3124,8 +3121,12 @@ encrypt_root() { _args=-k$KEYDISK break ;; - # Do nothing, bioctl(8) will handle the passphrase. - [pP]*) break + [pP]*) $AI || break + ask_passphrase 'New passphrase?' + PASSFILE=/tmp/i/passfile + (umask 077 && print -r -- "$_passphrase" >$PASSFILE) + _args=-p$PASSFILE + break ;; [nN]*) return ;; @@ -3139,6 +3140,7 @@ encrypt_root() { echo 'RAID *' | disklabel -w -A -T- $_chunk bioctl -Cforce -cC -l${_chunk}a $_args softraid0 >/dev/null + rm -fP $PASSFILE # No volumes existed before asking, but we just created one. ROOTDISK=$(get_softraid_volumes)
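Review bot: with the "$AI && return" guard removed in the encrypt_root() hunk at 3106, autoinstall now reaches ask_passphrase 'New passphrase?', and as the comment fixed in the 917 hunk says, that routine asks exactly once with no confirmation; a mistyped answer in the response file therefore produces a volume whose passphrase the operator does not know. That is inherent to unattended use, but the diff adds a new question without touching autoinstall(8), so the response-file wording and this single-shot behaviour should be documented alongside it.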
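Review bot: in the [pP]*) branch of the hunk at 3121, the exit status of "(umask 077 && print -r -- "$_passphrase" >$PASSFILE)" is ignored, so a failed write still falls through to "_args=-p$PASSFILE" and bioctl is run against a missing or empty passfile with an error far from its cause; append "|| return" (or an explicit error message) to the subshell, matching the "|| return" style the function already uses for the bioctl check. The removed comment "# Do nothing, bioctl(8) will handle the passphrase." should also survive next to "$AI || break", since the interactive path still relies on bioctl's own prompt and only autoinstall goes through the passfile, which is not obvious from the one-liner.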
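Review bot: "rm -fP $PASSFILE" in the hunk at 3140 runs on every path out of the case statement, but PASSFILE is only assigned in the autoinstall passphrase branch; in the keydisk branch, and in the interactive passphrase branch that now breaks before the assignment, rm is invoked with no operand and the call silently relies on -f to hide that. Guard it with "[[ -n $PASSFILE ]] && rm -fP $PASSFILE", or assign PASSFILE unconditionally. Separately, after the file is overwritten and removed the passphrase is still held in $_passphrase, which is exactly the lingering in-memory copy the quoted reply objects to; clearing the variable ("_passphrase=") once bioctl has returned would at least narrow that window.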