From 35ea5efc40855089cb818dc4678aa795b5eb909f Mon Sep 17 00:00:00 2001 From: kn Date: Tue, 7 Mar 2023 17:29:42 +0000 Subject: [PATCH] Initial support for guided disk encryption One new question to cover the most common use case, such that manual setup in (S)hell or '!' prior to install is no longer required: Encrypt the root disk? (disk, 'no' or '?' for details) [no] ? Create a passphrase protected CRYPTO softraid volume to be used as root disk. Available disks are: sd0. Encrypt the root disk? (disk, 'no' or '?' for details) [no] Use of keydisk or different disciplines are not covered. Only asked in interactive installations; no autoinstall(8) or upgrades. Only reachable on i386, amd64, sparc64 and riscv64 for now (arm64 WIP). Tested by cheloha naddy and a few users Feedback from cheloha deraadt claudio OK cheloha "get it in now" deraadt --- distrib/amd64/common/install.md | 3 +- distrib/i386/common/install.md | 3 +- distrib/miniroot/install.sub | 57 +++++++++++++++++++++++++++++- distrib/riscv64/ramdisk/install.md | 3 +- distrib/sparc64/common/install.md | 6 +++- 5 files changed, 67 insertions(+), 5 deletions(-) diff --git a/distrib/amd64/common/install.md b/distrib/amd64/common/install.md index 1abb6c217fc..905accdb10d 100644 --- a/distrib/amd64/common/install.md +++ b/distrib/amd64/common/install.md @@ -1,4 +1,4 @@ -# $OpenBSD: install.md,v 1.58 2023/02/06 08:41:00 kn Exp $ +# $OpenBSD: install.md,v 1.59 2023/03/07 17:29:42 kn Exp $ # # Copyright (c) 1996 The NetBSD Foundation, Inc. # All rights reserved. @@ -31,6 +31,7 @@ # machine dependent section of installation/upgrade script. # +MDBOOTSR=y MDXAPERTURE=2 MDXDM=y NCPU=$(sysctl -n hw.ncpufound) diff --git a/distrib/i386/common/install.md b/distrib/i386/common/install.md index c318e38a8b6..148ce64d6bc 100644 --- a/distrib/i386/common/install.md +++ b/distrib/i386/common/install.md 
@@ -1,4 +1,4 @@ -# $OpenBSD: install.md,v 1.73 2017/07/28 18:15:44 rpe Exp $ +# $OpenBSD: install.md,v 1.74 2023/03/07 17:29:42 kn Exp $ # # Copyright (c) 1996 The NetBSD Foundation, Inc. # All rights reserved. @@ -31,6 +31,7 @@ # machine dependent section of installation/upgrade script. # +MDBOOTSR=y MDXAPERTURE=2 MDXDM=y NCPU=$(sysctl -n hw.ncpufound) diff --git a/distrib/miniroot/install.sub b/distrib/miniroot/install.sub index 954feb26776..93a02c11b79 100644 --- a/distrib/miniroot/install.sub +++ b/distrib/miniroot/install.sub @@ -1,5 +1,5 @@ #!/bin/ksh -# $OpenBSD: install.sub,v 1.1230 2023/02/21 12:56:50 kn Exp $ +# $OpenBSD: install.sub,v 1.1231 2023/03/07 17:29:42 kn Exp $ # # Copyright (c) 1997-2015 Todd Miller, Theo de Raadt, Ken Westerback # Copyright (c) 2015, Robert Peichaer @@ -340,6 +340,8 @@ get_dkdevs_root() { for _d in $_disks; do is_rootdisk "$_d" || _disks=$(rmel "$_d" $_disks) done + else + _disks=$(rmel "$CRYPTODISK" $_disks) fi echo $_disks } @@ -2395,6 +2397,8 @@ get_rootinfo() { case $resp in "?") diskinfo $(get_dkdevs);; '') ;; + $CRYPTODISK) + echo "$resp is used for root disk encryption.";; *) # Translate $resp to disk dev name in case it is a DUID. # get_dkdev_name bounces back the disk dev name if not. _dkdev=$(get_dkdev_name "$resp") 
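Review bot: In the get_rootinfo hunk the new `$CRYPTODISK)` arm compares the raw answer with the device name only, and it sits before the `*)` arm whose comment says a DUID is translated to a device name there, so an answer given as the chunk disk's DUID would presumably slip past this guard. The rest of the `*)` arm is outside the hunk, so it is not visible whether a later check rejects that disk; if none does, the root filesystem could be laid out on the disk that was just set up as the CRYPTO chunk. Testing after the translation would cover both spellings, for example `[[ -n $CRYPTODISK && $_dkdev == "$CRYPTODISK" ]]` right after the `get_dkdev_name` call. Quoting the case pattern as `"$CRYPTODISK")` would also make it a literal match rather than a glob pattern.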
@@ -3053,6 +3057,50 @@ do_autoinstall() { exec reboot } +encrypt_root() { + local _chunk _tries=0 + local _q="Encrypt the root disk? (disk, 'no' or '?' for details)" + + [[ $MDBOOTSR == y ]] || return + + # The interactive bioctl(8) passphrase prompt requires a TTY. + $AI && return + + # Do not even try if softraid is in use already, + # e.g. auto-assembled at boot or done in (S)hell. + [[ -z $(get_softraid_disks) ]] || return + + while :; do + echo "Available disks are: $(get_dkdevs | sed 's/^$/none/')." + _ask "$_q" no || continue + case $resp in + '?') cat <<'__EOT' + +Create a passphrase protected CRYPTO softraid volume to be used as root disk. + +__EOT + diskinfo $(get_dkdevs);; + '') ;; + no) return;; + *) isin "$resp" $(get_dkdevs) && break + echo 'No such disk.';; + esac + done + _chunk=$resp + log_answers "$_q" $_chunk + + make_dev $_chunk + md_prep_fdisk $_chunk softraid + echo 'RAID *' | disklabel -w -A -T- $_chunk + + until bioctl -c C -l ${_chunk}a softraid0 >/dev/null; do + # Most likely botched passphrases, silently retry twice. + ((++_tries < 3)) || exit + done + + CRYPTODISK=$_chunk +} + do_install() { local _rootkey _rootpass @@ -3106,6 +3154,8 @@ do_install() { echo + encrypt_root + # Get information about ROOTDISK, etc. get_rootinfo @@ -3485,8 +3535,12 @@ umount -af >/dev/null 2>&1 # md_prep_disklabel() - put an OpenBSD disklabel on the disk # md_consoleinfo() - set CDEV, CTTY, CSPEED, CPROM # +# The following functions can be provided if required: +# md_prep_fdisk() - put a partition table on the disk +# # The following variables can be provided if required: # MDEFI - set to 'y' on archs that support GPT partitioning +# MDBOOTSR - set to 'y' on archs that support boot from softraid volumes # MDFSOPT - newfs options for non-root partitions, '-O2' assumed if not provided # MDROOTFSOPT - newfs options for the root partition, '-O2' assumed if not provided # MDSETS - list of files to add to DEFAULT and ALLSETS 
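Review bot: In encrypt_root the `until bioctl ...` loop treats every bioctl failure as a mistyped passphrase, and after the third failure a bare `exit` ends the installer with no message of its own, by which point the chosen disk has already been relabelled by `disklabel -w`. The exit statuses of `make_dev`, `md_prep_fdisk` and `disklabel` just above are not checked either, so the loop is also reached when one of those steps failed. I would check those three steps and say why the installer stops, for example `((++_tries < 3)) || { echo "Cannot create CRYPTO volume on ${_chunk}a." >&2; exit 1; }`. A short comment before `make_dev` stating that everything from that line on overwrites the selected disk would help the next reader see where the point of no return is.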
@@ -3516,6 +3570,7 @@ INSTALL_METHOD= NIFS=0 export PS1="$MODE# " PUB_KEY=/etc/signify/openbsd-${VERSION}-base.pub +CRYPTODISK= ROOTDEV= ROOTDISK= SETDIR="$VNAME/$ARCH" diff --git a/distrib/riscv64/ramdisk/install.md b/distrib/riscv64/ramdisk/install.md index 8f315c34d11..fbd8516a253 100644 --- a/distrib/riscv64/ramdisk/install.md +++ b/distrib/riscv64/ramdisk/install.md @@ -1,4 +1,4 @@ -# $OpenBSD: install.md,v 1.7 2023/02/06 08:41:00 kn Exp $ +# $OpenBSD: install.md,v 1.8 2023/03/07 17:29:42 kn Exp $ # # # Copyright (c) 1996 The NetBSD Foundation, Inc. @@ -32,6 +32,7 @@ # machine dependent section of installation/upgrade script. # +MDBOOTSR=y NCPU=$(sysctl -n hw.ncpufound) md_installboot() { diff --git a/distrib/sparc64/common/install.md b/distrib/sparc64/common/install.md index 26ec5132021..60691d9d30e 100644 --- a/distrib/sparc64/common/install.md +++ b/distrib/sparc64/common/install.md @@ -1,4 +1,4 @@ -# $OpenBSD: install.md,v 1.51 2018/01/03 10:22:38 rpe Exp $ +# $OpenBSD: install.md,v 1.52 2023/03/07 17:29:42 kn Exp $ # $NetBSD: install.md,v 1.3.2.5 1996/08/26 15:45:28 gwr Exp $ # # Copyright (c) 1996 The NetBSD Foundation, Inc. @@ -32,6 +32,7 @@ # machine dependent section of installation/upgrade script. # +MDBOOTSR=y MDHALT=y MDTERM=sun MDXAPERTURE=1 @@ -46,6 +47,9 @@ md_installboot() { fi } +md_prep_fdisk() { +} + md_prep_disklabel() { local _disk=$1 _f=/tmp/i/fstab.$1 -- 2.20.1
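Review bot: The empty `md_prep_fdisk() { }` added to the sparc64 install.md carries no comment saying the no-op is intentional, although encrypt_root in install.sub calls `md_prep_fdisk $_chunk softraid` unconditionally on every architecture that sets `MDBOOTSR=y`. A one-line comment inside the stub, such as `# Intentionally empty: encrypt_root() in install.sub always calls md_prep_fdisk.`, would record that coupling. The amd64, i386 and riscv64 hunks set `MDBOOTSR=y` without adding the function, so it presumably already exists in those files; that is worth confirming, because the install.sub comment lists md_prep_fdisk under functions that "can be provided if required" while the new code path depends on it.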